Airlines Alert Customers, Employees of Cybersecurity Incidents
Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13. According to the company, a third party accessed logins and passwords used for its corporate network.
… Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data. While the leaked data did not contain any payment card or other financial information, the company has notified the Calgary Police Service and the RCMP’s cybercrime unit.
… Florida-based ultra low cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.
… Security expert Troy Hunt, the owner of the Have I Been Pwned service, told SecurityWeek that all the email addresses he tested from the leaked data show up in Exploit.in, a list of nearly 600 million email address and password combinations compiled using data stolen from various online systems.
Cybercriminals have used the Exploit.in list for credential stuffing attacks, where attackers automatically inject username/password combinations into a website’s login page in hopes that account owners have used the same credentials on multiple online services.
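The article describes credential stuffing from the attacker's side. For the defender, the useful point is that a stuffing run has a recognizable shape in web-login logs: one source tries many distinct usernames roughly once each, with a high failure rate, whereas a classic brute-force run hammers a single username. The following is an added example, not code from SecurityWeek, Troy Hunt or any of the airlines named above. The log format, the field names, the thresholds and the sample log lines are all constructed for this illustration; the one thing worth copying is the logic, including the last step: any login that succeeds inside a flagged stuffing run belongs to an account whose owner reused a leaked password and should be forced to reset it.

```python
"""Added example: flagging credential-stuffing activity in constructed
web-login logs. Not from the article or any vendor; the log format,
thresholds and sample lines are assumptions made for the illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed line format: "<ISO-8601 ts> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Attempt(ts=ts, ip=m["ip"], user=m["user"], ok=m["result"] == "OK")


def classify_sources(lines: List[str], window: timedelta = timedelta(minutes=10),
                     min_attempts: int = 8, min_distinct_users: int = 6,
                     max_success_rate: float = 0.25) -> Dict[str, str]:
    """Return {ip: verdict} for sources whose attempts inside any `window`-long
    run exceed `min_attempts` with a low success rate. Many distinct usernames
    -> "credential_stuffing"; a single username -> "brute_force"."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for line in lines:
        a = parse_line(line)
        if a:
            by_ip[a.ip].append(a)

    verdicts: Dict[str, str] = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the run fits in `window`.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            run = attempts[start:end + 1]
            if len(run) < min_attempts:
                continue
            if sum(a.ok for a in run) / len(run) > max_success_rate:
                continue  # mostly successful logins: not an attack pattern
            distinct = len({a.user for a in run})
            if distinct >= min_distinct_users:
                verdicts[ip] = "credential_stuffing"
                break
            if distinct == 1:
                verdicts[ip] = "brute_force"
                break
    return verdicts


def compromised_accounts(lines: List[str], verdicts: Dict[str, str]) -> List[str]:
    """Usernames that logged in successfully from a source flagged as
    credential stuffing: those owners reused a leaked password."""
    hits = set()
    for line in lines:
        a = parse_line(line)
        if a and a.ok and verdicts.get(a.ip) == "credential_stuffing":
            hits.add(a.user)
    return sorted(hits)


def _constructed_log() -> List[str]:
    """Sample input built for this example (documentation addresses, RFC 5737)."""
    lines = []
    # 203.0.113.7: twelve distinct accounts, one attempt each, one succeeds.
    for i in range(12):
        res = "OK" if i == 7 else "FAIL"
        lines.append(f"2017-07-31T10:00:{5 * i:02d}Z ip=203.0.113.7 "
                     f"user=member{i}@example.org result={res}")
    # 198.51.100.9: ten failed guesses against a single account.
    for i in range(10):
        lines.append(f"2017-07-31T10:01:{5 * i:02d}Z ip=198.51.100.9 "
                     f"user=bob@example.org result=FAIL")
    # 192.0.2.5: an ordinary user who mistyped once.
    lines += ["2017-07-31T10:02:00Z ip=192.0.2.5 user=alice@example.org result=OK",
              "2017-07-31T10:05:00Z ip=192.0.2.5 user=alice@example.org result=FAIL",
              "2017-07-31T10:05:10Z ip=192.0.2.5 user=alice@example.org result=OK"]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    v = classify_sources(SAMPLE_LOG)
    print(v)
    print("force password reset for:", compromised_accounts(SAMPLE_LOG, v))
```

On the constructed input the stuffing source is flagged after its eighth attempt, the brute-force source is separated out by its single username, and the ordinary user is not reported. Thresholds should be tuned against a site's real traffic; the distinct-username ratio, not raw volume, is what distinguishes stuffing from both brute force and busy shared NATs.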
Not all hackers are brilliant.
Teen was writing a fraud to-do list when the cops came. Now he’ll be doing time
When police executed a search warrant at Phyllistone Termine’s North Miami-Dade home in 2016, he was listening to tunes and doing a fraudster’s to-do list that included buying other people’s credit card numbers and security codes.
Termine, 19, was sentenced last week to 4 1/2 years in federal prison for aggravated identity theft and access device fraud.
The scam involved converting the modern tax return scam to unemployment benefits — amassing names and Social Security numbers and getting benefits in multiple fraudulent filings, Termine admitted in court documents. Using more than 1,000 names and numbers, the teenager falsely collected more than $1 million in benefits from March 2015 through May 2016.
… When cops burst into Termine’s home with a search warrant on May 20, 2016, they found him in his bedroom, listening to music and writing what appeared to be a summer to-do list on a legal pad. The list included the tasks “Buy Online, Merrick BNK & CCVs” and “Buy 3 phones, 1 clean 2 dirty’s.”
The first phrase means buying Merrick Bank credit card numbers and the security code on the back from sites on the “dark web.”
Next to Termine on his bed: three cellphones and a laptop. Hidden between the mattress and box spring: debit and credit cards that didn’t belong to Termine or anybody who lived with Termine. Also, there were blank white plastic cards with magnetic strips. Termine also had equipment to encode the magnetic strip on a credit or debit card.
Useful tool for my Computer Security classes.
Have you ever seen a visualization of the world’s biggest data breaches? If not, you can see it here. Hovering over incidents will lead you to additional information on the incident, and you can also use a variety of filters.
I love that site, especially because that wonderful tool relies on DataBreaches.net as a source of its data. It’s a great use of my site and my work, and yes, I gave them permission. I’m pleased to see my work used for some worthy noncommercial tools like that one.
Also illustrates a very simple hack, based on very poor design.
Kids Pass Just Reminded Us How Hard Responsible Disclosure Is
Only a couple of months ago, I did a talk titled "The Responsibility of Disclosure: Playing Nice and Staying Out of Prison". The basic premise was to illustrate where folks finding security vulnerabilities often go wrong in their handling of the reporting, but I also wanted to show how organisations frequently make it very difficult to responsibly disclose the issue in the first place. Just for context, I suggest watching a few minutes of the talk from the point at which I've set the video below to start:
A privacy breach occurs when we move from what we can see (old, white male) to what requires technology to reveal.
Turna Ray reports:
Genealogy firm Family Tree DNA has challenged the constitutionality of Alaska’s Genetic Privacy Act on the grounds that the statute is so vague in its definitions of terms, such as “DNA analysis,” “disclosure,” and “informed consent,” that the firm cannot know how to comply with the law.
The move is part of Family Tree DNA’s defense strategy in a lawsuit in which a customer, Alaska resident Michael Cole, is alleging the company breached his rights under the Genetic Privacy Act by publicly sharing his genetic information without his consent.
Read more on Genome Web.
A tool we should understand.
(Related)
Putin Signs Controversial Law Tightening Internet Restrictions
Russian President Vladimir Putin has signed controversial legislation prohibiting the use of Internet proxy services -- including virtual private networks, or VPNs -- and cracking down on the anonymous use of instant messaging services.
The law on proxy services, signed by Putin on July 29 and published by the government on July 30, was promoted by lawmakers who said it is needed to prevent the spread of extremist materials and ideas.
Critics say Putin's government often uses that justification to suppress political dissent.
(Related)
Apple removes VPN apps from the App Store in China
The Chinese government’s crackdown on the internet continues with the news that Apple has removed all major VPN apps, which help internet users overcome the country’s censorship system, from the App Store in China.
An interesting idea.
Would there be much of a market for my Ethical Hackers? (If not, why not?)
How Deep & Dark Web Intelligence Supports Merger and Acquisition Due Diligence
After all, for an M&A engagement to be truly advantageous, the acquirer must first gain an accurate and comprehensive understanding of the target company’s business risk profile. Extensive due diligence is essential, as any unknowns pertaining to the target company’s finances, reputation, strategy, liabilities, or compliance could hinder the short- and/or long-term success of any merger or acquisition. Given that an abundance of such unknowns exist in the form of threats emerging from the Deep & Dark Web, gaining visibility into these online regions is crucial.
Indeed, Deep & Dark Web intelligence can enable potential acquirers to proactively detect and address a broad spectrum of cyber and physical threats to which target companies may be susceptible, such as:
Insider Threats
Ransomware
Fraud
Data Theft
Supply Chain Security
Hacktivism
At all? Ever?
German court rules bosses can't use keyboard-tracking software to spy on workers
The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers’ personal rights.
The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees’ complete “internet traffic” and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers.
The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots.
Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software. Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them.
He was fired that same day.
English words; the grammar has changed. More efficient than English? Probably. Dangerous? Unlikely. Cute headline though. Let’s see who panics…
Facebook AI Invents Language That Humans Can't Understand: System Shut Down Before It Evolves Into Skynet
… Facebook had to pull the plug on an artificial intelligence system that its researchers were working on because things got out of hand. The AI did not start shutting down computers worldwide or something of the sort, but it stopped using English and started using a language that it created.
… The AI agents were not confined to a limitation of only using the English language, and so they deviated from it and created one that made it easier and faster for them to communicate. Facebook researchers, however, decided to shut down the AI systems and then force them to speak to each other only in English.
Likely to be installed in every Whole Foods location?
Amazon’s new ‘Hub’ delivery lockers will accept packages from any sender
Amazon is expanding its delivery locker concept into apartment lobbies, with a twist: the new lockers will accept packages not just from Amazon but from any sender, shipped via any carrier, according to the company.
… With the Hub rollout, the company is broadening the concept to let people receive packages from friends and family, competing retailers or anyone else. The move could make Amazon a much bigger rival to retail mailbox stores and existing package lockers. It could also give the Seattle-based tech giant access to a trove of new shipping and customer data that provide a competitive edge.