Security News for Friday, April 18 2014

Happy Friday!

Another day, another major breach. According to this article, Michaels Arts and Crafts stores have suffered a breach that saw the release of 2.6 million credit/debit cards. From the article:

The nation’s largest arts and crafts chain said its subsidiary Aaron Brothers was also attacked, with about 400,000 cards potentially affected.

Irving, Texas-based Michaels said that it has contained the incident, which began last year. It has received “limited” reports of fraud from banks and the payment card brands that are potentially connected to the breach.

When the iPhone 5s was released, it didn't take long for security researchers to bypass the fingerprint reader that the device uses for authentication. This post is reporting that the newly released Samsung Galaxy S5's fingerprint reader is also suffering from bypass flaws. From the post:

Samsung’s positive buzz over the Galaxy S5 didn’t last long – security researchers from SRLabs soon posted a video on YouTube demonstrating how they were able to trick the scanner with a fake fingerprint made of wood glue.

Posted in Security News | Leave a comment

Security News for Thursday, April 17 2014

OK, this is probably the last article we will post on the Heartbleed flaw. The article examines the fallout created by this vulnerability, which has been rated an 11 on a scale of 1-10 in terms of how serious it is. From the article:

The Heartbleed flaw has impacted various prominent websites and services, most of which you probably use every day, such as Flickr, Pinterest, and Yahoo. It has also affected search engines, banks and online shopping sites; sites where protection of personal data is paramount.

Not surprisingly, scammers are taking advantage of the missing Malaysian Airlines plane in order to install malware on victims' computers. This article discusses some of the scams seen in the wild since the plane went missing. From the article:

Mark Nunnikhoven, vice-president of cloud and emerging technologies at global security firm Trend Micro, says current events scams have emerged only in the last couple of years and are actually a variation on old-fashioned phishing attacks, like the old “Nigerian prince” money scam, which proliferated largely through email.

There are also many smaller campaigns, where hackers might, for example, pose as your bank in order to solicit personal and financial information.


Security News for Tuesday, April 15 2014

Everyone is probably familiar with the OpenSSL Heartbleed flaw as it has been in the news so frequently for the last week. LWG Consulting has put together a nice infographic here that depicts popular sites that are vulnerable to the flaw as well as sites that have already taken measures to mitigate the vulnerability.

And in more Heartbleed news, this post is reporting that up to 50 million Android devices could be affected by the flaw. The post also describes how you can check whether your Android device is vulnerable.


Security News for Monday, April 14 2014

This post discusses proposed legislation that will make retailers financially responsible for data breaches. From the post:

The bill, AB 1710, would make retailers responsible for notifying customers of any data breach incident, as well as hold them liable for reimbursing customers’ financial damages.

The bill would require the business that maintains the data to notify affected people within 15 days of the breach. As it now stands, banks and credit card companies are also liable for consumer losses caused by data breaches.


Security News for Friday, April 11 2014

Happy Friday.

Most companies today expend vast resources in order to protect their network perimeters from intrusion. This article is reporting on a clever intrusion that recently took place on the network of a large oil company. From the article:

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

More news on the OpenSSL Heartbleed vulnerability that has been discussed on this blog the last couple of days. The programmer who wrote the code that contains this flaw has spoken out in this post. From the post:

The German software developer denies that the security flaw was included deliberately, and told the publication that while the error introduced into OpenSSL was "trivial," the impact was "severe."


Security News for Thursday, April 10 2014

Yesterday the OpenSSL Heartbleed vulnerability was discussed here. Many security professionals have been warning users to change all of their passwords to online sites in case their credentials have already been compromised. This article offers a list of sites that were known to be vulnerable to the Heartbleed flaw and makes recommendations on which passwords should be changed.

This post also discusses the need to change your online passwords due to the OpenSSL Heartbleed vulnerability, but makes a good case for holding off on changing them for now:

If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed.

And it’s fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up.

We suggest you wait until you know that a site is not vulnerable, for example because it makes a clear statement to that effect, or use a public testing service that connects to a website to estimate whether it’s safe or not first.


Security News for Wednesday, April 9 2014

This post discusses the recently disclosed OpenSSL Heartbleed vulnerability. In a nutshell, OpenSSL is a library that encrypts web-based traffic, such as when you connect to your bank online. The vulnerability lies in an extension called heartbeat that is used to keep a session alive. If the payload length of the "heartbeat" message is manipulated by an attacker, the server could return information that is stored in memory beyond the message it actually received.
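As an added illustration, not code from the post or from OpenSSL itself, the following C snippet shows the length check that separates the flawed heartbeat parse from the fixed one, run over a constructed benign request and the same bytes with the length field rewritten. The `hb_` function names, `HB_GOOD` and `HB_BAD` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimum padding a TLS heartbeat message carries after its payload (RFC 6520). */
#define HB_PADDING 16

/* Message layout: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
 * This returns the length field as declared by the sender, trusting it blindly,
 * which is the behaviour the Heartbleed flaw came down to. */
static int hb_declared_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Fixed parse: the declared payload plus header and padding must fit inside
 * the record actually received; otherwise the message is dropped (-1). */
int hb_payload_len_checked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    int declared = hb_declared_len(rec, rec_len);
    if (1 + 2 + (size_t)declared + HB_PADDING > rec_len) return -1;
    return declared;
}

/* Build the heartbeat response (type 2 | length | echoed payload | padding)
 * only from bytes the request really contained. Returns bytes written, 0 if rejected. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    int n = hb_payload_len_checked(rec, rec_len);
    if (n < 0) return 0;
    size_t total = 1 + 2 + (size_t)n + HB_PADDING;
    if (total > out_cap) return 0;
    out[0] = 2;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + 3, rec + 3, (size_t)n);
    memset(out + 3 + n, 0, HB_PADDING);   /* real implementations use random padding */
    return total;
}

/* Constructed samples: a benign 5-byte request, and the same record whose length
 * field claims 65535 bytes although only 5 bytes of payload were sent. */
static const uint8_t HB_GOOD[3 + 5 + HB_PADDING] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t HB_BAD[3 + 5 + HB_PADDING]  = { 1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };

static uint8_t hb_out[64];
/* Convenience wrapper so the response path can be exercised without a caller buffer. */
size_t hb_demo_response(const uint8_t *rec, size_t rec_len) {
    return hb_build_response(rec, rec_len, hb_out, sizeof hb_out);
}

int main(void) {
    printf("benign:  declared=%d checked=%d\n", hb_declared_len(HB_GOOD, sizeof HB_GOOD), hb_payload_len_checked(HB_GOOD, sizeof HB_GOOD));
    printf("bogus:   declared=%d checked=%d\n", hb_declared_len(HB_BAD, sizeof HB_BAD), hb_payload_len_checked(HB_BAD, sizeof HB_BAD));
    return 0;
}
```

The unchecked parse happily reports 65535 for the bogus record; the checked one rejects it, which is exactly the difference the fix introduced.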


Security News for Tuesday, April 1 2014

This article discusses "cyber extortion", a method used by malicious individuals to threaten companies with the disclosure of confidential information if they don't pay up. From the article:

Like kidnappers and terrorists, cybercriminals have been demanding ransoms for years. But cases of digital extortion appear to have grown more frequent in recent months and involved more high-profile victims, according to Matthew Prince, chief executive of the security firm CloudFlare.

“The brazenness of the attacks has increased and they are targeting household names,” Prince said in an interview.


Security News for Thursday, March 27 2014

According to this post, security researchers have discovered bugs in Google's Android mobile operating system that could be used to launch denial-of-service attacks, rendering the device useless. The bugs can also be leveraged to delete data. From the post:

Apps that exploit the denial-of-service vulnerability work on Android versions 2.3, 4.2.2, 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post.

This post is reporting that, based upon recently released research, companies worldwide will spend $491 billion in 2014 dealing with malware. From the post:

The sponsor, Microsoft, also noted that pirated software tweaked with intent is a common method of getting inside. Consumers will likely spend $25 billion as a result of those security threats.


Security News for Wednesday, March 26 2014

According to this blog post, and based on research commissioned by security vendor Juniper, the "Cyber Black Market" is more profitable than the illegal drug trade. From the post:

RAND Corporation’s newest report tells us the black market for cybercrime, a “varied landscape of discrete, ad hoc networks of individuals motivated by ego and notoriety, has now become a burgeoning powerhouse of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states.”

According to this brief article, half of Android users don't bother to lock their mobile devices, despite the array of options available for locking them. From the article:

Half of Android users don’t bother to lock their phones, despite having the choice of using patterns, passwords, PINs, and even their faces to secure their devices. This contrasts starkly with a report from the Federal Communications Commission warning that up to 40 percent of robberies in major cities involve cell phones.
