Security News for Monday, February 9 2016

According to this article, an anonymous hacker has threatened to release the “names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees, as well as over 9,000 alleged Department of Homeland Security (DHS) employees”.  From teh article:

On Sunday, Motherboard obtained the supposedly soon-to-be-leaked data and called a large selection of random numbers in both the DHS and FBI databases. Many of the calls went through to their respective voicemail boxes, and the names for their supposed owners matched with those in the database. At one point, Motherboard reached the operations center of the FBI, according to the person on the other end.

This article is reporting that the Dridex botnet has been hijacked to send its users free antivirus applications rather that malware as was its intended purpose. From the article:

A botnet (a term formed from the words robot and network) is a group of Internet-connected computers communicating together to complete repetitive tasks and objectives, often used to send spam, push malware, or participate in distributed denial-of-service (DDoS) attacks. The Dridex botnet leverages Microsoft Word macros to infect systems (usually via a malicious email), after which attackers use it to steal banking credentials and other personal information via transparent redirects and injections to manipulate websites.

And yet, someone decided that Dridex should not serve its malicious payload anymore. Instead, it’s now delivering a clean, signed copy of Avira Free Antivirus.

This article provides 5 steps to “make your digital self less attractive to hackers, phishers and overly aggressive marketers”.  While the tips provided in this article seem simple, they will definitely increase your personal security posture.

Posted in Security News | Leave a comment

Security News for Wednesday, January 27 2016

Like most things, cars are becoming more and more advanced and rely more heavily on computer technology. Like most technologies that evolve rapidly, security seems to be an after-thought. Not surprisingly, and according to this article, security experts claim that hacking cars is easy. From the article:

Security researchers from the University of Washington and the University of California, San Diego took to the stage at a conference on Tuesday to describe how they were able to remotely break into vehicle electronics through an array of security holes. Speaking at the Enigma Security Conference in San Francisco, they discussed how cars have evolved over the years into computers on wheels that crafty hackers can penetrate under the right circumstances.

Posted in Security News | Leave a comment

Security News for Monday, January 25 2016

This article is reporting (not to the surprise of most) that hospitals, doctors, and insurance companies are not doing enough to protect your private medical data. While the survey discussed in this article was conducted in the UK, the information is also valid here in the United States. From the article:

Although encryption of laptops and USB drives is mandated by law, and 84% of respondents believe encryption is becoming a necessity, encryption is not broadly used:

– Only 10% say that encryption is “well established” within their organization.
– Only 59% encrypt email.
– Only 49% encrypt files shared on the network.
– Only 34% encrypt data stored in the cloud.

One would think that in this day and age, people would make an effort to choose strong passwords in order to safeguard their data. According to this article which looks at 25 of the weakest passwords from 2015, people still look for shortcuts and choose easy to remember passwords. From the article:

Clearly, we’re still bad at creating secure passwords, despite all the warnings about data breaches and cybercriminals out to get us.

The list has remarkable consistency to last year’s: nine of the top 10 passwords from 2014 also made the top 10 for 2015 – “dragon” dropped from #9 to #16 – with some slight reordering (e.g., “12345” moved from #3 in 2014 to #5 on 2015’s list).

Posted in Security News | Leave a comment

Security News for Friday, January 15 2016

This article is reporting that the US National Intelligence Director’s online accounts have been targeted by hackers. It is worth noting that personal accounts were breached which technically should not contain any classified data.

The “teenage” hacker(s) who last year breached the personal AOL email account of CIA Director John Brennan is supposedly back in action targeting the online accounts of James Clapper, director of National Intelligence.

Evidence that online accounts associated with Clapper’s household have been compromised were shared with the Office of the Director, a U.S. intelligence official familiar with the matter told Fortune. The hackers appear to have gained access to the personal Yahoo email account of Clapper’s wife, Susan Clapper, as well as a Verizon  FiOS account linked to the family’s home phone number.

According to this article, Microsoft has stopped supporting Internet Explorer versions 11 and under as of this past Tuesday. From the article:

Our concern, given that as many as 10% of users in the world still seem to be running Windows XP, which hasn’t been patched against security holes (privately or publicly known) since mid-2014, is that equally many people on Windows 7 may take a similar attitude and resist upgrading to Internet Explorer 11, on the grounds that “the old one still works, so why risk changing anything?”

The problem, for desktop Windows users at any rate, is that the Internet Explorer cumulative update that was published by Microsoft on Tuesday 12 January 2016 (MS16-001) is the last ever update for Windows 7 that will patch IE 8, 9 and 10.

Posted in Security News | Leave a comment

Security News for Thursday, January 7 2016

The past several years have seen major data breaches including the Target and Anthem Insurance hacks which exposed millions upon millions of sensitive records. The tide may now be shifting to attacks against power grids and infrastructure. This article discusses the recent power outage in Ukraine that was caused by malware as well as the future of attacks against infrastructure.  From the article:

First reported by Ukrainian news agency TSN (surfaced by Ars TechnicaArs Technica), the December 23rd malware-based attack disconnected a handful of electrical substations, leaving hundreds of thousands of homes in a particular region of the country without power. If officially confirmed, it will be the first known case of a mass power outage caused by hackers.

According to this post, Time Warner Cable may have suffered a data breach that exposed records for 320,000 of its customers. From the post:

“Approximately 320,000 customers across our markets could be impacted by this situation,” Eric Mangan, director of public relations, was quoted by VentureBeat as saying.

“To protect the security of these customers, we are sending emails and direct mail correspondence to encourage them to update their email password as a precaution.”

Posted in Security News | Leave a comment

Security News for Thursday, December 17 2015

According to this article, the online hacker group known as Phantom Squad has announced that they plan to launch distributed denial of service (DDos) against PlayStation Network and Xbox Live this Christmas. Such an attack could render these sites unusable. From the article:

This could cause a big problem, because a lot of people are expecting to receive new gaming consoles on Dec. 25.

If Phantom Squad is successful, this would be the second year in a row that these gaming networks go offline.

Posted in Security News | Leave a comment

Security News for Tuesday, December 15 2015

It’s a quiet news day today…..

This brief article shows how to enable security settings prevent people from looking up your Facebook account via email your email address or phone number (this is enabled by default in Facebook for some reason).

Posted in Security News | Leave a comment

Security News for Monday, December 14 2015

Tax season is only a little over a month away which means the bad guys will be out in full force attempting to separate you from your tax refunds. This article offers tips to prevent falling victim to tax fraud in the new year. From the article:

The good news is that the states and Uncle Sam have got a whole new bag of technological tricks up their sleeves this coming tax season. The bad news is ID thieves are already testing those defenses, and will be working against a financially strapped federal agency that’s been forced to cede much of its ability to investigate and prosecute such crimes.

According to this article, Google has announced that their “Safe Browsing” service is now available for Chrome on Android. Safe Browsing is used to protect about 1 billion desktop users from unsafe websites, malware, and social engineering attempts. From the article:

Make that 1 billion plus all its free-range users: Google last Monday (7 December) announced that it’s extending Safe Browsing inoculation to Chrome users on Android.

Google added unwanted software download warnings to its Safe Browsing warnings in August 2014 to give users a heads-up when software was doing something sneaky – like switching your homepage or other browser settings to ones you don’t want, piggybacking on another app’s installation, or collecting or transmitting private information without letting a user know, among other things.

This article is warning of new malware seen embedded in email in the wild that is making its way past the security scans of major vendors. From the article:

Cybersecurity experts in the banking and financial services industry have been battling early evolving versions of email embedded malware known as Cridex and Dridex that attempted to steal banking credentials and personal information since late last year. And just when the banking organizations began their fight to keep your financial information safe, numerous reports started to appear about the increase of malware targeting the healthcare industry and your critical health information.

Posted in Security News | Leave a comment

Security News for Wednesday, December 9 2015

According to this article, Adobe has issued the final patch update for the year which correct a whopping 78 vulnerabilities in Flash player. Seven of these vulnerabilities are flagged as high-risk. From the article:

The software giant has recently renamed its Flash Professional product to Animate, no doubt to distance the product from the bug-riddled and somewhat untrustworthy Flash Player, but a simple renaming of the product family, unfortunately, does not erase security flaws.

In the last patch round scheduled for this year, Adobe’s latest set of security updates are specially targeted at Adobe Flash Player and address issues which “could potentially allow an attacker to take control of the affected system,” according to the software developer.

in this article, Microsoft is warning of possible attacks after Xbox security certificates were leaked. From the article:

Buried away in Tuesday’s monthly bumper roundup of security updates, the software giant warned in an advisory that the private keys to the xboxlive.com domain had been “inadvertently disclosed,” but did not elaborate on exactly how it happened.

The certificate can be used by an attacker to impersonate the xboxlive.com domain  and carry out a so-called “man-in-the-middle” attacks, which allows the attacker to intercept the website’s secure connection. This could trick Xbox users into handing over their username and password, potentially leading to further attacks on the user.

Posted in Security News | Leave a comment

Security News for Monday, November 16 2015

In light of the Paris terrorist attacks this past week, the hacker collective known as anonymous has announced their “biggest operation” yet against ISIS, the group that has claimed responsibility for the attacks. From the article:

In the as-yet-unverified video, posted on YouTube, a spokesperson wearing the group’s signature Guy Fawkes mask said the group of hackers would use its expertise to wage “war” on the militant group.

“Expect massive cyber attacks. War is declared. Get prepared,” the announcer says in French.

According to this article, apps that can be installed on a mobile device in order to electronically “stalk” the owner of that device are still legal in the United States but Senator Al Franken is introducing legislation that will ban these apps. From the article:

Franken, one of the Senate’s staunchest defenders of privacy rights, has introduced similar legislation before and has been trying to ban stalking apps since 2011.

If it seems inconceivable that apps marketed and sold for the purpose of monitoring their users are legal, there’s a maddeningly logical explanation.

Spying apps that can track location, read text messages, monitor calls (and much more) also have legitimate purposes, despite the likelihood for abuse.

Posted in Security News | Leave a comment