According to this post, a security researcher has uncovered a major flaw in the Blackphone, a mobile device that has been highly advertised as being extremely secure. The flaw can allow an attacker to send a Blackphone user a specially crafted text message that allows remote code execution on the device. A paper with full details on the flaw can be found here.
Unless forced to use complex passwords, many users elect to use easy to remember passwords to protect their accounts (123456 typically tops the list of most used passwords every year). This article discusses how two-factor authentication can be used to protect accounts that incorporate simple passwords. This article takes a look at the 25 most used passwords for 2014. The password ‘123456’ ranks at #1.
According to this article, and based on recently released research from Google’s research team Project Zero, three new unpatched vulnerabilities have been discovered in Apple OS X. From the article:
CNET describes the three exploits in detail. The first involves “circumvention of commands in the network system”, but may already be a non-issue for users on OS X Yosemite. The second documents “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator.” The final bug is an exploit relating to OS X’s kernel structure. All three of the exploits would requite an attacker to have access to a targeted Mac.
After the holiday season and some extended vacations, we are back to posting on a regular basis.
There has been much talk in the news over the last 6 months about personal webcams and baby monitors (usually being run in default configurations) being taken over by malicious individuals or set up to stream over sites where anyone can view them. This article provides some sound advice on how to protect your webcam/baby monitor from hackers.
A new day and even more news regarding the recent Sony hack. According to this post, Sony is using unconventional methods to fight back at data thieves looking to obtain data that was stolen during the breach. From the post:
As reported by Re/Code, according to two people with knowledge of the matter, the company is using hundreds of computers in Asia to initiate denial of service attacks on websites where Sony’s stolen information is available for download.
Amazon Web Services data centers in Tokyo and Singapore are being used to support the counter-attack, according to one of the sources.
Stolen credit card data due to breaches of merchants such as Home Depot is getting to the point that it is commonplace. Many have no idea what actually happens with the stolen credit card data. This article examines what the bad guys do with this data. From the article:
Whether it’s a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, phishing attack or simply storing customers’ card information insecurely, the result is the same: credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?
More fallout from the recent hack against Sony. According to this post, not only were unreleased movies stolen and released on the Internet, but contact details and aliases for celebrities has also been released. From the post:
Those affected include Brad Pitt, Julia Roberts, Tom Hanks, Daniel Craig, Natalie Portman, Tobey Maguire and Sarah Michelle Gellar.
Besides the doxed aliases, the new leaks also include the email addresses and phone numbers of cast, crew and other staff on several film productions.
While this is not security related, it is still interesting. According to this post, Facebook has enabled a new search feature that allows users to search for keywords in past posts. From the post:
On Monday, it announced the new Graph Search, which, it tells us, will enable the reliving of “the most important memories of your life”.
The new Facebook search is being introduced this week in the US, in English, on iPhone and on the desktop version of Facebook.
There has been a lot of news stories over the last week about the recent attack against Sony Pictures but according to this article, the attack was an ‘unparalleled crime’. From the article:
The cyber-attack knocked much of Sony Pictures’ network offline, resulted in the theft and distribution online of five movies about to be released to cinemas worldwide as well as the exposure of vital records including celebrity data and over 47,000 social security numbers.
According to this post, a recently uncovered flaw in PayPal left over 150 million accounts open to hijacking. Fortunately, a security researcher reported it to PayPal and the issue was corrected. From the post:
…the “critical vulnerability” meant an attacker could hijack any PayPal user account and have their way with it, including but not limited to the ability to:
– Add/remove/confirm email address
– Add fully privileged users to a business account
– Change security questions
– Change billing/shipping address
– Change payment methods
– Change user settings (notifications/mobile settings)
This article offers tips for staying safe online which is especially important with the holiday season ramping up. Attempts to scam individuals out of their financial data always seems to increase this time of year. From the article:
According to the Breach Level Index, over 2,360,000,000 records have been lost to security breaches since 2013, including credit card records, consumer data and sensitive corporate information. The most heavily hit industries are the retail, technology and financial sectors — US retailer Target, the US Postal Service and JP Morgan this year to name but a few.
This article discusses a part of the Internet called “The Dark Web” that most people don’t even know exists. The Dark Web is not indexed by search engines and is considered by some to be a haven for criminal enterprises. From the article:
The majority of Dark Web sites use the anonymity software Tor, though a smaller number also use a similar tool called I2P. Both of those systems encrypt web traffic in layers and bounce it through randomly-chosen computers around the world, each of which removes a single layer of encryption before passing the data on to its next hop in the network. In theory, that prevents any spy—even one who controls one of those computers in the encrypted chain—from matching the traffic’s origin with its destination.
The holiday season is upon us which means the bad guys will be looking at new and creative ways to steal your data. This brief article examines 5 security tips you can use for safe online holiday shopping. This list is worth sharing with friends who might not be very security savvy.
This article is reporting on a site that allegedly links to “the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries – including, for example, Thailand, Sudan, the Netherlands, the UK, the US, Bolivia, Korea, and China”. Many people fail to change the default passwords on these devices.
It has been a bad year for Home Depot and data breaches. This article is reporting that in addition to 56 million credit cards being exposed in a recent breach, more than 53 million email addresses were also exposed. From the article:
The company, which confirmed the breach of its payment data systems in September, said that a joint investigation by its own staff, law enforcement and third-party IT experts had discovered that separate files containing emails had been stolen but that no passwords, personal information or additional payment card information had been compromised.
This article discusses some recently released research by Kaspersky Labs regarding malware that affects automated teller machines (ATMs). These machines are obviously an attractive target for the bad guys. From the article:
Cyber criminals are adopting even more creative and sophisticated tactics to collect users’ personal information. Banking is one of the industries most targeted by cyber criminals. Very interesting are the techniques adopted by criminals to steal money with malicious code or to capture users’ PINs directly from the ATMs.
“It just blows you away how sophisticated these folks are in thinking this stuff up,”says Bryan Sartin, director of the team at Verizon Communications that investigates data breaches.
This article takes a look at what it claims are the top hacker groups to be worried about. Personally I believe you should be more worried about hacker groups that you don’t hear about but the article is still worth taking a look at. From the article:
Ironically, the hacker groups that you should be afraid of also have the least intimidating names. Deep Panda, Putter Panda, and Flying Kitten have been listed by security technology firm CrowdStrike as the groups to watch out for. While they may seem cuddly, these hackers continue to be some of the most dangerous in the world.