A new day and even more news regarding the recent Sony hack. According to this post, Sony is using unconventional methods to fight back at data thieves looking to obtain data that was stolen during the breach. From the post:
As reported by Re/Code, according to two people with knowledge of the matter, the company is using hundreds of computers in Asia to initiate denial of service attacks on websites where Sony’s stolen information is available for download.
Amazon Web Services data centers in Tokyo and Singapore are being used to support the counter-attack, according to one of the sources.
Stolen credit card data due to breaches of merchants such as Home Depot is getting to the point that it is commonplace. Many have no idea what actually happens with the stolen credit card data. This article examines what the bad guys do with this data. From the article:
Whether it’s a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, phishing attack or simply storing customers’ card information insecurely, the result is the same: credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?
More fallout from the recent hack against Sony. According to this post, not only were unreleased movies stolen and released on the Internet, but contact details and aliases for celebrities has also been released. From the post:
Those affected include Brad Pitt, Julia Roberts, Tom Hanks, Daniel Craig, Natalie Portman, Tobey Maguire and Sarah Michelle Gellar.
Besides the doxed aliases, the new leaks also include the email addresses and phone numbers of cast, crew and other staff on several film productions.
While this is not security related, it is still interesting. According to this post, Facebook has enabled a new search feature that allows users to search for keywords in past posts. From the post:
On Monday, it announced the new Graph Search, which, it tells us, will enable the reliving of “the most important memories of your life”.
The new Facebook search is being introduced this week in the US, in English, on iPhone and on the desktop version of Facebook.
There has been a lot of news stories over the last week about the recent attack against Sony Pictures but according to this article, the attack was an ‘unparalleled crime’. From the article:
The cyber-attack knocked much of Sony Pictures’ network offline, resulted in the theft and distribution online of five movies about to be released to cinemas worldwide as well as the exposure of vital records including celebrity data and over 47,000 social security numbers.
According to this post, a recently uncovered flaw in PayPal left over 150 million accounts open to hijacking. Fortunately, a security researcher reported it to PayPal and the issue was corrected. From the post:
…the “critical vulnerability” meant an attacker could hijack any PayPal user account and have their way with it, including but not limited to the ability to:
– Add/remove/confirm email address
– Add fully privileged users to a business account
– Change security questions
– Change billing/shipping address
– Change payment methods
– Change user settings (notifications/mobile settings)
This article offers tips for staying safe online which is especially important with the holiday season ramping up. Attempts to scam individuals out of their financial data always seems to increase this time of year. From the article:
According to the Breach Level Index, over 2,360,000,000 records have been lost to security breaches since 2013, including credit card records, consumer data and sensitive corporate information. The most heavily hit industries are the retail, technology and financial sectors — US retailer Target, the US Postal Service and JP Morgan this year to name but a few.
This article discusses a part of the Internet called “The Dark Web” that most people don’t even know exists. The Dark Web is not indexed by search engines and is considered by some to be a haven for criminal enterprises. From the article:
The majority of Dark Web sites use the anonymity software Tor, though a smaller number also use a similar tool called I2P. Both of those systems encrypt web traffic in layers and bounce it through randomly-chosen computers around the world, each of which removes a single layer of encryption before passing the data on to its next hop in the network. In theory, that prevents any spy—even one who controls one of those computers in the encrypted chain—from matching the traffic’s origin with its destination.
The holiday season is upon us which means the bad guys will be looking at new and creative ways to steal your data. This brief article examines 5 security tips you can use for safe online holiday shopping. This list is worth sharing with friends who might not be very security savvy.
This article is reporting on a site that allegedly links to “the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries – including, for example, Thailand, Sudan, the Netherlands, the UK, the US, Bolivia, Korea, and China”. Many people fail to change the default passwords on these devices.
It has been a bad year for Home Depot and data breaches. This article is reporting that in addition to 56 million credit cards being exposed in a recent breach, more than 53 million email addresses were also exposed. From the article:
The company, which confirmed the breach of its payment data systems in September, said that a joint investigation by its own staff, law enforcement and third-party IT experts had discovered that separate files containing emails had been stolen but that no passwords, personal information or additional payment card information had been compromised.
This article discusses some recently released research by Kaspersky Labs regarding malware that affects automated teller machines (ATMs). These machines are obviously an attractive target for the bad guys. From the article:
Cyber criminals are adopting even more creative and sophisticated tactics to collect users’ personal information. Banking is one of the industries most targeted by cyber criminals. Very interesting are the techniques adopted by criminals to steal money with malicious code or to capture users’ PINs directly from the ATMs.
“It just blows you away how sophisticated these folks are in thinking this stuff up,”says Bryan Sartin, director of the team at Verizon Communications that investigates data breaches.
This article takes a look at what it claims are the top hacker groups to be worried about. Personally I believe you should be more worried about hacker groups that you don’t hear about but the article is still worth taking a look at. From the article:
Ironically, the hacker groups that you should be afraid of also have the least intimidating names. Deep Panda, Putter Panda, and Flying Kitten have been listed by security technology firm CrowdStrike as the groups to watch out for. While they may seem cuddly, these hackers continue to be some of the most dangerous in the world.
Another week and another (possible) data breach. According to this article, Staples is investigating a possible breach of payment card data. This is becoming way too commonplace, especially with the holidays fast approaching. From the article:
The office-supply retailer disclosed the investigation after security reporter Brian Krebs reported on his blog Krebsonsecurity.com that several banks have identified a pattern of payment card fraud suggesting that several Staples stores in northeastern United States had succumbed to a data breach.
Most people that use smartphones want strong encryption on their devices to protect their data. According to this article, the FBI does not share that stance. From the article:
US law enforcement’s top officials are not happy about Apple and Google updating their mobile devices to have encryption turned on by default.
FBI Director James Comey reproached the two companies in a speech before the Brookings Institution in Washington, D.C. on Thursday, 16 October.
Earlier this month, US Attorney General Eric Holder said that it’s “worrisome” for Google and Apple to “thwart” law enforcement’s ability to pursue investigations.
According to this post, attackers are using Universal Plug and Play (UPnP) devices to launch massive Distributed Denial of Service (DDoS) attacks. From the post:
PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That’s about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices to members of the security community in an effort to collaborate with cleanup and mitigation efforts.
This post is reporting that a group of hackers found a flaw in Microsoft Windows and leveraged it to spy on “Western governments, NATO, European energy companies and an academic organization in the United States”. From the post:
Patrick McBride, a spokesman with iSight, says the hackers targeted specific officials using a well-known kind of attack called spear-phishing. Hackers would craft a message with a PowerPoint document attached. For example, they’d say, “We’d like to be involved in the conference.”
Another week, another data breach. According to this article, Kmart has announced they have detected a breach against its store payment data systems. It is reported that their systems were breached since at least early September and that credit card numbers were stolen from their brick-and-mortar stores. From the article:
Kmart says it hasn’t seen any evidence that anything other than the numbers of customers’ debit and credit cards have been grabbed by the hackers, but there will obviously be concerns that the situation might turn out to be worse than initially feared.
In what appears to becoming a common thread between recent retail hacks, the card numbers compromised appear to have been stolen from actual retail stores, and not from those who purchased goods via the company’s website.