Thursday, January 29, 2015

Email scammers stole $215M from businesses in 14 months

From Help Net Security:

Email scammers stole $215M from businesses in 14 months

The Business E-mail Compromise scam is alive and well, and expected to rise both when it comes to the number of victims and the total money loss sustained by them.

How important is online privacy?

From Help Net Security:

How important is online privacy?

Consumer online privacy concerns remain extremely high with 92 percent of American internet users worrying to some extent about their privacy online – the same percentage as in January 2014. 44 percent said they were frequently or always concerned and 42 percent agreed they were more concerned than one year ago.

APTs: Minimizing losses with early detection

From Help Net Security:

APTs: Minimizing losses with early detection

Let’s travel back to 2006, the year the blockbuster, “The Departed,” came out. Matt Damon plays a young criminal who has infiltrated the state police as an informer for South Boston’s Irish Mob. Working his way up the ranks, he gathers sensitive information about the plans and counter-plans of the operations he has penetrated and leaks them to his organized crime cohorts. Eventually, police suspect that there's a mole in their midst. Now, we all know how this ends – Damon is exposed and killed by Mark Wahlberg for his stint – but not before wreaking havoc throughout the department.

Hotels that block personal Wi-Fi hotspots will get busted, says FCC

From Sophos Naked Security:

Hotels that block personal Wi-Fi hotspots will get busted, says FCC

The US Federal Communications Commission (FCC) didn't mince its words: hotels that block Wi-Fi are breaking the law.

From a warning posted on Tuesday:
In the 21st Century, Wi-Fi represents an essential on-ramp to the internet. Personal Wi-Fi networks, or "hotspots", are an important way that consumers connect to the internet. Willful or malicious interference with Wi-Fi hotspots is illegal.

Cop who stole nude photos from arrested women's seized phones escapes jail time

From Sophos Naked Security:

Cop who stole nude photos from arrested women's seized phones escapes jail time

A former California Highway Patrol (CHP) officer who forwarded nude photos of arrested women from their mobile phones to his and his colleagues' phones has escaped jail time.

US Military wants to replace passwords with "cognitive fingerprints"

From Sophos Naked Security:

US Military wants to replace passwords with "cognitive fingerprints"

Researchers at the US military's elite West Point military academy have been awarded a multi-million dollar contract to produce a new identity verification system based on users' behavior.

Massive DEA license plate reader program tracks millions of Americans

From Sophos Naked Security:

Massive DEA license plate reader program tracks millions of Americans

The US Drug Enforcement Administration (DEA) has been building a massive national license plate reader (LPR) database over several years that it shares with federal and local authorities, with no clarity on whether the network is subject to court oversight.

Facebook vs 25,000 users - privacy class action lawsuit has initial hearing date set

From Sophos Naked Security:

Facebook vs 25,000 users - privacy class action lawsuit has initial hearing date set

An Austrian court has given the go ahead to a class action lawsuit brought against Facebook for alleged privacy violations across Europe.

Bughunter cracks "absolute privacy" Blackphone - by sending it a text message

From Sophos Naked Security:

Bughunter cracks "absolute privacy" Blackphone - by sending it a text message

Serial Aussie bugfinder Mark Dowd has been at it again.

He loves to look for security flaws in interesting and important places.

This time, he turned his attention to a device that most users acquired precisely because of its security pedigree, namely the Blackphone.

The "Dirty Dozen" SPAMPIONSHIP: Who's the biggest? Who's the worst?

From Sophos Naked Security:

The "Dirty Dozen" SPAMPIONSHIP: Who's the biggest? Who's the worst?

At last!

The United States of America can finally celebrate failing to win our SPAMPIONSHIP!

If it seems odd to cheer yourself for losing the top spot, remember that this is a league table where lower is better.

Apple fixes Thunderstrike and 3 Project Zero bugs in OS X 10.10.2 Yosemite

From Sophos Naked Security:

Apple fixes Thunderstrike and 3 Project Zero bugs in OS X 10.10.2 Yosemite

Apple is readying a series of fixes to defend Yosemite, its flagship operating system, from so-called 'evil maid' attacks.

Google asked to muzzle Waze 'police-stalking' app

From Sophos Naked Security:

Google asked to muzzle Waze 'police-stalking' app

GPS trackers on vehicles; stingray devices to siphon mobile phone IDs and their owners' locations; gunshot-detection sensors; license plate readers: these are just some of the types of surveillance technologies used by law enforcement, often without warrants.

Pinterest to sell ads based on what you're thinking of buying

From Sophos Naked Security:

Pinterest to sell ads based on what you're thinking of buying

Pinterest users, get ready to be squeeeeeeeeeeeeezed like the data-rich, spendy sponges that you are.

D-Link routers vulnerable to DNS hijacking

From Help Net Security:

D-Link routers vulnerable to DNS hijacking

At least one and likely more D-Link routers as well as those of other manufacturers using the same firmware are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered.

Fed Reveals Plan for Faster Payments

From InfoRiskToday:

Fed Reveals Plan for Faster Payments

The Federal Reserve on Jan. 26 revealed its roadmap for an overhaul of the U.S. payments system, which includes plans for faster settlement in all payment categories and near real-time settlement of peer-to-peer payments.

IT Security Hiring Surge Continues

From InfoRiskToday:

IT Security Hiring Surge Continues

If 2014 was a harbinger of things to come, with the supply failing to keep pace with the demand, 2015 will be a banner year for IT security employment.

FTC Alert: FTC Announces Schedule for Reviewing Regulations

From the Federal Trade Commission:

FTC Announces Schedule for Reviewing Regulations

As part of the Federal Trade Commission’s systematic review of all current FTC rules and guides, the agency is announcing a modified 10-year regulatory review schedule.

NFL Mobile App Leaks Unencrypted Credentials

From ThreatPost:

NFL Mobile App Leaks Unencrypted Credentials

As if the National Football League doesn’t have enough to worry about during Super Bowl week with deflated footballs and cheating allegations marring its most important event, a security firm has found a glaring vulnerability in its mobile application.

'Ghost' flaw poses high risk to Linux distributions

From ComputerWorld:

'Ghost' flaw poses high risk to Linux distributions

A fault in a widely used component of most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email.

RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses

From Forbes:

RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses

In another startling development in the world of cyber crime, malicious hackers have started taking over website servers, encrypting the data on them and demanding payment to unlock the files. A large European financial services company, whose name was not disclosed, was the first known victim of this potentially business-destroying attack, according to Swiss security firm High-Tech Bridge, which investigated the breach in December 2014.

U.S. FCC warns against blocking personal Wi-Fi access

From CNBC:

U.S. FCC warns against blocking personal Wi-Fi access

The U.S. Federal Communications Commission on Tuesday warned hotels and other entities against blocking personal Wi-Fi access, or hot spots, saying it was illegal and could incur heavy fines.

US-CERT: Apple Releases Security Updates for OS X, Safari, iOS and Apple TV

From US-CERT:

Apple Releases Security Updates for OS X, Safari, iOS and Apple TV

Apple has released security updates for OS X, Safari, iOS and Apple TV to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system.

Updates available include:
  • OS X v10.10.2 and Security Update 2015-001 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10 and v10.10.1
  • Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1
  • iOS 8.1.3 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
  • Apple TV 7.0.3 for Apple TV 3rd generation and later

US-CERT encourages users and administrators to review Apple security updates HT204244, HT204243, HT204245 and HT204246, and apply the necessary updates.

US-CERT: Security Advisory for Adobe Flash Player

From US-CERT:

Security Advisory for Adobe Flash Player

"Adobe has released Flash Player desktop version 16.0.0.296 to address a critical vulnerability (CVE-2015-0311) in 16.0.0.287 and earlier versions for Windows and Macintosh. This vulnerability could allow an attacker to take control of the affected system.

Users and administrators are encouraged to review Adobe Security Bulletin APSB15-01 and apply the necessary updates."

US-CERT: Linux "Ghost" Remote Code Execution Vulnerability

From US-CERT:

Linux "Ghost" Remote Code Execution Vulnerability

"The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.

US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu and Red Hat. The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement."

Europol 'to be given new internet watchdog powers'

From The Telegraph:

Europol 'to be given new internet watchdog powers'

"The EU is planning to give Europe’s police intelligence agency, Europol, new powers to become a European internet watchdog and censor, according to a secret policy document."

Obama Wants Companies to Stop Stealing Your Data. Good Luck.

From Mother Jones:

Obama Wants Companies to Stop Stealing Your Data. Good Luck.

"...According to Evidon, an online marketing analytics service, an app called My Pregnancy Today shared data with 19 different third parties, including Google, Facebook, Twitter, BabyCenter, AdMob, Dynamic Logic, and various other obscurely named companies. An app that tracks when women menstruate did the same. Weight Watchers International sends your diet plans directly to Kraft Foods."

11% of Android banking and finance apps are dangerous

From Help Net Security:

11% of Android banking and finance apps are dangerous

Of the more than 40,000 mobile apps listed as suspicious:
  • 21,076 contained adware
  • 20,000 contained Trojan malware
  • 3,823 contained spyware
  • 209 contained exploit code
  • 178 contained malicious JavaScript.
Meanwhile, of these 40,000 suspicious apps, the following number exhibited excessive permissions:
  • 8,672 could capture device logs
  • 8,408 could record audio
  • 7,188 could access contacts lists
  • 4,892 could read SMS messages
  • 2,961 could write to contacts lists
  • 4,018 could disable key guard
  • 3,783 could read the device’s settings
  • 1,148 could install packages
  • 1,028 could access GPS information.

People happily give away their (bad) passwords to TV reporter

For Pete's sake, people, DO NOT GIVE AWAY YOUR PASSWORDS!!! One would think that to be common sense. Evidently it's not as intuitive as one would think.

From Sophos Naked Security:

People happily give away their (bad) passwords to TV reporter

Does Facebook know you better than your friends and family do?

From Sophos Naked Security:

Does Facebook know you better than your friends and family do?

"What if a computer could predict your behavior and understand your personality better than your coworkers, friends, siblings, and even your spouse do?

According to researchers from the University of Cambridge and Stanford University, it's already possible - by studying your Facebook likes.

...

The study also found that the computer model was better than personal acquaintances at predicting life outcomes such as substance use, political attitudes and physical health - and "for some outcomes, they even outperform the self-rated personality scores.""

US-CERT: Oracle Releases January 2015 Security Advisory

From US-CERT:

Oracle Releases January 2015 Security Advisory

Number of security fixes by product:

  • 8 for Oracle Database Server
  • 36 for Oracle Fusion Middleware
  • 10 for Oracle Enterprise Manager Grid Control
  • 10 for Oracle E-Business Suite
  • 6 for Oracle Supply Chain Products Suite
  • 7 for Oracle PeopleSoft Products
  • 1 for Oracle JD Edwards Products
  • 17 for Oracle Siebel CRM
  • 2 for Oracle iLearning
  • 2 for Oracle Communications Applications
  • 1 for Oracle Retail Applications
  • 1 for Oracle Health Sciences Applications
  • 19 for Oracle Java SE
  • 29 for Oracle Sun Systems Products Suite
  • 11 for Oracle Linux and Virtualization
  • 9 for Oracle MySQL

Man dies after 3-day video gaming binge

I'm not sure what I find more disturbing, the fact that he died after playing a game for 3 days straight or that this was:

"... the country's second "sudden death" involving an Internet café customer this year."

From Fox News:

Man dies after 3-day video gaming binge