Monthly Archive December 2014

Information Security Breach Report – 23 December 2014

This is the last report of 2014 – next one on Monday 5th January

I hope you have a great Christmas and a happy new year!

Here’s to a secure 2015.

 

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

 

Breaches, Incidents and Alerts:

Entry Point of JPMorgan Data Breach Is Identified – http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0

Apple releases critical NTP Security Update for OS X Yosemite, Mavericks, & Mountain Lion – http://9to5mac.com/2014/12/22/ntp-security-update-os-x-yosemite-mavericks-mountain-lion/

Easily Exploitable NTP Vulnerabilities Put ICS Operators at Risk – http://www.securityweek.com/easily-exploitable-ntp-vulnerabilities-put-ics-operators-risk

North Korea falls off the internet – is the United States to blame? – http://www.welivesecurity.com/2014/12/22/north-korea-internet/

Student information compromised in York County high school data breach: report – http://www.pennlive.com/midstate/index.ssf/2014/12/student_information_compromise.html

Police: Students’ information compromised in South Western HS data breach – http://www.yorkdispatch.com/breaking/ci_27188043/police-students-information-compromised-south-western-hs-data

Northwestern Memorial reports stolen laptop, notifies 2,800 patients of data breach – http://www.beckershospitalreview.com/healthcare-information-technology/northwestern-memorial-reports-stolen-laptop-notifies-2-800-patients-of-data-breach.html

Sony Threatens to Sue Twitter Unless It Removes Tweets Containing Hacked Emails – http://motherboard.vice.com/read/sony-threatens-to-sue-twitter-unless-it-removes-tweets-containing-hacked-emails

SoakSoak Campaign Evolves – New Wave of Attacks – http://blog.sucuri.net/2014/12/soaksoak-new-wave-evolution-attacks.html

‘Vawtrak’ Banking Malware Continues to Evolve – http://www.securityweek.com/vawtrak-banking-malware-continues-evolve

Cyber Gang Linked to Theft of $17M From Banks, Retailers: Research – http://www.securityweek.com/cyber-gang-linked-theft-17m-banks-retailers-research

Researcher to Demonstrate Attack on Apple EFI Firmware – http://www.securityweek.com/researcher-demonstrate-attack-apple-efi-firmware

Rackspace DNS DDOS – https://plus.google.com/+RackspaceHosting/posts/8yVxbLqfx6Q

Gang Hacked ATMs from Inside Banks – http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/

 

Miscellaneous Infosec stories:

Sucker for punishment? Join Sony’s security team – http://www.theregister.co.uk/2014/12/23/sucker_for_punishment_join_sonys_security_team/

10 recent data breaches – http://www.beckershospitalreview.com/healthcare-information-technology/10-recent-data-breaches-12-22-14.html

Security News No One Saw Coming In 2014 – http://www.darkreading.com/attacks-breaches/security-news-no-one-saw-coming-in-2014/a/d-id/1318228

Will 2015 be the year of risk-based security? – http://www.net-security.org/article.php?id=2188

The Biggest Facebook Scams Of 2014 Targeted Curious Perverts – http://www.techweekeurope.co.uk/security/virus/facebook-scams-virus-trojan-157977

How The Sony Hack Will Turn Technology Upside Down… Again – http://uk.businessinsider.com/steven-sinofsky-sony-hack-is-a-major-security-breaking-point-2014-12?r=US

Why did the Sony hackers spend so much time leaking celebrity gossip? – http://www.vox.com/2014/12/22/7433243/sony-hack-gossip-information

Schwab password policies and two factor authentication: a comedy of errors – http://www.jeremytunnell.com/posts/swab-password-policies-and-two-factor-authentication-a-comedy-of-errors

What Is Wrong With ‘Legal Malware’? – http://www.forbes.com/sites/eugenekaspersky/2014/12/22/what-is-wrong-with-legal-malware/

Alleged Counterfeiter “Willy Clock” Arrested – http://krebsonsecurity.com/2014/12/alleged-counterfeiter-willy-clock-arrested/

Sony & Cybersecurity: Supply Chain Concerns – http://www.forbes.com/sites/kevinomarah/2014/12/22/sony-cybersecurity-supply-chain-concerns/

Wake-up call for banks as scandals weigh and cyber threats loom – http://www.standard.co.uk/business/business-news/wakeup-call-for-banks-as-scandals-weigh-and-cyber-threats-loom-9939794.html

Six cloud security predictions for 2015 – http://www.scmagazine.com/six-cloud-security-predictions-for-2015/article/388926/

Taking IT Security’s Pulse: What to Expect in 2015 – http://www.securityweek.com/taking-it-securitys-pulse-what-expect-2015

Two eras of the internet: pull and push – http://cdixon.org/2014/12/21/two-eras-of-the-internet-pull-and-push/

South Korea Nuclear Plants Stage Drill Against Cyber Attack – http://www.securityweek.com/south-korea-nuclear-plants-stage-drill-against-cyber-attack

 

Tools, Tips and How it’s done:

Principles of Distributed Computing (lecture collection) – http://dcg.ethz.ch/lectures/podc_allstars/

Interesting papers from NIPS 2014 – http://nicklothian.com/blog/2014/12/22/interesting-papers-from-nips-2014/

Pattern-Based Approach for In-Memory ShellCodes Detection – http://resources.infosecinstitute.com/pattern-based-approach-memory-shellcodes-detection/

Mitigate cyber attacks with crisis management – http://www.techrepublic.com/article/mitigate-cyber-attacks-with-crisis-management/

1995 Newsweek article that claimed the internet was useless – http://www.newsweek.com/clifford-stoll-why-web-wont-be-nirvana-185306

Old-school tricks to protect your passwords – http://www.csoonline.com/article/2862016/data-protection/old-school-tricks-to-protect-your-passwords.html#tk.rss_all

5 lessons to help security pros craft a New Year’s resolution – http://www.csoonline.com/article/2860409/data-protection/5-lessons-to-help-security-pros-craft-a-new-year-s-resolution.html#tk.rss_all

Analyzing cyberthreat intelligence definitions and trends – http://searchsecurity.techtarget.com/video/Analyzing-cyberthreat-intelligence-definitions-and-trends

What’s the True Cost of a Breach? – http://www.inforisktoday.co.uk/whats-true-cost-breach-a-7711

Column: “White hat hacker” reveals the tricks of the trade – http://www.wcpo.com/news/opinion/op-ed/column-white-hat-hacker-reveals-the-tricks-of-the-trade

Five things you should know about PCI DSS – http://www.scmagazineuk.com/five-things-you-should-know-about-pci-dss/article/389108/

 

Miscellaneous Privacy stories

Spyware use in domestic violence ‘escalating’ – http://www.bbc.co.uk/news/technology-30579307

Danah Boyd Of Microsoft Research: Teens Are Exploring Privacy Practices Outside The Frame Of Technology – http://www.forbes.com/sites/kaviguppta/2014/12/22/danah-boyd-of-microsoft-research-teens-are-exploring-privacy-practices-outside-the-frame-of-technology/

 

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

Information Security Breach Report – 22 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

Breaches, Incidents and Alerts:

STAY AWAY: Popular Tor exit relays look raided – http://www.theregister.co.uk/2014/12/22/stay_away_popular_tor_exit_relays_look_raided/

ISIS operates spear phishing attacks against a Syrian citizen media group – http://securityaffairs.co/wordpress/31325/malware/isis-spear-phishing-attacks-syrian-group.html

Security breach at JMU releases thousands of employees’ data – http://www.breezejmu.org/news/article_d806545c-8861-11e4-989d-1bb141dcd74d.html

Mercy Medical Center Redding Oncology Clinic notifies patients of privacy breach – http://www.phiprivacy.net/mercy-medical-center-redding-oncology-clinic-notifies-patients-of-privacy-breach/

Quest Diagnostics notifies employees of breach after email attachment error – http://www.databreaches.net/quest-diagnostics-notifies-employees-of-breach-after-email-attachment-error/

Whistleblower reveals how fraud of Booking.com worked – http://www.bbc.co.uk/news/business-30555620

Critical #NTP Vulnerability in ntpd prior to 4.2.8 – https://isc.sans.edu/diary/Critical+%23NTP+Vulnerability+in+ntpd+prior+to+4.2.8/19093

New security flaws in the SS7 protocol allow hackers to spy on phone users – http://securityaffairs.co/wordpress/31262/hacking/flaws-ss7-protocol-spy-on-phone.html

Several critical security vulnerabilities affect the Glassdoor website – http://securityaffairs.co/wordpress/31244/hacking/several-critical-security-vulnerabilities-glassdoor.html

Staples Finds PoS Malware in 115 Stores; 1.16 Million Payment Cards Affected – http://www.securityweek.com/staples-finds-pos-malware-115-stores-116-million-payment-cards-affected

Huge data leak sees personal details of 15,000 Hackney residents published online – http://www.hackneygazette.co.uk/news/politics/huge_data_leak_sees_personal_details_of_15_000_hackney_residents_published_online_1_3892558

Privilege Escalation Vulnerability Found in Linux Kernel – http://www.securityweek.com/privilege-escalation-vulnerability-found-linux-kernel

Proxy auto-config attacks defeat 2-factor auth, hide using country specific content – http://news.netcraft.com/archives/2014/12/18/proxy-auto-config-attacks-defeat-2-factor-auth-hide-using-country-specific-content.html

Serious Vulnerabilities Found in Schneider Electric’s ProClima Solution – http://www.securityweek.com/serious-vulnerabilities-found-schneider-electrics-proclima-solution

 

Miscellaneous Infosec stories:

I work at Sony Pictures. This is what it was like after we got hacked. – http://fortune.com/2014/12/20/sony-pictures-entertainment-essay/

Throwing Money at Data Breach May Make It Worse – Study offers model for response to large-scale data breaches – http://newswire.uark.edu/articles/26195/throwing-money-at-data-breach-may-make-it-worse

Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say – http://www.billboard.com/articles/business/6413955/sony-security-kevin-mitnick-electronic-frontier

Hackers Used Sophisticated SMB Worm Tool to Attack Sony – http://www.securityweek.com/hackers-used-sophisticated-smb-worm-tool-attack-sony

Aviation industry agrees on common roadmap for tackling cyber threats – https://vouchers.innovateuk.org/web/defence/article-view/-/blogs/aviation-industry-agrees-on-common-roadmap-for-tackling-cyber-threats?p_p_auth=VezCt5us

50% of companies unprepared for DDoS attacks: Report – http://cio.economictimes.indiatimes.com/news/digital-security/50-of-companies-unprepared-for-ddos-attacks-report/45582354

Top 10 Phone Scams of 2014 – http://www.itbusinessedge.com/slideshows/top-10-phone-scams-of-2014.html

A cyber-resilience blueprint for ASEAN – http://www.eastasiaforum.org/2014/12/20/a-cyber-resilience-blueprint-for-asean/

US tries to strike deal with EU for immunity over online security breaches – http://www.theguardian.com/technology/2014/dec/19/us-negotiation-eu-prosecution-immunity-online-security-breaches-corporations

What does a cyber counterattack look like? – http://www.politico.com/story/2014/12/what-does-a-cyber-counterattack-look-like-113715.html

Ukraine conflict: Hackers take sides in virtual war – http://www.bbc.co.uk/news/world-europe-30453069

ICANN: The TRUTH about that hacker attack on our DNS zone file database – http://www.theregister.co.uk/2014/12/19/icann_stresses_critical_internet_systems_not_hacked/

Risk modellers look to clarify cyber risk costs – https://uk.news.yahoo.com/risk-modellers-look-clarify-cyber-risk-costs-221241816–finance.html#oPltu3G

How North Korea, one of the world’s poorest countries, got so good at hacking – http://www.vox.com/2014/12/18/7413229/north-korea-hack-sony

What story are security leaders telling themselves? – http://www.csoonline.com/article/2861393/security-leadership/what-story-are-security-leaders-telling-themselves.html#tk.rss_all

Post Breach, Regulator Reviews Policies – http://www.databreachtoday.com/post-breach-regulator-reviews-policies-a-7698

Questions Abound Following Data Breach Caused By NCUA Examiner’s Error – http://www.acuia.org/news/questions-abound-following-data-breach-caused-ncua-examiners-error

Complex Solutions to a Simple Problem – http://krebsonsecurity.com/2014/12/complex-solutions-to-a-simple-problem/

Crimeware-as-a-Service Threatens Banks – http://www.databreachtoday.co.uk/crimeware-as-a-service-threatens-banks-a-7690

 

Tools, Tips and How it’s done:

Cloud VPN Security Recommendations – http://resources.infosecinstitute.com/cloud-vpn-security-recommendations-2/

Hiding Malware in Plain Sight From Online Scanners – http://noxxi.de/research/content-encoding-online-scanner.html

Ask HN: What encrypted chat application to choose? – https://news.ycombinator.com/item?id=8776398

Bridging Datacenters for Disaster Recovery – Virtually – https://isc.sans.edu/diary/Bridging+Datacenters+for+Disaster+Recovery+-+Virtually/19091

10 Technical Papers Every Programmer Should Read (At Least Twice) – http://blog.fogus.me/2011/09/08/10-technical-papers-every-programmer-should-read-at-least-twice/

Endpoint security fundamentals: The business case for antimalware protection – http://searchsecurity.techtarget.com/feature/Endpoint-security-fundamentals-The-business-case-for-antimalware-protection

How cookies can be used for global surveillance – https://freedom-to-tinker.com/blog/englehardt/how-cookies-can-be-used-for-global-surveillance/

Live Map Shows Thousands Of Cyber Attacks As They Happen – http://www.forbes.com/sites/frankbi/2014/12/19/live-map-shows-thousands-of-cyber-attacks-as-they-happen/

How good is your infosec knowledge really? Test your skills with this holiday quiz – http://exp.tw/articles/show/27820

Do You Have A Data Security Breach Policy Yet? (Spoiler: You Should) – http://www.adaptistration.com/blog/2014/12/18/do-you-have-a-data-security-breach-policy-yet-spoiler-you-should/

 

Miscellaneous Privacy stories

LAPD Body Cam Footage Can’t Be FOIA’ed; Used In Court Cases Only – https://www.techdirt.com/articles/20141217/14165929471/lapd-body-cam-footage-cant-be-foiaed-used-court-cases-only.shtml

The Future of Privacy – http://www.pewinternet.org/2014/12/18/future-of-privacy/

BlackBerry Completes Acquisition of German Anti-Eavesdropping Firm – http://www.securityweek.com/blackberry-completes-acquisition-german-anti-eavesdropping-firm

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

Information Security Breach Report – 19 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

 

Breaches, Incidents and Alerts:

Webcam-snooping spawn of ZeuS hits 150 banks worldwide – http://www.theregister.co.uk/2014/12/19/chthonic_banking_trojan/

Hack hijacks electric skateboards, dumps hipsters in the gutter – http://www.theregister.co.uk/2014/12/19/hack_hijacks_boosted_skateboards_kills_hipsters/

Researchers ID New Variant of Alina PoS Malware – http://www.securityweek.com/researchers-id-new-variant-alina-pos-malware

Over 100,000 Compromised WordPress Sites Serve Malware – http://www.securityweek.com/over-100000-compromised-wordpress-sites-serve-malware

Vulnerability in embedded web server software from 2002 leaves about 12M home routers exposed – Misfortune Cookie – http://mis.fortunecook.ie/ and http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970

Vulnerability in Git, Mercurial allows for arbitrary code execution on OSX, Windows; affects Visual Studio, Github client app, among others – http://article.gmane.org/gmane.linux.kernel/1853266

Another OPM background check contractor breached – http://fedscoop.com/another-opm-background-check-contractor-breached/

New fear: ISIS killers use ‘digital AK-47’ malware to hunt victims – http://www.theregister.co.uk/2014/12/18/experts_fear_isis_using_cheap_malware_as_digital_equivalent_of_ak47/

Point-of-sale malware creators still in business with Spark, an Alina spinoff – http://www.csoonline.com/article/2861027/data-breach/pointofsale-malware-creators-still-in-business-with-spark-an-alina-spinoff.html#tk.rss_all

German researchers discover a flaw that could let anyone listen to your cell calls. – http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/

Cyberattack on German Steel Plant Caused Significant Damage: Report – http://www.securityweek.com/cyberattack-german-steel-plant-causes-significant-damage-report

SAP Patches Bugs in Business Apps – http://www.securityweek.com/sap-patches-bugs-business-apps

Breach Occurs After Health System Donates CDs with PHI – http://www.healthdatamanagement.com/news/Breach-Occurs-After-Health-System-Donates-CDs-with-PHI-49461-1.html

 

Miscellaneous Infosec stories:

Can We Learn from Big Breaches? – http://www.securityweek.com/can-we-learn-big-breaches

Direct Line says your passwords should be alphanumeric and between 8-10 characters – http://grahamcluley.com/2014/12/direct-line-says-passwords-alphanumeric-8-10-characters/

N.Korea’s cyber army’s next targets may be telecoms, utility grids – http://www.abs-cbnnews.com/business/12/19/14/nkoreas-cyber-armys-next-targets-may-be-telecoms-utility-grids

Armouring up online: Duncan Campbell’s chief techie talks crypto with El Reg – http://www.theregister.co.uk/2014/12/19/crypto_toolkit_1/

Ireland Doubles Down on Data Protection Funding – http://www.securityweek.com/ireland-doubles-down-data-protection-funding

OIT implements Cyber Security Incident Response Program to fight threats – https://oit.ncsu.edu/news-releases/oit-implements-cyber-security-incident-response-program-to-fight-threats

Ex-hacker: ‘It’s easy to break into companies like Sony’ – http://www.bbc.co.uk/news/technology-30542855

Forget Google’s robot cars, now it’s on to ANDROID cars – http://www.theregister.co.uk/2014/12/19/android_m_car_infotainment_systems/

IOActive Expands Automotive Security Testing Practice – http://www.securityweek.com/ioactive-expands-automotive-security-testing-practice

Are We Prepared for the Future of Cyber-Attacks? – http://tech.co/sony-pictures-hack-cyber-attacks-2014-12

4 Critical Cyber Trends for 2015 – http://www.dataversity.net/4-critical-cyber-trends-2015/

N.Korea’s cyber army’s next targets may be telecoms, utility grids – http://www.abs-cbnnews.com/business/12/19/14/nkoreas-cyber-armys-next-targets-may-be-telecoms-utility-grids

Kiwi hacker ‘menace’ pops home detention tracker cuffs – http://www.theregister.co.uk/2014/12/19/kiwi_hacker_menace_pops_home_detention_ankle_monitor/

Bad Bots On The Rise – http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276

UK firms turning to cyber-security contractors – http://www.scmagazineuk.com/uk-firms-turning-to-cyber-security-contractors/article/389017/

Employees are biggest security risk when it comes to the cloud – http://www.itproportal.com/2014/12/18/employees-biggest-security-risk-comes-cloud/

Does Your Data Scientist Have Chief Data Officer Potential? – http://www.forbes.com/sites/teradata/2014/12/18/does-your-data-scientist-have-chief-data-officer-potential/

Sony’s surrender will strengthen hackers, experts say – http://www.foxnews.com/tech/2014/12/18/experts-sonys-capitulation-will-strengthen-hackers/

ALMOST HALF OF AMERICANS HAVE BEEN SENT BREACH NOTIFICATIONS – http://www.pymnts.com/news/2014/almost-half-of-americans-have-been-sent-breach-notifications/#.VJQwxl4gKA

 

Tools, Tips and How it’s done:

Public Key Cryptography: Diffie-Hellman Key Exchange – https://www.youtube.com/watch?v=3QnD2c4Xovk&feature=share

Obfuscating “Hello world!” – http://benkurtovic.com/2014/06/01/obfuscating-hello-world.html

A Look at North Korea’s Cyber-Warfare Capabilities – http://gadgets.ndtv.com/internet/features/a-look-at-north-koreas-cyber-warfare-capabilities-636904

PCI Security Standards Council Publishes Guide for Securing Terminal Software – http://www.securityweek.com/pci-security-standards-council-publishes-guide-securing-terminal-software

Snapchat data breach: A case study – http://www.cyberrisknetwork.com/2014/12/18/snapchat-data-breach-case-study/

One Phish, Two Phish, Read Phish, Spear Phish – No Room at the Inn for these Phishing Attempts – http://www.solutionary.com/resource-center/blog/2014/12/holiday-spear-phishing/

Banish the fear of Big Brother when you bring in BYOD – http://www.theregister.co.uk/2014/12/18/byod_management/

Dan Kaminsky on detecting malware with one line of code – http://searchsecurity.techtarget.com/video/Dan-Kaminsky-on-detecting-malware-with-one-line-of-code

How to train your staff on cyber security (and make it stick) – http://www.pcworld.com/article/2861031/how-to-train-your-staff-on-cyber-security-and-make-it-stick.html

Safe way to upload files to Dropbox from an untrusted computer – https://github.com/frontsideair/dropboxwindow

QR Inception: Barcode-in-Barcode Attacks – https://www.iseclab.org/people/atrox/qrinception.pdf

The MPAA’s Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine That Breaks The Core Workings Of The Internet – https://www.techdirt.com/articles/20141217/17533629473/mpaas-secret-plan-to-reinterpret-dmca-into-vast-censorship-machine-that-breaks-core-workings-internet.shtml

“USBdriveby” Emulates Mouse and Keyboard to Hijack Computers – http://www.securityweek.com/usbdriveby-emulates-mouse-and-keyboard-hijack-computers

How to prevent theft, loss and snooping on the road – http://www.csoonline.com/article/2860837/mobile-security/how-to-prevent-theft-loss-and-snooping-on-the-road.html#tk.rss_all

Data Breach? Strategies to Stem the Damage – http://digitalmarketingmagazine.co.uk/digital-marketing-data/data-breach-strategies-to-stem-the-damage/1347

 

Miscellaneous Privacy stories

Online privacy to remain thorny issue: Survey – http://cio.economictimes.indiatimes.com/news/internet/online-privacy-to-remain-thorny-issue-survey/45570062

Privacy breaches at Rouge Valley hospital may have affected Ajax-Pickering patients – http://www.durhamregion.com/news-story/5211578-privacy-breaches-at-rouge-valley-hospital-may-have-affected-ajax-pickering-patients/

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

Information Security Breach Report – 18 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

Breaches, Incidents and Alerts:

Phishing email contains Word doc, enabling macros leads to malware infection – http://www.scmagazine.com/phishing-email-contains-word-doc-enabling-macros-leads-to-malware-infection/article/388936/

Mobile RAT Xsser continues to threaten Android, iOS device security – http://www.scmagazine.com/mobile-rat-xsser-continues-to-threaten-android-ios-device-security/article/388929/

Banks Sue Kmart Over Credit Card Data Breach – http://www.databreaches.net/banks-sue-kmart-over-credit-card-data-breach/

Vulnerable TLS Implementation Exposes Cisco Products to POODLE Attacks – http://www.securityweek.com/vulnerable-tls-implementation-exposes-cisco-products-poodle-attacks

ICANN targeted by Spear Phishing attack, several systems impacted – http://www.csoonline.com/article/2860737/social-engineering/icann-targeted-by-spear-phishing-attack-several-systems-impacted.html#tk.rss_all

New ransomware avoids hitting the same victim twice – http://www.csoonline.com/article/2860417/data-protection/new-ransomware-avoids-hitting-the-same-victim-twice.html#tk.rss_all

Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor – https://isc.sans.edu/diary/Certified+pre-pw0ned+Android+Smartphones%3A+Coolpad+Firmware+Backdoor/19075

Android OS And iOS Targeted by Man-in-the-Middle Attacks – http://www.techweekeurope.co.uk/workspace/android-os-ios-targeted-man-middle-attacks-157693

Docker Fixes Vulnerabilities, Shares Plans For Making Platform Safer – http://www.securityweek.com/docker-fixes-vulnerabilities-shares-plans-making-platform-safer

Union First Market Bank deactivates thousands of ATM cards after skimming incidents – http://wtvr.com/2014/12/15/security-breach-leads-union-first-market-bank-to-deactivate-thousands-of-atm-cards/

Did Regulator Cause a Data Breach? – http://www.databreachtoday.com/did-regulator-cause-data-breach-a-7685

 

Miscellaneous Infosec stories:

Cyber Attackers Increasingly Sneaking Corporate Data Out Through DNS – http://www.eweek.com/security/cyber-attackers-increasingly-sneaking-corporate-data-out-through-dns.html

Business interrupted: Telstra reveals Australia’s security breach impact – http://www.zdnet.com/article/business-interrupted-telstra-reveals-australias-security-breach-impact/

TorrentLocker Ransomware Makes Criminals Up to $500K – http://www.infosecurity-magazine.com/news/torrentlocker-ransomware-criminals/

Banks use lots of cloud services but are unaware – http://www.computerweekly.com/news/2240236836/Banks-are-using-hundreds-of-cloud-computing-services-but-dont-know

Top malware families turn point-of-sale into point-of-theft – http://www.csoonline.com/article/2860416/malware-cybercrime/top-malware-families-turn-point-of-sale-into-point-of-theft.html#tk.rss_all

Protecting the underground electronic communications infrastructure – http://www.net-security.org/secworld.php?id=17763

Can’t stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain – http://www.theregister.co.uk/2014/12/17/pci_revamp_after_target_home_depot_breach/

Cryptologists meet in Delhi to make and break new codes – http://cio.economictimes.indiatimes.com/news/internet/cryptologists-meet-in-delhi-to-make-and-break-new-codes/45549123

Google considers warning internet users about data risks – http://www.bbc.co.uk/news/technology-30505970

Is Mobile the weakest link in Enterprise Security? – http://cio.economictimes.indiatimes.com/news/digital-security/is-mobile-the-weakest-link-in-enterprise-security/45534705?utm_source=RSS&utm_medium=ETRSS

 

Tools, Tips and How it’s done:

Using WPA2 to avoid data breach headlines – http://community.spiceworks.com/topic/694163-using-wpa2-to-avoid-data-breach-headlines

Social sniffer predicts which Nigerian prince has the best chance of scamming you – http://www.theregister.co.uk/2014/12/18/human_vulnerability_scanner_predicts_risky_behaviour/

Tallinn Paper: The Nature of International Law Cyber Norms – https://ccdcoe.org/multimedia/tallinn-paper-nature-international-law-cyber-norms.html

Zen and the Art of Cloud Database Security (Part 2) – http://www.securityweek.com/zen-and-art-cloud-database-security-part-2

The four Mac security options everyone should know – http://www.csoonline.com/article/2860380/data-protection/the-four-mac-security-options-everyone-should-know.html#tk.rss_all

Fast Flux Networks Working and Detection, Part 1 – http://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/

Speculations Concerning the First Ultraintelligent Machine (1965) [pdf] – http://webdocs.cs.ualberta.ca/~sutton/Good65ultraintelligent.pdf

Fake2db: generates databases filled with fake but valid information – https://github.com/emirozer/fake2db

 

Miscellaneous Privacy stories

Kudos to Microsoft: Fighting US attempt to access emails at Dublin data centre – http://grahamcluley.com/2014/12/microsoft-dublin-data-centre/

Facebook privacy policy under Dutch lens – http://cio.economictimes.indiatimes.com/news/government-policy/facebook-privacy-policy-under-dutch-lens/45544927?utm_source=RSS&utm_medium=ETRSS

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

Information Security Breach Report – 17 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

Breaches, Incidents and Alerts:

Linux Distributions Affected by Two “mailx” Vulnerabilities – http://www.securityweek.com/linux-distributions-affected-two-mailx-vulnerabilities

Data Breach at Retail Giants, Malware Communicated with Same C&Cs – http://www.seculert.com/blog/2014/12/data-breach-at-retail-giants-malware-communicated-with-same-ccs.html

VCU Health warns of breach – http://www.fredericksburg.com/news/va_md_dc/vcu-health-warns-of-breach/article_7e4605e0-5ff5-5983-88c1-2554a31ef82e.html

Two New Ransomware Strains – http://www.exchangemagazine.com/morningpost/2014/week50/Tuesday/14121611.htm

PhpBB suffers massive security compromise – https://www.phpbb.com/community/viewtopic.php?f=64&t=1186015

Fake Cell Towers Found in Norway – https://www.schneier.com/blog/archives/2014/12/fake_cell_tower.html

Sony hackers threaten US cinemas – http://www.bbc.co.uk/news/entertainment-arts-30507306

Banks: Park-n-Fly Online Card Breach – http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/

Union First Market warns of breach – http://www.fredericksburg.com/business/local_business/union-first-market-warns-of-breach/article_2a4d741c-8550-11e4-bc93-871ee5929f2d.html

Delta security flaw let passengers access others’ boarding passes – http://mashable.com/2014/12/16/delta-security-flaw/

Former Employees Are Suing Sony Over ‘Epic Nightmare’ Hack – http://www.wired.com/2014/12/sony-getting-sued-former-employees-protecting-data/

Ofcom experiences one thousand cyber attacks in two months – http://www.cloudpro.co.uk/cloud-essentials/cloud-security/4709/ofcom-experiences-one-thousand-cyber-attacks-in-two-months

Spain: Four government ministries hit most from cyber hacking attempts – http://www.businessinsurance.com/article/20141216/NEWS09/141219907

Illinois hospital reports data blackmail – http://www.csoonline.com/article/2859900/data-breach/illinois-hospital-reports-data-blackmail.html#tk.rss_all

CA Technologies Fixes Vulnerabilities in CA Release Automation – http://www.securityweek.com/ca-technologies-fixes-vulnerabilities-ca-release-automation

 

Miscellaneous Infosec stories:

The Growing Threat Social Engineering Poses to Organizations… Is Your Team Equipped? – http://www.social-engineer.com/growing-threat-social-engineering-poses-organizations-team-equipped/

2014: Year of the New ‘Old’ Bugs – http://www.databreachtoday.com/2014-year-new-old-bugs-a-7681

Cyber experts predict top targets for 2015 – http://www.wbtw.com/story/27646143/cyber-experts-predict-top-targets-for-2015

Cyber cafes weak link in terror: Ruddock – http://www.pngloop.com/2014/12/17/cyber-cafes-weak-link-terror-ruddock/

2015 InfoSec Trends You Should and Shouldn’t Worry About – http://watchguardsecuritycenter.com/2014/12/16/2015-infosec-trends-you-should-and-shouldnt-worry-about/

2014: The Year of Privilege Vulnerabilities – http://www.darkreading.com/vulnerabilities—threats/2014-the-year-of-privilege-vulnerabilities/a/d-id/1318187

Gov’t beefs up cyber-security after website attacks – http://www.jamaicaobserver.com/latestnews/Govt-beefs-up-cyber-security-after-website-attacks

New England security group shares threat intelligence, strives to bolster region as cybersecurity mecca – http://www.csoonline.com/article/2860392/malware-cybercrime/new-england-security-group-shares-threat-intelligence-strives-to-bolster-region-as-cybersecurity-me.html#tk.rss_all

9 data breaches that cost someone their job – http://www.csoonline.com/article/2859485/data-breach/9-data-breaches-that-cost-someone-their-job.html#tk.rss_all

Data breaches lead long line of reasons for apologies this year – http://www.csoonline.com/article/2859903/data-breach/data-breaches-lead-long-line-of-reasons-for-apologies-this-year.html#tk.rss_all

This Linux grinch could put a hole in your security stocking – http://www.csoonline.com/article/2859511/malware-cybercrime/this-linux-grinch-could-put-a-hole-in-your-security-stocking.html#tk.rss_all

Breach Therapy: 10 Companies Who Can’t Wait For 2014 To Be Over – http://www.webroot.com/blog/2014/12/15/breach-therapy-10-companies-cant-wait-2014/

Gmail gets Content Security Policy support to stop extensions from loading unsafe code – http://venturebeat.com/2014/12/16/gmail-gets-content-security-policy-support-to-stop-extensions-from-loading-unsafe-code/

Spam Laced With Malicious Links Jumps: Symantec – http://www.securityweek.com/spam-laced-malicious-links-jumps-symantec

In A Riskier World, Security Teams Adopt Expanding Roles – http://www.forbes.com/sites/riskmap/2014/12/16/in-a-riskier-world-security-teams-adopt-expanding-roles/

Russian National Defense Control Center almost 100% protected from cyber attacks – http://itar-tass.com/en/russia/767317

Counting the real cost of cyber attacks – http://www.smh.com.au/it-pro/security-it/counting-the-real-cost-of-cyber-attacks-20141216-128ehk.html

From Lycos to Ask Jeeves to Facebook: Tracking the 20 most popular web sites every year since 1996 – http://www.washingtonpost.com/news/the-intersect/wp/2014/12/15/from-lycos-to-ask-jeeves-to-facebook-tracking-the-20-most-popular-web-sites-every-year-since-1996/

The Dawn of the Flying Smartphone – http://motherboard.vice.com/read/the-dawn-of-the-flying-smartphone

Phishing spam gets ‘Big Box Retailer’ holiday makeover – http://www.csoonline.com/article/2859490/malware-cybercrime/phishing-spam-gets-big-box-retailer-holiday-makeover.html#tk.rss_all

 

Tools, Tips and How it’s done:

TorrentLocker: Racketeering ransomware disassembled by ESET experts – http://www.welivesecurity.com/2014/12/16/torrentlocker-racketeering-ransomware-disassembled-by-eset-experts/

2014’s Top Malware: Less Money, Mo’ Problems – http://www.darkreading.com/2014s-top-malware-less-money-mo-problems/d/d-id/1318204

How Secure Are Temporary Messaging Apps for Work? – https://recode.net/2014/12/16/how-secure-are-temporary-messaging-apps-for-work/

SOCIAL ENGINEERING: HACKING WITHOUT PASSWORDS – http://www.droidmaverick.com/social-engineering-hacking-without-passwords/

Operation Tornado – FBI Used Metasploit to unmask Tor users – http://securityaffairs.co/wordpress/31174/cyber-crime/operation-tornado-fbi-against-tor.html

CYBER PLAYBOOK – http://invotas.csgi.com/cyber-playbook

Some Memory Forensic with Forensic Suite (Volatility plugins) – https://isc.sans.edu/diary/Some+Memory+Forensic+with+Forensic+Suite+%28Volatility+plugins%29/19071

A look inside Facebook’s source code – http://sintheticlabs.com/blog/a-look-inside-facebooks-source-code.html

Threat modeling for FPGA software backdoors – http://siliconexposed.blogspot.co.uk/2014/09/threat-modeling-for-fpga-software.html

How does the US government run the internet? This is how – http://www.theregister.co.uk/2014/12/16/this_is_how_the_us_government_runs_the_internet/

Basic Malware Analysis – http://www.solutionary.com/resource-center/blog/2014/12/basic-malware-analysis/

Legality of Jailbreaking Mobile Phones – http://resources.infosecinstitute.com/legality-jailbreaking-mobile-phones/

Android Hacking and Security, Part 16: Broken Cryptography – http://resources.infosecinstitute.com/android-hacking-security-part-16-broken-cryptography/

3 low-tech threats that lead to high-profile breaches – http://www.csoonline.com/article/2859482/data-protection/3-low-tech-threats-that-lead-to-high-profile-breaches.html#tk.rss_all

Virtual machines could be the gold standard for network security – http://www.csoonline.com/article/2859389/data-protection/pre-configured-secure-vms.html#tk.rss_all

A brief history of Mac malware – http://www.csoonline.com/article/2859905/malware-cybercrime/a-brief-history-of-mac-malware.html#tk.rss_all

Forget the Gossip, These Are the Lessons of the Sony Hack – http://www.businessweek.com/articles/2014-12-16/forget-the-gossip-these-are-the-lessons-of-the-sony-hack#r=rss

10 changes you can make to achieve security serenity now! – http://www.csoonline.com/article/2859273/infosec-staffing/top-10-changes-you-can-make-to-achieve-security-serenity-now.html#tk.rss_all

 

Miscellaneous Privacy stories

UK cops caught using 12 MILLION Brits’ mugshots on pic database – http://www.theregister.co.uk/2014/12/17/legality_of_coppers_facial_recognition_database_called_into_question/

Privacy Breach Class Actions in Ontario – What’s Coming in 2015 – http://conway.pro/fr/privacy-breach-class-actions-in-ontario-whats-coming-in-2015/

Privacy and security in cyberspace: right of all or luxury of the few? – https://www.opendemocracy.net/openglobalrights-blog/sarah-mckune/privacy-and-security-in-cyberspace-right-of-all-or-luxury-of-few

Angelina Jolie Hires Cyber Security to Protect Her Kids Online – http://www.people.com/article/angelina-jolie-brad-pitt-kids-monitor-internet

Iowa Dept. Of Transportation Announces Plan To Give Police Officers, Security Personnel Full Access To Your Smartphone – https://www.techdirt.com/articles/20141212/05024829407/iowa-dept-transportation-announces-plan-to-give-police-officers-security-personnel-full-access-to-your-smartphone.shtml

Google faces $18 mn fine for web privacy violations – http://cio.economictimes.indiatimes.com/news/government-policy/google-faces-18-mn-fine-for-web-privacy-violations/45534654?utm_source=RSS&utm_medium=ETRSS

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

SRM Blog

SRM Blog