Monthly Archive December 2014

Information Security Breach Report – 16 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.


Breaches, Incidents and Alerts:

Shellshock Worm Exploiting Unpatched QNAP NAS Devices – http://threatpost.com/shellshock-worm-exploiting-unpatched-qnap-nas-devices/109870

Customized Support Scam Supported by Typo Squatting – https://isc.sans.edu/diary/Customized+Support+Scam+Supported+by+Typo+Squatting/19065

Researcher identifies XSS vulnerability affecting Citibank website – http://www.scmagazine.com/researcher-identifies-xss-vulnerability-affecting-citibank-website/article/388433/

MS Word and Macros… Now With Social Engineering Malware – http://www.hackbusters.com/news/stories/192837-ms-word-and-macros-now-with-social-engineering-malware

Fixed a critical flaw in Blogger that allowed writing posts on any blog – http://securityaffairs.co/wordpress/31120/hacking/fixed-critical-flaw-blogger-allows-write-posts-blog.html

Breach insurance might not cover losses at Sony Pictures – http://www.csoonline.com/article/2859535/business-continuity/breach-insurance-might-not-cover-losses-at-sony-pictures.html#tk.rss_all

Honeywell OPOS Suite Affected by Serious Vulnerability – http://www.securityweek.com/honeywell-opos-suite-affected-serious-vulnerability

SPE attorneys want media to destroy received materials from breach – http://www.tweaktown.com/news/41961/spe-attorneys-want-media-destroy-received-materials-breach/index.html

University of California, Berkeley suffers data breach – http://www.csoonline.com/article/2859126/data-breach/university-of-california-berkley-suffers-data-breach.html#tk.rss_all

Mobile Ad Firms Spotted Serving Up Malware Posing As Google Play Apps – http://techcrunch.com/2014/12/12/mobile-ad-firms-spotted-serving-up-malware-posing-as-google-play-apps/


Miscellaneous Infosec stories:

Cyberattacks to cost India Inc over $5 billion in 2014 – http://cio.economictimes.indiatimes.com/news/digital-security/cyberattacks-to-cost-india-inc-over-5-billion-in-2014/45530559

What do Targeted Attacks and Texas Hold’em Have in Common? – http://lightcyber.com/targeted-attacks-texas-holdem-common/

Price Tag Rises For Stolen Identities Sold In The Underground – http://www.darkreading.com/attacks-breaches/price-tag-rises-for-stolen-identities-sold-in-the-underground/d/d-id/1318165

Mark Cuban: People Need To Learn That No Email Is Safe – http://uk.businessinsider.com/mark-cuban-response-to-sony-leak-on-cyber-dust-2014-12?r=US

Excessive Employee Access Privileges Expose Corporate Data to Risk: Survey – http://www.securityweek.com/excessive-employee-access-privileges-expose-corporate-data-risk-survey

Roll up, come see the BOOMING HACKER BAZAAR! – http://www.theregister.co.uk/2014/12/15/roll_up_come_see_the_booming_hacker_bazaar/ and http://www.businessweek.com/articles/2014-12-15/current-hacker-underground-markets-are-booming#r=rss

Holding masses of data, cyber criminals face new hurdles to cashing out – http://www.infoworld.com/article/2859544/security/holding-masses-of-data-cyber-criminals-face-new-hurdles-to-cashing-out.html

Voice Biometrics Improve Transaction Monitoring Fraud Detection – http://www.banktech.com/security/voice-biometrics-improve-transaction-monitoring-fraud-detection/a/d-id/1318145

Stolen Identity Business Going Strong – http://www.securityweek.com/stolen-identity-business-going-strong

What Banks Don’t Know About the Security Hazards of Cloud Computing – http://www.americanbanker.com/news/bank-technology/what-banks-dont-know-about-the-security-hazards-of-cloud-computing-1071672-1.html

Chrome Security Team Considers Marking All HTTP Pages As ‘Non-Secure’ – https://www.techdirt.com/articles/20141213/07112629425/chrome-security-team-considers-marking-all-http-pages-as-non-secure.shtml

Analytics, cyber security top CIO concerns for 2015 – http://www.itworldcanada.com/article/analytics-cyber-security-top-cio-concerns-for-2015/100458

IBM Study says Organizations Struggling to Defend Against Sophisticated Cyber Attacks – http://investcorrectly.com/20141215/ibm-study-says-organizations-struggling-defend-sophisticated-cyber-attacks/

Crypto Chaos: Survey Finds Data Breach Vector Remains Wide Open Thanks to Traffic Encryption Challenges – https://uk.finance.yahoo.com/news/crypto-chaos-survey-finds-data-170000032.html

Retailers must not ignore security alerts, court says – http://www.csoonline.com/article/2859181/data-protection/retailers-must-not-ignore-security-alerts-court-says.html#tk.rss_all

Death of antivirus software greatly exaggerated – http://www.csoonline.com/article/2859123/data-protection/death-of-antivirus-software-greatly-exaggerated.html#tk.rss_all

Tokenization: Why EMVCo Falls Short – http://www.bankinfosecurity.co.uk/blogs/tokenization-emvco-falls-short-p-1784

‘Shadow IT’ gradually sapping power and budget from CIOs – http://www.theregister.co.uk/2014/12/15/cios_grip_on_budgets_loosened_by_shadow_it_says_survey/

DEBUNKING THE BIGGEST CYBER SECURITY MYTHS FOR BUSINESSES – http://www.tripwire.com/state-of-security/security-awareness/debunking-the-biggest-cyber-security-myths-for-businesses/

Insider threat prevention may demand more spending – http://searchsecurity.techtarget.com/video/Insider-threat-prevention-may-demand-more-spending

The Internet Of Things’ Best-Kept Secret – http://www.forbes.com/sites/gilpress/2014/12/15/the-internet-of-things-best-kept-secret-2/

ICANN: data breaches not due to new top-level domains – http://www.csoonline.com/article/2858896/browser-security/icann-data-breaches-not-due-to-new-top-level-domains.html#tk.rss_all

The problem with security shortcuts – http://www.net-security.org/secworld.php?id=17754

Plusnet could face DATA BREACH probe over SPAM HELL gripes – http://www.theregister.co.uk/2014/12/15/plusnet_could_face_data_breach_probe_over_spam_hell_complaints/

10 CYBER SECURITY FACTS – http://www.latesthackingnews.com/2014/12/14/10-cyber-security-facts/

Sony Pictures hacking back: The ethics of obfuscation – http://searchsecurity.techtarget.com/news/2240236597/Sony-Pictures-hacking-back-The-ethics-of-obfuscation

We Are Living In The Age of the Mega-Breach – https://ctovision.com/2014/12/living-age-mega-breach/

‘Security by Antiquity’ Bricks Payment Terminals – http://krebsonsecurity.com/2014/12/security-by-antiquity-bricks-payment-terminals/


Tools, Tips and How it’s done:

The Importance of POS Threat Analysis for the Retail Sector – http://resources.infosecinstitute.com/importance-pos-threat-analysis-retail-sector/

Dark Reading Radio: How To Become A CISO – http://www.darkreading.com/dark-reading-radio-how-to-become-a-ciso/a/d-id/1318150

BlueMaho Project – Bluetooth Security Testing Suite – http://www.darknet.org.uk/2014/12/bluemaho-project-bluetooth-security-testing-suite/

NIST Revises Guide on Security Controls – http://www.inforisktoday.co.uk/nist-revises-guide-on-security-controls-a-7679

Uncrackable quantum authentication uses photons to secure your data – http://www.extremetech.com/extreme/195952-uncrackable-quantum-authentication-uses-photons-to-secure-your-data

Passive WiFi Tracking – http://edwardkeeble.com/2014/02/passive-wifi-tracking/

How To Survive Breach Failure (Part 3 of 3) – http://www.accuvant.com/blog/how-to-survive-breach-failure-part-3-of-3

Cloud computing and privacy series: the general legal framework (part 1 of 6) – http://www.twobirds.com/en/news/articles/2014/global/cloud-computing-and-privacy-series-the-general-legal-framework-1

Cloud computing and privacy series: the data protection legal framework (part 2 of 6) – http://www.twobirds.com/en/news/articles/2014/global/cloud-computing-and-privacy-series-the-data-protection-legal-framework

Cloud computing and privacy series: security requirements and guidance (part 3 of 6) – http://www.twobirds.com/en/news/articles/2014/global/cloud-computing-series-security-requirements-and-guidance

Cloud computing and privacy series: a legal perspective on data anonymisation (part 4 of 6) – http://www.twobirds.com/en/news/articles/2014/global/cloud-computing-series-legal-perspective-on-data-anonymisation

Cloud computing and privacy series: security and data breach legal requirements (part 5 of 6) – http://www.twobirds.com/en/news/articles/2014/global/cloud-computing-and-privacy-series-security-and-data-breach-legal-requirements

Evolutionary couplings between files reveal poor design choices in software architecture – http://ergoso.me/computer/science/github/software/evolutionary/couplings/2014/12/10/evsrc-evolutionary-couplings-reveal-poor-software-design.html

Breaking a flawed audio CAPTCHA in JavaScript – https://github.com/vladc/RoTLD-Captcha

How to secure Apple and Android mobile devices using 802.1X – http://www.csoonline.com/article/2859554/mobile-security/how-to-secure-apple-and-android-mobile-devices-using-802-1x.html#tk.rss_all

Spear Alerting: Improving Efficiency of Security Operations and Incident Response – http://www.securityweek.com/spear-alerting-improving-efficiency-security-operations-and-incident-response

Stop spammers from exploiting your webserver! – http://www.spamhaus.org/news/article/718/stop-spammers-from-exploiting-your-webserver

Balancing BYOD and the Company’s Needs – http://www.bankinfosecurity.co.uk/balancing-byod-companys-needs-a-7677

Fundamentals of endpoint security: Antimalware protection in the enterprise – http://searchsecurity.techtarget.com/feature/Fundamentals-of-endpoint-security-Antimalware-protection-in-the-enterprise

Simple yet Effective Methods to Solve Java Security Issues – http://resources.infosecinstitute.com/simple-yet-effective-methods-solve-java-security-issues/


Miscellaneous Privacy stories:

We Asked 29 Tech Companies If Their Employees Can Access Your Personal Data – http://www.buzzfeed.com/charliewarzel/we-asked-29-tech-companies-if-their-employees-can-access-you

Sony Breach May Inspire Slew Of Privacy, Employment Claims – http://www.mondaq.com/unitedstates/x/360648/Data+Protection+Privacy/Sony+Breach+May+Inspire+Slew+Of+Privacy+Employment+Claims

Google must free us from ‘invisible web of our personal data’ – DPA – http://www.theregister.co.uk/2014/12/15/google_change_privacy_policy_dutch_dpa/

Companies invested millions in privacy in 2014 – http://www.net-security.org/secworld.php?id=17755

Stingray surveillance devices used to spy on the Norwegian Parliament – http://securityaffairs.co/wordpress/31109/intelligence/stingray-used-spy-norway-politicians.html


If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com


You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My LinkedIn profile is uk.linkedin.com/in/jonfisher99/

Information Security Breach Report – 15 December 2014


Breaches, Incidents and Alerts:

Report: Cyber attack against Swedish government after file-sharing website raided – http://www.ynetnews.com/articles/0,7340,L-4603541,00.html

SoakSoak Malware Compromises 100,000+ WordPress Websites – http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

Spain police arrest 4 for allegedly launching cyber-attack that crashed media website 3 weeks – http://www.startribune.com/world/285754681.html

Hamas claims it hacked IDF computers to leak sensitive details of previous operations – http://www.independent.co.uk/news/world/middle-east/hamas-claims-it-hacked-idf-computers-to-leak-sensitive-details-of-previous-operations-9923742.html

SpamHaus, CloudFlare Attacker Pleads Guilty – http://krebsonsecurity.com/2014/12/spamhaus-cloudflare-attacker-pleads-guilty-to-computer-abuse-child-porn-charges/

Cornwall Council data breach reveals personal information – http://www.krollontrack.co.uk/company/press-room/legal-technologies-news/cornwall-council-data-breach-reveals-personal-information755.aspx

Local Security Breach Compromises People’s Information – http://www.cbs12.com/news/top-stories/stories/vid_21310.shtml

Chinese hackers attacked National Research Council computers – http://www.ctvnews.ca/canada/chinese-hackers-attacked-national-research-council-computers-1.2146400

Serbia – Hackers claimed to have stolen the entire national database – http://securityaffairs.co/wordpress/31068/cyber-crime/serbia-hackers-stolen-national-database.html

Ukrainian Hackers Leak Russian Interior Ministry Docs with ‘Evidence’ of Russian Invasion – http://globalvoicesonline.org/2014/12/13/ukrainian-hackers-leak-russian-interior-ministry-docs-with-evidence-of-russian-invasion/

Ursnif Malware Steals Data, Infects Files in US, UK – http://www.securityweek.com/ursnif-malware-steals-data-infects-files-us-uk

Malwarebytes Anti-Exploit Upgrade Mechanism Vulnerable to MitM Attacks – http://www.securityweek.com/malwarebytes-anti-exploit-upgrade-mechanism-vulnerable-mitm-attacks

Android Malware Installs Pirated Assassin’s Creed App – http://threatpost.com/android-malware-installs-pirated-assassins-creed-app/109862

Attackers Turn Focus to PoS Vendors – http://www.darkreading.com/attacks-breaches/attackers-turn-focus-to-pos-vendors/d/d-id/1318129

Batten down the patches: New vuln found in Docker container tech – http://www.theregister.co.uk/2014/12/12/docker_vulnerability/

Possible Data Breach Being Investigated by County Department in Iowa – http://www.hacksurfer.com/posts/possible-data-breach-being-investigated-by-county-department-in-iowa

Report: ‘Wiper’ Malware Hit Casino Firm – http://www.databreachtoday.com/report-wiper-malware-hit-casino-firm-a-7675

Upatre Downloader Spreading Dyreza Banking Trojan – http://threatpost.com/upatre-downloader-spreading-dyreza-banking-trojan/109858

Bong Ventures LLC: We’ve been cyberhacked – http://www.theregister.co.uk/2014/12/12/steve_bong_cyberattack/


Sony:

Sony Hackers Offer to Withhold Stolen Data From Promised Leak – http://recode.net/2014/12/14/sony-hackers-offer-to-withhold-stolen-data-from-promised-leak/

Sony Hackers Leak New Data, Threaten ‘Christmas Gift’ To Put Studio In ‘Worst State’ – http://www.thewrap.com/sony-hackers-leak-new-data-threaten-christmas-gift-to-put-studio-in-worst-state/

Hackers vs. James Bond in Sony cyber attack – http://arynews.tv/en/hackers-vs-james-bond-sony-cyber-attack/

Sony data breach shows downsides of cloud storage – http://www.isoqsltd.com/general/sony-data-breach-shows-downsides-cloud-storage/

Sony Pictures Knew of Gaps in Computer Network Before Hack Attack – http://recode.net/2014/12/12/sony-pictures-knew-of-gaps-in-computer-network-before-hack-attack/

The Sony hack might mark the end of the phony cyber war and the beginning of the real one – http://www.techpolicydaily.com/technology/sony-hack-marks-end-phony-cyber-war/

Sony Hack: Legal Department Under Microscope After Latest Leak – http://www.hollywoodreporter.com/thr-esq/sony-hack-legal-department-under-756713


Miscellaneous Infosec stories:

Social Engineering, Monsters, Hackers And The Culture And Politics Of Technology, Secrets, And Fear – http://twittoscope.org/2014/12/14/social-engineering-monsters-hackers-and-the-culture-and-politics-of-technology-secrets-and-fear/

Victims of identity theft face months of hassle trying to restore accounts, credit history – http://www.pennlive.com/nation-world/2014/12/victims_of_identity_theft_face.html

Banks arm themselves against ever-more sophisticated cyber threats – http://www.euromoney.com/Article/3409927/Banks-arm-themselves-against-ever-more-sophisticated-cyber-threats.html

Cyber crooks target freshers hunting jobs – http://www.deccanchronicle.com/141214/nation-crime/article/cyber-crooks-target-freshers-hunting-jobs

UK’s biggest firms still falling down on anti-phishing security – http://www.csoonline.com/article/2859232/malware-cybercrime/uks-biggest-firms-still-falling-down-on-antiphishing-security.html#tk.rss_all

10 Predictions About the Data Breach Landscape in 2015 – http://www.eweek.com/security/slideshows/10-predictions-about-the-data-breach-landscape-in-2015.html

Retailers are “overconfident” about their security, majority have fundamental gaps – https://nakedsecurity.sophos.com/2014/12/12/retailers-are-overconfident-about-their-security-majority-have-fundamental-gaps/


Tools, Tips and How it’s done:

BYOD: How to keep your data safe on their mobile devices – http://www.theregister.co.uk/2014/12/14/device_management/

Worm Backdoors and Secures QNAP Network Storage Devices – https://isc.sans.edu/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

DOWNLOAD ETHICAL HACKING COURSE PART-10 INTRODUCTIONS TO SOCIAL ENGINEERING ATTACKS VIDEO – https://www.tumblr.com/search/Download+Ethical+Hacking+Course+Part-10+Introductions+to+Social+Engineering+Attacks+video

A Tutorial on Linear and Differential Cryptanalysis – http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf

OPERATION SOCIALIST – THE INSIDE STORY OF HOW BRITISH SPIES HACKED BELGIUM’S LARGEST TELCO – https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/

Foundations of Cryptography (2007) – http://www.wisdom.weizmann.ac.il/~naor/COURSE/foundations_of_crypto.html

Here’s How Cyber-Warfare Started And Where It’s Going – http://www.businessinsider.sg/future-of-cyber-warfare-2014-12/#.VI6jZiusWSo

WATCH: Scientists have put a worm’s brain into a Lego robot’s body – and it works – http://www.sciencealert.com/watch-scientists-have-put-a-worm-s-brain-into-a-lego-robot-s-body-and-it-works

Your Own Private Cyber ISAC: How To Get Up and Running – http://www.securityweek.com/your-own-private-cyber-isac-how-get-and-running

Top 3 Takeaways from the “Get it Under Control: Top 7 Security Controls to Focus On” Webcast – https://community.rapid7.com/community/infosec/blog/2014/12/12/top-3-takeaways-from-the-get-it-under-control-top-7-security-controls-to-focus-on-webcast

How to bridge and secure air gap networks – http://www.csoonline.com/article/2858751/data-breach/how-to-bridge-and-secure-air-gap-networks.html#tk.rss_all

A brief history of Linux malware – http://www.csoonline.com/article/2859117/malware-cybercrime/a-brief-history-of-linux-malware.html#tk.rss_all

How To Survive Breach Failure (Part 1 of 3) – http://www.accuvant.com/blog/how-to-survive-breach-failure-part-1-of-3

How To Survive Breach Failure (Part 2 of 3) – http://www.accuvant.com/blog/how-to-survive-breach-failure-part-2-of-3

Penetration Testing Methodology for Web Applications – http://resources.infosecinstitute.com/penetration-testing-methodology-web-applications/

Data Loss Prevention Walkthrough Guide – http://resources.infosecinstitute.com/download/data-loss-prevention/

Avoiding Mod Security False Positives with White-listing – http://resources.infosecinstitute.com/avoiding-mod-security-false-positives-white-listing/

Malvertising on a Website Without Ads – http://blog.sucuri.net/2014/12/malvertising-on-a-website-without-ads.html

A Model for Evaluating Breach Detection Readiness – http://blogs.cisco.com/security/a-model-for-evaluating-breach-detection-readiness

Attackers Prey on Incident Response Bottlenecks – https://community.rapid7.com/community/userinsight/blog/2014/12/12/attackers-prey-on-incident-response-bottlenecks


Miscellaneous Privacy stories:

Centrelink’s slap on the wrist for shocking privacy breach – http://www.smh.com.au/national/public-service/centrelinks-slap-on-the-wrist-for-shocking-privacy-breach-20141214-1246fs.html


Information Security Breach Report – 12 December 2014


Breaches, Incidents and Alerts:

Hacking attack hits Sweden internet giant – http://www.thelocal.se/20141211/internet-issues-in-telia-attack

A Cyber Attack May Have Caused a Turkish Oil Pipeline to Catch Fire – http://www.slate.com/blogs/future_tense/2014/12/11/bloomberg_reports_a_cyber_attack_may_have_made_a_turkish_oil_pipeline_catch.html

Data Breach at Popular Restaurant Kickback Jacks Leaves Customers Vulnerable – http://www.financialbuzz.com/data-breach-at-popular-restaurant-kickback-jacks-leaves-customers-vulnerable-market-news-193103

State retirement system suffers security breach – http://themissouritimes.com/15353/state-retirement-system-compromised/

BlackBerry Ltd Legacy Phones Hit By ‘Inception’ Malware – http://www.valuewalk.com/2014/12/blackberry-legacy-phone-malware/

ICS-CERT Warns Attackers May be Targeting Patched SIMATIC Wincc Vulnerability – http://www.securityweek.com/ics-cert-warns-attackers-may-be-targeting-patched-simatic-wincc-vulnerability

Targeted Phishing Against GoDaddy Customers – http://blog.sucuri.net/2014/12/targeted-phishing-against-godaddy-customers.html

Black Energy Malware May Be Exploiting Patched WinCC Flaw – http://threatpost.com/black-energy-malware-may-be-exploiting-patched-wincc-flaw/109835

Vulnerabilities in Alibaba Marketplace Exposed Buyer and Seller Accounts – http://www.securityweek.com/vulnerabilities-alibaba-marketplace-exposed-buyer-and-seller-accounts

Smartwatch Hacked, how to access data exchanged with Smartphone – http://securityaffairs.co/wordpress/31007/intelligence/smartwatch-hacked.html

FreeBSD developers VANQUISH Demon bug – http://www.theregister.co.uk/2014/12/11/freebsd_security_bug_patched/

Elderly zombie Asprox botnet STILL mauling biz bods, says survey – http://www.theregister.co.uk/2014/12/11/asprox_malware_mauls_business/

Parking company issues cardholder security breach at Union Station – http://fox2now.com/2014/12/10/parking-company-issues-cardholder-security-breach-at-union-station/

Now at the Sands Casino: An Iranian Hacker in Every Server – http://nybw.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#r=rss

Mysterious Turla Linux Backdoor Also For Solaris? – https://www.f-secure.com/weblog/archives/00002775.html


Miscellaneous Infosec stories:

GCHQ’s first tablet app targets future cyber sleuths – http://www.bbc.co.uk/news/technology-30443083

Hiring Hackers To Secure The Internet Of Things – http://www.darkreading.com/vulnerabilities—threats/hiring-hackers-to-secure-the-internet-of-things/d/d-id/1318107

Analyzing Ponemon Cost of Data Breach – http://www.r-bloggers.com/analyzing-ponemon-cost-of-data-breach/

Sony is poisoning torrent swarms to contain data leaks – http://www.geek.com/apps/sony-is-poisoning-torrent-swarms-to-contain-data-leaks-1611442/

The biggest challenges faced by CIOs/CISOs heading into 2015 – http://www.csoonline.com/article/2858343/data-protection/the-biggest-challenges-faced-by-cios-cisos-heading-into-2015.html#tk.rss_all

Is your information security spending in line with the risks? – http://searchsecurity.techtarget.com/answer/Is-your-information-security-spending-in-line-with-the-risks

Sony Hackers Risk Exposure with Each Data Leak, According to Security Experts – http://variety.com/2014/digital/news/sony-hackers-risk-exposure-with-each-data-leak-security-experts-1201377113/

TRL researching vehicle cyber security – http://www.tyrepress.com/2014/12/trl-researching-vehicle-cyber-security/

Experts Question Sony Hack-Back Story – http://www.inforisktoday.co.uk/experts-question-sony-hack-back-story-a-7669

Cloud Atlas APT Shows Red October Threat Actors Are Back – http://www.securityweek.com/cloud-atlas-apt-shows-red-october-threat-actors-are-back

UK Cyber Security Strategy: statement on progress 3 years on – https://www.gov.uk/government/speeches/uk-cyber-security-strategy-statement-on-progress-3-years-on

‘Hackers are a serious threat to aircraft safety’: Aviation chiefs warn of the devastating consequences of a cyber attack – http://www.dailymail.co.uk/sciencetech/article-2869827/Hackers-threat-aircraft-safety-Aviation-chiefs-warn-devastating-consequences-cyber-attack.html

Dan Liljenquist: Sony hack reminds us to prepare for cyber warfare – http://www.deseretnews.com/article/865617441/Sony-hack-reminds-us-to-prepare-for-cyber-warfare.html

4 Worst Government Data Breaches Of 2014 – http://www.informationweek.com/government/cybersecurity/4-worst-government-data-breaches-of-2014/d/d-id/1318061

FBI: Cyber attack against Sony would have bested most federal defenses too – http://www.federalnewsradio.com/533/3760848/FBI-Cyber-attack-against-Sony-would-have-bested-most-federal-defenses-too

IT and end users are far apart on critical data access – http://www.csoonline.com/article/2858374/data-protection/it-end-users-far-apart-on-critical-data-access.html#tk.rss_all


Tools, Tips and How it’s done:

Targeted CyberAttacks Logbook – https://apt.securelist.com/

Tutorial – Beginner’s Guide to Fuzzing – https://fuzzing-project.org/tutorial1.html

Can you spot the phishing scams and stay safe online? – http://www.csoonline.com/article/2858894/malware-cybercrime/can-you-spot-the-phishing-scams-and-stay-safe-online.html#tk.rss_all

Social Engineering: 9 Ways to Keep Your Identity Safe – http://www.huffingtonpost.com/adrian-nazari/social-engineering-9-ways_b_6295156.html

Dridex and Email: A Nasty Social Engineering Team – http://www.esecurityplanet.com/malware/dridex-and-email-a-nasty-social-engineering-team.html

Cyber Attribution Problems—Not Just Who, but What – http://justsecurity.org/18334/cyber-attribution-problems-not-who/

Debunking the Hollywood hacker myth: Inside a real cyber-security command centre – http://www.ibtimes.co.uk/debunking-hollywood-hacker-myth-inside-real-cyber-security-command-centre-1479165

GMail quirk used to subvert website spam tracking – https://isc.sans.edu/diary/GMail+quirk+used+to+subvert+website+spam+tracking/19051

Layered Security – It’s Not Just for Networks – http://www.securityweek.com/layered-security-its-not-just-networks

Speaking in Tech: Sony breach proves you can NEVER defend perimeter – http://www.theregister.co.uk/2014/12/11/speaking_in_tech_episode_139/

POODLE Jr.: The Revenge – How to scan for CVE-2014-8730 – https://community.rapid7.com/community/nexpose/blog/2014/12/11/how-to-scan-for-cve-2014-8730

The Fall of Hacker Groups – http://www.phrack.com/papers/fall_of_groups.html

“The Imitation Game” and Alan Turing’s Real Contribution to Computing – http://www.charlespetzold.com/blog/2014/12/The-Imitation-Game-and-Alan-Turings-Real-Contribution-to-Computing.html

Hacker Lexicon: What Is a Backdoor? – http://www.wired.com/2014/12/hacker-lexicon-backdoor/

Why disaster recovery planning can save lives – http://www.csoonline.com/article/2858340/disaster-recovery/why-disaster-recovery-planning-can-save-lives.html#tk.rss_all

Security deficiencies that increase data breach risk – http://www.net-security.org/secworld.php?id=17747

SHORT MESSAGE SERVICE SECURITY – http://www.pdflibrary.org/pdf/short-message-service-security-infosec.html


Miscellaneous Privacy stories:

Hackable intercom lets you SPY on fellow apartment-dwellers – http://www.theregister.co.uk/2014/12/12/hackable_intercom_becomes_neighbour_spy_box/

Verizon’s New, Encrypted Calling App Comes Pre-Hacked for the NSA – http://origin-www.businessweek.com/articles/2014-12-11/verizons-new-encrypted-calling-app-comes-prehacked-for-the-nsa#r=rss

Europe’s top court mulls vandal’s right to privacy after bloke catches thug on home CCTV – http://www.theregister.co.uk/2014/12/11/eu_data_protection_czech_chap/

Cellphone searches upon arrest allowed by Canada’s top court – http://www.cbc.ca/news/politics/cellphone-searches-upon-arrest-allowed-by-canada-s-top-court-1.2869587

FACIAL WEAPONIZATION SUITE – http://www.zachblas.info/projects/facial-weaponization-suite/#

Normalization Of Mass Surveillance Continues: Ireland And Georgia Join The Snoopers Club – https://www.techdirt.com/articles/20141209/04165429367/normalization-mass-surveillance-continues-ireland-georgia-join-snoopers-club.shtml


Information Security Breach Report – 11 December 2014


Breaches, Incidents and Alerts:

Blu-ray region locks popped by hardware hacker – http://www.theregister.co.uk/2014/12/11/bluray_region_locks_popped/

Audit finds flaws remain in UM network security, even after data breach – http://www.baltimoresun.com/news/maryland/education/bs-md-umd-data-breach-audit-20141210-story.html

Sony Pictures Tries to Disrupt Downloads of its Stolen Files – http://recode.net/2014/12/10/sony-pictures-tries-to-disrupt-downloads-of-its-stolen-files/

Inception: ‘World’s most sophisticated cyber weapon’ attacking embassies and major firms – http://www.ibtimes.co.uk/inception-worlds-most-sophisticated-cyber-weapon-discovered-by-security-experts-1478950 and http://www.securityweek.com/stealthy-inception-attackers-hide-behind-layers-obfuscation

Flaw in AirWatch by VMware Leaks Info in Multi-Tenant Environments – http://www.securityweek.com/flaw-airwatch-vmware-leaks-info-multi-tenant-environments

Trihedral Fixes Vulnerability in SCADA Monitoring and Control Software – http://www.securityweek.com/trihedral-fixes-vulnerability-scada-monitoring-and-control-software

Third-Party Bundling Made IBM Products Most Vulnerable: Study – http://www.securityweek.com/third-party-bundling-made-ibm-products-most-vulnerable-study

Recursive DNS Resolvers Affected by Serious Vulnerability – http://www.securityweek.com/recursive-dns-resolvers-affected-serious-vulnerability

SQL Injection, Other Vulnerabilities Found in InfiniteWP Admin Panel – http://www.securityweek.com/sql-injection-other-vulnerabilities-found-infinitewp-admin-panel

XSS VULNERABILITIES FOUND ON TRIPADVISOR AND UBER WEBSITES – http://www.tripwire.com/state-of-security/security-data-protection/xss-vulnerabilities-found-on-tripadvisor-and-uber-websites/

Critical vulnerability affecting HD FLV Player – http://blog.sucuri.net/2014/12/critical-vulnerability-in-joomla-hd-flv-player-plugin.html

1&1 goes titsup, blames lengthy outage on DDoS attack – http://www.theregister.co.uk/2014/12/10/1_and_1_hosting_firm_claims_ddos_attack_downs_website/


Miscellaneous Infosec stories:

Anonymous Snitch ‘Sabu’ warns U.S. of cyber attacks on critical infrastructure. – http://hackread.com/anonymous-snitch-sabu-warns-cyber-attacks/

The Good, the Bad and the Unknown – Should Hacking Groups be Banned? – http://uk.sputniknews.com/world/20141210/1013286831.html

Minister Warns Of Cyber Hacking Threat To Driverless Cars – http://www.montash.com/blog/2014/12/minister-warns-of-cyber-hacking-threat-to-driverless-cars

Employee victims of Sony data breach are left fuming – http://www.twincities.com/technology/ci_27111882/employee-victims-sony-data-breach-are-left-fuming

Hacking Threatens Airline Safety: Aviation Chiefs – http://www.securityweek.com/hacking-threatens-airline-safety-aviation-chiefs

Can three ex-NSA snoops stop the worst hacks before they start? – http://fortune.com/2014/12/10/area-1-security/

Russia’s Kaspersky says cybercriminals to attack banks in 2015 – http://itar-tass.com/en/world/766279

Yahoo to Disclose Newly Discovered Vulnerabilities Within 90-Day Window – http://www.securityweek.com/yahoo-disclose-newly-discovered-vulnerabilities-within-90-day-window

EU breach notification law could cover social networks – http://thehill.com/policy/cybersecurity/226600-eu-breach-notification-law-could-cover-social-networks

NEW YORK TOP REGULATOR CRACKING DOWN ON CYBER SECURITY – http://www.pymnts.com/news/2014/new-york-top-regulator-cracking-down-on-cyber-security/

Why the board of directors will go off on security in 2015 – http://www.csoonline.com/article/2857520/data-protection/why-the-board-of-directors-will-go-off-on-security-in-2015.html#tk.rss_all

When should unauthorized computer access be authorized? – http://www.net-security.org/article.php?id=2180

Swedish police raid Pirate Bay and force it offline – http://www.csoonline.com/article/2857876/data-protection/swedish-police-raid-pirate-bay-and-force-it-offline.html#tk.rss_all

Catchy nicknames prompt more patching of vulnerabilities – http://www.csoonline.com/article/2857719/vulnerabilities/catchy-ncknames-prompt-more-patching-of-vulnerabilities.html#tk.rss_all

The media chums up with LulzSec hackers once again – http://grahamcluley.com/2014/12/lulzsec-media-sabu/

Browser vulnerabilities to become biggest endpoint challenge – http://www.net-security.org/secworld.php?id=17745

Chinese responsible for 85 per cent of website scams – http://www.theregister.co.uk/2014/12/10/chinese_responsible_for_85_per_cent_of_website_scams/

Book Review | Social Engineering Penetration Testing By Gavin Watson – https://www.youtube.com/watch?v=ljhsTkFSB7A

The State of Information and Cyber Security – http://www.cmswire.com/cms/information-management/the-state-of-information-and-cyber-security-027423.php

 

Tools, Tips and How it’s done:

Microsoft lets YOU kill POODLE in Protected Mode sites – http://www.theregister.co.uk/2014/12/11/redmond_lets_you_kill_poodle_in_protected_mode_sites/

Website Hacking Part V – http://resources.infosecinstitute.com/website-hacking-part-v/

Imagine you’re the CEO of a big company that has just been hacked… – http://grahamcluley.com/2014/12/sony-internal-email/

 

Miscellaneous Privacy stories:

Taxi app Uber plugs ‘privacy-threatening’ web security flaw – http://www.theregister.co.uk/2014/12/10/uber_xss_security_bug/

Web founder: Europe’s ‘right to be forgotten’ rule is dangerous – http://www.cnet.com/news/web-founder-europes-right-to-be-forgotten-rule-is-dangerous/

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

Information Security Breach Report – 10 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

You can always access the latest, and all previous reports at http://blog.srm-solutions.com/

 

Breaches, Incidents and Alerts:

Yik Yak Patches Privacy Vulnerability in iOS App – http://threatpost.com/yik-yak-fixes-privacy-vulnerability-in-ios-app/109779

‘Destover’ Malware Signed by Stolen Sony Certificate – http://www.securityweek.com/destover-malware-signed-stolen-sony-certificate

Cyber attack could cost Sony studio as much as $100 million – http://www.reuters.com/article/2014/12/09/us-sony-cybersecurity-costs-idUSKBN0JN2L020141209?feedType=RSS&feedName=topNews

Charge Anywhere Confirms Card Breach – http://www.bankinfosecurity.com/charge-anywhere-confirms-card-breach-a-7657

Security Updates for BIND DNS Software Fix Multiple Vulnerabilities – http://www.securityweek.com/security-updates-bind-dns-software-fix-multiple-vulnerabilities

Newly Discovered ‘Turla’ Malware Targets Linux Systems – http://www.securityweek.com/newly-discovered-turla-malware-targets-linux-systems

$150K HIPAA Fine for Unpatched Software – http://www.databreachtoday.com/150k-hipaa-fine-for-unpatched-software-a-7656

VMware Patches XSS, Certificate Validation Issues – http://threatpost.com/vmware-patches-xss-certificate-validation-issues/109753

AliExpress patches account mass harvesting flaw – http://www.theregister.co.uk/2014/12/09/aliexpress_patches_mass_account_harvesting_flaw/

 

Miscellaneous Infosec stories:

Report Says Businesses Struggle To Secure Sensitive Data – http://www.cio-today.com/article/index.php?story_id=021000C6SI5F

Why Do Russia and Iran Have More Cyber Commandos Than the U.S.? – http://www.huffingtonpost.com/scott-sigmund-gartner/why-do-russia-and-iran-ha_b_6289580.html

Security group plans for a future without passwords – http://www.csoonline.com/article/2857461/identity-management/security-group-plans-for-a-future-without-passwords.html#tk.rss_all

Matz: Retailers Should Pay Data Breach Costs – http://www.cutimes.com/2014/12/09/matz-retailers-should-pay-data-breach-costs

NIST Tardy on Cryptography Standards Report – http://www.inforisktoday.com/nist-tardy-on-cryptography-standards-report-a-7651

Cybersecurity Skills Shortage Panic in 2015? – http://www.networkworld.com/article/2857305/cisco-subnet/cybersecurity-skills-shortage-panic-in-2015.html

Cyberattacks to Worsen in 2015: McAfee Researchers – http://www.securityweek.com/cyberattacks-worsen-2015-mcafee-researchers

Cost of cybersecurity and risk management to double – http://www.net-security.org/secworld.php?id=17738

FIDO Alliance releases 1.0 specifications for passwordless authentication – http://searchsecurity.techtarget.com/news/2240236317/FIDO-Alliance-releases-10-specifications-for-passwordless-authentication

Forgotten subdomains boost risk of account hijacking, other attacks – http://www.csoonline.com/article/2857298/identity-management/forgotten-subdomains-boost-risk-of-account-hijacking-other-attacks.html#tk.rss_all

Apple Mac users encountered average of nine cyber threats in 2014 – http://www.telegraph.co.uk/technology/internet-security/11281971/Mac-users-encountered-average-of-nine-cyber-threats-in-2014.html

Report: Most companies fail at keeping track of patches, sensitive data – http://www.csoonline.com/article/2857012/disaster-recovery/report-most-companies-fail-at-keeping-track-of-patches-sensitive-data.html#tk.rss_all

Too Much Insider Access To Critical Data Is A Growing Risk – http://www.forbes.com/sites/dinamedland/2014/12/09/too-much-insider-access-to-critical-data-is-a-growing-risk/

Inside the minds of senior security leaders – http://www.net-security.org/secworld.php?id=17739

Poll: The Perimeter Has Shattered! – http://www.darkreading.com/perimeter/poll-the-perimeter-has-shattered!/a/d-id/1317942

The year of the security breach: 6 lessons learned from 2014 – http://www.information-age.com/technology/security/123458735/year-security-breach-6-lessons-learned-2014

 

Tools, Tips and How it’s done:

Hiding In Plain Sight – Analyzing Anomalous Data Structures – http://www.solutionary.com/resource-center/blog/2014/12/analyzing-anomalous-data-structures/

Don’t Learn the Wrong Lessons from Sony Pictures’ Password Breach – https://medium.com/@mfoust/dont-learn-the-wrong-lessons-from-sony-pictures-password-breach-ba0c9b13ac66

8 Christmas gifts that will need to be secured – http://www.csoonline.com/article/2855961/mobile-security/8-christmas-gifts-that-will-need-to-be-secured.html#tk.rss_all

Securing SaaS, Part 1: The architecture of secure design – http://www.signiant.com/blog/securing-saas-part-1-the-architecture-of-secure-design/

Securing SaaS, Part 2: The human factor, user rights and cloud tiers in file transfer – http://www.signiant.com/blog/securing-saas-part-2-the-human-factor-user-rights-and-cloud-tiers-in-file-transfer/

Securing SaaS, Part 3: Design Principles for Safe Media Transfer and Secure Data Storage – http://www.signiant.com/blog/securing-saas-part-3-design-principles-for-safe-media-transfer-and-secure-data-storage/

Securing SaaS, Part 4: Physical Security and Breach Detection – http://www.signiant.com/blog/securing-saas-part-4-physical-security-and-breach-detection/

Defcon 21 – Social Engineering: The Gentleman Thief – http://www.ligsly.net/defcon-21-social-engineering-the-gentleman-thief-video_ef4702710.html

Lenticrypt: a Provably Plausibly Deniable Cryptosystem – http://www.sultanik.com/blog/lenticrypt

Dashlane can now change all your passwords with a single click, and it’s amazing – http://www.theverge.com/2014/12/9/7357251/dashlane-can-now-change-all-your-passwords-with-a-single-click-and

Security Kahuna Podcast: Data Breach Lessons – https://blogs.akamai.com/2014/12/security-kahuna-podcast-data-breach-lessons.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheAkamaiBlog+(The+Akamai+Blog)

SpamMimic: encode your message into something innocent looking – http://www.spammimic.com/explain.shtml

File Inclusion Attacks – http://resources.infosecinstitute.com/file-inclusion-attacks/

Designing Security for Operational Environments – http://www.securityweek.com/designing-security-operational-environments

Hacker Lexicon: What Is an Air Gap? – http://www.wired.com/2014/12/hacker-lexicon-air-gap/

Be good host, offer guest account – http://www.thespectrum.com/story/life/features/mesquite/2014/12/08/good-host-offer-guest-account/20120243/

 

Miscellaneous Privacy stories:

Blackphone Confirms Privacy-Focused App Store And Device Sandboxes Incoming – http://techcrunch.com/2014/12/09/blackphone-confirms-privacy-focused-app-store-and-device-sandboxes-incoming/
