Information Security Breach Report – 22 December 2014

A daily round up of the most recent reports of information security breaches, infosec and privacy stories from around the world.

Breaches, Incidents and Alerts:

STAY AWAY: Popular Tor exit relays look raided – http://www.theregister.co.uk/2014/12/22/stay_away_popular_tor_exit_relays_look_raided/

ISIS operates spear phishing attacks against a Syrian citizen media group – http://securityaffairs.co/wordpress/31325/malware/isis-spear-phishing-attacks-syrian-group.html

Security breach at JMU releases thousands of employees’ data – http://www.breezejmu.org/news/article_d806545c-8861-11e4-989d-1bb141dcd74d.html

Mercy Medical Center Redding Oncology Clinic notifies patients of privacy breach – http://www.phiprivacy.net/mercy-medical-center-redding-oncology-clinic-notifies-patients-of-privacy-breach/

Quest Diagnostics notifies employees of breach after email attachment error – http://www.databreaches.net/quest-diagnostics-notifies-employees-of-breach-after-email-attachment-error/

Whistleblower reveals how fraud of Booking.com worked – http://www.bbc.co.uk/news/business-30555620

Critical #NTP Vulnerability in ntpd prior to 4.2.8 – https://isc.sans.edu/diary/Critical+%23NTP+Vulnerability+in+ntpd+prior+to+4.2.8/19093

New security flaws in the SS7 protocol allow hackers to spy on phone users – http://securityaffairs.co/wordpress/31262/hacking/flaws-ss7-protocol-spy-on-phone.html

Several critical security vulnerabilities affect the Glassdoor website – http://securityaffairs.co/wordpress/31244/hacking/several-critical-security-vulnerabilities-glassdoor.html

Staples Finds PoS Malware in 115 Stores; 1.16 Million Payment Cards Affected – http://www.securityweek.com/staples-finds-pos-malware-115-stores-116-million-payment-cards-affected

Huge data leak sees personal details of 15,000 Hackney residents published online – http://www.hackneygazette.co.uk/news/politics/huge_data_leak_sees_personal_details_of_15_000_hackney_residents_published_online_1_3892558

Privilege Escalation Vulnerability Found in Linux Kernel – http://www.securityweek.com/privilege-escalation-vulnerability-found-linux-kernel

Proxy auto-config attacks defeat 2-factor auth, hide using country specific content – http://news.netcraft.com/archives/2014/12/18/proxy-auto-config-attacks-defeat-2-factor-auth-hide-using-country-specific-content.html

Serious Vulnerabilities Found in Schneider Electric’s ProClima Solution – http://www.securityweek.com/serious-vulnerabilities-found-schneider-electrics-proclima-solution

 

Miscellaneous Infosec stories:

I work at Sony Pictures. This is what it was like after we got hacked. – http://fortune.com/2014/12/20/sony-pictures-entertainment-essay/

Throwing Money at Data Breach May Make It Worse – Study offers model for response to large-scale data breaches – http://newswire.uark.edu/articles/26195/throwing-money-at-data-breach-may-make-it-worse

Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say – http://www.billboard.com/articles/business/6413955/sony-security-kevin-mitnick-electronic-frontier

Hackers Used Sophisticated SMB Worm Tool to Attack Sony – http://www.securityweek.com/hackers-used-sophisticated-smb-worm-tool-attack-sony

Aviation industry agrees on common roadmap for tackling cyber threats – https://vouchers.innovateuk.org/web/defence/article-view/-/blogs/aviation-industry-agrees-on-common-roadmap-for-tackling-cyber-threats?p_p_auth=VezCt5us

50% of companies unprepared for DDoS attacks: Report – http://cio.economictimes.indiatimes.com/news/digital-security/50-of-companies-unprepared-for-ddos-attacks-report/45582354

Top 10 Phone Scams of 2014 – http://www.itbusinessedge.com/slideshows/top-10-phone-scams-of-2014.html

A cyber-resilience blueprint for ASEAN – http://www.eastasiaforum.org/2014/12/20/a-cyber-resilience-blueprint-for-asean/

US tries to strike deal with EU for immunity over online security breaches – http://www.theguardian.com/technology/2014/dec/19/us-negotiation-eu-prosecution-immunity-online-security-breaches-corporations

What does a cyber counterattack look like? – http://www.politico.com/story/2014/12/what-does-a-cyber-counterattack-look-like-113715.html

Ukraine conflict: Hackers take sides in virtual war – http://www.bbc.co.uk/news/world-europe-30453069

ICANN: The TRUTH about that hacker attack on our DNS zone file database – http://www.theregister.co.uk/2014/12/19/icann_stresses_critical_internet_systems_not_hacked/

Risk modellers look to clarify cyber risk costs – https://uk.news.yahoo.com/risk-modellers-look-clarify-cyber-risk-costs-221241816–finance.html#oPltu3G

How North Korea, one of the world’s poorest countries, got so good at hacking – http://www.vox.com/2014/12/18/7413229/north-korea-hack-sony

What story are security leaders telling themselves? – http://www.csoonline.com/article/2861393/security-leadership/what-story-are-security-leaders-telling-themselves.html#tk.rss_all

Post Breach, Regulator Reviews Policies – http://www.databreachtoday.com/post-breach-regulator-reviews-policies-a-7698

Questions Abound Following Data Breach Caused By NCUA Examiner’s Error – http://www.acuia.org/news/questions-abound-following-data-breach-caused-ncua-examiners-error

Complex Solutions to a Simple Problem – http://krebsonsecurity.com/2014/12/complex-solutions-to-a-simple-problem/

Crimeware-as-a-Service Threatens Banks – http://www.databreachtoday.co.uk/crimeware-as-a-service-threatens-banks-a-7690

 

Tools, Tips and How it’s done:

Cloud VPN Security Recommendations – http://resources.infosecinstitute.com/cloud-vpn-security-recommendations-2/

Hiding Malware in Plain Sight From Online Scanners – http://noxxi.de/research/content-encoding-online-scanner.html

Ask HN: What encrypted chat application to choose? – https://news.ycombinator.com/item?id=8776398

Bridging Datacenters for Disaster Recovery – Virtually – https://isc.sans.edu/diary/Bridging+Datacenters+for+Disaster+Recovery+-+Virtually/19091

10 Technical Papers Every Programmer Should Read (At Least Twice) – http://blog.fogus.me/2011/09/08/10-technical-papers-every-programmer-should-read-at-least-twice/

Endpoint security fundamentals: The business case for antimalware protection – http://searchsecurity.techtarget.com/feature/Endpoint-security-fundamentals-The-business-case-for-antimalware-protection

How cookies can be used for global surveillance – https://freedom-to-tinker.com/blog/englehardt/how-cookies-can-be-used-for-global-surveillance/

Live Map Shows Thousands Of Cyber Attacks As They Happen – http://www.forbes.com/sites/frankbi/2014/12/19/live-map-shows-thousands-of-cyber-attacks-as-they-happen/

How good is your infosec knowledge really? Test your skills with this holiday quiz – http://exp.tw/articles/show/27820

Do You Have A Data Security Breach Policy Yet? (Spoiler: You Should) – http://www.adaptistration.com/blog/2014/12/18/do-you-have-a-data-security-breach-policy-yet-spoiler-you-should/

 

Miscellaneous Privacy stories

LAPD Body Cam Footage Can’t Be FOIA’ed; Used In Court Cases Only – https://www.techdirt.com/articles/20141217/14165929471/lapd-body-cam-footage-cant-be-foiaed-used-court-cases-only.shtml

The Future of Privacy – http://www.pewinternet.org/2014/12/18/future-of-privacy/

BlackBerry Completes Acquisition of German Anti-Eavesdropping Firm – http://www.securityweek.com/blackberry-completes-acquisition-german-anti-eavesdropping-firm

 

If you would like this report sent to your inbox each morning, email me at jon.fisher@srm-solutions.com

 

You can see all previous issues of this blog at www.jonfisherthoughts.co.uk

My Linkedin Profile is uk.linkedin.com/in/jonfisher99/

Posted 3 years ago on · Permalink