Tuesday, 14 April 2015

Hackers breach frequent-flyer Lufthansa accounts

The German airline blocked several accounts after the attack.
Hackers have broken into Lufthansa customer accounts to spend their miles on purchases, in an incident reminiscent of similar attacks on other major airlines in recent months.
The German airline said it has blocked several accounts after those of some frequent flyers were hacked.
According to German media reports, the attackers used a botnet to try large numbers of username and password combinations from many different computers; the combinations that worked were then used to access frequent-flyer accounts and their miles.
DW.de has quoted a Lufthansa spokesperson as telling DPA news agency that it 'had not been able to prevent illicit access to some customer files'.
"We had to lock several hundred customer pages. We believe to have the problem generally under control," he said.
The miles have been credited back to the accounts of the affected customers, the airline added.
The attack on Lufthansa comes two weeks after thousands of British Airways frequent-flyer accounts were hacked in March.
American and United airlines reported similar incidents in December. American Airlines said that about 10,000 accounts were hacked while United Airlines confirmed that hackers booked trips or made mileage transactions on about three dozen accounts.
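Detection for the pattern the reports describe, as an added example that is not part of the original article and is not Lufthansa's code. It is written in PHP 8 and assumes a login endpoint that records every attempt; the traffic, the addresses and the thresholds are constructed for illustration. The point it makes is that a botnet spreads guesses across many machines so that no single source exceeds a per-IP limit, so the signals a defender has to watch are the failure rate across all sources and the number of distinct sources hitting one account.

```php
<?php
// Added example (PHP 8), not from the article and not Lufthansa's code:
// a detector for credential guessing distributed across a botnet.
// The login events, IP ranges and thresholds below are constructed.
declare(strict_types=1);

final class LoginAbuseDetector
{
    /** @var list<array{ts: int, ip: string, user: string, ok: bool}> */
    private array $events = [];

    public function __construct(
        private int $windowSeconds = 600,
        private int $maxFailuresPerIp = 10,    // single-source brute force
        private int $maxIpsPerUser = 5,        // one account hit from many sources
        private int $minAttempts = 50,         // enough volume for a meaningful ratio
        private float $maxFailureRatio = 0.5,  // normal traffic is mostly successes
    ) {
    }

    public function record(int $ts, string $ip, string $user, bool $ok): void
    {
        $this->events[] = ['ts' => $ts, 'ip' => $ip, 'user' => $user, 'ok' => $ok];
    }

    /** @return list<string> findings for the window ending at $now */
    public function evaluate(int $now): array
    {
        $since = $now - $this->windowSeconds;
        $failsByIp = [];
        $ipsByUser = [];
        $ips = [];
        $attempts = 0;
        $failures = 0;

        foreach ($this->events as $e) {
            if ($e['ts'] <= $since) {
                continue; // outside the sliding window
            }
            $attempts++;
            $ips[$e['ip']] = true;
            $ipsByUser[$e['user']][$e['ip']] = true;
            if (!$e['ok']) {
                $failures++;
                $failsByIp[$e['ip']] = ($failsByIp[$e['ip']] ?? 0) + 1;
            }
        }

        $findings = [];
        foreach ($failsByIp as $ip => $n) {
            if ($n > $this->maxFailuresPerIp) {
                $findings[] = "brute force: $n failures from $ip";
            }
        }
        foreach ($ipsByUser as $user => $seen) {
            if (count($seen) > $this->maxIpsPerUser) {
                $findings[] = sprintf('targeted account: %s tried from %d IPs', $user, count($seen));
            }
        }
        // The botnet signal: no single IP exceeds the per-IP limit, yet the
        // failure rate across all sources is far above the normal typo rate.
        if ($attempts >= $this->minAttempts && $failures / $attempts > $this->maxFailureRatio) {
            $findings[] = sprintf(
                'credential stuffing: %d of %d attempts failed across %d IPs',
                $failures, $attempts, count($ips)
            );
        }
        return $findings;
    }
}

// Constructed traffic: 30 ordinary members (one in ten mistypes), then 200 bots
// each trying one leaked username/password pair from its own address, of which
// two pairs happen to be valid, and finally six bots hammering one account.
$detector = new LoginAbuseDetector();
$t = 1000000;
for ($i = 0; $i < 30; $i++) {
    $detector->record($t + $i, "203.0.113.$i", "member$i", $i % 10 !== 0);
}
for ($i = 0; $i < 200; $i++) {
    $detector->record($t + 100 + $i, "198.51.100.$i", "leaked$i", $i === 17 || $i === 93);
}
for ($i = 0; $i < 6; $i++) {
    $detector->record($t + 400 + $i, "192.0.2.$i", "vip", false);
}

foreach ($detector->evaluate($t + 500) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with the PHP command-line interpreter. The per-IP rule never fires on the bot traffic because every bot makes a single attempt, which is exactly why that rule alone is not enough; the two successful logins buried in the bot traffic are the accounts that would have been drained, and those successes, arriving from addresses never seen for those accounts, are what an alert should drive a forced re-authentication on.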

Hackers Attack Belgian Press Group, Second in Days

Hackers attacked one of Belgium’s top newspaper publishers on Sunday just days after Tunisian Islamist militants took control of a regional government portal to denounce US counter-terror operations.
There was no immediate indication the incidents were linked to each other or to a massive cyberattack against French station TV5Monde on Wednesday which Paris said was likely a “terrorist act.”
Didier Hamann, head of the Le Soir newspaper, said the daily had been “the victim of an attack.”
“Nothing concrete to link it with TV5 or RW,” Hamann said in a tweeted message, referring to the French attack and Friday’s takeover of an economic news website run by the Wallonian regional government in southern Belgium.
“We are trying to determine the origin of the attack,” Hamann told Belga news agency separately.
“We are regularly targeted and the attacks are quickly controlled but in this case, the firewalls did not work as normal,” he added.
Le Soir is owned by the Rossel Group which has several other publications.
Its websites were unavailable from 1730 GMT Sunday.
Eric Malrain, chief financial officer with the Rossel Group, told AFP: “There has been a cyberattack at Le Soir but we have no other information for the moment.”
Hamann said Le Soir would appear Monday as usual.
Earlier reports treated the incident as a technical breakdown before it was established it was a hacking attack.
In Friday’s attack on the Wallonian government website, hackers identified as the “Fallaga Team” from Tunisia ran a video followed by a message saying:
“Take your heads out of the sand, struggle against your leaders, join the resistance.”
Press reports said the Fallaga Team had hacked several French institutions shortly after the Islamist attacks in Paris in January which left 17 people dead.
The TV5Monde hackers for their part said French President Francois Hollande had committed “an unforgivable mistake” by joining the US-led air campaign against the extremist Islamic State group in Syria and Iraq, which had led to the January killings in Paris.
Belgium is also part of the US-led operation and in February said it would send around 35 soldiers to Iraq to help train its army in the fight against IS.

Interpol frees 770,000 systems from Simda botnet

Interpol has successfully freed 770,000 machines from the Simda botnet during a joint operation with Microsoft, Kaspersky Lab, Trend Micro and Japan's Cyber Defense Institute.
The operation saw Interpol's Digital Crime Centre (IDCC) coordinate with local law enforcement and the tech firms to mount a series of "simultaneous" server takedowns in the US, Russia, Luxembourg and Poland on 9 and 10 April.
The operation has been hailed as a major success in the ongoing battle against cyber crime.
Simda has been used to target everything from general web users to financial institutions for several years.
The attacks granted hackers remote access to victim systems and let them spread malware and steal vast amounts of data, including personally identifiable information and banking passwords.
Kaspersky Lab security expert Vitaly Kamluk said the campaign was particularly dangerous as it had defence-dodging capabilities.
"This bot is mysterious because it rarely appears on our KSN radars despite compromising a large number of hosts every day," he explained in a blog post.
"It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network.
"Another reason is a server-side polymorphism and the limited lifetime of the bots."
The operation began after Microsoft's Digital Crimes Unit spotted and reported a spike in Simda infections.
In January and February Interpol reported that Simda had enslaved 90,000 systems in the US alone.
The IDCC then worked with Microsoft, Kaspersky Lab, Trend Micro and Japan's Cyber Defense Institute to create a "heat map" detailing infection hot zones and the location of the botnet's command and control servers.
Microsoft has since released a Simda clean-up tool that will let users purge their systems of the malware.
IDCC director Sanjay Virmani said the combined operation demonstrated the value of collaboration between the public and private sectors in combating cyber crime.
"This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cyber crime," said Virmani.
Trend Micro argued that businesses must devise more robust cyber security strategies if they hope to protect themselves from threats like Simda.
"We advise users to be cautious when opening emails. Avoid opening emails and attachments from senders who are unknown or who cannot be verified," explained Trend Micro in a blog post.
"P2P networks aren't inherently malicious but users should be aware that dealing with these sites can increase their chances of encountering malware.
"Users should also invest in a security solution that goes beyond simple malware detection; features such as spam detection and URL blocking can go a long way in protecting users from threats."
The Simda takedown is the latest in a series of anti-botnet operations.
A task force comprising Europol, the Dutch National High Tech Crime Unit and the FBI, with support from Intel, Kaspersky and Shadowserver, reported taking down the Beebone botnet on 9 April.

Russia pulls alleged 'Svpeng' kingpin

Russia's Ministry of the Interior has gone public about the March 24 arrest of a 25-year-old it believes was the leader of the gang of cyber-scum behind the “Svpeng” money-draining malware, along with four alleged accomplices.
The Android malware is believed to have netted close to a million dollars (50 million rubles) within Russia alone, hitting 350,000 Android devices during 2013 and 2014.
According to Forbes, Svpeng started by imitating a Google Play payment window, drawn over the top of the store to request credit card details. Later the group switched tactics to ransomware, displaying a fake FBI “penalty notification” and locking the device until the gang was paid.
Last year, Kaspersky noted the group's decision to start attacking users outside Russia's borders.
According to Google Translate, the ministry's April 11 announcement says the arrests took place in Chelyabinsk during March.
The operatives “seized a significant amount of computer equipment with traces of Internet dissemination of malicious software, mobile phones, SIM cards, electronic media, server hardware,” the statement notes, along with the credit cards that received the stolen funds.
The translation suggests a confession was obtained.

Wednesday, 8 April 2015

Illegal downloading: Australia internet firms must supply data

An Australian court has ordered internet service providers (ISPs) to hand over details of customers accused of illegally downloading a US movie.

In a landmark move, the Federal Court told six firms to divulge the names and addresses of those who downloaded Dallas Buyers Club.

The case was lodged by the US company that owns the rights to the 2013 movie.

The court said the data could only be used to secure "compensation for the infringements" of copyright.

In the case, which was heard in February, the applicants said they had identified 4,726 unique IP addresses from which their film was shared online using BitTorrent, a peer-to-peer file sharing network. They said this had been done without their permission.

Once they received the names of account holders, the company would then have to prove copyright infringement had taken place.

The judgment comes amidst a crackdown by the Australian government on internet piracy.

Australians are among the world's most regular illegal downloaders of digital content. The delay in release dates for new films and TV shows, and higher prices in Australia for digital content, have prompted many Australians to find surreptitious ways to watch new shows.

The ISPs involved in the case, including Australia's second-largest provider iiNet, said releasing customer information would be a breach of privacy and lead to what is known in the US as "speculative invoicing".

This is where account holders are threatened with court cases that could result in large damages unless smaller settlement fees are paid.

The ISPs argued also that the monetary claims which the US company, Dallas Buyers Club LLC, had against each infringer were so small "that it was plain that no such case could or would be maintained by the applicants".

But Justice Nye Perram ruled that the customer information could be released on condition it was only used to recover compensation for copyright infringement.

"I will also impose a condition on the applicants that they are to submit to me a draft of any letter they propose to send to account holders associated with the IP addresses which have been identified," he ruled.

Justice Perram said the ruling was also important for deterring illegal downloading.

"It is not beyond the realm of possibilities that damages of a sufficient size might be awarded under this provision in an appropriately serious case in a bid to deter people from the file-sharing of films," he said.

The case came to court after Dallas Buyers Club LLC contacted iiNet and other ISPs, asking them to divulge customer details without a court order. The ISPs refused.

The ISPs have yet to say if they will appeal against the court ruling.

Professor of Law at the University of Technology, Sydney, Michael Fraser said it was an important judgement for ISPs and customers.

"If this [judgement] is upheld then the days of anonymous pirating may be over," Prof Fraser told ABC TV.

Report: U.S. officials say Russians hacked White House computer system

White House officials believe hackers who gained access to their computer network may be the same ones who broke into the State Department’s system, CNN reported.

The White House has been hacked and investigators think they know how, according to unnamed officials in a CNN report.
In November, hackers are said to have breached the U.S. State Department’s unclassified email system. A month later, “suspicious cyber activity” was noticed on a White House computer network, Reuters said. Now it appears as though these same hackers used the State Department cyber intrusion—which has been ongoing despite the department’s best efforts to block and wipe it—as a beachhead to gain entry into the White House’s computer systems.
White House deputy national security advisor—and Fortune 40 under 40 alum—Ben Rhodes told Wolf Blitzer on “The Situation Room” that the White House has separate networks: one classified, one unclassified. Hackers appear only to have breached the unclassified one, CNN reported. As Rhodes told Blitzer:
Well, Wolf, first of all I’m not going to get into details about our cyber security efforts. What I can say though, Wolf, is, as you said, we were public about the fact that we were dealing with cyber intrusions and the State Department was public about that, but the fact of the matter is that we have different systems here at the White House, so we have an unclassified system and then we have a classified system, a top-secret system. That is where the sensitive national security information is—the classified information is—that was a secure system. So we do not believe that our classified systems were compromised.
I will tell you, Wolf, as a general matter we are constantly updating our security precautions on our unclassified systems. But frankly, we’re also told to act as if we need to not put information that is sensitive on that system. So, in other words, if you’re going to do something that’s classified you have to do it on one email system, on one phone system, and frankly you have to act as if information could be compromised if it’s not on the classified system.
According to CNN, unnamed White House officials blamed the White House breach on Russian hackers. “One official says the Russian hackers have ‘owned’ the State Department system for months and it is not clear the hackers have been fully eradicated from the system,” CNN reported. After assessing the malware used by the attackers and their methods, the officials seem to believe that the White House breach is in some way linked to Moscow.
In the fall, U.S. director of national intelligence James Clapper told an audience at the University of Texas in Austin that Russia posed a bigger cyber threat than China.
The intrusion likely resulted, as many cyber breaches do, from an employee clicking on a malicious link or attachment in a so-called phishing email. That’s how investigators believe the hackers accessed the State Department’s systems, according to the Wall Street Journal. It’s also how they believe the hackers infiltrated the White House systems—this time, under the guise of a hijacked State Department email account, CNN said.
Though the White House has downplayed the severity of its breach since the fall, CNN noted that the hackers would have gained access to President Barack Obama’s private itinerary—an undeniably irresistible target for foreign spies.

Data possibly exposed for more than 364K Auburn University students

Auburn University is notifying more than 364,000 current, former and prospective students – as well as applicants who never enrolled in or attended the university – that their personal information was inadvertently accessible via the internet.

How many victims? 364,012.

What type of personal information? The information varied depending on the individual, but included names, addresses, dates of birth, Social Security numbers, email addresses and academic information.

What happened? The personal information of current, former and prospective Auburn University students – as well as applicants who never enrolled in or attended the university – was inadvertently accessible via the internet.

What was the response? Auburn University secured its system and launched an investigation, which is ongoing. The university is conducting a review of its data storage practices and policies. All potentially impacted individuals are being notified, and offered two free years of credit monitoring and identity protection services, as well as lifetime access to fraud resolution services.

Details: Auburn University became aware of the issue on March 2. The information was accessible via the internet between September 2014 and March 2. Auburn University is unaware of any attempted or actual misuse of any personal information as a result of the incident.

Quote: “The exposure resulted from configuration issues with a new device installed to replace a broken server,” according to a notification posted to the Auburn University website.

Source: ocm.auburn.edu, “Data Security Incident Information,” April 3, 2015; ocm.auburn.edu, “Frequently Asked Questions,” April 3, 2015.

Hackers leak messages between the Kremlin and France’s far-right National Front

French media site Mediapart has reported that hackers have leaked thousands of texts and emails sent between the Kremlin and the French far-right party, the National Front.
According to French newspaper Le Monde, the hackers posted the messages on their website and many of the texts discuss Marine Le Pen, the leader of the National Front, and her support for the annexation of the Crimean peninsula, which occurred in March 2014.
The exchanges are between ‘Timur Prokopenko,’ who the hackers identify as a Kremlin official and Kostya, a man they describe as a “Russian connection” who has access to Le Pen.
The men discuss finding out whether Le Pen will back Russia on Crimea by becoming “an observer” of the annexation. According to Le Monde, one message from Prokopenko reads “We really need her, I said to the boss you could arrange this with her”, in reference to Le Pen’s support of the internationally unrecognised referendum held before Russia annexed Crimea. Kostya then gives assurances that the National Front “will officially take a position on Crimea”.
The head of the National Front’s list in the Ile-de-France constituency, Aymeric Chauprade, was an observer at the Crimea referendum last March, although the party denied allegations that he had attended as its foreign policy adviser. Speaking of his decision to attend, Chauprade told the Russian news channel RT: “I think the referendum is legitimate. We are talking about long-term history. We are talking about the Russian people, about the territories of the former USSR.”
In February this year, Le Pen gave an interview to the Polish weekly Do Rzeczy in which she said that France should recognise Crimea as part of Russia.
In December she revealed that her party had received a €9m loan from Russian-owned First Czech-Russian Bank, leading to reports that Putin was purposefully bankrolling radical European parties in order to destabilise Europe. However, Le Pen argued that French banks had turned down the National Front for a loan and so they had accepted one from Russia instead.
Le Pen visited Moscow several times last year and met deputy prime minister Dmitry Rogozin and other Kremlin officials to discuss policy issues.

Islamist hackers seize control of Defra's air-quality website

Group calling itself Moroccan Islamic Union-Mail posts picture of Saddam Hussein and criticises Britain for its role in invasion of Iraq
Defra’s hacked air-quality website early on Tuesday morning. Photograph: Jim McQuaid/Twitter
Islamist hackers seized control of the government’s official air-quality website to post a message criticising Britain for its role in the invasion of Iraq in 2003.
Visitors on Tuesday morning to the UK-Air website, part of the Department for Environment, Food and Rural Affairs, were greeted with a black background and a large portrait of the former Iraqi dictator Saddam Hussein.
Beneath it a message in broken English read: “It’s time to remind the British government what you did with Saddam Hussein will not forget. And we are ready to sacrifice with everything, as not to give up Iraq and stay alert for the coming…”
Twitter users noticed the hack, claimed by a group calling itself the Moroccan Islamic Union-Mail, as early as 7am. By 8am the message had been removed and replaced with a holding page. Moroccan Islamic Union-Mail appears to style itself as an Islamist version of the Anonymous hacking group.
A Defra press officer told the Guardian that the department was “aware” of the hack but could provide no further details at that time.
The hacked page included a link to an Arabic-language Facebook page for the Moroccan Islamic Union-Mail. A banner picture on the page showed eight masked men posing in T-shirts bearing the acronym MIUM. A link on the page led to a webpage hosting an Anonymous-style montage video made of news reports on the hackers’ exploits.
On the news feed, the group claimed responsibility for a separate hack of Zambia’s state website, as well as posting anti-Israel messages and comments on Middle East politics.
The Anti-Defamation League, which documents and counters racism, has previously accused MIUM of hacking on behalf of the Islamic State terrorist group. MIUM hackers targeted Jewish websites in the US during the recent conflict between Israel and Gaza, the ADL said in a blogpost, before turning their attention in December to US military-linked websites in response to the American-led air campaign against Isis.
British forces are also involved in the campaign against Isis militants in Iraq. The backbone of the terror group is formed of Sunni Islamists, but elements of Saddam’s Baathist regime – which was backed by Iraq’s Sunni minority – are also said to support the insurgency.
The UK was part of the US-led coalition that invaded Iraq in 2003, toppling Saddam after nearly 24 years in power. The UK’s role in the Iraq war has previously been cited as a justification for terrorist attacks and threats against British nationals.
Mention of the Defra hack was first made on Twitter by Jim McQuaid at 7.05am. The UK-Air home page usually publishes pollution forecasts for the coming days and data on the latest pollution levels. Normal service had been restored to the UK-Air site by 8.24am.

FBI to WordPress users: patch now before ISIL defaces you

The United States Federal Bureau of Investigation (FBI) has issued a warning to WordPress users: hurry up and patch your content management system before your website is defaced by ISIL sympathisers.
The Bureau has issued a notice titled "ISIL defacements exploiting WordPress vulnerabilities" in which it warns that "Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS)."
"The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites," the notice says. "Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems."
The good news is that the Bureau thinks the perps are not ISIL members, but sympathisers. It nonetheless advises WordPress users to get their heads around security and patch plugins ASAP.
It's sound advice: Sucuri researcher Alexandre Montpas is warning of a persistent cross-site scripting vulnerability in the WP Super Cache plugin that could allow up to a million sites to be hijacked.
Montpas reveals the bug affects versions below 1.4.3, which have been downloaded more than a million times according to WordPress statistics.
Montpas says an attacker's script would execute if an administrator viewed the plugin's cached-file listing page.
"Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page," Montpas says.
"As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.
"When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, and injecting backdoors by using WordPress theme editing tools."
The since-patched bug lies in how the plugin displayed the cache file key, the request-derived value that selects which cached file is served, on its listing page: because the key is built from the request, a crafted request could plant HTML that ran when an administrator viewed the list.
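An added illustration of the bug class the advisory describes, not WP Super Cache's own code: a cut-down admin page in PHP that lists cached entries by a key assumed to be built from the request path and query string, shown first with the key echoed unescaped and then escaped with WordPress's esc_html() (shimmed so the file runs outside WordPress). The cache entries and the attacker URL are constructed.

```php
<?php
// Added illustration (PHP), not WP Super Cache's own code: a cut-down admin
// page listing cached pages by a key assumed to be built from the request
// path and query string. The cache entries and attacker URL are constructed.
declare(strict_types=1);

if (!function_exists('esc_html')) {
    // Shim so the file runs outside WordPress; inside WordPress the real
    // esc_html() is available and should be used.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Any anonymous visitor can create a cache entry just by requesting a URL,
// so the key is attacker-controlled from the first byte of the query string.
function cache_key(string $path, string $query): string
{
    return $query === '' ? $path : $path . '?' . $query;
}

$cache_index = [
    cache_key('/flights/', 'dest=FRA') => '2015-04-14 09:12',
    // Constructed attacker request: the query string carries a script tag.
    cache_key('/flights/', 'dest=<script src="//attacker.invalid/x.js"></script>') => '2015-04-14 09:13',
];

// VULNERABLE: request-derived keys are interpolated straight into the HTML.
// A nonce check on this page is a CSRF control and does not help: the
// administrator opens the listing deliberately and the script runs in their
// session, with every privilege that session carries.
function render_listing_vulnerable(array $index): string
{
    $rows = '';
    foreach ($index as $key => $created) {
        $rows .= "<tr><td>$key</td><td>$created</td></tr>\n";
    }
    return "<table>\n$rows</table>\n";
}

// FIXED: escape every request-derived value where it enters the HTML, so the
// stored payload is displayed as text rather than parsed as markup.
function render_listing_fixed(array $index): string
{
    $rows = '';
    foreach ($index as $key => $created) {
        $rows .= '<tr><td>' . esc_html($key) . '</td><td>' . esc_html($created) . "</td></tr>\n";
    }
    return "<table>\n$rows</table>\n";
}

// True when a rendered page still contains a live script tag.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo render_listing_vulnerable($cache_index);
echo render_listing_fixed($cache_index);
echo contains_raw_script(render_listing_vulnerable($cache_index)) ? "vulnerable\n" : "safe\n";
echo contains_raw_script(render_listing_fixed($cache_index)) ? "vulnerable\n" : "safe\n";
```

Run it with the PHP command-line interpreter and compare the two tables. Escaping at the point of output is the fix; an admin-page Content-Security-Policy that forbids inline and third-party scripts is a worthwhile second layer, since it limits what a payload can do even when a listing page is missed.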
It is the latest in a laundry list of WordPress plugin vulnerabilities to be disclosed recently.
The problem with un-patched plugins, as distinct from the WordPress platform itself,
WordPress hacking is a favourite pastime of lazy hackers and exploit-kit slingers who seek maximum carnage for minimum effort.

Google Ads go NUCLEAR, foist exploit kit

Security bod Maarten van Dantzig says a large number of Google ads sold through Bulgarian reseller EngageLab have been pointing users to the dangerous Nuclear exploit kit.
The Fox-IT researcher says the campaign, which at the time of writing appears to have been shut down by Google, could result in a "very large" number of infections.
Victims could be compromised over Adobe Flash, Java, and Microsoft's lonely orphan Silverlight.
Nuclear exploit kit redirection was first observed overnight targeting Fox-IT customers, van Dantzig says.
"The Fox-IT SOC (security operations centre) has detected a relatively large amount of infections and infection attempts from this exploit kit among our customers [and] we suspect that this malvertising campaign will be of a very large scale," van Dantzig says.
"Though we have not received any official confirmation, we are currently no longer observing malicious redirects from the advertisement reseller."
Van Dantzig reported the exploit kit's command-and-control server and three other hosts serving the kit to Google.
He recommends users block access to '', deploy an advertisement blocker and update (or uninstall) Flash, Java and Silverlight.

A MILLION Chrome users' data was sent to ONE dodgy IP address

A team of security researchers has found malware in a popular Chrome extension which may have sent the browsing data of over 1.2m users to a single IP address.
ScrapeSentry credits its researchers with uncovering "a sinister side-effect to a free app [...] which potentially leaks [users'] personal information back to a single IP address in the USA".
Martin Zetterlund, one of ScrapeSentry's founders, told The Register that the extension's malicious functions would have been difficult to catch with an automated audit because the developer arranged for that code to be downloaded only seven days after installation.
ScrapeSentry analysed the dodgy Chrome extension last week and submitted its findings to Google.
The offending extension, Webpage Screenshot, was removed from the Chrome Web Store on Tuesday. It apparently allowed users to capture screenshots and save them for later editing.
In a canned statement Zetterlund said: "We recently identified an unusual pattern of traffic to one of our client’s sites which alerted our investigators that something was very wrong."
He added: "Everything downloaded from the internet needs to be treated with suspicion, it's a good idea to look what others have to say about programs and extensions first if you don't have the knowledge to pick them apart yourself."
Cristian Mariolini, the ScrapeSentry analyst who headed up the team that found the rogue extension, noted: “The repercussions of this could be major for the individuals who have downloaded the extension. What happens to the personal data and the motives for wanting it sent it to the US server is anyone’s guess, but ScrapeSentry would take an educated guess it’s not going to be good news."
"And of course, if it’s not stopped, the plug-in may, at any given time, be updated with new malicious functionality as well. We would hope Google will look into this security breach with some urgency," he added.
A spokesman for Webpage Screenshot told the BBC there was nothing malicious about the data it gathered. Instead, he said, it was used to understand who the extension's users were and where they were located, to help guide development of the code.
Users could opt out of sharing data, he said.

Tuesday, 7 April 2015

Huffington Post: Don't Be the Weakest Link in Your Company's Cyber Security Plan

The other night, after falling asleep and waking up the next morning, I realized I didn't lock the front door to my home. I have locks on the doors, the windows, an alarm system, hurricane shatterproof windows, and two small dogs with a high-pitch bark that could wake the dead; but all that protection won't do me any good if I forget to lock the front door.

I work for a company that has about 20,000 employees. I own a company that has 18. No matter how big or small your company is we all have something to protect. No matter how many layers of security we have in place, people continue to be the weakest link in their company's Cyber security plan.

Let's go back to the front door analogy for a moment. Even though I have all those layers of security to protect my home, if I don't lock the front door then it's all meaningless and I increase my risk to my family -- what I'm trying to protect. The same holds true for us in business everyday, only the front door isn't always physical it is digital too. Our computers, smartphones and tablets lead directly to our company's front door, providing access to anyone who can get in.

Here's a better way of looking at it.

The company we work for stores our personal information -- social security numbers, first names, last names, phone numbers, and addresses. We should have a strong interest to protect that information because if we don't it could mean the loss or theft of our identities. What about our company's confidential information? We want to protect that too because if we don't, it could mean regulatory compliance fines and reputational damage which could seriously impact our company's bottom line. Some people may lose their jobs if our company can't afford to pay us.

Now, I know what you're thinking: "Isn't that why we have a Cyber security team?" Yes, but remember our "front door" analogy? We are at the front door everyday, that digital front door. When we power up our computers in the morning, and open our e-mail, sometimes there's a link or an attachment just waiting to be clicked or opened, and that link or attachment, whether we realize it or not, is laden with malicious software (a virus or backdoor) that will leave the front door open to our business. So even though we have a security team in place to protect us, if we click that malicious link or attachment, their hard work and the money they invested to keep the company safe may not prevent the bad guys from getting in.

So, are you that person? Are you the one who will leave the digital front door to your company unlocked today? Are you the weakest link in your company's cyber security plan? No matter how many firewalls and layers of computer protection your company invests in, if we don't remember to slow down and check the locks on our doors, we could put ourselves and our company at great risk. We all have a role to play to help keep our companies safe.

Be careful what you click. Don't be enticed by tempting messages to watch a funny video or see a nude celebrity. And try to be aware of new social, political, and environmental issues since many hackers use those types of events to entice you into opening that front door. Slow down. Read carefully. Who is the sender? Were you expecting this message or phone call (yes, be on the lookout for suspicious phone calls too)? If you are unsure then stop what you are doing and ask a security-minded professional what they think. If you develop these kinds of behaviors then you won't be the weakest link in your company's cyber security plan. You will have kept the digital front door locked, and your personal and company information safe and secure.

A Herald-State College of Florida public forum on cyber security, identity theft

Last week President Obama put a bright spotlight on devilish issues that jeopardize all Americans: cyber security and identity theft.
Data breaches are all too commonplace today, with personal information and industrial secrets a gold mine for hackers operating for either profit or country.
The global threat is so pervasive and steady, nobody is immune. Last year, FBI Director James Comey told CBS' "60 Minutes" this: "There are two kinds of big companies in the United States. There are those who've been hacked ... and those who don't know they've been hacked ..."
While he was talking specifically about the Chinese, hackers around the world are at work.
Which is why Obama issued an executive order Wednesday empowering the Treasury Department to freeze the financial assets of Internet attackers who threaten our national and economic security.
The order, which declares a national emergency over these online threats, covers the theft of trade secrets and personal information.
The issue is particularly hot now with income tax season coming to a close, and some filers finding their identities compromised as thieves steal their returns.
To put this into focus, the Herald and State College of Florida Manatee-Sarasota are holding our next Community Conversation on this issue -- on April 29.
This public forum offers you the opportunity to engage experts in information technology and security and learn about Internet vulnerability and risk awareness.
Presented by the Herald and SCF in partnership with Manatee Educational Television, we invite the public to not only attend, but to send us your questions and concerns about this vital issue ahead of the forum. We'll address as many of your questions as possible during the forum.
In order to keep the conversation moving along, there will not be an open mike for public comments and questions during the forum.
Please submit those in advance of the event to cwille@bradenton.com or send regular mail to Editorial Page Editor Chris Wille, 1111 Third Ave. W., Bradenton 34205. And please include your name.
The free forum will be held from 6-7:30 p.m. April 29 at SCF's Howard Studio Theater, located on the college's Bradenton campus in Building 11 West, off 60th Avenue West between 26th and 34th streets, accessed from Parking Lot I. Details can be found at www.scf.edu/maps.
The forum will be broadcast by METV at later dates.
The pervasive and insidious problem of data breaches is best illustrated by these figures:
• 80 million customers of the country's second largest health insurance company, Anthem, had their birthdays, Social Security numbers and employment information taken by cyber attackers, the firm announced in February.
• In December 2013 Target disclosed that attackers had stolen payment card data and personal contact information affecting as many as 110 million customer accounts.
• In September 2014, Home Depot reported credit card information of about 56 million shoppers was compromised.
State College of Florida is revamping its associate in science degree in Network Systems Technology this coming fall. That will include a Cybersecurity and Digital Forensics specialization, patterned after the National Security Agency's Centers of Academic Excellence guidelines.
As the college notes, demand for cybersecurity professionals has grown 12 times faster than non-IT jobs, and 3.5 times faster than the demand for other IT jobs in recent years.

Read more here: http://www.bradenton.com/2015/04/07/5731893_a-herald-state-college-of-florida.html?rh=1#storylink=cpy

The White House's New Executive Order On Cyber Crime is (Unfortunately) No Joke

On the morning of April 1st, the White House issued a new executive order (EO) that asserts that malicious "cyber-enabled activities" are a national threat, declares a national emergency, and establishes sanctions and other consequences for individuals and entities. While computer and information security is certainly very important, this EO could dangerously backfire and chill the very security research that is necessary to protect people from malicious attacks.
We wish we could say it was a very well-orchestrated April Fools' joke, but it appears the White House was serious. The order is yet another example of a bad response to very real security concerns. It comes at the same time as Congress is considering the White House's proposal for fundamentally flawed cybersecurity legislation.
That perhaps shouldn’t be surprising, since so far, D.C.’s approach to cybersecurity hasn’t encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary). Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.
The most pernicious provision, Section 1(ii)(B), allows the Secretary of the Treasury, "in consultation with" the Attorney General and Secretary of State, to make a determination that a person or entity has "materially … provided … technological support for, or goods or services in support of any" of these malicious attacks.
While that may sound good on its face, the fact is that the order is dangerously overbroad. That's because tools that can be used for malicious attacks are also vital for defense. For example, penetration testing is the authorized practice of trying to break into computer systems the way an attacker would, typically starting without any credentials. It's a vital step in finding system vulnerabilities and fixing them before malicious attackers do. Security researchers often publish tools, and provide support for them, to help with this testing. Could the EO be used to issue sanctions against security researchers who make and distribute these tools? On its face, the answer is…maybe.
To be sure, President Obama has said that “this executive order [does not] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity.” But assurances like this are not enough. Essentially, with these words, Obama asks us to trust the Executive, without substantial oversight, to be able to make decisions about the property and rights of people who may not have much recourse once that decision has been made, and who may well not get prior notice before the hammer comes down. Unfortunately, the Department of Justice has used anti-hacking laws far too aggressively to gain that trust.
As several security researchers who spoke up against similarly problematic terms in the Computer Fraud and Abuse Act recently pointed out in an amicus brief:
There are relatively few sources of pressure to fix design defects, whether they be in wiring, websites, or cars. The government is not set up to test every possible product or website for defects before its release, nor should it be; in addition, those defects in electronic systems that might be uncovered by the government (for instance, during an unrelated investigation) are often not released, due to internal policies. Findings by industry groups are often kept quiet, under the assumption that such defects will never come to light—just as in Grimshaw (the Ford Pinto case). The part of society that consistently serves the public interest by finding and publicizing defects that will harm consumers is the external consumer safety research community, whether those defects be in consumer products or consumer websites.
It’s clear that security researchers play an essential function. It was researchers (not the government) who discovered and conscientiously spread the news about Heartbleed, Shellshock, and POODLE, three major vulnerabilities discovered in 2014. Those researchers should not have to question whether or not they will be subject to sanctions.
To make matters worse, while most of the provisions specify that they apply to activity taking place outside of or mostly outside of the US, Section 1(ii)(B) has no such limitation. We have concerns about how the order applies to everyone. But this section also brings up constitutional due process concerns. That is, if it were to apply to people protected by the U.S. Constitution, it could violate the Fifth Amendment right to due process.
As we’ve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime.

Dyre Wolf malware steals more than $1 million, bypasses 2FA protection

Researchers said they've uncovered an active campaign that has already stolen more than $1 million using a combination of malware and social engineering.
The Dyre Wolf campaign, as it has been dubbed by IBM Security researchers, targets businesses that use wire transfers to move large sums of money, even when the transactions are protected with two-factor authentication. The heist starts with mass e-mailings that attempt to trick people into installing Dyre, a strain of malware that came to light last year. The Dyre versions observed by IBM researchers remained undetected by the majority of antivirus products.
Infected machines then send out mass e-mails to other people in the victim's address book. Then the malware lies in wait. A blog post published Thursday by IBM Security Intelligence researchers John Kuhn and Lance Mueller explains the rest:
Once the infected victim tries to log in to one of the hundreds of bank websites that Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site. The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in.
One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as. This all results in successfully duping their victims into providing their organizations’ banking credentials.
As soon as the victim hangs up the phone, the wire transfer is complete. The money starts its journey and bounces from foreign bank to foreign bank to circumvent detection by the bank and law enforcement. One organization targeted with the campaign also experienced a DDoS. IBM assumes this was to distract it from finding the wire transfer until it was too late.
The success of the Dyre Wolf campaign underscores the need for better training, so employees can spot malicious e-mails and ruses like the phone call to the targets' bank. Note that the two-factor protection is not defeated technically: the attackers get the login credentials, and whatever the bank asks for next, from the victim over the phone while the fraudulent transfer is being made, so a second factor on its own does not protect a transaction the account holder is talked through.
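One observable the report describes, infected machines spraying mail to everyone in the victim's address book, can be caught at the mail gateway before the banking stage is ever reached. The following detector is an added example, not code from IBM or from the article. It runs over a few constructed outbound-mail log lines in an assumed "<timestamp> <source-ip> <sender> <recipient>" format (not any real gateway's format) and flags any internal host that reaches more than a threshold number of distinct recipients within a short window. The window and threshold are assumptions to be tuned to local mail volume.

```python
"""Detect the mass-mailing stage of a Dyre-style infection from gateway logs.

Added example, not part of the IBM report or the article. The log format
'<ISO timestamp> <source-ip> <sender> <recipient>' is assumed, the sample
lines are constructed, and WINDOW / MAX_RECIPIENTS are assumed thresholds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: how far back to look per host
MAX_RECIPIENTS = 5               # assumed: distinct recipients allowed in WINDOW

# Constructed sample: workstation 10.0.0.23 bursts to many recipients in
# seconds, while 10.0.0.7 sends at a normal rate.
SAMPLE_LOG = """\
2015-04-02T09:00:01 10.0.0.7  alice@example.com bob@partner.example
2015-04-02T09:03:12 10.0.0.23 carol@example.com dan@example.org
2015-04-02T09:03:13 10.0.0.23 carol@example.com erin@example.org
2015-04-02T09:03:13 10.0.0.23 carol@example.com frank@example.net
2015-04-02T09:03:14 10.0.0.23 carol@example.com grace@example.net
2015-04-02T09:03:14 10.0.0.23 carol@example.com heidi@example.org
2015-04-02T09:03:15 10.0.0.23 carol@example.com ivan@example.net
2015-04-02T09:03:15 10.0.0.23 carol@example.com dan@example.org
2015-04-02T09:45:00 10.0.0.7  alice@example.com judy@partner.example
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src_ip, sender, recipient)."""
    ts, src, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), src, sender.lower(), rcpt.lower()


def find_mass_mailers(log_text, window=WINDOW, max_recipients=MAX_RECIPIENTS):
    """Return {source_ip: (distinct_recipients, first_ts, last_ts)} for every
    host whose distinct-recipient count inside a sliding window exceeds the
    limit. Duplicate recipients do not inflate the count."""
    recent = defaultdict(deque)   # src -> deque of (ts, rcpt) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sender, rcpt = parse_line(line)
        q = recent[src]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > max_recipients:
            prev = alerts.get(src)
            count = max(len(distinct), prev[0]) if prev else len(distinct)
            first = prev[1] if prev else q[0][0]
            alerts[src] = (count, first, ts)
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct recipients between {first} and {last}")
```

A hit is a reason to pull the host off the network and look at it, not proof of infection by itself; a legitimate bulk sender (a ticketing system, a mailing-list host) will trip the same rule and belongs on an allow-list rather than a lower threshold.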

Linux Australia hacked, warns personal details exposed

Linus Torvalds was at hacked event, but organisers say payment details safe

The names, phone numbers and street and email addresses of delegates for Linux Australia conferences and PyCon have been exposed in a server breach.
The March attack was detected two weeks ago and is revealed in an email to Linux Australia members.
Linux Australia's server held information on delegates to its popular annual conferences for 2013, 2014, and the most recent event, held in January in Auckland.
PyCon delegates for the 2013 and 2014 conferences are also affected.
Linux Australia told delegates that the attackers who hit the Zookeepr conference management system exposed hashed passwords but not payment information.
"It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server," the email signed by the Linux Council of Australia read.
"A remote access tool was installed, and the server was rebooted to load this software into memory.
"A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia's automated backup processes ran, which included the dumping of conference databases to disk."
Delegates are urged to change their passwords.
The Linux Australia team operates a three-member response process in which an assessment is carried out independently by two people and then repeated by a third, with none of the investigators told of the others' findings.
This is designed to surface anomalies and encourage more rigorous analysis.
Linux Australia has notified Australia's Privacy Commissioner of the breach, hardened the rebuilt server, and committed to a better patching regime.
The group has welcomed assistance from Computer Emergency Response Teams in identifying the unknown vulnerability that was exploited.
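Why "hashed passwords but not payment information" still justifies the reset advice above: it depends entirely on how the hashes were produced, which the notification does not say. The following is an added illustration on constructed data; it is not Linux Australia's or Zookeepr's code and makes no claim about how Zookeepr stores passwords. It contrasts an unsalted fast hash, which a leaked database surrenders to a small wordlist in a single pass, with a salted, iterated KDF (PBKDF2-HMAC-SHA256), which makes the attacker pay the full iteration cost for every guess against every user. The usernames, passwords and wordlist are invented.

```python
"""Why a leak of 'only hashed passwords' still means: change your password.

Added illustration on constructed data. This is not Linux Australia's or
Zookeepr's code and says nothing about how Zookeepr stores passwords; the
usernames, passwords and wordlist are invented.
"""
import hashlib
import hmac
import os

WORDLIST = ["linux", "password", "conference2015", "lca2015!", "hunter2"]  # constructed


def fast_hash(pw):
    """The weak scheme: one unsalted SHA-1 round per password."""
    return hashlib.sha1(pw.encode()).hexdigest()


def kdf_hash(pw, salt, iters):
    """The strong scheme: salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters).hex()


def leak_fast(passwords):
    """Constructed 'leaked database' for the weak scheme: {user: hash}."""
    return {user: fast_hash(pw) for user, pw in passwords.items()}


def leak_kdf(passwords, iters):
    """Constructed leak for the strong scheme: {user: (salt, hash, iters)}."""
    out = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)            # per-user random salt
        out[user] = (salt, kdf_hash(pw, salt, iters), iters)
    return out


def crack_fast(leaked, wordlist):
    """Unsalted hashes: hash the wordlist once, then look every user up in
    that table. Cost is len(wordlist), however many users leaked."""
    table = {fast_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_kdf(leaked, wordlist):
    """Per-user salts kill the shared table: each (user, word) pair costs a
    full KDF run. Returns (recovered passwords, number of KDF runs spent)."""
    found, work = {}, 0
    for user, (salt, h, iters) in leaked.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(kdf_hash(w, salt, iters), h):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    # Constructed users: two weak passwords from the wordlist, one strong one.
    users = {"alice": "linux", "bob": "lca2015!", "carol": "Tr0ub4dor&3 correct horse"}
    print("fast, unsalted:", crack_fast(leak_fast(users), WORDLIST))
    found, work = crack_kdf(leak_kdf(users, iters=100_000), WORDLIST)
    print(f"PBKDF2: {found} after {work} KDF runs of 100000 iterations each")
```

Both attacks recover the same weak passwords; the difference is the price. With the unsalted scheme one pass over the wordlist covers every account in the dump, so a leak of the hash table is nearly a leak of the passwords. With per-user salts and a high iteration count each guess against each account costs a full KDF run, which is what buys the time for users to rotate. Since delegates cannot tell which case applies, assuming the weak one, resetting, and changing the same password anywhere else it was reused is the right call.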