Author Archives: BankInfoSecurity.com RSS Syndication

Mitigating Identity Deception

Agari's Andrew Coyle on New Tools to Foil Socially Engineered Schemes
The fraudsters have more tools and information than ever at their disposal to pull off socially engineered schemes. But how can the victims turn the tables? Agari's Andrew Coyle discusses new tools and strategies to improve defenses.

Super Micro: Audit Didn’t Find Chinese Spying Chip

Firm Says Audit 'Lays to Rest the Unwarranted Accusations'
Super Micro says a third-party audit of recent and older motherboards has not turned up evidence of a spying chip as alleged in an explosive report two months ago by Bloomberg Businessweek. Bloomberg, however, has stood by its story despite no physical example of the malicious chip turning up.

Congratulations: You Get ‘Free’ Identity Theft Monitoring

Because Breached Businesses 'Take Your Security Seriously'
Is there anything better than being offered one year of "free" identity theft monitoring? Such services are regularly offered, with strings attached, by organizations that mishandled your personal details, and their efficacy and use now look set for a U.S. Government Accountability Office review.

Marriott: Breach Victims Won’t Be Forced Into Arbitration

Victims Objected to Terms of Fraud Monitoring Agreement
Breach victims who sign up for free fraud-monitoring services from breached businesses that lost control of their data often sign away their right to join class-action lawsuits or pursue other legal actions, and Marriott proved to be no exception, following its mega-breach. But it now appears to be backing off.

Equifax Breach ‘Entirely Preventable,’ House Report Finds

Democrats Slam Republican Report for Not Advancing New Breach-Prevention Laws
The massive data breach suffered by Equifax in 2017 "was entirely preventable," according to a report released by the House Oversight Committee's Republican majority. Some Democratic lawmakers have slammed the report for failing to advance legislative or oversight changes to help prevent breaches.

Fresh Google+ Bug Exposed 52.2 Million Users’ Data

Google Advances Date for Mothballing Google+ Social Network for Consumers
Google says a buggy API update it pushed last month for its soon-to-be-mothballed Google+ social network exposed personal information for 52.2 million users. The data-exposure alert arrives just two months after Google admitted that a March problem with the same API exposed data for 500,000 users.

Eastern European Bank Hackers Wield Malicious Hardware

'DarkVishnya' Heists Stole Tens of Millions of Dollars, Kaspersky Lab Says
Hackers have been plugging inexpensive hardware into banks' local area networks to help perpetrate heists that have stolen tens of millions of dollars, warns Kaspersky Lab. It says that since 2017, the "DarkVishnya" attack campaign has hit at least eight Eastern European banks.

Australia Passes Encryption-Busting Law

Government Can Force Technology Companies to Break Encryption
Australia's Parliament has passed new laws enabling it to compel technology companies to break their own encryption. Although the government argued the laws are needed to combat criminal activity and terrorism, opponents argued the powers could creep beyond their scope and weaken the security of all software.

Face Off: Researchers Battle AI-Generated Deep Fake Videos

Convincing Face-Swapping Clips Easy to Create With Gaming Laptops and Free Tools
The easy availability of tools for designing face-swapping deep-fake videos drove Symantec security researchers Vijay Thaware and Niranjan Agnihotri to design a tool for spotting deep fakes, which they described in a briefing at the Black Hat Europe 2018 conference in London.

Cyber Exposure: How to Discover, Measure and Reduce Your Risk

Tenable's Diwakar Dayal on Benchmarking the Success of Your Security Posture
How does an organization measure cybersecurity success? For too many, it's simply the absence of a breach. But Diwakar Dayal of Tenable proposes ways to measure a cybersecurity posture, benchmark it against peers and use the metrics to create a report card and reduce cyber risk.

Black Hat Europe: The Power of Attribution

Estonia's Marina Kaljurand Calls for Greater Cyberattack Accountability
To combat cyberattacks, more nations must not only hold nation-state attackers accountable, but better cooperate by backing each other's attribution, said Estonian politician Marina Kaljurand, who chairs the Global Commission on the Stability of Cyberspace, in her opening keynote speech at Black Hat Europe 2018.

Top Republican Email Accounts Compromised

National Republican Congressional Committee Emails Spied On For Months
Thousands of emails from four senior aides within the National Republican Congressional Committee were exposed after their accounts were compromised for several months earlier this year, Politico reported on Tuesday. Few details have been released about the incident, which was investigated by CrowdStrike.

14 Hot Sessions at Black Hat Europe 2018

Top-Flight Information Security Conference Returns to London
The Black Hat Europe information security conference returns to London, featuring 40 research-rich sessions covering diverse topics, including politically motivated cyberattacks, recovering passwords from keyboards thanks to thermal emanations, hacking Microsoft Edge and detecting "deep fakes."

Question: Did Quora Hack Expose 100 Million Users?

Answer: Yes, Q&A Site Believes Hackers Stole Private Content, Hashed Passwords
Next to corporate communications that claim that "your security is important to us," any website post titled "security update" portends bad news. So too for question-and-answer site Quora, which says a hack exposed 100 million users' personal details, including hashed passwords and private content.

Kubernetes Alert: Security Flaw Could Enable Remote Hacking

Patch Container-Orchestration System Now or Risk Serious Consequences
A severe vulnerability in Kubernetes, the popular, open-source software for managing Linux applications deployed within containers, could allow an attacker to remotely steal data or crash production applications. Microsoft and Red Hat have issued guidance and patches, and recommend immediate updating.

Marriott Mega-Breach: Will GDPR Apply?

Legal Experts Suspect So, But Investigation Could Take a Year or More
Will Marriott be the first organization that lost control of Europeans' personal data to feel the full force of the EU's General Data Protection Regulation? With GDPR in full effect since May, organizations that fail to protect personal data face the potential of massive fines.

Marriott’s Mega-Breach: Many Concerns, But Few Answers

Massive Breach Prompts Calls for New Data Security and Minimization Laws
Marriott's mega-breach underscores the challenges companies face in securing systems that come from acquisitions as well as simply storing too much consumer data for too long, computer security experts say. Meanwhile, the hotel giant has yet to answer many pressing data breach questions.

Healthcare’s Insider Threat

Veriato's Pete Nourse on Why This Is the Sector's Achilles Heel
Organizations in all sectors struggle with mitigating the insider threat, but it's an acute concern in healthcare, where patients' lives are at stake. Pete Nourse of Veriato outlines specific threats to this sector.

The Profile of Modern-Day DDoS

Netscout Arbor's Tom Bienkowski on the Risks to Healthcare Organizations
DDoS attacks against healthcare organizations have increased not only in size and scale, but especially in complexity, says Tom Bienkowski of Netscout Arbor. How can enterprises build upon their traditional DDoS defenses?

Highlights of NIST Cybersecurity Framework Version 1.1

Matthew Barrett of NIST Outlines New Components, Including Supply Chain Risk Management
The latest version of the NIST Cybersecurity Framework - Version 1.1 - includes more information on supply chain risk management, authentication, authorization, identity proofing and self-assessing cybersecurity risk management, says Matthew Barrett of the National Institute of Standards and Technology.

Two Iranians Charged in SamSam Ransomware Attacks

US Prosecutors Allege Pair Targeted More Than 200 Victims, Including Cities, Hospitals
A federal grand jury has indicted two Iranians for allegedly waging SamSam ransomware attacks on more than 200 entities, including Atlanta and other municipalities and six healthcare organizations. They collected $6 million in ransoms and caused more than $30 million in losses to victims, U.S. prosecutors allege.

Google Faces GDPR Complaints Over Web, Location Tracking

Search Giant's Pervasive Tracking Isn't Clear to Consumers, Groups Contend
Consumer organizations in seven countries plan to file complaints alleging that Google is violating the EU's General Data Protection Regulation via its location, web and app activity tracking, in what could be a blow to the search giant's lucrative but data-hungry targeted advertising business.

Uber Fined $1.2 Million in EU for Breach Disclosure Delay

Credential Stuffing Attack Cracked Uber's Amazon S3 Buckets, Investigators Say
Uber has been fined a total of $1.2 million by U.K. and Dutch privacy regulators for covering up a 2016 data breach for more than a year. The breach exposed millions of drivers' and users' personal details to attackers, whom Uber paid $100,000 in hush money in exchange for a promise to delete the stolen data.

Court Approves Lenovo’s $7.3 Million Adware Settlement

Manufacturer Preinstalled Superfish Visual Discovery Adware on 800,000 Laptops
A court has preliminarily approved Lenovo's proposal to pay $7.3 million to settle a consolidated class action lawsuit filed over its preinstallation of Superfish adware onto laptops purchased by 800,000 consumers. Superfish, which has dissolved, already reached a $1 million settlement agreement.

PageUp Breach: ‘No Specific Evidence’ of Data Exfiltration

But Forensic Investigation Shows Attackers Had Exfiltration Tools in Place
Australian human resources software developer PageUp says it has found "no specific evidence" that attackers removed data, following the company warning in May that it had been breached. But investigators have found that attackers installed all of the tools they would have needed to exfiltrate data.

Amazon Snafu Exposed Customers’ Names and Email Addresses

Scant Detail on Incident and Unusual Email Notification Raises Eyebrows
Amazon has blamed a technical error for its inadvertent exposure of some customers' names and email addresses online. The online retailing giant maintains that its systems were not breached, says it has sent an email notification to all affected customers, and that the problem has been fixed.

The SOC Essentials for 2019

Trustwave's Kory Daniels Outlines the Must-Have Skills, Capabilities
What are the key differences between building a SOC for a large enterprise vs. for a small to midsized organization? Trustwave's Kory Daniels explains the distinction and outlines the must-have skills.

Cybercrime Conference Returns to Dublin

IRISSCERT to Focus on Crime Trends, Incident Response, Spam Fighting and Cybersecurity for Kids
The 10th annual IRISSCERT Cyber Crime Conference, to be held Thursday in Dublin, promises to round up crime trends and also offer updates on incident response lessons learned, spam fighting and even cybersecurity essentials for children.

Two Friends Who Hacked TalkTalk Receive Prison Sentences

Telecom Company Says Total Losses Due to Data Breach Stand at $99 Million
Two men who pleaded guilty to participating in the massive 2015 hack of London-based telecom company TalkTalk have been sentenced to serve time in jail. Police say they recovered data from a suspect's wiped and encrypted systems as well as chat messages that incriminated the pair of friends.

Magecart Spies Payment Cards From Retailer Vision Direct

Card-Sniffing JavaScript Posed as Google Analytics Script on Retailer's Sites
Online contact lens retailer Vision Direct says it suffered a data breach that exposed customers' names and complete payment card details. Researchers say fake Google Analytics JavaScript designed to capture card details appears to have been planted by the prolific cybercrime gangs known as Magecart.

Here’s Why Account Authentication Shouldn’t Use SMS

Database Blunder Left Two-Step Codes, Account Reset Links Exposed
A database security blunder revealed on Friday serves as a reminder that the days of SMS-based authentication should be over. The exposed database, which wasn't protected by a password, contained 26 million text messages, many of which were two-step verification codes and account-reset links.

The Privacy Penalty for Voting in America

States Shouldn't Serve Up on a Platter Voters' Email Addresses and Phone Numbers
Voting in the United States carries a huge privacy cost: states give away or sell voters' personal information to anyone who wants it. In this era of content micro-targeting, rampant misinformation and identity theft schemes, this trade in voters' personal data is both dangerous and irresponsible.

Dutch Police Bust ‘Cryptophone’ Operation

Another Secure Service - As Allegedly Marketed to Criminals - Fails to Deliver
Once again, a supposedly secure service allegedly marketed to criminals has proven to have limits. Dutch police have busted a "cryptophone" operation, allowing them to decrypt more than 258,000 encrypted chat messages, leading to a drug lab bust, 14 arrests and the seizure of cash, drugs and weapons.

‘Trump’ Spam Trumps All Other Spam

Love Him or Loathe Him, Surname Dominates Spam Emails, Proofpoint Finds
With the U.S. midterm elections occurring on Tuesday, the "trump" keyword remains king for spammers. "Spam campaigners understand the value of brands, and for spam as for ballots, and whether for or against, the election is all about Trump," security firm Proofpoint says.

Radisson Suffers Global Loyalty Program Data Breach

Hotel Giant Has Yet to Disclose Total Number of Breach Victims
Radisson Hotel Group has suffered a data breach that resulted in the theft of data for its global loyalty program members. The company, which operates 1,400 hotels, says the breach touched data for "less than 10 percent" of all Radisson Rewards members, but it hasn't released a victim count.

The Evolution of the Targeted Attack

As the threat landscape evolves, it becomes a game of survival of the fittest. Only the best attacks and attackers remain standing, and the result is a series of targeted ransomware attacks that now cost global enterprises millions of dollars per year. This is among the important findings of the Sophos 2019 Threat Report.

French Cinema Chain Fires Dutch Executives Over ‘CEO Fraud’

$21 Million Lost to Business Email Compromise Fraudsters
French film production and distribution company Pathe fired the two senior managers overseeing its Dutch operations after they fell victim to a business email compromise scam and approved $21 million in transfers to fraudsters. Many organizations remain at high risk from such scams.

Congress Approves New DHS Cybersecurity Agency

Bill Creating Cybersecurity and Infrastructure Security Agency Awaits President's Signature
The United States will soon officially have a single agency that takes the lead role for cybersecurity. Congress has passed legislation to establish the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security. The measure awaits President Trump's signature.

Romanian Hacker ‘Guccifer’ Extradited to US

Former Taxi Driver Receives Conditional Release From Prison in Romania
The notorious Romanian hacker known as Guccifer, who revealed the existence of Hillary Clinton's private email server and admitted to hacking numerous email and social media accounts, has reportedly been extradited from Romania to begin serving his 52-month U.S. prison sentence.