Author Archives: BankInfoSecurity.com RSS Syndication

Toyota Australia, Healthcare Group Hit By Cyberattacks

Country Has Faced a Series of Security Incidents in Recent Weeks
Australia has faced a few tough weeks on the cybersecurity front. Toyota Australia's computer systems were still down Friday after an attempted cyberattack. A healthcare group acknowledged it was the victim of a ransomware attack. And last week, suspected nation-state attackers hit Parliament's email systems.

Hackers Target Fresh Drupal CMS Flaw to Infiltrate Sites

CMS Project Team Patches "Highly Critical" Remote Code Execution Vulnerability
Patch alert: Some versions of the popular content management system Drupal have a "highly critical" flaw that attackers can exploit to remotely execute code. The Drupal project team has released updates to fix the problem, which is already being targeted by hackers.

Big Dump of Pakistani Bank Card Data Appears on Carder Site

Street Value of 60,000 Cards on Joker's Stash is $3 Million, Group-IB Says
The notorious carder site Joker's Stash is featuring a fresh batch of Pakistani banks' payment card data with an estimated street value of $3.5 million. Nearly all of the 70,000 bank cards are advertised as being from Meezan Bank, the country's largest Islamic bank.

11 Takeaways: Targeted Ryuk Attacks Pummel Businesses

Faulty Decryptor Often Shreds Victims' Data, McAfee and Coveware Warn
A rush by some media outlets to attribute a late-2018 alleged Ryuk ransomware infection at Tribune Publishing to North Korean attackers appears to have been erroneous, as many security experts warned at the time. Rather, multiple cybercrime gangs appear to be using Ryuk, say researchers at McAfee and Coveware.

Congress Scrutinizes Facebook Health Data Privacy Complaint

Committee Demands Answers About Consumers' Complaint Filed With FTC
A Congressional committee is demanding Facebook provide answers concerning a complaint filed with the FTC alleging misleading privacy practices involving personal health information. The complaint also alleged a data leak exposed the names of over 10,000 cancer patients participating in a Facebook group.

Facebook Smackdown: UK Seeks ‘Digital Gangster’ Regulation

But Can New Laws and Greater Oversight Fix UK's 'Fake News' Challenges?
Technology giants stand accused by a U.K. parliamentary committee of risking democracy in pursuit of profit, acting as monopolies and blocking attempts to hold them accountable. But Parliament's probe into disinformation and "fake news" reserves special scorn for Facebook CEO Mark Zuckerberg.

Password Managers Leave Crumbs in Memory, Researchers Warn

Popular Password Managers for Windows Fail to Tidy Up Before Locking Up Shop
A security audit of popular password managers has revealed some concerning weaknesses. Luckily, none of the problems are showstoppers that should put people off using such applications. But the research shows that some password managers need to more thoroughly scrub data left in memory.

Wendy’s Reaches $50 Million Breach Settlement With Banks

After Insurance, Fast-Food Chain's Breach Costs Are Nearly $34 Million
Fast-food giant Wendy's has reached a $50 million settlement agreement with financial institutions that sued after attackers planted RAM-scraping malware on point-of-sale systems in 1,025 of its restaurants in 2015 and 2016, stealing massive quantities of payment card data.

Police Push Free Decryptor for GandCrab Ransomware

But GandCrab Gang Appears to Already Be Testing New Decryptor-Proof Version
Good news for many victims of GandCrab: There's a new, free decryptor available from the No More Ransom portal that will unlock systems that have been crypto-locked by the latest version of the notorious, widespread ransomware. But the ransomware gang appears to already be prepping a new version.

Criminals, Nation-States Keep Hijacking BGP and DNS

While Exploitable Protocols and Processes Persist, Adoption of Secure Fixes Lags
The internet is composed of a series of networks built on trust. But they can be abused due to weaknesses in older protocols, such as Border Gateway Protocol and the Domain Name System, which were not designed to be secure and are now being abused for online crime and espionage.

Report: Facebook Faces Multibillion Dollar US Privacy Fine

FTC and Social Network Are Negotiating Record Penalty, Washington Post Reports
The Federal Trade Commission is reportedly negotiating a settlement with Facebook that includes a multibillion dollar fine for its privacy failures. But the social network is alarmed about the proposed settlement agreement's terms and conditions, The Washington Post reports.

WannaCry Hero Loses Key Motions in Hacking Case

Judge Says 'Terrible Hangover' Didn't Fuzz Suspect's Miranda Rights Clarity
A famed British computer security researcher has lost several key motions in a federal hacking case that stems from his alleged contribution to two types of banking malware. The rulings could complicate the challenges for the defense team of Marcus Hutchins, who remains in the U.S.

Roses are Red, Romance Scammers Make You Blue

Don't Fall for Fraudsters or You'll Be Poor and Brokenhearted Too
This Valentine's Day, authorities are once again warning individuals to watch out for anyone perpetrating romance scams. The FTC says Americans lost $143 million to romance scams in 2017 while in the U.K., Action Fraud says reported romance scam losses in 2018 topped $64 million.

Battling Big Breaches: Are We Getting Better?

Bad News, Based on the 5 Biggest Breaches in the Past 5 Years
What if organizations' information security practices have gotten so good that they're finally repelling cybercriminals and nation-state attackers alike? Unfortunately, the five biggest corporate breaches of the past five years - including Yahoo, Marriott and Equifax - suggest otherwise.

RSA Conference 2019: A Preview

What are some of the hottest issues that will be discussed at this year's RSA Conference, to be held March 4-8 in San Francisco? Britta Glade, content director for the world's largest data security event, says DevSecOps - as well as third-party risk and cloud-related issues - are emerging as key themes.

No-Deal Brexit Threatens British Crime-Fighting

Police Say Data-Sharing Alternatives 'Will Not Be As Efficient Or Effective'
British police say they're doing their best to cope with the possibility that the U.K. will crash out of the EU in 45 days and lose access to joint policing resources. But Richard Martin of the Met Police says replacements "will not be as efficient or effective as the tools we currently use."

Major Flaw in Runc Poses Mass Container Takeover Risk

Attackers Could 'Break Out' via Runc Flaw to Compromise All Containers on Host
Red Hat, Amazon and Google have issued fixes for a serious container vulnerability. The flaw in the "runc" container-spawning tool could allow attackers to craft a malicious container able to "break out" and gain root control of a host system, potentially putting thousands of other containers at risk.

US Intensifies Pressure on Allies to Avoid Huawei, ZTE

Secretary of State Pompeo Tours Europe to Discuss Countering China, Russia
The Trump administration is leading a broadside against Chinese telecommunications giants Huawei and ZTE. But concerns that Chinese networking gear could be used as backdoors for facilitating state-sponsored surveillance or disrupting critical infrastructure are not limited to America.

Apple Update: Drop Everything and Patch iOS

Zero Days Being Exploited; Apple Contributes to 'FacePalm' Bug Finder's Tuition
Apple has issued an iOS update that patches two flaws being exploited in the wild by attackers as well as the "FacePalm" bug in Group FaceTime. Apple says it compensated the teenager who reported the FaceTime flaw and gave him an extra gift toward his tuition.

Stress Test: Police Visit Webstresser Stresser/Booter Users

Seized Customer Data Appears to Be Powering Ongoing Dutch and UK Probes
Hundreds of suspected customers of Webstresser, a DDoS stresser/booter site that was disrupted last year, are being visited by law enforcement agents and may see jail time. The police message: Using darknet cybercrime services doesn't guarantee anonymity, even if you pay with bitcoin.

German Antitrust Office Restricts Facebook Data Processing

Facebook Must Obtain Consent to Combine User Data From Different Sources
Germany's competition authority, the Bundeskartellamt, has prohibited Facebook from combining user data from different sources unless users consent, and it has also prohibited Facebook from blocking users who do not provide this consent. Facebook has one month to appeal the antitrust decision.

Ransomware Victims Who Pay Cough Up $6,733 (on Average)

Dharma/CrySiS, GandCrab and GlobeImposter Strains Most Prevalent, Study Finds
Ransomware victims who opted to pay for the promise of a decryption key forked over an average of $6,733 in the fourth quarter of 2018, according to ransomware incident response firm Coveware. It says strains such as SamSam and Ryuk, which demand higher-than-average ransoms, are increasingly common.

Bangladesh Bank Sues to Recover Funds After Cyber Heist

New York Fed Provides Technical Assistance Aimed at Recovering Lost $81 Million
Bangladesh Bank, supported by the New York Fed, has filed a lawsuit in U.S. federal court to try to recover $81 million stolen via one of the biggest online bank heists in history. But the Philippine bank the lawsuit targets has dismissed the case as a "political stunt" designed to shift blame.

Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

The digital revolution has given healthcare organizations new tools to increase team efficiency and improve their customer experience. But it's also opened up new vectors that cybercriminals can use to attack. As your attack surface expands to web infrastructure that you don't own or control, it becomes increasingly difficult to protect your digital assets and your data. You must shift security priorities from prevention to detection and remediation.

Facebook Gets Its First Real Privacy Penalty – From Apple

Apple's Privacy Warning to Facebook: We Can Break You
Apple's conflict with Facebook this week resulted in the most effective and quickest punishment the social network has ever received over a privacy issue. But should a multi-billion dollar tech company like Apple be picking up the slack for the digital privacy enforcement failures of governments?

Stolen RDP Credentials Live On After xDedic Takedown

Customers of Notorious RDP Marketplace Expected to Move to Rival UAS Market
The notorious xDedic Marketplace Russian-language cybercrime forum and shop remains offline, following an international police takedown. Security experts expect xDedic customers to shift to UAS, a rival darknet market that also specializes in stolen and hacked remote desktop protocol credentials.

Inside Matrix and Emotet: How They Work, and How to Defend

Sophos is out with new reports on Matrix and Emotet, two different types of cyberattacks that are hitting enterprise defenses. Matrix is a targeted ransomware, an emerging type of attack Sophos expects to gain prominence, and Emotet is malware that has evolved over the years into an opportunistic, polymorphic threat that can wreak havoc in many different ways. How do these threats work, and how should you bolster your defenses? Sophos researcher John Shier offers his expertise.

Apple Slams Facebook for Monitoring App Given to Minors

Facebook's Internal iOS Apps Break After Apple Revokes Developer Certificate
Apple has revoked Facebook's enterprise certificate, leaving the social network's employees unable to access internal iOS apps, after Facebook used it to distribute an app that monitored smartphone activity, sometimes from minors, in exchange for monthly payments. Facebook says it did nothing wrong.

Yahoo’s Proposed Data Breach Lawsuit Settlement: Rejected

Judge Slams Attorneys' Fees, Security Shortcomings in $50 Million Proposal
Court order: Yahoo's proposed settlement for a class-action lawsuit must return to the drawing board, after a federal judge said a proposal to place $50 million into a settlement fund for breach victims lacked security specifics and awarded excessive attorneys' fees. The case could go to trial.

Underestimated Risk & Overestimated Security: When All You Do Is React, it May Be Too Late

For decades, IT professionals have been fighting malware, hackers, and other threats. Data protection, confidentiality, integrity and availability have long been threatened not only by amateur hackers, but by profit-oriented, well-organised criminals. Victims can usually only react because many of the usual methods for detecting malware require knowledge about specific attack techniques, about the behavior or about signatures of specific malware families.

Japan’s IoT Security Strategy: Break Into Devices

Nation to Allow Researchers to Brute-Force 200 Million Devices
Japan plans to identify vulnerable internet of things devices the same way hackers do: by trying to log into them. The country wants to gauge its cybersecurity readiness for next year when it hosts the summer Olympics. If vulnerable devices are found, the plan is to notify device owners.

Deal to Reopen U.S. Government Announced

President Trump Says He'll Sign Measure to Fund Government for Three Weeks
President Donald Trump announced Friday afternoon that the White House and Congress have reached a deal to temporarily end the 35-day federal government partial shutdown with a short-term funding bill that does not include money for a border wall.

Trump Adviser Stone Charged With Lying About WikiLeaks

Roger Stone Arrested as Part of Mueller Investigation Into Russian Interference
Roger Stone Jr., a longtime political adviser to President Donald Trump, has been arrested as part of Robert Mueller's Russian interference probe. Stone has been accused of lying to Congress about his communications with WikiLeaks over stolen Democratic Party documents and emails it published.

Why Do Data Brokers Access the Australian Electoral Roll?

Restricted Data Access Required by Anti-Money Laundering and Anti-Terrorism Laws
Massive data brokers - Equifax, Experian, Illion and others - are leveraging Australia's electoral roll, which is a tightly held and valuable batch of data. While this little-known practice might sound alarming, in fact it's required under Australia's anti-money laundering and anti-terrorism rules.

Police Arrest €10 Million IOTA Cryptocurrency Theft Suspect

Scheme Offered 'Free' Website for Generating Cryptocurrency Wallet Seeds
Police in England have arrested a 36-year-old man as part of an investigation into the theft of at least €10 million ($11.3 million) in IOTA cryptocurrency since January 2018 from 85 victims worldwide, perpetrated via a malicious cryptocurrency seed generation website that stored users' private keys.

Key Drivers to Enable Digital Transformation in Financial Services

Digital transformation (DX) continues to drive growth across financial services firms, creating new opportunities to increase revenue and foster innovation. Cloud - whether public, private or a hybrid approach - is foundational to achieving DX objectives, as is secure, resilient and scalable network connectivity. Customers demand a seamless experience across all digital channels.

Contactless Payments: The New Wave

Security Leaders Discuss How to Balance Security vs. Convenience
As part of its ongoing push toward cashless payments, India is taking steps to ramp up the use of contactless payments, which are already becoming more common in Japan, South Korea, Australia, the U.K. and the U.S. What can be done to balance security vs. convenience?

France Hits Google with $57 Million GDPR Fine

Record Privacy Fine Sends Strong Signal to Data-Processing Technology Companies
France has hit Google with a 50 million euro ($57 million) fine for violating the EU's General Data Protection Regulation. The country's data regulator says Google doesn't inform users in a clear way how their data is being collected and processed for targeted advertising.

Report: Federal Trade Commission Weighs Facebook Fine

Facebook Probed by FTC Over Failures that Enabled Cambridge Analytica Scandal
The U.S. Federal Trade Commission is close to concluding its investigation into Facebook over the Cambridge Analytica scandal, the Washington Post reports, noting that the social network may face a record-setting fine, exceeding the $22.5 million fine the FTC in 2012 slammed on Google.

Data Breach Collection Contains 773 Million Unique Emails

2.7 Billion Email/Password Combo List Available for Credential Stuffing, Troy Hunt Warns
Australian security expert Troy Hunt says an 87 GB compilation of username and password combinations - drawn from more than 2,000 databases - includes 773 million unique email addresses for apparent use in credential-stuffing attacks. Takeaway: Use a unique password for every site, or else.

Why Software Bugs Are So Common

Recent Breach at Singapore Airlines Reveals Lack of Attention to Security at Development Stage
The recent exposure of customer data on the website of Singapore Airlines as a result of a software bug is further evidence of the persistent challenge of adequately addressing security during the development stage.

Facebook Deletes More Bogus Accounts Linked to Russia

Sputnik News Agency in Russia Created 'Fake Accounts,' Social Network Alleges
Facebook has removed hundreds of accounts, alleging that the account creators misrepresented their identity. The social network alleges that some of the accounts were surreptitiously created by employees of the state-owned Sputnik news agency in Moscow, which Sputnik disputes.

Insider Trading: SEC Describes $4.1 Million Hacking Scheme

Ukrainian Hacker Charged With Stealing Nonpublic 'Test Files' for 8 Traders
The U.S. Securities and Exchange Commission has charged seven individuals and two organizations with being part of an international scheme that hacked the SEC's EDGAR document system, stole nonpublic corporate information and used it to illegally earn $4.1 million via insider trading.