Category Archives: Data Breach

Rooster Teeth Productions suffered a payment card breach

Rooster Teeth Productions has suffered a data breach that exposed payment card information from shoppers on the company’s online store.

The popular production company Rooster Teeth Productions has suffered a data breach in which hackers stole credit card and other payment data from users who made purchases on the company’s online store.

Rooster Teeth Productions, LLC is an American entertainment company that is known for its documentaries, including Red vs. Blue, RTDocs, Crunch Time, and Day 5.

The data breach took place on December 2, and the company discovered the incident the same day. The attackers planted a malicious script into the checkout page of the online store; it redirected shoppers to a fake payment page under the attackers’ control.

“On December 2, 2019, Rooster Teeth discovered that malicious code had been added to the Site earlier the same day. The malicious code directed users entering a checkout on the Site to a spoofed webpage where they were asked to enter payment card details in order to complete their purchases.” reads the notice of data breach published on the company site. “This was inserted after the stage at which users entered their shipping data. Users who completed the payment card details page were then directed to the real webpage, where they were asked to complete the forms again.”

Hackers have stolen customers’ names, email addresses, telephone numbers, physical addresses, and/or payment card information.

In response to the incident, the company removed the malicious code from the store and sent data breach notifications to the affected users.

“We removed the malicious code from the Site and took other steps to secure the Site against further unauthorized access. The incident did not affect any other part of the Site or other information maintained by us.” continues the notice.

Rooster Teeth Productions is also offering affected users a free 1-year Experian IdentityWorks subscription.

Impacted users are recommended to remain vigilant for fraudulent activities and to review payment card or personal account statements for unauthorized charges.

Pierluigi Paganini

(SecurityAffairs – Rooster Teeth Productions, hacking)

The post Rooster Teeth Productions suffered a payment card breach appeared first on Security Affairs.

As malware and network attacks increase in 2019, zero day malware accounts for 50% of detections

Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.

Massive fallout from the Equifax breach

The report also highlights a major rise in zero day malware detections and increasing use of Microsoft Office exploits and legitimate penetration testing tools. Apache Struts 2 Remote Code …

The post As malware and network attacks increase in 2019, zero day malware accounts for 50% of detections appeared first on Help Net Security.

A Look Back at the Major Cyber Threats of 2019

Today we launch our 2019 Threats of the Year report; a look back at the major tools and tactics that cybercriminals have exploited over the past year.

Based on original research conducted for our ‘Threat of the Month’ blog series, we look into the impact of directed attacks against specific organizations, and how we can defend ourselves against these types of attack.

We also look at non-direct attacks – the attacks that are more of a numbers game for cybercriminals. In this case they are looking to hit as many victims as possible, without regard for the organizations or individuals that they affect.

Finally, we look at the cybercriminal ‘toolkit’. From remote access trojans, to hiding threats in encrypted traffic, we’ve seen various innovations in how cybercriminals have evaded detection this year.

As we look towards the end of the year (and decade), we also sought perspectives from Cisco Security experts looking back at 2019. When asked what one particular threat stood out this year, and to offer a New Year’s resolution for 2020 that all organizations could consider adopting, here’s what they said:

Martin Lee, Talos (Cisco Threat Intelligence)

This year will be remembered as the year when we saw that DNS data, as well as TLS certificates, could be ‘fake news’.

Although sporadic malicious activity had previously compromised DNS data, the discovery of the Sea Turtle campaign showed that DNS information could be compromised wholesale by attackers taking over top-level registries.

Consequently, legitimate domain-validated TLS certificates were granted to the attackers – since they controlled the domain’s DNS entries, meaning that the impersonation checking within TLS connections was subverted also. Attackers could thus divert a user from accessing a legitimate system to connect them to a malicious server while presenting a valid TLS certificate to authenticate the connection.

New Year’s resolution for 2020

Enable multi-factor authentication on every system that can support it. Passwords have never been a 100 percent effective or secure mechanism for authenticating users. You can add two-factor authentication (2FA) to all your system accounts so that even if someone steals or cracks your password, they can’t impersonate you to gain access to valuable data.

Andrea Kaiser, Cisco Umbrella (Protecting the DNS layer)

Malspam, or malicious unwanted email is still the predominant method used to cast a wide net and get up close and personal with the most vulnerable part of a network: users.

In 2019 we saw the Emotet botnet continue to spread malicious payloads and grow its victim base, expanding its malware-as-a-service tactic. Trickbot, Qakbot, IcedID, and Gootkit all spread through malicious document attachments as some of the payloads pushed by the Emotet botnet in 2019.

Emotet added the ability to hijack email threads by injecting responses into old or ongoing conversations from users’ email. The new response can include links or malicious attachments to download Emotet.

This is all possible due to Emotet’s ability to steal email content and mail account credentials. The initial access and further propagation of the botnet relies on the distribution of malspam. This past year showed that we need to be vigilant in looking for targeted social engineering attacks in our inboxes.

New Year’s resolution for 2020

Social engineering is a threat that can affect you regardless of it being used as a tactic of malware. It can be used in any social setting to gain sensitive information. Oftentimes, all one needs to start the process is a tiny bit of information about a person – such as the year you graduated or the city in which you were born. That one seed of information can lead to a path to compromise your personal data. My recommendation for your New Year’s resolution is to limit the online availability of your personal information. Take a look at our Consumer Data Privacy report to learn more.

Patrick Garrity, Cisco Duo (Access/Multi-Factor Authentication Security)

For those of us in access security (endpoint and MFA), we’re concerned about exploits targeting device operating system and browser software.

This year, two major examples affected the Google Chrome browser, including a zero-day vulnerability impacting all major operating systems, including Windows, Apple’s MacOS and Linux.

The vulnerability was a ‘use-after-free’ type, which is a memory corruption flaw that allows a threat actor to exploit modified data in the memory of a machine and escalate privileges on that machine. This means if a user opens a PDF in a compromised Chrome browser, an attacker can hijack the browser to gain access to their machine.

While Google quickly released a patch to protect against this vulnerability, it’s an important example to highlight the importance of gaining visibility into your users’ endpoints running out-of-date software and browsers.

New Year’s Resolution for 2020

Make sure your devices are up to date by regularly obtaining visibility into the security status of your users’ devices. Then notify users of their out-of-date software and enforce policies that require software updates before allowing access to applications. Or, block access from any device that doesn’t meet your organization’s policies or requirements.

To find out more about these and other threats of 2019, download the Cisco 2019 Threats of the Year report.

Sign up here to receive our Threat of the Month blog series.

We will be holding a Cisco Live chat on this threat report on 17th December at 9am PST. Tune in on or via any of our social channels – Twitter, Facebook, Youtube and our Security Community.

We encourage you to use this retrospective report in any security-focused board meetings or business planning sessions you might be holding over the next few months to guide you on planning the security tools and processes needed for 2020. You can also use it as a resource to help explain how your current security posture would perform with any such attacks, and identify any gaps.

The post A Look Back at the Major Cyber Threats of 2019 appeared first on Cisco Blogs.

Waco water bill attack just the latest in a wave of Click2Gov breaches

The City of Waco has warned residents that their online payments for water services may have been intercepted by hackers who stole credit card details. The heart of the problem lies in the third-party online payment software that Waco and several other cities and municipalities use to let residents pay their bills, pay parking fines, […]

The post Waco water bill attack just the latest in a wave of Click2Gov breaches appeared first on The State of Security.

Data Leak Exposes Birth Certificate Info of 750k

The personal data of more than 752,000 people who applied for copies of birth and death certificates was found on an unprotected Amazon Web Services database.

The leaked data has been traced back to a company that provides the online request forms for copies of birth and death certificates to state governments. States contracting with the company include California, New York, and Texas. The publicly available data includes names, mailing addresses, email addresses, phone numbers, family information, and birth dates.

Cybersecurity company Fidus Information Security found the data online with no password protection, a situation that was later verified by TechCrunch. Prior to publishing their findings, warnings were sent to the company responsible for the data compromise. No action had been taken to secure the data at the time of publication of this blog post.

Misconfigured AWS storage continues to be a persistent source of data leaks and compromises, affecting companies including Capital One, Dow Jones, Sprint, and others. 

Read the original report here.

The post Data Leak Exposes Birth Certificate Info of 750k appeared first on Adam Levin.

Unsecured AWS bucket exposes over 750,000 birth certificate applications

A massive data leak has made the headlines: over 750,000 birth certificate applications have been exposed online due to an unsecured AWS bucket.

Penetration testing firm Fidus Information Security discovered over 752,000 birth certificate applications that have been exposed online due to an unsecured AWS bucket. 

The huge trove of personal data has been exposed online by an unnamed company that allows its customers to get copies of their birth and death records from state governments in the United States.

“More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket. (The bucket also had 90,400 death certificate applications, but these could not be accessed or downloaded.)” reads the post published by TechCrunch. “The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.”

The bucket also contained 90,400 death certificate applications, which however could not be accessed.

The exposed records include name, date of birth, current home address, email address and phone number, names of family members, historical information (such as previous addresses), and the reason for applying for the documents.

The content of the AWS bucket was updated daily; in just one week, the unnamed company that owns the application added about 9,000 applications to the bucket. The applications dated back to late 2017, and TechCrunch verified the authenticity of the data.

Fidus and TechCrunch attempted to contact the company via email prior to publication, without success; they also informed Amazon, which said it would notify the customer.

Pierluigi Paganini

(SecurityAffairs – AWS Bucket, birth certificate)

The post Unsecured AWS bucket exposes over 750,000 birth certificate applications appeared first on Security Affairs.

More than 44 million Microsoft user accounts are exposed to hack

Microsoft revealed that 44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking.

Microsoft discovered that 44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking because their owners were using compromised passwords.

Experts from the Microsoft threat research team analyzed a database containing 3 billion leaked credentials from different security breaches.

“The Microsoft identity threat research team checks billions of credentials obtained from different breaches (from multiple sources, including law enforcement and public databases) to look for compromised credentials in the Microsoft systems.” reads the post published by Microsoft. “As you can see on the right, so far, in 2019* the threat research team checked over 3 Billion credentials and found a match for over 44 million Azure AD and Microsoft Services Accounts.”

For each credential in the database that belonged to one of its users, Microsoft forced a password reset; Microsoft also recommends that users enable MFA wherever possible.

Microsoft users’ accounts are exposed to hijacking because of the bad habit of reusing passwords across multiple services and the adoption of weak passwords.

Multi-Factor Authentication (MFA) could drastically improve the security of accounts; according to Microsoft, 99.9% of identity attacks have been thwarted by enabling MFA.

“Once a threat actor gets hold of spilled credentials or credentials in the wild,” the report states, “they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.”

Microsoft urges Azure users to turn on MFA and offers solutions to protect customers from breach replay attacks (flag users as high risk and inform the administrator to enforce a password reset).

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” concludes Microsoft.

“Microsoft also offers solutions to protect customers from breach replay attacks. This includes capabilities to flag users as high risk and inform the administrator to enforce a password reset.”
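As an added illustration (not Microsoft’s code) of the two checks described above: matching a submitted credential against a leaked-credential corpus and choosing the response the post describes, plus spotting the breach replay pattern in constructed sign-in log lines. The HMAC key, the log format and the detection thresholds are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the corpus stores keyed hashes of "email:password" rather than
# plaintext pairs, so the matching list is not itself a usable credential dump.
CORPUS_KEY = b"constructed-demo-key-not-a-real-secret"


def fingerprint(email, password, key=CORPUS_KEY):
    """Keyed hash of a normalised email/password pair."""
    msg = f"{email.strip().lower()}:{password}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_corpus(leaked_pairs):
    """Index (email, password) pairs recovered from breach dumps."""
    return {fingerprint(e, p) for e, p in leaked_pairs}


def assess_login(email, password, corpus, account_type):
    """Decide the response for one sign-in, following the post: consumers get a
    forced reset, enterprise users get elevated risk and an admin alert."""
    if fingerprint(email, password) not in corpus:
        return "allow"
    if account_type == "consumer":
        return "force_password_reset"
    return "elevate_risk_and_alert_admin"


# Constructed sign-in log (not real traffic). Fields: time, source IP, service,
# account, outcome. One source tries several accounts across two services within
# seconds, which is the breach replay pattern; the other line is a normal login.
SAMPLE_LOG = """\
2019-12-05T10:00:01Z 203.0.113.7 mail alice@example.com fail
2019-12-05T10:00:03Z 203.0.113.7 storage bob@example.com fail
2019-12-05T10:00:05Z 203.0.113.7 mail carol@example.com success
2019-12-05T10:00:06Z 203.0.113.7 storage dave@example.com fail
2019-12-05T10:00:09Z 198.51.100.4 mail alice@example.com success
"""


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, service, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, service, account.lower(), outcome))
    return events


def detect_breach_replay(text, window=timedelta(minutes=5),
                         min_accounts=3, min_services=2):
    """Flag source IPs that try many distinct accounts across several services
    within one window; the thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (ts, *_) in enumerate(evs):
            recent = [e for e in evs[: i + 1] if ts - e[0] <= window]
            accounts = {e[3] for e in recent}
            services = {e[2] for e in recent}
            if len(accounts) >= min_accounts and len(services) >= min_services:
                flagged[ip] = {"accounts": len(accounts), "services": len(services)}
    return flagged


if __name__ == "__main__":
    corpus = build_corpus([("Alice@Example.com", "Winter2019!")])
    print(assess_login("alice@example.com", "Winter2019!", corpus, "consumer"))
    print(detect_breach_replay(SAMPLE_LOG))
```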

Pierluigi Paganini

(SecurityAffairs – Microsoft users, hacking)

The post More than 44 million Microsoft user accounts are exposed to hack appeared first on Security Affairs.

BYOD security challenges leave companies at risk

Organizations aren’t moving quickly enough on cybersecurity threats linked to the drive toward using personal mobile devices in the workplace, warns a QUT privacy researcher.

BYOD security challenges everywhere

Dr Kenan Degirmenci from QUT’s Science and Engineering Faculty’s School of Information Systems said workers worldwide expected to take their work with them whenever and wherever. But he warned Bring Your Own Device (BYOD) had opened up a can of worms for …

The post BYOD security challenges leave companies at risk appeared first on Help Net Security.

Security Affairs newsletter Round 243

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Data of 21 million Mixcloud users available for sale on the dark web
Google warned 12K+ users targeted by state-sponsored hackers
Twitter account of Huawei Mobile Brazil hacked
Clop Ransomware attempts to disable Windows Defender and Malwarebytes
Europol seized 30,506 Internet domain names for IP Infringement
Ohio Election Day cyber attack attempt traced to Russian-Owned Company
StrandHogg Vulnerability exploited by tens of rogue Android Apps
TrueDialog database leaked online tens of millions of SMS text messages
A flaw in Microsoft OAuth authentication could lead to Azure account takeover
Experts discovered DLL hijacking issues in Kaspersky and Trend Micro solutions
Website of gunmaker Smith & Wesson hit by a Magecart attack
Mozilla removed 4 Avast and AVG extensions for spying on Firefox users
Talos experts found a critical RCE in GoAhead Web Server
Two malicious Python libraries were stealing SSH and GPG keys
China used the Great Cannon DDoS Tool against forum used by Hong Kong protestors
CyrusOne, one of the major US data center providers, hit by ransomware attack
Iran-Linked APT groups target energy, industrial sectors with ZeroCleare Wiper
The evolutions of APT28 attacks
CVE-2019-14899 flaw allows hijacking VPN connections on Linux, Unix systems
OpenBSD addresses authentication bypass, privilege escalation issues
VMware addresses ESXi issue disclosed at the Tianfu Cup hacking competition
Russia-linked Gamaredon group targets Ukraine officials
Vietnam-linked Ocean Lotus hacked BMW and Hyundai networks

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 243 appeared first on Security Affairs.

‘E-Skimming’ Is Real, and It May Already Have Grabbed Your Credit Card Information

I’m going to put my one takeaway tip upfront in this article, because it’s that important: Don’t use a debit card when you’re shopping online. While debit cards provide more protections than they used to, they are still a direct conduit to your actual money–not credit–and as such it’s just a bridge too far in the current environment of scam whack-a-mole we all have to deal with this holiday season.

Now for the news.

You may have heard that the Macy’s website was breached recently. It was an e-skimming attack, and a successful one. Hackers were able to intercept customer credit card information and other sensitive personal data by injecting a bit of rogue code into the Macy’s online shopping cart.

While it’s never good news for a major retailer, especially in the middle of the post-Halloween portion of the ramp-up for the holiday season, Macy’s is by no means alone. Tens of thousands of e-commerce sites have been compromised in similar attacks linked back to a hacking group (or groups) called Magecart.

Even though the threat posed by Magecart has now triggered an FBI warning to small and medium-sized businesses, the number of targeted entities and affected customers is expected to continue to spike this holiday season.

Here’s what businesses need to know.

What is E-skimming?

When we look at a webpage we’re essentially seeing the “skin” of a complex organism. There is a patchwork of files hosted on multiple servers that deliver code written by hundreds, if not thousands, of authors making that webpage look and function the way it does. Every piece of functionality on a site made to be more appealing to customers, or to glean more meaningful data about their behavior, requires the addition of modules, plug-ins, and scripts.

Taken at face value, the ever-expanding universe of plug-in functionality is great for businesses, since only big players have the time or money to acquire custom software. From a security point of view, this very same universe is the stuff of migraine headaches. Each extra line of code included on a site expands its attackable surface, and as we’ve seen most recently with Macy’s, a single compromised file can be used to compromise an entire site.

Enter Magecart.

Magecart’s methods vary (there have been over 40 documented techniques deployed), but the broad strokes are consistent. Once a weak point has been found on an e-commerce site (common methods include phishing, or targeting outdated versions of software with known vulnerabilities), code is inserted to “eavesdrop” on any information entered by a customer and transmit that information to an offsite server.

The compromised business and the customer are none the wiser, as the attack doesn’t actually interfere with the processing of a payment card, and the first sign of trouble is usually a notification from a credit card company or bank that they suspect a fraudulent transaction.

The holiday season makes it even harder to pinpoint the source of the breach, as shoppers are likely to order from many different websites. E-skimming is easy to deploy, hard to detect, and extremely lucrative.

How Can Business Owners Avoid Getting Got?

As with any other cybersecurity threat, there’s no one way to stop e-skimming exploits, especially given Magecart’s wide-ranging bag of tricks, but there are a few things we can do to minimize the risk.

  • Stay current with patches and upgrades: It’s important for any business to keep its website up to date, but for commerce sites, it’s mission critical. Every time an e-commerce platform releases a security update, it flashes a beacon to hackers to attack, since any site that hasn’t installed the update is vulnerable.

  • Train employees: Educate employees to better recognize phishing emails, to use strong passwords and be on the lookout for anything that seems out of the ordinary.

  • Practice cyber hygiene: Implement multi-factor authentication and be sure to change the default credentials on any software or hardware.
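The Rooster Teeth incident earlier on this page and the Magecart description above both come down to code on the checkout page that was not there at release time. As an added example (not code from either post), this script snapshots the checkout page’s script inventory and form targets and reports anything that later deviates from it; the sample pages, the host names and the `.invalid` domains are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collect external script sources, hashes of inline scripts and form targets."""

    def __init__(self):
        super().__init__()
        self.external = []        # src attribute of each <script src=...>
        self.inline_hashes = []   # sha256 of each inline <script> body
        self.form_actions = []    # action attribute of each <form>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())


def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser


def baseline_from(html):
    """Snapshot of the known-good checkout page, taken at release time."""
    inv = inventory(html)
    return {"external": set(inv.external), "inline": set(inv.inline_hashes)}


def audit_checkout(html, baseline, own_hosts):
    """Return sorted (kind, value) findings for scripts not in the baseline and
    for forms posting off-site; an empty list means the page matches the snapshot."""
    inv = inventory(html)
    findings = []
    for src in inv.external:
        if src not in baseline["external"]:
            findings.append(("unknown-external", src))
    for digest in inv.inline_hashes:
        if digest not in baseline["inline"]:
            findings.append(("unknown-inline", digest))
    for action in inv.form_actions:
        host = urlparse(action).netloc.split(":")[0].lower()
        if host and host not in own_hosts:   # relative actions stay on-site
            findings.append(("offsite-form-action", action))
    return sorted(findings)


# Constructed sample pages (not real sites): the release snapshot, and a copy
# with a placeholder script and an off-site payment form inserted after the
# shipping step, the position the Rooster Teeth notice describes.
GOOD_PAGE = """<html><body>
<script src="https://shop.example/static/app.js"></script>
<script>window.cart = {step: "payment"};</script>
<form action="/checkout/pay" method="post"></form>
</body></html>"""

TAMPERED_PAGE = GOOD_PAGE.replace(
    '<form action="/checkout/pay"',
    '<script src="https://cdn.third-party.invalid/x.js"></script>\n'
    '<script>/* placeholder standing in for injected code */ var probe = 1;</script>\n'
    '<form action="https://pay.third-party.invalid/submit"',
)

if __name__ == "__main__":
    base = baseline_from(GOOD_PAGE)
    for kind, value in audit_checkout(TAMPERED_PAGE, base, {"shop.example"}):
        print(kind, value)
```

Running the audit on every deploy and on a schedule against the live page turns the "none the wiser" problem above into a diff you can alert on.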

What Can Consumers Do?

The debit card tip is one that’s worth putting into practice. Otherwise, the best practices here are the same as those we should have in place in general. Basically, practice what I call the Three Ms in my book Swiped.

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit. Be careful when you click.

Monitor your accounts. Set up free transaction monitoring alerts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises, which is oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

Despite an increase in the number and severity of data breaches affecting businesses, too many companies still haven’t gotten the message.

PCI compliance, the set of standards created by the payment card industry to safeguard customer financial information, has fallen for the second year in a row worldwide, and currently barely 1 in 5 businesses in the Americas are capable of passing an audit.

We’re most likely looking at the twilight of the good old days when any company could spend a minimal amount of money to get a functional shopping cart up and running. Cybersecurity is an investment in your company’s future. E-commerce sites can generate massive amounts of revenue (just ask Amazon), but they can also provide a point of entry for hackers to access a motherlode of financial information.

Let that old chestnut “forewarned is forearmed” be your watchword this holiday season.

The post ‘E-Skimming’ Is Real, and It May Already Have Grabbed Your Credit Card Information appeared first on Adam Levin.

Here’s What You Need to Know About Your Data Privacy in 2020

The end of 2019 is rapidly approaching, and with the coming of a new year comes the perfect opportunity to reflect on the past and plan for the months ahead. What will 2020 bring when it comes to cybersecurity and what can users do to ensure that they’re protected in the upcoming year? From new data privacy laws to how organizations collect and store user data, the new year will certainly bring plenty of security implications for users. Let’s take a look at a few predictions we have for the year to come.

More Awareness, More Regulations

After a security breach is disclosed, users often learn what can go wrong with their data and may start to wonder what will happen if their information gets into the wrong hands. That’s why new privacy laws will likely be implemented to empower users to better protect and control their data. For example, the new California privacy law set to go into effect January 2020 will allow consumers to instruct companies to delete their personal information and to opt-out of having their private data shared. These new regulations will allow users to better control their data and who has access to it. However, more regulations also create a more complicated landscape for individuals to navigate. Consumers will likely see more “consent” requests attached to any online data collection. That said, it is important to pay close attention to what consumers are agreeing to when they click “consent.”

With these new privacy laws, the method and level of transparency that organizations use to collect and store user data will likely come under scrutiny, particularly as data breaches become public. For example, companies make billions of dollars annually by buying and selling personal information that isn’t theirs to sell. The more data a company has on a user, the more insight cybercriminals have to infiltrate their digital life and trick them into sharing more information. 

New Tricks for the New Year

As more data is collected from various breaches, cybercriminals will look to leverage this information as a way to better understand which users to target and how exactly to target them. With the help of social engineering and artificial intelligence, these crooks will up the ante and turn old cyber tricks into sophisticated, unfamiliar threats. Take call spoofing, for example. By taking advantage of a user’s private data and new technology, cybercriminals could implement a fake call that appears to be coming from the user’s friend or family member. Because users are more likely to pick up a call from someone they know or a number that shares their same area code, cybercriminals increase the chances that their malicious attacks will be successful.

Dark Web Draws in More Data

With the number of breached records growing every day, users need to be aware of how crooks are leveraging this information in the cybercriminal underground and on the Dark Web. According to the McAfee Advanced Threat Research (ATR) team, more than 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone. This growing trend of personal online accounts being brokered on the Dark Web and the increasingly sophisticated threats that have recently emerged means that the 2019 holiday season could be the most dangerous yet.

With these predictions for the cybersecurity landscape in 2020, what resolutions can users make to help ensure that their data is protected? Follow these security tips to help safeguard your personal information:

  • Never reuse passwords. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. Ensure that all of your passwords are complex and unique.
  • Go directly to the source. Instead of clicking on a link in an email, it’s always best to check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.
  • Use a tool to help protect your personal information. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Here’s What You Need to Know About Your Data Privacy in 2020 appeared first on McAfee Blogs.

What do cybercriminals have in store for 2020?

As we look to 2020 and a new decade, cybersecurity will continue to be a top priority for businesses and consumers alike. To help organizations prepare for the next year and beyond, Experian released its forecast, which predicts the top five threats businesses and consumers should be aware of in order to keep their information safe. “Hackers are continuing to become more sophisticated with the tools at their disposal to gain control of personal devices …

The post What do cybercriminals have in store for 2020? appeared first on Help Net Security.

Cyber Security Roundup for November 2019

In recent years politically motivated cyber-attacks during elections have become an expected norm, so it was no real surprise when the Labour Party reported it was hit with two DDoS cyber-attacks in the run up to the UK general election, which was well publicised by the media. However, what wasn't well publicised was that both the Conservative Party and the Liberal Democrats were also hit with cyber attacks. These weren't nation-state orchestrated cyberattacks either; the black hat hacking group Lizard Squad, well known for their high profile DDoS attacks, are believed to be the culprits.

The launch of Disney Plus didn’t go exactly to plan: within hours of the streaming service going live, compromised Disney Plus user account credentials were being sold on the black market for as little as £2.30 a pop. Disney suggested hackers had obtained customer credentials from previously leaked identical credentials, as used by their customers on other compromised or insecure websites, and from keylogging malware. It's worth noting Disney Plus doesn’t use Multi-Factor Authentication (MFA); implementing MFA to protect their customers’ accounts would have prevented the vast majority of Disney Plus account compromises in my view.

Trend Micro reported an insider stole around 100,000 customer account details, with the data used by cyber con artists to make convincing scam phone calls impersonating the company to a number of its customers. In a statement, Trend Micro said it determined the attack was an inside job: an employee used fraudulent methods to access its customer support databases, retrieved the data and then sold it on. “Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said. The employee behind it was identified and fired, and Trend Micro said it is working with law enforcement in an on-going investigation.

Security researchers found 4 billion records from 1.2 billion people on an unsecured Elasticsearch server. The personal information includes names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

T-Mobile reported a data breach of some of their prepaid account customers. A T-Mobile spokesman said “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities”.

A French hospital was hit hard by a ransomware attack that caused "very long delays in care". According to a spokesman, medical staff at Rouen University Hospital Centre (CHU) abandoned their PCs, as the ransomware had made them unusable, and returned to the "old-fashioned method of paper and pencil". No details about the strain of ransomware have been released.

Microsoft released patches for 74 vulnerabilities in November, including 13 rated as critical. One of them was a memory corruption flaw in Internet Explorer's scripting engine (CVE-2019-1429) that was known to be actively exploited; it can be triggered by visiting a malicious website or through an ActiveX control embedded in an Office document.

It was a busy month for blog articles and threat intelligence news, all are linked below.


Seqrite UTM : Security Weapon Against Man In The Middle Attacks

Estimated reading time: 6 minutes

As the name implies, a man-in-the-middle (MITM) attack is one in which an unauthorised party intercepts the communication between two parties, either to eavesdrop on or steal the critical data being exchanged, or to tamper with the communication and corrupt the data.

Put simply, whenever you secretly listen in on a conversation between two entities without letting them know, that is in itself a kind of man-in-the-middle attack.


But before going further into the man-in-the-middle attack, take a look around you.

Look at your smartphone, your internet-connected devices, all the software applications you use.

What do you think is driving all these things?

Data, right?

All this data travels around us constantly, from one source to another destination, with no physical limits. This unobserved movement of data raises a huge question about its privacy and security.

Have you ever given any thought to maintaining that privacy?

What if someone is already seeing all the data on your phone, or using your private information for their own benefit?

During data transmission between a client and a server, the attacker positions itself between the two endpoints and interferes with the data transfer, trying to acquire the critical information being exchanged.

Meanwhile the client and the server each believe they are talking directly to the other, when in fact both are talking to the attacker.

Explanation:

Suppose A and B are two entities and C is the man in the middle. If A wants to send B something confidential, A asks B for B's public key, so that A can encrypt the data with it and only B, who holds the matching private key, can decrypt it. But as soon as B sends its public key to A, C intercepts that key and sends its own public key to A instead.

A, assuming the key it received belongs to B, encrypts the data and sends it on. C decrypts it with its own private key, reads it, alters it as required, re-encrypts it with B's real public key and forwards it to B, which decrypts it believing it came directly from A. The same happens in the other direction, and the process continues. Neither A nor B ever learns that they are not talking to each other. The root cause is that A had no way to verify that the public key it received really belongs to B; certificates signed by a trusted CA, pinned keys or an out-of-band fingerprint check exist precisely to close that gap.
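The key substitution described above can be reproduced in a few lines. The following is an added example, not code from the Seqrite post: it runs the A/B/C exchange over an unauthenticated Diffie-Hellman key agreement (the same substitution works against any unauthenticated public-key exchange), shows that C ends up holding both sides' session keys, and then applies the fingerprint check that would have caught the swap. The group parameters are deliberately tiny and the function names are assumptions for the example.

```python
# Added example (not part of the Seqrite post): key-substitution MITM against
# an unauthenticated Diffie-Hellman exchange, plus the fingerprint check that
# detects it. Toy-sized group; A, B and C follow the text, the rest is assumed.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # a prime, but far too small for real use
G = 3


def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def to_bytes(n):
    return n.to_bytes(16, "big")   # every value is < P < 2**128


def session_key(my_priv, their_pub):
    """Derive a 256-bit session key from the shared secret g^(ab) mod p."""
    return hashlib.sha256(to_bytes(pow(their_pub, my_priv, P))).digest()


def fingerprint(pub):
    """Short fingerprint a peer can publish out of band (like SSH host keys)."""
    return hashlib.sha256(to_bytes(pub)).hexdigest()[:16]


def verify_peer(received_pub, expected_fingerprint):
    """Constant-time comparison of the received key's fingerprint."""
    return hmac.compare_digest(fingerprint(received_pub), expected_fingerprint)


def honest_exchange():
    """A and B swap public values directly and derive the same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)


def mitm_exchange():
    """C intercepts both public values and substitutes its own."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    c_priv, c_pub = keypair()
    # A receives c_pub believing it is B's; B receives c_pub believing it is A's.
    key_a = session_key(a_priv, c_pub)
    key_b = session_key(b_priv, c_pub)
    # C holds the A-side key and the B-side key, so it can decrypt, alter and
    # re-encrypt every message while A and B think they share one key.
    c_with_a = session_key(c_priv, a_pub)
    c_with_b = session_key(c_priv, b_pub)
    # Had A checked the received key against B's published fingerprint, the
    # substitution would have been caught before anything was encrypted.
    detected = not verify_peer(c_pub, fingerprint(b_pub))
    return {"key_a": key_a, "key_b": key_b, "c_with_a": c_with_a,
            "c_with_b": c_with_b, "detected": detected}


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, keys match:", ka == kb)
    r = mitm_exchange()
    print("under MITM, A and B keys match:", r["key_a"] == r["key_b"])
    print("C shares A's key:", r["c_with_a"] == r["key_a"],
          "and B's key:", r["c_with_b"] == r["key_b"])
    print("fingerprint check detects C:", r["detected"])
```

The point to take from the run is that the mathematics of the exchange is never broken; C simply answers each party's request for a key with its own, which is exactly why the defence has to be authentication of the key (a CA signature, a pinned key, a fingerprint compared out of band) rather than stronger encryption.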

Technically, whenever two parties talk to each other a TCP connection is established. What the attacker does is split that connection into two: one between the attacker and the client, and another between the attacker and the server, with the attacker acting as a proxy between them. Another variant is the man-in-the-browser attack, where the attacker plants malware on your system that collects credentials and other important information from your daily web browsing and eventually sends it to the attacker.


Attackers are always on the lookout for a vulnerable network where they can breach the security and get at the data in transit. The attack is performed in two phases: the first is interception and the second is decryption.

Interception & Decryption

For interception, public places such as railway stations and airports are the most favourable, because they offer free Wi-Fi networks (people just love free things). The attacker looks for a poorly secured network and searches for a weakness. Positioned between the victim's computer and the server, the attacker intercepts the data and deploys the tools needed to acquire the critical information being exchanged, which the victim believes to be secure. Once the data is intercepted it still needs to be decrypted; that is the role of the decryption phase, after which the data is read and acted upon.

That is only a brief overview. Now let's look at it in more detail.

There are a few other ways to carry out attacks on network traffic. Let us discuss some of them briefly:

Examples ~

1. Sniffing:

Sniffing is the process of capturing and analysing data packets containing sensitive information as they flow across a network. Data travels from source to destination as a stream of small packets; an attacker who can see that stream pulls out the private information needed to carry out the attack.

2. Packet Injection:

Packet injection is a technique where the attacker disrupts an established connection by inserting their own packets into the regular flow of data between trusted entities. Because the injected packets blend in with legitimate traffic, the malicious activity is easily overlooked or ignored. Packet injection is used in both DDoS and man-in-the-middle attacks.

3. Session Hijacking:

Whenever a user logs into a website, the browser sends a request to the site's server. The server validates the request and sends a response back over the network, establishing a session for the user (typically identified by a cookie or token). An attacker who intercepts that session identifier can hijack the session and act as the user, pulling out the private information needed to carry the attack through.

4. SSL Stripping:

In SSL stripping the attacker removes the SSL/TLS protection from a connection by switching the victim's connection from HTTPS to plain HTTP while keeping its own HTTPS connection to the real server. Once the victim has been moved from a secured to an unsecured connection, it is easy for the attacker to route them into its own environment and extract whatever information they submit. Tools such as sslstrip automate this downgrade; it only works when the browser is willing to make a plain-HTTP request to the site in the first place.


Following are some of the steps we can follow in order to prevent such attacks:

  1. Use HTTPS rather than plain HTTP. HTTPS authenticates the server and encrypts the traffic, so an intermediary cannot read or alter it without failing the certificate check.

  2. Keep browser cookies and cache cleared, so that an attacker cannot steal session data from those resources.

  3. Use HSTS together with HTTPS. This response header (Strict-Transport-Security) tells the browser to reach the site only over HTTPS for the stated period and to refuse plain-HTTP connections to it, which defeats SSL stripping for any browser that has already seen the policy.

  4. Do not click links in unsolicited emails and advertisements.

  5. Do not use unsecured public Wi-Fi, and never make payments over it.

  6. Always keep your security tools updated to protect your system.

  7. Always keep your own network secured.

  8. Never download pirated software or content.
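SSL stripping (item 4 in the attack list above) and the HSTS advice (item 3 in the prevention list) are two halves of one story. The following added example, which is not code from the Seqrite post, models both sides: the link rewriting an sslstrip-style proxy performs on a page, and a minimal browser-side HSTS store showing why a policy learned over HTTPS turns the downgraded request back into HTTPS on the next visit, while the same header seen over plain HTTP is ignored. The host name, HTML and header values are constructed for the example.

```python
# Added example (not part of the Seqrite post). Host names, HTML and header
# values below are constructed for illustration.
import re
from urllib.parse import urlsplit

# What the server really sent: a login link over HTTPS.
ORIGINAL_HTML = '<a href="https://bank.example/login">Log in</a>'


def strip_tls_links(html):
    """The downgrade an SSL-stripping proxy applies before forwarding a page.

    The proxy keeps its own HTTPS session to the real server and hands the
    victim a plain-HTTP copy, so every form the victim submits is readable.
    """
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns (None, False) when the header is malformed and must be ignored.
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None, False
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797 rules)."""

    def __init__(self):
        self.hosts = {}   # host -> include_subdomains flag

    def learn(self, host, header_value, over_https):
        # A browser only honours the header on a TLS-protected response;
        # otherwise an attacker on plain HTTP could set or clear the policy.
        if not over_https:
            return
        max_age, include_sub = parse_hsts(header_value)
        if max_age is None:
            return
        if max_age == 0:
            self.hosts.pop(host, None)        # max-age=0 clears the policy
        else:
            self.hosts[host] = include_sub

    def is_known(self, host):
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if self.hosts.get(parent):        # True only with includeSubDomains
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser will actually fetch for a typed or clicked link."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return "https://" + url[len("http://"):]
        return url


if __name__ == "__main__":
    cache = HstsCache()
    print("stripped page:", strip_tls_links(ORIGINAL_HTML))
    print("first visit, no policy yet:", cache.navigate("http://bank.example/login"))
    cache.learn("bank.example", "max-age=31536000; includeSubDomains", over_https=True)
    print("after HSTS learned:", cache.navigate("http://bank.example/login"))
```

Two caveats the model makes visible: the very first visit to a site is still exposed, because no policy has been learned yet (browser preload lists exist for that reason), and a policy without includeSubDomains leaves every subdomain open to the same downgrade.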

Seqrite Unified Threat Management (UTM): IPS

Intrusion Prevention System

An IPS is a network security system that protects your organisation's network from external attacks, intrusion attempts, malware and other threats. It observes incoming network traffic, identifies potential threats and responds according to the rules specified: it drops packets it determines to be malicious and can block all further traffic from the offending IP address or port.

Seqrite UTM includes an Intrusion Prevention System feature. It monitors and blocks the vulnerability exploits that attackers use to interrupt, or gain control of, an application or machine. It ships with a pre-configured set of signatures which are matched against the incoming data packets. If a packet matches an existing signature, the IPS either drops the packet or raises an alert.

Feature Explanation

The IPS status page shows whether IPS is enabled and the various settings that come under it, along with relevant information such as

  1. The designated action to take.
  2. Whether to alert on or drop the suspicious packet.
  3. The count of occurrences and the description.

You may need to add new signatures to the existing signature list. Seqrite UTM IPS lets you add your own custom signatures from the Advanced tab on the IPS page.

Your organisation may need to monitor all inbound, outbound and intranet traffic. This feature lets you monitor all traffic types or individual ones.
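To make the signature matching described above concrete, here is an added example, not Seqrite's code, of a minimal signature-based IPS in Python: a rule set with a per-signature alert or drop action, an occurrence counter per signature, and the block-all-further-traffic-from-that-source behaviour mentioned earlier, run over a handful of constructed packets. Signature IDs, patterns, addresses and payloads are invented for the example.

```python
# Added example (not Seqrite's code): a minimal signature IPS run over
# constructed packets. Signature IDs, patterns and addresses are invented.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signature:
    sid: int
    description: str
    pattern: bytes            # regex matched against the payload
    action: str               # "alert" or "drop"
    proto: str = "tcp"
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes


class SignatureIps:
    def __init__(self, signatures):
        self.signatures = [(s, re.compile(s.pattern)) for s in signatures]
        self.hits = Counter()      # sid -> occurrence count
        self.blocked = set()       # sources blocked after a drop

    def inspect(self, pkt):
        """Return (verdict, sid). Verdict is "pass", "alert" or "drop"."""
        if pkt.src in self.blocked:
            return "drop", None          # everything further from that source
        for sig, rx in self.signatures:
            if sig.proto != pkt.proto:
                continue
            if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
                continue
            if rx.search(pkt.payload):
                self.hits[sig.sid] += 1
                if sig.action == "drop":
                    self.blocked.add(pkt.src)
                    return "drop", sig.sid
                return "alert", sig.sid
        return "pass", None


# Constructed signature set.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", rb"\.\./\.\./", "drop", dst_port=80),
    Signature(1002, "Scanner user agent", rb"User-Agent: (?:sqlmap|nikto)", "alert", dst_port=80),
    Signature(1003, "Cleartext FTP login", rb"^USER ", "alert", dst_port=21),
]

# Constructed traffic: a benign request, a scanner, an exploit attempt, a
# benign request from the source that was just blocked, then an FTP login.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.80", "tcp", 80, b"GET /login HTTP/1.1\r\nUser-Agent: sqlmap/1.3\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.21", "tcp", 21, b"USER anonymous\r\n"),
]


def run_ips(signatures=SIGNATURES, traffic=TRAFFIC):
    """Inspect every packet in order and return the IPS plus the verdict list."""
    ips = SignatureIps(signatures)
    verdicts = [ips.inspect(p) for p in traffic]
    return ips, verdicts


if __name__ == "__main__":
    ips, verdicts = run_ips()
    for pkt, (verdict, sid) in zip(TRAFFIC, verdicts):
        print(f"{pkt.src:>10} -> :{pkt.dst_port} {verdict:5} sid={sid}")
    print("occurrences:", dict(ips.hits), "blocked:", sorted(ips.blocked))
```

Note that a drop signature blocks the source for the rest of the run, so the later benign request from 10.0.0.9 is dropped without ever reaching a signature; that is the behaviour described above and also the reason drop rules need a lower false-positive rate than alert rules.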






The post Seqrite UTM : Security Weapon Against Man In The Middle Attacks appeared first on Seqrite Blog.

European cybersecurity market to exceed $65 billion by 2025

The European cybersecurity market is expected to exceed $65 billion by 2025, according to Graphical Research. This growth is attributed to strong government initiatives to promote data safety and hefty investments in cybersecurity solutions.

Industry sectors and cybersecurity

The increasing cases of data breaches and cyber attacks on critical business infrastructure have driven several business enterprises toward partnering with government agencies for enhanced cybersecurity. For instance, in July 2016, the EU Commission announced a Public-Private … More

The post European cybersecurity market to exceed $65 billion by 2025 appeared first on Help Net Security.

Insecure Database Exposes Millions of Private SMS Messages

Researchers discovered an unprotected TrueDialog database hosted by Microsoft Azure with diverse and business-related data from tens of millions of users.

Three Consequences of a Misaddressed Email

Article by Andrea Babbs, UK General Manager, VIPRE SafeSend

With the number and sophistication of cyber attacks increasing significantly, organisations have had to become aware and adapt to new and evolving digital threats. Yet, many would still consider the simple error of sending an email to the wrong contact trivial, at most embarrassing, but not of concern when it comes to data security. However, misaddressed emails have far-reaching consequences that can seriously impact an organisation, especially in highly regulated industries such as healthcare and finance. From fines to data breaches, what are the potential ramifications of sending an email to the wrong address?

Reputational and Financial Damage

While accidentally dialling a wrong number can be a little embarrassing, the same cannot be said for sending an email to the wrong contact. You could try to correct the error with a follow-up email to apologise and request that the recipient delete the message, but even if you’ve spotted the error it’s often too late. Moreover, the misuse of CC and BCC functions could expose your entire contact database, potentially giving your competitors an opportunity to lure your customers or employees away, or worse – exposing customer emails to potential hackers.

BitMEX, one of the world’s largest cryptocurrency trading platforms accidentally leaked thousands of private customer email addresses when they sent out a mass mailshot without using the BCC function. While the company maintains that customer privacy remains a top priority, its customers were left wondering how they could trust BitMEX with huge personal assets in the aftermath of this data protection failure.

A similar incident in 2018 led to the Independent Inquiry into Child Sexual Abuse (IICSA) being fined £200,000 by the Information Commissioner’s Office (ICO) for failing to protect the identity of possible victims of child abuse after a human error accidentally exposed victim identities to third parties, when they included their email addresses in the ‘To’ rather than ‘BCC’ field. In the age of increased data protection regulations, this example demonstrates just how seriously the ICO takes these types of data breaches. The pain of embarrassment from sending an email to the wrong contact pales in comparison to the business pain from financial penalties.

Intellectual Property Loss
Should confidential corporate information fall into the wrong hands, the consequences could be devastating. Crucial company information such as trade secrets or blueprints of an unpatented new product leaking into the public domain could easily be intercepted by the competition, resulting in a lost competitive advantage.

All it takes is a simple missed or added character in the email address, autocorrect taking over, or simply pressing send too soon and the information that was once confidential is sitting in the wrong inbox. It could be that of an unknown individual, competitor, or even a cyber-criminal.

In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company as they forgot to include ‘.au’ at the end of the domain that should have read ‘’. This data leak occurred over a long period without anyone noticing, so could have potentially exposed sensitive company data or private customer information to competitors, putting the company at serious risk. However, luckily on this occasion, the company confirmed that no customer data had been compromised.

Data Breach
The ICO found that misaddressed emails are the largest source of data loss for organisations – over 269 billion emails are sent around the world each day. Gone are the days when employees operated from a single office-based computer, the modern workforce is now working from potentially several locations across a number of devices. Combine this with increasing pressures on staff juggling deadlines and deliverables to perform better and faster, it’s no surprise that most don’t spend time verifying the accuracy of the email address they are about to send confidential information to – no organisation is immune to human error.

Hackers can capitalise on this complacent email culture by cleverly disguising emails to look like they are coming from inside the company, when in fact they come from a similar, spoofed domain name that the employee would probably fail to spot at first glance. This potentially opens the organisation up to a devastating hacking, malware or ransomware attack, and it is a clear reason why Business Email Compromise (BEC) scams continue to be popular with cybercriminals.


The ramifications of misaddressed emails go far beyond just an embarrassing mishap – the threat that comes from accidental data leakage can be just as damaging as the external threat of cybercrime, especially as these leaks often go unnoticed for a period of time. Businesses need a clear strategy to address the issue of misaddressed emails and mitigate the associated risks to remain compliant and secure. What is required is a tool that prompts users for a double-check of their email based on set parameters, who it is being sent to, the contents and attachments. But this isn’t about adding time or delay to employees that are already under pressure – it’s about increasing awareness and improving email culture where mistakes can so easily be made.

TrueDialog database leaked online tens of millions of SMS text messages

Millions of SMS messages have been leaked by a database run by TrueDialog, a business SMS provider for businesses and higher education providers.

Security experts at vpnMentor discovered a database belonging to the US communications company, TrueDialog that was leaking millions of SMS messages. Most of the SMS included in the database were sent by businesses to potential customers. TrueDialog focuses on providing several different SMS programs including mass text messaging, marketing SMS options, urgent alerts, an Education SMS solution, and more. 

The company currently works with over 990 cell phone operators and has more than 5 billion subscribers.

“Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.” reads the post published by vpnMentor.

“By not securing their database properly, TrueDialog compromised the security and privacy of millions of people across the USA.”

TrueDialog data leak

The database was left unsecured online and data was stored in plain text, it is hosted by Microsoft Azure and it runs on the Oracle Marketing Cloud.

According to the researchers the database included 1 billion entries belonging to over 100 million US citizens, last time they analyzed the archive it included 604 GB of data.

Experts found tens of millions of entries from messages sent via TrueDialog and conversations hosted on the platform. The sensitive data contained in these SMS messages included full names of recipients, TrueDialog account holders, TrueDialog users, the content of messages, email addresses, phone numbers of recipients and users, dates and times messages were sent, status indicators on messages sent (i.e. Read receipts, replies, etc.), TrueDialog account details.

“The data exposed was a mix of TrueDialog account holders, users, and 100s of millions of American citizens.” continues the post.

The database includes logs of the platform that revealed important details as to how the database is structured and managed.

The database also includes logs of internal system errors as well as many HTTP requests and responses that expose the site’s traffic.

vpnMentor attempted to report their discovery to TrueDialog but they never received a reply. The database was discovered on 26/11/19 and experts reported it to TrueDialog on 28/11/19, the database was secured on 29/11/19.

“The impact of this data leak can have a lasting impression for hundreds of millions of users. The available information can be sold to both marketers and spammers. TrueDialog competitors could have gotten a look into their backend and seen how the company is run from within. This would have given them a way to copy, or improve upon, the business model that has brought TrueDialog success.” concludes vpnMentor.

Pierluigi Paganini

(SecurityAffairs – TrueDialog, data leak)

The post TrueDialog database leaked online tens of millions of SMS text messages appeared first on Security Affairs.

Data of 21 million Mixcloud users available for sale on the dark web

The online music streaming service Mixcloud was recently breached by a hacker who is attempting to sell the stolen user data on a dark web marketplace.

On Friday, the hacker, who goes online by the handle “A_W_S”, contacted multiple media outlets to disclose the hack and provided data samples as proof of the breach.

The hack took place in early November and exposed data for more than 20 million user accounts. The hacker accessed users’ data, including usernames, email addresses, SHA-2 hashed passwords, account sign-up dates and country, the last-login date, the IP address, and links to profile photos.

“We verified a portion of the data by validating emails against the site’s sign-up feature, though Mixcloud does not require users to verify their email addresses.” reads a post published by Techcrunch. “The exact amount of data stolen isn’t known. The seller said there were 20 million records, but listed 21 million records on the dark web. But the data we sampled suggested there may have been as many as 22 million records based off unique values in the data set we were given.”

The hacker was offering for sale the data dump for 0.27 bitcoin (around $2,000).

Image source: ZDNet

ZDNet reached several users whose data was included in the sample the hacker shared, and several of them confirmed they had recently registered a Mixcloud account.

TechCrunch pointed out that the dark web seller is the same hacker that alerted TechCrunch to the StockX breach in August. At the time the hacker claimed to have stolen more than 6.8 million records from the company back in May.

On Saturday, Mixcloud disclosed the breach. The security notice published by the company confirms the hack, but highlights that the accessed systems do not store data such as full credit card numbers or mailing addresses.

“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems.” reads the security notice published by the company.

“Our understanding at this time is that the incident involves email addresses,  IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.”

Mixcloud confirmed that it is actively investigating the incident and recommended users reset passwords as a precautionary measure.

Pierluigi Paganini

(SecurityAffairs – Mixcloud, data breach)

The post Data of 21 million Mixcloud users available for sale on the dark web appeared first on Security Affairs.

7 Ways to Wreck a Cybercrook’s Holidays

’Tis the season for giving and who better to give a giant headache to than the digital scammers working overtime to wreck our holidays? Can we spot and unravel every scam out there? Probably not. But, by taking a few minutes to get equipped to click, we can dodge common traps laid by cybercrooks and wreck their holidays before they get a chance to wreck ours.

Rock ‘Em Sock ‘Em Robo Calls

As informed as most of us may profess to be, American consumers continue to step into cyber traps every day. In fact, according to a recent McAfee survey, in 2019, 74% of those surveyed admitted to losing more than $100 in scams and almost a third (30%) losing more than $500. The survey also revealed that 48% of Americans have been or know someone who has been a victim of robocalling in 2019, making it the most prevalent scam of the year. Email phishing (41%) and text phishing (35%) are also tricks we fell for in 2019.

Cybercrooks call those stats a very happy holiday.

Are you equipped to click?

We can do our part to reduce these statistics. Before we all get distracted with shopping sprees or fall into sugar comas, call a family huddle. Discuss ways to avoid the digital traps and send cybercrooks into a maze of locked doors and dead ends. Here are a few ideas to get you started.

7 ways to wreck a cybercrook’s holidays

  1. Get real about cybercrime. Don’t sugar coat cybercrime for your kids. Here’s the truth: over 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone, which puts a priceless amount of user data at risk. Crooks are targeting us. They are shopping the dark web for stolen data to use in a variety of illegal ways. If we fail to lock our digital doors, the consequences can be emotionally and financially devastating and may last years.
  2. Shake up your passwords. Never reuse a password. If one of your passwords is exposed in a breach, cybercriminals will try it against your other accounts, so one leaked password can hand them access to many. Use a different password for every account and change them regularly, especially around the holidays when online shopping spikes.
  3. Verify emails. Slow down to examine emails. Instead of clicking on an email link, check directly with the source to verify an offer or shipment. Cybercriminals are getting very sophisticated. They are creating full websites that closely mimic brand retailers. They are also posing as friends, family, and colleagues in an attempt to get you to click a link that will download malware onto your computer.
  4. Browse securely. Use a comprehensive security solution to help protect devices against malware, phishing attacks, and malicious websites.
  5. Use a tool to help protect your personal information. Take a proactive approach to protecting identities with personal and financial monitoring and recovery tools that help keep your identity secure.
  6. Verify shipments. Cybercrooks understand consumer habits. They know you’ve likely ordered from several online retailers, so they will exploit that and try to confuse you by sending bogus shipment notifications or tempting you with “added offers.” The email will look legitimate. It will likely have a legitimate-looking email address and the branding of the retailer or shipping company. Check directly with the source before clicking any link in an offer or shipment notification.
  7. Protect your identity. Criminals are on the prowl to find weak links anywhere personal data is kept, and that includes credit card companies and banks. Get proactive in protecting your identity and the identities of your family members with personal and financial monitoring and recovery tools.

Even with the threats that exist around us, keep your sights fixed on the bigger picture. The holiday season is still merry and bright. People are still good. And, peace on earth — and in your home — is still possible this year. With a little foresight and a few cool tools, you are more than able to protect the things that matter most.

To stay informed on the latest digital news, trends, and family safety insights, subscribe to this and other McAfee blogs. Follow @McAfee_Family on Twitter to join the digital parenting conversation.

The post 7 Ways to Wreck a Cybercrook’s Holidays appeared first on McAfee Blogs.

The Future of Cybersecurity Insurance

Cybersecurity incidents and data breaches have become a normal part of the news cycle. It feels like every day you hear about a big corporation or organization suffering an attack that has put customer or user data in jeopardy. Sometimes this is because a security strategy was lacking; sometimes, the criminal’s attack was simply too […]… Read More

The post The Future of Cybersecurity Insurance appeared first on The State of Security.

Magento Marketplace Suffers Data Breach Exposing Users’ Account Info

If you have ever registered an account with the official Magento Marketplace to buy or sell any extension, plugin, or e-commerce website theme, you must change your password immediately. Adobe, the company that owns the Magento e-commerce platform, today disclosed a new data breach incident that exposed account information of Magento Marketplace users to an unknown group of hackers or individuals.

Adobe revealed that the Magento Marketplace was hacked

Adobe discloses security breach impacting Magento Marketplace users

Adobe discloses a security breach that affected the users of the Magento marketplace website, the incident was discovered last week.

Adobe disclosed a security breach that affected the users of the Magento Marketplace portal, the security team discovered the incident on November 21. The Magento Marketplace is a website for buying and downloading themes and plugins for e-stores running the Magento CMS.

Magento is the most popular content management system (CMS) for building e-commerce websites; Adobe acquired the company for $1.68 billion in 2018.

According to the data breach notification sent via email by Adobe to its customers, the hackers exploited a vulnerability in the Marketplace website to access account information for registered users. The company did not disclose the number of impacted accounts.

Image: Magento data breach notification email (source: ZDNet)

Hackers accessed data of registered users and developers that registered on the portal to sell their plugins and themes.

Exposed data include name, email, store username (MageID), billing and shipping addresses, phone number, and some commercial information, while financial data and passwords were not compromised. In response to the incident, the company temporarily took down the Marketplace in order to fix the vulnerability exploited by the hackers.

“On November 21, we became aware of a vulnerability related to Magento Marketplace. We temporarily took down the Marketplace in order to address the issue. The Marketplace is back online. This issue did not affect the operation of any Magento core products or services.” reads the security update published by Magento.

“We have notified impacted account holders directly. “

Pierluigi Paganini

(SecurityAffairs – Adobe, Magento)

The post Adobe revealed that the Magento Marketplace was hacked appeared first on Security Affairs.

As the online shopping season begins, consumers worry about cybercrime

A majority of U.S. consumers plan to do most of their holiday shopping online for the first time ever, yet a survey from F-Secure finds that most internet users remain concerned about their exposure to cybercrime. Major consumer trends The survey of shoppers highlighted 3 major trends among American consumers: Bank account hacking and data breaches are the biggest worries on the web. 62% are either worried or extremely worried about a hacker taking over … More

The post As the online shopping season begins, consumers worry about cybercrime appeared first on Help Net Security.

Major Hotel Group Leaks 1TB of Customer Data

One terabyte of data belonging to a major hotel booking platform was found leaked online.

A huge trove of customer data belonging to Gekko Group was found online in an unsecured format. The data contained a wide array of records, including full names, credit card details, client login information, email addresses, home addresses and hotel reservations. The personally identifiable information of children was included in several of the records.

“Our team was able to access this server because it was completely unsecured and unencrypted,” announced VPN review website vpnMentor in a blog article describing their findings. 

“The contents of the database could also help hackers and cybercriminals target the same companies in other ways. Using the information and accesses exposed, they could create effective phishing campaigns, or target companies with various forms of malicious software attacks: malware, spyware, ransomware, and more,” the article continued.

The leaked data also included information from affiliated platforms, including and

Gekko Group is a worldwide B2B hotel booking platform that serves over 600,000 hotels worldwide. It is owned by Accor Hotels, the largest hospitality company in Europe. Because the Gekko Group is based in France, the company is subject to fines under the EU General Data Protection Regulation, or GDPR. 

The post Major Hotel Group Leaks 1TB of Customer Data appeared first on Adam Levin.

Facebook and Twitter warn some users’ private data was accessed via third-party app SDK

Facebook and Twitter have announced that personal data related to hundreds of users may have been improperly accessed after users logged into third-party Android apps with their social media accounts.

Read more in my article on the Tripwire State of Security blog.

Security Affairs newsletter Round 241

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Experts found undocumented access feature in Siemens SIMATIC PLCs
Tianfu Cup 2019 Day 1 – Chinese experts hacked Chrome, Edge, Safari, Office365
Crooks use carding bots to check stolen card data ahead of the holiday season
Experts report a rampant growth in the number of malicious, lookalike domains
Google addressed an XSS flaw in Gmail
New NextCry Ransomware targets Nextcloud instances on Linux servers
Tianfu Cup 2019 – 11 teams earned a total of 545,000 for their Zero-Day Exploits
Adobe announces end of support for Acrobat 2015 and Adobe Reader 2015
Alleged Magecart hackers planted a software skimmer into Macys Website
Belorussian authorities blocked ProtonMail following a wave of bomb threats
CTHoW v2.0 – Cyber Threat Hunting on Windows
CVE-2019-2234 flaws in Android Camera Apps exposed millions of users surveillance
Ransomware infected systems at state government of Louisiana
Chicago student charged with writing code to spread ISIS propaganda
Hackers leak 2TB of Data From Cayman National Bank stolen by Phineas Fisher
Monero Project website has been compromised to deliver a coin stealer
Ransomware Revival: Troldesh becomes a leader by the number of attacks
A critical flaw in Jetpack exposes millions of WordPress sites
DePriMon downloader uses a never seen installation technique
ENISA publishes a Threat Landscape for 5G Networks
Google will pay up to $1.5m for full chain RCE for Android on Titan M chips
Microsoft warns of growing DoppelPaymer Ransomware threat
Roboto, a new P2P botnet targets Linux Webmin servers
AccorHotels subsidiary Gekko Group exposes hotels and travelers data in massive data leak
French Rouen hospital hit by a ransomware attack
Payment solutions giant Edenred announces malware infection
Personal and social information of 1.2B people exposed on an open Elasticsearch install
Russian author of NeverQuest banking malware gets 4 Years in U.S. Prison
T-Mobile discloses data breach affecting prepaid wireless customers
Catch Hospitality Group discloses PoS malware infection at its restaurants
Chinese smartphone vendor OnePlus discloses a new data breach
Kaspersky found dozens of flaws in 4 open-source VNC software

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 241 appeared first on Security Affairs.

Catch Hospitality Group discloses PoS malware infection at its restaurants

The Catch Hospitality Group has suffered a malware attack: point-of-sale (POS) malware infected payment systems at several restaurants of the chain.

Catch Hospitality Group announced that a PoS malware has infected its payment systems at NYC hotspots Catch NYC, Catch Rooftop, and Catch Steak restaurants.

The malicious code was designed to steal credit card information from customers.

The company launched an investigation after detecting the unauthorized activity on some of its payment processing systems, it also hired a cybersecurity firm to investigate the security breach.

The investigation revealed the presence of PoS malware on some of its payment systems. PoS malware is used by crooks to steal track data encoded on the magnetic stripe on credit cards, including the credit card number, expiration date, and internal verification code.

“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through these POS devices. There is no indication that other customer information was accessed.” reads the data breach notification published by Catch Hospitality Group.

Experts determined that the PoS malware was active on the payment systems in the two locations in different timeframes. For Catch NYC (including Catch Roof), the timeframe was from March 19, 2019 through October 17, 2019. For Catch Steak, the timeframe was September 17, 2019 through October 17, 2019.

Not all POS devices were infected. The company pointed out that it uses two different kinds of POS devices at its locations: portable ones that waitstaff bring to the table, and stationary ones at the bar and at the stations where waitstaff enter orders. The portable devices were not affected because they use point-to-point encryption (P2PE), so card data is never available in the clear to software running on the device.

“The cards involved in this incident are cards used at the bar or in the rare circumstances that a card was swiped at the device where waitstaff enter orders.”

The company declared that it has removed the malware and implemented enhanced security measures for its payment systems.

Catch Hospitality Group reported the incident to its payment processor and notified the incident to law enforcement.

The company recommends that customers review their payment card statements for any unauthorized activity and urges them to immediately report any unauthorized charges to the card issuer.

Pierluigi Paganini

(SecurityAffairs – Catch Hospitality Group, PoS malware)

The post Catch Hospitality Group discloses PoS malware infection at its restaurants appeared first on Security Affairs.

Chinese smartphone vendor OnePlus discloses a new data breach

Chinese smartphone vendor OnePlus has suffered a new data breach, according to a company’s notice hackers accessed customers’ order information.

OnePlus disclosed a data breach, an “unauthorized party” accessed some customers’ order information, including names, contact numbers, emails, and shipping addresses.

“We want to update you that we have discovered that some of our users’ order information was accessed by an unauthorized party.” reads the statement published by the company. “We can confirm that all payment information, passwords and accounts are safe, but certain users’ name, contact number, email and shipping address may have been exposed. Impacted users may receive spam and phishing emails as a result of this incident.”

The company said that it took immediate measures to lock out the attackers and reinforce security. OnePlus is notifying impacted users by email and has reported the incident to the relevant authorities; an investigation is still ongoing.


OnePlus discovered the breach last week while monitoring its systems.

“Last week while monitoring our systems, our security team discovered that some of our users’ order information was accessed by an unauthorized party,” the company said. ” We can confirm that all payment information, passwords and accounts are safe, but the name, contact number, email and shipping address in certain orders may have been exposed.”

OnePlus pointed out that not all customers were affected and that the attackers were not able to access financial information, passwords, or the associated accounts.

At the time of writing the company did not reveal details of the attack and the vulnerability exploited by the attackers.

The good news is that the company decided to launch an official bug bounty program by the end of December 2019.

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program – we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December. ” concludes the company’s statement.

In any case, I suggest changing your OnePlus account password and remaining vigilant about suspicious and unsolicited emails that could attempt to trick you into revealing your credit card data or other sensitive information.

In early 2018, OnePlus disclosed another security breach that affected its online payment system. At the time, hackers stole credit card information belonging to up to 40,000 customers.

Pierluigi Paganini

(SecurityAffairs – OnePlus, hacking)

The post Chinese smartphone vendor OnePlus discloses a new data breach appeared first on Security Affairs.

OnePlus Suffers New Data Breach Impacting Its Online Store Customers

Chinese smartphone maker OnePlus has suffered a new data breach exposing personal and order information of an undisclosed number of its customers, likely, as a result of a vulnerability in its online store website. The breach came to light after OnePlus started informing affected customers via email and published a brief FAQ page to disclose information about the security incident. According

Personal and social information of 1.2B people exposed on an open Elasticsearch install

Security duo discovered personal and social information 1.2 billion people exposed online on an unsecured Elasticsearch server.

Researchers Bob Diachenko and Vinny Troia discovered an unsecured Elasticsearch server containing an unprecedented 4 billion user accounts.

The database, discovered on October 16, 2019, contained more than 4 terabytes of data, making it, according to the researchers, the largest data leak from a single source organization in history.

The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information.

According to the researchers, it contains personal and social information that appears to originate from 2 different data enrichment companies.

“The discovered Elasticsearch server containing all of the information was unprotected and accessible via web browser at No password or authentication of any kind was needed to access or download all of the data.” reads the post published by the experts.

“The majority of the data spanned 4 separate data indexes, labeled “PDL” and “OXY”, with information on roughly 1 billion people per index. Each user record within the databases was labeled with a “source” field that matched either PDL or Oxy, respectively.”
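The researchers' point is that nothing more than a browser request was needed: an Elasticsearch node with no authentication answers GET / with its banner and GET /_cat/indices with the name and document count of every index. As an added example (not the researchers' tooling, nor anything from Elastic), this script performs that same unauthenticated probe against a host on port 9200 and classifies the answer, so an operator can test their own nodes from outside the network. The sample /_cat/indices body is constructed; the index names echo the PDL/OXY layout described above but the counts are made up.

```python
import json
import urllib.error
import urllib.request


def fetch_json(url: str, timeout: float = 5.0):
    """GET url with no credentials. Returns (http_status, parsed body or None);
    (None, None) if the host is unreachable or did not return JSON."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return err.code, None
    except (urllib.error.URLError, OSError, ValueError):
        return None, None


def assess_exposure(root_status, indices) -> dict:
    """Classify an unauthenticated probe.

    root_status: status of GET /   (an open node answers 200 with its banner;
                 a node with security enabled answers 401)
    indices:     body of GET /_cat/indices?format=json, or None if refused
    """
    result = {"reachable": root_status is not None, "open": False, "indices": [], "docs": 0}
    if root_status == 200 and indices is not None:
        result["open"] = True
        for row in indices:
            docs = int(row.get("docs.count") or 0)
            result["indices"].append({"index": row.get("index"), "docs": docs,
                                      "size": row.get("store.size")})
            result["docs"] += docs
        result["indices"].sort(key=lambda r: r["docs"], reverse=True)
    return result


def check_host(host: str, port: int = 9200) -> dict:
    """Probe one host exactly as an internet-wide scanner would: no auth, port 9200."""
    base = f"http://{host}:{port}"
    root_status, _ = fetch_json(base + "/")
    idx_status, indices = fetch_json(base + "/_cat/indices?format=json")
    return assess_exposure(root_status, indices if idx_status == 200 else None)


# Constructed sample of what /_cat/indices?format=json returns on an open node.
SAMPLE_CAT_INDICES = [
    {"health": "green", "status": "open", "index": "pdl-1", "docs.count": "1000000000", "store.size": "1.3tb"},
    {"health": "green", "status": "open", "index": "oxy-1", "docs.count": "950000000", "store.size": "1.1tb"},
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "12", "store.size": "40kb"},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(check_host(sys.argv[1]), indent=2))   # live probe of a host you own
    else:
        print(json.dumps(assess_exposure(200, SAMPLE_CAT_INDICES), indent=2))
```

A result with `open: true` means anyone who finds the port can do what the researchers did. The fix is on the server, not in any client: enable authentication (`xpack.security.enabled: true`, free in the basic licence since 6.8/7.1 and on by default in 8.x), bind `network.host` to a private interface, and firewall 9200 and 9300 from the internet.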


Researchers believe the data in the PDL indexes originated from People Data Labs, a data aggregator and enrichment company.

The archive contained nearly 3 billion PDL user records associated with roughly 1.2 billion unique people, including 650 million unique email addresses. The data across the three PDL indexes included email addresses and phone numbers, LinkedIn profile data, and social media profile URLs such as a person’s Facebook, Twitter, and GitHub pages.

The experts reported their findings to PDL, which replied that the exposed Elasticsearch instance does not belong to it. The researchers’ post continues:

“The following is a partially redacted sample of my personal record, downloaded from the server.

“In order to test whether or not the data belonged to PDL, we created a free account on their website which provides users with 1,000 free people lookups per month.

“The data discovered on the open Elasticsearch server was almost a complete match to the data being returned by the People Data Labs API. The only difference being the data returned by the PDL also contained education histories.”

“When I checked my account on, the returned results were identical – including that phone number.
Since I have never seen this phone number appear in any of my previously breached/leaked records, this is a very good indication that the leaked database originated from PDL.”
continues the post.

The exposed archive also includes records that appear to belong to a second data enrichment company.

The “Oxy” database contained records scraped from LinkedIn, including recruiter information. Once notified of the discovery, OxyData told the researchers that the server did not belong to it.

The researchers speculate that the server was operated by an organization that is a customer of both People Data Labs and OxyData, but at this stage it is impossible to attribute ownership of the server to a specific company.

“If this was a customer that had normal access to PDL’s data, then it would indicate the data was not actually “stolen”, but rather mis-used. This unfortunately does not ease the troubles of any of the 1.2 billion people who had their information exposed.” concludes the post.

“Because of obvious privacy concerns cloud providers will not share any information on their customers, making this a dead end.
Agencies like the FBI can request this information through legal process (a type of official Government request), but they have no authority to force the identified organization to disclose the breach.”

Pierluigi Paganini

(SecurityAffairs – Elasticsearch server, social information)

The post Personal and social information of 1.2B people exposed on an open Elasticsearch install appeared first on Security Affairs.

2.2 Million Users Affected By Latest Data Exposure: 4 Tips to Stay Secure

The digitalization of data allows it to move effortlessly and be accessed from devices and places around the world within a matter of seconds. This also makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a variety of reasons. However, not all of these purposes are well-intentioned. More often than not, cybercriminals use the abundance of digital data to their advantage. According to Ars Technica and security researcher Troy Hunt, password data and other personal information belonging to as many as 2.2 million users of two websites – a cryptocurrency wallet service and a gaming bot provider — has been posted on the Dark Web.

What information is included in these databases? The first data haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The cybercriminal who posted this 3.72GB database stated that it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes. The second haul contains data for about 800,000 accounts on RuneScape’s bot provider EpicBot, including usernames and IP addresses. Both databases include registered email addresses and hashed passwords.

So, what lessons can we learn from this data dump and what can we do to help secure our information? Check out the following security tips to help protect your digital data.

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords consistently to further protect your data.
  • Watch out for other cyberattacks. Be on high alert for other malicious attacks where cybercriminals could use stolen credentials to exploit users, such as spear phishing.
  • Check to see if you’ve been affected. If you or someone you know has a GateHub or EpicBot account, use this tool to check if you could have been potentially affected.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 2.2 Million Users Affected By Latest Data Exposure: 4 Tips to Stay Secure appeared first on McAfee Blogs.

T-Mobile discloses data breach affecting prepaid wireless customers

Bad news for T-Mobile prepaid customers: the US-based telecom giant T-Mobile today disclosed a new data breach incident.

The US branch of the telecommunications giant T-Mobile disclosed a security breach that according to the company impacted a small number of customers of its prepaid service.

The cybersecurity team at T-Mobile discovered an unauthorized access to information associated with a limited number of its prepaid wireless account customers.

“We want to let you know about an incident that we recently identified and quickly corrected that impacted some of your personal information.” reads the data breach notice published by the company.

“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities. None of your financial data (including credit card information) or social security numbers was involved, and no passwords were compromised.”


Exposed data includes name and billing address, phone number, account number, rate plan and features, like whether a customer has added an international calling feature.

“Rate plan and features of your voice calling service are ‘customer proprietary network information’ (‘CPNI’) under FCC rules, which require we provide you notice of this incident,” continues T-Mobile.

No financial information, social security numbers, and passwords were accessed by the attackers.

At the time of writing the company did not reveal details of the intrusion or the extent of the incident.

T-Mobile confirmed to have taken the necessary steps to lock out the attackers and immediately notified law enforcement of the security breach.

The company is notifying only affected customers through email, users can contact Customer Care to receive support and information on the incident.

The company is urging affected customers to update the PIN/passcode used to access their accounts; I suggest that unaffected users do the same.

Customers should remain vigilant on possible phishing messages that can use stolen data to trick victims into revealing sensitive data, passwords and financial information such as credit card information.

Another suggestion for T-Mobile customers is to monitor their bank and payment card statements for any suspicious activity and report to the bank if they find any.

In August 2018, T-Mobile announced it has suffered a security breach that exposed the personal information of up to 2 million T-mobile customers.

Pierluigi Paganini

(SecurityAffairs – data breach, T-Mobile)

The post T-Mobile discloses data breach affecting prepaid wireless customers appeared first on Security Affairs.

AccorHotels subsidiary Gekko Group exposes hotels and travelers data in massive data leak

Security experts from vpnMentor discovered that Gekko Group, an AccorHotels subsidiary, exposes hotels and travelers in a massive data leak.

Gekko Group is a leading European B2B hotel booking platform that also owns smaller hospitality brands, including Teldar Travel & Infinite Hotel. The AccorHotels subsidiary has a combined customer base of 600,000 hotels worldwide.

vpnMentor discovered a database exposed online that contained over 1 terabyte of data from Gekko Group brands and their clients. The archive also includes data belonging to external websites and platforms that Gekko Group system communicate with, including

“Hosted in France on servers belonging to OVH SA, the compromised database was huge, containing approximately 1TB of data.” reads the report published by vpnMentor.

“While the data belonged to AccorHotels – via their ownership of Gekko Group – it originated from many different businesses within Gekko Group. The bulk of the data came from two sources: Teldar Travel & Infinite Hotels.”

Data included in the database included:

  • Hotel and transport reservations (Full names, Email addresses, Home addresses, PII of children, Travel dates, Destination hotels, Reservation details (no. of guests, room types, etc.), Price of stays, Data from external reservations platforms (ie.
  • Credit card details
  • Personally Identifiable Information (PII) of various parties
  • Login credentials for client accounts on Gekko Group-owned platforms and on platforms outside of the company umbrella.

The archive included data in numerous languages originating from multiple countries, mostly in Europe (Spain, The United Kingdom, The Netherlands, Portugal, France, Belgium, Italy, Israel).

Most of the records originated from two companies owned by the AccorHotels subsidiary, Teldar Travel and Infinite Hotel.

The database also contained many invoices exposing financial details of travel agents and their customers, and thousands of plain text passwords linked to accounts on Gekko Group-owned platforms. 

An attacker with those passwords could have logged in to the accounts and, among other things, booked stays against the account credit, cancelled existing bookings, and accessed invoices.

vpnMentor attempted to contact the Gekko Group and the AccorHotels without success, then it reported its findings to their hosting providers and the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s independent regulatory body for data security and privacy.

On November 13th, after a week of contact attempts, the researchers received a response from AccorHotels, which secured the database almost immediately after receiving the details. Below is the timeline of the incident:

  • Date discovered: 7 November 2019
  • Date vendors contacted: 7 November 2019
  • Date of 2nd contact attempt: 10 November 2019
  • Date of response: 13 November 2019
  • Date of action: 13 November 2019

Pierluigi Paganini

(SecurityAffairs – AccorHotels subsidiary, data leak)

The post AccorHotels subsidiary Gekko Group exposes hotels and travelers data in massive data leak appeared first on Security Affairs.

Cyber threats continue to evolve, but security teams remain confident

Coming off of a year of major data breaches making headline news, it’s easy to draw the conclusion that security teams are losing the cybersecurity battle, a DomainTools survey reveals. Security teams remain confident Security pros are reporting real progress being made as confidence in their programs continues to grow: Thirty percent of respondents gave their program an “A” grade this year, doubling over two years from 15 percent in 2017. Less than four percent … More

The post Cyber threats continue to evolve, but security teams remain confident appeared first on Help Net Security.

T-Mobile Suffers Data Breach Affecting Prepaid Wireless Customers

Are you a T-Mobile prepaid customer? If yes, you should immediately create or update your associated account PIN/passcode as additional protection. The US-based telecom giant T-Mobile today disclosed a yet another data breach incident that recently exposed potentially personal information of some of the customers using its prepaid services. What happened? In a statement posted on its website

How Much is Your Data Worth on the Dark Web?

You may not know much about the dark web, but it may know things about you.

What is the Dark Web?

The dark web is a part of the internet that is not visible to search engines. What makes the dark web dark is that it lets users anonymise their identity by hiding their IP addresses, which makes those using it very hard to identify.

A commonly cited estimate is that only about 4% of the internet is indexed and available to the general public, with the remaining 96% making up the deep web (content search engines do not index, such as pages behind logins). The dark web is only a small section of that, but it is a powerful one.

How much are your bank details worth?
The dark web is full of stolen personal bank credentials. It’s common to see MasterCard, Visa, and American Express credentials on the dark web from a variety of different countries.

Credit card data in the US, UK, Canada and Australia increased in price anywhere from 33% to 83% in the time from 2015 to 2018. The average price for a UK Visa or Mastercard in 2015 was £9, however, this did increase to £17 in 2018. This is approximately an 83% increase. Bank accounts that can transfer funds in stealth mode to United Kingdom banks are considerably more expensive. An account with a £12,500 account balance goes for around £700.

How much are your subscription services worth?
The sale value of your PayPal credentials depends on the available account balance. PayPal details can be sold for as little as £40 and this can increase to £820 - £2,500 for an available balance of £6580.

Your Amazon, British Airways, Facebook, Fortnite and Netflix logins are also available on the dark web. These can go for around £7 which is surprising as they hold various information about your banking and identity. Stolen hotel loyalty programs and auctions accounts can cost as much as £1,150 due to the extensive information they provide the buyer.

Are you surprised to learn that even reward programs and viewing subscriptions can be purchased on dark web markets?

How much is your whole identity worth on the dark web
The average modern person now has many online accounts. These can range from email and Facebook to online shopping, food delivery and banking. Combine all of those accounts and the typical internet user's identity is worth around £987 to hackers. The personal loss for victims is of course much higher.

Jade works for Total Processing, an advanced independent payment gateway provider who answers only to our customers.

Inadequate data sanitization puts enterprises at risk of breaches and compliance failures

Global enterprises’ overconfidence and inadequate data sanitization are exposing organizations to the risk of data breach, at a time when proper data management should be at the forefront of everything they do, according to Blancco. Three quarters (73 percent) agreed that the large volume of different devices at end-of-life leaves their company vulnerable to a data security breach, while 68 percent said they were very concerned about the risk of data breach related to end-of-life … More

The post Inadequate data sanitization puts enterprises at risk of breaches and compliance failures appeared first on Help Net Security.

E-Skimming Strikes Again: Macy’s Confirms Magecart Data Breach

Macy’s has informed customers of an e-skimming data breach following the discovery of Magecart malware on its website.

In a letter to affected customers, the retailer said that it had detected malware on its e-commerce website on October 15 and that it had been active for a little over a week. 

“The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers,” stated the letter, explaining that user-submitted data on the site’s checkout and wallet pages could have been intercepted.

Compromised customer data potentially includes first name, last name, address, city, state, ZIP code, phone number, email address, and full payment card information including number, security code, and expiration date. 

Magecart attacks are a growing threat to online retailers and e-commerce sites, where rogue code is inserted into sites to “skim” customer card information. Prior targets of the malware include Ticketmaster, Newegg, British Airways, Forbes Magazine, MyPillow and the Atlanta Hawks. Researchers have found at least 40 separate variants of Magecart code exploits. 

Macy’s is offering affected customers 12 months of free identity protection services.

The post E-Skimming Strikes Again: Macy’s Confirms Magecart Data Breach appeared first on Adam Levin.

Hackers leak 2TB of Data From Cayman National Bank stolen by Phineas Fisher

New data leak threatens the world of finance after the Panama Papers, hackers published 2TB of the Cayman National bank’s confidential data.

The Cayman Islands are a fiscal paradise that attracts money of questionable origin from all over the world, for this reason, the content of a new data leak is scaring the global finance.

Cayman National has a branch on the Isle of Man that focuses on offshore banking.

The group that goes by the name Distributed Denial of Secrets has published 2TB of confidential data belonging to the Cayman National bank.

The Distributed Denial of Secrets group started releasing the materials on Saturday, it claimed that documents leaked contain evidence of money laundering by Russian oligarchs and other important people worldwide.

Distributed Denial of Secrets did not hack the systems at Cayman National; the group only released information that was stolen by the well-known hacktivist Phineas Fisher, the same hacker that breached the surveillance firms Hacking Team and Gamma Group.

“Unicorn Riot has obtained the small HackBack announcement text released exclusively in Spanish, described as “Desde las montañas del Sureste Cibernético” (‘From the mountains of the Cyber Southeast’). It bills itself as a “HackBack” DIY guide for “Una guía DIY para robar bancos” (‘A DIY guide for robbing banks.’)  The announcement begins with a tongue-in-cheek dedication to “Subcowmandante Marcos” with an ASCII text-styled pipe-smoking cow referring to former Zapatista spokesperson Subcomandante Marcos.” reported the website Unicorn Riot.

“Also included in the announcement were introductions to common information security tools such as Metasploit and observations about previous major bank hacks, suspicious activities on SWIFT (an international financial network), and art such as a skeleton saying “Be Gay, Do Crimes” in Spanish.”

Distributed Denial of Secrets obtained the cache in two tranches, totalling about 2.21 terabytes, and calls the leak Sherwood. A torrent file has been released and mirrored, with more information posted on Pastebin.

“From the entire data set, an analysis of the locations of over 1,400 client accounts was released to Unicorn Riot including 780 from Isle of Man, 272 from Cyprus, 153 from the UK, 107 from the Cayman Islands, 51 from the British Virgin Islands, 12 from the Seychelles, 11 from the United States, 7 from Belize, 7 from Ireland, and a small number from other jurisdictions involved in offshore banking including Gibraltar, Jersey, Saint Kitts and Nevis, Barbados, Guernsey, Malta, and Mauritius.” continues Unicorn Riot.

“The XLS spreadsheet file, on its additional tabs, also includes detailed financial information about more than 3800 companies, trusts and individual accounts managed by Cayman National for clients around the world, including account balances. “

Cayman National has not acknowledged the data leak, but experts noticed that many of its services would be unavailable on November 17 because of “a major upgrade and maintenance programme.”

Stay tuned …

Pierluigi Paganini

(SecurityAffairs – Cayman National bank, data leak)

The post Hackers leak 2TB of Data From Cayman National Bank stolen by Phineas Fisher appeared first on Security Affairs.

Game Company Wizards of the Coast Suffers Data Breach

Data belonging to more than 450,000 players of popular online games were exposed on an unprotected database accessible online.

Wizards of the Coast, the company behind games such as Magic: The Gathering, MTG Arena, and Magic Online accidentally left a database unprotected on an online Amazon Web Services storage bucket. The first and last names, email addresses, and passwords of 452,634 players and 470 employees were exposed. No financial data was thought to have been compromised.

“We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” said Bruce Dugan, a spokesperson for the company in a statement to

Wizards of the Coast notified U.K. data protection authorities in accordance with the EU’s GDPR data breach disclosure requirements, and emailed affected users.

As a precaution, all MTG Arena and Magic Online players will be required to reset their passwords within the next week. 

The post Game Company Wizards of the Coast Suffers Data Breach appeared first on Adam Levin.

Bogus Holiday Hiring Scams

Part-time employment opportunities increase around the holidays. Wherever there is a scramble to get something done quickly and there’s money involved, there are scams. 

Many jobs are posted online and require an application process, so how do you know you are dealing with a legitimate employer?

Job scam warning signs.

  1. You are offered a job without an application, an interview, or sometimes even any contact with the employer. 
  2. You are asked to wire money for inventory or some other up-front fee for a work-at-home sales job. 
  3. The employer requests your Social Security number, driver’s license number or other sensitive personal information too early in the hiring process. 
  4. You are offered big money for little work—i.e., dream job, too good to be true. 
  5. A credit report is necessary, which requires your Social Security number (the skeleton key for identity-related fraud), and then they ask you for a processing fee. 
  6. You have to pay for the training necessary to do the job. 
  7. You are asked to cash a check and forward money to a third party. 
  8. Details about the job including responsibilities, hours and compensation are vague or unclear. 

Check Glassdoor for reviews of the employer. This won’t always work, but it’s a good place to start. 

Research the company online making sure they have a web presence with contact information, and check to see if there is any negative information about the company online. Read reviews. Check social media for the company’s name as well. And for good measure, see if they are in good standing with the Better Business Bureau. 

Remember that if you call a good scammer, you will not know it. Be careful. If you are asked for anything that could get you robbed—bank account numbers, mother’s maiden name or anything else that could be used as a security question—consider yourself targeted, and take evasive measures.

The post Bogus Holiday Hiring Scams appeared first on Adam Levin.

Alleged Magecart hackers planted a software skimmer into Macy’s Website

Macy’s has started notifying some of its customers that crooks used a software skimmer to steal their personal and financial information.

Macy’s has started notifying some of its customers after discovering a software skimmer on its website that crooks used to steal their personal and financial information.

The malicious software was discovered on October 15; the attackers had injected it into the checkout page and the My Account wallet page of the website.

Macy’s believes that the software skimmer was injected on October 7. The company also notified law enforcement and hired a forensic firm to help investigate the incident.

The analysis of the software skimmer revealed that it was designed to siphon data provided by customers on the desktop version of the Macy’s website. According to the notice published by the retailer, the mobile application and mobile website were not impacted.

“On October 15, 2019, we were alerted to a suspicious connection between and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on” reads the notice of data breach. “The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) pages: (1) the checkout page – if credit card data was entered and “place order” button was hit; and (2) the wallet page – accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”

Information potentially accessed by the cybercriminals includes: First Name; Last Name; Address; City; State; Zip; Phone Number; Email Address; Payment Card Number; Payment Card Security Code; Payment Card Month/Year of Expiration, if the values for these items were typed into the webpage while on either the checkout page or in the My Account wallet page. Customers checking out or interacting with the My Account wallet page on a mobile device or on the mobile application were not involved in this incident.

Macy’s alerted payment card issuers and announced additional security measures to prevent such incidents in the future. The retailer announced it will offer 12-month identity protection services for affected customers.

According to the experts, the specific software skimmer used in the attack suggests the involvement of one of the Magecart groups.

A researcher who wishes to remain anonymous told BleepingComputer that the attack was carried out by one of the Magecart groups; he also shared the obfuscated Magecart script that was injected into the Macy’s website.

“When the attackers compromised the Macy’s website, they altered the script to include an obfuscated Magecart script.” states BleepingComputer.

[Image: Magecart script injected into the Macy’s website. Source: Bleeping Computer]

Pierluigi Paganini

(SecurityAffairs – Magecart, Macy’s)

The post Alleged Magecart hackers planted a software skimmer into Macy’s Website appeared first on Security Affairs.

Combating the Accidental Insider Data Leakage Threat

Article by Andrea Babbs, UK General Manager, VIPRE SafeSend

Cybercrime has rapidly become the world’s fastest growing form of criminal activity, and is showing no sign of slowing down with the number of attacks on businesses rising by more than 50% in the last year alone. While most corporates have made significant efforts to invest in cybersecurity defences to protect their organisations from the outside threat of cybercrime, few have addressed the risk of breaches that stem from the inside in the same way. Insider threats can come from accidental error, such as an employee mistakenly sending a sensitive document to the wrong contact, or from negligence such as an employee downloading unauthorised software that results in a virus spreading through the company’s systems.

We’re all guilty of accidentally hitting send on an email to the wrong person, or attaching the wrong document; but current levels of complacency around email security culture are becoming an ever greater threat. Few organisations have a clear strategy for helping their employees understand how a simple error can put the company at significant risk; even fewer have a strategy for mitigating that risk and protecting their staff from becoming an inside threat.

So where does the responsibility lie to ensure that company data is kept secure and confidential?
According to reports, 34% of all breaches are caused by insider fault, yet many employees are unaware of their responsibility when it comes to data protection. With employee carelessness and complacency the leading causes of data breaches - understandable when human error is inevitable in pressured working environments - there is clearly a lack of awareness and training. And while there is an obvious and urgent need for better employee education, should IT leaders not be doing more to provide the tools that take the risk of making accidental mistakes out of employees’ hands?

With simple technology in place that provides an essential double check for employees - with parameters determined by corporate security protocols - before they send sensitive information via email, accidental data loss can be minimised and an improved and proactive email security culture achieved. In addition to checking the validity of outbound and inbound email addresses and attachments - thereby also minimising the risk of staff falling foul of a phishing attack - the technology can also be used to check for keywords and data strings in the body of the email, to identify confidential or sensitive data before the user clicks send.

In order for organisations to limit the number of insider data breaches, it’s crucial for employees to understand the role they play in keeping the company’s data secure. But by supporting employees with training and deploying a tool that prompts for a second check and warns when a mistake is about to be made, organisations can mitigate the risk of accidental error, and the potentially devastating consequences it might have on the business.

Email is arguably the key productivity tool in most working environments today; placing the full burden of responsibility for the security of that tool on employees is both an unnecessary overhead and, increasingly, a security risk. In contrast, supporting staff with a simple, extra prompt for them to double check they aren’t mistakenly sharing confidential data raises awareness, understanding and provides that essential security lock-step – before it’s too late.

Do your infosec habits make you vulnerable to fraud?

A third of Americans have been a victim of information fraud or identity theft. Despite notable data breaches in 2019, when asked if they update or change passwords/PINs after a company they do business with suffers a data breach, more than a quarter (28%) say only sometimes and nearly one in 10 (9%) say they don’t update their passwords at all, according to a Shred-it survey. Safeguarding sensitive data Four in ten (41%) Americans who … More

The post Do your infosec habits make you vulnerable to fraud? appeared first on Help Net Security.

Security Affairs newsletter Round 240

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Bad News: AI and 5G Are Expected to Worsen Cybersecurity Risks
Boardriders and its subsidiaries QuikSilver and Billabong infected with ransomware
Major ASP.NET hosting provider SmarterASP hit by ransomware attack
Apple Mail stores parts of encrypted emails in plaintext DB
Australian Govt agency ACSC warns of Emotet and BlueKeep attacks
CERTrating a new Tool to evaluate CERT/CSIRT maturity level
ZoneAlarm forum site hack exposed data of thousands of users
Bugcrowd paid over $500,000 in bug bounty rewards in one week
Buran ransomware-as-a-service continues to improve
Experts warn of spike in TCP DDoS reflection attacks targeting Amazon, SoftLayer and telco infrastructure
Facebook is secretly using iPhone’s camera as users scroll their feed
Mexican state-owned oil company Pemex hit by ransomware
TA505 Cybercrime targets system integrator companies
A flaw in PMx Driver can give hackers full access to a device
Adobe patch Tuesday updates addressed critical flaws in Media Encoder and Illustrator products
Microsoft Patch Tuesday updates fix CVE-2019-1429 flaw exploited in the wild
New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs
Russian man Aleksei Burkov extradited for running online criminal marketplace
Canadian intelligence agencies CSE and CSIS are divided on Huawei 5G ban
CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking
Experts found privilege escalation issue in Symantec Endpoint Protection
Flaws in Qualcomm chips allow stealing private data from devices
Tracking Iran-linked APT33 group via its own VPN networks
A new sophisticated JavaScript Skimmer dubbed Pipka used in the wild
DDoS-for-Hire Services operator sentenced to 13 months in prison
New TA2101 threat actor poses as government agencies to distribute malware
The Australian Parliament was hacked earlier this year
Two men arrested for stealing $550,000 in cryptocurrency with SIM swapping
Checkra1n, a working iPhone Jailbreak, was released
WhatsApp flaw CVE-2019-11931 could be exploited to install spyware

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 240 appeared first on Security Affairs.

Evaluating cyber risk during the holiday season

Fears of data loss, identity theft and fraud are leaving American consumers on edge this holiday season, and they’re prepared to hold their financial institution responsible for the damages. This is according to a new study released by Terbium Labs, which found that 68 percent of shoppers would hold their bank at least partly responsible for fraudulent activity, regardless of how the compromise occurred. The blame game Americans are on high alert heading into the … More

The post Evaluating cyber risk during the holiday season appeared first on Help Net Security.

For Caught in the Crossfire of Cyberwarfare

Authored by Dr Sandra Bell, Head of Resilience Consulting EMEA, Sungard Availability Services 

The 2019 National Cyber Security Centre’s (NCSC) Annual Review does not shy away from naming the four key protagonists when it comes to state-based cyber threats against our country. The review cites China, Russia, North Korea and Iran as being actively engaged in cyber operations against our Critical National Infrastructure and other sectors of society. That being said, the main cyber threat to businesses and individual citizens remains organised crime. But with the capability of organised crime matching some state-based activity and the sharing (if not direct support) of state-based techniques with cyber criminals, how are we expected to defend ourselves against such sophisticated means of cyberattack?

The answer offered by Ciaran Martin, CEO of the NCSC, in his Foreword to the 2019 Review only scratches the surface of the cultural change we need to embrace if we are to become truly cyber resilient to these modern-day threats.

“Looking ahead, there is also the risk that advanced cyberattack techniques could find their way into the hands of new actors, through the proliferation of such tools on the open market. Additionally, we must always be mindful of the risk of accidental impact from other attacks. Cyber security has moved away from the exclusive prevail of security and intelligence agencies towards one that needs the involvement of all of government, and indeed all of society.”

There are a few key points to draw out from this statement. Firstly, there is an acceptance that all of us may be collateral damage in a broader state-on-state cyberattack. Secondly, we should also accept that we may be the victims of very sophisticated cyberattacks that have their roots in state-sponsored development. And finally, we must all accept that cyber security is a collective responsibility and, where businesses are concerned, this responsibility must be accepted and owned at the very top.

Modern life is now dependent on cyber security but we are yet to truly embrace the concept of a cyber secure culture. When we perceived terrorism as the major threat to our security, society quickly adopted a ‘reporting culture’ of anything suspicious, but have we seen the same mindset shift with regards to cyber threats? The man in the street may not be the intended target of a state-based or organised crime cyberattack but we can all easily become a victim, either accidentally as collateral damage or intentionally as low-hanging fruit. Either way we can all, individual citizens and businesses alike, fall victim to the new battleground of cyberwarfare.

What can business do in the face of such threats?
One could argue that becoming a victim of cybercrime is a when, not an if. This can in turn bring about a sense of inevitability. But what is clear when you see the magnitude of recent Information Commissioner’s Office (ICO) fines is that businesses cannot ignore cyber security issues. A business that embraces the idea of a cybersecurity culture within its organisation will not only be less likely to be hit with a fine from the ICO should things go horribly wrong, but will also be less likely to fall victim in the first place. Cyber security is about doing the basics well, preparing your organisation to protect itself, and responding correctly when an incident occurs.

Protecting against a new kind of warfare
Organisations need to prepare to potentially become the unintended targets of broad-brush cyberattacks, protecting themselves against the impact they could have on their operations and customer services. With each attack growing in its complexity, businesses must in turn respond in a swift and sophisticated manner. Defence mechanisms need to be as scalable as the nefarious incidents they may be up against. To give themselves the best chance of ensuring that an attack doesn’t debilitate them and the country in which they operate, there are a few key things that businesses can do:

1) Act swiftly
A cyberattack requires an immediate response from every part of a business. Therefore, when faced with a potential breach, every individual must know how to react precisely and quickly. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to Disaster Recovery arrangements if they believe there has been a data corruption. Business units need to invoke their Business Continuity Plans and the executive Crisis Management Team needs to assemble. This team needs to be rehearsed in cyber related crisis events and not just the more traditional Business Continuity type of crisis.

Both the speed and effectiveness of a response will be greatly improved if businesses have at their fingertips the results of a Data Protection Impact Assessment (DPIA) that details all the personal data collected, processed and stored, categorised by level of sensitivity. If companies are scrambling around, unsure of who should be taking charge and what exactly should be done, then the damage caused by the data encryption will only be intensified.

2) Isolate the threat
Value flows from business to business through networks and supply chains, but so do malware infections. Having adequate back-up resources not only brings back business availability in the wake of an attack, but it also serves to act as a barrier to further disruption in the network. The key element that cybercriminals and hacking groups have worked to iterate on is their delivery vector.

Phishing attempts are more effective if they’re designed using the techniques employed in social engineering. A study conducted by IBM found that human error accounts for more than 95 per cent of security incidents. The majority of the most devastating attacks from recent years have been of the network-based variety, i.e. worms and bots.

Right now, we live in a highly connected world with hyper-extended networks comprised of a multitude of mobile devices and remote workers logging in from international locations. Having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders based in different locations don’t get forgotten in the heat of the moment.

3) Rely on resilience
Prevention is always better than cure. Rather than waiting until a data breach occurs to discover the hard way which threats and vulnerabilities are present in IT systems and business processes, act now.

It’s good business practice to continuously monitor risk, including information risk, and ensure that the controls are adequate. However, in the fast-paced cyber world where the threats are constantly changing this can be difficult in practice.

With effective Disaster Recovery and cyber focused Business Continuity practices written into business contingency planning, organisations remain robust and ready to spring into action to minimise the impact of a data breach.

The most effective way to test business resilience without unconscious bias risking false-positive results is via evaluation by external security professionals. By conducting physical and logical penetration testing and regularly checking an organisation’s susceptibility to social engineering, effective business continuity can be ensured, and back-up solutions can be rigorously tested.

Cyber Resilience must be woven into the fabric of business operations, including corporate culture itself. Crisis leadership training ensures the C-suite has the skills, competencies and psychological coping strategies that help lead an organisation through the complex, uncertain and unstable environment that is caused by a cyberattack, emerging the other side stronger and more competitive than ever before.

A look ahead to the future
A cyberattack is never insignificant, nor expected, but if a business suffers one it is important to inform those that are affected as quickly as possible. Given the scale at which these are being launched, this couldn’t be truer. It’s vital in the current age of state-backed attacks that businesses prioritise resilience lest they be caught in the crossfire. In a business landscape defined by hyper-extended supply chains, having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders don’t get forgotten in the heat of the moment and that the most important assets remain protected.

Solara Medical Supplies Notifying Individuals Affected by Data Breach

Solara Medical Supplies, LLC (“Solara”) revealed that it’s in the process of notifying individuals potentially affected by a data breach. On November 13, Solara stated that it had learned of a security incident back in late-June 2019. The medical supplies provider said that an unknown actor used a phishing attack to access some of its […]… Read More

The post Solara Medical Supplies Notifying Individuals Affected by Data Breach appeared first on The State of Security.

Company Detected Years-Long Breach Only After Hacker Maxed Out Servers’ Storage

What could be even worse than getting hacked? It's the "failure to detect intrusions" that always results in huge losses to the organizations. Utah-based technology company InfoTrax Systems is the latest example of such a security blunder, as the company was breached more than 20 times from May 2014 until March 2016. What's ironic is that the company detected the breach only after it

Tech Companies Respond to the Concerns of Netizens ‘Digital Privacy’

Whistleblowers and electronic activists have long been alarmed by the violation of privacy online.

Now a host of technology entrepreneurs aim to turn an increasing awareness of the problem into a money making business, and many have demonstrated their expertise at this week’s Lisbon Web Summit.

“With the current tensions, there is clearly a movement between people to recover their right to privacy,” organizer Paddy Cosgrave told the AFP.

“Creating custom cryptography in the device level is booming so that a third-party key stroke on your computer is unreadable. Several companies are trying to advance in this field,” said Cosgrave.

“I think you have an entire new market for your own digital identity, data control, data management and data monetization,” said American Brittany Kaiser, who lifted the data abuse scandal at Cambridge Analytica last year.

Also the role of Kaiser in Cambridge Analytica, “The Great Hack,” is the subject of a Netflix documentary.

-Blow the whistle-

Kaiser has co-created the ‘Own Your Data’ foundation to ‘blame the whole sector’ and to denounce abuses by companies that collect data without express knowledge on the part of web users.

They cautioned that “it will be difficult to achieve the end of the mass adoption” of products and services designed to mitigate concerns of confidentiality, but after a year and a half of lobbying, the “shock of momentum” is seen.

Brendan Eich, creator of the Brave browser and of JavaScript and a co-founder of Mozilla and Firefox, noted that “small minority groups were able to move markets, and that’s happening.”

The way forward is ‘ordinary security,’ Eich said, with data protection and adblock capacities as key attributes of Brave.

Eich hopes that Brave has 10 million users by the end of the year, but said it needs to double or triple before it can generate revenue from opt-in online ads.

US cryptocurrency “godfather” David Chaum, meanwhile, believed that the digital world had reached a critical juncture.

“This is like a historical moment. I think the killer app is obviously incorporated with transactions if you look at smartphones.”

-‘Shocking’ scale-

Chaum is behind Elixxir, which aims to provide digital privacy through the deployment of a mobile messaging app with a VPV in line with the Chinese behemoth WeChat network, securing contact with blockchain security.

Briton David Chance also wants to transfer digital data security to another tier after leaving Google to begin a company, yourself. Online, which allows the public collection of information without permission.

“The scale of the problem is the most shocking thing,” says Chance. “We will find personal details for around 80 per cent of those who sign up for our Program. This could be a telephone number, email address or date of birth.” Companies are collecting information we want online and are using it to decide whether someone is getting work, credit or a loan. We say, “I feel like I am chasing some creeper. I feel like I’m being violated,” he said.

The post Tech Companies Respond to the Concerns of Netizens ‘Digital Privacy’ appeared first on .

Hackers Breach ZoneAlarm’s Forum Site — Outdated vBulletin to Blame

ZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed The Hacker News. With nearly 100 million downloads, ZoneAlarm offers antivirus software, firewall, and additional virus protection solutions to home PC users, small businesses, and mobile

Why Cybersecurity Breach Survivors are Valued Assets

Guest article By Ewen O’Brien, VP of Enterprise, EMEA at BitSight

No one wants to talk about their failures, especially in the cybersecurity realm where the stakes are high. But new insight from Symantec and Goldsmiths, University of London, finds that security professionals who have lived through a cybersecurity attack or breach could be the answer to protecting your organisation against future threats.

The report reveals that just over half of the 3,000 CISOs surveyed believe that learning from failure is incredibly valuable and a vital part of improving corporate cybersecurity postures. Indeed, these professionals may very well be your company’s best line of defence in the face of a potential cyberattack.

The Value of “Cybersecurity Breach Survivors”

Security professionals who have lived through an avoidable breach possess a unique mindset. They are less likely to experience burnout, are less indifferent to their work, less likely to think about quitting their job, feel less personally responsible for an incident, and are more likely to share their learning experiences. Cybersecurity breach survivors also have the first-hand experience of what works on the frontlines of security performance management and what doesn’t and are well versed in crisis management, recovery procedures, and team focus.

Furthermore, cyberattack veterans have unique perspectives on cybersecurity risk management. They understand that risk mitigation requires more than the right tools and technology. Unless an organisation takes a risk-based view of security, where all stakeholders (not just IT) understand the inherent threat of doing business in a digital world, then all the firewalls, endpoint protection, and other security measures won’t help.

Sharing Insights About Cybersecurity Breaches: The Best Defence
Unfortunately, while many businesses tend to extol the virtues of openness and information-sharing, cybersecurity remains a taboo subject for many. Cyber breaches are treated like a scarlet letter, and security teams are often hesitant to share information or discuss vulnerabilities that led to breaches and lessons learned from those incidents.

That might be why security professionals who’ve “been there and done it” remain unfortunately tight-lipped about their experiences. The Symantec/Goldsmiths study shows that 54% of respondents don’t discuss breaches or attacks with their industry peers, with 36% fearing that sharing this information could impact their professional reputation and career prospects.

This new report flips that thinking on its head, and boldly asserts several best practices: that these learnings should be shared, that company boards should foster a more open learning culture for security teams, and that data breach survivors should be at the top of your company's list of hiring priorities.

Indeed, sharing experiences is critically important, especially since everyone in the company must be involved in protecting the organisation. The cybersecurity skills shortage mandates that everyone, from the CEO on down, needs to take responsibility.

Not adhering to this policy can yield some sobering results. The average cost of a cyber breach has now reached $4.6 million per incident. But the impact extends beyond potential financial and reputational ruin. Security teams are also feeling the burn with 51% of tech executives experiencing cybersecurity burnout and stress-related illnesses as a result of cyberattacks, breaches, and outages.

Experience with Vulnerabilities Can Strengthen Security Performance Management 

We’re all vulnerable about our vulnerabilities. But cybersecurity professionals who have witnessed an attack first-hand should be applauded, not vilified. And they should feel confident that their experience can help their organisations be better prepared for the future. Their experiences--and the knowledge they’ve gained from those experiences--can be used to bolster security performance management and create a formidable front against potential threats.

Rogue TrendMicro Employee Sold Customer Data to Tech Support Scammers

Do you always feel uncomfortable trusting companies with your data? If so, you're not alone. While companies do much to protect themselves from external threats, insiders always pose the highest risk to a company's data. Unfortunately, when we say companies can't eliminate insider threat completely, cybersecurity firms, who are meant to protect others, are not an exception. Cybersecurity firm

Escaping the Egregious Eleven – Part One

Helping to define and examine the top perceived cloud security threats of the day, the ‘Egregious Eleven’ is the most recent iteration in an evolving set of summary reports published by the Cloud Security Alliance (CSA). It follows on from the ‘Treacherous Twelve,’ which they defined for us in 2016, and the ‘Notorious Nine,’ which […]… Read More

The post Escaping the Egregious Eleven – Part One appeared first on The State of Security.

Smashing Security #153: Cybercrime doesn’t pay (but Uber does)

The cybercrime lovebirds who hijacked Washington DC’s CCTV cameras in the run-up to Donald Trump’s inauguration, the truffle-snuffling bankers at the centre of an insider-trading scandal, and the hackers that Uber paid hush money to hide a security breach.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.

Desjardins Data Breach Worse Than Originally Reported

The June data breach of Canadian financial institution Desjardins was wider in scope than initially reported and compromised the data of all 4.2 million of its individual members.

The breach, initially detected in December 2018 and announced in July 2019, was originally estimated to have affected 2.7 million customers and 173,000 businesses. Desjardins announced the revised figure based on information shared by the Sûreté du Québec (SQ), the Quebec province’s police force. It is possible more businesses were impacted by the breach than originally estimated.

Compromised member data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories.

“This is not a new breach, this is the same breach with the same employee who did the same pattern [sic], but the bad news today is that the SQ is sure that it’s for the whole group and all the 4.2 million members,” said Desjardins chief executive Guy Cormier.

While Desjardins attributed the data breach to a single employee, no arrests have been made and an investigation is still ongoing.

The post Desjardins Data Breach Worse Than Originally Reported appeared first on Adam Levin.

Why PAM Should Be a CISO’s Top Priority

Privileged access management (PAM) consists of strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes and systems across an IT environment. By implementing an appropriate level of privileged access controls, PAM helps organizations condense their organization’s attack surface and prevent, or at least mitigate, the damage arising […]… Read More

The post Why PAM Should Be a CISO’s Top Priority appeared first on The State of Security.

American Civil Liberties Union Sues FBI, DEA, and Justice Department Over Facial Recognition Secrecy

The ACLU (American Civil Liberties Union) sued the FBI, Drug Enforcement Administration (DEA), and Justice Department for records detailing their use of facial-recognition software. The ACLU lawsuit states that the three agencies have secretly implemented a nationwide surveillance technology that endangers American citizens’ privacy and civil rights.

The lawsuit also claims that the US government is secretly withholding information on how it uses a face-recognition database of millions of American people.

“Because of the FBI’s secrecy, details regarding how the agency is increasing its surveillance activities with face recognition technology is scarce,” said Kade Crockford of the American Civil Liberties Union in a statement.

The American Civil Liberties Union attorneys requested that a federal court in Massachusetts order the agencies to release documents about how the government uses and audits the facial-recognition software, how officials have communicated with firms that provide the facial-recognition software, and what internal guidelines and safeguards regulate its use.

“These technologies (facial-recognition) have the potential to facilitate undetectable, persistent, and suspicionless surveillance on an unprecedented scale,” the attorneys wrote. “Such mass surveillance would permit the government to pervasively track people’s movements and associations in ways that threaten core constitutional values.”

The ACLU lawsuit naming the Justice Department, the FBI, and Drug Enforcement Administration said the agencies “failed to produce any responsive documents” in response to a Freedom of Information Act request.

Privacy activists claim that the FBI is currently collecting biometric data on US people’s faces, irises, walking patterns, and voices and has a database of nearly 640 million images of adults in the US.

“Mass surveillance and facial-recognition technology have the potential to alter our free society into one where we’re treated as suspects to be tracked and monitored by the government 24/7.”

Supporters of facial-recognition say it is a useful tool that can make it easier to catch culprits and ensure safety at public venues with large crowds.

But privacy and civil rights activists say the facial-recognition technology has flaws and could ensnare innocent people.

The ACLU lawsuit marks a new chapter in the growing resistance to the face-recognition technology, which has quickly become a far-reaching presence in people’s lives with little to no legislative approval or public debate.

The ACLU lawsuit filed in Massachusetts asks the US government to disclose more information on what data it has and who can access it.

When asked about the ACLU lawsuit, the Drug Enforcement Administration (DEA) and FBI said they don’t comment on pending litigation. The Justice Department declined to comment.

The post American Civil Liberties Union Sues FBI, DEA, and Justice Department Over Facial Recognition Secrecy appeared first on .

Leading Web Domain Name Registrars Disclose Data Breach

Another day, another massive data breach—this time affecting a leading web technology company, as well as both of its subsidiaries, from where millions of customers around the world have purchased domain names for their websites. The world's top domain registrars, Network Solutions, and disclosed a security breach that may have resulted in the theft of customers' account

Two Hackers Who Extorted Money From Uber and LinkedIn Plead Guilty

Two grey hat hackers have pleaded guilty to blackmailing Uber, LinkedIn, and other U.S. corporations for money in exchange for promises to delete data of millions of customers they had stolen in late 2016. In a San Jose courthouse in California on Wednesday, Brandon Charles Glover (26) of Florida and Vasile Mereacre (23) of Toronto admitted they accessed and downloaded confidential corporate

Nation of Georgia Hit By Major Cyberattack

The entire nation of Georgia has been hit by a cyberattack, the largest in that country’s history.

Indications are that the attack was politically motivated: thousands of websites suddenly featured an image of former President Mikheil Saakashvili with the message “I’ll be back.” Additionally, at least two television stations were rendered non-functional, as were the websites of several governmental agencies.

Local web hosting provider Pro-Service confirmed that it had been the target of the attack and that one of its servers had been successfully breached. In all, Pro-Service said that “some 15,000” websites had been affected by the attack.

The company later posted an update on its website stating that the “effects of the most massive cyberattack have been eliminated.” 

“With the scale and the nature of the targets, it’s difficult not to conclude that this was a state-sponsored attack,” said cybersecurity expert Alan Woodward to BBC News.

Georgia had previously been targeted by cyberattacks during the country’s 2008 conflict with Russia over the disputed region of South Ossetia. 

Despite the scope of the attack, no major utilities or critical services were affected.

The post Nation of Georgia Hit By Major Cyberattack appeared first on Adam Levin.

The damaging after-effects of a data breach

Think your organisation is unlikely to be affected by a data breach? Think again.

A Carbon Black study has found that 88% of UK businesses were breached last year, demonstrating just how widespread the threat is. If your organisation hasn’t yet suffered a data breach, it’s probably only a matter of time.

Indeed, you may already have fallen victim and simply not know it yet. The average time to detect a security incident is 206 days. That’s almost seven months.

Consider how much damage is being done in that time. The criminal hackers are probing your systems looking for more and more useful information; thousands, if not millions, of records are being compromised; and the people whose information has been stolen are being subjected to all sorts of malicious acts without their knowledge.

How are breached businesses affected?

Organisations suffer in many ways when they fall victim to a data breach, but the most immediately worrying are the financial repercussions.

There are several costs associated with a data breach, such as:

  • Compensating affected customers;
  • Setting up breach response efforts, like helpdesks for affected customers and complementary credit checks;
  • Investigating the incident, which might include hiring a third party or paying your own security staff in overtime; and
  • Falling share prices.

There’s also the threat of regulatory penalties following a data breach. The disciplinary powers introduced in the GDPR (General Data Protection Regulation) have made this potentially by far the biggest financial cost of a data breach.

The GDPR gives supervisory authorities – which in the UK is the ICO (Information Commissioner’s Office) – the power to fine non-compliant organisations €20 million (about £17.5 million) or 4% of global annual turnover, whichever is greater.

Don’t overlook the reputational damage of a data breach

After paying off fines, the breached organisation must also deal with the damage to its reputation. It can be hard for the organisation to retain customers’ trust, particularly if the breach was widespread or caused by basic security errors.

Regardless, you are bound to see people take their business elsewhere after a breach and you’ll struggle to bring in new customers.

Unless it was a catastrophic breach, the loss of trust will subside over time as people forget about the incident and competitors suffer a similar fate. However, the damage will already have been done by then, with the breach halting your growth.

During this time, you must also hope that you don’t suffer another security incident, as this could compound the damage to such an extent that it’s impossible to recover from.

The dangers of collecting sensitive information

Data breaches are more likely to have bigger financial and reputational effects if sensitive personal data is involved. This includes information relating to an individual’s:

  • Political opinions;
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data; and
  • Biometric data (where processed to uniquely identify someone).

The misuse of sensitive data can cause a lot more damage than the standard things that are involved in breaches, like names, addresses and financial details.

Whereas ‘normal’ personal data is generally used to commit fraud or launch personalised cyber attacks (which, although bad, are a one-off event), a breach of sensitive personal data can permanently disrupt the victim’s life.

For example, it can expose information that the individual wanted to keep private for fear that it would lead to prejudice. Think of the emotional damage that might occur if it became publicly known that a data subject had a health condition or was a member of a controversial political party.

Similarly, consider the effects if biometric data was breached. This isn’t just a privacy breach; it can also have an irrevocable impact on the victim’s information security.

If they were using the information as a security mechanism (which is the most likely reason to share such information), they can’t simply reset their fingerprint the way you reset a password after it is breached.

The victim will forever know that their biometric data is out there and can potentially be used to access their accounts.

Organisations are therefore expected to take extra care when handling sensitive information. If it’s breached, the victims will be much less likely to forgive you and the ICO will come down much harder when issuing a fine.

Protect your organisation with a DPO

To help organisations tackle the threat of data breaches, the GDPR requires certain organisations to appoint a DPO (data protection officer). They are independent data protection experts who help organisations meet their regulatory obligations.

DPOs’ tasks include monitoring an organisation’s data protection policies, advising management on whether DPIAs (data protection impact assessments) are necessary and serving as a point of contact between the organisation and its supervisory authority.

Although not every organisation is required to appoint a DPO, many experts – including the European Data Protection Board – believe all organisations will benefit from assigning someone to take on the DPO’s responsibilities.

Finding someone with the right experience can be tricky, though, which is why many organisations are turning to third-party help.

DPO as a Service

Our sister company GRCI Law Limited is a legal consultancy specialising in data protection and cyber security.

Under its DPO as a service offering, a qualified, experienced member of the team will act as DPO for your organisation. The role of the DPO is to monitor your data protection activities and compliance with the GDPR, and to offer advice on a day-to-day basis.

Don't risk it. Cyber secure it.

You wouldn’t ignore a medical expert’s advice. Why risk your cyber health?

A version of this blog was originally published on 9 April 2019.

The post The damaging after-effects of a data breach appeared first on IT Governance Blog.

5 Digitally-Rich Terms to Define, Discuss with Your Kids


Over the years, I’ve been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise.

Like the time I reprimanded my son for not thanking his friend’s mother properly before we left a birthday party. He was seven when his etiquette deficit disorder surfaced. Or the time I had a meltdown because my daughter cut her hair off. She was five when she brazenly declared her scorn for the ponytail.

The problem: I assumed they knew.

Isn’t the same true when it comes to our children’s understanding of the online world? We can be quick to correct our kids when they fail to exercise the best judgment or handle a situation the way we think they should online.

But often what’s needed first is a parental pause to ask ourselves: Am I assuming they know? Have I taken the time to define and discuss the issue?

With that in mind, here are five digitally-rich terms dominating the online conversation. If possible, find a few pockets of time this week and start from the beginning — define the words, then discuss them with your kids. You may be surprised where the conversation goes.

5 digital terms that matter

Internet Privacy

Internet privacy is the personal privacy that every person is entitled to when they display, store, or provide information regarding themselves on the internet. 

Highlight: We see and use this word often but do our kids know what it means? Your personal information has value, like money. Guard it. Lock it down. Also, respect the privacy of others. Be mindful about accidentally giving away a friend’s information, sharing photos without permission, or sharing secrets. Remember: Nothing shared online (even in a direct message or private text) is private—nothing. Smart people get hacked every day.
Ask: Did you know that when you go online, websites and apps track your activity to glean personal information? What are some ways you can control that? Do you know why people want your data?
Act: Use privacy settings on all apps, turn off cookies in search engines, review privacy policies of apps, and create bullet-proof passwords.

Digital Wellbeing

Digital wellbeing (also called digital wellness) is an ongoing awareness of how social media and technology impacts our emotional and physical health.

Highlight: Every choice we make online can affect our wellbeing or alter our sense of security and peace. Focusing on wellbeing includes taking preventative measures, making choices, and choosing behaviors that help us build a healthy relationship with technology. Improving one’s digital wellbeing is an ongoing process.
Ask: What do you like to do online that makes you feel good about yourself? What kinds of interactions make you feel anxious, excluded, or sad? How much time online do you think is healthy?
Act: Digital wellness begins at home. To help kids “curb the urge” to post so frequently, give them a “quality over quantity” challenge. Establish tech curfews and balance screen time with green time. Choose apps and products that include wellbeing features in their design. Consider security software that blocks inappropriate apps, filters disturbing content, and curbs screen time.

Media Literacy

Media literacy is the ability to access, analyze, evaluate, and create media in a variety of forms. It’s the ability to think critically about the messages you encounter.

Highlight: Technology has redefined media. Today, anyone can be a content creator and publisher online, which makes it difficult to discern the credibility of the information we encounter. The goal of media literacy curriculum in education is to equip kids to become critical thinkers, effective communicators, and responsible digital citizens.
Ask: Who created this content? Is it balanced or one-sided? What is the author’s motive behind it? Should I share this?  How might someone else see this differently?
Act: Use online resources such as Cyberwise to explore concepts such as clickbait, bias, psychographics, cyberethics, stereotypes, fake news, critical thinking/viewing, and digital citizenship. Also, download Google’s new Be Internet Awesome media literacy curriculum.

Empathy
Empathy is stepping into the shoes of another person to better understand and feel what they are going through.

Highlight: Empathy is a powerful skill in the online world. Empathy helps dissolve stereotypes, perceptions, and prejudices. According to Dr. Michelle Borba, empathetic children practice nine habits that run contrary to today’s “selfie syndrome” culture. Empathy-building habits include moral courage, kindness, and emotional literacy. Without empathy, people can be “mean behind the screen” online. But remember: there are also a lot of people practicing empathy online who are genuine “helpers.” Be a helper.
Ask: How can you tell when someone “gets you” or understands what you are going through? How do they express that? Is it hard for you to stop and try to relate to what someone else is feeling or see a situation through their eyes? What thoughts or emotions get in your way?
Act: Practice focusing outward when you are online. Is there anyone who seems lonely, excluded, or in distress? Offer a kind word or an encouragement, and ask questions to learn more about them. (Note: Empathy is an emotion/skill kids learn over time with practice and parental modeling.)

Cyberbullying
Cyberbullying is the use of technology to harass, threaten, embarrass, shame, or target another person online.

Highlight: Not all kids understand the scope of cyberbullying, which can include spreading rumors, sending inappropriate photos, gossiping, subtweeting, and excessive messaging. Kids often mistake cyberbullying for digital drama and overlook abusive behavior. While kids are usually referenced in cyberbullying, the increase in adults involved in online shaming, unfortunately, is quickly changing that ratio.
Ask: Do you think words online can hurt someone more than words said face-to-face? Why? Have you ever experienced cyberbullying? Would you tell a parent or teacher about it? Why or why not?
Act: Be aware of changes in your child’s behavior and pay attention to his or her online communities. Encourage kids to report bullying (aimed at them or someone else). Talk about what it means to be an Upstander when bullied. If the situation is unresolvable and escalates to threats of violence, report it immediately to law enforcement.

We hope these five concepts spark some lively discussions around your dinner table this week. Depending on the age of your child, you can scale the conversation to fit. And don’t be scared off by eye rolls or sighs, parents. Press into the hard conversations and be consistent. Your voice matters in their noisy, digital world.

The post 5 Digitally-Rich Terms to Define, Discuss with Your Kids appeared first on McAfee Blogs.

Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open

Have you ever needed to get an X-ray or an MRI for an injury? It turns out that these images, as well as the health data of millions of Americans, have been sitting unprotected on the internet and available to anyone with basic computer expertise. According to ProPublica, these exposed records affect more than 5 million patients in the U.S. and millions more across the globe, equating to 16 million scans worldwide that are publicly available online.

This exposure affects data used in doctor’s offices, medical imaging centers, and mobile X-ray services. What’s more, the exposed data also contained other personal information such as dates of birth, details on personal physicians, and procedures received by patients, bringing the potential threat of identity theft closer to reality. And while researchers found no evidence of patient data being copied from these systems and published elsewhere, the implications of this much personal data exposed to the masses could be substantial.

To help users lock down their data and protect themselves from fraud and other cyberattacks, we’ve provided the following security tips:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open appeared first on McAfee Blogs.

Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know

I can’t recall the last time I gave my teenage daughter cash for anything. If she needs money for gas, I Venmo it. A Taco Bell study break with the roommates? No problem. With one click, I transfer money from my Venmo account to hers. She uses a Venmo credit card to make her purchase. To this mom, cash apps may be the best thing to happen to parenting since location tracking became possible. But as convenient as these apps may be, are they safe for your family to use?

How do they work?

The research company, eMarketer, estimates that 96.0 million people used Peer-to-Peer (P2P) payment services this year (that’s 40.4% of all mobile phone users), up from an estimated 82.5 million last year.

P2P technology allows you to create a profile on a transfer app and link your bank account or credit card to it. Once your banking information is set up, you can locate another person’s account on the app (or invite someone to the app) and transfer funds instantly into their P2P account (without the hassle of getting a bank account number, email, or phone number). That person can leave the money in their app account, move it into his or her bank account, or use a debit card issued by the P2P app to use the funds immediately. If the app offers a credit card (like Venmo does), the recipient can use the Venmo card like a credit card at retailers most anywhere. 

Some of the more popular P2P apps include Venmo, Cash App, Zelle, Apple Pay, Google Wallet, Facebook Messenger, and Snapcash, among others. Because of the P2P platform’s rapid growth, more and more investors are entering the market each day to introduce new cash apps, which is causing many analysts to speculate on the need for paper check transactions in the future.

Are they safe?

While sending your hard-earned money back and forth through cyberspace on an app doesn’t sound safe, in general, it is. Are there some exceptions? Always. 

Online scam trends often follow consumer purchasing trends and, right now, the hot transaction spot is P2P platforms. Because P2P money is transferred instantly (and irreversibly), scammers exploit this and are figuring out how to take people’s money. After getting a P2P payment, scammers then delete their accounts and disappear — instantly.

In 2018 Consumer Reports (CR) compared the potential financial and privacy risks of five mobile P2P services with a focus on payment authentication and data privacy. CR found all the apps had acceptable encryption but some were dinged for not clearly explaining how they protected user data. The consumer advocacy group ranked app safety strength in this order: Apple Pay, Venmo, Cash App, Facebook Messenger, and Zelle. CR also noted they “found nothing to suggest that using these products would threaten the security of your financial and personal data.”

While any app’s architecture may be deemed safe, no app user is immune from scams, which is where app safety can make every difference. If your family uses P2P apps regularly, confirm each user understands the potential risks. Here are just a few of the schemes that have been connected to P2P apps.


Potential scams

Fraudulent sellers. This scam targets an unassuming buyer who sends money through a P2P app to purchase an item from someone they met online. The friendly seller casually suggests the buyer “just Venmo or Cash App me.” The buyer sends the money, but the item is never received, and the seller vanishes. This scam has been known to happen in online marketplaces and other trading sites and apps.

Malicious emails. Another scam is sending people an email telling them that someone has deposited money in their P2P account. They are prompted to click a link to go directly to the app, but instead, the malicious link downloads malware onto the person’s phone or computer. The scammer can then glean personal information from the person’s devices. To avoid a malware attack, consider installing comprehensive security software on your family’s computers and devices.

Ticket scams. Beware of anyone selling concert or sporting event tickets online. Buyers can get caught up in the excitement of scoring tickets for their favorite events, send the money via a P2P app, but the seller leaves them empty-handed.

Puppy and romance scams. In this cruel scam, a pet lover falls in love with a photo of a puppy online, uses a P2P app to pay for it, and the seller deletes his or her account and disappears. Likewise, catfish scammers gain someone’s trust. As the romantic relationship grows, the fraudulent person eventually asks to borrow money. The victim sends money using a P2P app only to have their love interest end all communication and vanish.  

P2P safety: Talking points for families

Only connect with family and friends. When using cash apps, only exchange money with people you know. Unlike an insured bank, P2P apps do not refund the money you’ve paid out accidentally or in a scam scenario. P2P apps hold users 100% responsible for transfers. 

Verify details of each transfer. The sender is responsible for funds, even in the case of an accidental transfer. So, if you are paying Joe Smith your half of the rent, be sure you select the correct Joe Smith, (not Joe Smith_1, or Joe Smithe) before you hit send. There could be dozens of name variations to choose from in an app’s directory. Also, verify with your bank that each P2P transaction registers.

Avoid public Wi-Fi transfers. Public Wi-Fi is susceptible to hackers trying to access valuable financial and personal information. For this reason, only use a secure, private Wi-Fi network when using a P2P payment app. If you must use public Wi-Fi, consider using a Virtual Private Network (VPN).


Don’t use P2P apps for business. P2P apps are designed to be used between friends and include no-commercial-use clauses in their policies. For larger business transactions, such as buying and selling goods or services, use apps like PayPal.

Lock your app. When you have a P2P app on your phone, it’s like carrying cash. If someone steals your phone, they can go into an unlocked P2P app and send themselves money from your bank account. Set up extra security on your app. Most apps offer PINs, fingerprint IDs, and two-factor authentication. Also, always lock your device home screen.

Adjust privacy settings. Venmo includes a feed that auto shares when users exchange funds, much like a social media feed. To avoid a stranger seeing that you paid a friend for Ed Sheeran tickets (and won’t be home that night), be sure to adjust your privacy settings. 

Read disclosures. One way to assess an app’s safety is to read its disclosures. How does the app protect your privacy and security? How does the app use your data? What is the app’s error-resolution policy? Feel secure with the app you choose.

We’ve learned that the most significant factor in determining an app’s safety comes back to the person using it. If your family loves using P2P apps, be sure to take the time to discuss the responsibility that comes with exchanging cash through apps. 

The post Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know appeared first on McAfee Blogs.

Millions of Car Buyer Records Exposed: How to Bring This Breach to a Halt

Buying a car can be quite a process and requires a lot of time, energy, and research. What most potential car buyers don’t expect is to have their data exposed for all to see. But according to Threatpost, this story rings true for many prospective buyers. Over 198 million records containing personal, loan, and financial information on prospective car buyers were recently leaked due to a database that was left without password protection.

The database belonged to Dealer Leads, a company that gathers information on prospective buyers through a network of targeted websites. These targeted websites provide car-buying research information and classified ads for visitors, allowing Dealer Leads to collect this information and send it to franchise and independent car dealerships to be used as sales leads. The information collected included records with names, email addresses, phone numbers, physical addresses, IP addresses, and other sensitive or personally identifiable information – 413GB worth of this data, to be exact. What’s more, the exposed database contained ports, pathways, and storage info that cybercriminals could exploit to access Dealer Leads’ deeper digital network.

Although the database has been closed off to the public, it is unclear how long it was left exposed. And while it’s crucial for organizations to hold data privacy to the utmost importance, there are plenty of things users can do to help safeguard their data. Check out the following tips to help you stay secure:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your accounts for unusual activity. This will help you stop fraudulent activity in its tracks.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of Car Buyer Records Exposed: How to Bring This Breach to a Halt appeared first on McAfee Blogs.

3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy

Even though most of us are aware of the potential risks, we continue to journal and archive our daily lives online publicly. It’s as if we just can’t help it. Our kids are just so darn cute, right? And, everyone else is doing it, so why not join the fun?

One example of this has become the digital tradition of parents sharing first-day back-to-school photos. The photos feature fresh-faced, excited kids holding signs to commemorate the big day. The signs often include the child’s name, age, grade, and school. Some back-to-school photos go as far as to include the child’s best friend’s name, favorite TV show, favorite food, their height, weight, and what they want to be when they grow up.

Are these kinds of photos adorable and share-worthy? Absolutely. Could they also be putting your child’s safety and your family’s privacy at risk? Absolutely.

1. Posting identifying family photos

Think about it. If you are a hacker combing social profiles to steal personal information, all those extra details hidden in photos can be quite helpful. For instance, a seemingly harmless back-to-school photo can expose a home address or a street sign in the background. Cyber thieves can zoom in on a photo to see the name on a pet collar, which could be a password clue, or grab details from a piece of mail or a post-it on the refrigerator to add to your identity theft file. On the safety side, a school uniform, team jersey, or backpack emblem could give away a child’s daily location to a predator.

Family Safety Tips
  • Share selectively. Facebook has a private sharing option that allows you to share a photo with specific friends. Instagram has a similar feature.
  • Private groups. Start a private Family & Friends Facebook group, phone text, or start a family chat on an app like GroupMe. This way, grandma and Aunt June feel included in important events, and your family’s personal life remains intact.
  • Photo albums. Go old school. Print and store photos in a family photo album at home away from the public spotlight.
  • Scrutinize your content. Think before you post. Ask yourself if the likes and comments are worth the privacy risk. Pay attention to what’s in the foreground or background of a photo.
  • Use children’s initials. Instead of using your child’s name online, use his or her initials or even a digital nickname when posting. Ask family members to do the same.

2. Using trendy apps, quizzes & challenges

It doesn’t take much to grab our attention or our data these days. A survey recently conducted by the Center for Data Innovation found that 58 percent of Americans are “willing to share their most sensitive personal data” (including medical and location data) in return for using apps and services.

If you love those trendy face-morphing apps, quizzes that reveal what celebrity you look like, and taking part in online challenges, you are likely part of the above statistic. As we learned just recently, people who downloaded the popular FaceApp to age their faces didn’t realize the privacy implications. Online quizzes and challenges (often circulated on Facebook) can open you up to similar risk.

Family Safety Tips

  • Slow down. Read an app’s privacy policy and terms. How will your content or data be used? Is this momentary fun worth exchanging your data for?
  • Max privacy settings. If you download an app, adjust your device settings to control app permissions immediately.
  • Delete unused apps. An app you downloaded five years ago and forgot about can still be collecting data from your phone. Clean up and delete apps routinely.
  • Protect your devices. Apps, quizzes, and challenges online can be channels for malware. Take the extra step to ensure your devices are protected.

3. Unintentionally posting personal details

Is it wrong to want an interesting Facebook or Instagram profile? Not at all. But be mindful you are painting a picture with each detail you share. For instance: It’s easy to show off your new dog Fergie and add your email address and phone number to your social profile so friends can easily stay in touch. It’s natural to feel pride in your hometown of Muskogee, to celebrate Katie Beth‘s scholarship and Justin‘s home run. It’s natural to want to post your 23rd anniversary to your beloved Michael (who everyone calls Mickey Dee) on December 15. It’s also common to post about a family reunion with the maternal side of your family, the VanDerhoots.

While it may be common to share this kind of information, it’s still unwise since this one paragraph just gave a hacker 10+ personal details to use in figuring out your passwords.

Family Safety Tips

  • Use, refresh strong passwords. Change your passwords often and be sure to use a robust and unique password or passphrase (e.g., grannymakesmoonshine or glutenfreeformeplease), and make sure you vary passwords between different logins. Use two-factor authentication whenever possible.
  • Become more mysterious. Make your social accounts private, use selective sharing options, and keep your profile information as minimal as possible.
  • Reduce your friend lists. Do you know everyone who can view your information every day? To boost your security, consider curating your friend lists every few months.
  • Fib on security questions. Ethical hacker Stephanie Carruthers advises people who want extra protection online to lie on security questions. So, when asked for your mother’s maiden name, your birthplace, or your childhood friend, answer with Nutella, Disneyland, or Dora the Explorer.

We’ve all unwittingly uploaded content, used apps, or clicked buttons that may have compromised our privacy. That’s okay, don’t beat yourself up. Just take a few hours and clean up, lock down, and streamline your social content. With new knowledge comes new power to close the security gaps and create new digital habits.

The post 3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy appeared first on McAfee Blogs.

Attention Facebook Users: Here’s What You Need to Know About the Recent Breach

With over 2.4 billion monthly active users, Facebook is the biggest social network worldwide. And with so many users come tons of data, including some personal information that may now potentially be exposed. According to TechCrunch, a security researcher found an online database exposing 419 million user phone numbers linked to Facebook accounts.

It appears that the exposed server wasn’t password-protected, meaning that anyone with internet access could find the database. This server held records containing a user’s unique Facebook ID and the phone number associated with the account. In some cases, records also revealed the user’s name, gender, and location by country. TechCrunch was able to verify several records in the database by matching a known Facebook user’s phone number with their listed Facebook ID. Additionally, TechCrunch was able to match some phone numbers against Facebook’s password reset feature, which partially reveals a user’s phone number linked to their account.

It’s been over a year since Facebook restricted public access to users’ phone numbers. And although the owner of the database wasn’t found, it was pulled offline after the web host was contacted. Even though there has been no evidence that the Facebook accounts were compromised as a result of this breach, it’s important for users to do everything they can to protect their data. Here are some tips to keep in your cybersecurity arsenal:

  • Change your password. Most people will rotate between the same three passwords for all of their accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention Facebook Users: Here’s What You Need to Know About the Recent Breach appeared first on McAfee Blogs.

My Cloud WAF Service Provider Suffered a Data Breach…How Can I Protect Myself?

In the age of information, data is everything. Since the implementation of GDPR in the EU, businesses around the world have grown more “data conscious;” in turn, people, too, know that their data is valuable.

It’s also common knowledge at this point that data breaches are costly. For example, Equifax, the company behind the largest-ever data breach, is expected to pay at least $650 million in settlement fees.

And that’s just the anticipated legal costs associated with the hacking. The company is spending hundreds of millions of dollars in upgrading its systems to avert any future incidents. 

In the cloud WAF arena, data breaches are no stranger either. Having powerful threat detection capabilities behind your cloud WAF service provider, while important, is not the only thing to rely on for data breach prevention. 

API security and secure SSL certificate management are just as important. 

So, what are some ways hackers can cause damage as it relates to cloud WAF customers? And how can you protect yourself if you are using a cloud WAF service?

The topics covered in this blog will answer the following:

  • What can hackers do with stolen emails?
  • What can hackers do with salted passwords?
  • What can hackers do with API keys?
  • What can hackers do with compromised SSL certificates?
  • What can I do to protect myself if I am using a cloud WAF?

► What can hackers do with stolen emails?

When you sign up for a cloud WAF service, your email is automatically stored in the WAF vendor’s database so long as you use their service. 

In case of a data breach, if emails alone are compromised, then phishing emails and spam are probably your main concern. Phishing emails are so common that we often forget how dangerous they are. 

For example, if a hacker has your email address, they have many ways to impersonate a legitimate entity (e.g. by purchasing a look-alike company domain) and send unsolicited emails to your inbox.


► What can hackers do with salted passwords?

Cloud WAF vendors that store passwords in their database without any hashing or salting are putting their customers at risk if there is a breach, and even more so if hackers already have email addresses. 

In this scenario, hackers can quickly take over your account or sell your login credentials online. But what if the WAF vendors salted the passwords? Hashing passwords can certainly protect against some hacker intrusions.

In the event of a breach where passwords were hashed but not salted, an attacker who holds the stolen hash only needs to find an input that produces the same hash: the website accepts it, because the login check simply compares the hash of what was typed against the hash stored in the database.

This is where salting the hash helps defeat this particular attack, but it won’t guarantee protection against hash collision attacks (a type of attack on a cryptographic hash that tries to find two inputs that produce the same hash value).

In this scenario, systems with weak hashing algorithms can allow hackers into your account even without the actual password: two different inputs (the real password and some other string of characters, for example) produce the same output, so the comparison passes.
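To make the difference between the two storage schemes concrete, here is an added example (not Cloudbric’s code, and not any vendor’s real database layout). It uses a constructed set of user records: the weak scheme stores a bare SHA-1 of the password, so two users with the same password get the same hash and one precomputed table of common passwords recovers both; the hardened scheme stores a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest, so identical passwords produce different records and each guess costs the attacker a full KDF run. The user names, passwords and iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# --- The weak scheme: one unsalted hash per password -------------------------
def unsalted_sha1(password: str) -> str:
    """Store a password as a bare SHA-1 digest with no salt (the weak scheme)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def verify_unsalted(candidate: str, stored_hash: str) -> bool:
    """The login check only compares digests, so any input that hashes to the
    stored value is accepted; this is why hash collisions matter here."""
    return hmac.compare_digest(unsalted_sha1(candidate), stored_hash)

def recover_from_unsalted_dump(dump: dict, common_passwords: list) -> dict:
    """Attacker's view of a breached unsalted table: a single precomputed table
    of common passwords cracks every account that used one of them."""
    table = {unsalted_sha1(p): p for p in common_passwords}
    return {user: table[h] for user, h in dump.items() if h in table}

# --- The hardened scheme: per-user random salt + slow KDF --------------------
# Work factor for PBKDF2-HMAC-SHA256 (assumed value; pick it so that one
# verification costs a noticeable fraction of a second on your hardware).
PBKDF2_ITERATIONS = 600_000

def make_salted_record(password: str) -> dict:
    """Store salt, iteration count and digest together so each record can be
    verified on its own and the work factor can be raised later."""
    salt = secrets.token_bytes(16)                       # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}

def verify_salted(candidate: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def demo() -> dict:
    """Constructed sample data: alice and bob chose the same weak password."""
    common = ["123456", "password123", "qwerty", "letmein"]
    unsalted_dump = {
        "alice": unsalted_sha1("password123"),
        "bob": unsalted_sha1("password123"),
        "carol": unsalted_sha1("correct horse battery staple"),
    }
    recovered = recover_from_unsalted_dump(unsalted_dump, common)
    salted = {user: make_salted_record("password123") for user in ("alice", "bob")}
    return {
        "recovered": recovered,                                           # alice and bob fall at once
        "identical_unsalted": unsalted_dump["alice"] == unsalted_dump["bob"],  # True: linkable
        "identical_salted": salted["alice"]["hash"] == salted["bob"]["hash"],  # False: salted
        "salted_login_ok": verify_salted("password123", salted["alice"]),
        "salted_login_wrong": verify_salted("password124", salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

The point to take from the output is that salting does not make a single weak password strong; it removes the shared-table shortcut and forces the attacker to pay the KDF cost once per user per guess, which is the property the passage above is describing.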

► What can hackers do with API keys?

Cloud WAF vendors that use or provide APIs to allow third-party access must place extra attention to API security to protect their customers. 

APIs are exposed to the internet and carry data; many cloud WAFs use them to implement load balancers, among other things. 

If API keys are sent without HTTPS, or API requests are not authenticated, then there is a risk of hackers taking over the accounts of developers. 

If a cloud WAF vendor exposes a public API that does not require callers to register for an authorized account, hackers can abuse this by sending repeated API requests. Had registration been required, the API key behind too many suspicious requests could be tracked and throttled. 

Beyond securing API keys, developers must also secure their cloud credentials. If a hacker gains access to this then they are able to possibly take down servers, completely mess up DNS information, and more. 

API security is not only a concern for developers but also for end users using APIs for their cloud WAF service as you’ll see in the next section. 
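The three controls named in this section (keys only over HTTPS, every request authenticated, registered keys so abuse can be tracked) fit in one small gateway. The following is an added example written for this page, a hypothetical design rather than Cloudbric’s or any vendor’s real API: keys are issued per owner and only a hash of the secret is kept server-side, plaintext requests are refused before any key is examined, and a sliding window counts calls per key so a key that exceeds its quota is throttled and flagged for follow-up with its registered owner. The request dictionaries, limits and the owner address are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Dict, Tuple


class ApiGateway:
    """Minimal API front door: registered keys, HTTPS only, per-key rate limit.
    Hypothetical design for illustration, not a vendor's real gateway."""

    def __init__(self, limit: int, window_seconds: float):
        self._limit = limit
        self._window = window_seconds
        self._keys: Dict[str, Tuple[str, str]] = {}          # key_id -> (sha256(secret), owner)
        self._calls: Dict[str, deque] = defaultdict(deque)   # key_id -> call timestamps in window
        self.flagged = set()                                  # keys that hit the limit

    def register(self, owner: str) -> Tuple[str, str]:
        """Issue a key to a known owner; only a hash of the secret is stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = (hashlib.sha256(secret.encode()).hexdigest(), owner)
        return key_id, secret

    def _authenticate(self, key_id: str, secret: str) -> bool:
        entry = self._keys.get(key_id)
        if entry is None:
            return False
        presented = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(presented, entry[0])       # constant-time compare

    def handle(self, request: dict, now: float) -> Tuple[int, str]:
        """request is a constructed dict (scheme, key_id, secret); `now` is injected
        so the window logic can be exercised without sleeping."""
        if request.get("scheme") != "https":
            return 400, "refused: API keys must not travel over plaintext HTTP"
        key_id, secret = request.get("key_id", ""), request.get("secret", "")
        if not self._authenticate(key_id, secret):
            return 401, "unauthenticated"
        window = self._calls[key_id]
        while window and now - window[0] >= self._window:
            window.popleft()                                  # forget calls outside the window
        if len(window) >= self._limit:
            self.flagged.add(key_id)                          # registered key: we know whom to contact
            return 429, "rate limit exceeded; key flagged for review"
        window.append(now)
        return 200, "ok"


def simulate() -> dict:
    """Constructed traffic: one developer key sending a burst, then one call after
    the window expires, plus an unauthenticated, a wrong-secret and a plaintext attempt."""
    gw = ApiGateway(limit=5, window_seconds=60)
    key_id, secret = gw.register("dev@example.test")          # placeholder owner
    good = {"scheme": "https", "key_id": key_id, "secret": secret}
    burst = [gw.handle(good, now=float(t))[0] for t in range(8)]   # 8 calls in 8 seconds
    after_window = gw.handle(good, now=100.0)[0]                   # earlier calls have aged out
    no_key = gw.handle({"scheme": "https"}, now=0.0)[0]
    bad_secret = gw.handle({**good, "secret": "guess"}, now=0.0)[0]
    plaintext = gw.handle({**good, "scheme": "http"}, now=0.0)[0]
    return {"burst": burst, "after_window": after_window, "no_key": no_key,
            "bad_secret": bad_secret, "plaintext": plaintext,
            "flagged": key_id in gw.flagged}


if __name__ == "__main__":
    print(simulate())
```

Ordering matters in `handle`: the transport check runs before the key is even read, authentication runs before any counting, and the rate limit only ever applies to an identified key. That last point is what the passage is getting at: without registration there is no key to count against, so there is nothing to throttle and no owner to notify.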

► What can hackers do with compromised SSL certificates?

Next, what happens if the SSL certificates that WAF customers provided end up in the hands of hackers? 

Let’s assume the hacker has both the API keys and SSL certificates. In this scenario, hackers can affect the security of the incoming and outgoing traffic for customer websites.

With the API keys, hackers can whitelist their own websites from the cloud WAF’s settings, allowing their websites to bypass detection. This allows them to attack sites freely.

Additionally, hackers could modify the traffic of a customer website to divert it to their own sites for malicious purposes. Because the hackers also hold the SSL certificates, they can decrypt this traffic as well and put you at risk of exploits and other vulnerabilities.


► What can I do to protect myself if I am using a cloud WAF?

First, understand that your data is never 100% safe. If a company claims that your data is 100% safe, then you should be wary. No company can guarantee that your data will always be safe with them. 

When there is a data breach, however, cloud WAF customers are strongly encouraged to change their passwords, enable 2FA, upload new SSL certificates, and reset their API keys. 

Only two of these are realistic preventive measures (changing your passwords frequently and using 2FA), but it’s unlikely that you, as a customer, will frequently upload new SSL certificates and change your API keys. 

Thus, we recommend that you ask your WAF vendors about the security of not just the WAF technology itself but also how they deal with API security and how they store SSL certificates for their customers.



The post My Cloud WAF Service Provider Suffered a Data Breach…How Can I Protect Myself? appeared first on Cloudbric.

7 Questions to Ask Your Child’s School About Cybersecurity Protocols

Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.

Prime Targets

According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft. 

Top three cyberthreats

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place as well as cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols? 
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 


The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.

14 Million Customers Affected By Hostinger Breach: How to Secure Your Data

Whether you’re a small business owner or a blogger, having an accessible website is a must. That’s why many users look to web hosting companies so they can store the files necessary for their websites to function properly. One such company is Hostinger. This popular web, cloud, and virtual private server hosting provider and domain registrar boasts over 29 million users. But according to TechCrunch, the company recently disclosed that it detected unauthorized access to a database containing information on 14 million customers.

Let’s dive into the details of this breach. Hostinger received an alert on Friday that a server had been accessed by an unauthorized third party. The server contained an authorization token allowing the alleged hacker to obtain further access and escalate privileges to the company’s systems, including an API (application programming interface) database. An API defines the rules for interacting with a particular web server for a specific use. In this case, the API server that was breached was used to query the details about clients and their accounts. The database included non-financial information including customer usernames, email addresses, hashed passwords, first names, and IP addresses.

Since the breach, Hostinger stated that it has identified the origin of the unauthorized access and the vulnerable system has since been secured. As a precaution, the company reset all user passwords and is in contact with respective authorities to further investigate the situation.

Although no financial data was exposed in this breach, it’s possible that cybercriminals can use the data from the exposed server to carry out several other malicious schemes. To protect your data from these cyberattacks, check out the following tips:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your accounts for unusual activity. This will help you stop fraudulent activity in its tracks.
  • Reset your password. Even if your password wasn’t automatically reset by Hostinger, update your credentials as a precautionary measure.
  • Practice good password hygiene. A cybercriminal can crack hashed passwords, such as the ones exposed in this breach, and use the information to access other accounts using the same password. To avoid this, make sure to create a strong, unique password for each of your online accounts.

And, as always, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 14 Million Customers Affected By Hostinger Breach: How to Secure Your Data appeared first on McAfee Blogs.

Lights, Camera, Cybersecurity: What You Need to Know About the MoviePass Breach

If you’re a frequent moviegoer, there’s a chance you may have used or are still using the movie ticket subscription service and mobile app MoviePass. The service is designed to let film fanatics attend a variety of movies for a convenient price; however, it has now made data conveniently available for cybercriminals to potentially get ahold of. According to TechCrunch, the exposed database contained 161 million records, with many of those records including sensitive user information.

So, what exactly do these records include? The exposed user data includes 58,000 personal credit cards and customer card numbers, which are similar to normal debit cards. They are issued by Mastercard and store a cash balance that users can use to pay so they can watch a catalog of movies. In addition to the MoviePass customer cards and financial information numbers, other exposed data includes billing addresses, names, and email addresses. TechCrunch reported that a combination of this data could very well be enough information to make fraudulent purchases.

The database also contained what researchers presumed to be hundreds of incorrectly typed passwords with user email addresses. With this data, TechCrunch attempted to log into the database using a fake email and password combination. Not only did they immediately gain access to the MoviePass account, but they found that the fake login credentials were then added to the database.

Since then, TechCrunch reached out to MoviePass and the company has since taken the database offline. However, with this personal and financial information publicly accessible for quite some time, users must do everything in their power to safeguard their data. Here are some tips to help keep your sensitive information secure:

  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, as always, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Lights, Camera, Cybersecurity: What You Need to Know About the MoviePass Breach appeared first on McAfee Blogs.

Cyber Security Roundup for July 2019

July was a month of mega data privacy fines. The UK Information Commissioner's Office (ICO) announced it intended to fine British Airways £183 million for last September's data breach, where half a million BA customer personal records were compromised. The ICO also announced a £100 million fine for US-based Marriott Hotels after the hotel chain said 339 million guest personal data records had been compromised by hackers. Those fines were dwarfed on the other side of the pond, with Facebook agreeing to pay a US Federal Trade Commission (FTC) fine of $5 billion to put the Cambridge Analytica privacy scandal to bed. And Equifax paid $700 million to the FTC to settle their 2017 data breach, which involved the loss of at least 147 million personal records. Big numbers indeed; we are seeing the big stick of the GDPR kicking in within the UK, and the FTC flexing some serious privacy rights protection punishment muscles in the US. All 'food for thought' when performing cybersecurity risk assessments.

Through a Freedom of Information request, the UK Financial Conduct Authority (FCA) disclosed a sharp rise of over 1000% in cyber-incidents within the UK financial sector in 2018. In my view, this rise was fueled by the mandatory data breach reporting requirement of the GDPR, given it came into force in May 2018. I also think the finance sector was reluctant to report security weakness pre-GDPR, over fears of damaging their customer trust. Would you trust and use a bank if you knew its customers were regularly hit by fraud?

Eurofins Scientific, the UK's largest forensic services provider, which was taken down by a mass ransomware attack last month, paid the cybercrooks ransom according to the BBC News. It wasn't disclosed how much Eurofins paid, but it is highly concerning when large ransoms are paid, as it fuels further ransomware attacks.

A man was arrested on suspicion of carrying out a cyberattack against Lancaster University. The UK National Crime Agency said the university had been compromised and "a very small number" of student records, phone numbers and ID documents were accessed. In contrast, the FBI arrested a 33-year-old software engineer from Seattle; she is alleged to have taken advantage of a misconfigured web application firewall to steal a massive 106 million personal records from Capital One. A stark reminder of the danger of misconfiguring and mismanaging IT security components.

The Huawei international political rhetoric and bun fighting has gone into retreat. UK MPs said there were no technological grounds for a complete Huawei ban, while Huawei said they were 'confident' the UK will choose to include it within 5G infrastructure. Even the White House said it would start to relax the United States Huawei ban. It seems something behind the scenes has changed; this reversal in direction is more likely to be financially motivated than security motivated, in my rather cynical view.

A typically busy month for security patch releases, with Microsoft, Adobe and Cisco all releasing the expected barrage of security updates for their products. Apple released security updates as well; however, Google researchers announced six iPhone vulnerabilities, including one that remains unpatched.


23M CafePress Accounts Compromised: Here’s How You Can Stay Secure

You’ve probably heard of CafePress, a custom T-shirt and merchandise company allowing users to create their own unique apparel and gifts. With a plethora of users looking to make their own creative swag, it’s no surprise that the company was recently targeted in a cybercriminal ploy. According to Forbes, CafePress experienced a data breach back in February that exposed over 23 million records including unique email addresses, names, physical addresses, phone numbers, and passwords.

How exactly did this breach occur? While this information is still a bit unclear, security researcher Jim Scott stated that approximately half of the breached passwords had been exposed through gaps in a weak password-storage method, base64-encoded SHA-1 hashes. As a result, the breach database service HaveIBeenPwned sent out an email notification to those affected letting them know that their information had been compromised. According to Engadget, about 77% of the email addresses in the breach have shown up in previous breach alerts on HaveIBeenPwned.

Scott stated that those who used CafePress through third-party applications like Facebook or Amazon did not have their passwords compromised. And even though third-party platform users are safe from this breach, this isn’t always the case. With data breaches becoming more common, it’s important for users to protect their information as best as they can. Check out the following tips to help users defend their data:

  • Check to see if you’ve been affected. If you know you’ve made purchases through CafePress recently, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 23M CafePress Accounts Compromised: Here’s How You Can Stay Secure appeared first on McAfee Blogs.

5 Digital Risks That Could Affect Your Kids This New School Year

Starting a new school year is both exciting and stressful for families today. Technology has magnified learning and connection opportunities for our kids but not without physical and emotional costs that we can’t overlook this time of year.

But the transition from summer to a new school year offers families a fresh slate and the chance to evaluate what digital ground rules need to change when it comes to screen time. So as you consider new goals, here are just a few of the top digital risks you may want to keep on your radar.

  1. Cyberbullying. The online space for a middle or high school student can get ugly this time of year. In two years, cyberbullying has increased significantly from 11.5% to 15.3%. Also, three times as many girls reported being harassed online or by text than boys, according to the U.S. Department of Education.
    Back-to-School Tip: Keep the cyberbullying discussion honest and frequent in your home. Monitor your child’s social media apps if you have concerns that cyberbullying may be happening. To do this, click the social icons periodically to explore behind the scenes (direct messages, conversations, shared photos). Review and edit friend lists, maximize location and privacy settings, and create family ground rules that establish expectations about appropriate digital behavior, content, and safe apps. Make an effort to stay current on the latest social media apps, trends, and texting slang so you can spot red flags. Lastly, be sure kids understand the importance of tolerance, empathy, and kindness among diverse peer groups.
  2. Oversharing. Did you know that 30% of parents report posting a photo of their child(ren) to social media at least once per day, and 58% don’t ask permission? By the age of 13, studies estimate that parents have posted about 1,300 photos and videos of their children online. A family’s collective oversharing can put your child’s privacy, reputation, and physical safety at risk. Besides, with access to a child’s personal information, a cybercriminal can open fraudulent accounts just about anywhere.
    Back-to-School Tip: Think before you post and ask yourself, “Would I be okay with a stranger seeing this photo?” Make sure there is nothing in the photo that could be an identifier such as a birthdate, a home address, school uniforms, financial details, or password hints. Also, maximize privacy settings on social networks and turn off photo geo-tagging that embeds photos with a person’s exact coordinates. Lastly, be sure your child understands the lifelong consequences that sharing explicit photos can have on their lives.
  3. Mental health + smartphone use. There’s no more disputing it (or indulging tantrums that deny it) smartphone use and depression are connected. Several studies of teens from the U.S. and U.K. reveal similar findings: That happiness and mental health are highest at 30 minutes to two hours of extracurricular digital media use a day. Well-being then steadily decreases, according to the studies, revealing that heavy users of electronic devices are twice as unhappy, depressed, or distressed as light users.
    Back-to-School Tip: Listen more and talk less. Kids tend to share more about their lives, friends, hopes, and struggles if they believe you are truly listening and not lecturing. Nurturing a healthy, respectful, mutual dialogue with your kids is the best way to minimize a lot of the digital risks your kids face every day. Get practical: Don’t let your kids have unlimited phone use. Set and follow media ground rules and enforce the consequences of abusing them.
  4. Sleep deprivation. Sleep deprivation connected to smartphone use can dramatically increase once the hustle of school begins and Fear of Missing Out (FOMO) accelerates. According to a 2019 Common Sense Media survey, a third of teens take their phones to bed when they go to sleep; 33% of girls versus 26% of boys. Also, 1 in 3 teens reports waking up at least once per night and checking their phone.
    Back-to-School Tip: Kids often text, play games, watch movies or YouTube videos, randomly scroll social feeds, or read the news on their phones in bed. For this reason, establish a phone curfew that prohibits this. Sleep is food for the body, and tweens and teens need about 8 to 10 hours to keep them healthy. Discuss the physical and emotional consequences of losing sleep, such as sleep deprivation, increased illness, poor grades, moodiness, anxiety, and depression.
  5. School-related cyber breaches. A majority of schools do an excellent job of reinforcing the importance of online safety these days. However, that doesn’t mean a school’s own cybersecurity isn’t vulnerable to cyber threats, which can put your child’s privacy at risk. Breaches happen in the form of phishing emails, ransomware, and any loopholes connected to weak security protocols.
    Back-to-School Tip: Demand that schools be transparent about the data they are collecting from students and families. Opt out of the school’s technology policy if you believe it doesn’t protect your child or if you sense an indifferent attitude about privacy. Ask the staff about its cybersecurity policy to ensure it has secure password, software, and network standards, since weaknesses in any of these could lead to your family’s data being compromised.

Stay the course, parent, you’ve got this. Armed with a strong relationship and media ground rules relevant to your family, together, you can tackle any digital challenge the new school year may bring.

The post 5 Digital Risks That Could Affect Your Kids This New School Year appeared first on McAfee Blogs.

Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed command execution on a server, which in turn granted access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

Four Key Questions to ask following a Cyber Attack

Guest Article by Andy Pearch, Head of IA Services at CORVID

Cyber attacks are inevitable, but it’s how an organisation deals with them that can make or break their business. Have they got all the answers, and do they fully understand the implications? Can they be sure the attack won’t happen again?

Swift and comprehensive incident response is a critical step to ensuring the future security of a business and protecting its reputation. It’s not enough to be aware that an attack is taking (or has taken) place. There are four key questions organisations need to be able to answer following a cyber security breach – if a single answer is missing, the security team won’t have the full picture, leaving the business vulnerable to impending attacks. Not having this level of insight can also damage an organisation’s relationships with suppliers and affect customer confidence, as it means the business itself is not in control of the situation.

Andy Pearch, Head of IA Services at CORVID, outlines four key questions all organisations must be able to answer after a cyber attack.

1. How and where did the Security Breach take place?
The first step of an effective incident response strategy is to identify how the attackers got in. Quite simply, if an organisation misses this first crucial step, attackers will exploit the same vulnerability for future cyber attacks. Guesswork won’t cut it – any security professional can hypothesise that “it was probably an email”, but security teams need clear evidence so they can fully analyse all aspects of the problem and devise an appropriate solution.

2. What Information was Accessed?
Understanding specifically what information was accessed by the attacker is paramount to knowing what impact the attack will have on the organisation. Identifying which departments were targeted or what types of information might have been stolen isn’t good enough; organisations need to be able to articulate exactly which files were accessed and when. 

Headlines about attackers stealing information are common, but just as importantly, you need to know the scope of the information they’ve seen, as well as the information they’ve taken. Not only will this inform the next steps that need to be taken, and shed light on which parts of the business will be affected, but it will also enable the organisation to remain compliant with legal obligations, for example, identifying if a data breach needs to be reported under GDPR.

3. How can Systems be Recovered Quickly?
Organisations will understandably want to get their IT estate back to normal as soon as possible to minimise damage to their business, service and reputation. If the compromise method is identified and analysed correctly, IT systems can be remediated in seconds, meaning users and business operations can continue without downtime for recovery.

4. How do you prevent it from happening again?
Knowing the IT estate has been compromised is useless without taking steps to make sure it doesn’t happen again. Managed Detection and Response (MDR) is all about spotting the unusual activity that indicates a potential breach. If a user is accessing files they would never usually touch, sending unexpected emails or reaching out to a new domain, for example, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to enable such detection, but also the time and skills to undertake thorough analysis to determine whether it is a breach or a false positive.

A managed approach not only takes the burden away from businesses, but also enables every company to benefit from the pool of knowledge built up as a result of detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised asset which can then be remediated.
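The detection idea described above (a user touching files they never usually touch, emailing new recipients, or reaching out to a new domain) can be reduced to a per-user baseline check, and its output also answers question 2 by recording exactly which target was reached and when. The following is an added illustration, not CORVID's code or tooling; the event log lines, user names, paths and domains are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the article): (timestamp, user, kind, target).
# `kind` is "file", "domain" or "email_to". BASELINE_EVENTS cover a quiet period
# before the suspected breach; REVIEW_EVENTS cover the window under investigation.
BASELINE_EVENTS = [
    ("2019-06-03T09:12", "alice", "file", "/shares/finance/q2-forecast.xlsx"),
    ("2019-06-03T09:40", "alice", "domain", "mail.example.com"),
    ("2019-06-04T10:05", "alice", "email_to", "bob@example.com"),
    ("2019-06-04T11:30", "bob", "file", "/shares/eng/build-notes.txt"),
    ("2019-06-05T08:55", "bob", "domain", "repo.example.com"),
]

REVIEW_EVENTS = [
    ("2019-07-01T09:00", "alice", "file", "/shares/finance/q2-forecast.xlsx"),  # usual
    ("2019-07-01T02:14", "alice", "file", "/shares/hr/payroll-export.csv"),     # never touched before
    ("2019-07-01T02:16", "alice", "domain", "cdn-update.invalid"),               # new domain
    ("2019-07-01T02:20", "alice", "email_to", "external@example.net"),            # new recipient
    ("2019-07-01T09:30", "bob", "domain", "repo.example.com"),                    # usual
]


def build_baseline(events):
    """Per (user, kind), the set of targets seen during normal activity."""
    baseline = defaultdict(set)
    for _ts, user, kind, target in events:
        baseline[(user, kind)].add(target.lower())
    return baseline


def first_seen_activity(events, baseline):
    """Return review events whose target the user has never touched before,
    in time order. Each hit keeps the exact target and timestamp, which is
    what the 'what was accessed, and when' question needs."""
    hits = []
    for ts, user, kind, target in sorted(events):
        if target.lower() not in baseline[(user, kind)]:
            hits.append({"time": ts, "user": user, "kind": kind, "target": target})
    return hits


def summarize(hits):
    """Group hits by user so an analyst sees each user's cluster of new activity."""
    by_user = defaultdict(list)
    for h in hits:
        by_user[h["user"]].append(h)
    return dict(by_user)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for user, items in summarize(first_seen_activity(REVIEW_EVENTS, base)).items():
        print(f"{user}: {len(items)} first-seen event(s) -> review")
        for h in items:
            print(f"  {h['time']} {h['kind']:8} {h['target']}")
```

A cluster of first-seen events from one account within minutes (as with alice here) is the kind of signal the text says should prompt a review; a single isolated hit may well be a false positive, which is the triage work the article describes.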

Shifting Security Thinking
Clearly, GDPR has raised awareness that the risks associated with a cyber attack are not only financial, as hackers are actively seeking to access information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential to accept the fundamental shift in security thinking – protection is not a viable option given today’s threat landscape. When hackers are using the same tactics and tools as bona fide users, rapid detection and remediation must be the priority.