July 31, 2016 Internet mall hacked, 10+ million sets of personally identifiable information (PII) taken. Mall had no idea it had been hacked and were very surprised by ransom demand for over 2.89 trillion, but not US dollars. Who did it? Their neighbors. Story Tweet
July 31, 2016 Krebs calls another hospitality breach before the 60+ property hotel chain knew about it themselves. A few days later they start the “How NOT to run it” playbook with “You’re security is important to us.” Are you ready to stop this expensive recurring problem? Story Tweet
July 30, 2016 
Bitcoin is not money, at least in Florida. Does this help or hurt the growth of cybercurrency? Story Tweet
July 30, 2016 There are some clever crooks out there. You know not to return some unknown calls or messages that say “I am a lawyer, call me!” when that call comes from some area codes that charge considerable amounts for the calls and share the revenue with the person that suckered you into calling and keeps you on line, racking up revenue. Someone figured how to do that when requesting a two factor authentication (2FA) token and large providers are at risk for millions. Story Tweet
July 29, 2016 
NIST releases draft of updated Digital Authentication Guideline (DAG) calling two factor authentication via simple messaging systems (SMS) insecure and deprecating it so might not be included next time around. Story Tweet
July 29, 2016 
NIST/DAG draft recommends biometrics, but those have been spoofed since 2009! Story Tweet
July 28, 2016 
LastPass password manager found vulnerable by independent security researcher days ago. Fixed quickly. LassPass found vulnerable a year ago by another independent researcher. Fixed. How long did these vulnerabilities exist before discovery? Any more vulnerabilities in this security software that holds your passwords? Story Tweet
July 28, 2016 
Three years, 275+ cartoons, over 2,000 pages of material, and now this milestone. Tweet
July 28, 2016 Two ATM stories: Tweet Crooks get $2.2M jackpot from over 40 ATMs over a day. Story If you see this ATM would you use it? Story
July 28, 2016 One stop information and tools to combat ransomware, brought to you by two agencies of law enforcement and two cybersecurity firms. Story Tweet
July 27, 2016 Charge card fraud rate in USA is 47% over five years. With more than half a billion cards in service where are the public reports of 200+ million exposures? Are we being told? Story Tweet
July 27, 2016 3% of Tor hidden service directory nodes are doing more than they are supposed to be doing and degrading Tor security. These rogue nodes were unmasked by “Honey Onions” (Honions), the latest incarnation of the old Honey Trap. Where are they? See map on figure 3 of the report. Story Tweet
July 26, 2016 Another open database found by Chris Vickery. This one exposed the Oklahoma Highway Patrol and more. How many people accessed it before it was secured? No one knows. There is good news. Story Tweet
July 25, 2016 Hacker hits US and foreign brokerage firms to manipulate the price of low volume, or “thinly traded”, stocks. His account profits, the hacked ones lose. SEC didn’t name brokerage firm. Is yours secure? Story Tweet
July 25, 2016 SmartWatches and FitnessTrackers can record micro-movements of your hand as you enter your ATM code or passwords on a computer. The short-range wireless link to your smartphone can then transmit the information and zap! You’ve been hacked. There is an easy work around, but security continues to be an afterthought. This Update Start of the Story See also – RunKeeper Tweet
July 24, 2016 
Who hacked the DNC? Who benefits from the release timing? The answer to both could be the Russian Federation and it wouldn’t be their first assist to the Trump Organization. This Update Start of the Story Tweet
July 23, 2016 
Popular smart phone game hacked exposing 1.6 million of potentially 100 million users. Apple iOS and Google Android affected.
Story Tweet
July 23, 2016 Home Depot settlement moving forward. This Update Start of the Story Tweet
July 23, 2016 
Update to DNC leaked email. Attachments had donor information! The first one we found had an address and IP address in Switzerland. Yet the box for “I am a US citizen…” was checked. Is that legal? This Update Start of the Story Tweet
July 23, 2016 Crime and (sorta) Punishment – The hacker of SeaWorld, Japan, Thailand, China, UK police departments and sender of bomb threats to US airlines avoids jail. Why? He was 14 at the time. Judge orders education, community service, mom gets bill for court and something more that might really hurt … Story Tweet
July 23, 2016 
DNC not alone in getting hacked & published. WikiLeaks put 300,000 pre-coup emails from President Erdogan’s ruling party on line. In response Turkey has blocked WikiLeaks. Story Tweet
July 22, 2016 
StageFright equivalent has been in Mac and iPhone for years. Fixes in recent updates. Was this kept quiet until fixes were ready or was it just discovered? Story Tweet
July 22, 2016 Datadog, software as a service provider to many well known companies, got hacked. Good news, they protected the data well. Story Tweet
July 22, 2016 Some Tor nodes are shutting down. Riffle addresses the Tor weaknesses, but when will it be ready? Story Tweet
July 22, 2016 
Batch 1 of email hacked from DNC now available for you to search and read. More batches are expected. WikiLeaks put it on line, but who hacked? One cyber security firm has found two different organizations affiliated with Russia. Story Tweet
July 22, 2016 
MacKeeper NOT doing automatic updates for weeks to months. Check yours! Story Tweet
July 21, 2016 
Cybersecurity on the internet-of-things (IOT) still abysmally poor. UK watchdog sounds alarm again. Story Tweet
July 21, 2016 Library of Congress victim of denial of service attack for four days. Who benefits from cutting off such a resource from the rest of the world? Or, was a the DDoS attack cover for another activity? Story Tweet
July 21, 2016 
Update: Astro’s hacker going to jail for 46 months for five counts of computer hacking. Justice or a setting an example? This Update Start of the Story Tweet
July 21, 2016 “Phineas Fisher”, hacker of “The Hacking Team” (creator of spyware for nations to perform surveillance on its citizens) agreed to an interview, via a sock puppet. Story Tweet
July 19, 2016 Xiaomi (third largest smartphone manufacturer in the world) created the Me-You-I (MIUI) interface for its own Android devices and in other devices from Samsung, HTC, Nexus and others. A vulnerability was found. A patch is available for the 70+ million devices that are exposed. (This song sounds so familiar) Story Tweet
July 19, 2016 CIVIC wants your social security number to match against all others as they are used. Great idea to detect if yours was used, but isn’t that a lot of eggs in one place? How secure is that basket? Story Tweet
July 19, 2016 Update to CiCi’s breach: Six weeks after the story was broken by Krebs on Security the company admits over 100 stores were compromised. How? This Update Start of the Story Tweet
July 18, 2016 US Voter records found exposed in December 2015 now available on the DarkNet for about $350 per state. How did they get on line in the first place? No one seems to know and no “official” seems to care. This Update Start of the Story Tweet
July 18, 2016 Pokemon / GO players, and those around players, have done some very clever things. Some have done some decidedly not-clever things. Story Tweet
July 18, 2016 4 dating sites hacked so far in July exposing 2.2 million users. Some passwords stored in plain text. Story Tweet
July 17, 2016 Why should a crook bother with a duplicate key when they can reprogram your car to recognize a keyless entry fob they just happen to have? Secure? Ah, not so much. Story Tweet
July 16, 2016 
Was Windows ever really secure? In every currently supported version of Windows the computer’s connection to the printer can be exploited to allow remote code execution. Some crook can do whatever they want. The good news: there is a patch for that. Story Tweet
July 16, 2016 
Ubuntu forums hacked. 2 million exposed. Story Tweet
July 15, 2016 Update re malware to perform surveillance on energy grids prior to cyber espionage. Nation-state signature remains. The authors are not script-kiddies. This Update Start of the Story Tweet
July 15, 2016 Over past year UK railways were breached multiple times with surveillance malware to map multiple vulnerabilities. Story Tweet
July 15, 2016 Fiat Chrysler Automobiles (FCA) launches Bug Bounty Program. Considering cars have been hacked in very public ways since 2010 this is better-late-than never. Story Tweet
July 15, 2016 Update: Does FCA bug bounty program fall under a proposed Michigan law that makes hacking a car worth a life sentence? Might be nice to know before signing up! This Update Start of the Story Tweet
July 15, 2016 
Cops vs Crooks: Europol busted 105 crooks over 15 countries to crimp carding consortium. Story Tweet
July 15, 2016 Your Siri Works For Me Now! Barely audible commands buried in music or background noise can be understood by Siri, or other voice controlled assistants, to open web sites and download malware of the worst kind. Turning those assistants off might not be a good idea either. Story Tweet
July 15, 2016 That Google is the target of state-sponsored cyber attacks is understandable, but over 100 each day? Story Tweet
July 14, 2016 
FDIC hacked multiple times over several years. Why? Who hacked it? Hiding this from the public, maybe ok for “national security”, but hiding it from auditors and oversight weakens knowledge required for future security. What other agencies have been hacked and we’re not being told just how weak our national cybersecurity really is? Story Tweet
July 14, 2016 Sophisticated scout code for nation-level cyber-espionage found on the dark web. Its target are energy distribution systems. How secure are ours? Story Tweet
July 14, 2016 Pokemon/GO US Senator sends letter asking direct questions about that huge data slurp. Someone’s home is a “gym”. Ooops. Story Tweet
July 14, 2016 Did you access a website without permission? Did you share a password? Surprise! Thanks to two recent opinions from the Ninth District you could be a criminal. There is no doubt that one person accessed a web site in not-the-average manner, but the opinion missed a few words to describe that specificity and created a general condition. In the other, one judge dissented, but two others made password sharing a violation of 1986 CFAA and 1996 Economic Espionage Act. Kinda wide ranging. Web site without permission Password Sharing Tweet
July 14, 2016 
Pokemon/GO players not paying attention in the real world with decidedly unpleasant consequences. Story Tweet
July 13, 2016 Another hospitality breach: Omni Hotels first learned about it after 50,000+ charge cards were offered for sale on the web in February 2016. Earliest infection by POS malware December 2015. Public disclosure by Omni more than 6 months after infection. When they can’t detect a cyber security failure on their own is that good protection of your data? Story Tweet
July 13, 2016 
DEA used a StingRay without a warrant. US District Judge wrote in crystal clear language that violates the Fourth Amendment and suppressed the evidence obtained. This Story What the FBI told to cops about using StingRays More on cell skimmers Tweet
July 13, 2016 Medical supply company in Bronx, NY was breached exposing 34,000+ patient records. 2016 exposed count over 1.7B. Story Tweet
July 13, 2016 New reason not to pay ransomware. Story Tweet
July 12, 2016 
Pokemon/GO: You’d have to be in a cave or otherwise cut off from the world not to have heard of the latest Pokemon craze. What you don’t know are the dangers in downloading, the massive collection of data and more. You can learn more starting here or Beware the Download Source, Data Sucker & Privacy/Security Danger History of Pokemon/GO and the venture capital arm of the intelligence community. Tweet.
July 12, 2016 More on the DroidJack malware RAT found in some of the non-Google download sites. Looks like P/GO, plays like the game, also hijacks your phone for sending spam, DDoS ‘bot, and more. Story Tweet
July 12, 2016 Heading toward that virtual PokeStop? Keep your situational awareness on the real world. Crooks have created PokeStops to lure victims. Story Tweet
July 12, 2016 In early July 2016 we reported on the dangers of using a cloud-based provider. Later we found information on three of those affected customers. See this or these: Bizmatics / Stamford Podiatry Group Bizmatics / Integrated Health Solutions, P.C. Bizmatics / ENT and Allergy Center of Arkansas Tweet
July 12, 2016 The 1/1-6/30/2016 summary is on line. At over 1.6 billion exposures we’ve already broken the 2014 record. Disclosures are increasing and the average person is realizing how poorly too many companies “protect” their data. Summary Tweet
July 11, 2016 Theranos update. How much of what was said was whole truth, partial truth, spun truth, and more shades of gray leading up to lying by omission and outright untruth? This Update Start of the Story Tweet
July 11, 2016 One media company hosting five websites was apparently hacked over the July 4 holiday. The databases with about 1.8 million users are for sale. Story Tweet
July 10, 2016 Hacker got information from Amazon, requested bug bounty. They didn’t answer so he posted information on 80,000 people. Information confirmed to be previously unseen, i.e. “new”. Story Tweet
July 10, 2016 Netia, a major telecommunications provider in Poland, hacked to expose 615,000 subscribers. Story Tweet
July 10, 2016 The second largest cell provider in Iran (MTN) was hacked exposing personal information on 20 million subscribers. Information was available by sending a message to a ‘bot. Story Tweet
July 10, 2016 An advertising company in China distributed malware concealed in over 200 apps. Over 85 million phones became a ‘bot army to “click” on advertising which allowed the ad company to bill additional “click fees” of several hundred thousand dollars a month. Story Tweet
July 9, 2016 Update to Theranos. Multiple certificates revoked, no more payments from Medicare or Medicaid, civil penalty and more. Update #4 Start of the Story Tweet
July 8, 2016 
First of three stories affecting Android problems. The “Hummer” family of viruses (virii?) is world-wide and world-class nasty. The good news is there is a “killer app” for that. Story Tweet
July 8, 2016 Full Disk Encryption (FDE) for some Android devices is vulnerable to key extraction by crooks and cops. There may be no software fix. Story Tweet
July 8, 2016 
The “Godless” family of malware also spreading world wide. Story Tweet
July 8, 2016 Mac users – want to give up the security of your Keychain and open a backdoor for crooks to take over your computer? All it takes is a double click on a JPG file, that isn’t a picture, but launches Keydnap for OS/X. Story Tweet
July 8, 2016 Mac users – want some crook to remotely activate your web cam and take pictures, or worse? Meet the Eleanor-A malware for OS/X that arrives as a functional conversion utility. Story Tweet
July 7, 2016 
Update: Wendy’s breach four times larger than previously reported and again Wendy’s is not getting the story out first. This Update Start of the Story Tweet
July 7, 2016 
BMW has multiple vulnerabilities. Story Tweet
July 6, 2016 2 years later 200k machines still vulnerable to Heartbleed. This Update Start of the Story Tweet
July 6, 2016 Another warrant canary has sung its death song for a provider of secure messaging services. Does it mean that they were served? Maybe, maybe not. This Update Start of the Story Tweet
July 6, 2016 TP-Link Router Users BEWARE! Use the local IP address, not the domain names. They are not under TP Link control and may be malware bait. Story Tweet
July 5, 2016 
“Ashley Madison hook-up site to be probed by the Federal Trade Commission.” For false advertising. What did you think? Story Tweet
July 5, 2016 Chrome users beware Facebook tagging emails. Story Tweet
July 5, 2016 
Win10, not quite a polite request any more. Story Tweet
July 5, 2016 Apple can turn off your camera, whether you want to or not. Story Tweet
July 5, 2016 Chrome users beware Facebook tagging emails. Story Tweet
July 2, 2016 Is your refrigerator, smart television or CCTV sending spam, or worse? That is happening in increasing numbers. Story Tweet
July 2, 2016 When a cloud-based provider of health care back office services is hacked the patients can get exposed. HHS does not connect the dots and the provider avoids public mention. How many other of that provider’s customers were exposed? No one is saying. Story
July 1, 2016 Were you exposed in the MySpace hack of 5/27/2016? The hacked credentials are available for review. Story Tweet
