Twitter July 2016

NC3-I_want_it

Return to Twitter Index page

July 31, 2016  Internet mall hacked, 10+ million sets of personally identifiable information (PII) taken. Mall had no idea it had been hacked and were very surprised by ransom demand for over 2.89 trillion, but not US dollars. Who did it? Their neighbors.   Story  Tweet

July 31, 2016  Krebs calls another hospitality breach before the 60+ property hotel chain knew about it themselves. A few days later they start the “How NOT to run it” playbook with “You’re security is important to us.” Are you ready to stop this expensive recurring problem?  Story  Tweet

July 30, 2016  20160730-btcBitcoin is not money, at least in Florida. Does this help or hurt the growth of cybercurrency?   Story  Tweet

July 30, 2016  There are some clever crooks out there. You know not to return some unknown calls or messages that say “I am a lawyer, call me!” when that call comes from some area codes that charge considerable amounts for the calls and share the revenue with the person that suckered you into calling and keeps you on line, racking up revenue. Someone figured how to do that when requesting a two factor authentication (2FA) token and large providers are at risk for millions.   Story  Tweet

July 29, 2016  20160729-nistNIST releases draft of updated Digital Authentication Guideline (DAG) calling two factor authentication via simple messaging systems (SMS) insecure and deprecating it so might not be included next time around.  Story  Tweet

July 29, 2016  20160729-nist2NIST/DAG draft recommends biometrics, but those have been spoofed since 2009!  Story  Tweet
 
 
 
 
July 28, 2016  20160728-lastpassLastPass password manager found vulnerable by independent security researcher days ago. Fixed quickly. LassPass found vulnerable a year ago by another independent researcher. Fixed. How long did these vulnerabilities exist before discovery? Any more vulnerabilities in this security software that holds your passwords?   Story  Tweet

July 28, 2016  20160728-1001Three years, 275+ cartoons, over 2,000 pages of material, and now this milestone. Tweet

July 28, 2016  Two ATM stories: Tweet Crooks get $2.2M jackpot from over 40 ATMs over a day. Story  If you see this ATM would you use it? Story

July 28, 2016  One stop information and tools to combat ransomware, brought to you by two agencies of law enforcement and two cybersecurity firms.  Story  Tweet

July 27, 2016  Charge card fraud rate in USA is 47% over five years. With more than half a billion cards in service where are the public reports of 200+ million exposures? Are we being told?   Story  Tweet

July 27, 2016  3% of Tor hidden service directory nodes are doing more than they are supposed to be doing and degrading Tor security. These rogue nodes were unmasked by “Honey Onions” (Honions), the latest incarnation of the old Honey Trap. Where are they? See map on figure 3 of the report.  Story  Tweet

July 26, 2016  Another open database found by Chris Vickery. This one exposed the Oklahoma Highway Patrol and more. How many people accessed it before it was secured? No one knows. There is good news.   Story  Tweet

July 25, 2016  Hacker hits US and foreign brokerage firms to manipulate the price of low volume, or “thinly traded”, stocks. His account profits, the hacked ones lose. SEC didn’t name brokerage firm. Is yours secure?  Story  Tweet

July 25, 2016  SmartWatches and FitnessTrackers can record micro-movements of your hand as you enter your ATM code or passwords on a computer. The short-range wireless link to your smartphone can then transmit the information and zap! You’ve been hacked. There is an easy work around, but security continues to be an afterthought.  This Update  Start of the Story  See also – RunKeeper  Tweet

July 24, 2016  20160724-trumpWho hacked the DNC? Who benefits from the release timing? The answer to both could be the Russian Federation and it wouldn’t be their first assist to the Trump Organization.  This Update  Start of the Story  Tweet

July 23, 2016  20160723-kingsPopular smart phone game hacked exposing 1.6 million of potentially 100 million users. Apple iOS and Google Android affected.
  Story  Tweet

July 23, 2016  Home Depot settlement moving forward.  This Update  Start of the Story  Tweet

July 23, 2016  20160723-dncUpdate to DNC leaked email. Attachments had donor information! The first one we found had an address and IP address in Switzerland. Yet the box for “I am a US citizen…” was checked. Is that legal?   This Update  Start of the Story  Tweet

July 23, 2016  Crime and (sorta) Punishment – The hacker of SeaWorld, Japan, Thailand, China, UK police departments and sender of bomb threats to US airlines avoids jail. Why? He was 14 at the time. Judge orders education, community service, mom gets bill for court and something more that might really hurt …  Story  Tweet

July 23, 2016  20160723-turkeyDNC not alone in getting hacked & published. WikiLeaks put 300,000 pre-coup emails from President Erdogan’s ruling party on line. In response Turkey has blocked WikiLeaks.   Story  Tweet
 
 
July 22, 2016  20160721-appleStageFright equivalent has been in Mac and iPhone for years. Fixes in recent updates. Was this kept quiet until fixes were ready or was it just discovered?   Story  Tweet

July 22, 2016  Datadog, software as a service provider to many well known companies, got hacked. Good news, they protected the data well.   Story  Tweet

July 22, 2016  Some Tor nodes are shutting down. Riffle addresses the Tor weaknesses, but when will it be ready?   Story  Tweet

July 22, 2016  20160722-dncBatch 1 of email hacked from DNC now available for you to search and read. More batches are expected. WikiLeaks put it on line, but who hacked? One cyber security firm has found two different organizations affiliated with Russia.   Story  Tweet

July 22, 2016  20160722-mackeeperMacKeeper NOT doing automatic updates for weeks to months. Check yours!   Story  Tweet

July 21, 2016  20160721-babyCybersecurity on the internet-of-things (IOT) still abysmally poor. UK watchdog sounds alarm again.   Story  Tweet

July 21, 2016  Library of Congress victim of denial of service attack for four days. Who benefits from cutting off such a resource from the rest of the world? Or, was a the DDoS attack cover for another activity?   Story  Tweet

July 21, 2016  20160721-astroUpdate: Astro’s hacker going to jail for 46 months for five counts of computer hacking. Justice or a setting an example?   This Update   Start of the Story   Tweet

July 21, 2016  “Phineas Fisher”, hacker of “The Hacking Team” (creator of spyware for nations to perform surveillance on its citizens) agreed to an interview, via a sock puppet.   Story  Tweet

July 19, 2016  Xiaomi (third largest smartphone manufacturer in the world) created the Me-You-I (MIUI) interface for its own Android devices and in other devices from Samsung, HTC, Nexus and others. A vulnerability was found. A patch is available for the 70+ million devices that are exposed. (This song sounds so familiar)   Story  Tweet

July 19, 2016  CIVIC wants your social security number to match against all others as they are used. Great idea to detect if yours was used, but isn’t that a lot of eggs in one place? How secure is that basket?  Story  Tweet

July 19, 2016  Update to CiCi’s breach: Six weeks after the story was broken by Krebs on Security the company admits over 100 stores were compromised. How?   This Update  Start of the Story  Tweet

July 18, 2016  US Voter records found exposed in December 2015 now available on the DarkNet for about $350 per state. How did they get on line in the first place? No one seems to know and no “official” seems to care.  This Update  Start of the Story  Tweet

July 18, 2016  Pokemon / GO players, and those around players, have done some very clever things. Some have done some decidedly not-clever things.   Story  Tweet

July 18, 2016  4 dating sites hacked so far in July exposing 2.2 million users. Some passwords stored in plain text.  Story  Tweet

July 17, 2016  Why should a crook bother with a duplicate key when they can reprogram your car to recognize a keyless entry fob they just happen to have? Secure? Ah, not so much.  Story  Tweet

July 16, 2016  20160716-winWas Windows ever really secure? In every currently supported version of Windows the computer’s connection to the printer can be exploited to allow remote code execution. Some crook can do whatever they want. The good news: there is a patch for that.  Story  Tweet

July 16, 2016  20160716-ubuntuUbuntu forums hacked. 2 million exposed.  Story  Tweet
 
 
 
 
 
July 15, 2016  Update re malware to perform surveillance on energy grids prior to cyber espionage. Nation-state signature remains. The authors are not script-kiddies.  This Update   Start of the Story  Tweet

July 15, 2016  Over past year UK railways were breached multiple times with surveillance malware to map multiple vulnerabilities.  Story  Tweet

July 15, 2016  Fiat Chrysler Automobiles (FCA) launches Bug Bounty Program. Considering cars have been hacked in very public ways since 2010 this is better-late-than never.   Story  Tweet

July 15, 2016  Update: Does FCA bug bounty program fall under a proposed Michigan law that makes hacking a car worth a life sentence? Might be nice to know before signing up!  This Update  Start of the Story  Tweet

July 15, 2016  20160715-cvcCops vs Crooks: Europol busted 105 crooks over 15 countries to crimp carding consortium.  Story  Tweet

July 15, 2016  Your Siri Works For Me Now! Barely audible commands buried in music or background noise can be understood by Siri, or other voice controlled assistants, to open web sites and download malware of the worst kind. Turning those assistants off might not be a good idea either.   Story  Tweet

July 15, 2016  That Google is the target of state-sponsored cyber attacks is understandable, but over 100 each day?  Story  Tweet

July 14, 2016  20160716-fdicFDIC hacked multiple times over several years. Why? Who hacked it? Hiding this from the public, maybe ok for “national security”, but hiding it from auditors and oversight weakens knowledge required for future security. What other agencies have been hacked and we’re not being told just how weak our national cybersecurity really is?  Story  Tweet

July 14, 2016  Sophisticated scout code for nation-level cyber-espionage found on the dark web. Its target are energy distribution systems. How secure are ours?   Story  Tweet

July 14, 2016  Pokemon/GO US Senator sends letter asking direct questions about that huge data slurp. Someone’s home is a “gym”. Ooops.  Story  Tweet

July 14, 2016  Did you access a website without permission? Did you share a password? Surprise! Thanks to two recent opinions from the Ninth District you could be a criminal. There is no doubt that one person accessed a web site in not-the-average manner, but the opinion missed a few words to describe that specificity and created a general condition. In the other, one judge dissented, but two others made password sharing a violation of 1986 CFAA and 1996 Economic Espionage Act. Kinda wide ranging.  Web site without permission  Password Sharing  Tweet

July 14, 2016  20160714-pokemonPokemon/GO players not paying attention in the real world with decidedly unpleasant consequences.  Story  Tweet

July 13, 2016  Another hospitality breach: Omni Hotels first learned about it after 50,000+ charge cards were offered for sale on the web in February 2016. Earliest infection by POS malware December 2015. Public disclosure by Omni more than 6 months after infection. When they can’t detect a cyber security failure on their own is that good protection of your data?   Story  Tweet

July 13, 2016  20160713-stingrayDEA used a StingRay without a warrant. US District Judge wrote in crystal clear language that violates the Fourth Amendment and suppressed the evidence obtained.   This Story  What the FBI told to cops about using StingRays  More on cell skimmers  Tweet

July 13, 2016  Medical supply company in Bronx, NY was breached exposing 34,000+ patient records. 2016 exposed count over 1.7B.   Story  Tweet

July 13, 2016  New reason not to pay ransomware.   Story  Tweet

July 12, 2016  20160712-pokemonPokemon/GO: You’d have to be in a cave or otherwise cut off from the world not to have heard of the latest Pokemon craze. What you don’t know are the dangers in downloading, the massive collection of data and more. You can learn more starting here or Beware the Download Source, Data Sucker & Privacy/Security Danger  History of Pokemon/GO and the venture capital arm of the intelligence community.  Tweet.

July 12, 2016  More on the DroidJack malware RAT found in some of the non-Google download sites. Looks like P/GO, plays like the game, also hijacks your phone for sending spam, DDoS ‘bot, and more.  Story  Tweet

July 12, 2016  Heading toward that virtual PokeStop? Keep your situational awareness on the real world. Crooks have created PokeStops to lure victims.   Story  Tweet

July 12, 2016  In early July 2016 we reported on the dangers of using a cloud-based provider. Later we found information on three of those affected customers. See this or these:   Bizmatics / Stamford Podiatry Group  Bizmatics / Integrated Health Solutions, P.C.  Bizmatics / ENT and Allergy Center of Arkansas  Tweet

July 12, 2016  The 1/1-6/30/2016 summary is on line. At over 1.6 billion exposures we’ve already broken the 2014 record. Disclosures are increasing and the average person is realizing how poorly too many companies “protect” their data.   Summary  Tweet

July 11, 2016  Theranos update. How much of what was said was whole truth, partial truth, spun truth, and more shades of gray leading up to lying by omission and outright untruth?  This Update  Start of the Story  Tweet

July 11, 2016  One media company hosting five websites was apparently hacked over the July 4 holiday. The databases with about 1.8 million users are for sale.  Story  Tweet

July 10, 2016  Hacker got information from Amazon, requested bug bounty. They didn’t answer so he posted information on 80,000 people. Information confirmed to be previously unseen, i.e. “new”.   Story  Tweet

July 10, 2016  Netia, a major telecommunications provider in Poland, hacked to expose 615,000 subscribers.  Story  Tweet

July 10, 2016  The second largest cell provider in Iran (MTN) was hacked exposing personal information on 20 million subscribers. Information was available by sending a message to a ‘bot.  Story  Tweet

July 10, 2016  An advertising company in China distributed malware concealed in over 200 apps. Over 85 million phones became a ‘bot army to “click” on advertising which allowed the ad company to bill additional “click fees” of several hundred thousand dollars a month.  Story  Tweet

July 9, 2016  Update to Theranos. Multiple certificates revoked, no more payments from Medicare or Medicaid, civil penalty and more.  Update #4  Start of the Story  Tweet

July 8, 2016  20160708-hummerFirst of three stories affecting Android problems. The “Hummer” family of viruses (virii?) is world-wide and world-class nasty. The good news is there is a “killer app” for that.  Story  Tweet

July 8, 2016  Full Disk Encryption (FDE) for some Android devices is vulnerable to key extraction by crooks and cops. There may be no software fix.   Story  Tweet

July 8, 2016  20160708-godlessThe “Godless” family of malware also spreading world wide.  Story  Tweet

July 8, 2016  Mac users – want to give up the security of your Keychain and open a backdoor for crooks to take over your computer? All it takes is a double click on a JPG file, that isn’t a picture, but launches Keydnap for OS/X.   Story  Tweet

July 8, 2016  Mac users – want some crook to remotely activate your web cam and take pictures, or worse? Meet the Eleanor-A malware for OS/X that arrives as a functional conversion utility.   Story  Tweet

July 7, 2016  20160707-wendysUpdate: Wendy’s breach four times larger than previously reported and again Wendy’s is not getting the story out first.  This Update  Start of the Story  Tweet
 
 
 
July 7, 2016  20160707-bmwBMW has multiple vulnerabilities.  Story  Tweet

July 6, 2016  2 years later 200k machines still vulnerable to Heartbleed.  This Update  Start of the Story  Tweet

July 6, 2016  Another warrant canary has sung its death song for a provider of secure messaging services. Does it mean that they were served? Maybe, maybe not.  This Update  Start of the Story  Tweet

July 6, 2016  TP-Link Router Users BEWARE! Use the local IP address, not the domain names. They are not under TP Link control and may be malware bait.  Story  Tweet

July 5, 2016  20160705-probin“Ashley Madison hook-up site to be probed by the Federal Trade Commission.” For false advertising. What did you think?   Story  Tweet

July 5, 2016  Chrome users beware Facebook tagging emails.   Story  Tweet

July 5, 2016  20160705-win10Win10, not quite a polite request any more.  Story  Tweet

July 5, 2016  Apple can turn off your camera, whether you want to or not.   Story  Tweet

July 5, 2016  Chrome users beware Facebook tagging emails.  Story  Tweet

July 2, 2016  Is your refrigerator, smart television or CCTV sending spam, or worse? That is happening in increasing numbers.  Story  Tweet

July 2, 2016  When a cloud-based provider of health care back office services is hacked the patients can get exposed. HHS does not connect the dots and the provider avoids public mention. How many other of that provider’s customers were exposed? No one is saying.  Story

July 1, 2016  Were you exposed in the MySpace hack of 5/27/2016? The hacked credentials are available for review.  Story  Tweet

[ Some tweets tweaked for clarity
or revised URLs -ed ]
Return to Twitter Index page