Disney might bring to mind a warm and fuzzy happy ending, but such was not the case for a 31-year-old man who sent out a distress call from his boat, was rescued by a Disney cruise ship near Cuba, and was then arrested in Miami for his alleged involvement with an Anonymous cyberattack against Boston Children’s Hospital. After Martin Gottesfeld and his wife pulled a ghost and vanished, relatives and his employer reported them missing. The FBI had been investigating him since October 2014, when the agency searched his house for evidence linking him to a cyberattack on the hospital. According to the DOJ press release, a few days ago, FBI “counterparts in the Bahamas” contacted Boston’s FBI to report that Gottesfeld was not a registered guest on the Disney cruise ship which rescued him at sea.
Like it or not, you are lawfully free game to be surveilled and photographed when you leave the privacy of your house. If you commit a crime, then you should expect the police to release a surveillance video – although why the police found it important enough to release a video of Victoria’s Secret underwear thieves is unknown; the fact that the male and female team allegedly stole 80, then 120 sexy pairs of undies valued at $2,500 might have something to do with it. Then there are photos, which can be taken with or without your consent, that could end up online.
If you’d like an attacker to eavesdrop on your calls made on VoIP phones, then leave the default password in place. If not, then change it. Using default or weak passwords will continue to bite companies, but this time instead of spying via IP cameras, it was enterprise-grade VoIP phones being pwned. When a client asked information security consultant Paul Moore how to improve security without disrupting ease of VoIP phone deployment, Moore discovered the company was using the default password.
If you want to work at Microsoft, then you likely have visited Microsoft Careers. The backend database for the mobile version of Microsoft’s jobs portal was misconfigured, exposing user information and leaving the site vulnerable to attack. Security researcher Chris Vickery has a knack for exposing leaky databases such as the one that put 13 million MacKeeper users at risk, another which exposed personal information of 191 million voters, yet another that held 18 million voter records with targeted profile data, and one that exposed 140,000 class and student records from Southern New Hampshire University; he also discovered a leaked Hello Kitty database with 3.3 million user accounts, some belonging to kids. This time, Vickery said he found another misconfigured MongoDB database which exposed registered users’ information and allowed write access to the contents of the database.
What if Alice and Bob represented countries that agreed to a nuclear disarmament treaty, but neither trusted the other enough to scan a warhead and observe the test results, because the scans revealed sensitive information about their nuclear program? In the end, the countries agree to build a fissile material detector that would output only a “yes” or “no” as to whether each country dismantled real warheads and not fakes. In essence, that was the scenario for the annual Underhanded C Contest, which tasked programmers with solving “a simple data processing problem by writing innocent-looking C code, while covertly implementing a malicious function. This type of malicious program, in the real world, could let states take credit for disarmament without actually disarming.”
On February 2016 Patch Tuesday, Microsoft released 13 security bulletins, six of which are rated as critical for remote code execution. The rest deal with fixing elevation of privilege, denial of service, and security feature bypass vulnerabilities.
Rated critical
MS16-022 resolves 23 flaws in Adobe Flash Player by updating Flash libraries in Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. This patch is meant for all supported editions of Windows. It was ranked at the top of the list for patching, according to Qualys CTO Wolfgang Kandek, who called the patch a “packaging change” since “there is a real bulletin for it,” as opposed to a security advisory.
If you are interested in the Internet of insecure Things, then you might like a new report which looks at the cybersecurity of connected vehicles, calling it "one of the biggest issues facing manufacturers today." Cyber Security in the Connected Vehicle attributed that threat to complexity, connectivity, and content. There's a "massive future security problem just around the corner," and it can't be fixed by trying to bolt on security during the implementation phase. Complexity was called "the worst enemy of security," as a connected car could have "approximately 100 million lines of code," compared to 8 million for an F-35 fighter jet. There has been a dramatic increase in Electronic Computing Units, with some high-end vehicles currently having about 100 ECUs. There has also been a rise in the diversity of in-vehicle systems which provide both luxury and critical features.
Researchers found a complex backdoor malware which targets Skype, capturing video, audio and chat messages, grabbing screenshots and stealing files, before sending the data back to the attacker. Researchers at Palo Alto Networks analyzed a new variant of backdoor malware that goes to “great lengths to avoid being detected and to evade the scrutiny of the malware analysis community.” T9000 is a newer variant of T5000, or the Plat1 malware family, that APT actors used in spear phishing attacks after the disappearance of Malaysian Flight MH370. T9000 is being used in targeted attacks against multiple U.S. organizations, dropped by an RTF file, but its functionality indicates the malware is “intended for use against a broad range of users.”
When you think “Einstein,” something along the lines of smart probably comes to mind. But the Department of Homeland Security's $6 billion EINSTEIN intrusion detection system is closer to dumb than smart, as the firewall fails to scan for 94% of common security vulnerabilities; it doesn’t even monitor web traffic for malicious content! That is supposed to be coming in 2016, with wireless network protection coming in 2018. The newest failings of EINSTEIN, aka the National Cybersecurity Protection System (NCPS), came after an audit and are highlighted in a harsh U.S. Government Accountability Office (GAO) report (pdf) which outlines a plethora of changes that need to be implemented.
BleepingComputer is a valuable asset to the Internet, in my opinion, as it is often one of the first sites to warn of newly reported ransomware; volunteer security professionals also regularly provide answers to any number of other computer questions. Yet BleepingComputer is seriously under fire for daring to engage in free speech, as Enigma Software is suing the site over a negative review of Enigma’s flagship anti-malware program SpyHunter.
The Internet of Things increasingly includes “smart toys,” but no parent knowingly purchases a toy for their child that potentially risks the safety and privacy of their family. Those risks are caused by security flaws found in the Internet-connected toys. Unlike “dumb” toys, hackers could exploit “smart” toy vulnerabilities and potentially harvest a child’s name, birthdate, location and more. This time, Rapid7 revealed security flaws in Fisher-Price’s Smart Toy, an Internet-connected stuffed bear, and in the hereO GPS watch, a wearable location-tracking device.
Microsoft’s InPrivate browsing is supposed to help you “surf the web without leaving a trail,” and InPrivate browsing mode can be used in Edge. Microsoft says, “When you use Microsoft Edge in InPrivate mode, your browsing information, such as cookies, history, or temporary files, aren’t saved on your device after your browsing session has ended. Microsoft Edge clears all temporary data from your device.” Yet InPrivate browsing with Edge is a fail, as it is not private and instead keeps browsing history.
ThreatTrack Security wanted to know how the challenges facing malware analysts dealing with cyber threats have evolved in the past two years. So the company had Opinion Matters conduct an independent blind survey of 207 security professionals dealing with malware analysis in the U.S. While the findings are not all sunshine and chocolate, only 11% said they investigated a data breach that was not disclosed to customers, compared to 57% who said the same back in 2013. Another piece of good news: fewer security analysts need to purge malware as a result of a company's senior leadership member visiting a porn site. In 2013, 40% of malware infections came from porn-surfing corporate bosses, compared to 26% in 2015.
As if the steady rise of ransomware isn’t alarming enough, businesses that get hit with ransomware may not be unlucky targets of opportunity, but targets of choice, as cyberthugs are setting ransom demands based on how much valuable data a business has. That is just one cybersecurity and online privacy trend found in the 2016 Data Protection and Breach Readiness Guide. With a nod to Data Privacy Day, the Online Trust Alliance (OTA) released its new guide as well as key findings from its analysis.
This week on January 28 we will celebrate Data Privacy Day, which has a theme of "Respecting Privacy, Safeguarding Data and Enabling Trust." We'll get back to that...
First Response
Qualcomm reportedly partnered with First Response to develop "the world's first smart pregnancy test, which connects through a mobile device to alert clinicians a patient is pregnant." It's just the first such home test to "capture electronically" and "then transmit that data to the clinicians," Chief Medical Officer Dr. James Mault told CRNtv. He added that for IoT to do well in medical verticals, it will "require connectivity infrastructure that can enable the data capture from a variety of devices and diagnostics and therapeutic instruments and allow that data to flow into the hands of clinicians of any type."
Don’t you hate it when people want to kill the messenger instead of address the problems highlighted in the message? This time the messenger is Shodan, as the IoT search engine added a new section featuring vulnerable webcams. Ars Technica reported, “The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.”
Today, Veracode released "The State of Web and Mobile Application Security in Healthcare," made possible after Veracode, along with the Healthcare Information and Management Systems Society (HIMSS), surveyed 200 healthcare IT executives. The exploitation of vulnerabilities in apps was the greatest concern among those healthcare IT execs. Veracode reported, "Survey respondents cited the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top fears related to such security breaches."
The synopsis for Breaking Bulbs Briskly by Bogus Broadcasts mentions the promise of smart energy and building automation, as well as the many unintended vulnerabilities that are introduced in the rush to bring IoT devices to market. The researchers believe “the ability to physically damage hardware by abusing network access is particularly interesting.” I agree. Frustrated by the “lack of functionality in current Z-Wave hacking tools,” ShmooCon presenters Joseph Hall and Ben Ramsey created and released a new, open source EZ-Wave tool. Not only did the duo discuss how to use the tool for pen-testing Z-Wave wireless automation networks, they also discussed “a rapid process for destroying fluorescent lights.” They added, “Once access is gained to an automated lighting system, regardless of the protocol used, we demonstrate how to destroy fluorescent lamps rated for 30K hours within a single night of abuse.”
Heads-up if you use LastPass: a security researcher released LostPass code on GitHub that bad guys could jump on immediately, and an attack could be in the wild even now. In essence, if you use LastPass then you could be tricked into handing over the keys – or master password – to your digital kingdom. The LostPass attack works best in Chrome, but if you think you could spot the phishing then think again; Sean Cassidy, CTO of cloud-based cybersecurity firm Praesidio, warned that a user would not be able to tell the difference between a LastPass message displayed in the browser and the fake LostPass message since “it’s pixel-for-pixel the same notification and login screen.”