Monthly Archives: July 2015

Another government data breach: U.S. Census Bureau admits to hack

The U.S. Census Bureau admits that it was attacked and had data exfiltrated from its systems. One expert says this latest government data breach is another example that federal systems are not safe from attack.

The U.S. Census Bureau admitted that it is the latest federal agency to suffer a data breach, but asserted that the data stolen did not include any personally identifiable information (PII) related to censuses and surveys.

Census Bureau Director John H. Thompson said in a blog post that there was an attack detected early last week that targeted the Federal Audit Clearinghouse (FAC). Thompson described the FAC as being “used to collect single audit reporting packages from state and local governments, nonprofit organizations, and Indian tribes expending Federal awards.”

Infamous hacker group Anonymous has taken credit for the attack, and said it was in protest against the Transatlantic Trade and Investment Partnership and Trans-Pacific Partnership, which are controversial trade agreements currently being negotiated between the U.S. government and other nations.

Thompson did not give any specific details about the breach, saying only that “the database was compromised through a configuration setting” and that no PII data was taken. Thompson described the data stored on FAC as names, user names, email addresses, organization addresses and phone numbers.

“The hackers acquired the data illegally, but, as I indicated above, the Clearinghouse site does not store any confidential household or business data collected by the Census Bureau,” Thompson wrote. “That information remains safe, secure and on an internal network segmented apart from the external site and the affected database. Over the last three days, we have seen no indication that there was any access to internal systems.”

According to Thompson, the FAC system was shut down within 90 minutes of when the breach was detected, and will stay down until the investigation has been completed and security can be assured.

While the information stolen in this latest government data breach was not critical, Mark Kuhr, co-founder and CTO at Synack Inc., said the incident is more evidence beyond the OPM breach that the U.S. government is not safe from cyberattacks.

“Government agencies seem to have just as much trouble protecting sensitive data as the largest corporations in the world, as evidenced by the fact that this is the second federal government breach in a matter of months,” Kuhr said. “While there is a general notion that government agencies are unilaterally prepared when it comes to protecting against threats, this is fundamentally false. Whether the actor is a foreign government or hacktivist group, the Census Bureau breach is another example of a large organization that struggles to keep up with an ever-evolving adversary.”


Via: searchsecurity.techtarget

iPhone 7 rumor rollup: Solar-powered and worried about looks

Apple might as well just give up on coming out with an iPhone 6S or iPhone 7 after that, uh, devastating quarterly report in which it beat analysts’ estimates, saw earnings rise 38% and boasted of market share gains – only to see its stock price plummet. But let’s assume they’re going to keep plugging ahead.

Solar power to the rescue

In one of the most breathless posts we’ve come across in some time, the Express out of the UK reports that “The Apple iPhone 7 might NEVER need to be recharged” (their CAPITALIZATION). The secret sauce will be sub-touchscreen solar power technology, for which Apple just received a patent.

Though by the end of this brief post, the reporter is already tamping down our expectations, noting that the patent is vague, that such technology is really not very new and that you just might not want to toss that Lightning cable quite yet.

MNR Daily also piled on this news bit, and is hopeful that the technology could address battery life shortcomings in the iPhone and Apple Watch. It does note, though, that even if solar charging isn’t just around the corner, power-saving advances will be available in iOS 9 for the iPhone 6S and 6S Plus later this year.

Speaking of the iPhone 6S…

Slashgear points to a Nowhereelse.fr post about front panels being readied for the iPhone 6S, as evidence that Apple is definitely planning to introduce new iPhones this fall. Except it does note that the panels are really the same size as those of the iPhone 6, so the Nowhereelse.fr photos don’t really prove much of anything.

Back to the iPhone 7

Slashgear, citing an Apple patent filing, reports that the iPhone 7 could actually look more like the iPhone 4 than the iPhone 6.

Today we’re having a peek at the possibility that the iPhone 7 could return to its slightly more retro “4” roots in look and feel. A refined look that worries more about fashionability than it does about falling to the ground, breaking into a million pieces. We’re talking about glass on the back of this next iPhone, not just sides that are (once again) flat.

The patent involves techniques for cutting into “a highly reflective and smooth surface,” presumably on an iPhone.

Latest iPhone 7 concept

Ivo Maric and Tomislay Rastovac dropped their slick iPhone 7 concept design onto the Internet this week via YouTube, showing off a metal frame, smooth sapphire glass, 16mp camera, syncing via a new “Apple Dock” and wireless charging capabilities.


Via: networkworld

Costco, CVS, Rite Aid, Tesco Photo Sites Shuttered by Third-Party Data Breach

A breach at Staples subsidiary PNI Digital Media has impacted photo processing sites for major vendors across the U.S. and the U.K.

Following Walmart Canada’s recent shutdown of its Photocentre website, several other leading photo processing sites are following suit, including those run by Costco, CVS, Tesco and Rite Aid.

The link between all of them? They’re all clients of third-party service provider PNI Digital Media, which was acquired by Staples last year.

The Costco Photo Center website was recently taken down and replaced with a statement reading, in part, “As a result of recent reports suggesting that there may have been a security compromise of the third party vendor who hosts Costcophotocenter.com we are temporarily suspending access to the site. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers.”

Similarly, the CVSPhoto.com site was replaced with a statement reading, in part, “We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services.”

And Rite Aid’s photo site now states, “We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data. The data that may have been affected is name, address, phone number, email address, photo account password and credit card information. Unlike for other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information.”

In the U.K., the Tesco Photo site has also been taken down and replaced with a statement simply reading, “Tesco Photo is currently unavailable. We are sorry the Tesco Photo website and apps are currently unavailable for you to browse and order. We are doing everything we can to get up and running again as soon as possible.”

In a statement provided to Reuters, Staples vice president of global communications Kirk Saville said, “We take the protection of information very seriously. PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation.”

IDT911 chairman and founder Adam Levin told eSecurity Planet by email that businesses need to be sure to hire vendors with a clear track record of strong security practices. “When it comes to protecting consumer data, good cyber hygiene must be ingrained in a corporate culture and include everyone from the mailroom to the board,” he said. “An organization must demand the same from its partners and vendors.”

“A system is only as strong as its weakest link, and in incident after incident vendors are proving to be the weakest link,” Levin added.

And Tim Erlin, director of IT security and risk strategy at Tripwire, said several recent breaches have made information security teams aware of the risks of working with third party service providers. “While outsourcing may provide a reduction in cost to the business, the potential risk has to be part of the overall calculation,” he said.

“In these cases, where credit card data has been stolen from a third party vendor, it’s the major brand that hits the headlines,” Erlin added.

A recent Forrester Consulting survey of IT security and risk management decision makers found that 79 percent of respondents said ensuring that business partners and third parties comply with their security requirements is a top IT security priority over the next 12 months.

When asked what third party security information they would like to monitor, 68 percent of respondents said they wanted to understand third party threat and vulnerability management practices, 67 percent said third party encryption policies and procedures, 66 percent said security incident response processes, and 64 percent said threat intelligence practices.

Still, only 37 percent of respondents said they track any of those metrics on at least a monthly basis.

A recent eSecurity Planet article examined several ways of minimizing the risks introduced by working with third-party vendors.


Via: esecurityplanet

T-Mobile to pay $17.5 million fine for 911 outages

T-Mobile USA will pay a US$17.5 million fine in a settlement with the U.S. Federal Communications Commission for two 911 emergency dialing outages on the company’s mobile network last year.

The separate but related outages left T-Mobile customers without the ability to dial in to emergency response centers for about three hours. In the settlement, T-Mobile agreed to strengthen its 911 service procedures and adopt compliance measures ensuring it adheres to the FCC’s 911 service reliability and outage notification rules in the future, the agency said in a press release.

The settlement represents the largest fine that the FCC has assessed against a carrier in connection with a 911 outage.

The FCC has “no higher priority than ensuring the reliability and resilience of our nation’s communications networks so that consumers can reach public safety in their time of need,” FCC Chairman Tom Wheeler said in a press release. “Communications providers that do not take necessary steps to ensure that Americans can call 911 will be held to account.”

T-Mobile’s network suffered two 911 outages on Aug. 8, 2014. Both outages were nationwide outages, affecting almost all of T-Mobile’s then 50 million customers. It’s unclear how many T-Mobile customers tried to call 911 during the outages.

T-Mobile, in a statement, said the safety of its customers is “extremely important and we take the responsibility to provide reliable 911 service very seriously.”

The company said it has made “significant changes and improvements across a number of our systems” since last year and will continue working to improve those systems.

The FCC Enforcement Bureau found that T-Mobile did not provide timely notification of the outages to all affected 911 call centers, as required by FCC rules. The investigation also found that the outages would have been avoided if T-Mobile had safeguards in its 911 network architecture.

The compliance program in the settlement requires T-Mobile to develop new processes to identify risks that could result in disruptions to 911 services, detect future outages and take remedial actions, including prompt notifications to affected emergency call centers.

This settlement is the fourth major enforcement action involving 911 outages that the FCC has taken this year. In April, the FCC entered a $16 million settlement with CenturyLink and a $1.4 million settlement with Intrado Communications in connection with an April 2014 multi-state outage that lasted for longer than six hours. In March, the FCC settled with Verizon for $3.4 million for the same outage.


Via: cio

Walmart Canada Hacked

An unidentified source told The Globe and Mail that as many as 60,000 customers may be affected.

Walmart Canada recently shut down its Photocentre online photo processing website in response to what it described as a “potential compromise of customer credit card data.”

“Our customers’ privacy is of the utmost importance,” the company stated. “We immediately launched an investigation and will be contacting customers who may be impacted.”

While the company says it doesn’t believe any Walmart.ca, Walmart.com or in-store purchases are affected, it does recommend that all Walmart Canada Online Photocentre customers monitor their card accounts carefully and alert their financial institution to any unauthorized charges.

“We have also notified the Office of the Privacy Commissioner of Canada and will continue to work proactively with Canada’s privacy regulators as the investigation continues,” Walmart Canada added.

Customers with questions or concerns are advised to contact (888) 763-4077.


Walmart Canada’s Photocentre website is operated by a third party service provider, PNI Digital Media, which was acquired by Staples in 2014.

In a statement provided to The Star, a Staples spokesperson said, “We take the protection of information very seriously. PNI is investigating a potential credit card data security issue.”

“If an issue is discovered, it is important to note that consumers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis,” the spokesperson added.

Staples also suffered a data breach last fall when banks identified a pattern of credit and debit card fraud indicating that several Staples locations in the northeastern U.S. had been infected with point-of-sale malware. The company later acknowledged that 115 stores were impacted, and approximately 1.16 million customer debit and credit cards may have been affected.

A recent eSecurity Planet article offered advice on improving database security.


Via: esecurityplanet

The University of Pittsburgh Medical Center (UPMC) Suffers Fourth Data Breach in Three Years

A file containing 722 members’ protected health information was mistakenly sent to the wrong email address.

The University of Pittsburgh Medical Center (UPMC) Health Plan recently announced that 722 members’ protected health information (PHI) may have been exposed when a file containing the data was sent to the wrong email address.

The breach was discovered on June 4, 2015, and an investigation determined that the file contained patient names, member ID numbers, birthdates, phone numbers, primary physician’s office names, and insurance plan types.

Social Security numbers and medical histories were not exposed.

UPMC Health Plan contacted the recipient of the email (though it’s not clear what response, if any, they received), retrained staff on email procedures, reported the breach to the U.S. Department of Health and Human Services, and sent notification letters to all affected members.

Members with questions are advised to contact Member Services at (888) 876-3764.

“We apologize for any anxiety or inconvenience that this incident may cause our members,” UPMC Insurance Services Division chief compliance officer William Gedman said in a statement. “Based on our ongoing investigation, we will make all changes necessary to further enhance our already stringent privacy protections.”

“UPMC Health Plan is committed to doing our utmost to minimize the chance that this type of issue will occur again,” Gedman added.

Lately, however, it has been occurring again and again — UPMC has been hit by a string of data breaches over the past few years, including earlier this year when third-party medical billing company Medical Management, LLC (MML) acknowledged that a former MML employee may have inappropriately accessed about 2,200 UPMC patients’ personal information.

“We hold our vendors to the same high privacy standards that we have for ourselves,” UPMC vice president of privacy and information security John Houston said at the time. “Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”

In April 2014, UPMC announced that as many as 27,000 employees’ personal information, including Social Security numbers, may have been exposed in a data breach. At the time of the announcement, at least 788 UPMC employees had already been victims of tax fraud.

And in November 2013, UPMC notified almost 1,300 patients that their medical records had been inappropriately accessed by a former employee. “We will continue to make significant investments in employee training and the best available tools for managing the use of our patients’ electronic records,” Houston said at the time. “However, there is no fail-safe system, and we ultimately depend on the integrity, vigilance and honesty of all of our employees.”

A recent study conducted by the Ponemon Institute and sponsored by ID Experts found that fully 91 percent of healthcare organizations have been hit by at least one data breach in the past two years, 39 percent have experienced two to five data breaches, and 40 percent have suffered more than five.

“Cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data,” the report stated.


Via: esecurityplanet

Employee Error Causes Army National Guard Data Breach

All current and former National Guard members since 2004 may be affected.


The U.S. Army National Guard recently announced that all current and former National Guard members since 2004 could be affected by an accidental disclosure of personal data.

The breach occurred when files containing personal information were inadvertently transferred to a non-DoD-accredited data center by a contract employee, according to National Guard spokesman Maj. Earl Brown.

The data potentially exposed includes names, Social Security numbers, birthdates and home addresses.

“The National Guard Bureau takes the control of personal information very seriously,” Brown said in a statement. “After investigating the circumstances of these actions, and the information that was transferred, the Guard has determined, out of an abundance of caution, to inform current and past Guard personnel that their Personally Identifiable Information (PII) was among the files that were transferred.”

However, Brown said the Guard doesn’t expect the data to be used unlawfully.

“This was not a hacking incident, in which the intent was to use data for financial gain,” Brown said. “Nonetheless, the Guard believes that individuals potentially affected need to know about the breach and what actions they can take to protect themselves from potential identity theft.”

The National Guard breach is unrelated to the recent data breaches at the Office of Personnel Management.

National Guard members with questions are advised to contact (877) 276-4729 or visit http://www.nationalguard.mil/Features/IdentityTheft.aspx.

Fortscale CEO Idan Tendler told eSecurity Planet by email that even though the breach wasn’t malicious, there is a key lesson to be learned from it.

“The fact of the matter is that many employees and contractors have access to sensitive data, and whether it’s deliberate or not, exposing that data and potentially putting that information in the hands of criminals can have far-reaching effects and potentially damaging consequences,” Tendler said. “As a result, organizations must remain vigilant, monitoring their networks for abnormal or suspicious user behavior to prevent these types of breaches from occurring and ensuring their crown jewels are kept safe.”


Via: esecurityplanet

‘Undo Send’ — How to Unsend Emails in Gmail


I was sending an important and confidential email to one of my friends and mistakenly clicked Send with someone else as the recipient. Holy crap!

This is something every one of us has experienced at some point: we accidentally hit Reply All, send an email to the wrong person, or forget to attach a file, and are left only with an instant pang of regret. It feels like there is no going back, doesn’t it?

But to let you go back and rectify your mistake, Google has rolled out a feature that delays sending your email for 30 seconds after you hit Send, so that you can recall it if you want to make changes.

You Have 30 Seconds to Unsend an Email

After the feature remained in public beta for six years, Google has finally brought this life-saving “Undo Send” feature to the main settings on the Web version of Google’s Gmail service.

Once enabled, the Undo Send feature gives you a window of up to 30 seconds to “undo” sending an outgoing email after you hit the Send button, just in case you change your mind.

Since March 2009, the Undo Send feature had been buried in Gmail’s Labs section, which Google uses to test out new features for Gmail. Now, however, the feature is available in Gmail’s settings under the “General” tab.

Here’s how to enable the Undo Send option:

  • Go to the gear icon in the top-right corner of your Gmail window and open Settings from the menu
  • In General setting, scroll down for Undo Send, which is disabled by default
  • Click Enable and select a cancellation period up to 30 seconds
  • Hit Save Changes at the bottom

Once done, every time you send an email a yellow dialogue box will appear that says “Your message has been sent,” with an option to Undo it. When you click Undo, the email reopens, unsent, in the composition window.

For now, the Undo Send feature is not available in the Gmail mobile app. However, the company is planning to roll out the feature to the mobile app soon.


Via: thehackernews

Turning Windows users into Linux users with MakuluLinux Aero

Slick, sleek, fast, and very Windows-like … this is a distro that could get your users on the path of OS righteousness.

Did you know that hippos are one of the most dangerous animals in the world? They can run at up to 20 miles per hour and more people are killed by hippos every year than are killed by lions and tigers combined.

As it happens, the hippo is also the mascot of one of the most impressive end user-oriented Linux distributions available, MakuluLinux, which is also interesting for another reason: it’s a realistic path for migrating Windows users to Linux.

The problem for many users is that most Linux distros pose a steep learning curve, simply because those users are habituated to the way Windows looks and feels and most distros don’t look or feel anything like Windows. If this is the kind of problem you face, there’s a variant of MakuluLinux that might make your users’ transition much easier: MakuluLinux Aero.

Mark Gibbs

MakuluLinux running the Aero desktop environment

Created in South Africa, MakuluLinux (“Makulu” is the Zulu word for “big chief”) is both Ubuntu- and Debian-based. The distro runs on a PAE kernel and, according to the distro’s creator, Jacque Montague Raymer, “provides a Sleek, Smooth and Stable user experience that is able to run on any computer from old to new, from netbooks to notebooks, desktops to server stations.” He isn’t kidding: MakuluLinux is slick and sleek, and it supports the KDE, Unity, Xfce, LXFCE (an interesting mashup by the MakuluLinux author of LXDE, Xfce, and Compiz, with Emerald themes) and Cinnamon desktop environments.

According to the MakuluLinux site, the impetus for creating MakuluLinux Aero was requests from the MakuluLinux community, and they point out that it’s not a Windows clone but rather Windows-like.

Based on the Cinnamon desktop environment, MakuluLinux Aero requires a 64-bit platform and its features include:

  • Debian kernel 3.16.0.48 with rolling updates
  • Cinnamon 2.4.8
  • Netflix and Popcorn Time live streaming
  • EFI/Secure boot compatible
  • Huge driver base support
  • Complete office productivity suite
  • SteamLinux and Steam Windows
  • Wine and PlayOnLinux
  • Mega Limited (a New Zealand-based hosting provider that offers 50 GB of free online storage) cloud sync
  • Firewall and antivirus

The distro also includes Makulu Constructor, which is:

… a built in constructor tool [that] lets you quickly and easily create a 100% snapshot of your LIVE system as it is, save it into an ISO that can then be re-installed on a new computer. It comes complete with a livemode, installer and full EFI/Secure boot. In fact, this release was compiled with the same constructor tool, which is evidence of how powerful it is. Make any changes to your desktop, doesn’t matter how big or small, then hit the construct button and let the constructor go to work. When it’s done, out pops a bootable EFI ready ISO. It’s all automated with almost no interaction required from the user. This ISO can be put onto a DVD or USB and installed on any other computer. You can now customize your system to your heart’s desire and then make a complete installable backup to either store somewhere safely, or to install on a chain of computers. It has never ever been this easy to compile Linux before, with just one click of a button!

I installed MakuluLinux Aero in a virtual machine under VirtualBox from the downloaded ISO; a totally painless task. In operation, MakuluLinux Aero is, as billed, very Windows-like, and migrating a user from the Microsoft world to the Linux world shouldn’t be hard at all.

MakuluLinux’s author notes:

Whatever you do, DO NOT install cinnamon-tools in menu options. cinnamon-installer is not fully compatible with the current cinnamon build.

Please guys, when updating don’t do a dist-upgrade and don’t update via synaptic if you aren’t prepared to deal with the consequences; use the update manager, that is why it is there. It also produces MUCH safer updates and won’t easily break your system.

You have been warned.

The system’s performance is excellent and as a business productivity environment it’s got everything you need. If you’re looking for the next step in evolving your users into the open source world, MakuluLinux Aero is a great way to go about it. MakuluLinux Aero gets a Gearhead rating of 5 out of 5.

Via: networkworld

Wi-Fi password-sharing feature in Windows 10 raises security concerns

With the launch of Windows 10, anyone who walks into your house and gets your Wi-Fi password for their PC could potentially let all their friends onto your network, thanks to a new feature that has ignited controversy online.

Called Wi-Fi Sense, the feature is designed to make it easier for people to get Internet access for their devices while they’re on the go by automatically logging them into wireless hotspots. It does so with a two-pronged approach: by logging users into select open networks and also by allowing them to share secured connections with their friends (and vice versa). Perhaps unsurprisingly, that has drawn the ire of people who care about wireless security.

If someone with a Windows 10 device logs on to a new network, they can check a box to share that access with their contacts, who could include their Facebook friends, Outlook.com contacts and people on their Skype contact list. This isn’t exactly a new feature—Microsoft introduced it with Windows Phone 8.1 last year, but it didn’t make much of a splash at the time because not that many people use Windows Phone.

Craig Mathias, a principal at the Farpoint Group who specializes in wireless technology, said in an email that the feature was “a cheap hack.” He went on to say that the Wi-Fi Alliance’s Passpoint technology, which makes it possible for some devices to connect securely to wireless networks without going through a login process, is “more important.”

“And no one should ever leave Wi-Fi access wide open,” he said.

To hear Microsoft pitch Wi-Fi Sense, it’s a security feature, not a flaw. Using the new technology, people can let their friends access their home network without having to provide them with the password, which cuts down on those annoying conversations that take place when someone is trying to get Internet access. What’s more, contacts who are able to log into a network only using Wi-Fi Sense don’t actually see the password.

According to a FAQ about the feature, a user who shares network access sends the password over an encrypted connection to a Microsoft server, where it’s stored in encrypted form before being handed off securely to any of their friends who need it, based on location data from their device. Microsoft says that someone who gets access through Wi-Fi Sense will only have access to the Internet and won’t be able to reach any other computers or devices on the network.

Of course, all that relies on the feature working as intended. While it’s not clear exactly how Microsoft is storing passwords on a client device, it’s possible that someone sufficiently motivated would be able to find and extract the wireless password for a network they get access to thanks to their friends. An attacker could also friend people on Facebook in order to get access to networks using Wi-Fi Sense. All of this relies on the Microsoft database storing wireless network information remaining secure, to boot.

Wi-Fi Sense doesn’t work with networks secured using 802.1X, which is often used by enterprises to keep their networks on lockdown, so that should give some small comfort to network administrators.

Ultimately, people who want to make sure that their Wi-Fi network is unavailable to Wi-Fi Sense users can rename it to include “_optout” at the end of the SSID. For example, a network called “foobar_optout” would be ineligible for sharing through Wi-Fi Sense, while one that’s just called “foobar” would be usable with Microsoft’s sharing feature.

If you don’t want to change your network’s name, Microsoft suggests that you manually enter the network’s password for your guests and make sure the checkbox to share the network is turned off.


Via: networkworld