Monthly Archives: November 2017

Another misconfigured Amazon S3 server leaks data of 50,000 Australian employees

Another misconfigured Amazon server has resulted in the exposure of personal data – this time on 50,000 Australian employees whose records were left unsecured by a third-party contractor.

This is the country’s second largest data breach since the information of 550,000 blood donors was leaked last year.

Records including full names, passwords, salaries, IDs, phone numbers, and some credit card data were left exposed with 25,000 of the records coming from AMP Ltd, 17,000 records belonging to Cimic Group Ltd. subsidiary UGL Ltd, 4,770 from Australian government departments, and 1,500 from Rabobank, according to iTnews.

None of the organizations impacted named the third party responsible. A Polish researcher by the moniker “Wojciech” spotted the exposed server by conducting a search for Amazon S3 buckets set to open, with “dev”, “stage”, or “prod” in the domain name, and containing specific file types like xls, zip, pdf, doc and csv.
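The researcher's search criterion (open buckets, environment names, interesting file types) turned around for the defender: instead of hunting for other people's buckets, audit your own bucket ACLs and policies for the grants that make them public. This is an added example, not code from the article or from the researcher it quotes. The input dictionaries follow the shape of boto3's `get_bucket_acl()` and `get_bucket_policy()` responses, but all sample data, bucket names and IDs below are constructed placeholders so the script runs offline.

```python
"""Audit S3 bucket ACLs and bucket policies for public exposure.

Added example; it is not from the article or the researcher it quotes. The
input dictionaries are shaped like the responses of boto3's get_bucket_acl()
and get_bucket_policy(), so the logic can be pointed at live data, but the
data below is constructed so the script runs offline.
"""
import json

# Canned ACL grantee URIs that expose a bucket to the whole world or to any
# AWS account holder respectively.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((PUBLIC_GRANTEE_URIS[uri], grant["Permission"]))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def wildcard_principal_statements(policy_json):
    """Return (sid, actions, has_condition) for every Allow statement open to any principal.

    A Condition narrows the audience (e.g. to one VPC endpoint), but some
    conditions still leave a bucket effectively public, so conditioned
    statements are reported for review rather than silently accepted.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") == "Allow" and _wildcard_principal(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            findings.append((st.get("Sid", "<no Sid>"), actions, bool(st.get("Condition"))))
    return findings


def audit_bucket(name, acl, policy_json=None):
    """Human-readable findings for one bucket."""
    lines = [f"{name}: ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    if policy_json:
        for sid, actions, conditioned in wildcard_principal_statements(policy_json):
            scope = "any principal subject to a Condition (review)" if conditioned else "everyone"
            lines.append(f"{name}: policy statement {sid} allows {', '.join(actions)} to {scope}")
    return lines


def bucket_is_public(acl, policy_json=None):
    """True when an ACL grant or an unconditioned wildcard statement opens the bucket."""
    if public_acl_grants(acl):
        return True
    if policy_json:
        return any(not cond for _, _, cond in wildcard_principal_statements(policy_json))
    return False


# Constructed sample data; the bucket name and IDs are placeholders.
SAMPLE_ACL_PUBLIC = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_ACL_PRIVATE = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
]}
SAMPLE_POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-prod-backups/*"}]})
SAMPLE_POLICY_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-prod-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]})

if __name__ == "__main__":
    for line in audit_bucket("example-prod-backups", SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PUBLIC):
        print(line)
```

Only an ACL grant to `AllUsers`/`AuthenticatedUsers` or an unconditioned `Allow` to a wildcard principal is reported as definitely public; a wildcard principal behind a `Condition` is surfaced for manual review, because whether it is safe depends on what the condition keys actually restrict.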

The database backups were made in March 2016 and Wojciech told the publication most of the credit card numbers had been cancelled and that many of the records were available in duplicate. Even though the payment information may be useless, researchers warn the stolen information could still be used in conjunction with other information for social engineering attacks and to break into other sites if credentials are shared between platforms.

“In the hands of fraudsters and criminal organizations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world,” Lisa Baergen, director at NuData Security told SC Media. “Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.”

Baergen added that any personal information can be valuable to fraudsters and that everything that can be used to compile an identity will be used. To protect themselves, users should enable two factor authentication whenever possible.

via: scmagazine

Facebook will teach the unemployed digital/social media skills in 30 cities

Whether it’s to “bring the world closer together” or improve its public image, Facebook today announced Community Boost. Facebook tells me it’s investing tens of millions of dollars into the program that will travel to 30 cities around the U.S. in 2018. It will teach digital job skills to the unemployed, internet literacy to those just getting online, startup methodology to entrepreneurs and customer growth to small business owners.

Unsurprisingly, though, all these skills revolve around Facebook, which Facebook clearly thinks is the key to a better life. Stops on the tour include Houston, St. Louis, Albuquerque, Des Moines and Greenville, South Carolina — which are conspicuously all red states that voted for Trump in the 2016 election. Perhaps Facebook hopes to reduce unemployment that led to the dissatisfaction with current political systems which landed us Trump.

Facebook cites research by Morning Consult indicating “62 percent of US small businesses using Facebook said having digital or social media skills is an important factor in their hiring decisions — even more important than where a candidate went to school.” Houston Mayor Sylvester Turner says that “We’re happy to welcome Facebook to Houston to boost our residents’ digital skills and make sure our vibrant community of entrepreneurs and small businesses gets more out of the internet.”

The program might be perceived as less self-serving if Facebook had concentrated on teaching skills beyond its site, like how to make a good-looking resume or handle job interviews. So while the intention behind Facebook Community Boost might be honest, it’s tough to interpret it as altruistic while Facebook is amidst congressional hearings into election interference on its platform and is toying with the entire journalism industry as it sucks out ad dollars and jobs.

Here’s a look at Facebook’s plans for the program, with the parts where people learn to better use Facebook bolded.

  • If you’re looking for a job, we’ll provide training to help you improve your digital and social media skills. According to the research, 62 percent of US small businesses using Facebook said having digital or social media skills is an important factor in their hiring decisions — even more important than where a candidate went to school.

  • If you’re an entrepreneur, we’ll have training programs on how to use technology to turn an idea into a business or show you ways to create a free online presence using Facebook.

  • If you’re a business owner we’re going to offer ways your business can expand its digital footprint and find new customers around the corner and around the globe.

  • If you’re getting online for the first time or you want to support your community, we’ll provide training on digital literacy and online safety. And we’ll also help community members use technology to bring people together, with features like Events and Groups.

All that said, it’s hard to imagine any of the other tech giants like Google, Apple or Amazon pouring resources into something so directly tied to improving people’s socioeconomic mobility. Similar to Mark Zuckerberg’s 2017 challenge to meet people from every U.S. state that finished today in Missouri, you can either see it as just publicity, or as Facebook legitimately wanting to get out and hear from its constituency. Users can request Community Boost come to their city by filling out this form.

“One of the things I’m most proud of is that 70 million small businesses use Facebook to connect with customers,” writes Zuckerberg about today’s announcement. “That’s 70 million people who now have access to the same tools the big guys have. Now we need to make it easier for people to start and build new businesses or find jobs and opportunities, and in the process strengthen their communities.”

Facebook tells me it’s invested more than $1 billion into supporting small businesses since 2011 through programs like Boost Your Business classes, which teaches social media management, and the Blueprint online learning hub that 1 million businesses have looked to for social marketing skills. Facebook also is building a digital marketing curriculum to train 3,000 Michiganders in the next two years.

[Update: Facebook contacted me after I published this story to emphasize that “Facebook Community Boost will provide more than just training on Facebook.” One way it plans to do that is through partnerships with tech training schools for adults and coding bootcamps like Grand Circus in Michigan. These could help people go beyond basic social media skills and get actual computer science education.]

It will take a lot more to convince people Facebook is a benevolent force in the world. Even though its heart is often in the right place, Facebook has demonstrated an inability to predict the misuse and negative secondary impacts of its platform or do enough preemptively to prevent these problems. But if it wants to mend the rift in U.S. society, getting more people employed is a good start.

via: techcrunch

Logitech Will Be Intentionally Bricking All Harmony Link Units on March 16th, 2018

Logitech will be deliberately bricking every unit of the Harmony Link, a universal hub which allows users to control their home theater systems and a variety of other devices from their smartphones, on March 16th, 2018. According to Bleeping Computer, on that date Logitech will issue a firmware update that permanently disables the devices. As Popular Science additionally noted, the Harmony Link relies upon a cloud-based service to function that will be taken offline, ensuring that users will be locked out no matter what.

Rory Dooley, head of Logitech Harmony, told Gizmodo in a statement that the decision to turn off the devices “does not impact Logitech’s commitment to Logitech Harmony customers,” adding that those within a one-year warranty period could exchange their devices for free for an upgraded Harmony Hub. Other owners can get a “one-time discount offer” (35 percent, per Bleeping Computer) on the $100 replacement.

Dooley told Gizmodo they had discontinued support for the devices because of the expiration of a security license, and that the product only had a “small user base.”

“The technology certificate (for Harmony Link) is an encryption certification that expires in the spring of 2018, which may open the product up to potential security vulnerabilities,” Dooley added. “We’ve refocused development resources on newer technologies, and therefore, we are not updating the Harmony Link certificate.”

While Dooley said the product was last sold by Logitech in 2015, Bleeping Computer reported the company “held fire sales for Harmony Link devices in the past months, offering the universal hubs at lowered prices and with a warranty of only three months.” It also noted that users on Logitech’s forums claimed the terms “class action lawsuit” were being censored.

Discontinuing support for an aging product is pretty par for the course and more or less inevitable, given it’s impossible to expect companies to commit resources to maintaining old technology forever. Deliberately bricking those products while encouraging them to migrate to a newer model is, on the other hand, a considerably rarer thing to do—though consumers should be wary that with the rise of networked home electronics, companies can choose to turn off their tech at the flick of a button.

As Ars Technica noted, Harmony Link owners on web forums don’t seem to have noticed any significant problems with their devices and likely expected to continue using them until they stopped functioning. Them’s the breaks, apparently.

via: BleepingComputer, gizmodo

Four years later, Yahoo still doesn’t know how 3 billion accounts were hacked

In a security hearing that called both Equifax and Yahoo’s past and present executives to Washington, D.C., we’re learning a bit more about what Yahoo didn’t know about the biggest hack in history.

When pressed about how Yahoo failed to recognize that 3 billion accounts — and not 500 million as first reported — were compromised in what was later revealed to be a state-sponsored attack by Russia, former Yahoo CEO Marissa Mayer admitted that the specifics of the attack still remain unknown.

“To this day we have not been able to identify the intrusion that led to this theft,” Mayer told the Senate Commerce Committee. “We don’t exactly understand how the act was perpetrated. That certainly led to some of the areas where we had gaps of information.”

Notably, while Mayer is no longer with the company, Verizon Chief Privacy Officer Karen Zacharia, also present on the panel, did not chime in to disagree with that assessment.

Yahoo did not notice that it had been compromised in 2013 and 2014 until third-party evidence of the hack was presented to the company by law enforcement in 2016. Yahoo then began working with the Department of Justice and the FBI, and the agencies concluded that in 2014 the company was a victim of a massive Russian state-sponsored attack for which it was in no way prepared.

“Yahoo worked closely with law enforcement, including the Federal Bureau of Investigation, who were ultimately able to identify and expose the hackers responsible for the attacks,” Mayer said in her testimony. “We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo’s systems.”

According to Zacharia, Verizon obtained new details on the hack after it acquired Yahoo in June of 2017. The new parent company acted within a week to disclose the vastly widened scope of the attack, which tripled to 3 billion affected users.

“We obtained new information from a third party and reviewed it with the assistance of the same outside forensic experts that Yahoo had used previously,” Zacharia explained in her opening remarks. “Based on that review, we concluded that all accounts — and not just a subset — were impacted by the 2013 security incident.”

via: techcrunch

Hundreds of school websites redirected to pro-ISIS web page

Pro-ISIS hackers hijacked the websites of roughly 800 U.S. schools and educational districts on Monday, after compromising their web hosting provider, various news outlets have reported.

The hacking group Team System Dz claimed responsibility for the cyberattack, which redirected users to a website displaying ISIS messages and a recruitment video, as well as an image of former Iraqi president Saddam Hussein, according to the International Business Times UK.

The websites’ hosting services provider, Atlanta-based SchoolDesk, reportedly confirmed the attack, noting in a statement that it responded to the incident “immediately” by taking down the impacted websites.

“Our technical staff discovered that a small file had been injected into the root of one of the SchoolDesk websites, redirecting approximately 800 school and district websites to an iFramed YouTube page containing an audible Arabic message, unknown writing and a picture of Saddam Hussein,” the statement reads. “Although the exact method and point of intrusion is not yet fully known (possibly an SQL injection or through a user account with a weak password), we have added multiple layers of redundant protection to prevent this from happening again, as well as taking many additional methods to research how this was accomplished and by whom.”
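The symptom SchoolDesk describes (a small injected file that made hundreds of sites frame or redirect to an outside page) is something a hosting provider can check for across its own web roots. Below is an added example, not code from the article or from SchoolDesk: it parses served HTML and reports iframes, meta refreshes and simple JavaScript redirects whose target host is not on a first-party allow-list. The allow-list, the sample pages and the framed URL are constructed placeholders.

```python
"""Find injected iframes and redirects to external hosts in served HTML.

Added example, not from the SC Media article or SchoolDesk's statement. It
models the symptom the statement describes (pages suddenly framing or
redirecting to an outside site) as a check a host could run over its own
web roots. The allow-list of first-party hosts is an assumption for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example-district.org", "example-district.org"}  # hypothetical

# Simple JavaScript redirects: location = '...', window.location.href = "..."
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE)


def is_external(url):
    """True for an absolute or protocol-relative URL whose host is not first-party."""
    host = urlsplit(url.strip()).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


class RedirectFinder(HTMLParser):
    """Collect (kind, target) for iframes, meta refreshes and JS redirects."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            if is_external(attrs.get("src", "")):
                self.findings.append(("iframe", attrs["src"]))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", attrs.get("content", ""), re.IGNORECASE)
            if m and is_external(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            for target in JS_REDIRECT.findall(data):
                if is_external(target):
                    self.findings.append(("js-redirect", target))


def find_external_redirects(html):
    """Return the list of (kind, target) findings for one HTML document."""
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed pages; the framed URL is a placeholder, not the real one.
CLEAN_PAGE = """<html><head><title>District</title>
<meta http-equiv="refresh" content="300;url=/news.html"></head>
<body><iframe src="/calendar.html"></iframe>
<script>var x = 1; if (x == 2) { location.href = "/other"; }</script></body></html>"""

INJECTED_PAGE = """<html><head><title>District</title>
<meta http-equiv="refresh" content="0;url=https://redirect.example/landing"></head>
<body><iframe src="https://www.youtube.com/embed/placeholder-id" width="1" height="1"></iframe>
<script>window.location.href = 'https://redirect.example/landing';</script></body></html>"""

if __name__ == "__main__":
    for kind, target in find_external_redirects(INJECTED_PAGE):
        print(f"{kind}: {target}")
```

Relative targets such as `/news.html` are ignored because they stay on the first-party host; a sudden appearance of external targets across many sites served from one root is the signal worth alerting on.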

The IBT UK further reports that educational districts in Connecticut, Louisiana, New Jersey, and Virginia were affected.

In June, Team System DZ attacked government websites in Ohio, Maryland and New York, defacing them with a pro-ISIS message that read, in part, “I Love Islamic state.” The hackers used the same phrasing in the school cyberattack.

via: scmagazine

Two lawmakers want to give consumers a way to know if their IoT devices are secure

The internet-connected devices that broke the internet in 2016 — what kid needs a Wi-Fi connected teddy bear? — sell like mad to consumers who have little idea if any security lies below the interfaces.

One year after the Mirai botnet attacks brought some of the biggest tech companies to their knees, a new bill introduced on Friday aims to create a voluntary cybersecurity certification program to “independently identify, verify, and label compliant Internet-of-Things devices with strong cybersecurity standards.”

The bill, known as the “Cyber Shield Act,” was introduced in the Senate by Sen. Edward Markey, D-Mass., and in the House of Representatives by Rep. Ted Lieu, D-Calif.

The act would establish an advisory committee to evaluate devices like cameras, cellphones, laptops and baby monitors. Companies meeting the standards could display a label on their products that would better inform customers on security issues.

“It is critical that we prioritize developing products with the security of consumers’ information in mind,” Lieu said in a statement on Friday. “The government and tech companies share an obligation to develop more transparency around the security of our favorite devices.”

These devices, more commonly categorized as the Internet of Things, are rapidly proliferating across the world and are notoriously insecure. The companies selling Wi-Fi-enabled juicers and internet-connected children’s toys often fail to provide adequate cybersecurity, even though they’re subject to the same threats as any other internet-connected device.

With some of these connected products, cybersecurity work can be relegated to an afterthought or ignored altogether — even when the product has no need to be connected to the internet.

The Cyber Shield program’s committee would be made up of industry representatives, cybersecurity experts, public interest advocates and federal experts in certification and cybersecurity. The committee would have a website with a database of certified products. They’ll be mandated to review benchmarks at least every two years.

Markey said the bill would “help ensure consumers can reliably identify more secure products and rewards manufacturers that adopt the best cybersecurity practices.”

A similar bill that would impose security standards on Internet of Things devices purchased by the federal government was introduced earlier this year by Rep. Robin Kelly, D-Ill.

Read Act here: Cyber Shield Act of 2017

via: cyberscoop

DHS is Too Slow To Share Cyber Threat Info

The Homeland Security Department should speed up how quickly it shares information about cyber and physical threats facing critical infrastructure sectors, according to half the respondents in a Government Accountability Office review.

During the lag time between when Homeland Security learns of threat information and when it passes that information along to industry, that information grows less valuable, those industry representatives said, and sometimes, by the time it arrives, it’s already old news.

Those criticisms came from three out of six industry representatives GAO interviewed, all of whom sit on coordinating councils that establish information sharing processes between their industries and the government.

The other three representatives “reported that DHS generally provides threat information in a timely manner,” GAO said.

One of the industry representatives who said Homeland Security is too slow at information sharing also noted that information from the department is “very credible and a major resource often used by security managers proposing security upgrades to their respective chief executive officers.”

Three of the six representatives also noted that cyber threat information shared by the government has become increasingly important.

The representatives were from the manufacturing, nuclear and transportation sectors.

Representatives from two of those three sectors said Homeland Security’s cyber and physical vulnerability assessments for specific companies are useful. They were less bullish, however, on sector-wide assessments the department conducts because vulnerabilities vary widely from one company to another.

The 55-page report does not include any recommendations.

What GAO Found

The Department of Homeland Security (DHS) primarily conducts assessments for each of the three elements of risk—threat, vulnerability, and consequence—for critical infrastructures from the three sectors GAO reviewed—Critical Manufacturing; Nuclear Reactors, Materials, and Waste; and Transportation Systems. In limited circumstances, DHS generates risk assessments that both incorporate all three elements of risk and cover individual or multiple subsectors.

  • Threat: DHS’s Office of Intelligence and Analysis assesses threats—natural or manmade occurrences, entities, or actions with the potential to cause harm, including terrorist attacks and cyberattacks—and disseminates this information to critical infrastructure owners and operators. For example, the Transportation Security Administration provides threat intelligence to mass transit security directors and others through joint classified briefings.
  • Vulnerability: DHS officials provide various tools and work directly with owners and operators to assess asset and facility vulnerabilities—physical features or operational attributes that render an asset open to exploitation, including gates, perimeter fences, and computer networks. For example, DHS officials conduct voluntary, asset-specific vulnerability assessments that focus on physical infrastructure during individual site visits.
  • Consequence: DHS officials also assess consequence— the effect of occurrences like terrorist attacks or hurricanes resulting in losses that impact areas such as public health and safety, and the economy—to better understand the effect of these disruptions on assets.

These assessments help critical infrastructure owners and operators take actions to improve security and mitigate risks. Six private sector representatives told GAO that threat information is the most useful type of risk information because it allows owners and operators to react immediately to improve their security posture. For example, one official from the Transportation Systems sector said that government threat information is credible and is critical in supporting security recommendations to company decision-makers.

DHS uses the results of its risk assessments to inform the department’s strategic planning and to guide outreach to infrastructure owners and operators. Critical infrastructure risk information is considered within DHS’s strategic planning. Specifically, according to DHS officials, risk information informs the Department’s Quadrennial Homeland Security Review (QHSR)—a process that identifies DHS’s critical homeland security missions and its strategy for meeting them. DHS also uses risk information to guide outreach to critical infrastructure owners and operators. For example, DHS officials annually prioritize the most critical assets and facilities nationwide and categorize them based on the severity of the estimated consequences of a significant disruption to the asset or facility. DHS officials then use the results to target their assessment outreach to the infrastructure owners and operators categorized as higher risk. DHS officials also told GAO that they use risk information after an incident, such as a natural disaster, to quickly identify and prioritize affected infrastructure owners and operators to help focus their response and recovery assistance outreach.

Why GAO Did This Study

The nation’s critical infrastructure includes cyber and physical assets and systems across 16 different sectors whose security and resilience are vital to the nation. The majority of critical infrastructure is owned and operated by the private sector. Multiple federal entities, including DHS, work with infrastructure owners and operators to assess their risks.

GAO was asked to review DHS’s risk assessment practices for critical infrastructure. This report describes: (1) DHS’s risk assessment practices in 3 of 16 critical infrastructure sectors and private sector representatives’ views on the utility of this risk information, and (2) how this risk information influences DHS’s strategic planning and private sector outreach.

GAO selected 3 of 16 sectors–Critical Manufacturing; Nuclear Reactors, Materials, and Waste; and Transportation Systems–to examine based on their varied regulatory structures and industries. GAO reviewed DHS guidance related to infrastructure protection, the QHSR and DHS Strategic Plan, and plans for the selected critical infrastructure sectors. GAO interviewed DHS officials responsible for critical infrastructure risk assessments, and the owner and operator representatives who serve as chairs and vice-chairs of coordinating councils for the 3 selected sectors. Information from the 3 sectors is not generalizable to all 16 sectors but provides insight into DHS’s risk management practices.

GAO provided a draft of this report to DHS and relevant excerpts to the council representatives interviewed during this review. Technical comments provided were incorporated as appropriate.

via: nextgov, gao.gov

Fake WhatsApp Downloaded Over 1 Million Times Pulled from Google Play

Over one million Android users unknowingly downloaded a fake version of the popular WhatsApp messaging service from the Google Play Store.

Disguised as an “update,” the app was designed to look nearly identical to the official version, and claimed to be developed by “WhatsApp Inc.”

Over the weekend, however, several users on Reddit flagged the deceiving app, warning others that it was intended to serve users with ads to download other apps.

“The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk’,” explained one Reddit user with the handle dextersgenius.

“The app also tries to hide itself by not having a title and having a blank icon,” added the Reddit user.

The phony app was downloaded at least one million times before it was removed from the Google Play Store.

“I can confirm that the app was removed from Google Play and the developer account was suspended for violating our program policies,” said a Google spokesperson on Friday.

In this instance, the fraudsters’ intentions were to generate advertising revenue, but experts warn that the same technique can be used to distribute more harmful malware, hacking victims and stealing their personal information stored on the device.

As always, users are advised to review apps carefully before downloading, including reading user reviews and checking the requested permissions.

via: tripwire

Humana to lay off 1,300 workers, will let employees know about jobs by end of the week

The healthcare insurer will offer employees 55 and older who meet certain requirements an early retirement package.

Humana is laying off 1,300 employees, about 3 percent of its workforce, the Louisville-based insurance giant told workers in an email Monday.

The positions will be eliminated shortly after the start of the new year. Another 1,150 people took voluntary buyouts and will be leaving next year, the email said.

The email said affected employees are being informed this week that their current positions will be eliminated but added that they may apply for another job at Humana. As of Monday, there were more than 1,450 open positions.

Employees who are being laid off will be offered career counseling for the remainder of their time at Humana and two weeks of pay for every year of service at the company.

In the email, the insurance company said it had been taking a series of measures during the year “to position the company for long-term sustainable success,” including the buyouts, which were offered in September.

Spokeswoman Kate Marx did not immediately respond to a question about what prompted the layoffs, but Courier Journal reported that the company was jettisoning workers because it needed fewer of them after deciding it was withdrawing from coverage under the federal Affordable Care Act.

Courier Journal reported in March that Humana would be eliminating an unspecified number of positions in Louisville and at sites in other states under a realignment and that those affected included top managers as well as entry-level employees.

The disclosures came after Humana’s acquisition by Aetna was called off.

To be eligible for the buyout, employees had to be 55 and have at least five years at the company, although those numbers in combination had to add up to 65.

Marx said in September that Humana had about 12,500 employees in Louisville. It had 51,600 employees nationwide last year.

The layoffs come as Humana has been on a roll. In early August, the company reported that second-quarter net income surged to $650 million and that adjusted earnings per share for the quarter rose 20 cents, to $3.49 from $3.29 a year ago. Analysts had forecast about $3.08 per share.

It will release its third-quarter earnings report on Wednesday.

Humana CEO Bruce Broussard’s compensation last year was $19.7 million, including stock and option awards and nearly $2 million in incentive pay. His total compensation for last year represented a 91 percent increase over the $10.3 million he received the prior year.

Background: Humana to cut jobs, offer early retirement packages to some employees

The latest: With $37B Aetna deal off, Humana will listen to other offers

via: courier-journal

Android security triple-whammy: New attack combines phishing, malware, and data theft

Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.

Attackers are combining credential phishing, credit card data theft, and malware into a single campaign targeting banking details.

While it’s common to see attacks involving phishing or malware, the combination of these tactics in a single campaign targeting Android devices of financial services and banking customers indicates the extent to which attackers are willing to play a longer game in order to get to their goal.

The attacks combine phishing with the distribution of the Marcher Android trojan, a form of banking malware which has been active since at least late 2013. Lures previously used to distribute Marcher include a fake software update, a fake security update, and a fake mobile game.

Marcher first originated on Russian underground forums but has since become a global threat, with the trojan targeting bank customers around the world.

The campaign has been ongoing since January and uses a multistep scheme to target customers of Austrian banks.

The attacks begin with phishing emails containing a shortened bit.ly link to a fake version of the Bank Austria login page, which has been registered to a number of different domains containing ‘bankaustria’ in the title, in an effort to trick the user into believing they’re visiting the official site.

Those who visit the fake Bank Austria page are asked for their customer details, following which they are asked for their email address and phone number. These details provide the attackers with everything they need to move onto using social engineering to conduct the next stage of the campaign.

[Image: fake Bank Austria login page. Image: Proofpoint]

Using the stolen information, the attackers send the users a warning in a message featuring Bank Austria branding which claims the target doesn’t have the “Bank Austria Security App” installed on their smartphone.

The message claims EU money laundering guidelines mean that the new Bank Austria app is mandatory for customers and that failure to install it will lead to the account being blocked. The user is directed to a shortened URL with the claim that following the link will lead to the installation of the app.

Those who click through are given instructions for downloading the app, which tell the user to change their security settings to allow the installation of applications from unknown sources. Attackers regularly abuse this part of the Android ecosystem to install malware; in this case it enables the installation of Marcher.

The fake app requires extensive permissions including writing and reading external storage, access to precise location, complete control over SMS messages, the ability to read contact data, the ability to read and write system settings, the ability to lock the device and more.

Once fully installed, the malware places a legitimate looking icon on the phone’s home screen, again using branding stolen from Bank Austria.

But this version of Marcher isn’t just a banking trojan, it also enables the direct theft of credit card details. Those who’ve installed Marcher are asked for their credit card information when they open applications such as the Google Play store.

The attackers also ask for information including date of birth, address, and password to ensure they have all the data they require to fraudulently exploit the stolen credentials. Each of the overlays is designed to look official through the use of stolen branding.

Data suggests almost 20,000 people clicked through to the campaign, potentially handing their banking details and personal information into the hands of hackers. Similar campaigns have also started targeting Raiffeisen and Sparkasse banks.

Proofpoint warns that this type of attack could become more common.

“As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments. Moreover, as we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here,” wrote researchers.

In order to avoid falling victim to this type of campaign, users should be wary of unusual domains in general and should be sceptical of any email communication from a bank asking for any sort of credentials. Users should also be wary of downloading apps from unofficial sources which ask for extensive permissions.
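The "unusual domains" advice above can be made concrete for a mail filter or a helpdesk triage script: the campaign registered many domains that merely contained the string ‘bankaustria’ and hid the first hop behind a bit.ly link. The following is an added example, not code from the ZDNet article or from Proofpoint. It classifies every URL in a message as the bank's real domain, a URL shortener, a brand lookalike, or unknown. The allow-list `LEGIT_DOMAINS`, the brand tokens, the short two-level suffix table and the sample message are assumptions made for the example; a production version would use the bank's published domain list and the Public Suffix List.

```python
"""Classify URLs from a suspicious email against a bank's legitimate domains.

Added example, not from the ZDNet article or Proofpoint's research. The
allow-list and brand tokens are assumptions made for the example; a real
deployment would use the bank's published domains and the Public Suffix List
instead of the short two-level suffix set below.
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"bankaustria.at"}            # assumed legitimate registrable domain
BRAND_TOKENS = ("bankaustria", "bank-austria")
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}   # the lure used bit.ly
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.at", "or.at", "ac.at"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Approximate eTLD+1: last two labels, or three under a known two-level suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Return 'legit', 'shortener', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    if not host:
        return "invalid"
    # Brand in the userinfo part (https://bankaustria.at@evil.example/) is a
    # classic trick: the browser actually connects to evil.example.
    if parts.username and any(t in parts.username.lower() for t in BRAND_TOKENS):
        return "lookalike"
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit"
    if domain in SHORTENERS:
        return "shortener"
    # Brand name anywhere else in the host (subdomain or hyphenated label)
    # without a legitimate registrable domain is the campaign's pattern.
    if any(t in host.lower() for t in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def scan_text(text):
    """Extract URLs from a message body and classify each one."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")          # drop trailing punctuation from prose
        results.append((url, classify_url(url)))
    return results


# Constructed sample message; domains and paths are placeholders.
SAMPLE_EMAIL = """Dear customer,
please confirm your details at http://bit.ly/2placeholder
or directly at https://login.bankaustria.at.kundenservice-check.example/online.
Your Bank Austria (https://www.bankaustria.at)"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

A shortener verdict is not itself proof of phishing, but a bank mail that routes customers through bit.ly deserves the same scepticism as a lookalike; the legitimate domain check is what lets the script distinguish `login.bankaustria.at` from `login.bankaustria.at.<anything-else>`.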

via: zdnet