0 Comments
KrebsOnSecurity was honored this month with the 2017 President’s Award for Public Service from the Information Systems Security Association, a nonprofit organization for cybersecurity professionals. The award recognizes an individual’s contribution to the information security profession in the area of public service. It’s hugely gratifying to have received this award, mainly because of the company I now keep. Past ISSA President’s Award winners include former White House cybersecurity advisers Richard A. Clarke (2003) and the late Howard Schmidt (2016); DEF CON and Black Hat founder Jeff Moss (2011); Hacking Exposed authors George Kurtz, Stuart McClure and Joel Scambray (2015); as well as Liam O’Murchu, Eric Chien, and Nicolas Falliere, the team at Symantec credited for their groundbreaking analysis of the Stuxnet Worm (2012). “[Krebs’] analysis of the bad actors and the dark web shines a light on the criminals and their methods that attack information security,” the ISSA said in explaining the award. “The information that he exposes to the light of day makes the jobs of white hats and blue teamers easier.” I’m very grateful to the ISSA for this award, and wish a hearty congratulations to the other ISSA 2017 award recipients. from https://krebsonsecurity.com/2017/10/krebs-given-issas-presidents-award/ Big-three consumer credit bureau Equifax says it has removed third-party code from its credit report assistance Web site that prompted visitors to download spyware disguised as an update for Adobe’s Flash Player software. On Wednesday, security expert and blogger Randy Abrams documented how browsing a page at Equifax’s consumer information services portal caused his browser to be served with a message urging him to download Adobe Flash Player. “As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL,” Abrahms wrote. “The URL brought up one of the ubiquitous fake Flash Player Update screens. ” Ars Technica’s Dan Goodin was the first to cover the discovery, and said the phony Flash Player installer was detected by several antivirus tools as “Adware.Eorezo,” an intrusive program that displays advertisements in Internet Explorer and may install browser toolbars and other unwanted programs. Several hours after Goodin’s piece went live, Equifax disabled the page in question, saying it was doing so out of “an abundance of caution” while it investigated the claims. In a follow-up statement shared with KrebsOnSecurity this afternoon, however, Equifax said the problem stemmed from a “third-party vendor that Equifax uses to collect website performance data,” and that “the vendor’s code running on an Equifax Web site was serving malicious content.” Equifax did not say who the third party vendor was. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” reads the statement. “Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.” That closing line of Equifax’s statement may do little to assuage a public that has grown increasingly weary of Equifax’s various security and public relations failures since it announced on Sept. 7, 2017 that hackers broke into the company’s servers and stole Social Security numbers and other sensitive data on more than 145 million Americans. On Sunday, KrebsOnSecurity published a story warning that Equifax’s payroll and tax administration site made it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax. Equifax disabled that service just hours after the story ran, replacing it with a message stating the site was under maintenance. Four days later, that site remains offline. from https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/ Hyatt Corp. is alerting customers about another credit card breach at some hotels, the second major incident with the hospitality chain in as many years. Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. “Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities,” the company said in a statement. “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates. The hotel chain said the incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved. In late 2015, Hyatt announced that for about four months that year hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Only five of the Hyatt properties affected in this most recent breach included U.S. locations, including three resorts in Hawaii and one each in Guam and Puerto Rico. The nation with the largest number of Hyatt properties impacted was China (18). The company has published a list of the affected hotels here. Each time one of these breach stories breaks, I hear from a number of readers who say they believe their cards were impacted based on some fraudulent activity on their cards. One thing I try to stress to those readers is that there are so many merchants both online and offline that are compromised by card-stealing malicious software that it is very likely that their card numbers were stolen from multiple victim companies. The most important thing to bear in mind with all these card breaches is that consumers are not liable for fraudulent charges, it still usually falls to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges. For anyone curious about why the hotel industry has been so heavily targeted over the past few years, check out some of the case studies published by Trustwave Spiderlabs. Organized crime groups (most notably the Carbanak gang) have been targeting customer service and reservations specialists at various hospitality chains with tailored social engineering attacks that involve well-aged fake companies and custom malware. from https://krebsonsecurity.com/2017/10/hyatt-hotels-suffers-2nd-card-breach-in-2-years/
Vote For Chance To Win a Flagship Handset!iMend.com are proud to be nominated as a finalist for Best Service and Repair in the 2017 What Mobile Awards For 12 years the What Mobile Awards have been the UK’s biggest mobile consumer voted awards – decided, not by judges or journalists, but by the thousands of readers of What Mobile and visitors to WhatMobile.net. We would like to thank all our team, technicians and customers who have supported iMend.com this year Final voting is now open for the Award. We would be really grateful if you could vote for us by clicking here Oh, and don’t forget, as a thank you for completing the voting survey, you’ll be in with a chance to win a flagship handset! The post iMend Nominated For Best Service And Repair At What Mobile Awards 2017! appeared first on iMend Blog. from https://www.imend.com/blog/imend-nominated-for-best-service-and-repair-at-what-mobile-awards-2017/ Microsoft on Tuesday released software updates to fix at least 62 security vulnerabilities in Windows, Office and other software. Two of those flaws were detailed publicly before yesterday’s patches were released, and one of them is already being exploited in active attacks, so attackers already have a head start. Roughly half of the flaws Microsoft addressed this week are in the code that makes up various versions of Windows, and 28 of them were labeled “critical” — meaning malware or malicious attackers could use the weaknesses to break into Windows computers remotely with no help from users. One of the publicly disclosed Windows flaws (CVE-2017-8703) fixed in this batch is a problem with a feature only present in Windows 10 known as the Windows Subsystem for Linux, which allows Windows 10 users to run unmodified Linux binary files. Researchers at CheckPoint recently released some interesting research worth reading about how attackers might soon use this capability to bypass antivirus and other security solutions on Windows. The bug quashed this week that’s being actively exploited resides in Microsoft Office (CVE-2017-11826), and Redmond says attackers could seize control over a vulnerable system just by convincing someone to open a booby-trapped Word file. Another Office vulnerability, (CVE-2017-11776), involves a flaw in Outlook’s ability to encrypt messages; SEC-Consult has more details on this bug. Another critical flaw (CVE-2017-11779) addresses a scary vulnerability in the domain name system (DNS) component of Windows 8 and Windows Server 2012. According to research from Bishop Fox, the security firm credited with finding and reporting the bug, this flaw could be exploited quite easily to gain complete control over vulnerable systems if the attacker controls or compromises a local network (think Wi-Fi hotspot). Normally, Adobe uses Microsoft’s Patch Tuesday (the second Tuesday of each month) to release its own fixes for Flash Player, Reader and other products. However, this time around the company has no security updates available. Adobe did release a new version of Flash that includes bug fixes (v. 27.0.0.159), but generally speaking only even-numbered Flash releases include security fixes. For additional commentary on October’s bundle of updates from Microsoft, see these blogs from security vendors Ivanti and Qualys. For those looking for a straight-up list of which patches deserve priority, check out the always useful roundup from the SANS Internet Storm Center. from https://krebsonsecurity.com/2017/10/microsofts-october-patch-batch-fixes-62-flaws/ Equifax Inc. said today an investigation into information stolen in the epic data breach the company disclosed on Sept. 7 revealed that intruders took a file containing 15.2 million UK records. The company says it is now working to inform 693,665 U.K. consumers whose data was stolen in the attack. Previously, Equifax said the breach impacted approximately 400,000 U.K. residents. But in a statement released Tuesday, Equifax said it would notify 693,665 U.K. consumers by mail that their personal information was jeopardized in the breach. This includes: -12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed. The numbers include data that Equifax held on U.K. consumers as far back as 2011, the company said. Equifax did not say whether any of the above-mentioned data was encrypted. Meanwhile, the U.K.’s National Cyber Security Centre is warning residents to be on their guard against phishing attacks made to look like communications from Equifax about the breach. “Another risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages,” the NCSC wrote. “Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as: ‘To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number’. These phishing messages may be unrelated to Equifax and may use more well known brands. It is unlikely that any organisations will ask their customers to reset security information or passwords as a result of the Equifax breach, but this may be a tactic employed by criminals.” ANALYSISEquifax has been widely criticized for continuously bungling their public response to this still-unfolding data disaster, and today’s update about the extent of the breach in the U.K. was no exception. The Equifax Web site that hosts today’s press release serves “mixed content,” meaning it includes elements that are served over both encrypted and unencrypted pages. The practical effect of this varies depending on which browser you’re using, but some browsers will display a security warning when this happens. That mixed content error may have something to do with a missing image in the press release. That press release was supposed to include an image that breaks down what exactly was stolen from U.K. residents — as detailed in the bulleted list above — but apparently the graphic was either removed or moved pre- or post-publication. Here’s what the press release looks like in Firefox (Equifax still hasn’t fixed this): In Chrome: In Internet Explorer: It’s fairly terrifying when you realize that a company which can’t even issue a press release without managing to omit the most important piece of information in it wields so much power over consumers. Nothing says ‘we care about your security and privacy’ like a message which warns “you got hacked!” and then fails to tell you what that actually means. I’ve been spending quite a bit of time looking at Equifax’s various Web properties over the past few weeks and I have to say it gets scarier the more I look. First it was the discovery that Equifax’s consumer dispute portal in Argentina was protected by nothing more than the username and password “admin/admin.” It’s worth noting that, as mentioned countless times by Equifax’s former CEO in front of several congressional committees last week, the breach of sensitive data on 145.5 million Americans began with lax security at just such a dispute portal (the company declined to say which). Earlier this week I pointed out that the company’s TALX Web site made it trivial to find the salary history of large chunk of the American population, armed with nothing more than someone’s date of birth and Social Security number (both data points, by the way, that were stolen on 145.5 million Americans, thanks to Equifax). The company responded by taking the site offline a few hours after that story ran on Sunday. That site is still “under maintenance,” according to Equifax. While Equifax has stressed that it will offer free credit monitoring services to victims of its own breach, it is still using the entire incident to drive traffic to areas of its consumer business that make the company oodles of money, such as “FREE* credit report & score” services for only £14.95 per month. It’s impossible to understand how Equifax could fail to notice the atrocious optics here, unless of course it really doesn’t care. By the way, if you’re somehow just tuning in to news about this breach, don’t sweat it: Here’s a Q&A that explains what’s at stake and what you should do. from https://krebsonsecurity.com/2017/10/equifax-hackers-stole-info-on-693665-uk-residents/ |
ABOUT MEHi my name is Anthony I am 32 years old from Houston. I am working in local store selling electronic devices. I have been interested in eclectronics since childhood and I like to reacd about it. Archives
April 2019
Categories |