Monthly Archives: December 2013


LinkedIn is a good marketing tool, but what else can it be used for?

LinkedIn is rife with information about people. In a targeted attack, Facebook and LinkedIn would probably be the two places an attacker starts gathering information. Many people lock down Facebook, but LinkedIn doesn't have the same privacy controls, and in fact the information on LinkedIn is often meant to be public. What LinkedIn provides is a free, centralized source for that information. Source: http://securityaffairs.co/wordpress/19446/cyber-crime/linkedin-targeted-attacks.html

By | 2014-01-24T20:35:17+00:00 December 23rd, 2013 | Compliance, Phishing, Privacy, Social Engineering

Who was affected by the php.net attack?

[Figure: Geographic breakdown of machines infected by DGA.Changer]

This is related to our initial post about the php.net attack and whether or not the source code was compromised. According to this article, "One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts." Source: http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-exposed-users-to-highly-unusual-malware/

Are the websites you’re using tracking what you type?

Source: http://nakedsecurity.sophos.com/2013/12/17/are-the-websites-youre-using-tracking-what-you-type/ Backspacing, select-all/delete, hitting cancel, or whatever else you did to avoid telling the world what you had typed may itself have been logged. "Self-Censorship on Facebook" (PDF), a paper describing a study conducted by two Facebook researchers, says they used code embedded in the web pages to determine whether anything had been typed into the forms in which we compose status updates or comment on people's posts. If the content wasn't shared within 10 minutes, it was marked as self-censored. According to Facebook: "the things you explicitly choose not to share aren't entirely private." Facebook spent [...]

Poor Patching, Communication Facilitated July Dept. of Energy Breach

Source: http://threatpost.com/poor-patching-communication-facilitated-july-dept-of-energy-breach/103200 The U.S. Department of Energy describes what led to the July breach: failures around vulnerability management and access controls, and a general lack of communication between decision makers. Hackers were able to penetrate a Web-facing application and steal personal information on 104,179 current and former employees, dependents and contractors. They had access to information that could have included names, addresses, Social Security numbers, dates of birth and bank account information, all unencrypted. DOE failed to live up to industry standards and government mandates around not only encryption of sensitive data but also installing software updates, purchased in March, that would [...]

Two Missing BCBS laptops may impact 800k people

Source: http://threatpost.com/two-missing-insurance-laptops-may-impact-800k-people/103202 Someone broke into the offices of Horizon Blue Cross Blue Shield of New Jersey and stole two laptops that contained the sensitive information of more than 800,000 members. The medical insurance provider claims that the machines were locked to an employee workstation inside Horizon's Newark headquarters. The laptops are password protected, but the insurer also admitted that it had failed to encrypt them. The stolen machines may have contained member names, addresses, dates of birth, Horizon Blue Cross Blue Shield of New Jersey identification numbers, Social Security numbers, and clinical information. Horizon Blue Cross Blue Shield of New Jersey claims that they have no [...]

Target Stores said to have data breach of over 40 million customers

Source: http://news.cnet.com/8301-1009_3-57616054-83/target-investigating-massive-black-friday-data-breach-report/ Everyone will be attacked, and many will be breached. Have you taken steps to protect your organization, or made plans for how to react in the event of a data breach? Securit360 offers services to fortify your security programs, train your employees, and measure your vulnerabilities.

Missing Thumb Drive Compromises User Data

Do you have policies in place to protect your clients' data? Do you verify that your employees are following those policies? It was reported that nearly 19000 users were compromised because someone lost a thumb drive that was not encrypted, even though there was a policy in place saying it should have been. Do you need help creating or reviewing your policies? Do your policies meet regulations?

Microsoft December Security Bulletin

Today Microsoft released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical, while the other six have a maximum severity rating of Important. http://blogs.technet.com/b/srd/archive/2013/12/10/assessing-risk-for-the-december-2013-security-updates.aspx