Sunday, September 13, 2015

Issue 29 - Week of Sep 7th

1. Data breach exposes 10M health records from New York insurer. "More than 10 million records were exposed in a data breach of health insurer Excellus BlueCross BlueShield and a partner company. Excellus revealed the breach on Wednesday, telling customers they would receive identity-monitoring services and that the FBI is investigating the crime. The records included Social Security numbers and other identifying information, as well as claims members made to pay for medical care." That is only a fraction of the size of a similar hack earlier this year, but it raises the question, "Again?" This blog's issue for the week of May 18th had reported on that breach of 1.1M records.

2. Britain's Largest Bank And Insurer Admit to Massive Data Theft. The website of RSA (Royal Insurance and Sun Alliance) carried the following update: "A storage device that contained information about some of our customers is missing and has been reported as stolen. The privacy and security of our customers' personal information is a top priority for RSA. We value the trust our customers place in us to keep their personal information secure and we regret the concern that this loss may cause. We're making available two years of identity protection to anyone affected by this incident as well as providing more information on this site on how to protect your personal information."

3. When hackers swiped an estimated 37 million accounts associated with AshleyMadison.com, a site which helps married people cheat on their partners, there was a rush to find out what had been stolen. A month after the breach was reported, hackers released the first cache of stolen data and the list of the worst passwords in the Ashley Madison breach just got longer -- and a lot more depressing. '123456', '12345', 'password', 'default', '123456789' are the top five passwords.

4. Researcher discloses zero-day vulnerability in FireEye. "Last week, Kristian Erik Hermansen of a German firm ERNW, disclosed a zero-day vulnerability in FireEye's core product, which if exploited, results in unauthorized file disclosure. As proof, he also posted a brief example of how to trigger the vulnerability and a copy of the /etc/passwd file. What's more, he claimed to have had three other vulnerabilities, and said they were for sale." FireEye responded by releasing patches for all the vulnerabilities, but not before obtaining an injunction against the researcher restraining him from going public, and in the process faced significant wrath from the internet community for stifling not only free speech but also the ability to warn and educate its customers.

5. Websense Security Labs identified a rising trend in bold, well-researched, targeted fraud attacks using typo-squatting and false headers as their primary gambit. Since then, these fraudulent attacks have continued, logging immense gains in both volume and success: the FBI's Internet Crime Complaint Center (IC3) reports a 270% increase in identified victims and dollar losses since January. Typo-squatting is a technique in which the attacker registers a fake domain that differs from the target domain by only one character, or by a pair of transposed characters. Most often these domains are put to use within hours of registration, and according to the IC3 the money trail takes several hops around the world but primarily ends up in Asian banks (specifically in mainland China and Hong Kong).
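The one-character and transposed-character lookalikes described above can be caught on the receiving side by measuring the edit distance between a sender's domain and the domains you trust. The following is an added example, not code from the original post or from Websense; example.com, the trusted list and the From: headers are constructed sample data, and legitimate domains that happen to sit one edit away from each other would need an allowlist in practice.

```python
from email.utils import parseaddr

def damerau_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    swaps of two adjacent characters (the 'transposed characters' case)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def sender_domain(header_from: str) -> str:
    """Domain of the address in a From: header, normalised for comparison."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def is_lookalike(candidate: str, trusted: str, max_distance: int = 1) -> bool:
    """True when candidate is near, but not equal to, a trusted domain."""
    return 0 < damerau_distance(candidate, trusted) <= max_distance

def flag_lookalikes(from_headers, trusted_domains):
    """Return (sender_domain, trusted_domain) pairs for headers whose sender
    domain is within one edit or one transposition of a trusted domain."""
    hits = []
    for header in from_headers:
        dom = sender_domain(header)
        for trusted in trusted_domains:
            if is_lookalike(dom, trusted):
                hits.append((dom, trusted))
    return hits

# Constructed sample headers; example.com stands in for the impersonated company.
FROM_HEADERS = [
    "CFO <cfo@example.com>",            # genuine domain: not flagged
    "CFO <cfo@exmaple.com>",            # transposed 'a' and 'm'
    "Vendor AP <ap@examp1e.com>",       # digit 1 substituted for 'l'
    "Newsletter <news@unrelated.org>",  # unrelated domain: not flagged
]
TRUSTED_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for dom, trusted in flag_lookalikes(FROM_HEADERS, TRUSTED_DOMAINS):
        print(f"possible typo-squat: {dom} (looks like {trusted})")
```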

6. Mozilla admitted last week that its Bugzilla bug tracking system was breached by an attacker, who was then able to get access to information about unpatched zero-day bugs. According to Mozilla, the attacker was able to breach a user's account that had privileged access to Bugzilla, including the non-public zero-day flaw information. As far as Mozilla has been able to determine at this time, the attacker accessed approximately 185 bugs that were non-public. Of those bugs, Mozilla considered 53 to be severe vulnerabilities.

7. DOE Hacked 159 Times From 2010 To 2014, Report Says. It is no surprise that the US Department of Energy (DOE) is a major target for cyber-attacks, but new data shows just how often the agency gets hit: it reported 1,131 attack attempts during a 48-month period, of which 159 were "successful," the publication reports.

8. Over two months after Italian surveillance software maker Hacking Team had its internal data leaked by hackers, vendors are apparently still fixing zero-day exploits from the company's arsenal. On Tuesday (Patch Tuesday), Microsoft published 12 security bulletins covering 56 vulnerabilities in the new Edge browser, Internet Explorer, Windows, Office, Skype for Business, .NET Framework and some of its other software products.

9. "The New York Times on Monday reported that Apple was served a court order by the Justice Department this summer over an investigation involving drug and gun crime, demanding it provide real time access to text messages sent between suspects using iPhones. Apple reportedly said its iMessage system was encrypted and, as a result, it couldn't comply with the order. Consequently, the company can't provide the same interception capabilities to law enforcement officials under US wiretap laws as telecoms operators can."


10. Digital India and ‘Make in India’ are two initiatives launched by the Government of India. According to Avinash Kadam (Advisor, ISACA India), these initiatives will succeed only if industries and enterprises prosper, and industries and enterprises will prosper only if they take care of the 4 Ms of manufacturing (Man, Machine, Material and Method) and now, most importantly, cyber security.

2014 – 783 Breaches – 80 Million records.
2015 (till 8th Sep 2015) – 541 Breaches – 140 Million records.
