Categories
Social Engineering>Phishing|Compliance>Privacy

Linkedin is a good marketing tool, but what else can it be used for?

LinkedIn is rife with information about people. In a targeted attack, Facebook and LinkedIn would probably be the two places an attacker starts gathering information. Many people lock down Facebook, but LinkedIn does not have the same privacy controls, and in fact the information on LinkedIn is often meant to be public. What LinkedIn provides is a free, centralized source for that information.

Source: http://securityaffairs.co/wordpress/19446/cyber-crime/linkedin-targeted-attacks.html

Categories
Information Security|Computer & Network Security>Malware

Who was affected by the php.net attack?

Geographic breakdown of machines infected by DGA Changer

This is related to our initial post about the PHP.net attack and whether or not the source code was compromised. According to this article, “One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts.”

Source: https://arstechnica.com/security/2013/12/hackers-who-breached-php-net-exposed-users-to-highly-unusual-malware/

Categories
Information Security|Compliance>Privacy|Social Engineering|Computer & Network Security>Vulnerabilities

Are the websites you’re using tracking what you type?

Source: http://nakedsecurity.sophos.com/2013/12/17/are-the-websites-youre-using-tracking-what-you-type/

  • Backspacing, selecting all and deleting, hitting cancel, or whatever else you do to avoid telling the world what you typed: it may have been logged anyway.
  • A paper, Self-Censorship on Facebook (PDF), describes a study by two Facebook researchers who used code embedded in the web pages to determine whether anything had been typed into the forms used to compose status updates or comment on people’s posts.
  • If the content was not shared within 10 minutes, it was marked as self-censored.
  • According to Facebook: “the things you explicitly choose not to share aren’t entirely private.”
  • Facebook spent 17 days tracking abandoned posts in a manner that some might find discomforting, and readers are reminded that the internet allows website owners to be far, far more invasive.

Categories
Compliance|Information Security>Data Breach|Computer & Network Security>Patches|Computer & Network Security>Vulnerabilities

Poor Patching, Communication Facilitated July Dept. of Energy Breach

Source: http://threatpost.com/poor-patching-communication-facilitated-july-dept-of-energy-breach/103200

  • The U.S. Department of Energy describes what led to the July breach.
  • Failures around vulnerability management, access controls, and a general lack of communication between decision makers.
  • Hackers were able to penetrate a Web-facing application and steal personal information on 104,179 current and former employees, dependents, and contractors.
  • They had access to information that could have included names, addresses, Social Security numbers, dates of birth, and bank account information, all unencrypted.
  • DOE failed to live up to industry standards and government mandates, not only around encryption of sensitive data but also around installing software updates. Updates purchased in March that would have prevented the breach instead sat for five months in a testing environment; installing them would have cost significantly less than the expected $3.7 million price tag for credit monitoring and other recovery costs.

Categories
Information Security>Asset Management|Information Security>Data Breach|Compliance>Encryption|Compliance>Privacy

Two Missing BCBS laptops may impact 800k people

Source: http://threatpost.com/two-missing-insurance-laptops-may-impact-800k-people/103202

  • Someone broke into the offices of Horizon Blue Cross Blue Shield of New Jersey and stole two laptops that contained the sensitive information of more than 800,000 members.
  • The medical insurance provider claims that the machines were locked to an employee workstation inside Horizon’s Newark headquarters.
  • Horizon says the laptops are password protected but admitted that it had failed to encrypt them.
  • The stolen machines may have contained member names, addresses, dates of birth, Horizon Blue Cross Blue Shield of New Jersey identification numbers, Social Security numbers, and clinical information.
  • Horizon Blue Cross Blue Shield of New Jersey claims it has no reason to believe the thieves targeted the stolen laptops because of the information stored on them.
  • “Due to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible,” the company said.

Categories
Information Security>Data Breach|Compliance>PCI|Compliance>Privacy|Computer & Network Security>Vulnerabilities

Target Stores said to have data breach affecting over 40 million customers

Source: http://news.cnet.com/8301-1009_3-57616054-83/target-investigating-massive-black-friday-data-breach-report/

Everyone will be attacked, and many will be breached. Have you taken steps to protect your organization, or made plans for how to react in the event of a data breach? Securit360 offers services to fortify your security programs, train your employees, and measure your vulnerabilities.


Categories
Information Security>Asset Management|Computer & Network Security|Information Security>Data Breach|Compliance>Encryption|Compliance>HIPAA

Missing Thumb Drive Compromises User Data

Do you have policies in place to protect your clients’ data? Do you verify that your employees are following those policies? It was reported that nearly 19,000 users were compromised because someone lost a thumb drive that was not encrypted, even though a policy was in place saying it should have been.

Do you need help creating or reviewing your policies?  Do your policies meet regulations?

Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Microsoft December Security Bulletin

Today Microsoft released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical, while the other six have a maximum severity rating of Important.

Source: http://blogs.technet.com/b/srd/archive/2013/12/10/assessing-risk-for-the-december-2013-security-updates.aspx