A collection point
...and some of my own.
Chrome cripples movie studio Mac Pros

Danny Bradbury: It’s not often that a single software bug can bring an entire industry to a virtual standstill, but it happened last week – and experts finally found an unlikely culprit. The problem began on Monday 22 September when reports emerged of a problem with Macs running Avid software. Avid is an editing suite that production companies use to put movies and TV programs together. A few days ago, movie editors started reporting that Mac Pros running Avid software were crashing. If users tried to restart their machines, they wouldn’t reboot. Imagine how you’d be feeling if you were working on something with a deadline of hours, like a news segment. According to a Google post explaining the incident, Chrome damaged the file system on macOS. Chrome removed a symbolic link (symlink), which is a shortcut to a linked object; the system treats the symlink as the linked object. Keystone, Chrome’s updater, removed the /var symlink, which threw the affected Macs into disarray. If your computer is on OS X 10.11 or later and you haven’t taken steps to disable SIP, this issue cannot affect you. If it isn’t, you will have to reinstall macOS from macOS Recovery.

Vimeo sued for storing face-prints of people without their say-so

Lisa Vaas: You didn’t tell me that you’re collecting and storing my faceprint, you didn’t tell me why or for how long, you didn’t get my written OK to do it, and you haven’t told us how long you’re retaining our biometrics or how we can get you to nuke them, another Illinois resident has said in yet another proposed facial recognition class action lawsuit based on the state’s we’re-not-kidding-around biometrics law. This one’s against the video-sharing, face-tagging website Vimeo. The complaint was filed on 20 September on behalf of potentially thousands of plaintiffs under the Illinois Biometric Information Privacy Act (BIPA). Illinois resident Bradley Acaley is lead plaintiff.
The suit takes aim at Vimeo’s Magisto application: a short-form video creation platform purchased by Vimeo in April 2019 that uses facial recognition to automatically index the faces (along with the gender, age, race, and location) of people in videos so they can be face-tagged. Facebook is facing a similar class-action suit, Patel v. Facebook, first filed in 2015 for violating Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent, in what Facebook has claimed is the largest privately held database of facial recognition data in the world.

Google wins landmark case: Right To Be Forgotten (RTBF) only applies in EU

Since 2015, Google and the French data privacy regulator, CNIL, have been wrestling over how wide a net that implies. Does the amnesia only include results returned to Europeans? Or does it pertain to Google’s worldwide list of domains? Last Tuesday, the European Court of Justice (ECJ) ruled in Google’s favor: RTBF is EU-only, it decreed. Google was inundated with RTBF requests after launching its RTBF form in May 2018. One man who tried to kill his family wanted a link to a news article about it taken down. Other requests came in from a politician with a murky past and a convicted pedophile. By the end of the first day, 12,000 Europeans had submitted the form. For a while, the rate hummed along at 10,000 requests per day. Nearly a third of the requests related to a fraud or scam, one-fifth concerned serious crime, and 12% were connected to arrests having to do with child abuse imagery. By May 2018, the initial flood had ebbed. Google was refusing a majority of them anyway: it was accepting between 42% and 44% of the requests per year. According to its most recent transparency report, as of 7 Sept. 2019, it had cumulatively granted 45% of RTBF search requests, or about 846,000 links.
Microsoft rushes out fix for Internet Explorer zero-day

The zero-day (CVE-2019-1367) was reported to Microsoft by Clément Lecigne of Google’s Threat Analysis Group. It’s a remote code execution (RCE) flaw in the browser’s scripting engine that could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. No further details have been made public in the advisory, but as with most browser vulnerabilities, exploitation would involve luring unpatched users to a malicious website on a Windows machine where IE is set as the default browser. Microsoft’s own security chief told everyone back in February of this year to stop using IE and move on to a more modern browser. A better security solution is just to uninstall IE in Windows 10 in the first place: Settings > Apps > Optional features.

Apps Selling for Hundreds of Dollars on Google Play Store

Giulio Saggin: Android apps are being sold by unscrupulous developers who are abusing a loophole in the policy that allows users to download and use apps at no cost for a short trial period. If the user doesn't want to use the app beyond the trial period, they need to uninstall the app and inform the developer they no longer wish to use it. If this isn't done, the app developer charges the user; usually this is a few dollars. The loophole lies in 'charging the user'. Deceitful developers start by making users sign up with payment information before they can use the app. Many users don't read the fine print, which tells them that, in order to fully stop using the app, they have to explicitly tell the developer they are cancelling the trial period. When users fail to do this, the exorbitant charges start. In the case of one app, the developer charges users €104.99 (US$115) after 72 hours, while the makers of another app go even further and charge users €214.99 (US$235) when the trial ends.
Airbus Suppliers Hit in State-Sponsored Attack

Paris (AFP): There have been four major attacks on Airbus in the last 12 months, according to two security sources involved in investigating the hacking. The group has long been considered a tempting target because of the cutting-edge technologies that have made it one of the world's biggest commercial plane manufacturers, as well as a strategic military supplier. In January, it admitted to a security incident that "resulted in unauthorized access to data", but people with knowledge of the attacks outlined a concerted and far bigger operation over the last year. Hackers targeted British engine-maker Rolls-Royce and the French technology consultancy and supplier Expleo, as well as two other French contractors working for Airbus. "Very large companies are very well protected, it's hard to pirate them, so smaller companies are a better target," said Romain Bottan of BoostAerospace. How did they do it? "The sophisticated attack targeted the VPN which connected the company to Airbus," the source said. Airbus suppliers sometimes operate in a VPN linking them with colleagues at the plane-maker. What were they after? A particular nation state has been repeatedly failing certification of a couple of commercial passenger aircraft it was, or still is, developing, and "At the time of the intrusions, a state-owned aerospace company was working to develop a comparable engine."

Has the "like" button had its last "thumbs up"?

With a mounting body of research pointing to the number of content Likes – or lack thereof – negatively influencing some users’ self-esteem, it may be time to question whether the "like" button might have turned out to be a force for bad. Recent studies have linked increased depression, poor sleeping habits, and unhealthy body image in children and teens with higher use of social media and digital devices.
Facebook and Instagram are currently running tests in Canada, Australia, Brazil, Ireland, Italy, Japan and New Zealand to determine the fate of the "like" button. Extinction may be on the horizon.

Marriott hotels data breach: post mortem

Josh Fruhlinger: On September 8, 2018, an internal security tool flagged as suspicious an attempt to access the internal guest reservation database for Marriott's Starwood brands, which include the Westin, Sheraton, St. Regis, and W hotels. This prompted an internal investigation that determined, through a forensics process that Marriott has not discussed in detail, that the Starwood network had been compromised sometime in 2014 — back when Starwood had been a separate company. Marriott purchased Starwood in 2016, but nearly two years later, the former Starwood hotels hadn't been migrated to Marriott's own reservation system and were still using IT infrastructure inherited from Starwood. In their investigation, Marriott found data that the attackers had encrypted and attempted (probably successfully) to remove from the Starwood systems. By November, they had managed to decrypt that data and discovered that it included information from up to 500 million guest records, though those undoubtedly include duplicate records or multiple records pertaining to individual guests. Many of the records include extremely sensitive information like credit card and passport numbers. Now aware of the severity of the breach, Marriott released a statement on November 30, 2018. Marriott first became aware that they'd been hacked when a security tool flagged an unusual database query. (The tool was actually monitored by Accenture, who had been running IT and infosecurity for Starwood before the merger and continued to do so for the legacy network afterwards.)
The database query was made by a user with administrator privileges, but analysis quickly revealed that the person to whom that account was assigned was not the one who made the query; someone else had managed to take control of the account. A Remote Access Trojan (RAT), along with Mimikatz, a tool for sniffing out username/password combos, were found in system memory. Together, these two tools could have given the attackers control of the administrator account. It's not clear how the RAT was placed onto the Starwood server, but such Trojans are often downloaded from phishing emails. There are cultural and business factors that we might label the root cause of the breach. What stands out here is not the attack's success in breaching Starwood's systems — most security experts today believe it's almost impossible to keep all attackers at bay all the time — but rather that the attack went undetected for four years, because after Marriott acquired Starwood in September 2016, most of Starwood's corporate staff, including those managing information technology and security, were laid off. Hundreds of millions of people had their passport and credit card numbers stolen. Credit card numbers were stored in encrypted form, but the encryption keys were stored on the same server and were also taken in the breach. As for the passport numbers, while some were encrypted, the majority were simply saved in the clear. Who did it? The techniques used point to a nation state looking for details on high-profile business people. And now you know.

Data of Nearly 5 Million DoorDash Users, Dashers, Merchants is Breached

In early September the company became aware of unusual activity by a third-party service provider and launched an investigation, engaging the services of external security experts to assess what happened. From this, it was determined the third party had accessed some DoorDash user data on May 4 this year.
DoorDash said in a statement that "users who joined after April 5, 2018 are not affected ... and the data accessed includes names, email addresses, delivery addresses, phone numbers and hashed, salted passwords." Some consumers had the last four digits of their payment cards exposed, but not the full card number or CVV. Similarly, some Dashers and merchants had the last four digits of their bank account number exposed but not the full account information. Around 100,000 Dashers had their driver’s license numbers accessed.

Cybercriminals shop for admin access to healthcare portals

When people think about hackers and their targets, most assume cybercriminals are after bank account numbers or financial institutions. But a new study from cybersecurity firm IntSights shows hackers are now homing in on healthcare institutions for lucrative information to steal. IntSights' new research report "Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry" looks at what methods cybercriminals are using and what healthcare organizations can do to protect themselves. "If you would have told me 15 years ago, 'Hey let's go target the database manager for this insurance company,' I wouldn't even know where to begin," said IntSights chief security officer Etay Maor. "But today, I go online, and there's websites and free software which will map it out and give you an organizational chart from CEO to secretary, all based on LinkedIn information and other things. Working out spear-phishing attacks then becomes easy at that point. The infrastructure is not as advanced as other places, and healthcare data is extremely valuable. There's so much info that can be used for all kinds of things," Maor said. "If I'm a cybercriminal, and I steal a credit card, great, maybe I can use it or not. If I steal a patient's data? I can do insurance fraud, I can do account takeover, or financial fraud. I can create static IDs or order drugs.
That's why credit cards on the dark web go for $1, and healthcare information or patient data goes for $50."

What Are Zero-Knowledge Proofs?

Lily Hay Newman: Zero-knowledge techniques are mathematical methods used to verify things without sharing or revealing underlying data. Think of a payment app checking whether you have enough money in your bank account to complete a transaction without finding out anything else about your balance. Or an app confirming a password's validity without needing to directly process it. In this way, zero-knowledge proofs can help broker all sorts of sensitive agreements, transactions, and interactions in a more private and secure way. Zero-knowledge protocols are probabilistic assessments, which means they don't prove something with the complete certainty that simply revealing it would. Instead, they provide small pieces of unlinkable information that can accumulate to show that the validity of an assertion is overwhelmingly probable. Researchers at MIT first started developing the concept of a zero-knowledge proof in the 1980s. A classic example of the utility of zero-knowledge proofs describes two millionaires, Alice and Bob, who want to know which of them has more money without revealing how much wealth they each have. The techniques have come into prominence over the past decade in a more concrete way thanks in part to their usefulness in blockchain applications like cryptocurrencies. For example, zero-knowledge proofs can be used to validate cryptocurrency transactions managed on a blockchain and combat fraud without revealing data about which wallet a payment came from, where it was sent, or how much currency changed hands. By contrast, digital currency that doesn't incorporate zero-knowledge proofs, like Bitcoin, reveals all of that information. As is unfortunately often the case, the enormous potential of zero-knowledge proofs can sometimes lead the phrase to be over-used.
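As an added worked example (not from the Wired piece or from this blog), here is a toy interactive zero-knowledge proof of knowledge of a discrete logarithm in the Schnorr style; the group parameters, the secret value and the cheating strategy are all constructed for the example. It shows why a single round reveals nothing about the secret, why a prover who lacks the secret can pass a round only by guessing the challenge, and therefore why certainty accumulates over rounds in the probabilistic way the text describes.

```python
"""Schnorr-style interactive zero-knowledge proof of knowledge of a discrete
logarithm (added example).  The prover knows x with y = G**x mod P and
convinces a verifier of that without revealing x.  A cheater who lacks x
passes a round only by guessing the verifier's challenge bit in advance, so
each extra round halves its odds: certainty accumulates probabilistically."""
import random

# Toy parameters, constructed for this example (far too small for real use).
# P = 1019 is prime, P - 1 = 2 * 509 with 509 prime, and G = 4 = 2**2 is a
# quadratic residue, so G generates the subgroup of prime order Q = 509.
P, Q, G = 1019, 509, 4


class HonestProver:
    """Knows the secret x and follows the protocol."""

    def __init__(self, x, rng):
        self.x, self.rng, self.r = x % Q, rng, None

    def commit(self):
        # Fresh random nonce each round; t = G**r reveals nothing about r.
        self.r = self.rng.randrange(1, Q)
        return pow(G, self.r, P)

    def respond(self, c):
        # s = r + c*x mod Q: the verifier sees either r or r + x, each of
        # which is uniformly random on its own, so x stays hidden.
        return (self.r + c * self.x) % Q


class CheatingProver:
    """Holds the public y only.  Guesses the challenge bit before committing
    and builds a commitment that verifies only if the guess was right."""

    def __init__(self, y, rng):
        self.y, self.rng = y, rng

    def commit(self):
        self.guess = self.rng.randrange(2)
        self.s = self.rng.randrange(Q)
        # Choose t so that G**s == t * y**guess (mod P) for the guessed bit.
        return pow(G, self.s, P) * pow(self.y, -self.guess, P) % P

    def respond(self, c):
        return self.s  # only correct when c == self.guess


def verify_round(y, t, c, s):
    """Verifier's check for one round: G**s must equal t * y**c (mod P)."""
    return 1 <= t < P and pow(G, s, P) == t * pow(y, c, P) % P


def run_protocol(prover, y, rounds, rng):
    """Run commit / challenge / response rounds; accept only if all pass."""
    for _ in range(rounds):
        t = prover.commit()          # prover -> verifier: commitment
        c = rng.randrange(2)         # verifier -> prover: challenge bit
        s = prover.respond(c)        # prover -> verifier: response
        if not verify_round(y, t, c, s):
            return False
    return True


def cheat_success_rate(rounds, trials, seed=0):
    """Empirical fraction of trials in which a cheater passes all rounds.
    The theoretical value is 2**-rounds."""
    rng = random.Random(seed)
    y = pow(G, rng.randrange(1, Q), P)
    wins = sum(run_protocol(CheatingProver(y, rng), y, rounds, rng)
               for _ in range(trials))
    return wins / trials


def simulate_transcript(y, rng):
    """Why the verifier learns nothing: anyone holding only y can produce a
    (t, c, s) transcript with the same distribution as a real one by picking
    c and s first.  Real transcripts therefore carry no information about x."""
    c, s = rng.randrange(2), rng.randrange(Q)
    return pow(G, s, P) * pow(y, -c, P) % P, c, s


def demo(seed=42, rounds=40, trials=2000):
    """Run every piece once and return the results keyed by name."""
    rng = random.Random(seed)
    x = 123                          # secret, held only by the honest prover
    y = pow(G, x, P)                 # public value both sides know
    return {
        "honest_accepted": run_protocol(HonestProver(x, rng), y, rounds, rng),
        "cheater_accepted": run_protocol(CheatingProver(y, rng), y, rounds, rng),
        "simulated_verifies": verify_round(y, *simulate_transcript(y, rng)),
        "cheat_rate_1_round": cheat_success_rate(1, trials, seed),
        "cheat_rate_10_rounds": cheat_success_rate(10, trials, seed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Requires Python 3.8 or later for `pow(y, -1, P)` modular inverses; the one-round cheat rate lands near 0.5 and the ten-round rate near 0.001, matching 2**-rounds.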
"Zero-knowledge is one of the most misused terms," says Jean-Philippe Aumasson, CEO of the Swiss IoT encryption company Teserakt AG. "It's sometimes used to refer to user encryption when the server has 'zero knowledge' of the data. And there's also 'zero-knowledge architecture,' but these don't necessarily have much to do with zero-knowledge proofs." "Zero-knowledge is probably the most useful technology we've got, and we've barely begun to use it."

iPhone iOS 13 Lockscreen Bypass Flaw Exposes Contacts

Lindsey O'Donnell: The hack was first discovered by researcher Jose Rodriguez, an Apple enthusiast based in Spain who has found a slew of previous iPhone bypasses. This latest one could enable someone with physical access to a vulnerable iPhone to bypass the passcode authorization screen, and exists in the beta version of Apple’s soon-to-be-released mobile operating system, iOS 13. iOS 13 won’t be released to the masses until Sept. 19, but Rodriguez confirmed that the flaw works on the Gold Master (GM) version of iOS 13, which has been shipped out to developers (although it does appear to be fixed in beta versions of iOS 13.1, which is slated to be released on Sept. 30, Rodriguez said). Once the victim’s phone receives the FaceTime call, instead of answering, the attacker clicks the “custom” option and then responds with a text message. From there, the user must use Apple’s voice-over feature — which allows users to make requests to Siri using voice commands — to request to change the “to” field of the text message, and the “to” field then pulls up the phone’s contact list. That allows a user to look through the victim’s address book and siphon contacts, phone numbers and email addresses. The attack has been tested and confirmed by various news outlets on the iOS 13 GM running on an iPhone X. So, if you are worried about your contacts being exposed this way, it might be worth waiting for 13.1 at the end of the month.
National Security Is in Trump's Hands

Matt Laslo for Wired: The week began with revelations, first reported by CNN, that US intelligence agencies had pulled a high-level spy who gained the trust of senior officials inside the Kremlin, over fears the asset could be compromised. Then on Tuesday, the president jettisoned yet another national security advisor even as global conflicts, from Afghanistan and Iran to Venezuela, continue to simmer. It's not comforting to know that while most presidents have had just a single national security advisor during their whole time in office, Trump is on his fourth.

Telegram fixes ‘unsend message’ bug that held on to your pictures

Danny Bradbury: Imagine this: you’re at a party one Saturday night and, at 1 a.m., decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a liter of Smithwick’s finest from a beer bong. Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Telegram introduced its ‘unsend message’ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw. The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion. The company fixed the bug in version 5.11, so once again it is safe to don your dancing apparel.
Facebook says location data in iOS 13, Android 10 may be "confusing"

The post explains how Facebook’s app collects and uses background location data from smartphones: “background,” as in, when you’re not actually using the app. iOS 13 will show users a map of where apps have been tracking you when requesting permission. The notifications show a map of the specific location data a given app has tracked, displaying the snail-slime trails that we all leave behind in our daily travels and which so many apps are eager to sniff at for marketing purposes. iOS 13 will also give users reports on what apps are up to if you do choose to grant them the ability to continually monitor your location in the background. Android 10 also addresses apps that snoop on location data using other means, including by looking at Wi-Fi access points or checking folders for location data left by other apps. Android 10 requires specific fine location permissions for apps accessing selected Wi-Fi, telephony, and Bluetooth functions. It also has a new feature called scoped storage, which restricts an app’s access to files on external storage, only giving it access to its specific directory and media types. Make no mistake: Facebook thinks it’s better with location data: "It powers features like check-ins and makes planning events easier. It helps improve ads and keep you and the Facebook community safe. Features like Find Wi-Fi and Nearby Friends use precise location even when you’re not using the app to make sure that alerts and tools are accurate and personalized for you."

Massive email fraud bust snares 281 suspects

Lisa Vaas: Operation reWired – a globe-spanning, four-month-long crackdown on email fraud involving law enforcement agencies in 10 countries – has resulted in the arrest of 281 people suspected of running BEC (business email compromise) scams.
The US Department of Justice (DOJ) on Tuesday announced that the operation, which kicked off in May 2019, led to the seizure of nearly $3.7 million in assets and repatriations. Out of the 281 arrests, 167 were in Nigeria, 74 in the US, 18 in Turkey, and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK. Chief Don Fort, with the US Internal Revenue Service’s (IRS’s) Criminal Investigation unit, said in the DOJ’s release that the criminal network was complex, and it had a lot more going on besides talking businesses into making bogus wire transfers. Investigators discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in tax refunds, he said. What’s a BEC (business email compromise) scam? These scams typically involve legitimate business email accounts that have been hijacked, be it through social engineering or hacking, to initiate unauthorized transfers. The scammers often target employees who hold the purse strings and businesses that work with foreign suppliers and/or businesses that are in the habit of executing wire transfer payments. As the DOJ explained in its announcement, the criminal networks that run BEC scams also go after individuals, such as people buying real estate, the elderly, and others, by convincing them to make wire transfers to bank accounts that the crooks control. We saw an example of a real estate scam earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia. Sometimes the fraudsters will impersonate a key employee or business partner after they’ve seized control of that person’s email account. Sometimes, they’ll find their victims through romance and lottery scams. And sometimes, they’ll use dating sites to recruit money mules to help them launder the ill-gotten booty.
Last month, the FBI said that this recruitment of money mules on dating sites is on the rise. BEC scammers aren’t fussy: besides fraudulent wire transfers, they’ll sometimes go after fraudulent requests for checks… or sensitive personally identifiable information (PII)… or employee tax records… or any/all of the above.

Google experiments with DNS-over-HTTPS in Chrome

Following hot on Mozilla’s trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week. Mozilla recently announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. This provides some privacy protections compared with regular DNS queries. Nevertheless, Google clearly doesn’t want to be outdone. It published a blog post on Tuesday providing more detail on DoH functionality that it will include in Chrome 78. Google is taking a slightly different approach to Mozilla, though. For one thing, it won’t change the user’s DNS provider. When Chrome makes a web request, it will check to see if the user’s current DNS provider is on a list of DoH-friendly DNS services which Google says it has vetted for strong security and privacy. Only if it is on that list will it switch to DoH. This brings a significant benefit, according to the search and advertising giant: "By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work." Right now, there are six providers in that list alongside Google itself: CleanBrowsing, Cloudflare (which is Mozilla’s DoH provider of choice), DNS.SB, OpenDNS, and IBM’s Quad9. Google is making the service available on all Chrome-supported platforms with the exception of Linux and iOS.
For now, the experiment will roll out to “a fraction” of Chrome users, although Google didn’t respond to questions about how they will be selected or where they are. If you’re one of them, you will be able to opt out by disabling the flag, accessible in Chrome 78 by typing the following into your address bar: chrome://flags/#dns-over-https

Chrome 78 will enter beta sometime between 19 and 26 September 2019, and is due for a stable release on 22 October 2019.

Cyber-security incident at US power grid entity linked to unpatched firewalls

A cyber-security incident that impacted a US power grid entity earlier this year was not as dangerous as initially thought, the North American Electric Reliability Corporation (NERC) said last week. In a report highlighting the "lessons learned" from a past incident, NERC said hackers repeatedly caused firewalls to reboot for about ten hours, on March 5, 2019. The incident impacted firewalls deployed at multiple power generation sites operated by a "low-impact" operator and did not cause any disruption in the electric power supply. The incident impacted network perimeter firewalls, which, on March 5, were mysteriously going down for periods of up to five minutes. The firewall reboots continued for hours, prompting the power grid operator to start an investigation. "Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability," the report said. The power grid operator eventually discovered that they had failed to apply firmware updates for the firewalls that were under attack. The reboots stopped after the operator deployed the proper patches.
Parts of Wikipedia Offline After 'Malicious' Attack

The server of the Wikimedia Foundation, which hosts the site, suffered a "massive" Distributed Denial of Service (DDoS) attack. DDoS attacks involve legions of zombie computers -- machines infected with viruses and commanded to simultaneously visit a website. Such a massive onslaught of demand can overwhelm website servers, slowing service or knocking them offline, and in this case it did. Wikimedia condemned the breach of its server, saying it threatened "everyone's fundamental rights to freely access and share information."

Chinese Group Built Advanced Trojan by Reverse Engineering NSA Attack Tool

APT3 quietly monitored an NSA attack on its systems and used the information to build a weapon of its own. Chinese threat actor APT3 quietly monitored the US National Security Agency's use of a highly sophisticated cyber attack tool and then reverse engineered the code to build an advanced Trojan of its own called Bemstour. That conclusion is based on analysis of Bemstour after attacks on targets in multiple countries, including Belgium, Hong Kong and the Philippines. APT3 developed the exploit by reverse-engineering the NSA's EternalRomance, but then tweaked it so it could be used to target more systems. APT3's Bemstour leveraged the same Windows zero-day as the one used in EternalRomance (CVE-2017-0143). In addition, the group also created an exploit for another Windows zero-day (CVE-2019-0703). Both flaws have been patched. "The main takeaway is that we see evidence for the first time of a nation-state collecting and reusing foreign attack tools to recreate their own. We heard of that happening in theory; but now we have evidence to support it."
Police Use of Facial Recognition is OK, Say Americans

According to the Pew Research Center, 56 percent of Americans said that they trusted police and government officials to use facial recognition technology responsibly, including situations in which no consent is given. Around 50% said it is OK for law enforcement to use facial recognition tools to assess security threats in public spaces. But, when asked about other types of organizations using the technology, survey respondents were much less enthusiastic, with 36 percent saying they could trust technology companies... and a less enthusiastic 18% saying they trusted advertisers to use facial recognition responsibly. Note that there are age and racial skews to this data, with Caucasian respondents coming in with the highest trust ratings and Black and Hispanic respondents far lower. Age-wise, younger respondents trusted less, while older demographics seemed to be more trusting of the police using this data.

Apple: Your iPhone Is Secure, Google Is Just 'Stoking Fear'

Michael Kan: Apple is pushing back on reports that iOS has a security problem. Apple said Friday that an iPhone hack disclosed last week by Google was targeting members of the Uighur Muslim community—not the public at large, as some had feared. "Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case," Apple said in a statement. "Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," Apple added. Google researchers uncovered 14 previously unknown vulnerabilities in iOS that were being used by a mysterious group to deliver spyware to iPhones.
"Splintering" Makes Hacking Passwords 14 Million Percent Harder

Kevin Townsend: The Australian Tide Foundation has announced details of a distributed ledger technology (DLT) password protection system using 'splintering' to deliver password security that is massively greater than the traditional central hashed database. This is a component of a wider project to develop a new marketplace for a new personal data economy. The Tide Protocol will use distributed ledger (blockchain and encryption) technology to create a secure but open marketplace where PII can be safe, but sold. The infrastructure creates a secure vault for personal data where only the user has a key to his/her own data. This ensures that only the user can agree to the sale of that data. In its own words, Tide is creating "an open-source framework that operates on a decentralized blockchain-based architecture. The Tide cryptocurrency (Tide Settlement Tokens) will power the economy, managing both access permissions and remuneration across the ecosystem." The Tide Protocol runs on an EOS-based DLT, using EOS' asynchronous Byzantine Fault Tolerance Delegated Proof of Stake (aBFT-DPoS). This has already achieved more than 4,000 transactions per second (TPS), where the Bitcoin network handles 7 TPS and Ethereum handles 15 TPS. As the first stage of launching its full vision of a new personal data economy, Tide has announced its 'splintering' encryption technology for the secure storage of passwords. Rather than the traditional method of storing user passwords as hashed and salted entries in a single centralized database, splintering breaks the password into tiny sections, hashes and salts each of them individually, and then stores them in the vaults of a distributed ledger. "This technique," says Tide, "makes it tremendously more difficult to reconstruct one complete password, let alone all the passwords, using either reverse engineering or common brute force attack methods."
It mentions that breaches "like those suffered by Capital One, Equifax and Marriott cost companies in many ways, including large fines, legal problems and PR crises, not to mention loss of customer trust." The splintering technology was tested against the 60 million passwords stolen and leaked from LinkedIn. Tide's engineers found that splintering reduced the odds of a successful dictionary attack from 100% to 0.00072%; that is, a 14 million percent improvement.

Scams and Ransomware Cost Kiwis $6.5m in 3 Months

Sarah Coble: A report published Thursday by the government's national Computer Emergency Response Team (CERT NZ) revealed that $6.5 million in direct financial losses were reported nationwide in the second quarter of 2019. CERT NZ's findings show a marked increase in the number of cybersecurity attacks inflicted on businesses and individuals across NZ between quarters one and two of this year. Q2 showed a 21% increase over quarter one. Out of all the cybercrime reported in quarter two, 23% involved some type of financial loss. "Scams and Fraud" was the highest reported category in quarter two, making up 38% of all reports. 19% were related to buying and selling goods online.

Hackers who hit Texas with ransomware attack demanded $2.5 million and got zip

In the early morning hours of Friday August 16th 2019, hackers managed to infiltrate the networks of 22 local government organizations in Texas via a third-party services provider, planting ransomware that encrypted data and disrupted business-critical services. The hackers’ demand? $2.5 million for the decryption keys to unlock the data. But Texas decided to do something different from the other states hit by ransomware: they didn’t pay up. Within hours of receiving notice of the event, state and federal teams were executing the plan and in the field at the most critically impacted sites to begin eradicating the malware and assessing impact to systems.
By day four, response teams had visited all impacted sites and state response work had been completed at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery. This is all very impressive, of course, but chances are that the clean-up and recovery – combined with the disruption to normal services – has actually cost more money than it would have cost to pay the cybercriminals who were holding it to ransom… And that cost is likely to be passed on to taxpayers ultimately, but at least it is a step in the right direction, discouraging ransom attacks.