A bit of this, a bit of that, and an insurance lawsuit

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

A phish­ing attack against Bit­coin pay­ment proces­sor Bit­Pay has cost the com­pa­ny $1.8 mil­lion. A hack­er pos­ing as Bit­Pay CFO Bryan Krohn sent emails in Decem­ber from his account autho­riz­ing the trans­fer of 5,000 Bit­coin in three sep­a­rate trans­ac­tions to SecondMarket—ostensibly, the one Bit­Pay cus­tomer from whom it does not require advance pay­ment. The email account of David Bai­ley, founder of Bit­coin quar­ter­ly yBit­coin, was com­pro­mised first. Krohn then received an email appear­ing to be from Bai­ley request­ing he review mod­i­fi­ca­tions made in a Google doc­u­ment. Krohn believes his log-in cre­den­tials were stolen when he entered them to access the sup­posed doc­u­ment. Bit­Pay filed a claim for loss­es, which its insur­ance com­pa­ny, Mass­a­chu­setts Bay Insur­ance Co., denied. Bit­Pay is suing MBIC, cit­ing breach of con­tract, bad faith fail­ure to pay, and statu­to­ry dam­ages. It is seek­ing $950,000 in dam­ages plus court fees. Source: Amer­i­can Banker

Getting carded in a new way

sh_wisconsin_280Wis­con­sin res­i­dents will get new driver’s licens­es and ID cards this fall. Offi­cials with the Wis­con­sin Depart­ment of Trans­porta­tion say the new cards will be the most secure in the Unit­ed States and are designed to curb fraud and iden­ti­ty theft. The cards are made from poly­car­bon­ate and include a laser-engraved black and white pho­to, UV ink and a raised sig­na­ture, date of birth, expi­ra­tion date and ID num­ber. The cards also are stiffer than the old ones, Wis­DOT offi­cials say. Source: KSTP, Saint Paul, Minn.

Don’t bug me; really

A secu­ri­ty com­pa­ny has dis­cov­ered how to obtain high-lev­el per­mis­sions on Bugzil­la, the vul­ner­a­bil­i­ty data­base used by Mozil­la as well as a host of open-source projects and pri­vate busi­ness­es. These data­bas­es con­tain such sen­si­tive infor­ma­tion as details on vul­ner­a­bil­i­ties that orga­ni­za­tions have been told about, but are yet to fix. From here, it is poten­tial­ly pos­si­ble for an attack­er to view details on unpatched prob­lems, which could then be deployed against peo­ple who use Mozil­la prod­ucts, or any of the oth­er affect­ed pieces of soft­ware. Source: Wired

Hey, not my job, man

A top nation­al intel­li­gence offi­cial says the intel­li­gence com­mu­ni­ty had no respon­si­bil­i­ty to warn the Office of Per­son­nel Man­age­ment about vul­ner­a­bil­i­ties that led to the mas­sive hack of more than 21 mil­lion sen­si­tive fed­er­al employ­ee records—despite the inci­dent now being a sig­nif­i­cant nation­al secu­ri­ty risk. In a response let­ter to Sen. Ron Wyden, D-Ore., Nation­al Coun­ter­in­tel­li­gence Exec­u­tive William Evan­i­na, said, “Exec­u­tive branch over­sight of agency infor­ma­tion secu­ri­ty poli­cies and prac­tices rests with the Office of Man­age­ment and Bud­get (OMB) and the Depart­ment of Home­land Secu­ri­ty (DHS). The statu­to­ry author­i­ties of the Nation­al Coun­ter­in­tel­li­gence Exec­u­tive … do not include either iden­ti­fy­ing infor­ma­tion tech­nol­o­gy (IT) vul­ner­a­bil­i­ties to agen­cies or pro­vid­ing rec­om­men­da­tions to them on how to secure their IT sys­tems.” Source: CNN

Got a tiger by the tail

sh_tiger_280A hack­ing group called Iron Tiger has been steal­ing tril­lions of bytes of con­fi­den­tial data from the U.S. gov­ern­ment, U.S. defense con­trac­tors and relat­ed com­pa­nies in the Unit­ed States and abroad, secu­ri­ty com­pa­ny Trend Micro reports in its research paper, “Oper­a­tion Iron Tiger: Explor­ing Chi­nese Cyber Espi­onage Attacks on U.S. Defense Con­trac­tors.” Numer­ous U.S.-based secu­ri­ty tech inten­sive com­pa­nies were hacked and con­tin­u­ous­ly mon­i­tored since 2013 until this year, Trend Micro reports. The attack­ers’ efforts at tar­get­ing VIPs, engi­neers and pub­lic relations/communication offi­cers was evi­denced even as recent­ly as Feb. 17, 2015, when mail of a cor­po­rate strate­gic direc­tor at West­ing­house Elec­tric was breached. Source: Forbes

Bad news means business is booming

A broad­en­ing wave of cyber attacks is drum­ming up clients for defense com­pa­nies as anx­i­ety about the loss of sen­si­tive data spreads from mil­i­tary chiefs to com­pa­ny boss­es. Banks, util­i­ties and media groups are the new cus­tomers of defense com­pa­nies who are gen­er­at­ing a grow­ing pro­por­tion of their rev­enues from cyber secu­ri­ty, help­ing to off­set low­er spend­ing by West­ern gov­ern­ments on tra­di­tion­al weapons. Mil­i­tary chiefs at an arms fair in Lon­don warned that far from the bat­tle­field, cyber attacks have opened a new front in which com­pa­nies, as well as gov­ern­ments, must defend them­selves. “It will no longer just be the phys­i­cal space that is con­test­ed, but the vir­tu­al space also, and the lat­ter con­test may even come to dom­i­nate pro­ceed­ings,” Air Chief Mar­shal Andrew Pul­ford, head of Britain’s Roy­al Air Force, said. Source: Reuters

Different place, same problem

sh_malware_280F-Secure Labs has warned that a hack­er group known as “the Dukes” is engaged in Russ­ian intel­li­gence gath­er­ing. The gang has used a fam­i­ly of unique mal­ware toolsets to steal infor­ma­tion by infil­trat­ing com­put­er net­works and send­ing the data back to attack­ers. The report stat­ed the group has been using these toolsets to launch cyber attacks that sup­port Russ­ian intel­li­gence gath­er­ing for at least sev­en years. Tar­gets have includ­ed the Min­istry of Defence of Geor­gia, the min­istries of for­eign affairs in both Turkey and Ugan­da, as well as oth­er gov­ern­ment insti­tu­tions and polit­i­cal think tanks in the Unit­ed States, Europe and Cen­tral Asia, accord­ing to F-Secure. Source: Com­put­er Weekly

Telecom settles after telling too much

Cal­i­for­nia reg­u­la­tors approved a $33 mil­lion set­tle­ment with Com­cast in con­nec­tion with an unau­tho­rized dis­clo­sure of unlist­ed names, phone num­bers and address­es of 75,000 of the telecom­mu­ni­ca­tions giant’s cus­tomers. The names, phone num­bers and address­es of the unlist­ed and non­pub­lished cus­tomers became avail­able on Comcast’s online direc­to­ry, in one or more rur­al phone books, and through nation­wide direc­to­ry assis­tance, because of Comcast’s errors, the state Pub­lic Util­i­ties Com­mis­sion said. As part of the set­tle­ment, Com­cast agreed to pay a $25 mil­lion fine to the state trea­sury and the state Attor­ney General’s Office, and to under­take $8.4 mil­lion in resti­tu­tion to affect­ed cus­tomers. Source: The Con­tra Cos­ta (Calif.) Times

Patients losing their patience

sh_patient breach_280Hos­pi­tal oper­a­tor Sut­ter Health said per­son­al infor­ma­tion on more than 2,500 patients was improp­er­ly emailed by a for­mer employ­ee in 2013, rep­re­sent­ing a pos­si­ble breach of patient data. The for­mer employ­ee at Sut­ter Physi­cian Ser­vices emailed the records of 2,582 patients to a per­son­al account with­out autho­riza­tion. They includ­ed name, date of birth, insur­ance iden­ti­fi­ca­tion num­ber, date of ser­vice and billing code. In two cas­es, a driver’s licens­es num­ber was accessed, and in one case the patient’s Social Secu­ri­ty num­ber was includ­ed. The com­pa­ny said no finan­cial infor­ma­tion was leaked. This is the third data breach for Sut­ter this year. In Jan­u­ary and March, hun­dreds of patients’ charts were stolen from Sut­ter hos­pi­tals. Source: Health Care IT News

We’ll keep you safe, but there’s a catch

Secu­ri­ty firm AVG can sell search and brows­er his­to­ry data to adver­tis­ers to “make mon­ey” from its free antivirus soft­ware, a change to its pri­va­cy pol­i­cy has con­firmed. The updat­ed pol­i­cy explained that AVG can col­lect “non­per­son­al data,” which could be sold to third par­ties. The pri­va­cy pol­i­cy takes effect on Oct. 15, but AVG said the abil­i­ty to col­lect search his­to­ry data also had been includ­ed in pre­vi­ous pri­va­cy poli­cies, with dif­fer­ent word­ing. AVG’s poten­tial abil­i­ty to col­lect and sell brows­er and search his­to­ry data placed the com­pa­ny “square­ly into the cat­e­go­ry of spy­ware,” said Alexan­der Hanff,  chief exec­u­tive of Think Pri­va­cy. “Antivirus soft­ware runs on our devices with ele­vat­ed priv­i­leges so it can detect and block mal­ware, adware, spy­ware and oth­er threats,” he said. “It is utter­ly uneth­i­cal to [the] high­est degree and a com­plete and total abuse of the trust we give our secu­ri­ty soft­ware.” An AVG spokesper­son said that in order to con­tin­ue offer­ing free secu­ri­ty soft­ware, the com­pa­ny may, in the future, “employ a vari­ety of means, includ­ing sub­scrip­tion, ads and data mod­els.” Source: Wired UK

Google found guilty in Russian court

sh_google guiltyA Russ­ian court found Google guilty of breach­ing pri­va­cy with its tar­get­ed adver­tis­ing. A Moscow city court ordered the search engine provider to pay a fine of 50,000 rubles to a Russ­ian man who sued them for ille­gal­ly read­ing his emails. Google reject­ed the court’s decision—which could open the door for a slew of fur­ther cases—by insist­ing that its tar­get­ed ads were han­dled by an auto­mat­ed sys­tem. “Humans are not read­ing your emails. Our auto­mat­ed sys­tems scan emails in order to pre­vent spam reach­ing your inbox and to detect bad things like mal­ware,” the search provider said. Source: Indi­an Express