A bit of this, a bit of that, and an insurance lawsuit

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

A phishing attack against Bitcoin payment processor BitPay has cost the company $1.8 million. A hacker posing as BitPay CFO Bryan Krohn sent emails in December from his account authorizing the transfer of 5,000 Bitcoin in three separate transactions to SecondMarket—ostensibly, the one BitPay customer from whom it does not require advance payment. The email account of David Bailey, founder of Bitcoin quarterly yBitcoin, was compromised first. Krohn then received an email appearing to be from Bailey requesting he review modifications made in a Google document. Krohn believes his log-in credentials were stolen when he entered them to access the supposed document. BitPay filed a claim for losses, which its insurance company, Massachusetts Bay Insurance Co., denied. BitPay is suing MBIC, citing breach of contract, bad faith failure to pay, and statutory damages. It is seeking $950,000 in damages plus court fees. Source: American Banker

Getting carded in a new way

sh_wisconsin_280Wisconsin residents will get new driver’s licenses and ID cards this fall. Officials with the Wisconsin Department of Transportation say the new cards will be the most secure in the United States and are designed to curb fraud and identity theft. The cards are made from polycarbonate and include a laser-engraved black and white photo, UV ink and a raised signature, date of birth, expiration date and ID number. The cards also are stiffer than the old ones, WisDOT officials say. Source: KSTP, Saint Paul, Minn.

Don’t bug me; really

A security company has discovered how to obtain high-level permissions on Bugzilla, the vulnerability database used by Mozilla as well as a host of open-source projects and private businesses. These databases contain such sensitive information as details on vulnerabilities that organizations have been told about, but are yet to fix. From here, it is potentially possible for an attacker to view details on unpatched problems, which could then be deployed against people who use Mozilla products, or any of the other affected pieces of software. Source: Wired

Hey, not my job, man

A top national intelligence official says the intelligence community had no responsibility to warn the Office of Personnel Management about vulnerabilities that led to the massive hack of more than 21 million sensitive federal employee records—despite the incident now being a significant national security risk. In a response letter to Sen. Ron Wyden, D-Ore., National Counterintelligence Executive William Evanina, said, “Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS). The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.” Source: CNN

Got a tiger by the tail

sh_tiger_280A hacking group called Iron Tiger has been stealing trillions of bytes of confidential data from the U.S. government, U.S. defense contractors and related companies in the United States and abroad, security company Trend Micro reports in its research paper, “Operation Iron Tiger: Exploring Chinese Cyber Espionage Attacks on U.S. Defense Contractors.” Numerous U.S.-based security tech intensive companies were hacked and continuously monitored since 2013 until this year, Trend Micro reports. The attackers’ efforts at targeting VIPs, engineers and public relations/communication officers was evidenced even as recently as Feb. 17, 2015, when mail of a corporate strategic director at Westinghouse Electric was breached. Source: Forbes

Bad news means business is booming

A broadening wave of cyber attacks is drumming up clients for defense companies as anxiety about the loss of sensitive data spreads from military chiefs to company bosses. Banks, utilities and media groups are the new customers of defense companies who are generating a growing proportion of their revenues from cyber security, helping to offset lower spending by Western governments on traditional weapons. Military chiefs at an arms fair in London warned that far from the battlefield, cyber attacks have opened a new front in which companies, as well as governments, must defend themselves. “It will no longer just be the physical space that is contested, but the virtual space also, and the latter contest may even come to dominate proceedings,” Air Chief Marshal Andrew Pulford, head of Britain’s Royal Air Force, said. Source: Reuters

Different place, same problem

sh_malware_280F-Secure Labs has warned that a hacker group known as “the Dukes” is engaged in Russian intelligence gathering. The gang has used a family of unique malware toolsets to steal information by infiltrating computer networks and sending the data back to attackers. The report stated the group has been using these toolsets to launch cyber attacks that support Russian intelligence gathering for at least seven years. Targets have included the Ministry of Defence of Georgia, the ministries of foreign affairs in both Turkey and Uganda, as well as other government institutions and political think tanks in the United States, Europe and Central Asia, according to F-Secure. Source: Computer Weekly

Telecom settles after telling too much

California regulators approved a $33 million settlement with Comcast in connection with an unauthorized disclosure of unlisted names, phone numbers and addresses of 75,000 of the telecommunications giant’s customers. The names, phone numbers and addresses of the unlisted and nonpublished customers became available on Comcast’s online directory, in one or more rural phone books, and through nationwide directory assistance, because of Comcast’s errors, the state Public Utilities Commission said. As part of the settlement, Comcast agreed to pay a $25 million fine to the state treasury and the state Attorney General’s Office, and to undertake $8.4 million in restitution to affected customers. Source: The Contra Costa (Calif.) Times

Patients losing their patience

sh_patient breach_280Hospital operator Sutter Health said personal information on more than 2,500 patients was improperly emailed by a former employee in 2013, representing a possible breach of patient data. The former employee at Sutter Physician Services emailed the records of 2,582 patients to a personal account without authorization. They included name, date of birth, insurance identification number, date of service and billing code. In two cases, a driver’s licenses number was accessed, and in one case the patient’s Social Security number was included. The company said no financial information was leaked. This is the third data breach for Sutter this year. In January and March, hundreds of patients’ charts were stolen from Sutter hospitals. Source: Health Care IT News

We’ll keep you safe, but there’s a catch

Security firm AVG can sell search and browser history data to advertisers to “make money” from its free antivirus software, a change to its privacy policy has confirmed. The updated policy explained that AVG can collect “nonpersonal data,” which could be sold to third parties. The privacy policy takes effect on Oct. 15, but AVG said the ability to collect search history data also had been included in previous privacy policies, with different wording. AVG’s potential ability to collect and sell browser and search history data placed the company “squarely into the category of spyware,” said Alexander Hanff,  chief executive of Think Privacy. “Antivirus software runs on our devices with elevated privileges so it can detect and block malware, adware, spyware and other threats,” he said. “It is utterly unethical to [the] highest degree and a complete and total abuse of the trust we give our security software.” An AVG spokesperson said that in order to continue offering free security software, the company may, in the future, “employ a variety of means, including subscription, ads and data models.” Source: Wired UK

Google found guilty in Russian court

sh_google guiltyA Russian court found Google guilty of breaching privacy with its targeted advertising. A Moscow city court ordered the search engine provider to pay a fine of 50,000 rubles to a Russian man who sued them for illegally reading his emails. Google rejected the court’s decision—which could open the door for a slew of further cases—by insisting that its targeted ads were handled by an automated system. “Humans are not reading your emails. Our automated systems scan emails in order to prevent spam reaching your inbox and to detect bad things like malware,” the search provider said. Source: Indian Express