Financial fitness could take a hit from physical fitness efforts


A vulnerability in FitBit fitness trackers reported to the vendor in March could still be exploited. The wearables are open on their Bluetooth ports, according to research by Fortinet. The attack can spread to other computers to which an infected FitBit connects. Attacks over Bluetooth require a hacker to be within meters of a target device. Malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. “An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself, without any special need for the attacker being near,” says Fortinet researcher Axelle Apvrille. Source: The Register

We already hate going to the DMV

Six people, including a California DMV clerk, face federal identity theft charges after prosecutors say they sold Puerto Rican birth certificates and matching Social Security numbers to people seeking new identities. The suspects sold them to people willing to pay up to $5,000 for new identities, the U.S. Attorney’s Office said in a statement. Many customers were felons, prosecutors said. “This identity theft scheme was particularly insidious because it both victimized the individuals whose identities were stolen and required the active participation of a government official,” U.S. Attorney Eileen Decker said in a statement. “The fact that a DMV official abused her position of authority in committing this crime is egregious since such conduct can undermine the public’s confidence in a government institution entrusted with our personal information.” Source: The Los Angeles Times

No such thing as a skeleton key, Apple says

Apple told a judge that accessing data stored on a locked iPhone would be “impossible” with devices using its latest operating system, but the company has the “technical ability” to help law enforcement unlock older phones. Apple’s position was laid out in a brief, after a federal magistrate judge in Brooklyn sought its input as he weighed a Justice Department request to force the company to help authorities access a seized iPhone during an investigation. In court papers, Apple said that for the 90 percent of its devices running iOS 8 or higher, granting the Justice Department’s request “would be impossible to perform” after it strengthened encryption methods. Those devices include a feature that prevents anyone without the device’s passcode from accessing its data, including Apple itself. Source: Reuters via The Telegraph

Spending spree, but not the fun kind

U.S. businesses spent more than $2 billion for cyber insurance last year as interest in this coverage grew following high-profile data breaches, says the Insurance Information Institute (I.I.I.). “More than 60 carriers offer stand-alone cyber insurance policies, and Marsh, a major insurance broker, estimates the U.S. cyber insurance market was worth more than $2 billion in gross written premiums in 2014, with some estimates suggesting that figure has the potential to triple by 2020, growing to $7.5 billion,” said Robert Hartwig, president of the I.I.I. and an economist. An I.I.I. white paper examines where the cyber threats are coming from—from foreign governments and criminal enterprises to disgruntled employees—and how businesses can protect themselves from the substantial economic fallout of a data breach. The paper also surveys the rapidly evolving market for cyber insurance, including pricing and limits purchased. Source: PR Newswire

License to steal control of your phone

British spies soon will have the right to hack into smartphones and computers. Lawmakers plan to pass laws allowing a wide range of electronic surveillance, reports suggest. Agencies MI5, MI6 and GCHQ are set to be handed new powers to take control of devices, giving agents access to documents, photographs and communications. A rise in encryption software, which scrambles data, has made much criminal communication unreadable once intercepted. Intelligence agents increasingly prefer hacking a device, meaning they can take complete control of it by exploiting vulnerabilities in software. They can then take control of smartphone cameras to photograph targets and instruct microphones to record conversations. Source: The Mirror

Ach! Germans lose a bundle in Telekom hack

Criminals have stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to confirm transactions to online banking users. The total amount lost in the scam is likely to be more than 1 million euros ($1.3 million). Millions of bank customers use the “mTan” system to make sure that only they can carry out transactions with their bank online. After the account holder has entered information, the bank texts a code to their phone, which they then have to enter. However, Deutsche Telekom mobile customers have been victimized despite the safeguards. Hackers got into their computers and stole bank passwords, then their mobile phone numbers. They then contacted Deutsche Telekom and said they wanted to activate a new SIM card, meaning they received all calls and texts meant for the customer. The company says it now has tightened security methods. Source: The Local

So, what does a CIA director say in emails? Now we may know

WikiLeaks began posting what it claims are the contents of CIA Director John Brennan’s private email, days after a teenager claimed to have hacked into his account. The six initial emails date from 2007 and 2008, and include personal information as well as draft versions of advice and policy positions. Additional documents will be posted “over the coming days,” WikiLeaks said, while claiming that Brennan used the account “occasionally for several intelligence related projects.” Among the released documents is a draft version of Brennan’s security clearance questionnaire, which contains detailed information about his life and biography, including his passport number, home telephone number, and a list of home addresses dating back to his childhood home in 1963. The document also contains Brennan’s wife’s Social Security number as well as birthdates, names and other information about close family members. Source: The Hill

Patch me up

Oracle has fixed a vulnerability in Java that a Russian cyber espionage group used to launch attacks earlier this year. At the same time, Oracle fixed 153 other security flaws in Java and a wide range of its other products, it said. The Java vulnerability can be used to bypass the user confirmation requirement before a Web-based Java application is executed by the Java browser plug-in. This type of protection mechanism is commonly referred to as click-to-play. The flaw was reported to Oracle by security researchers from Trend Micro, who first spotted the vulnerability in July in attacks launched by a Russian hacker group dubbed Pawn Storm that commonly targets military and governmental institutions from NATO member countries. The vulnerability was being used to enable the execution of a malicious Java application without user interaction. That application was designed to exploit a separate vulnerability that also was unpatched at the time, to install malware on computers. Oracle patched the more serious code execution flaw in July, but left the fix for the click-to-play bypass for the October quarterly security update released this week. … Days after the first public jailbreak for iOS 9 devices hit the Web, it appears that Apple has closed two exploits used by Chinese hacking team Pangu, whose untethered jailbreak let users jailbreak nearly all iPhone, iPad and iPod touch devices running iOS versions 9.0 through 9.0.2. In a security document posted on Apple’s website, the company credits Pangu with discovering two vulnerabilities in the iOS operating system that have now been patched. These include one vulnerability that would allow a malicious application to elevate privileges, and another that would allow a malicious application to execute arbitrary code with kernel privileges. Sources: InfoWorld; Tech Crunch

No nukes—no nuke hacks, that is

Stuxnet was a wake-up call for the nuclear industry, says Andrea Cavina, nuclear security professional at Coresecure.org. “When I started work at the International Atomic Energy Agency (IAEA) in 2006, there was no specific focus on computer security,” he said. Cavina was tasked with drafting the first good practice guide on cybersecurity, the only person working part-time at the IAEA on cybersecurity. “But everything changed in 2011 when Stuxnet hit the headlines, and now there are five people working full-time on cybersecurity,” he said. Stuxnet was the first known example of “weaponized” malware, in the sense that it was directed at a specific target, it was extremely complex, and its payload was destructive. Cavina said that, although there is no element of cybersecurity unique to the nuclear industry, attacks are typically highly targeted, and there is no possibility of risk transfer. The industry also shares some challenges of other highly regulated industries where there is little opportunity for maintenance and down times. “The nuclear industry has to deal with a lot of legacy equipment and has few opportunities to update software,” Cavina said. Source: Computer Weekly

Facebook case heads to Austrian court

An Austrian appeals court has decided that a privacy complaint by a Viennese activist against Facebook can be tried in Austria, overturning a regional court’s rejection of the case and adding to the headwinds the social network is facing in Europe. Maximilian Schrems lodged a complaint in 2013 against Facebook about alleged privacy violations, claiming the company’s data-use policy was invalid under European Union law. A regional court in Vienna rejected his complaint, saying it didn’t have jurisdiction for the case. The higher court decided that the case can be heard in Austria but didn’t decide whether Facebook has violated privacy rules. Schrems also has lodged a complaint in Ireland, where Facebook has its EU headquarters. German consumer group VZBV said it has filed a lawsuit against Facebook, and regulators in several European countries are investigating the company’s privacy policy. Facebook said, “We’re pleased that the court affirmed the key rulings that these claims could not proceed as a global class action and that Irish data-protection law applies.” Source: The Wall Street Journal