Financial fitness could take a hit from physical fitness efforts


A vulnerability in FitBit fitness trackers, reported to the vendor in March, could still be exploited. The wearables are open on their Bluetooth ports, according to research by Fortinet. An infected FitBit can then spread the attack to other computers it connects to. Attacks over Bluetooth require a hacker to be within meters of a target device, but malware can be delivered 10 seconds after devices connect, so even fleeting proximity is a problem. “An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance, then the rest of the attack occurs by itself, without any special need for the attacker being near,” says Fortinet researcher Axelle Apvrille. Source: The Register

We already hate going to the DMV

Six people, including a California DMV clerk, face federal identity theft charges after prosecutors say they sold Puerto Rican birth certificates and matching Social Security numbers to people seeking new identities. The suspects sold them to people willing to pay up to $5,000 for new identities, the U.S. Attorney’s Office said in a statement. Many customers were felons, prosecutors said. “This identity theft scheme was particularly insidious because it both victimized the individuals whose identities were stolen and required the active participation of a government official,” U.S. Attorney Eileen Decker said in a statement. “The fact that a DMV official abused her position of authority in committing this crime is egregious since such conduct can undermine the public’s confidence in a government institution entrusted with our personal information.” Source: The Los Angeles Times

No such thing as a skeleton key, Apple says

Apple told a judge that accessing data stored on a locked iPhone would be “impossible” with devices using its latest operating system, but the company has the “technical ability” to help law enforcement unlock older phones. Apple’s position was laid out in a brief, after a federal magistrate judge in Brooklyn sought its input as he weighed a Justice Department request to force the company to help authorities access a seized iPhone during an investigation. In court papers, Apple said that for the 90 percent of its devices running iOS 8 or higher, granting the Justice Department’s request “would be impossible to perform” after it strengthened encryption methods. Those devices include a feature that prevents anyone without the device’s passcode from accessing its data, including Apple itself. Source: Reuters via The Telegraph

Spending spree, but not the fun kind

U.S. businesses spent more than $2 billion for cyber insurance last year as interest in this coverage grew following high-profile data breaches, says the Insurance Information Institute (I.I.I.). “More than 60 carriers offer stand-alone cyber insurance policies, and Marsh, a major insurance broker, estimates the U.S. cyber insurance market was worth more than $2 billion in gross written premiums in 2014, with some estimates suggesting that figure has the potential to triple by 2020, growing to $7.5 billion,” said Robert Hartwig, president of the I.I.I. and an economist. An I.I.I. white paper examines where the cyber threats are coming from—from foreign governments and criminal enterprises to disgruntled employees—and how businesses can protect themselves from the substantial economic fallout of a data breach. The paper also surveys the rapidly evolving market for cyber insurance, including pricing and limits purchased. Source: PR Newswire

License to steal control of your phone

British spies soon will have the right to hack into smartphones and computers. Lawmakers plan to pass laws allowing a wide range of electronic surveillance, reports suggest. Agencies MI5, MI6 and GCHQ are set to be handed new powers to take control of devices, giving agents access to documents, photographs and communications. A rise in encryption software, which scrambles data, has made much criminal communication unreadable once intercepted. Intelligence agents increasingly prefer hacking a device, meaning they can take complete control of it by exploiting vulnerabilities in software. They can then take control of smartphone cameras to photograph targets and instruct microphones to record conversations. Source: The Mirror

Ach! Germans lose a bundle in Telekom hack

Criminals have stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to online banking users to confirm transactions. The total amount lost in the scam is likely to be more than 1 million euros ($1.3 million). Millions of bank customers use the “mTAN” system to make sure that only they can carry out transactions with their bank online. After the account holder has entered the transaction details, the bank texts a code to their phone, which they then have to enter. However, Deutsche Telekom mobile customers have been victimized despite the safeguards. Hackers got into their computers and stole bank passwords, then their mobile phone numbers. They then contacted Deutsche Telekom and said they wanted to activate a new SIM card, meaning they received all calls and texts meant for the customer. The company says it now has tightened its security methods. Source: The Local

So, what does a CIA director say in emails? Now we may know

WikiLeaks began posting what it claims are the contents of CIA Director John Brennan’s private email, days after a teenager claimed to have hacked into his account. The six initial emails date from 2007 and 2008, and include personal information as well as draft versions of advice and policy positions. Additional documents will be posted “over the coming days,” WikiLeaks said, while claiming that Brennan used the account “occasionally for several intelligence related projects.” Among the released documents is a draft version of Brennan’s security clearance questionnaire, which contains detailed information about his life and biography, including his passport number, home telephone number, and a list of home addresses dating back to his childhood home in 1963. The document also contains Brennan’s wife’s Social Security number as well as birthdates, names and other information about close family members. Source: The Hill

Patch me up

Oracle has fixed a vulnerability in Java that a Russian cyber espionage group used to launch attacks earlier this year. At the same time, Oracle fixed 153 other security flaws in Java and a wide range of its other products, it said. The Java vulnerability can be used to bypass the user confirmation required before a Web-based Java application is executed by the Java browser plug-in; this type of protection mechanism is commonly referred to as click-to-play. The flaw was reported to Oracle by security researchers from Trend Micro, who first spotted it in July in attacks launched by a Russian hacker group dubbed Pawn Storm, which commonly targets military and governmental institutions in NATO member countries. The vulnerability was being used to run a malicious Java application without user interaction. That application was designed to exploit a separate vulnerability, also unpatched at the time, to install malware on computers. Oracle patched the more serious code execution flaw in July, but left the fix for the click-to-play bypass for the October quarterly security update released this week. … Days after the first public jailbreak for iOS 9 devices hit the Web, it appears that Apple has closed two exploits used by Chinese hacking team Pangu, whose untethered jailbreak let users jailbreak nearly all iPhone, iPad and iPod touch devices running iOS versions 9.0 through 9.0.2. In a security document posted on Apple’s website, the company credits Pangu with discovering two vulnerabilities in the iOS operating system that have now been patched. These include one vulnerability that would allow a malicious application to elevate privileges, and another that would allow a malicious application to execute arbitrary code with kernel privileges. Sources: InfoWorld; TechCrunch

No nukes—no nuke hacks, that is

Stuxnet was a wake-up call for the nuclear industry, says nuclear security professional Andrea Cavina. “When I started work at the International Atomic Energy Agency (IAEA) in 2006, there was no specific focus on computer security,” he said. Cavina was tasked with drafting the first good practice guide on cybersecurity, as the only person working part-time at the IAEA on cybersecurity. “But everything changed in 2011 when Stuxnet hit the headlines, and now there are five people working full-time on cybersecurity,” he said. Stuxnet was the first known example of “weaponized” malware, in the sense that it was directed at a specific target, it was extremely complex, and its payload was destructive. Cavina said that, although there is no element of cybersecurity unique to the nuclear industry, attacks on it are typically highly targeted, and there is no possibility of transferring the risk. The industry also shares the challenges of other highly regulated industries where there is little opportunity for maintenance windows and downtime. “The nuclear industry has to deal with a lot of legacy equipment and has few opportunities to update software,” Cavina said. Source: Computer Weekly

Facebook case heads to Austrian court

An Austrian appeals court has decided that a privacy complaint by a Viennese activist against Facebook can be tried in Austria, overturning a regional court’s rejection of the case and adding to the headwinds the social network is facing in Europe. Maximilian Schrems lodged a complaint in 2013 against Facebook about alleged privacy violations, claiming the company’s data-use policy was invalid under European Union law. A regional court in Vienna rejected his complaint, saying it didn’t have jurisdiction for the case. The higher court decided that the case can be heard in Austria but didn’t decide whether Facebook has violated privacy rules. Schrems also has lodged a complaint in Ireland, where Facebook has its EU headquarters. German consumer group VZBV said it has filed a lawsuit against Facebook, and regulators in several European countries are investigating the company’s privacy policy. Facebook said, “We’re pleased that the court affirmed the key rulings that these claims could not proceed as a global class action and that Irish data-protection law applies.” Source: The Wall Street Journal