Route to breach hacked through Cisco routers


Security researchers have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyber spies to harvest vast amounts of data while going undetected. A highly sophisticated form of malicious software, dubbed SYNful Knock, has been implanted in routers made by Cisco, the world’s top supplier, U.S. security research firm FireEye said. Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools used to safeguard data traffic. They had been considered vulnerable to sustained denial-of-service attacks, but not outright takeover. “If you (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye Chief Executive Dave DeWalt said. “This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cyber crime tool.” Source: Fortune

Banking on class action against Target

A judge certified a class action against Target brought by several banks over the retailer’s massive data breach in 2013. U.S. District Judge Paul Magnuson in St. Paul, Minn., said the banks could pursue their claims together over the breach, which compromised at least 40 million credit cards during the holiday season. Target did not immediately comment on the decision. In a statement, Charles Zimmerman, one of the lawyers representing the banks, said, “This important ruling brings financial institutions one step closer to collectively holding Target accountable for its unprecedented data breach.” The decision, which makes a settlement with the banks more likely, comes four weeks after Target agreed to pay as much as $67 million to financial institutions that issue Visa cards, in a deal struck directly with the card network. Earlier this year, a proposed $19 million settlement with MasterCard fell through when not enough banks accepted the agreement. Source: Reuters

Android might be vulnerable to hack

A security analyst at the University of Texas’s information security office has found that the widespread version 5 of Android is vulnerable to an easy lock-screen-bypass attack. The hack consists of basic steps such as entering a long, arbitrary collection of characters into the phone’s Emergency Call dial pad and repeatedly pressing the camera shutter button. UT’s John Gordon says the trick offers full access to the apps and data on affected phones. By using that access to enable developer mode, he says that an attacker also could connect to the phone via USB and install malicious software. “If, say, you give your phone to a TSA agent during extended screening, they could take something from it or plant something on it without you knowing.” Source: Wired

A hard lesson to learn

Charlotte-Mecklenburg, N.C., schools notified more than 7,000 people who applied for jobs with the school system that their personal information was shared with an outside contractor without prior authorization. But the school district says the information was not used maliciously and the contractor has agreed to destroy the data. The data was used to compile an online database of potential new employees. Information that was provided to the contractor included applicants’ name, address, and Social Security number. Source: WCNC, Charlotte, N.C.

Just say nyet!

Hackers made a “very powerful” attack on the Kremlin website, the Russian government said. Kremlin spokesman Dmitry Peskov linked the attack on the election commission’s website to regional elections in Russia. “Defense systems worked, though it was not easy,” he said. “The attack was rather strong.” He said he had no information on who might have been behind the attack, which caused the website to shut down briefly. Source: Radio Free Europe

It’s just business; wait a minute …

Cyber thieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole. David Krier’s Volunteer Voyages lost more than $14,000 through fraudulent withdrawals from his business account, and he says his bank “refused to cover any of my losses.” While individuals are protected when it comes to fraudulent transfers from their bank accounts, that’s not the case for small businesses, even if they’re owned by a single person. In Krier’s case, a cyber crook commandeered the debit card he used to cover the costs of foreign trips. Krier expected that his bank would reimburse him. At first, he says, the staff at the local bank said, “Not a problem.” But later, Krier says, the bank told him, “It’s a business account, so you’re out of luck.” Source: National Public Radio

The timing isn’t quite right

The United States does not plan to impose sanctions on Chinese entities for economic cyber attacks ahead of next week’s U.S. visit by Chinese President Xi Jinping, a U.S. official and a person briefed on the White House’s thinking said. The official, who spoke on condition of anonymity, suggested the reason was to avoid casting a shadow over Xi’s visit rather than the emergence of any major agreement between the two sides about how to handle the issue. Imposing sanctions before Xi’s high-profile visit would be a diplomatic disaster, said the person briefed on the White House’s thinking. Source: Reuters

A benefit that won’t be taxed 

Businesses affected by data breaches often offer some form of free credit monitoring or identity theft protection to people affected by the breach. Though these services may be unable to prevent further fraudulent activity entirely, they do provide an added benefit by alerting breach victims of suspicious activity. Some people wondered if the value of the service had to be included in taxable gross income. In a recent Internal Revenue Bulletin, Announcement 2015–22 confirms that the IRS “will not assert” that the value of these services is taxable. This means that if an individual gets identity protection services as a result of a data breach, he or she is not required to report the value of the protection services in personal income. Source: H&R Block

Training program goes into Brown out

Brown University’s new online sexual assault prevention training for first-year students was hacked, causing the site to be taken down and preventing some students from completing the program, said Ravi Pendse, vice president for Computing and Information Services. The program, called Agent of Change, experienced a breach in website security that compromised important student data, said Russell Carey, executive vice president for planning and policy, and Maud Mandel, dean of the College. Students’ private information such as student identification numbers, email addresses, Agent of Change user names and passwords, gender identity, race, ethnicity, relationship status, sexual orientation and institution name were vulnerable to the intrusion, according to a news release by We End Violence, the third-party vendor of Agent of Change. Source: The Brown Daily Herald

160 million and counting

A Russian hacker pleaded guilty in the biggest data-breach case in U.S. history, admitting he helped steal 160 million credit card numbers. Vladimir Drinkman, 34, said in federal court in Camden, N.J., that he conspired with four other men to pillage credit card numbers from Heartland Payment Systems, 7-Eleven Inc., the Hannaford Bros. grocery chain, and at least 14 other companies from 2005 to 2012. Prosecutors said Drinkman helped find vulnerabilities in information systems and used malware to steal passwords and card numbers. Three other alleged co-conspirators—two Russians and one Ukrainian—remain at large. Drinkman pleaded guilty to conspiracy to gain unauthorized access to computers and conspiracy to commit wire fraud. He faces as long as 30 years in prison for the wire fraud charge. Source: The Globe and Mail