Route to breach hacked through Cisco routers


Security researchers have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyber spies to harvest vast amounts of data while going undetected. A highly sophisticated form of malicious software, dubbed SYNful Knock, has been implanted in routers made by Cisco, the world’s top supplier, U.S. security research firm FireEye said. Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools used to safeguard data traffic. They had been considered vulnerable to sustained denial-of-service attacks, but not outright takeover. “If you (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye Chief Executive Dave DeWalt said. “This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cyber crime tool.” Source: Fortune

Banking on class action against Target

A judge certified a class action against Target brought by several banks over the retailer’s massive data breach in 2013. U.S. District Judge Paul Magnuson in St. Paul, Minn., said the banks could pursue their claims together over the breach, which compromised at least 40 million credit cards during the holiday season. Target did not immediately comment on the decision. In a statement, Charles Zimmerman, one of the lawyers representing the banks, said, “This important ruling brings financial institutions one step closer to collectively holding Target accountable for its unprecedented data breach.” The decision, which makes a settlement with the banks more likely, comes four weeks after Target agreed to pay as much as $67 million to financial institutions that issue Visa cards, in a deal struck directly with the card network. Earlier this year, a proposed $19 million settlement with MasterCard fell through when not enough banks accepted the agreement. Source: Reuters

Android might be vulnerable to hack

A security analyst at the University of Texas’s information security office has found that the widespread version 5 of Android is vulnerable to an easy lock-screen-bypass attack. The hack consists of basic steps such as entering a long, arbitrary collection of characters into the phone’s Emergency Call dial pad and repeatedly pressing the camera shutter button. UT’s John Gordon says the trick offers full access to the apps and data on affected phones. By using that access to enable developer mode, he says that an attacker also could connect to the phone via USB and install malicious software. “If, say, you give your phone to a TSA agent during extended screening, they could take something from it or plant something on it without you knowing.” Source: Wired

A hard lesson to learn

Charlotte-Mecklenburg, N.C., schools notified more than 7,000 people who applied for jobs with the school system that their personal information was shared with an outside contractor without prior authorization. But the school district says the information was not used maliciously and the contractor has agreed to destroy the data. The data was used to compile an online database of potential new employees. Information that was provided to the contractor included applicants’ name, address, and Social Security number. Source: WCNC, Charlotte, N.C.

Just say nyet!

Hackers made a “very powerful” attack on the Kremlin website, the Russian government said. Kremlin spokesman Dmitry Peskov linked the attack on the election commission’s website to regional elections in Russia. “Defense systems worked, though it was not easy,” he said. “The attack was rather strong.” He said he had no information on who might have been behind the attack, which caused the website to shut down briefly. Source: Radio Free Europe

It’s just business; wait a minute …

Cyber thieves steal hundreds of millions of dollars a year from the bank accounts of U.S. businesses. And many business owners are surprised to find out their bank is not obliged to make them whole. David Krier’s Volunteer Voyages lost more than $14,000 through fraudulent withdrawals from his business account, and he says his bank “refused to cover any of my losses.” While individuals are protected when it comes to fraudulent transfers from their bank accounts, that’s not the case for small businesses, even if they’re owned by a single person. In Krier’s case, a cyber crook commandeered the debit card he used to cover the costs of foreign trips. Krier expected that his bank would reimburse him. At first, he says, the staff at the local bank said, “Not a problem.” But later, Krier says, the bank told him, “It’s a business account, so you’re out of luck.” Source: National Public Radio

The timing isn’t quite right

The United States does not plan to impose sanctions on Chinese entities for economic cyber attacks ahead of next week’s U.S. visit by Chinese President Xi Jinping, a U.S. official and a person briefed on the White House’s thinking said. The official, who spoke on condition of anonymity, suggested the reason was to avoid casting a shadow over Xi’s visit rather than the emergence of any major agreement between the two sides about how to handle the issue. Imposing sanctions before Xi’s high-profile visit would be a diplomatic disaster, said the person briefed on the White House’s thinking. Source: Reuters

A benefit that won’t be taxed 

Businesses affected by data breaches often offer some form of free credit monitoring or identity theft protection to people affected by the breach. Though these services may be unable to prevent further fraudulent activity entirely, they do provide an added benefit by alerting breach victims of suspicious activity. Some people wondered if the value of the service had to be included in taxable gross income. In a recent Internal Revenue Bulletin, Announcement 2015-22 confirms that the IRS “will not assert” that the value of these services is taxable. This means that if an individual gets identity protection services as a result of a data breach, he or she is not required to report the value of the protection services in personal income. Source: H&R Block

Training program goes into Brown out

Brown University’s new online sexual assault prevention training for first-year students was hacked, causing the site to be taken down and preventing some students from completing the program, said Ravi Pendse, vice president for Computing and Information Services. The program, called Agent of Change, experienced a breach in website security that compromised important student data, said Russell Carey, executive vice president for planning and policy, and Maud Mandel, dean of the College. Students’ private information such as student identification numbers, email addresses, Agent of Change user names and passwords, gender identity, race, ethnicity, relationship status, sexual orientation and institution name were vulnerable to the intrusion, according to a news release by We End Violence, the third-party vendor of Agent of Change. Source: The Brown Daily Herald

160 million and counting

A Russian hacker pleaded guilty in the biggest data-breach case in U.S. history, admitting he helped steal 160 million credit card numbers. Vladimir Drinkman, 34, said in federal court in Camden, N.J., that he conspired with four other men to pillage credit card numbers from Heartland Payment Systems, 7-Eleven Inc., the Hannaford Bros. grocery chain, and at least 14 other companies from 2005 to 2012. Prosecutors said Drinkman helped find vulnerabilities in information systems and used malware to steal passwords and card numbers. Three other alleged co-conspirators—two Russians and one Ukrainian—remain at large. Drinkman pleaded guilty to conspiracy to gain unauthorized access to computers and conspiracy to commit wire fraud. He faces as long as 30 years in prison for the wire fraud charge. Source: The Globe and Mail