Accounting giant Deloitte hit by hack that went undetected for some time


Deloitte, one of the “big four” accounting firms, was targeted by a sophisticated hack that compromised the confidential emails and plans of some blue-chip clients in a cybersecurity attack that went unnoticed for months. The company provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. Clients across all sectors had material in the company email system that was breached. The hack was discovered in March, but attackers may have had access to systems since October or November 2016. The hacker compromised the firm’s global email server through an administrator account protected only by a single password, which could have given them privileged, unrestricted access to all areas. In addition to emails, hackers had access to user names, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details. Source: The Guardian

College students: Do you have what it takes to crack the code?

Registration is open for the 2017 Codebreaker Challenge, a contest that asks college students to use reverse engineering, the ability to take code apart, to fix from scratch a fictional break-in of a government data system. In the scenario, the Department of Homeland Security is helped to disarm an improvised explosive device using cybersecurity skills. “Reverse engineering is a crucial skill for those involved in the fight against malware, advanced persistent threats, and similar malicious cyber activities,” the National Security Administration’s contest site says. Source: Voice of America

Hackers might have driven away with Sonic customers’ credit card numbers

Millions of credit card numbers may have been stolen in a security breach at the fast food chain Sonic Drive-In. About 5 million credit and debit card accounts were put up for sale by hackers on Sept. 18. Many of the cards in the for-sale batch recently had been used at Sonic locations. It’s not clear if all the stolen credit card numbers were linked to Sonic; other companies also might have been affected. Source: Money magazine

Russian hackers targeted election systems in 21 states

The Department of Homeland Security notified 21 states that their election systems were targeted by Russia-affiliated hackers in an attempt to influence the 2016 election. In most states targeted, the hackers were engaged in preliminary activities such as scanning. In others, hackers attempted to infiltrate systems and failed, but in some, with only Illinois confirmed so far, election systems were compromised successfully. According to Homeland Security, none of these attempts were aimed at the systems that tabulate votes. Source: Tech Crunch

Federal regulators to be embedded into credit-monitoring companies

Credit reporting agencies are going to have to get used to “a new regime” in the wake of the Equifax consumer data hack, says Richard Cordray, director of the Consumer Financial Protection Bureau. Equifax, TransUnion and Experian will get embedded regulators to ensure that similar breaches of private information don’t happen again. “There has to be a scheme of preventive monitoring in place.” Source: CNBC

Equifax CEO out after data breach, could take millions of dollars with him

Equifax CEO Richard Smith stepped down after the credit reporting agency disclosed a disastrous hack to its computer system that exposed the sensitive personal information of 143 million Americans. Even if a review finds Smith at fault, he could walk away with a retirement package of at least $18.4 million, along with the value of the stock and options awarded during his 12-year tenure. Source: ABC

Senators skewer SEC for delay in reporting 2016 data breach

Senators grilled the chairman of the Securities and Exchange Commission on its handling of a 2016 data breach that was disclosed last week. The hack breached the SEC’s system for handling corporate filings intended for investors, known as EDGAR, raising concerns that hackers may have gained advance looks at filings and engaged in insider trading. SEC Chairman Jay Clayton ordered an investigation, and the organization has created a cyber unit to target market manipulation, hacking and dark-web operatives. Source: The Los Angeles Times

Apple privacy site explains policies, gives examples of how things work

Apple launched a revamped and redesigned privacy website designed to make its privacy policies more accessible to consumers. The site outlines how Apple’s commitment to privacy benefits users through examples of such features as Apple Pay and an iPhone’s pass code. One section covers apps and features, including iMessage, Apple Pay, Health, Analytics, Safari, iCloud, CarPlay, Education, Photos, Siri, Apple Music, News, and Maps. Source: Mac Rumors

DHS to monitor immigrants’ social media accounts; privacy advocates balk

Privacy and freedom of expression groups have slammed Department of Homeland Security plans to monitor and collect social media information on all immigrants to the United States. The department published a new rule under the Privacy Act of 1974 in the Federal Register, detailing how it intends to expand the information it collects when determining a person’s immigration status to include social media handles and potentially even search histories. The new requirement is to take effect Oct. 18. Source: Newsweek

New technique will keep private messages private

Researchers have developed a technique that ensures that only a sender and the recipient can read a message. With current end-to-end encryption, if an attacker compromises a recipient’s device, they can intercept, read and alter all future communications without the sender or recipient knowing. The new protocol forces attackers to leave evidence of any such activity and alerts users to take action. Source: Phys.org

Safari system update to gather data without collecting personal information

The Mac OS High Sierra updates to Safari will include differential privacy technology, which will gather information from user habits to identify websites that use excessive power and crash the browser by monopolizing too much memory. Differential privacy is a method for collecting large swaths of information without grabbing any personally identifying data in the process, so none of the information can be traced back to the user. Source: Tech Crunch
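The item above says only that differential privacy lets a vendor learn aggregate facts (which sites crash the browser) without any single report being traceable to a user. The example below, added here and not taken from the article or from Apple's actual implementation (which the item does not describe), illustrates the idea with the simplest local differential privacy mechanism, randomized response: each client flips a coin before answering "did this site crash your browser?", so any individual report is deniable, yet the server can still recover an unbiased estimate of the true count across many clients. The site name and the user population are constructed for the illustration.

```python
"""Randomized response: a minimal local differential privacy mechanism.

Added illustration; not Apple's mechanism. A client holds one private bit
(e.g. "site X crashed my browser"). With probability p_truth it reports the
true bit, otherwise it reports a uniformly random bit. The collector never
learns any individual's bit with certainty, but over n reports it can
estimate how many bits were truly 1.
"""
import math
import random


def randomized_response(true_bit: int, p_truth: float, rng: random.Random) -> int:
    """Report true_bit with probability p_truth, else a random coin flip."""
    if not 0.0 < p_truth <= 1.0:
        raise ValueError("p_truth must be in (0, 1]")
    if true_bit not in (0, 1):
        raise ValueError("true_bit must be 0 or 1")
    if rng.random() < p_truth:
        return true_bit
    return rng.randrange(2)


def estimate_true_count(reported_ones: int, n: int, p_truth: float) -> float:
    """Unbiased estimate of how many of n clients truly held bit 1.

    E[reported_ones] = n * (p_truth * f + (1 - p_truth) / 2), where f is the
    true fraction of ones; solving for n * f gives the estimator below.
    """
    noise_ones = (1.0 - p_truth) / 2.0  # share of reports that are random 1s
    return (reported_ones - n * noise_ones) / p_truth


def epsilon_for(p_truth: float) -> float:
    """Privacy loss epsilon = ln(P[report 1 | bit 1] / P[report 1 | bit 0]).

    Smaller epsilon means a report says less about the underlying bit.
    p_truth = 1 (no noise) gives infinite epsilon, i.e. no privacy.
    """
    p_one_given_one = (1.0 + p_truth) / 2.0
    p_one_given_zero = (1.0 - p_truth) / 2.0
    if p_one_given_zero == 0.0:
        return math.inf
    return math.log(p_one_given_one / p_one_given_zero)


def simulate(n: int, true_fraction: float, p_truth: float, seed: int) -> dict:
    """Constructed population: a fraction of n clients truly saw a crash.

    Returns the true count, the noisy reported count and the recovered
    estimate, so the collector's error can be compared to the truth.
    """
    rng = random.Random(seed)
    true_bits = [1 if i < int(n * true_fraction) else 0 for i in range(n)]
    reports = [randomized_response(b, p_truth, rng) for b in true_bits]
    reported_ones = sum(reports)
    return {
        "true_count": sum(true_bits),
        "reported_ones": reported_ones,
        "estimate": estimate_true_count(reported_ones, n, p_truth),
        "epsilon": epsilon_for(p_truth),
    }


if __name__ == "__main__":
    # Constructed example: 100,000 clients, 30% truly saw "example-site.test" crash.
    result = simulate(n=100_000, true_fraction=0.30, p_truth=0.5, seed=7)
    print(f"true crashes:    {result['true_count']}")
    print(f"reported ones:   {result['reported_ones']} (individually deniable)")
    print(f"estimated count: {result['estimate']:.0f}")
    print(f"epsilon:         {result['epsilon']:.3f}")
```

With p_truth = 0.5 a single report of "1" is consistent with either underlying bit (the likelihood ratio is 3, epsilon about 1.1), so the report alone cannot be traced back to what the user actually experienced; the estimate's error shrinks roughly with the square root of the number of clients, which is why this kind of mechanism needs large populations to be useful.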