Hello Kitty fans say hello to hackers


The database for SanrioTown.com—the online interactive community for the popular Hello Kitty brand—has been discovered online, potentially compromising 3.3 million user accounts. Internet security researcher Chris Vickery says the posted information includes a wide range of private user information such as first and last names, gender, country of origin, email addresses, and password hint questions and answers. Two backup servers that contained mirrored data from the site also were found. “Kids are going to be even more connected in the future, and while some of the information shared about them now might not bear the same consequence, they will be living in a world where they will have Apple Pay and Google Wallet and other things,” Peter Tran, senior director at network security company RSA, said. “The data itself might not be an immediate snatch-and-grab now, but it is a treasure trove of information that hackers could mine through for future generations going forward.” Source: CBS News

Cyber spies jump Juniper Networks’ federal firewall

The Department of Homeland Security and federal agencies are in incident-response mode as they work to remove listening posts in software planted by suspected cyber spies. The unauthorized code can allow attackers to invisibly decrypt communications passing through Juniper Networks firewalls, the company says. The existence of the three-year-old bug was disclosed on Dec. 17. The government has spent about $13 million on Juniper products since 2012, according to the federal funding-tracker USASpending.gov. The government is scouring its IT inventory to identify affected Juniper systems—plus any information that ever touched a Juniper firewall. Reports suggest foreign assailants might have taken advantage of a weakness that the National Security Agency allegedly placed in a popular encryption formula. Source: NextGov

Apple has a rather negative reaction to British plan

Apple says a British plan to give intelligence agencies extra online surveillance powers could weaken the security of personal data for millions of people and paralyze the tech sector. The U.K. unveiled proposals for new online powers last month that it said were needed to keep the country safe from criminals, fraudsters and militants, including the right to find out which websites people visit. Critics, however, say the Investigatory Powers Bill gives British spies authority beyond those available in other Western countries, including the United States, and that it constitutes an assault on personal freedom. “We believe it is wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” Apple said. Source: LiveMint

Your boarding pass might let bad guys in

Those friendly holiday skies might not be so kind if you’re careless with hard copies of your airline boarding pass. “Boarding passes are a potential treasure trove to an identity thief,” said Professor William Kresse of Governors State University. “Some airlines print right on the boarding pass such things as … first name, last name, and your frequent-flier number.” Others place it into a bar code, and certain scanner apps can pull the information. Kresse says once a thief has that data, they go after your frequent-flier account online. “They can go into your account, and they can change your flights; they can steal the miles you have banked,” Kresse said. “If you have your credit card tied on the frequent-flier account, they can purchase gift cards for that airline up to $1,000.” Source: KGO-TV, San Francisco

Soldiers step into the fray

The U.S. military is about to open a digital front against Islamic State terrorists, Pentagon sources say, as the cyber campaign managed by the State Department has reported little success. Pentagon officials have been asked to show options to the White House, officials who spoke on condition of anonymity said. The U.S. Cyber Command in Fort Meade, Md., could use malware to disrupt Islamic State propaganda and recruitment efforts online, the officials said. Source: RT Network

The risk of water, water, everywhere was high

Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City two years ago, sparking concerns that reached to the White House, say former and current U.S. officials. The breach came amid attacks by hackers linked to Iran’s government against the websites of U.S. banks, and just a few years after American spies had damaged an Iranian nuclear facility with a sophisticated computer worm called Stuxnet. The still-classified dam intrusion illustrates a top concern for U.S. officials as they enter an age of digital state-on-state conflict. America’s power grid, factories, pipelines, bridges and dams—all prime targets for digital armies—are largely unprotected on the Internet. And, unlike in a traditional war, it is sometimes difficult to know whether or where an opponent has struck. In the case of the dam hack, federal investigators initially thought the target might have been a much larger dam in Oregon. Source: The Wall Street Journal

Locking down life’s not-so-little ‘oops’ moments

Identity-theft protection company LifeLock is paying $100 million to consumers to settle charges by federal regulators that it failed to take adequate measures to protect customers’ personal data under a court order. The Federal Trade Commission says it’s the largest settlement it has won in this type of enforcement case. The 2010 order by a federal court required LifeLock to secure customers’ data, such as credit card and Social Security numbers, and to avoid false advertising claims. The order resulted from an action brought by the FTC and attorneys general in 35 states, alleging that LifeLock used false claims to promote its services. The company paid $12 million in that settlement, which went mostly to customer refunds, and agreed to make changes to its business practices. The FTC said that LifeLock violated the order by failing to maintain “a comprehensive information-security program” and to avoid deceptive advertising. Source: The Associated Press via The Dallas Morning News

This script is based on a true story

A Bahamian man hacked into celebrities’ email accounts to steal unreleased movie and TV scripts and private sex tapes and sought to peddle some of the scripts, boasting to an undercover agent that he had dossiers on at least 130 accounts of stars and big shots in entertainment, sports and media, federal prosecutors said. Alonzo Knowles is being held without bail after a court appearance on criminal copyright infringement and identity theft charges as prosecutors described a scheme that also involved proffering an actor’s passport, Social Security numbers for three professional athletes, unreleased tracks from a singer-songwriter’s upcoming album, and an explicit video grabbed from a radio host’s email account. Source: The Associated Press via U.S. News & World Report

Just say nein, security expert tells German banks

Cybersecurity researcher Karsten Nohl warned German banks that their retail payment systems have security flaws that could let fraudsters steal payment card PIN codes, create fake cards or siphon funds from customer or merchant accounts. Nohl, who is credited with revealing major security threats in mobile phones, automobiles, security cards and thumb-size USB drives, said he found critical weaknesses in software that runs retail point-of-sale terminals in Germany. Source: Reuters

A large pepperoni, and 130 stolen identities to go

Backtracking a pizza delivery charge led to the discovery of 130 victims of the largest identity theft in Eau Claire County, Wis. Investigators believe two suspects stole mail from homeowners to search for information that could be used to forge checks. Officer Kyle Roder said the alleged thefts were discovered after one of the victims reported errant charges on his bank account, including a pizza delivery charge. “Our officers … found thousands of pieces of mail that belonged to well over a hundred different victims in Eau Claire and the surrounding area,” Roder says. Source: WEAU, Eau Claire, Wis.

Federal agencies get new cyber rules—finally

Agencies have new guidelines for keeping track of their cybersecurity work force, according to a provision in the 2016 omnibus spending package that Congress passed. The Federal Cybersecurity Workforce Assessment Act of 2015 is one of several cybersecurity measures bundled in the new budget, which requires each agency to identify all positions that carry out some kind of cyber function. The Office of Personnel Management, the National Institute of Standards and Technology and the Department of Homeland Security will set up implementation procedures agencies use to identify cyber, cyber-related and IT-related civilian positions. A plan for noncivilian positions is scheduled sometime within the next 18 months. Source: Federal News Radio

There’s low, and then there’s really low

Nursing home workers across the country are posting embarrassing and dehumanizing photos of elderly residents on social media networks such as Snapchat, violating their privacy, dignity and, sometimes, the law. ProPublica has identified 35 instances since 2012 in which workers at nursing homes and assisted-living centers have surreptitiously shared photos or videos of residents, some of whom were partially or completely naked. At least 16 cases involved Snapchat, a social-media service in which photos appear for a few seconds, then disappear with no lasting record. Some have led to criminal charges, including a case filed earlier this month in California against a nursing assistant. Posting patients’ photos without their permission may violate the Health Insurance Portability and Accountability Act, the federal patient privacy law that carries civil and criminal penalties. Source: ProPublica

New legislation brings new business for European cyber insurers

New European legislation on data privacy is boosting demand for cyber insurance, after such companies as TalkTalk and Experian were affected by hackers earlier this year. The European Union agreed to force companies to report breaches likely to harm individuals to national authorities within 72 hours. Until now, insurers say, many European companies have shown little interest in cyber cover. But anticipation of the European law has boosted demand, says Paul Bantick, technology, media & business services U.K. focus group leader at insurer Beazley. “We have seen clients buying policies because they know that this is coming,” Bantick said. “Breaches are going to get more expensive, they are going to get more complex, and they (clients) want insurers to help with both of those issues.” Source: Telecom Engine

This doesn’t scan: Lawsuit targets Facebook tagging

A lawsuit claims Facebook’s biometric faceprints violate user privacy. Facebook disputes the claim, although it has avoided rolling out facial recognition in Europe and Canada, presumably over similar concerns. If the latest complaints are upheld, it could mean a profound shift in how Facebook treats user photos, potentially even pushing the feature out of the U.S. entirely. The case focuses on the Illinois Biometric Information Privacy Act, which deals with fingerprints, voiceprints, and scans of facial geometry. According to the law, anyone collecting those identifiers has to notify users in advance, say why they’re being collected, and how long they’re being retained. It also puts strict limits on how those identifiers can be shared and how long they can be stored. Photographs are explicitly ruled out as a biometric, but the plaintiffs argue the relevant biometric is the facial geometry scans created from those photographs. If Facebook were a simple photo service, it wouldn’t have to worry about biometrics at all—but the plaintiffs argue that as long as the company is using those photos to create and apply faceprints, the Illinois law applies. Source: The Verge