Many companies have the same software that gave hackers access to Equifax data


More than 50,000 organizations are using outdated and leaky versions of Apache Struts, the software that gave hackers a back door into Equifax—even though free fixes have been available for nine months, according to Sonatype, a firm that monitors downloads of open-source software. Corporate America has been slow to update its open-source software, even after the Equifax hack that exposed 143 million people’s sensitive data. “When you take on use of an open-source project, you’re outsourcing software development to strangers,” says Sonatype CEO Wayne Jackson. “The thing that makes that even worse is the hacking community has an information advantage over the users of open source,” he added. The Equifax hack is one of the largest in history. Experts project that people will feel the repercussions for decades to come, as the stolen data includes Social Security numbers, addresses, credit card information and driver’s license numbers. Equifax disclosed that it had been hacked from May to July, and that it was aware of the software flaws but hadn’t fixed them. The company had been the target of other successful hacks going back to March. … Equifax tweeted a link to a would-be phishing site to a victim of its massive breach rather than the breach information site it intended. “Hi! For more information about the product and enrollment, please visit: [the url of the fake site] -Tim,” tweeted Equifax from its official account. Sources: The New York Post; The Hill

Hackers post internal files from music joint venture Vevo

Vevo, a joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner Music Group, and Alphabet (Google’s parent company), was hacked. Roughly 3.12 terabytes worth of internal files have been posted online. The OurMine hacker squad claimed responsibility for the breach; the same group hijacked WikiLeaks’ DNS shortly after taking over HBO’s Twitter account. Last year, it took over Mark Zuckerberg’s Twitter and Pinterest accounts, and also hit BuzzFeed and TechCrunch. The leaked cache contains office documents, videos and promotional materials. Source: Gizmodo

FireEye says Iranian government behind hackers’ group

A private cybersecurity firm says a hacking group sponsored by the Iranian government targeted organizations in the United States, the Middle East and Asia. FireEye, which gathers cyber intelligence and responds to incidents through its Mandiant subsidiary, says the Iranian hacking group has targeted companies involved in the petrochemical industry and in military and commercial aviation. FireEye dubbed the group APT33 (APT stands for “advanced persistent threat”) and says it has hacked targets through spear phishing emails. Source: NBC News

Avast sends out CCleaner with malware to almost 3 million users

Antivirus firm Avast inadvertently distributed a trojanized version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. Hackers hijacked CCleaner and hid malware inside the download that was available from Aug. 15 through Sept. 12. Anyone who downloaded version 5.33 or updated their existing product in that time became infected with a version of the Floxif malware, a covert backdoor capable of spying on everything they did online. Source: The (U.K.) Register

Medicare begins campaign to notify users about new, safer cards

Medicare is getting ready to issue all 60 million beneficiaries new cards with new ID numbers as a way to combat identity theft and fraud. The rollout begins next April, but the agency already is beginning its outreach campaign. The agency has set up a website, is sending out handbooks to all enrollees, and has call centers ready to answer questions. Until now, Medicare used people’s Social Security numbers. The new identifiers will be a randomly generated sequence of 11 numbers and letters. Source: National Public Radio

Police say physical therapist stole IDs to pay for cosmetic surgery

A Huntington Station, N.Y., woman has been accused of stealing the personal information of physical therapy patients to pay for cosmetic surgery. Suffolk County Police say Andrea Echevarria went through records of Deer Park PTDC and used the information to open a line of credit that she used to pay $15,000 for fat injections to increase the size of her buttocks—a procedure known as the “Brazilian butt lift.” Source: WCBS, New York

Microsoft takes the battle to bad guys with advanced threat protection

Microsoft plans to add a new tool to its Windows 10 software that automates what a security professional would do in response to a hacking. A test version of the feature will be available as part of the company’s Windows Defender “advanced threat protection” product, its corporate security service, before the end of the year. The goal is not only to find the bad guys and breaches, but also to fix them. Source: Fortune

Signaling system signals a need for more security

White-hat hackers exposed a flaw in the global telecom network, affecting what’s known as Signalling System No. 7 (SS7). Benevolent hackers from Positive Technologies took control of a Coinbase bitcoin wallet and pilfered funds via the SS7 flaws. These weaknesses, despite fixes being available for years, remain open and allow anyone with access to send and receive messages to and from cell phones, with various attacks allowing silent interception of SMS texts, calls and location data. Source: Forbes

Free DNA kit giveaway canceled over privacy concerns

A promotional giveaway of DNA testing kits from Orig3n at a Baltimore Ravens game was halted due, in part, to concerns about privacy. Orig3n had planned to give away gene-testing kits to 55,000 people attending the game. The company was to test four genes, including one linked to power and sprinting ability, and fans were to register with Orig3n to find out their results. The company’s privacy policy originally indicated that Orig3n might share data with third parties. Source: Genome Web

Cyber threats close schools in part of Montana

More than 30 public and private schools in Montana’s Flathead Valley canceled classes last week because several schools received cyber threats. More than 15,000 students stayed home. A ransom letter was sent to school officials from a hacker or group of hackers calling themselves The Dark Overlord. The threats are thought to be coming from abroad. Source: CBS News

Bankers group endorses CyberScout cybersecurity protection program

The American Bankers Association endorsed data breach services offered by CyberScout to help banks stay a step ahead of breach threats. CyberScout’s DataRiskStages offers a data security program to support banks and bank customers before and after a data breach. The program helps banks comply with local and national breach laws, develop incident response plans, and offer staff awareness tools before a data breach occurs. In a post-breach situation, the system provides an assessment of the breach and recommended remediation. Full disclosure: CyberScout sponsors ThirdCertainty. Source: Banking Journal