Many companies have the same software that gave hackers access to Equifax data
News Roundup
By Byron Acohido, ThirdCertainty
More than 50,000 organizations are using outdated and leaky versions of Apache, the software whose Struts app gave hackers a back door into Equifax—even though free fixes have been available for nine months, according to Sonatype, a firm that monitors downloads of open-source software. Corporate America has been slow to update its open-source software, even after the Equifax hack that exposed 143 million people’s sensitive data. “When you take on use of an open-source project, you’re outsourcing software development to strangers,” says Sonatype CEO Wayne Jackson. “The thing that makes that even worse is the hacking community has an information advantage over the users of open source,” he added. The Equifax hack is one of the largest in history. Experts project that people will feel the repercussions for decades to come, as it contains Social Security numbers, addresses, credit card information and driver’s license numbers. Equifax disclosed that it had been hacked from May to July, and that it was aware of the software flaws but hadn’t fixed them. The company had been the target of other successful hacks going back to March. … Equifax tweeted a link to a would-be phishing site to a victim of its massive breach rather than the breach information site it intended. “Hi! For more information about the product and enrollment, please visit: [the url of the fake site] -Tim,” tweeted Equifax from its official account. Sources: The New York Post; The Hill
Hackers post internal files from music joint venture Vevo
Vevo, a joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner Music Group, and Alphabet (Google’s parent company), was hacked. Roughly 3.12 terabytes’ worth of internal files have been posted online. The OurMine hacker squad, the same group that hijacked WikiLeaks’ DNS shortly after taking over HBO’s Twitter account, claimed responsibility for the breach. Last year, the group took over Mark Zuckerberg’s Twitter and Pinterest accounts, and also hit BuzzFeed and TechCrunch. The leaked cache contains office documents, videos and promotional materials. Source: Gizmodo
FireEye says Iranian government behind hackers’ group
A private cybersecurity firm says a hacking group sponsored by the Iranian government targeted organizations in the United States, the Middle East and Asia. FireEye, which gathers cyber intelligence and responds to incidents through its Mandiant subsidiary, says the Iranian hacking group has targeted companies involved in the petrochemical industry and in military and commercial aviation. FireEye dubbed the group APT33—APT stands for “advanced persistent threat”—and says it has hacked targets through spear phishing emails. Source: NBC News
Avast sends out CCleaner with malware to almost 3 million users
Antivirus firm Avast inadvertently distributed a trojanized version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. Hackers hijacked and hid malware inside CCleaner for download from Aug. 15 through Sept. 12. Anyone who downloaded the 5.33 version or updated their existing product in that time became infected with a version of the Floxif malware, a covert backdoor capable of spying on everything they did online. Source: The (U.K.) Register
Medicare begins campaign to notify users about new, safer cards
Medicare is getting ready to issue all 60 million beneficiaries new cards with new ID numbers as a way to combat identity theft and fraud. The rollout begins next April, but the agency already is beginning its outreach campaign. The agency has set up a website, is sending out handbooks to all enrollees, and has call centers ready to answer questions. Until now, Medicare used people’s Social Security numbers. The new identifiers will be a randomly generated sequence of 11 numbers and letters. Source: National Public Radio
Police say physical therapist stole IDs to pay for cosmetic surgery
A Huntington Station, N.Y., woman has been accused of stealing the personal information of physical therapy patients to pay for cosmetic surgery. Suffolk County Police say Andrea Echevarria went through records of Deer Park PTDC and used the information to open a line of credit that she used to pay $15,000 for fat injections to increase the size of her buttocks—a procedure known as the “Brazilian butt lift.” Source: WCBS, New York
Microsoft takes the battle to bad guys with advanced threat protection
Microsoft plans to add a new tool to its Microsoft 10 software that automates what a security professional would do in response to a hack. A test version of the feature will be available as part of the company’s Windows Defender “advanced threat protection” product, its corporate security service, before the end of the year. The goal is not only to find the bad guys and breaches, but also to fix them. Source: Fortune
Signaling system signals a need for more security
White-hat hackers exposed a flaw in the global telecom network, affecting what’s known as Signalling System No. 7 (SS7). Benevolent hackers from Positive Technologies took control of a Coinbase bitcoin wallet and pilfered funds via the SS7 flaws. These weaknesses, despite fixes being available for years, remain open and allow anyone with access to send and receive messages to and from cell phones, with various attacks allowing silent interception of SMS texts, calls and location data. Source: Forbes
Free DNA kit giveaway canceled over privacy concerns
A promotional giveaway of DNA testing kits from Orig3n at a Baltimore Ravens game was halted due, in part, to concerns about privacy. Orig3n had planned to give away gene-testing kits to 55,000 people attending the game. The company was to test four genes, including one linked to power and sprinting ability, and fans were to register with Orig3n to find out their results. The company’s privacy policy originally indicated that Orig3n might share data with third parties. Source: Genome Web
Cyber threats close schools in part of Montana
More than 30 public and private schools in Montana’s Flathead Valley canceled classes last week because several schools received cyber threats. More than 15,000 students stayed home. A ransom letter was sent to school officials from a hacker or group of hackers calling themselves The Dark Overlord. The threats are thought to be coming from abroad. Source: CBS News
Bankers group endorses CyberScout cybersecurity protection program
The American Bankers Association endorsed data breach services offered by CyberScout to help banks stay a step ahead of breach threats. CyberScout’s DataRiskStages offers a data security program to support banks and bank customers before and after a data breach. The program helps banks comply with local and national breach laws, develop incident response plans, and offer staff awareness tools before a data breach occurs. In a post-breach situation, the system provides an assessment of the breach and recommended remediation. Full disclosure: CyberScout sponsors ThirdCertainty. Source: Banking Journal