Cloudflare problem spills cloudburst of data


A serious bug in Cloudflare’s software caused such sensitive data as passwords, cookies and authentication tokens to spill in plaintext from its customers’ websites, a blow for the content delivery network, which offers enhanced security for more than 5 million websites. Anyone who noticed the error could collect a variety of very personal information that typically is encrypted or obscured. Some data was automatically cached by search engines, making it particularly difficult to clean up. Cloudflare had to approach Google, Bing, Yahoo and other search engines and ask them to manually scrub the data. The leak may have been active as early as Sept. 22, 2016, almost five months before a security researcher at Google’s Project Zero discovered it and reported it to Cloudflare. However, the most severe leakage occurred between Feb. 13 and Feb. 18, when around 1 in every 3,300,000 HTTP requests to Cloudflare sites would have caused data to be exposed. Attackers could have accessed the data in real time, or later through search engine caches. Cloudflare discovered no evidence that hackers had discovered or exploited the bug, noting that Cloudflare would have seen unusual activity on its network if an attacker were trying to access data from particular websites. Source: Tech Crunch

Painful diagnosis: Many Americans have had health care information stolen

One in four U.S. consumers has had personal medical information stolen from technology systems, according to a survey from Accenture. The findings show that half of those who experienced a breach were victims of medical identity theft and had to pay approximately $2,500 in out-of-pocket costs per incident, on average. Most often, the stolen identity was used to purchase items or used for fraudulent activities, such as billing for care or filling prescriptions. Breaches were most likely to occur in hospitals, followed by urgent-care clinics, pharmacies, physicians’ offices and health insurers. Half of consumers who experienced a breach found out about it through noting an error on their credit card statement or benefits explanation. Source: Business Wire

Apple phone break-in cost is news, media companies tell FBI in suit

Three news corporations sued the FBI, asking the judge to force the bureau to reveal how much it cost to unlock the iPhone used by Syed Rizwan Farook in the San Bernardino, California, shootings in December 2015. The Associated Press, Vice Media, and Gannett said there is no reason for the FBI not to disclose this information, since such details do not compromise national security. Source: Softpedia

Defense secretary follows through on cybersecurity plan from Obama 

Defense Secretary Jim Mattis is asking Pentagon leaders to develop a plan to improve support of cyber operations and information management. Mattis issued a memo on organizational and structural reforms, instructing officials to address several suggestions put forth in the fiscal year 2017 National Defense Authorization Act (NDAA) signed by President Obama in December, including plans to boost the military’s cyber operations. Source: The Hill

Stolen pictures worth a thousand embarrassing moments for model 

Model and actress Emily Ratajkowski has been targeted in a fresh hack, with as many as 200 private photographs stolen. The hack has come to light after Celebrity Big Brother contestant Helen Wood alleged she was sent the cache of photographs online, with the sender begging her to include them in her Daily Star column. Source: Metro

More business executives minding their own cyber business

The threat of cyber attacks is among the biggest worries for businesses around the world, according to a study of companies in 79 countries. The No. 1 issue for executives in business continuity and resilience is the threat from hackers, with 88 percent of companies in the survey “extremely concerned” or “concerned” at the risk. “Cyber attacks and data breaches continue to cost organizations billions of dollars annually, a sum that is only likely to go up,” said BCI Executive Director David Thorp. Source: Bloomberg

That ‘missing font’ isn’t, so don’t download a ‘fix’ for Chrome

Security researchers discovered a new hacking vector for Chrome that prompts users to download a “missing font,” then tricks them into installing malware on their systems. The researchers noticed the trap while browsing an unnamed WordPress website. The hackers use JavaScript to tamper with the text rendering, causing it to resemble mis-encoded text in place of actual content. The script then prompts users to fix the issue by updating the “Chrome font pack.” Source: The Next Web

Hacker thumbs nose at Trump immigration efforts 

An Iraqi hacker going by the online handle of Pro_Mast3r ~ hacked and defaced a server associated with presidential campaign fundraising for Donald Trump. The targeted server secure2.donaldjtrump.com was defaced Sunday evening. Iraq is among seven countries whose citizens Trump targeted in his immigration ban. Source: HackRead

Russian hacks prompt feds to launch three investigations

The FBI is pursuing at least three separate probes relating to alleged Russian hacking of the presidential elections. The Pittsburgh field office, which runs many cybersecurity investigations, is trying to identify the people behind breaches of the Democratic National Committee’s computer systems. The bureau’s San Francisco office is trying to identify the people who called themselves “Guccifer 2” and posted emails stolen from Clinton campaign manager John Podesta’s account. Counterintelligence agents in Washington are pursuing leads from informants and foreign communications intercepts. Source: Reuters

If world turns its back on North Korea, that nation’s cyber attacks could rise

North Korea has an elite squad of 6,800 state hackers engaged in global fraud, blackmail and online gambling, together generating an estimated annual revenue of $860 million, according to the Korea Institute of Liberal Democracy in Seoul. “Their illicit activities have always been highly adaptable,” says Professor Sheena Greitens, at the University of Missouri. “Cyber crime would likely become a higher priority in the regime’s eyes if other avenues of revenue generation are closed off.” Source: Time

Health care organizations’ cyber budgets get healthier

Health care organizations are boosting cybersecurity budgets, according to a study from Thales e-Security, which finds 81 percent of those in the United States and 76 percent of those globally will increase information security spending this year. In the United States, regulations such as the HiTech Act’s Electronic Patient Care Reporting requirements are driving organizations to digitize data, which means information is exposed to more people, in more places and on more devices. Source: Beta News

When W stands for, ‘Watch out what you do with W-2s’ 

Nursing home chain American Senior Communities fell victim to an email scam targeting W-2 tax forms, affecting all of the company’s more than 17,000 employees. The company confirmed the breach, in which a payroll processor answered what appeared to be an email from a company official and provided employee W-2 tax information, including names, addresses and Social Security numbers, to an offshore phishing scammer. The company, which will provide employees with free credit monitoring and reporting services, said no resident or personal health information was compromised. Source: Indianapolis Star

Businesses stock up on bitcoin to cover possible ransom payments

Corporations are stockpiling bitcoin, the digital currency, so they can quickly meet ransom demands rather than lose valuable corporate data. The companies are responding to cybersecurity experts who recently changed their advice on how to deal with the growing problem of extortionists taking control of their computers. “It’s a moral dilemma. If you pay, you are helping the bad guys,” said Paula Long, CEO of Data Gravity, a company that helps clients secure corporate data. But, she added, “You can’t go to the moral high ground and put your company at risk.” Source: The Detroit News

Health care company pays $5.5 million to settle breach case

The Department of Health and Human Services’ Office for Civil Rights announced a $5.5 million settlement with Memorial Healthcare Systems to resolve alleged HIPAA violations. The settlement arose out of the improper disclosure of patient records of more than 100,000 people. Source: Mondaq

Flash a red light on that letter about your traffic violation 

Scammers claiming to be police are sending fraudulent emails claiming the recipient was caught via traffic camera while driving negligently. The emails, which often include traffic photos, tell the victim to click on a link to read the full notification. That will download a .zip file that contains a malicious JavaScript file, which infects devices with malware. Source: Kommando.com

There’s low, and then there’s really low

Con artists are using video relay services (VRS) to try to scam deaf and hard of hearing individuals, the IRS says, warning that they should not trust calls just because they’re made through VRS, as interpreters do not screen calls for validity. To learn more about the latest tax phone scams, go to IRS.gov and type “scam” in the search field. IRS YouTube videos are available on a variety of topics in American Sign Language with open captions and voice-over. Source: NBC Montana