Cloudflare problem spills cloudburst of data


A serious bug in Cloudflare’s software caused sensitive data such as passwords, cookies and authentication tokens to spill in plaintext from its customers’ websites, a blow for the content delivery network, which offers enhanced security for more than 5 million websites. Anyone who noticed the error could collect a variety of very personal information that is normally encrypted or obscured. Some of the leaked data was automatically cached by search engines, making it particularly difficult to clean up: Cloudflare had to approach Google, Bing, Yahoo and other search engines and ask them to scrub the data by hand. The leak may have been active as early as Sept. 22, 2016, almost five months before a security researcher at Google’s Project Zero discovered it and reported it to Cloudflare. The most severe leakage occurred between Feb. 13 and Feb. 18, when around 1 in every 3,300,000 HTTP requests to Cloudflare-fronted sites would have exposed data. Attackers could have collected the data in real time, or later from search engine caches. Cloudflare found no evidence that attackers had discovered or exploited the bug, noting that it would have seen unusual activity on its network if someone had been trying to harvest data from particular websites. Source: TechCrunch

Painful diagnosis: Many Americans have had health care information stolen

One in four U.S. consumers has had personal medical information stolen from technology systems, according to a survey from Accenture. Half of those who experienced a breach were victims of medical identity theft and paid, on average, approximately $2,500 in out-of-pocket costs per incident. Most often, the stolen identity was used to purchase items or for other fraudulent activity, such as billing for care or filling prescriptions. Breaches were most likely to occur at hospitals, followed by urgent-care clinics, pharmacies, physicians’ offices and health insurers. Half of the consumers who experienced a breach found out about it by noticing an error on their credit card statement or explanation of benefits. Source: Business Wire

Apple phone break-in cost is news, media companies tell FBI in suit

Three news corporations sued the FBI, asking a federal judge to force the bureau to reveal how much it paid to unlock the iPhone used by Syed Rizwan Farook in the San Bernardino, California, shootings in December 2015. The Associated Press, Vice Media and Gannett argued there is no reason for the FBI to withhold the figure, since such details do not compromise national security. Source: Softpedia

Defense secretary follows through on cybersecurity plan from Obama 

Defense Secretary Jim Mattis is asking Pentagon leaders to develop a plan to improve support of cyber operations and information management. Mattis issued a memo on organizational and structural reforms, instructing officials to address several suggestions put forth in the fiscal year 2017 National Defense Authorization Act (NDAA) signed by President Obama in December, including plans to boost the military’s cyber operations. Source: The Hill

Stolen pictures worth a thousand embarrassing moments for model

Model and actress Emily Ratajkowski has been targeted in a fresh hack, with as many as 200 private photographs stolen. The hack came to light after Celebrity Big Brother contestant Helen Wood alleged she was sent the cache of photographs online, with the sender begging her to include them in her Daily Star column. Source: Metro

More business executives minding their own cyber business

The threat of cyber attacks is among the biggest worries for businesses around the world, according to a study of companies in 79 countries. The No. 1 issue for executives in business continuity and resilience is the threat from hackers, with 88 percent of companies in the survey “extremely concerned” or “concerned” at the risk. “Cyber attacks and data breaches continue to cost organizations billions of dollars annually, a sum that is only likely to go up,” said BCI Executive Director David Thorp. Source: Bloomberg

That ‘missing font’ isn’t, so don’t download a ‘fix’ for Chrome

A security researcher discovered a new social-engineering lure for Chrome that prompts users to download a “missing font,” then tricks them into installing malware on their systems. The researcher noticed the trap while browsing an unnamed compromised WordPress website. The attackers use injected JavaScript to tamper with the page’s text rendering so that it resembles mis-encoded text in place of the actual content. The script then prompts users to fix the issue by updating the “Chrome font pack,” and the offered “update” is the malware. Source: The Next Web

Hacker thumbs nose at Trump immigration efforts

An Iraqi hacker using the online handle Pro_Mast3r hacked and defaced a server associated with presidential campaign fundraising for Donald Trump. The targeted server was defaced Sunday evening. Iraq is among the seven countries whose citizens Trump targeted in his immigration ban. Source: HackRead

Russian hacks prompt feds to launch three investigations

The FBI is pursuing at least three separate probes relating to alleged Russian hacking during the 2016 presidential election. The Pittsburgh field office, which runs many cybersecurity investigations, is trying to identify the people behind the breaches of the Democratic National Committee’s computer systems. The bureau’s San Francisco office is trying to identify the people who called themselves “Guccifer 2.0” and posted emails stolen from the account of Clinton campaign chairman John Podesta. Counterintelligence agents in Washington are pursuing leads from informants and foreign communications intercepts. Source: Reuters

If world turns its back on North Korea, that nation’s cyber attacks could rise

North Korea has an elite squad of 6,800 state hackers engaged in global fraud, blackmail and online gambling, together generating an estimated annual revenue of $860 million, according to the Korea Institute of Liberal Democracy in Seoul. “Their illicit activities have always been highly adaptable,” says Professor Sheena Greitens of the University of Missouri. “Cyber crime would likely become a higher priority in the regime’s eyes if other avenues of revenue generation are closed off.” Source: Time

Health care organizations’ cyber budgets get healthier

Health care organizations are boosting cybersecurity budgets, according to a study from Thales e-Security, which finds that 81 percent of those in the United States and 76 percent globally will increase information security spending this year. In the United States, regulations such as the HITECH Act’s Electronic Patient Care Reporting requirements are driving organizations to digitize data, which means information is exposed to more people, in more places and on more devices. Source: Beta News

When W stands for, ‘Watch out what you do with W-2s’

Nursing home chain American Senior Communities fell victim to an email scam targeting W-2 tax forms, affecting all of the company’s more than 17,000 employees. The company confirmed the breach, in which a payroll processor answered what appeared to be an email from a company official and sent employee W-2 tax information, including names, addresses and Social Security numbers, to an offshore phishing scammer. The company, which will provide employees with free credit monitoring and reporting services, said no resident or personal health information was compromised. Source: Indianapolis Star
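The W-2 scam above works because the request looks like it comes from a company official. As an added example (not code from the article or from the company involved), the following mail-gateway check flags the signals a payroll team would want caught before replying: a known executive’s display name on an address that is not that executive’s, a Reply-To that points somewhere other than the sender’s domain, an external sender, and a request for payroll or tax data. The company domain, executive roster and both sample messages are constructed for illustration; the hold rule (sensitive request plus at least one sender anomaly) is an assumption about policy, not a standard.

```python
"""Added example: hold W-2/payroll requests that carry sender anomalies.
Domain, roster and sample messages below are constructed, not real."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-senior.com"                       # assumed internal domain
EXECUTIVES = {"Jane Doe": "jdoe@example-senior.com"}        # assumed roster: display name -> real address
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn", "payroll")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_findings(raw):
    """Return a set of anomaly codes for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    found = set()
    # Display name matches an executive, but the address is not the one on file.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        found.add("spoofed_display_name")
    # Replies would go to a different domain than the apparent sender.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        found.add("reply_to_mismatch")
    # Message did not originate from the company domain at all.
    if domain_of(addr) != COMPANY_DOMAIN:
        found.add("external_sender")
    # The request is for the kind of data the W-2 scam harvests.
    if any(term in text for term in SENSITIVE_TERMS):
        found.add("requests_payroll_data")
    return found


def should_hold(raw):
    """Assumed policy: quarantine a payroll/tax request that also has a sender anomaly."""
    found = bec_findings(raw)
    anomalies = found - {"requests_payroll_data"}
    return "requests_payroll_data" in found and bool(anomalies)


# Constructed lure: executive's name, lookalike domain, Reply-To elsewhere.
SAMPLE_LURE = """From: "Jane Doe" <jane.doe@exampie-senior.com>
Reply-To: jdoe.office@mail-relay.example
To: payroll@example-senior.com
Subject: W-2 copies needed today

Please send me the 2016 W-2s for all employees as a PDF before noon.
"""

# Constructed legitimate message from the real executive address.
SAMPLE_LEGIT = """From: "Jane Doe" <jdoe@example-senior.com>
To: staff@example-senior.com
Subject: Quarterly all-hands

Reminder: the all-hands is Thursday at 10.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, sorted(bec_findings(raw)), "hold" if should_hold(raw) else "deliver")
```

None of these signals alone proves fraud; the point is that the combination (a tax-data request plus any sender anomaly) should route the message to a human with a phone call to the named executive, never to a reply.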

Businesses stock up on bitcoin to cover possible ransom payments

Corporations are stockpiling bitcoin, the digital currency, so they can quickly meet ransom demands rather than lose valuable corporate data. The companies are responding to cybersecurity experts who recently changed their advice on how to deal with the growing problem of extortionists taking control of their computers. “It’s a moral dilemma. If you pay, you are helping the bad guys,” said Paula Long, CEO of Data Gravity, a company that helps clients secure corporate data. But, she added, “You can’t go to the moral high ground and put your company at risk.” Source: The Detroit News

Health care company pays $5.5 million to settle breach case

The Department of Health and Human Services’ Office for Civil Rights announced a $5.5 million settlement with Memorial Healthcare Systems to resolve alleged HIPAA violations. The settlement arose out of the improper disclosure of the patient records of more than 100,000 people. Source: Mondaq

Flash a red light on that letter about your traffic violation

Scammers posing as police are sending fraudulent emails claiming the recipient was caught by a traffic camera driving negligently. The emails, which often include traffic photos, tell the victim to click a link to read the full notification. The link downloads a .zip file containing a malicious JavaScript file which, when opened, infects the device with malware. Source:
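The lure above ends in a .zip carrying a JavaScript file, which Windows will happily execute on double-click. As an added example (not code from the article), here is the attachment check a mail gateway or download proxy would apply: open the archive, and flag any member whose final extension is a directly executable script or binary type, including double-extension names such as `photo.jpg.js`. The archive contents and file names are constructed for illustration; the extension list is my assumption of what such a policy blocks, not a published standard.

```python
"""Added example: flag archive members that Windows would execute on open.
The sample archives and member names are constructed, not real."""
import io
import zipfile

# Assumed block list: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {
    ".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
    ".exe", ".scr", ".com", ".pif", ".lnk", ".cmd", ".bat", ".ps1",
}


def final_extension(name):
    """Return the last extension of a path, lower-cased, so 'a.jpg.js' -> '.js'."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def risky_entries(zip_bytes):
    """Return the names of archive members that would execute on open."""
    risky = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if final_extension(info.filename) in EXECUTABLE_EXTS:
                risky.append(info.filename)
    return risky


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lure: a decoy image plus a script hiding behind a double extension.
LURE_ZIP = build_sample_zip({
    "traffic_photo_0417.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
    "Violation_Notice_0417.jpg.js": b"var s = new ActiveXObject('WScript.Shell'); /* constructed */",
})

# Constructed benign archive: only image data.
BENIGN_ZIP = build_sample_zip({
    "photos/front.jpg": b"\xff\xd8\xff\xe0",
    "photos/rear.jpg": b"\xff\xd8\xff\xe0",
})

if __name__ == "__main__":
    print("lure   :", risky_entries(LURE_ZIP))
    print("benign :", risky_entries(BENIGN_ZIP))
```

The check keys on the last extension only, because that is what the shell uses to pick a handler; the decoy `.jpg` in the middle of the name is exactly what the scam relies on to get past a glance.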

There’s low, and then there’s really low

Con artists are using video relay services (VRS) to try to scam deaf and hard of hearing individuals, the IRS says, warning that they should not trust calls just because they’re made through VRS, as interpreters do not screen calls for validity. To learn more about the latest tax phone scams, go to and type “scam” in the search field. IRS YouTube videos are available on a variety of topics in American Sign Language with open-captions and voice over. Source: NBC Montana