I recognize that face … and so does Facebook


By Byron Acohido, ThirdCertainty

Facebook is launching an app called Moments to make it easier to share photos with friends. Moments scans your camera for familiar faces to help share photos with the people in the picture. The social network already is using facial recognition technology to make tag suggestions on Facebook, but Moments takes it to the next level. If your friends use the app, they will see all photos they were tagged in. If they haven’t installed the Moments app yet, they will receive a notification that says they have photos waiting for them. Source: Digital Trends

Heading them off at the pass

Hackers have broken into LastPass, a company that lets people store passwords online so they can access them all with a single master password. The invaders got access to user email addresses, password reminders, and encrypted versions of master passwords, raising worries about the practice of keeping all passwords in a single place on the Internet. “Attackers seem to have all they need to start brute-forcing master passwords,” said Tod Beardsley, a research manager at cybersecurity firm Rapid7. Hackers also grabbed user password reminders. If your question is something like, “Where were you born?” hackers can find the answer using public records or social-media accounts. Source: CNN


OPM not only hack target

As many as 390,000 current and former Department of Homeland Security employees, contractors and job applicants may have had their private data compromised in a newly disclosed computer hack. DHS spokesman S.Y. Lee said internal notices about the data breach at KeyPoint Government Solutions were sent to employees. KeyPoint provides background checks for security clearances for the federal government. The KeyPoint hack is separate from the hacks of the Office of Personnel Management disclosed earlier this month. Source: NBC News

In the trade

The FBI and the Justice Department’s investigation into whether St. Louis Cardinals front office personnel hacked into a network used by the Houston Astros was launched after documents from the network were posted to a hacking forum, Anonbin.com, an anonymous forum used for sharing hacked or leaked information. While the hacked database reportedly contained “proprietary statistics and scouting reports,” the leaked documents focused on internal discussions about trades. The most eye-opening revelation was that the Astros had a good shot to trade for Miami Marlins’ Giancarlo Stanton, but balked at the asking price. Source: Business Insider


Seeing red

The possibility of cyber criminals hacking into and manipulating Washington, D.C.’s traffic light system is prompting transportation leaders to investigate where and how hackers are likely to strike. Amid claims from a hacker that he hacked D.C.’s traffic lights during a 2014 visit, D.C.’s Department of Transportation “is starting a cybersecurity audit project this summer in which we will evaluate potential security vulnerabilities to the DDOT operations system network,” said Keith St. Clair, acting DDOT communications director. Argentine security researcher Cesar Cerrudo said he “found he could turn red lights green and green lights red,” but St. Clair says that’s not possible. Source: WTOP, Washington, D.C.

Need for speed

ThreatQuotient has crafted a product designed to cut the time it takes to identify and mitigate a cyber threat by acting as a central repository for all threat intelligence. Security teams can search through an optimized database of known threats and pull up the information they need to make quick decisions. When a threat is detected, the time it takes to identify it from a large database of sources, check whether the system has encountered it before, then use that knowledge to determine a course of action can be agonizingly long, co-founder Wayne Chiang said. To make the process more efficient, ThreatQuotient’s software suggests which sources of data are most relevant to a business. For example, a retail company would want more insight on the kinds of attacks that retailers — as opposed to financial institutions — face, Chiang said. Source: The Washington Post


Big brother is watching—and listening

A vulnerability in software on Samsung Galaxy phones lets hackers look through the phones’ camera, listen to the microphone, read incoming and outgoing texts and install apps, according to researchers. Until Samsung fixes the problem, there is little that owners of the phone can do beyond staying off unsecured Wi-Fi networks. The hack exploits a problem with the IME keyboard software, which periodically asks a server whether it needs updating. Hackers can pretend to be the server, and send malicious code to the phone. Source: The (U.K.) Independent

They are driven

A flaw in Uber’s website let a hacker take over a page. Security researcher Austin Epperson didn’t try to steal personal details or spread malware; instead, he used the hack to display an ad for Uber’s rival Lyft. Epperson was able to hack a micro-site on Uber’s website through a flaw in a new petition it launched to try to persuade San Francisco to let the company operate on Market Street. Uber says the section of the website in question wasn’t connected to any user login information. There’s no evidence that any personal data was stolen due to the vulnerability. Source: Business Insider


Don’t pump up the volume

Security researcher Billy Rios says he’s found serious vulnerabilities in several models of drug-infusion pumps, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. The vulnerabilities affect at least five models of drug-infusion pumps made by Hospira, a company with more than 400,000 intravenous drug pumps installed in hospitals around the world, he says. Rios suspects that the company’s Plum A+3 and its Sapphire and SapphirePlus models are vulnerable, too. Hospira did not respond to Wired’s request for comment. Source: Wired

Big Bing theory

Microsoft is encrypting traffic on its search engine Bing by default. The company has offered encrypted search as an option for about a year and a half, but is making the feature standard. The software giant notes that it will continue to include referrer strings in searches letting webmasters know that a particular visitor to their site came from Bing, but actual query terms will no longer be passed on. Marketers still will be able to get such information as aggregated keywords and ranking data via Bing’s advertiser tools, but Microsoft says this information is made available “without compromising the security of (customers).” Source: The Verge

Revenge is a dish of many flavors

While North Korean involvement in the Sony cyber attack shouldn’t be discounted, the story might be more complex, cyber psychologist Mary Aiken said during a panel about cyber security hosted by Loyola Marymount School of Film and Television. “We’re not ruling out North Korea; what we’re saying is that it’s not as simple as it seems,” Aiken said. “It can be a convergence of interests. That’s what differentiates cyber from the real world. It’s so easy to syndicate.” Ralph Echemendia, a hacking expert, echoed Aiken’s argument. “I think it definitely was a revenge hack,” he said. “Was it state-sponsored or by some other parties? It could be five guys sitting in Russia for all we know.” Source: The Hollywood Reporter


Dead wrong

Thieves using the identities of the deceased are going to genealogy websites to steal their Social Security numbers and other personal information to file fraudulent tax returns. Postmortem identity theft is widespread, with the names and personal data of 2.5 million dead Americans used to fraudulently apply for credit cards, loans, tax refunds and utility services every year, says Stephen Coggeshall of ID Analytics, an identity-theft protection company. “Their Social Security numbers are sometimes easier to find than credentials of the living,” he says. Source: AARP Bulletin

They’re killing it

A third fewer Americans say they had phones stolen last year compared with 2013, according to a Consumer Reports study. An estimated 2.1 million Americans had their phones stolen last year, down from 3.1 million in 2013. Apple started letting users clear their data and disable their iPhones remotely in 2013 with its “Find My iPhone” feature, and Android is expected to build in the function soon. That makes it harder for thieves to do much with a stolen smartphone: If it doesn’t work, it’s not worth much on the black market. Source: The Washington Post
