Good thing that hacker’s on our side
March 11, 2016


A white hat hacker has disclosed a vulnerability that gave him the means to break into any Facebook user’s account. The social media giant awarded him a bug bounty of $15,000 for reporting the issue. Security researcher Anand Prakash said the “simple vulnerability” gave him full access to another user’s Facebook account without any interaction from the victim. Access was gained through the password reset process. The flaw, Prakash found, was that certain Facebook-beta URLs lacked the routine cybersecurity measures applied elsewhere. With the exploit, Prakash was able to view a profile’s messages, credit and debit card details stored in the profile’s payments section, personal photos and more; in effect, he had complete control of the account. Source:
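The article does not say which routine measure the beta endpoints were missing. As an added illustration (not code from the article, from Facebook, or from the researcher), the following Python sketch shows one of the basic controls a password-reset flow is expected to have: a short-lived, single-use reset code that is locked after a small number of wrong guesses and compared in constant time. The attempt limit, the time-to-live and the in-memory store are assumptions chosen for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory store: user -> pending reset state.
# A real service would persist these same fields server-side.
_pending = {}

MAX_ATTEMPTS = 5          # assumed policy: lock the code after five wrong guesses
CODE_TTL_SECONDS = 600    # assumed policy: a code expires after ten minutes


def issue_reset_code(user, now=None, digits=6):
    """Generate a random numeric reset code and record it with an attempt counter.

    Issuing a new code replaces any previous one, which also resets a lockout.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    _pending[user] = {"code": code, "issued": now, "attempts": 0}
    return code


def verify_reset_code(user, submitted, now=None):
    """Return True only for the correct, unexpired code within the attempt budget.

    Every failed check counts against the budget, so a short numeric code
    cannot simply be enumerated; once the budget is spent even the correct
    code is refused until a fresh one is issued.
    """
    now = time.time() if now is None else now
    state = _pending.get(user)
    if state is None:
        return False                      # nothing pending for this user
    if now - state["issued"] > CODE_TTL_SECONDS:
        del _pending[user]                # expired: discard it
        return False
    if state["attempts"] >= MAX_ATTEMPTS:
        return False                      # locked out
    state["attempts"] += 1
    if hmac.compare_digest(state["code"], submitted):
        del _pending[user]                # single use: consume on success
        return True
    return False


def attempts_used(user):
    """Expose the attempt counter so monitoring can alert on users nearing lockout."""
    state = _pending.get(user)
    return state["attempts"] if state else 0
```

The same policy has to apply on every host that serves the reset form; a limit enforced only on the main site and not on a beta or staging endpoint is no limit at all.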

A cookie that’s lost its taste

Verizon Wireless will pay $1.35 million to settle an FCC probe into its practice of inserting so-called “super cookies” into its customers’ mobile Internet traffic without their knowledge or consent. At issue are tracking identifiers intended to serve up relevant ads. Verizon inserts these identifiers, known as UIDH, into Web traffic to identify customers and, ultimately, deliver them targeted ads. Researchers found that Verizon partners could track users even after they deleted their browser cookies. “Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers’ opt-in consent before sharing UIDH with third parties, and will obtain customers’ opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family,” the FCC says. Source: PC Magazine

Frequent treatments without a cure

People living with a long-term illness can be more vulnerable to identity theft: they are constantly in need of health care, and their Social Security numbers, driver’s licenses and insurance cards are used repeatedly for ongoing appointments and treatments. “Your medical history or bill shows all your treatments,” said Kathy Middleton, business solutions specialist with LegalShield. Check your explanation of benefits thoroughly and confirm that you actually had each listed procedure, attended each listed appointment or, if you were hospitalized, were given each listed medication, she said. “You want to make sure that all records are matching up. If anything looks suspicious, question it.” Source: QC Online

You might want to take the bus, instead

South Korea’s National Intelligence Service has accused North Korea of attempting to hack into railway control systems and wiretap officials’ smartphones as tensions continue to mount on the peninsula. The National Intelligence Service said North Korean hackers penetrated the smartphones of dozens of senior South Korean officials, stealing text and voice messages. The intelligence service also claimed the North’s cyber attacks targeted the emails of South Korean railway workers in an attempt to gain control of railroad control systems. According to accounts by defectors from the North, the secretive country is building up cyber capabilities that would enable it to disrupt or destroy the computer systems controlling telecommunications and other utilities. Source:

Hack may render Apple, FBI standoff moot

Donald Gambino at Startup Panel thinks he has figured out a way for the FBI to access an iPhone 6 without the new software. An iPhone 6 used by the San Bernardino, Calif., terrorists remains locked, and the FBI is demanding that Apple build an alternative operating system that can break into the phone. So far, Apple has refused, despite a court order mandating the hack. Gambino claims to have discovered a glitch in the phone’s connection to Siri that lets a user get into the iPhone 6 without knowing the passcode. The one major caveat is that the phone must have Siri enabled to be susceptible to the glitch, and it is unknown whether the San Bernardino man activated the voice-activated personal assistant. Source:

Sharing knowledge to shore up strength

More than 1,100 cybersecurity professionals gathered in Washington, D.C., for Cyber Storm V, a cybersecurity simulation that tests their ability to handle debilitating cyber attacks. The biennial event, mandated by Congress, builds on real-world events. The Homeland Security Department runs the weeklong exercise, which is hosted by the U.S. Secret Service. Participants face and counter simulated malware attacks as a way to test and improve their preparedness. The event is becoming increasingly important as attacks on both the government and the private sector grow in intensity and frequency, Suzanne Spaulding, a cyber official at Homeland Security, said in a statement. “The challenge is here and now.” Source: Health Care IT News

A cloudburst over that stay in sunny Florida

Rosen Hotels and Resorts in Central Florida said people who visited its hotels in the past 17 months could be at risk from a data breach; anyone who used a credit card at the Rosen Center on International Drive or at its other locations could be affected. The breach went undetected for almost a year and a half, until guests began noticing a pattern of unauthorized charges after using their cards during hotel stays. A cybersecurity team found that someone had installed malware on the company’s payment-card network that harvested cardholder names, card numbers, expiration dates and verification codes. Anyone who stayed at a Rosen hotel between September 2014 and this past February may have been affected. Source: Fox35 Orlando

Adding real insult to those injured

Cancer treatment provider 21st Century Oncology Holdings has warned 2.2 million patients and employees that their sensitive data may have been stolen in a cyber attack. Hackers accessed a key database and stole data including patients’ names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance records. The clinic chain says there is no evidence that medical records were part of the haul. The medical group is offering those affected a year of free credit monitoring. Source: ZDNet

Getting serious about security in the C-suite

Comcast has hired Noopur Davis in the newly created role of Senior Vice President of Product Security and Privacy for the Technology and Product team. Before joining Comcast, Davis led product security, product quality, enterprise agility, project management center of excellence, interoperability and content validation initiatives across Intel Security’s entire product line. At Comcast, Davis will oversee a full-lifecycle approach to product security and privacy that embeds security and privacy throughout the development process, from product inception to end of life, the company said. Source:

Court doesn’t ‘Like’ that button

A court in Germany has ruled that Facebook’s “Like” button can be used in a way that violates European privacy laws. The case was brought by a consumer group against an online shopping site that relied on the user recommendation feature, a Dusseldorf regional court said. In a comment, Facebook said the case is “specific to a particular website and the way they have sought consent from their users in the past.” The site is now believed to have been updated. Source: The (U.K.) Daily Mail

Trying to pull a few weeds

A court in the Netherlands has ordered Google to hand over the contact details of accounts linked to fake reviews that attacked a Dutch nursery. The nursery, which was not named in the proceedings, won a court order requiring Google to reveal who was responsible for a series of fake reviews, posted through the company’s Google+ social network, that alleged child abuse. The reviews were visible through searches and in Google Maps. One of the fake reviewers took on the identity of a dead woman. Google had refused to take down the fake reviews at the nursery’s request, saying they fell under freedom of speech protections, which prompted the court case. Google was ordered to pay fees and to divulge the IP addresses of the users who posted the fake reviews. A Google spokesperson said: “We’ve received the ruling and are currently reviewing it.” Source: The Guardian

Homing in on a legal settlement

Home Depot says it is willing to pay up to $19.5 million to settle a class-action lawsuit brought by shoppers affected by a massive security breach that exposed credit card information belonging to 56 million customers. The retailer’s offer includes the creation of a $13 million fund to compensate customers for out-of-pocket expenses such as reasonably traceable fraud. The remaining money would go toward legal fees and associated expenses. Home Depot also promised to adopt new data security measures to protect its customers’ personal and financial information. The company said its settlement offer, which still requires court approval, is not an admission of liability in the matter. Source: CNET

Patch me up

Microsoft pushed out 13 security updates to fix 39 vulnerabilities across its Windows operating systems and other software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user beyond, perhaps, visiting a hacked Web site. Source: Krebs on Security

Leaving the country won’t help

The Talos Intel security blog noticed an uptick in tax phishing campaigns targeting Ireland, and an investigation found that such scams have affected many nations. Most of the phishing attempts are in English, except for the emails targeting Denmark, Italy and Sweden. Most campaigns did not have any clear similarities, indicating that the same threat actors initiated them. One campaign from March 2015, however, was interesting in that a very similar message was sent to the United Kingdom, Canada and the United States at the same time. Based on the similarity of the messages, it appears that a single threat actor was behind all of them. The text of each email is essentially identical apart from country-specific customizations, such as the currency and the name of the tax agency. Source: Talos Intel

The post Good thing that hacker’s on our side appeared first on Third Certainty.