Security & Privacy Weekly News Roundup, Vol. 1, Issue 11

Security & Privacy Weekly News Roundup, Vol. 1, Issue 11

Don’t be at ease: A Federal Trade Commission study found that military members are victims of ID theft at twice the normal rate. As deployments last longer, experts advise troops to put an active-duty alert on their accounts. Potential lenders will know that there’s the possibility of ID theft, because the account-holder is deployed. Other experts advise going for a full credit freeze, as some troops’ family members might try to take advantage of their absences. And active-duty soldiers should check their accounts while they’re away. Source: MainStreet

Over the hedge: The Department of Justice told hedge fund investors that their data could be at risk if hackers breach trading systems, and it urged them to boost cybersecurity. “Hedge funds hold a tremendous amount of capital, incredibly sensitive proprietary information and valuable algorithms, but they … often have very weak IT,” said John Carlin, assistant attorney general for national security. He told managers they need to share information, and failure to report incidents is a “payday” for hackers. Source: The Financial Times

Call for vaccines: The health care industry is not prepared for data breaches, security incidents and criminal attacks, says a report by the Ponemon Institute. “Health care providers either lack the resources, staff or the technical innovations to meet the changing cyber-threat environment, said Larry Ponemon, CEO of the Ponemon Institute. The 2015 Study on Privacy and Security of Healthcare Data concluded that no health care organization is immune to a data breach. Half of the organizations surveyed have “little or no confidence” in their ability to detect every theft or loss of patient data. Source: NBC News

From the tool box: Many consumers dislike having their phone numbers pop up on recipients’ phones when they make calls. With the Burner app and an Android or Apple smartphone, users can create unlimited phone numbers at the touch of a button. When users make a call through the app, it hides their real numbers and provides random numbers that show up as their caller IDs. Those returning calls will reach users on that generated number, which can later be discarded. Source: KABC, Los Angeles

Patch me up: Adobe has released updates for Flash Player, Reader and Acrobat, patching vulnerabilities in the software. The Flash Update for Windows, Mac OS X, and Linux patches vulnerabilities that would allow an attacker to remotely take control of the compromised computer. The update addresses four memory corruption vulnerabilities, one heap overflow flaw, an integer overflow bug, three types of confusion bugs, and a use-after-free vulnerability that allows an attacker to run code remotely and control a machine. Source: ThreatPost

There will be consequences: National Security Agency Director Michael Rogers said it was essential to prove that cyber criminals, including governments, will be reprimanded for their actions. “Because an opponent comes at us in the cyber domain doesn’t mean we have to respond in the cyber domain,” Rogers said, adding that conventional military weapons could be considered in response to cyber attacks. Source: SC Magazine

Close those eyes: The Justice Department withdrew its appeal of a lower court’s ruling that said it was illegal for police to attach a webcam to a utility pole and spy on a suspected drug dealer’s house in Washington state for six weeks. The government did not comment on its decision to drop the appeal. The video camera operated 24 hours a day. Footage was synced to the computer of a detective who could operate the camera via its pan-and-zoom capabilities. Source: Ars Technica

Tired of it all: Consumers are little moved by revelations of corporate data security lapses and do little about it. Information from credit-monitoring firm Experian says that fewer than one in 10 consumers who have had personal data exposed in a major breach take advantage of credit-monitoring services offered by the company responsible for the breach. “There’s definitely breach fatigue going on,” said Michael Bruemmer, of Experian. Many consumers affected by breaches don’t sign up for free credit- and identity theft-monitoring services. Source: Security Ledger

Lots of bots: Researchers at Incapsula have identified a massive distributed denial-of-service botnet made up of hijacked small office and home routers. A report by the security firm says several dozen customers have been targeted by tens of thousands of malware-infected routers. Compromised devices are infected with a piece of malware known as Spike and MrBlack, a Linux bot. The attacks started in December 2014. Over a 121-day period, the company recorded attack traffic coming from more than 40,000 IP addresses spread across 1,600 global ISPs. Source: Security Week

Hold on there! Internet pioneer Paul Vixie says inexpensive and quick-to-deploy new domain names are good news for bad guys and bad news for good guys. He’s proposing a “cooling-off period” for DNS providers to activate domains, which he says would help minimize abuse. Domain names are as cheap as $10, he notes, and created in less than 30 seconds. He says there’s no nonmalicious reason anyone would want a large number of cheap domain names activated in less than 30 seconds. “We’ve seen how it benefits criminals” in their online activity, he says. Source: Dark Reading

Don’t count your money yet: Most lawsuits filed after data breaches, which often seek class-action status, will be tossed out, legal experts say. The majority get dismissed after judges rule that attorneys representing plaintiffs failed to prove that defendants suffered an actual or threatened injury, experts say, pointing to the Supreme Court’s 2013 decision in Clapper v Amnesty International. In that case, the court rejected plaintiffs’ effort to establish standing by arguing about the possibility of future injury. Source: Bank Info Security

Who is who? Content management system WordPress is being hit by a new type of malware that steals user log-in credentials, while leaving the rest of the user experience unchanged. “It’s an interesting attack—we haven’t seen this before,” said Michael Sutton of cloud security vendor Zscaler. “Do not ever use the same credentials in two different sites,” he advises. Source: CS Online