Security & Privacy Weekly News Roundup, Vol. 1, Issue 4

They’re not playing: Game-streaming service Twitch, owned by Amazon, was hacked, the online giant announced, giving attackers access to users’ account information. The company sent an email to users, warning that their account information, including e-mail addresses, passwords, IP addresses and limited credit card information, may have been compromised. Users will be notified that passwords have been reset, and will be prompted to choose a new password. Those who connected their Twitter, YouTube or Facebook accounts with Twitch will have to reconnect. Source: Mashable

Troop movements: The Islamic State published a “kill list” online containing the names, photos and addresses of 100 U.S. military members and called on its “brothers” in the United States to kill them. The group claimed it hacked several military servers, databases and emails to obtain the information. The Defense Department and the FBI are looking into the matter. Source: The New York Times

Scammers race the clock: Fidelity National Information Services’ Bob Legters said that criminals likely will increase attacks on business servers recording payment information because the industry is issuing credit cards embedded with EMV security chips. Many merchants face an October deadline to switch point-of-sale terminals to accept the new technology. “It absolutely will be the worst year of fraud because criminals know we are putting bars on the windows with EMV,” Legters said at the Consumer Bankers Association conference in Orlando. Source: The Orlando Sentinel

Prescribing healthy skepticism: The Internal Revenue Service has issued an alert about an Obamacare scam after reports of tax preparers telling clients to pay the penalty to them instead of the Treasury Department. The Affordable Care Act requires taxpayers to certify that they have health insurance. Those without insurance must pay a penalty of $95 per adult and $47.50 per child up to a maximum of $285. Source: The Delaware News Journal

Printing his own money: Authorities charged Kenneth Joseph Wild II with defrauding Memorial Hermann Health Systems of nearly $10 million over 14 years. According to a federal complaint, Wild was named manager of the 12-hospital system’s printing and mail services in 2001 and set up a phony company that billed the company for printing and data conversion services. Source: The Associated Press via CBS Houston

Planting seeds, growing STEMS: President Obama is channeling more than $240 million in public- and private-sector commitments into programs aimed at exposing minority and female students to science, technology, engineering and math (STEM) careers, including tech support, cybersecurity, coding and software design. The funding includes a $25 million Department of Education grant competition to develop science TV programming and digital media; a $90 million campaign to support hands-on learning, with commitments from Grupo Televisa and the City University of New York; and a $150 million grant program to fund early-career scientists. Source:

Keeping the keys: A report by the Government Accountability Office says former IRS employees still have access to IRS computer systems long after they have no official business with the information. The IRS uses outdated software without proper security functions, the report says, and passwords can easily be compromised. In addition, the IRS does not always delete employee access when workers quit or are fired. Source: Forbes

Ways to pay: A bipartisan House group has formed the Congressional Payments Technology Caucus (CPTC) to explore innovative payment technologies. The group will look into data security, the unbanked and access to electronic payments. Source:

A settlement that’s on Target: Retail giant Target will put $10 million into an interest-bearing escrow account in a proposed settlement of a class-action lawsuit related to a 2013 data breach that compromised some customers’ personal financial information, court documents show. Individual victims could get up to $10,000 in damages. The claims will be submitted and processed primarily online through a dedicated website. The plan requires Target to implement data security measures such as appointing a chief information security officer and maintaining a written information security program. Source:

States right? The proposed Data Security and Breach Notification Act would pre-empt stronger breach-notification laws in several states, critics told lawmakers. The legislation covers only data linked to identity theft or financial fraud, including Social Security numbers, but would not require businesses and nonprofit groups to notify users if other information is stolen, said critics such as Democratic members of the House Energy and Commerce Committee’s trade subcommittee. The proposal would pre-empt 51 existing state and territorial breach-notification laws, and would take away much of the Federal Communications Commission’s authority to enforce data security standards for telecom carriers, giving enforcement authority to the Federal Trade Commission. Source:

Nowhere to run: Mobile apps increasingly are becoming the target of cyber thieves, and nearly 40 percent of large companies aren’t scanning new applications for vulnerabilities, says a survey of information technology security professionals conducted by IBM and security researcher the Ponemon Institute. Hackers are increasingly targeting physical mobile devices in the same way they’ve hacked laptop and desktop computers. Source:

Ain’t no sunshine: A report on fraud and identity theft activity in 2014, released by the FTC as part of the Consumer Sentinel Network, puts Florida at No. 1 in the nation for the number of complaints per capita for both fraud and identity theft. On the list of the top 49 large metro areas ranking for fraud, Florida has seven cities in the top 20. On the list of the top 50 metro areas ranked in identity-theft complaints, Florida has nine out of the top 20. Source: WTFS, Tampa Bay, Fla.

Hypertext for hyper-safety: Publicly accessible websites and services of government agencies will have to move to HTTPS encryption within two years to meet the government’s objective that these sites and Web services should be offered over a secure connection. The Hypertext Transfer Protocol Secure offers the strongest privacy protection available for public Web connections, according to a draft by the White House Office of Management and Budget. Besides verifying the identity of a website or service, thus preventing redirection to bogus sites, HTTPS also encrypts information sent between the website or service and the user. Source:

Sounds like a scam, but …: If the IRS has a concern about a suspicious tax return with a real taxpayer’s name and/or Social Security number, they will send a Letter 5071C (check the upper corner of the letter for the number). If you get one, follow the directions and access The IRS will not initiate contact to verify your identification via e-mail or phone. On the IRS Identity Verification Service website, you’ll be asked questions that only you can answer. If you’re nervous about using the website, follow instructions in the letter to call a toll-free number. Source:

Payback’s a (rhymes with witch): A December blackout of North Korea’s Internet was retaliation for that nation’s hacking of computers at Sony Pictures Entertainment, said U.S. Rep. Michael McCaul, R-Texas, chairman of the House Homeland Security Committee, the first U.S. official to identify the outage as reprisal. “There were some cyber responses to North Korea,” McCaul said at an event hosted by the Center for Strategic and International Studies. He declined to say whether the United States was behind the action. North Korea’s Internet was disrupted for about 10 hours on Dec. 21 and 22, days after the Obama administration accused Kim Jong-un’s government of hacking Sony. Source:

Ground control, for real: Commercial and military planes could be vulnerable to hackers on the ground, who experts say could commandeer cockpits. The flaw lies in the entertainment and satellite communications systems, says Chris Roberts, founder of One World Labs, a cybersecurity intelligence company. “We can still take planes out of the sky, thanks to the flaws in the in-flight entertainment systems,” said Roberts, who discovered susceptibilities in the system passengers use to watch television at their seats. “We can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit.” Source:

Invasion force: The FBI is investigating possible Chinese military involvement in a hack at, which manages more than 1.4 million businesses’ website addresses. Hackers have accessed Register’s network for about a year, said people familiar with the probe. But the breach is not known to have caused disruptions or resulted in theft of client data, bolstering investigators’ belief that the hackers are state-sponsored. Some current and former law enforcement officials said the attack could be aimed at letting hackers redirect traffic to unintended websites, steal data, access e-mail accounts or cause Web pages to crash. Source:

Not-so-friendly skies: A Facebook post from Southwest Airlines on “celebrating summer with two tickets” is false, reports. Fans would have to click a “join” button, then click another button to invite 100 friends to claim tickets. The number of friends you invite determines whether you get tickets. Southwest was aware of a similar scam in 2011 and warned customers via Facebook. Source: NewsNet5, Cleveland
