Thursday, May 7, 2015

Kicking The Stool Out From Under The Cybercrime Economy

Put simply, cybercrime, especially financial malware, has the potential to be quite the lucrative affair. That's only because the bad guys have the tools to make their work quick and easy, though. Cripple the automated processes presented by certain malware platforms, and suddenly the threats -- and the losses -- aren't quite so serious.

CSO Online had the opportunity to chat with Shape Security's senior threat researcher, Wade Williamson, at this year's Black Hat conference, and he offered a brief background of these types of popular malware platforms before putting the threat landscape into perspective.

Google Report Unmasks Ad Injection Economy


More than five percent of unique IPs visiting Google-owned websites had at least one ad injector installed, according to a new study.

"Our results reveal that ad injection has entrenched itself as a cross-browser monetization platform that impacts tens of millions of users around the globe," according to a report from Google and a team of researchers that will be presented at the IEEE Symposium on Security and Privacy later this month. "Our client-side telemetry finds that 5.5% of unique daily IP addresses visiting Google properties have at least one ad injector installed. The most popular, superfish.com, injects ads into more than 16,000 websites and grossed over $35 million in 2013 according to financial reports."

UPS Now The Third Company In A Week To Disclose Data Breach

Credit and debit card information belonging to customers who did business at 51 UPS Store Inc. locations in 24 states this year may have been compromised as the result of an intrusion into the company's networks.

In a statement Wednesday, UPS said it was recently notified by law enforcement officials about a "broad-based malware intrusion" of its systems.

A subsequent investigation by an IT security firm showed that attackers had installed previously unknown malware on systems in more than four-dozen stores to gain access to cardholder data. The affected stores represent about 1% of the 4,470 UPS Store locations around the country.

5 Ways Schools Can Upgrade Cyber Security

May 06, 2015 Added by: Paul Lipman

Today’s cyber criminals are more aggressive than ever before in their quest to achieve financial gains through hacking. With that being said, it should come as no surprise that our nation's schools are a prime target for such attacks. In this article, iSheriff CEO Paul Lipman highlights the five actions that can be taken to upgrade cyber security practices.

There are five actions that can be taken to move you toward the ideal. These include:
  1. Establish a policy and technology to allow BYOD
  2. Upgrade the web filter
  3. Protect owned devices while off the network
  4. Anti-malware protection does still matter
  5. Integrate and move your security to the cloud

Monday, June 2, 2014

'Oleg Pliss' Hack Makes for A Perfect Teachable IT Moment

Computerworld - Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of their iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.

The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites like the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)



Thursday, January 23, 2014

Board Declares NSA Data Sweep Illegal


An independent board tasked with reviewing National Security Agency surveillance called Thursday for the government to end its mass data collection program and "purge" its files, declaring the program illegal in a major challenge to President Obama.

The president did not go nearly as far when he called last week for ending government control of phone data collected from hundreds of millions of Americans. In its report, obtained by Fox News and scheduled for release Thursday afternoon, The Privacy and Civil Liberties Oversight Board (PCLOB) said the program ran afoul of the law on several fronts.

"The ... bulk telephone records program lacks a viable legal foundation," the board's report said, adding that it raises "serious threats to privacy and civil liberties" and has "only limited value."

"As a result, the Board recommends that the government end the program," the panel wrote.

It remains to be seen whether Obama will accept all or part of the recommendations, but the findings could nevertheless be used as leverage in federal lawsuits against NSA spying.

The report concluded that the NSA collection raises "constitutional concerns" with regard to U.S. citizens' rights of speech, association and privacy.

Guccifer Unmasked!

  • Romanian authorities announced Wednesday the arrest of Marcel Lazar Lehel, 40, a hacker believed to work under the name 'Guccifer'.
  • Guccifer became known in the U.S. a year ago after releasing personal Bush family pictures.
  • In Romania his hacking dates as far back as 2010. 
  • He was found guilty in his home country of a dozen hacking-related charges in February 2012.

The hacker who goes by the alias Guccifer and is known for releasing pictures of former President George W Bush's paintings has been captured in Romania.

Romanian authorities announced Wednesday that they arrested 40-year-old Marcel Lazar Lehel in the town of Arad.


The raid was organized by Romania's Directorate of Investigating Organized Crime and Terrorism (DIICOT) who said that they were cooperating with U.S. authorities.

Guccifer became known in the U.S. last year when he released pictures of former President George H.W. Bush in the hospital along with other former president George W Bush's hobby paintings.

While Bush II's paintings turned out to be more of a lighthearted hack, Guccifer eventually went on to expose the more serious secrets of America's powerful.

Guccifer hacked into the website of Colin Powell, revealing an affair between the former secretary of state and Romanian European Parliament member Corina Cretu - an affair the married man continues to deny.


Monday, August 19, 2013

Mark Zuckerberg’s Facebook Page Was Hacked by an Unemployed Web Developer


An unemployed Palestinian developer named Khalil Shreateh tried several times to report a bug to Facebook’s security team. When no one got back to him, he took the (dubiously) logical next step: He exploited the bug to leave a public comment on Facebook CEO Mark Zuckerberg’s wall.

“First sorry for breaking your privacy and post to your wall,” an apparent screenshot of the hack reads. “I has [sic] no other choice to make after all the reports i sent to Facebook team.”

The break-in, detailed on Shreateh’s blog (and in several agitated posts from Facebook developers on Hacker News), has been more than a little embarrassing for Facebook.

But it’s not exactly newsworthy that Shreateh found a bug — that happens all the time. In fact, Facebook runs a program that encourages white hat hackers to find and report bugs in Facebook infrastructure in exchange for a cash reward. What is unusual is that Facebook didn’t respond to Shreateh’s initial reports about the bug, and that Shreateh then exploited it in violation of Facebook’s policies for white hat hackers.

“The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,” insisted Matt Jones, a Facebook software engineer, on the forum Hacker News. “Exploiting bugs to impact real users is not acceptable behavior for a white hat.”

Thursday, July 11, 2013

The High Cost Of Cybercrime

Every enterprise has high-value information vital to its success. As cyber-attack techniques become more sophisticated, this “digital gold” is increasingly vulnerable.

A study by the Ponemon Institute found that the average annualized cost of cybercrime in 2012 is $8.9 million per year, with a range of $1.4 million to $46 million.* The cost of cybercrime includes more than the value of the stolen information. It includes the costs of business disruption, lost opportunity, damage to brand, and recovery efforts.
  • Sony estimated their costs from 2011 data breaches were at least $171 million.
  • A competing manufacturer stole source code from a control-system supplier; the supplier’s stock dropped 83%.
  • A metallurgical company lost, to cyber espionage, technology built over 20 years at a cost of $1 billion.
  • The Canadian government stopped a $38.6 billion takeover bid when attacks compromised sensitive information at government agencies and law firms.
  • Civil penalties for ePHI breaches can be up to $250,000, with repeat/uncorrected violations reaching $1.5 million per violation, per year.