Cybercrime Week in Review 10 October 2015
Scottrade suffers hack; 4.6M customers notified of breach (ZDNet)
The brokerage firm confirmed the attack, but said the focus of the attack was client contact details rather than financial information.
VW’s ‘neat hack’ exposes danger of corporate software (The Guardian)
For anyone interested in what is laughingly known as “corporate responsibility”, the Volkswagen emissions-fraud scandal is a gift that keeps on giving. Apart from the company’s Nazi past, its high status in German life, its hitherto exalted reputation for technical excellence and quality control, and its peculiarly dysfunctional governance, there is also the shock to consumers of discovering that while its vehicles are made from steel and composite materials, they are actually controlled by software. We are already close to the point where that software may be more valuable than all the physical materials that make up the vehicle, and, if Apple and Google have their way, that imbalance is set to grow.
Incredible! Someone Just Hacked 10,000 Routers to Make Them More Secure (TheHackerNews)
Security firm Symantec has discovered a new malware, dubbed “Linux.Wifatch” a.k.a. “Ifwatch,” that has infected more than 10,000 vulnerable ‘Internet of Things’ devices and is spreading quickly.
Why Companies Won’t Learn From the T-Mobile/Experian Hack (The New Yorker)
Last Thursday, John Legere, the C.E.O. of T-Mobile, joined the ranks of the dozens of chief executives who, in the past few years, have had to inform their customers that their personal information has been stolen. “One of our vendors, Experian, experienced a data breach,” Legere tweeted, referring to a Dublin-based credit bureau that his company uses to collect, store, and secure customers’ personal information. Experian explained the details on its Web site.
Angler Ransomware Campaign Disrupted (Bank Info Security)
A cybercrime ring that employed the Angler Exploit Kit to earn an estimated $34 million per year from ransomware infections alone has been disrupted by security researchers at Cisco’s Talos security intelligence and research group.
Near-flawless Social Engineering attack spoiled by single flaw (CSO Online)
A reader recently shared an email that was sent to their comptroller, which by all accounts was a near-perfect social engineering attempt. However, awareness training, combined with full executive support to question any suspect request, prevented what could’ve been a massive financial hit to the organization.
U.S. will not seek legislation against encryption (PC World)
The U.S. administration will not seek legislation at this point to counter the encryption of communications by many technology services and product vendors, but will work on a compromise with industry, a senior U.S. official said Thursday.
Notable news stories and security-related happenings:
The European Court of Justice invalidated the U.S.-EU Safe Harbor agreement regulating the flow of personal data from Europe to the United States, citing inadequate data protections in the United States in the wake of the Snowden disclosures. While the European Commission and White House plan to negotiate a new accord–an updated Safe Harbor framework was already in the works–many officials, companies, and analysts have expressed concerns about this week’s verdict. Here on Net Politics, Karen Kornbluh weighs in on the implications of the decision and the “unpredictable outcomes” of European data protection reforms. Sidley Austin LLP Partner and guest blogger Alan Charles Raul argues that the U.S. government largely has itself to blame given that it failed to publicly communicate the checks and balances baked into U.S. intelligence collection efforts.
The Washington Post reports that the Chinese government arrested hackers the U.S. government identified as having engaged in cyber espionage for commercial gain one or two weeks before Chinese President Xi’s state visit late last month. According to the Post, the United States identified individuals it wanted the Chinese authorities to arrest so as to demonstrate that China was serious in cracking down on commercially motivated cyber activity. Perhaps unsurprisingly, there have been no similar reports in the Chinese press. It’s only been two weeks since President Xi said his country wouldn’t “conduct or knowingly support cyber-enabled theft of intellectual property,” so it’s too early to tell whether China is sticking to its commitment. Nevertheless, if the Post report is accurate, it would be a good sign of compliance.
After ten years of negotiation, the United States and eleven other Pacific Rim nations finalized the terms of the Trans-Pacific Partnership trade accord, an extensive trade agreement setting standards to regulate commerce across the Pacific. While President Obama has championed the agreement as a means of bringing American exports to new markets and offsetting Chinese economic ascendancy, the tech community, like Congress, is largely split. In particular, the undisclosed e-commerce and leaked intellectual property chapters have generated buzz. Whereas many large companies are enthusiastic about the widely rumored “free flow of information across borders” and elimination of unfair “forced localization” measures, many privacy advocates, small businesses, and Internet users have expressed concerns over broad language, copyright terms, and a lack of transparency. We’ll have analysis on the e-commerce chapter when the final text of the deal is released in the coming days.
The Nameless Coalition, a grouping of seventy-five advocacy groups, sent a letter to Facebook demanding “concrete and meaningful changes” to the company’s controversial real names policy, which requires users to post under an authentic identity that “acceptable identification forms would show.” Although Facebook promised to “fix the way this policy gets handled” last year in response to backlash from the LGBT community and several advocacy organizations, the social network has yet to adopt any modifications. In its letter, the Nameless Coalition endorses the elimination of the policy in its entirety for ethical as well as legal reasons, but it also includes a series of working recommendations for the time being, such as permitting the use of non-legal names in appropriate situations, instituting an identity compliance mechanism that does not require government ID, and providing information about personal data storage and access.