Security News Digest October 29, 2013

panelgame | Security

3 Dec 2013 (3 years and 6 months ago)






Lax Security at Canada Revenue Leads to Privacy Breaches

http://www.cbc.ca/news/politics/lax-security-at-canada-revenue-leads-to-privacy-breaches-1.2286889

The privacy watchdog says weak security practices at the federal tax office led to thousands of files being inappropriately accessed for years without detection. Privacy Commissioner Jennifer Stoddart has more than a dozen recommendations - including better monitoring of employee access rights - to ensure the Canada Revenue Agency protects sensitive information. She tabled a special audit of the revenue agency along with her annual report on compliance with the Privacy Act, the law that governs how federal agencies handle personal information.

For the second year in a row, all-time highs were set for both privacy complaints about federal organizations as well as data breaches reported by departments and agencies. From April 2012 to the end of March, Stoddart received 2,273 complaints from the public, up from 986 over the same period a year before. Much of the increase stemmed from two highly publicized data breaches involving Employment and Social Development Canada and the Justice Department.


Concerns about Sensitive Info in Police Record Checks Prompts B.C. Investigation

http://www.timescolonist.com/concerns-about-sensitive-info-in-police-record-checks-prompts-b-c-investigation-1.676660

Concerns about the amount and type of personal information disclosed in police record checks have prompted an investigation by B.C.'s privacy commissioner.

... Denham says that while a criminal record check is a report of someone's prior convictions, penalties or outstanding charges pulled from a national police database, such information can also reveal details that have not been proven in court. She says some of the issues include a person's mental health, investigations that did not result in charges and charges that did not end up in a conviction.

Last year, the commissioner issued a report saying the B.C. government did too many criminal record checks for employment-related purposes in March 2011 and that while some were valuable for people working with children, for example, others were an invasion of privacy.

[press release at http://www.oipc.bc.ca/news-events.aspx]


B.C. Shouldn't Use Internet Voting due to Security Risks, Panel Says

http://www.timescolonist.com/b-c-shouldn-t-use-internet-voting-due-to-security-risks-panel-says-1.669449

"The risks of implementing the Internet voting in British Columbia outweigh the benefits at this time," the panel said in a report Wednesday. The panel of experts, including chief electoral officer Keith Archer, recommended against universal Internet voting, but said it might be able to be used on a limited basis for people with accessibility challenges.

"If Internet voting is implemented on a limited basis, jurisdictions need to recognize that the risks to the accuracy of the voting results remain substantial," read the report. B.C.'s law currently does not allow Internet voting and would need to be changed to allow municipalities or the province to even try such an idea.


Funding Restored for B.C. Drug Safety Watchdogs; Privacy Breach Probe Continues

http://www.timescolonist.com/funding-restored-for-b-c-drug-safety-watchdogs-privacy-breach-probe-continues-1.668500

The B.C. government has restored contracts and funding for researchers at the University of Victoria and the University of B.C. following a year-long investigation into privacy breaches involving personal information. UBC's Therapeutics Initiative, which assesses drugs covered under B.C.'s PharmaCare program, and a UVic group studying Alzheimer's disease lost access to health data and money in September 2012 as the Health Ministry investigated a privacy breach in its pharmaceutical services division.

The ministry said it has improved its data privacy and security, allowing funding and data access to be restored. Health Minister Terry Lake said it was unfortunate a year of research was lost, but security and privacy of data were paramount.

... Investigation of the privacy breach continues. At least seven Health Ministry staff have been fired since it began in May 2012. To date, the investigation has cost $3.6 million.


World's First Bitcoin ATM Opens in Vancouver Today

http://www.cbc.ca/news/technology/world-s-first-bitcoin-atm-opens-in-vancouver-today-1.2286877

An ATM that converts bitcoins to Canadian dollars and vice versa was scheduled to open at 9 a.m. PT today in Vancouver. It will be the first cash machine in the world to dispense the emerging digital currency. The kiosk, located inside Waves Coffee House at Howe and Smithe streets in downtown Vancouver, will be operated by Vancouver-based Bitcoiniacs and Nevada-based Robocoin. They plan to open four more locations across Canada.

Customers will have to have their palm scanned in order to exchange up to $3,000 worth of bitcoin per day. Canadian cash can be fed in or taken out from the machine and exchanged for bitcoins on Canada's VirtEx exchange. The bitcoins will then be transferred to and from the customer's online bitcoin wallet. The user will also have the option to receive a paper voucher representing the transaction.


Adobe Security Breach Worse than Originally Thought

http://www.macworld.com/article/2059002/adobe-security-breach-worse-than-originally-thought.html

This month's security breach at Adobe is turning out to be much more widespread than the company first let on. At least 38 million users have been affected by the early October incident. When Adobe announced the breach on October 3, it said that attackers stole user names and encrypted passwords for an undisclosed number of users, along with encrypted credit or debit card numbers and expiration dates for 2.9 million customers.

Krebs on Security now reports on the full extent of the attack, confirming the 38 million figure with Adobe. The total damage could go beyond 38 million users if a recent file dump at AnonNews.org is any indication. According to Krebs on Security, the 3.8GB file includes more than 150 million usernames and hashed passwords, all taken from Adobe.

... To make matters worse, Krebs on Security and Hold Security both claim that the hackers stole source code for flagship products such as Photoshop, Acrobat, and Reader.


Why I Don't Want to Live in Dataland

http://www.informationweek.com/big-data/commentary/big-data-analytics/why-i-dont-want-to-live-in-dataland/240162558

In Dataland, we're tracked 24/7.

... "Dataland is a lot closer to reality than you might know," said Kate Crawford, a principal researcher at Microsoft Research, who spun the story of Dataland at MIT Technology Review's Emerging Technologies conference in Cambridge, Mass. Crawford then went through the four myths of big data.

Myth 1. Data is objective.

Myth 2. Data doesn't discriminate.

Myth 3. Data is a great equalizer.

Myth 4. On the Internet, nobody knows you're a dog.

... Crawford cited a study that found you need only four data points in space and time to identify most people. "Our paths are very unique and we're consistent," Crawford pointed out. "It is extraordinary to think about why so many of these data sets are being anonymized and sold when there is so much in there to identify us."

Worse, there are apps that "stripmine" our phones, taking all of our information, including contact information for our friends and family. In Dataland, there's TMI (too much information) that's PII (personally identifiable information).


Insiders with Privileged Accounts Often Access Sensitive Info They Don't Need

http://www.infosecurity-magazine.com/view/35273/insiders-with-privileged-accounts-often-access-sensitive-info-they-dont-need/

Results from BeyondTrust's "Privilege Gone Wild" report show that privileged users are "out of control." On a regular basis, employees are granted excessive privileges and access for their particular roles, resulting in unnecessary risks to organizations. Overall, 44% of employees in the survey said that they have access rights that are not necessary to their job. One of the most startling statistics from this survey reveals that 28% of respondents admitted to having retrieved information not relevant to their job. When asked what information was accessed, nearly one-quarter identified financial reports and almost half provided written responses specifying salary details, HR data and personnel documents.

... Insider threats have been shown to account for a large percentage of data breaches. While company and media discussion - and company spend - is focused on external threats from hackers and malware, a Clearswift survey showed that more than half of all security incidents (58%) can be attributed to the wider insider family: employees (33%), ex-employees (7%) and customers, partners or suppliers (18%). And, it's all exacerbated by anywhere, anytime, any device access and the BYOD phenomenon.


Database Hacking Spree on US Army, NASA, and Others Costs Gov't Millions

http://arstechnica.com/security/2013/10/database-hacking-spree-on-us-army-nasa-and-others-cost-gov-millions/

Federal prosecutors have accused a UK man of hacking thousands of computer systems, many of them belonging to the US government, and stealing massive quantities of data that resulted in millions of dollars in damages to victims. Lauri Love, 28, was arrested on Friday at his residence in Stradishall, UK following a lengthy investigation by the US Army, US prosecutors in New Jersey said. According to prosecutors, the attacks date back to at least October 2012.

Love and other alleged hackers are said to have breached networks belonging to the Army, the US Missile Defense Agency, NASA, the Environmental Protection Agency, and others, in most cases by exploiting vulnerabilities in SQL databases and the Adobe ColdFusion Web application. The objective of the year-long hacking spree was to disrupt the operations and infrastructure of the US government by stealing large amounts of military data and personally identifying information of government employees and military personnel, a 21-page indictment said.


Syrian Hackers Attack Obama's Website

http://www.informationweek.com/security/attacks/syrian-hackers-attack-obamas-website/240163242

The Syrian Electronic Army (SEA) has struck again, this time targeting the BarackObama.com website and related social media accounts. Rather than being able to directly hack the website, which was used by President Obama for his 2008 and 2012 election campaigns - and which now supports his presidential agenda - the Syrian hackers appear to have gained access to a control panel for the ShortSwitch link-shortening service used by the site. The hackers, who back the regime of Syrian President Bashar al-Assad, altered all of the short links used by Obama's website and social media accounts, redirecting them to a "Syria Facing Terrorism" video on YouTube, which has since been removed.

In other words, anyone who clicked on a link in Obama's Twitter feed, which counts 39 million followers, or Facebook page, which has been "liked" 37 million times, would have been redirected to pro-Assad propaganda.

... The SEA apparently gained access to the ShortSwitch account tied to Obama's site by first hacking into multiple Gmail accounts used by Organizing for Action (OFA), a nonprofit that advocates for Obama's agenda and also maintains the BarackObama.com website.


Report: UN Nuclear Regulator Infected with Malware

http://threatpost.com/report-un-nuclear-regulator-infected-with-malware/102670

The United Nations' nuclear regulatory body, the International Atomic Energy Agency (IAEA), announced yesterday that it found malicious software on a number of its machines, but that its networks have not been compromised. According to a Reuters report, the infected computers were housed in a common area of the IAEA's Vienna, Austria headquarters, known as the Vienna International Center.

... It is not clear who could have launched the attack, but the IAEA is heavily involved in the contentious investigation of Iran's move toward developing nuclear capabilities. This is merely the latest in an increasingly long line of attacks targeting agencies and organizations involved with nuclear and other energies, nearly all of which in some way implicate the U.S. and its allies and the Islamic Republic of Iran.


Dutch Banking Malware Gang Busted: Bitcoin's Role

http://www.informationweek.com/security/attacks/dutch-banking-malware-gang-busted-bitcoi/240163193

Dutch cybercrime police last week busted four men on charges that they used the banking malware known as TorRAT to steal an estimated $1.4 million from consumers, which they allegedly laundered using the cryptographic currency known as Bitcoins. TorRAT is a remote-access Trojan (RAT), designed to steal online banking information, which receives command-and-control (C&C) instructions via the anonymizing Tor network. By using Tor, the botnet's operators can disguise the commands they send to infected PCs and hide the flow of stolen data being transmitted from infected PCs to attacker-controlled servers. The Windows malware was distributed in part via hacked Twitter feeds, but largely via phishing attacks written in Dutch that targeted online banking users in the Netherlands.

... Police said the TorRAT gang coordinated their operations using Tor Mail - which was designed to provide users with anonymous, private communications - and ultimately stole funds from at least 150 Dutch bank accounts.


Russia 'Spied on G20 Leaders with USB Sticks'

http://www.telegraph.co.uk/news/worldnews/europe/russia/10411473/Russia-spied-on-G20-leaders-with-USB-sticks.html

Russia spied on foreign powers at last month's G20 summit by giving delegations USB pen drives capable of downloading sensitive information from laptops, it was claimed today. The devices were given to foreign delegates, including heads of state, at the summit near St Petersburg, according to reports in two Italian newspapers, La Stampa and Corriere della Sera. Downing Street said David Cameron was not given one of the USB sticks said to have contained a Trojan horse programme, but did not rule out the possibility that officials in the British delegation had received them.

... Delegations also received mobile phone recharging devices which were also reportedly capable of secretly tapping into emails, text messages and telephone calls.

... "Collectively, the hacks described herein substantially impaired the functioning of dozens of computer servers and resulted in millions of dollars of damages to the government victims," the indictment, filed in US District Court in Newark, New Jersey, alleged.


Romanians Accused of Running Online Car Scam

http://money.cnn.com/2013/10/24/technology/romanian-ebay-scam/index.html

A group of Eastern European men have been charged with running a multimillion-dollar scam through sites including eBay and Cars.com, prosecutors announced Thursday.

... U.S. law enforcement officials have issued alerts for the men through Interpol, the international police agency. Nicolae Popescu, 33, is accused of leading a crime ring that placed fake listings on e-commerce websites including eBay, Cars.com, AutoTrader.com, and CycleTrader.com. The listings allegedly advertised high-value items including cars, motorcycles and boats. Prosecutors say the gang secured bank transfers from victims using fake invoices purporting to be from PayPal and other online payment services. The men also allegedly sold nonexistent vehicles through websites they created for phony dealerships. Prosecutors estimate that the group earned more than $3 million from the alleged scheme between 2011 and 2012.

... Eastern Europe has long been a center for sophisticated cybercrime. Earlier this year, an Eastern European gang reportedly hacked a number of tech companies - including Apple, Facebook and Twitter - in an apparent effort to steal corporate secrets.



The Security News Digest (SND) is a collection of articles published by others that have been compiled by the Information Security Branch (ISB) from various sources. The intention of the SND is simply to make its recipients aware of recent articles pertaining to information security in order to increase their knowledge of information security issues.

The views and opinions displayed in these articles are strictly those of the articles' writers and editors and are not intended to reflect the views or opinions of the ISB. Readers are expected to conduct their own assessment on the validity and objectivity of each article and to apply their own judgment when using or referring to this information. The ISB is not responsible for the manner in which the information presented is used or interpreted by its recipients.


For previous issues of Security News Digest, visit the current month archive page at:

http://www.cio.gov.bc.ca/cio/informationsecurity/securitynewsdigest/securitynews_digest.page

To learn more about information security issues and best practices, visit us at:

Information Security Branch
Office of the Chief Information Officer
Ministry of Technology, Innovation and Citizens' Services
4000 Seymour Place, Victoria, BC V8X 4S8

http://www.cio.gov.bc.ca/cio/informationsecurity/index.page

CITZCIOSecurity@gov.bc.ca




The information presented or referred to in SND is owned by third parties and protected by copyright law, as well as any terms of use associated with the sites on which the information is provided. The recipient is responsible for making itself aware of and abiding by all applicable laws, policies and agreements associated with this information.

We attempt to provide accurate Internet links to the information sources referenced. We are not responsible for broken or inaccurate Internet links to sites owned or operated by third parties, nor for the content, accuracy, performance or availability of any such third-party sites or any information contained on them.
