Chinese hackers are suspected of carrying out a “massive breach” affecting the personal data of millions of US government workers, officials said.
The Office of Personnel Management (OPM) confirmed on Thursday that almost four million current and past employees have been affected.
The breach could potentially affect every federal agency, officials said.
Using a new cyber security system known as Einstein, the OPM detected a “cyber-intrusion” in April 2015. The FBI said it was investigating the breach.
Ken Ammon, chief strategy officer of Xceedium – a cyber security firm – warned that the hacked data could be used to impersonate or blackmail federal employees with access to sensitive information.
Source: Millions of US government workers hit by data breach – BBC News
As you may have heard, criminals used the Internal Revenue Service’s own website to steal taxpayer information for about 100,000 U.S. households, the agency said Tuesday, showing how vulnerable it remains as fraud proliferates.
The IRS will send you a letter if your records were at risk.
The criminals attempted to crack 200,000 accounts and made it into about half of them. The IRS will send you a letter if your account was among those 200,000, regardless of whether or not it was hacked. The agency will not call, email or send letters that ask for your personal information in response, but scammers might. Cyber thieves often take advantage of incidents like this by calling people and posing as taxmen, or emailing taxpayers malicious links.
Nasty links could infect your computer with malware in an attempt to steal your personal information, or lock up the machine until you pay a ransom — a tactic hackers began using this year while sending fake refund receipts to taxpayers, according to KnowBe4, a Clearwater, Fla.-based security company.
Source: IRS data theft: 5 things you need to know – MarketWatch
An apparent security vulnerability has left iPhone users susceptible to having their phones shut off with a simple text message.
The vulnerability appeared to have been first discovered on Reddit.
The security loophole gained widespread attention on social media Tuesday night, with individuals sending the string of code to friends as part of pranks or to simply see if it worked.
Source: iPhone Users Beware: If You Get This Text Message, Your Phone Will Likely Turn Off Immediately | Video | TheBlaze.com
Well-known security researcher Kafeine has spotted an active campaign aimed at compromising SOHO routers and changing their DNS settings so that the attackers can seamlessly redirect users to phishing sites, hijack their search queries, intercept their traffic, and more.
This particular campaign apparently targets only users of Google’s Chrome browser and ignores others. Chrome users who visit a compromised website are redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use.
Source: Massive campaign uses router exploit kit to change routers’ DNS servers
What is a social engineering attack?
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
- natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- epidemics and health scares (e.g., H1N1)
- economic concerns (e.g., IRS scams)
- major political elections
How do you avoid being a victim?
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don’t send sensitive information over the Internet before checking a website’s security (see Protecting Your Privacy for more information).
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
- Take advantage of any anti-phishing features offered by your email client and web browser.
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
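The advice above about watching a URL for spelling variations or a swapped domain suffix can be turned into a small lookalike check. This is an added example, not US-CERT's own tooling; the allow-list of trusted hostnames and the edit-distance thresholds are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hostnames the reader trusts (an assumption for this
# example; in practice it would come from your own bookmarks or prior statements).
LEGITIMATE_HOSTS = ["example-bank.com", "irs.gov", "united.com"]


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """Crude (name, tld) split; assumes a single-label public suffix such as .com."""
    labels = host.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")


def classify_url(url, legitimate_hosts=LEGITIMATE_HOSTS):
    """Return (verdict, matched_host) for a link the user is about to follow.

    Verdicts: 'legitimate', 'lookalike-tld' (same name, different suffix),
    'lookalike-spelling' (name within a small edit distance of a trusted name),
    'lookalike-embedded' (trusted name buried inside an unrelated domain), 'unknown'.
    """
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    name, tld = split_host(host)
    tokens = host.replace("-", ".").split(".")   # labels and hyphen-separated parts
    for good in legitimate_hosts:
        if host == good or host.endswith("." + good):
            return "legitimate", good
    for good in legitimate_hosts:
        good_name, good_tld = split_host(good)
        # Heuristic thresholds (assumption): one edit for short names, two for long.
        max_edits = 2 if len(good_name) >= 8 else 1
        if name == good_name and tld != good_tld:
            return "lookalike-tld", good
        if edit_distance(name, good_name) <= max_edits:
            return "lookalike-spelling", good
        if all(part in tokens for part in good_name.split("-")):
            return "lookalike-embedded", good
    return "unknown", None
```

The check is deliberately conservative: anything not on the allow-list and not resembling it is reported as unknown rather than safe, which matches the advice to verify through a known contact rather than trust the link.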
Source: Avoiding Social Engineering and Phishing Attacks | US-CERT
An estimated 630 million phones fail to purge contacts, e-mails, images, and more.
In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had undergone a factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users had turned on full-disk encryption.
Source: Flawed Android factory reset leaves crypto and login keys ripe for picking | Ars Technica
“… this thing calling itself “PuTTY” was written by a developer who might know how to implement RSA in C, but who does not know how or why to use RSA.”
Source: Downloading Software Safely Is Nearly Impossible
United Airlines has become the first airline to start a bug bounty program, offering air miles for remote code execution bugs, authentication bypasses, timing attacks, etc.
Only members of its MileagePlus program can apply, so bug hunters who aren’t will have to become members before sending in their submission.
The bug bounty program encourages researchers to find vulnerabilities in the company’s customer-facing websites, its app, and third-party programs loaded by united.com or its other online properties.
Bugs that only affect legacy or unsupported browsers, plugins or operating systems will not be taken into consideration for rewards, and neither will bugs on the company’s internal sites, partner sites, or bugs on onboard Wi-Fi, entertainment systems or avionics.
Source: United Airlines offers air miles for vulnerability information
Solid-state drives are great for performance, but data security must come first.
New research suggests that newer solid-state hard drives, which are faster and offer better performance, are vulnerable to an inherent flaw — they lose data when they’re left dormant in storage for periods of time where the temperature isn’t properly regulated.
The worrying factor is that this period can be weeks or months, but in some circumstances only a few days.
Solid-state drives are better than regular mechanical hard drives, which are slow and sluggish. But unless mechanical drives are battered around, smashed, or doused in acid, they pretty much last forever.
A recent presentation by hard drive maker Seagate’s Alvin Cox warned that the period of time data is retained on some solid-state drives is halved for every 9°F (or 5°C) rise in the temperature at which the drive is stored.
That means if a solid-state drive is stored in a warm room, say 77°F (25°C), its data can last for about two years. But, if that goes up by a mere few degrees to 86°F (30°C), that data’s retention period will be cut in half.
Source: Solid-state drives lose data if left without power for just a few days | ZDNet
Kamkar told Ars his Master Lock exploit started with a well-known vulnerability that allows Master Lock combinations to be cracked in 100 or fewer tries. He then physically broke open a combination lock and noticed the resistance he observed was caused by two lock parts that touched in a way that revealed important clues about the combination. (He likened the Master Lock design to a side channel in cryptographic devices that can be exploited to obtain the secret key.) Kamkar then made a third observation that was instrumental to his Master Lock exploit: the first and third digit of the combination, when divided by four, always return the same remainder. By combining the insights from all three weaknesses he devised the attack laid out in the video.
Source: Schneier on Security: Easily Cracking a Master Combination Lock