Is Sony in Violation of Homeland Security?

Who is held accountable for the Sony network hack?  According to Homeland Security, the FTC and other government agencies — Sony. Sony is responsible for the personal data stored on their servers.

A former employee currently involved in a class-action suit against Sony said, “The real problem lies in the fact that there was no real investment in or real understanding of what information security is.”

In 2007, Sony’s Director of Information Security, Jason Spaltro, said, “it’s a valid business decision to accept the risk (of a security breach.) I will not invest $10 million to avoid a possible $1 million loss.”

Now, the U.S. government believes North Korea is responsible for hacking into Sony and using the information to make terroristic threats. In response, Sony Studio has cancelled the planned release of “The Interview” (a comedy starring Seth Rogen and James Franco with a fictitious plot about an assassination attempt on North Korean leader Kim Jong Un.) The group responsible for the hack said they would conduct “9/11 style attacks” on any theater showing the movie.

Sony Pictures Entertainment Inc. (SPE) is the American entertainment subsidiary of Japanese multinational Sony and is based in Culver City, California.

Sony’s failure to protect their network may fall under cyberterrorism and be punishable by life in prison or the death penalty.

A group called Guardians of Peace has claimed responsibility. After stealing data for months, they set off a time bomb virus that erased Sony’s drives. A screenshot was left with a picture of a red skeleton under the phrase “Hacked by #GOP” with the statement “We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.”

Internet Crime Complaint Center

From June 2009 to June 2014 the Internet Crime Complaint Center (IC3) received over 6800 complaints regarding criminals targeting online consumers by posting false advertisements for high priced items such as automobiles, boats, heavy equipment, recreational vehicles, lawn mowers, tractors, and other similar items. These complaints total more than $20 million in reported losses.

The scam initiates when the criminals post a false advertisement offering the item for sale. The advertisement usually includes a fraudulent photo to entice the consumer to purchase the item. Within the advertisement, the criminal includes a contact telephone number. The consumer leaves a message and the perpetrator responds via text message. The text message normally requests that the consumer provide an e-mail address. Once the e-mail address is provided the consumer is sent additional details to include multiple images of the item for sale. The perpetrator provides logical reasons for offering the item at such a discounted price such as moving to another location; therefore, the item needs to be sold quickly; the sale was part of a divorce settlement; or overseas deployment.

Consumers normally negotiate a price. Many scammers advise the consumer the transaction will be conducted through eBay to ensure a safe and easy transaction. In reality the scammer is only pretending to use eBay. The consumer receives a false e-mail that appears to be legitimate from eBay. The e-mail provides instructions on how to complete the transaction. The perpetrator provides the consumer with all the information necessary to complete the wire transfer – the bank account name, address, and account number. The scammer provides a fraudulent toll-free eBay customer service number for the consumer to use when they are ready to wire the money. These numbers were also used by many victims to confirm a successful wire transfer or to check transaction status and shipping information. After the transaction, the consumer is sent a false eBay confirmation e-mail that includes the fraudulent transaction or confirmation number and the expected delivery date of the item.

Any follow-up calls, text messages or e-mails to the perpetrator(s) are normally ignored and many victims report the toll-free customer service telephone numbers provided are constantly busy. As a result, the consumer never receives the purchased item(s) and suffers a financial loss.

The FBI recommends that consumers ensure they are purchasing the actual merchandise from a reputable source by verifying the legitimacy of the seller. Below are some consumer tips when purchasing items online:

  • Use search engines or other websites to research the advertised item or person/company selling the item.
  • Search the Internet for any negative feedback or reviews on the seller, their e-mail addresses, telephone numbers, or other searchable identifiers.
  • Research the company policies before completing a transaction. For example, ensure the seller accepts payments via credit card as eBay does not conduct wire transfers and only uses PayPal to conduct transactions.
  • Be cautious when responding to advertisements and special offers.
  • Be cautious when dealing with persons/companies from outside the country.
  • Maintain records for all online transactions.

As a consumer, if you suspect you are a victim of an Internet-related crime, you may file a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov.

Cyber Shopping Tips

The FBI reminds shoppers in advance of the holiday shopping season to beware of cyber criminals and their aggressive and creative ways to steal money and personal information. Scammers use many techniques to defraud consumers by offering too-good-to-be-true deals via phishing e-mails advertising brand name merchandise, quick money making offers, or gift cards as an incentive to purchase a product. Remember, if the deal looks too good to be true, it probably is. And never provide your personal information to an unknown party or untrusted website.

Scammers often use e-mail to advertise hot-ticket items of the year that may become hard to find during the holidays to lure unsuspecting consumers to click on links. Steer clear of untrusted sites or ads offering items at unrealistic discounts or with special coupons. You may end up paying for an item, giving away personal information and credit card details, and then receive nothing in return, along with your identity compromised. These sites may also be offering products at a great price, but the products being sold are not the same as the products they advertise. This is known as the bait and switch scam.

Beware of posts on social media sites that appear to offer vouchers or gift cards, especially sites offering deals too good to be true, such as a free $500 gift card. Some may pose as holiday promotions or contests. It may even appear one of your friends shared the link with you. If so, it is likely your friend was duped by the scam after it was sent to them by one of their friends. Oftentimes, these scams lead to online surveys designed to steal personal information. Remember, if the deal looks too good to be true, it probably is. And never provide your personal information to an unknown party or untrusted website.

When purchasing gift cards online, be leery of auction sites selling discounted or bulk offers of gift cards. When purchasing gift cards in the store, examine the protective scratch off area on the back of the card to see if it has been tampered with.

Be on the lookout for mobile applications designed to steal your personal information from your smartphone. Such apps are often disguised as games and are often offered for free. Research the company selling or giving away the app and look online for third party reviews before installing an app from an unknown source.

Tickets to theater, concerts, and sporting events are always popular gifts during the holidays. If you purchase or receive tickets as a gift, do not post pictures of the tickets to social media sites. Protect the barcodes on tickets as you would your credit card number. Fraudsters will create a ticket using the barcode obtained from searching around social media sites and resell the ticket. You should never allow the barcode to be seen on social media.

If you are in need of extra cash at this time of year, beware of sites and posts offering work you can do from the comfort of your own home. Often, the work from home opportunities rely on convenience as a selling point for applicants with an unscrupulous motivation behind the posting. You should carefully research the job posting and individuals or company contacting you for employment.

As a consumer, if you feel you are a victim of an Internet-related crime, you may file a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov.

Tips

Here are some additional tips you can use to avoid becoming a victim of cyber fraud:

  • Check your credit card statement routinely.
  • Protect your credit card numbers from “wandering eyes”.
  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible.
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail to the link you are actually directed to and determine if they actually match and lead you to a legitimate site.
  • Log on directly to the official website for the business identified in the e-mail, instead of “linking” to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
  • If you are requested to act quickly or there is an emergency, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
  • Verify any requests for personal information from any business or financial institution by contacting them using the main contact information on their official website.
  • Remember if it looks too good to be true, it probably is.

Staples Hacked

Yet another large retailer has reported a data breach. “Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement,” said Mark Cautela, Staples’ public relations manager.

Target, Home Depot and Dairy Queen have also been victims of similar hacks.

US-CERT had issued a warning about “Backoff Point-of-Sale Malware” on July 31, 2014:

“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:

  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

NATO Hacked

Russian hackers known as the “Sandworm” team hacked into NATO’s Microsoft computers. It is believed the hackers are backed by the Russian government to obtain information on Ukraine and other areas of interest.

“This is consistent with espionage activity,” said iSight Senior Director Stephen Ward. “All indicators from a targeting and lures perspective would indicate espionage with Russian national interests.”

“The firm began monitoring the hackers’ activity in late 2013 and discovered the vulnerability — known as a ‘zero-day’ — in August,” Ward said. “The flaw is present in every Windows operating system from Vista to 8.1 except Windows XP.”

Chase Acme Hackers

It sounds like a scene right out of a cartoon — Chase and Acme hacked. Wile E. Coyote would be so excited. Both Chase Bank and Acme supermarkets announced major data breaches and loss of customer data. Scores of millions of customers have been affected. JP Morgan announced their Chase division lost personal information of 76 million customers. ACME released this statement:

“We recently learned of an unlawful intrusion to obtain credit and debit card payment information in some of our stores, which could include name, account number, expiration date or other numerical information. Importantly, sensitive information (like Social security numbers, birthdates or driver’s license information), and other personal information were not affected, because that information is not collected as part of the payment process.”

Bash Bug

The “Bash Bug”, also known as “Shellshock”, poses a serious threat to computers and networks. The bug allows remote attacks on web servers.

Google Hacked

A Russian hacker reportedly posted 5 million Gmail usernames and passwords. Google denies being hacked. In a press release, Google said:

One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials.

We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

We’re constantly working to keep your accounts secure from phishing, malware and spam. For instance, if we see unusual account activity, we’ll stop sign-in attempts from unfamiliar locations and devices. You can review this activity and confirm whether or not you actually took the action.

A few final tips: Make sure you’re using a strong password unique to Google. Update your recovery options so we can reach you by phone or email if you get locked out of your account. And consider 2-step verification, which adds an extra layer of security to your account. You can visit g.co/accountcheckup where you’ll see a list of many of the security controls at your disposal.

Posted by Borbala Benko, Elie Bursztein, Tadek Pietraszek and Mark Risher, Google Spam & Abuse Team

Home Depot Hacked

It appears one of the largest data breaches has affected customers of the Home Depot. In a statement the company says:

We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately. For now, you should know the following:

First, you will not be responsible for any possible fraudulent charges. The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach.

Make sure you are closely monitoring your accounts and reach out to your card issuer should you notice any unusual activity.

If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers.

We’re working hard to get you the information you need as quickly as possible and will continue to provide updates as we learn more.

Big Banks Hacked

The Federal Bureau of Investigation, Secret Service and National Security Agency are investigating data breaches at J.P. Morgan.

The Wall Street Journal reports:

The potential infiltration of bank computer systems represents one of the biggest concerns expressed by top bank executives in recent years.

“As good as they are, they always know that the fraudsters are generally one step ahead of them,” says David O’Connell, a senior analyst at Aite Group, a consulting firm that specializes in the banking industry.

Banks probably spend more on cybersecurity than any industry outside the defense sector, analysts said. On average, the largest banks spend between $150 million and $200 million a year on computer security, usually 10% or less of their overall information-technology budgets, said Avivah Litan, an analyst for Gartner Inc. who has extensive experience with bank cybersecurity.

J.P. Morgan said it expects to spend $250 million on cybersecurity in 2014.