TweakTown NewsRefine News by Category:
The recent revelation of the "Heartbleed" OpenSSL bug has made it an extremely hectic week for Internet users, technology companies, banks, and the U.S. government. The Department of Homeland Security (DHS) recently issued a public advisory about "working together to mitigate cybersecurity vulnerabilities."
The DHS offers this advice to Internet users: verify the website has patched the vulnerability, then change passwords; closely monitor email, bank and social media accounts to spot suspicious activity; and become more vigilant to ensure websites are using HTTPS for all data exchanges.
"While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," the DHS noted in a recent news release. "That is why everyone has a role to play to ensuring our nation's cybersecurity. We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary."
Cybercriminals have compromised at least 200,000 credit card owners in South Korea, with forged credit cards and fraudulent charges being reported. South Korean police authorities have identified more than 250 cases of fraudulent charges, and expect that number to increase as customers are notified to look for suspicious activity.
The hacker successfully breached a company in South Korea responsible for managing card payment processing terminals, collecting credit card numbers, expiration dates, and loyalty card passwords, according to the Financial Supervisory Service (FSS).
The FSS found credit information from three credit card companies and one bank were leaked, with two of the credit card companies already publicly punished for significant data breaches. Earlier in the year, more than 100 million South Korean credit card and bank accounts were compromised, with bank officials resigning and facing heavy scrutiny from government officials.
Security experts recently issued a statement saying the Heartbleed computer bug doesn't just hit Internet web servers, and can be found on PCs, email servers, mobile phones, and firewalls. To date, both Cisco and Juniper Networks noted that they are working to ensure their products are secure.
Unfortunately, it can be a difficult task to fix security issues with networking equipment, and Cisco has to test dozens of products to verify they are secure. Meanwhile, Juniper is busy also trying to check security and release patches as needed:
"A subset of Juniper's products were affected by the Heartbleed vulnerability including certain versions of our SSL VPN software, which presents the most critical concern for customers," a Juniper spokesperson said in a statement. "We issued a patch for our SSL VPN product on Tuesday and are working around the clock to provide patched versions of code for our other affected products."
Banks and financial institutions recently received a memo urging them to fix the security hole that is exploited by "Heartbleed," and they should consider upgrading encryption software and changing passwords, according to the Federal Financial Institutions Examination Council.
"Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks," the memo states.
Amazon, Yahoo, Netflix, and other major websites were quick to fix security holes, and users can change passwords on those sites.
The California Legislature is now mulling over AB 1710, a bill aimed at forcing retailers to be held liable for damages stemming from data breaches. Following the Target breach, in which millions of customers were exposed to potential data theft, banks and credit unions have been forced to reissue debit and credit cards - and consumers were largely left in the dark until contacted by banks.
However, AB 170 would force companies to be more forthcoming in regards to consumer protections and awareness due to data breaches. The bill changes current laws relating to customer data stored by businesses, consumer cost reimbursement, consumer identity theft mitigation, and notification time following a breach.
"Consumers need increased protection from the large data breaches that are occurring across the country," said Assemblyman Roger Dickinson (D-Sacramento), the AB 1710 co-author. "By improving the way sensitive information is retained and how consumers are alerted when breaches occur, AB 1710 will better protect customers' personal information."
There is a legal case in Florida that could set an important precedent in the United States: how criminal law can deal with bitcoins and other forms of cryptocurrency being used by criminals to commit money laundering.
Two men, described as bitcoin "enthusiasts," were arrested trying to purchase bitcoins with money related to the Target malware hacking breach, according to the US Secret Service and Miami Beach Police Department.
Pascal Reid, 29, and Michell Espinoza, 30, face up to 25 years in prison if they are convicted of money laundering and for running an unlicensed money service business. The first transactions started around $500, but progressed up to a proposed $30,000 cash-for-bitcoin swap, according to federal investigators.
Local law enforcement and federal authorities are trying to find methods to clamp down on organized criminals stealing personal information and later using ATMs to cash-out with stolen information.
Cybercriminals often use malware or phishing techniques to first compromise users, and migrate to opening new lines of credit - or stealing bank information which leads to fraudulent ATM transactions.
The Federal Financial Institutions Examination Council (FFIEC) recently said that banks must work harder to mitigate cyberattacks - and there are continually new stories about cybercriminals either compromising ATMs, or stealing identities and cashing out later.
The "Heartbleed" security vulnerability discovered by the security company Codenomicon found that the OpenSSL bug has opened up millions of Internet users to security risk. Although OpenSSL is designed to help keep sensitive information secure, Heartbleed may have led to website visitors susceptible to spying, according to researchers.
Heartbleed targets any OpenSSL version over the past two years (OpenSSL 1.0.1 up to 1.0.1f), and cybercriminals are able to access the server's system memory, and encrypted information such as usernames, passwords, debit and credit card information is up for grabs.
Here is what Codenomicon noted:
"We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication."
Cybercriminals are continually changing their strategy to compromise PCs and networks, with an increased shift towards well-researched, sophisticated attacks instead of simple attacks, according to the latest Symantec Internet Security Threat Report.
There was a 62 percent year-over-year increase in data breaches at the end of 2012, Symantec said, with more than 550 million identities exposed to potential theft. In addition to lost productivity, companies also risk public reputation - with the top eight data breaches in 2013 yielding large sums of personal information compromised.
"One mega breach can be worth 50 smaller attacks," noted Kevin Haley, Symantec Security Response director, in a press release. "While the level of sophistication continues to grow among attackers, what was surprising las year was their willingness to be a lot more patient - waiting to strike until the reward is bigger and better. Nothing breeds success like success - especially if you're a cybercriminal. The potential for huge paydays means large-scale attacks are here to stay. Companies of all sizes need to re-examine, re-think and possibly re-architect their security posture."
The United States government is worried that the bitcoin cryptocurrency can be used by criminals to help commit money laundering, and will take creative strategy by lawmakers, according to US Attorney General Eric Holder.
Some investors have embraced bitcoin as a viable digital currency, though the demise of Mt. Gox and other exchange services have alarmed lawmakers. Bitcoin exchange operators are under close federal scrutiny, as the government continues to look at new methods criminals might use to move funds quietly.
"The department is committed to innovating alongside this new technology in order to ensure our investigations are not impeded by any improvement in criminals' ability to move funds anonymously," Holder said during a recent House Judiciary Committee. "Virtual currencies can pose challenges for law enforcement given the appeal they have among those seeking to conceal illegal activity. This potential must be closely considered."