The US Department of Education's Free Application for Federal Student Aid program requires any student applying for federal aid for college or university to turn over an enormous amount of compromising personal information, including current and previous addresses, driver's license numbers, Green Card numbers, marital details, drug convictions, educational history, tax return details, total cash/savings/checking balances, net worth of all investments, child support received, veterans' benefits, children's details, homelessness status, parents details including SSNs, and much, much more.
Equifax division TALX has a product called The Work Number, where prospective employers can verify job applicants' work history and previous salaries (it's also used by mortgage lenders and others): you can create an account on this system in anyone's name, provided you have their date of birth and Social Security Number. — Read the rest
Equifax's world-beating breach of 143 million Americans' sensitive personal and financial information was the result of the company's failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.
This credit-card skimmer was removed from a New York gas pump; it uses components scavenged from a cellular phone and a T-Mobile SIM to send the credit card details it harvests to its owners, who can retrieve them from anywhere in the world.
Philadelphia is a crimeware-as-a-service business that sells a highly customizable ransomware package for budding entrepreneurs who want to dabble in crime.
The Mirai worm made its way into information security lore in September, when it was identified as the source of the punishing flood of junk traffic launched against Brian Krebs in retaliation for his investigative reporting about a couple of petty Israeli criminals; subsequent analysis showed Mirai to be amateurish and clumsy, and despite this, it went on to infect devices all over the world, gaining virulence as it hybridized with other Internet of Things worms, endangering entire countries, growing by leaps and bounds, helped along by negligent engineering practices at major companies like Sony.
The unprecedented denial-of-service attacks powered by the Mirai Internet of Things worm have harnessed crappy, no-name CCTVs, PVRs, and routers to launch unstoppable floods of internet noise, but it's not just faceless Chinese businesses that crank out containerloads of vulnerable, defective-by-design gear — it's also name brands like Sony.
Last week, the San Francisco Municipal Light Rail system (the Muni) had to stop charging passengers to ride because a ransomware hacker had taken over its network and encrypted the drives of all of its servers.
The Mirai worm — first seen attacking security journalist Brian Krebs with 620gbps floods, then taking down Level 3, Dyn and other hardened, well-provisioned internet giants, then spreading to every developed nation on Earth (and being used to take down some of those less-developed nations) despite being revealed as clumsy and amateurish (a situation remedied shortly after by hybridizing it with another IoT worm) — is now bigger than ever, and you can rent time on it to punish journalists, knock countries offline, or take down chunks of the core internet.
The various Mirai botnets, which use "clumsy, amateurish code to take over even more clumsy and amateurish CCTVs, routers, PVRs and other Internet of Things devices, have been responsible for some eye-popping attacks this season: first there was the 620Gbps attack on journalist Brian Krebs (in retaliation for his coverage of a couple of petty Israeli crooks); then there was the infrastructure attack that took out Level 3, Netflix, Twitter, Dyn, and many more of the internet's best-defended services.
A China-based maker of surveillance cameras said Monday it will recall some products sold in the United States after a massive "Internet of Things" malware attack took down a major DNS provider in a massive DDOS attack. The stunningly broad attack brought much internet activity to a halt last Friday. — Read the rest
Some of the internet's most popular, well-defended services — including Twitter — were knocked offline yesterday by a massive denial-of-service attack that security experts are blaming on botnets made from thousands of hacked embedded systems in Internet of Things devices like home security cameras and video recorders.
Mirai, the clumsily written Internet of Things virus that harnessed so many devices in an attack on journalist Brian Krebs that it overloaded Akamai, has now spread to devices in either 164 or 177 countries — that is, pretty much everywhere with reliable electricity and internet access. — Read the rest
On the eve of the Stuxnet attacks, half a decade ago, I found myself discussing what it all meant with William Gibson (I'd just interviewed him on stage in London), and I said, "I think the most significant thing about any of these sophisticated, government-backed attacks is that they will eventually turn into a cheap and easy weapon that technically unskilled people can deploy for petty grievances." — Read the rest
NCR reports in-the-wild sightings of "deep skimmers" (tiny, disposable card-skimmers that run on watch batteries and use crude radios to transmit to a nearby base-station) on ATMs around the world: "Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States."
A month after a hospital in Hollywood was shut down by a ransomware infection that encrypted all the files on its computers and computer-controlled instruments and systems, another hospital, this one in Kentucky, has suffered a similar fate.
Seagate has emailed its employees and ex-employees to warn them that someone in the company sent their W2 tax data to a criminal who pulled off a successful phishing fraud.
Cheap Internet of Things devices like Foscam's home CCTVs are designed to covertly tunnel out of your home network, bypassing your firewall, so they can join a huge P2P network of 7 million other devices that is maintained and surveilled by their Chinese manufacturer.
Say you've just scammed someone out of all their financial details using an online fraud, but now you need to call up their bank and impersonate them, and you don't speak their language, have the wrong accent, or are of a different gender — what do you do?
It's not bad enough that Paypal is prone to shutting down your account and seizing your dough if you have a particularly successful fundraiser — they also have virtually no capacity to prevent hackers from changing the email address, password and phone numbers associated with your account, even if you're using their two-factor authentication fob.