Uber found out about a possible breach of its systems in September, and a subsequent investigation revealed an unauthorized third party had accessed one of its databases four months earlier, the company said.
The files accessed held the names and license plate numbers of about 50,000 current and former drivers, which Uber described as a “small percentage” of the total. About 21,000 of the affected drivers are in California. The company has several hundred thousand drivers altogether.
It’s in the process of notifying the affected drivers and advised them to monitor their credit reports for fraudulent transactions and accounts. It said it hadn’t received any reports yet of actual misuse of the data.
Uber will provide a year of free identity protection service to the affected drivers, it said, which has become fairly standard for such breaches.
The company said it had filed a “John Doe” lawsuit Friday to help it confirm the identity of the party responsible for the breach.
Chinese PC and mobile phone maker Lenovo Group Ltd acknowledged that its website was hacked, its second security blemish days after the U.S. government advised consumers to remove software called “Superfish” pre-installed on its laptops.
Hacking group Lizard Squad claimed credit for the attacks via the microblogging service Twitter. Lenovo said attackers breached the domain name system associated with Lenovo and redirected visitors to lenovo.com to another address, while also intercepting internal company emails.
Lizard Squad posted an email exchange between Lenovo employees discussing Superfish. The software was at the center of public uproar in the United States last week when security researchers said they found it allowed hackers to impersonate banking websites and steal users’ credit card information.
In a statement issued in the United States on Wednesday night, Lenovo, the world’s biggest maker of personal computers, said it had restored its site to normal operations after several hours.
“We regret any inconvenience that our users may have if they are not able to access parts of our site at this time,” the company said. “We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users’ information.”
Lizard Squad has taken credit for several high-profile outages, including attacks that took down Sony Corp’s PlayStation Network and Microsoft Corp’s Xbox Live network last month. Members of the group have not been identified.
Starting 4 p.m. ET on Wednesday, visitors to the Lenovo website saw a slideshow of young people looking into webcams and the song “Breaking Free” from the movie “High School Musical” playing in the background, according to technology publication The Verge, which first reported the breach.
Although consumer data was not likely compromised by the Lizard Squad attack, the breach was the second security-related black eye for Lenovo in a matter of days.
Nearly half of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.
The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.
But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.
The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.
The news comes in the same week that HP took a swipe at rival Lenovo for knowingly putting Superfish adware into its machines.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”
The main recommendations of the report are that network administrators should employ a comprehensive and timely patching strategy, perform regular penetration testing and verification of configurations, keep equipment up to date to mitigate risk, collaborate and share threat intelligence, and use complementary protection strategies.
The threat to security from the IoT is already well documented by HP, which released a study last summer revealing that 90 percent of IoT devices take at least one item of personal data and 60 percent are vulnerable to common security breaches.
The No. 2 U.S. health insurer said on Wednesday that hackers breached its computer system containing data on up to 80 million people.
Anthem announced the warning about the email scam in a statement, saying the emails purport to come from Anthem and ask recipients to click on a link to obtain credit monitoring. Anthem advised recipients not to click on links or provide any information on any website.
The company said it will contact current and former members about the attack only via mail delivered by the U.S. Postal Service. It is not calling members regarding the breach and is not asking for credit card information or Social Security numbers over the phone.
Anthem said there was no indication the email scam was connected to those who perpetrated the security breach.
The insurer acknowledged that data accessed by hackers had not been encrypted, as is the normal practice at many companies.
“When the data is moved in and out of the warehouse it is encrypted. But when it sits in the warehouse, it’s not encrypted,” Anthem spokeswoman Cindy Wakefield said.
Anthem needs to be able to easily access patient data in order to create the numerous reports it generates for customers and regulators as part of doing business, Wakefield explained. “I think that is standard practice,” she added.
“How we managed our data in the warehouse has been appropriate,” Wakefield said. “No one has pointed a finger and said you did this wrong and this is why this happened.”
But Richard Marshall, a former senior cybersecurity defense expert at the U.S. National Security Agency, said the numbers should have been encrypted.
“Social Security numbers can be sold to people who are here illegally,” said Marshall, who now advises private security firms. “Identity theft is a major issue.”
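The dispute above is between encrypting data only in transit and protecting it while it sits in the warehouse, with the insurer arguing that reports need easy access to the records. One way to reconcile the two is to keep the plaintext identifier out of the warehouse altogether and store a keyed pseudonym instead, so that joins, de-duplication and aggregate reports still work while a stolen copy of the warehouse yields no Social Security numbers. The following is an added example and is not Anthem's code or architecture; the member records and SSNs are constructed, and the HMAC key stands in for one that would normally live in a KMS or HSM rather than in the process.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample member records as a warehouse load job might receive them.
# The SSNs are made up and belong to no one; M-1001 and M-1003 share one on purpose.
MEMBER_RECORDS = [
    {"member_id": "M-1001", "ssn": "123-45-6789", "state": "IN", "plan": "PPO"},
    {"member_id": "M-1002", "ssn": "987-65-4321", "state": "IN", "plan": "HMO"},
    {"member_id": "M-1003", "ssn": "123456789",   "state": "CA", "plan": "PPO"},
]

# Assumption: in production this key comes from a key-management service, never
# from the warehouse itself, so a dump of the warehouse cannot recompute tokens.
WAREHOUSE_KEY = secrets.token_bytes(32)


def pseudonymize(ssn: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for an SSN (HMAC-SHA256 over the 9 digits).

    Same SSN + same key -> same token, so the warehouse can still join and
    de-duplicate on it. Without the key the token cannot be reversed, and the
    key also defeats brute force over the small (10^9) SSN space that a plain
    hash would allow.
    """
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("SSN must be nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def load_into_warehouse(records, key):
    """Replace the plaintext SSN with its token before the row is written at rest."""
    rows = []
    for rec in records:
        row = dict(rec)
        row["ssn_token"] = pseudonymize(row.pop("ssn"), key)
        rows.append(row)
    return rows


def members_per_plan(warehouse_rows):
    """A regulator-style aggregate report; it never needs a plaintext SSN."""
    return dict(Counter(r["plan"] for r in warehouse_rows))


def duplicate_identities(warehouse_rows):
    """Members that share one SSN, found from tokens alone."""
    seen = Counter(r["ssn_token"] for r in warehouse_rows)
    return sorted(r["member_id"] for r in warehouse_rows if seen[r["ssn_token"]] > 1)


def plaintext_ssns_present(warehouse_rows, source_records):
    """Sanity check for the load job: no source SSN survives in any stored value."""
    ssns = {r["ssn"].replace("-", "") for r in source_records}
    return any(str(v).replace("-", "") in ssns for r in warehouse_rows for v in r.values())


if __name__ == "__main__":
    rows = load_into_warehouse(MEMBER_RECORDS, WAREHOUSE_KEY)
    print(members_per_plan(rows))
    print(duplicate_identities(rows))
    print("plaintext SSN at rest:", plaintext_ssns_present(rows, MEMBER_RECORDS))
```

Where the plaintext must be recoverable (for example to print a member's SSN on a mailed notice), it belongs in a separately keyed and separately access-controlled vault keyed by the token, not in the reporting warehouse; the reporting queries shown here do not need that path at all.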
Hundreds of thousands of websites running WordPress have been infected by a piece of malware called SoakSoak. Google has flagged more than 11,000 domains hosting a WordPress website as malicious.
Websites running a third-party plug-in called Slider Revolution are being hacked, and malicious code is being installed that will in turn infect those who visit the website. The developers of the plug-in, ThemePunch, have admitted that they knew about the vulnerability in February this year but kept quiet about it.
ThemePunch developed 29 security fixes from February to September, resisting a public call for action because of a “fear that an instant public announcement would spark a mass exploitation of the issue”.
The company had hoped that most users would install these updates, solving the problem, but it now admits that this was “sadly not the case.”
“We as a team would like to apologize officially to our clients for the problems that arose due to the security exploit in Revolution Slider Plugin versions older than 4.2,” it says on its website.
The short answer is that you have to upgrade everything that moves on your WordPress site or it will be toast.
Sony Corp’s movie studio could face tens of millions of dollars in costs from the massive network breach that severely hindered its operations and exposed sensitive data, according to cybersecurity experts who have studied past breaches.
The tab will be less than the $171 million Sony estimated for the breach of its PlayStation Network in 2011 because it does not appear to involve customer data, the experts said.
Major costs for the attack by unidentified hackers include the investigation into what happened, computer repair or replacement, and steps to prevent a future attack. Lost productivity while operations were disrupted will add to the price tag.
The attack, believed to be the worst of its type on a company on U.S. soil, also hits Sony’s reputation for a perceived failure to safeguard information, said Jim Lewis, senior fellow at the Center for Strategic and International Studies.
“Usually, people get over it, but it does have a short-term effect,” said Lewis, who estimated costs for Sony could stretch to $100 million.
It typically takes at least six months after a breach to determine the full financial impact, Lewis said.
Sony has declined to estimate costs, saying it was still assessing the impact.
The company has insurance to cover data breaches, a person familiar with the matter said. Cybersecurity insurance typically reimburses only a portion of costs from hacking incidents, experts said.
More than a week after a massive cyber attack on Sony Pictures Entertainment, the Hollywood studio is still struggling to restore some systems as investigators searched for evidence to identify the culprit.
Some employees at the Sony Corp entertainment unit were given new computers to replace ones that had been attacked with the rare data-wiping virus, which had made their machines unable to operate, according to a person with knowledge of Sony’s operations.
In a memo to staff seen by Reuters, studio co-chiefs Michael Lynton and Amy Pascal acknowledged that “a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents.”
They are “not yet sure of the full scope of information that the attackers have or might release,” according to the memo first reported by Variety, and encouraged employees to take advantage of identity protection services being offered.
Their concern underscores the severity of the breach, which experts say is the first major attack on a U.S. company to use a highly destructive class of malicious software that is designed to make computer networks unable to operate.
Government investigators led by the FBI are considering multiple suspects in the attack, including North Korea, according to a U.S. national security official with knowledge of the investigation.
The FBI said Tuesday that it is working with its counterparts in Sony’s home country of Japan in the investigation.
That comes after it warned U.S. businesses on Monday about hackers’ use of malicious software and suggested ways to defend themselves. The warning said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
Palo Alto Networks Inc has uncovered a new group of malware that can infect Apple Inc’s desktop and mobile operating systems, underscoring the increasing sophistication of attacks on iPhones and Mac computers.
The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables, said Ryan Olson, intelligence director for the company’s Unit 42 division.
Palo Alto Networks said on Wednesday it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party apps store and appeared to have mostly affected users within the country.
The malware spread through infected apps uploaded to the app store, which were in turn downloaded onto Mac computers. According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.
It’s unclear what the objective of the attacks was. There is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books, Olson added.
But “they could just as easily take your Apple ID or do something else that’s bad news,” he said in an interview.
Apple, which Olson said was notified a couple of weeks ago, did not respond to requests for comment.
Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.
A team of cybersecurity firms financed by big banks plan to introduce a platform that will allow financial companies to communicate faster about potential cyber breaches, the Wall Street Journal reported.
The move follows cybersecurity attacks on some big banks last month, where JPMorgan Chase & Co’s computer systems were hacked exposing the contact details of 73 million households and 7 million small businesses.
The group gathered funds from 16 banks including JPMorgan, Citigroup Inc, BB&T Corp and U.S. Bancorp, to help lead the effort, the newspaper said.
The product, called ‘Soltra Edge’, is being launched by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Depository Trust & Clearing Corp (DTCC). It has been in the works for more than a year and is expected to be out next month, the report said.
Earlier this year, JP Morgan said it expects to spend more than $250 million on cyber security, with about 1,000 people working on that area, after being warned by U.S. regulators about the threat of rising cyber attacks on bank machines.
A pilot version of Soltra was used in spreading the information received by FS-ISAC from JPMorgan after the breach, the Journal said, citing sources.
Soltra, which offers a free edition as well as a paid one, will help track threat information within seconds, a spokesman for Soltra told Reuters.
The banks would be major competitors to handset makers Apple and Google because unlike others pushing mobile wallet technology, such as mobile phone carriers and retailers, they already have an intimate relationship with consumers and know their spending habits.
“Banks all around the world are working on this right now,” said James Anderson, senior vice president for mobile and emerging payments at MasterCard.
Anderson didn’t name any of the banks, but said MasterCard is already in conversations with them on how to add mobile payment capability to the existing apps that millions of consumers already have on their phones.
The most likely way will be through a technology called host card emulation, which was introduced in Android 4.4 “KitKat” and allows software apps to emulate the secure element chip found on some bank cards and the iPhone 6. Using software means wider compatibility with phones than if a dedicated chip were required.
The mobile payments market had been relatively quiet until recently. Google Wallet and Softcard, a competitor backed by cellular carriers, were in the market but consumer awareness and interest appeared to be low.
That changed with the launch of Apple Pay on Oct. 20. A million cards were activated in the first three days of use and early adopters have praised its ease of use: users just need to hold their thumb over the iPhone 6 fingerprint reader and bring the device near a terminal for payment to be made.
As a result, competitors are planning their attack. Next year CurrentC, backed by some of the biggest retailers in the U.S., will launch and companies like PayPal are also hoping to expand their footprint in stores.
But an app from a bank might have an edge because it removes a potential hurdle to adoption: unease among consumers that a third party is getting access to details of the purchases they make.
Apple has stressed that it doesn’t see any of the purchases made by its users but Google’s system is set up so that all payments run through the company’s servers — giving the company an additional layer of information into the lives of its users.
A bank already has access to this information because of its nature and is presumably trusted by its customers. If a customer has a banking app on their phone, it would suggest they also have faith in the bank’s online security system.
A comprehensive security audit of its ads code was recently completed, but Facebook “would like to encourage additional scrutiny from whitehats to see what we may have missed,” wrote Collin Greene, a security engineer, in a blog post. “Whitehats” refers to ethical security researchers, as opposed to “blackhats” who take advantage of vulnerabilities.
According to bug bounty program guidelines, Facebook pays a minimum of $500 for a valid bug report. Until the end of the year, that has been increased to $1,000.
Greene wrote that the majority of reports it receives concern more common parts of Facebook’s code, but the company would like to encourage interest in ads “to better protect businesses.”
Facebook’s ad tools include the Ads Manager, the ads API (application programming interface) and Analytics, which is also called Insights, Greene wrote. The company also wants close scrutiny of its back-end billing code.
“There is a lot of backend code to correctly target, deliver, bill and measure ads,” Greene wrote. “This code isn’t directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact.”
Greene wrote that Facebook typically sees bugs such as incorrect permission checks, insufficient rate-limiting, edge-case CSRF (cross-site request forgery) issues and problems with Flash in its ads code.
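The three bug classes Greene names for ads code (incorrect permission checks, insufficient rate limiting and CSRF) are all failures of a server-side handler to verify something before acting. The block below is an added example, not Facebook's code or ads API: a single budget-update handler for a hypothetical ads service that applies a per-user sliding-window rate limit, a session-bound CSRF token and an object-level permission check before it touches the ad account. The account table, user ids and limits are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed ad-account table: who owns each account and who may manage it.
# Hypothetical model, not Facebook's.
AD_ACCOUNTS = {
    "act_100": {"owner": "u_alice", "managers": {"u_carol"}, "budget": 500},
    "act_200": {"owner": "u_bob",   "managers": set(),       "budget": 1200},
}

# Assumption: a per-deployment secret; in practice loaded from a secrets store.
CSRF_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """CSRF token bound to the session so a cross-site form cannot forge it."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def can_manage(user_id: str, account_id: str) -> bool:
    """Object-level permission check: the caller must own or manage *this* account.
    The missing version of this check is the 'incorrect permission check' bug class."""
    acct = AD_ACCOUNTS.get(account_id)
    return acct is not None and (user_id == acct["owner"] or user_id in acct["managers"])


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key: str, now=None) -> bool:
        now = time.time() if now is None else now
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over budget: do not record the call
        q.append(now)
        return True


# Constructed limit: 5 budget changes per user per minute.
BUDGET_LIMITER = RateLimiter(limit=5, window=60)


def update_budget(user_id, session_id, csrf_token, account_id, new_budget, now=None):
    """Handler with all three checks applied before any state changes.

    Order matters: rate-limit first (cheap, and it also throttles attempts at the
    other checks), then CSRF, then authorization, then the write."""
    if not BUDGET_LIMITER.allow(user_id, now):
        return ("rate_limited", None)
    if not hmac.compare_digest(csrf_token, csrf_token_for(session_id)):
        return ("bad_csrf", None)
    if not can_manage(user_id, account_id):
        return ("forbidden", None)
    if not isinstance(new_budget, int) or new_budget < 0:
        return ("bad_request", None)
    AD_ACCOUNTS[account_id]["budget"] = new_budget
    return ("ok", new_budget)


if __name__ == "__main__":
    sid = "sess-demo"
    tok = csrf_token_for(sid)
    print(update_budget("u_alice", sid, tok, "act_100", 700))   # ok
    print(update_budget("u_alice", sid, tok, "act_200", 1))     # forbidden
    print(update_budget("u_alice", sid, "forged", "act_100", 1))  # bad_csrf
```

Note that the rate limiter counts rejected calls as well as successful ones; a limiter that only counted successes would let a caller probe the permission check indefinitely, which is the interaction between the second and first bug class that makes "insufficient rate-limiting" a security bug rather than a capacity one.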
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
Community Health Systems Inc., one of the largest U.S. hospital groups, is reporting that it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.
Security experts said the hacking group, known as “APT 18,” may have links to the Chinese government.
“APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries, said Charles Carmakal, managing director with FireEye Inc’s Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June.
“They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected,” he said.
The information stolen from Community Health included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred or received services from doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing.
The stolen data did not include medical or clinical information, credit card numbers, or any intellectual property such as data on medical device development, said Community Health, which has 206 hospitals in 29 states.
The attack is the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
Chinese hacking groups are known for seeking intellectual property, such as product design, or information that might be of use in business or political negotiations.
Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.
Over the past six months Mandiant has seen a spike in cyber attacks on healthcare providers, although this was the first case it had seen in which a sophisticated Chinese group has stolen personal data, according to Carmakal. Mandiant monitors about 20 hacking groups in China.
The UK Government isn’t doing enough to warn about the risks of cybercrime on a mass level, security firm Kaspersky has claimed.
Speaking at a company roundtable event at the firm’s European hub in London on Thursday, Kaspersky security researcher David Emm said the government isn’t doing as much as it could be to educate people about cyber security.
“I’d like to see the government doing more to get the message out to mainstream citizens and individuals because that’s the bone in which the industry is growing; the individuals with ideas,” Emm said.
“If you look at it, the recent Cyber Street Wise campaign aside, I don’t think the government is doing very much in terms of mainstream messaging and I would certainly like to see it do more.”
Emm used the example of major UK marketing campaigns promoting the dangers of drink driving as an ideal model because they have been drilled into us over the years.
“As parents, we’ve this body of common sense, such as drink driving, and it’s drip, drip, drip, over the years that has achieved that and I think we need to get to a point where we have some body of online common sense in which business people can draw upon; there’s definitely a role for education.”
Barclays bank, which was also present at the roundtable, agreed with Emm.
“The government really needs to recognise this is a serious issue – if you’re bright enough to set up your own business, you’re bright enough to protect yourself,” added the firm’s MD of fraud prevention Alex Grant.
Emm concluded by saying that the government’s Cyber Street Wise campaign that was launched in January was good enough to make people aware of the risks of cybercrime in the metropolitan areas. However, he said he’d like to see the government focus more on regional areas as people in sparsely populated areas weren’t as aware of it.
Kaspersky’s roundtable took place as part of the firm’s launch of a report that found small businesses in the UK are “woefully unprepared” for an IT security breach, despite relying increasingly on mobile devices and storing critical information on computers.
The study found that nearly a third, or 31 percent, of small businesses would not know what to do if they had an IT security breach tomorrow, with four in ten saying that they would struggle to recover all data lost and a quarter admitting they would be unable to recover any.
Duo Security Research has warned that it is possible to bypass two-factor (second-factor) authentication (2FA) protection on Paypal.
Paypal said that all a user needs to access an account is a username and password, but the firm added that it has a workaround in place and a fix is on the way.
“An attacker only needs a victim’s Paypal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” Duo Security Research said.
“Paypal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix. In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their Paypal account security.”
The problem exists in the mobile Paypal apps that can be tricked into ignoring 2FA protection on user accounts.
The security firm, which developed a proof of concept exploit for the bug, said, “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.”
It added, “While Paypal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the Paypal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication.”
Paypal has penned a blog post saying that this is all in hand, and that the flaw has been disabled.
“The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their Paypal account. Customers who do not use the Paypal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way,” Paypal said.
“Even though 2FA is an additional layer of authentication, Paypal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”
Paypal said that customer accounts were, and have remained, secure. Duo Security said that it hopes that “full support of two-factor authentication in the [Paypal] official mobile applications and third-party merchant apps” follows.
Recently Paypal’s parent company eBay was the scene of a security scandal that made people question whether it really understands security at all.
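The defect class described in the Paypal story is a server that lets the client decide whether the second factor applies: a mobile app that does not support 2FA is allowed to proceed on username and password alone, so anything that can present itself as that app gets the same treatment. The fix is to take the decision from the account record only and ignore any client hint. The block below is an added example and does not model Paypal's real login service or mobile API; it shows the weak pattern beside the hardened one in a toy authentication service with constructed accounts, a salted PBKDF2 password check and an RFC 6238 TOTP second factor.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    two_factor_enabled: bool   # the only thing that should decide whether 2FA is required
    otp_secret: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; totp() feeds it a time-step counter per RFC 6238."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now=None, step: int = 30) -> str:
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step)


def make_account(username, password, two_factor_enabled):
    """Constructed account factory; secrets are random per run."""
    salt = secrets.token_bytes(16)
    otp_secret = secrets.token_bytes(20) if two_factor_enabled else b""
    return Account(username, salt, hash_password(password, salt), two_factor_enabled, otp_secret)


class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.pending = {}   # challenge_id -> username, one attempt per challenge

    def _password_ok(self, acct, password):
        return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)

    def _challenge(self, acct):
        cid = secrets.token_hex(8)
        self.pending[cid] = acct.username
        return ("second_factor_required", cid)

    def login_trusting_client(self, username, password, client_claims_2fa_unsupported=False):
        """Weak pattern: a client-supplied flag can switch the second factor off.
        This is the shape of defect the text describes, kept here only for contrast."""
        acct = self.accounts.get(username)
        if acct is None or not self._password_ok(acct, password):
            return ("denied", None)
        if acct.two_factor_enabled and not client_claims_2fa_unsupported:
            return self._challenge(acct)
        return ("ok", secrets.token_hex(16))

    def login(self, username, password, **ignored_client_hints):
        """Hardened: the account record alone decides; client hints are accepted
        in the signature so old clients still work, but never consulted."""
        acct = self.accounts.get(username)
        if acct is None or not self._password_ok(acct, password):
            return ("denied", None)
        if acct.two_factor_enabled:
            return self._challenge(acct)
        return ("ok", secrets.token_hex(16))

    def complete_second_factor(self, challenge_id, code, now=None):
        username = self.pending.pop(challenge_id, None)   # consumed whether or not it succeeds
        if username is None:
            return ("denied", None)
        acct = self.accounts[username]
        if hmac.compare_digest(code, totp(acct.otp_secret, now)):
            return ("ok", secrets.token_hex(16))
        return ("denied", None)


if __name__ == "__main__":
    svc = AuthService([make_account("alice", "correct horse", True)])
    print(svc.login_trusting_client("alice", "correct horse", client_claims_2fa_unsupported=True))
    print(svc.login("alice", "correct horse", client_claims_2fa_unsupported=True))
```

A client that genuinely cannot display a second-factor prompt should receive the `second_factor_required` result and fail closed, which is the user-visible cost Paypal's statement alludes to when it says its mobile apps do not support 2FA-enabled accounts; a production TOTP check would also accept the adjacent time step to tolerate clock drift, which this example omits for brevity.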