Personal info of 800,000 USPS employees compromised in breach

November 11, 2014 – 7:15 AM

The US Postal Service has joined the ranks of private sector companies and governmental agencies that have been breached and had data stolen by hackers.

According to a statement released by the service on Monday, the attackers managed to find a way into some of their information systems, and have likely compromised personal information of some 800,000 current and past employees, as well as some data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014.

The latter need not take any action as a result of this incident, the USPS noted, but the former will be provided credit monitoring services for free for a year, and will be helped by the USPS’ Human Resources Shared Services Center, as their compromised information includes their name, date of birth, Social Security number, address and other information including beginning and end dates of employment, and emergency contact information.

“Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident,” they noted. “There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.”

In the statement, the USPS doesn’t say when the intrusion was first discovered, but some officials have shared with The Washington Post that it was in mid-September.

Source:
http://www.net-security.org/secworld.php?id=17621

800 Million Apple Devices at Risk, No Jailbreak Necessary

November 6, 2014 – 5:31 PM

A piece of Apple-focused espionage malware dubbed WireLurker has been uncovered that, unlike most iPhone bugs, can compromise even non-jailbroken iOS smartphones and tablets—potentially putting 800 million devices at risk.

Apple operating systems, once seen as a more secure alternative to Windows and Android, have been faced with increasing numbers of attack vectors of late. WireLurker is a multi-pronged threat: it attacks and infects OS X-based Macs via compromised applications, and from there can infect any iPhone that’s connected via USB to the computer—regardless of jailbreak status.

Researchers at Palo Alto Networks uncovered the bug, which has already affected hundreds of thousands of users in Asia. The firm found 467 trojanized, malware-laden OS X applications in the unofficial Maiyadi App Store in China, which have been downloaded more than 356,000 times in the past six months.

It may be centered in China for now, but it’s very likely that it will spread to other markets: As infected devices regularly request updates from the attackers’ command and control server, new features or applications could be installed at any time.

“This malware is under active development and its creator’s ultimate goal is not yet clear,” the researchers wrote in a 30-page report. “The ultimate goal of the WireLurker attacks is not completely clear. The functionality and infrastructure allows the attacker to collect significant amounts of information from a large number of Chinese iOS and Mac OS systems, but none of the information points to a specific motive. We believe WireLurker has not yet revealed its full functionality.”

Source:
http://www.infosecurity-magazine.com/news/800-million-apple-devices-at-risk/

Badly secured routers leave 79 percent of US home networks at risk of attack

November 6, 2014 – 5:53 AM

As many as four out of five internet-connected households in the US could be at risk of attack through their wireless router.

This is among the findings of a study by security specialist Avast which found that more than half of all home routers are poorly protected using default or easily hacked password combinations such as admin/admin or admin/password.

It also found that 25 percent of consumers use their address, name, phone number or other easy-to-guess items as their router passwords. “Unsecured routers create an easy entry point for hackers to attack millions of American home networks,” says Vince Steckler, chief executive officer of Avast. “Our research revealed that the vast majority of home routers in the US aren’t secure. If a router is not properly secured, cybercriminals can easily gain access to an individual’s personal information, including financial information, user names and passwords, photos, and browsing history.”

Among the biggest threats to any Wi-Fi network is DNS hijacking. This involves malware being used to exploit vulnerabilities in an unprotected router to redirect the user from a known site, such as a bank website, to a fake site designed to look like the real thing. When the user logs in, hackers capture the user’s login credentials and can then use them to access the real site.
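The three weaknesses described above (default logins, passwords built from personal details, and a changed DNS setting) can be checked together on a router you administer. The following is an added example, not code from Avast or the original article; the config dictionary layout, the function names and the sample values are assumptions made for illustration.

```python
import ipaddress

# Default pairs named in the article; add your vendor's documented defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}

def _normalize(text):
    """Lowercase and keep only letters and digits ('555-0142' -> '5550142')."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def _guessable_tokens(personal_details):
    """Whole detail plus each word of it, ignoring tokens under 4 characters."""
    tokens = set()
    for detail in personal_details:
        for part in [detail, *detail.split()]:
            token = _normalize(part)
            if len(token) >= 4:
                tokens.add(token)
    return tokens

def audit_router(config, personal_details, expected_resolvers):
    """Return findings for one router config (dict layout is hypothetical)."""
    findings = []
    user, password = config["admin_user"], config["admin_password"]
    if (user.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    normalized_pw = _normalize(password)
    if any(tok in normalized_pw for tok in _guessable_tokens(personal_details)):
        findings.append("guessable-password")
    # A resolver the owner did not choose is the visible trace of DNS hijacking.
    expected = {ipaddress.ip_address(ip) for ip in expected_resolvers}
    for server in config["dns_servers"]:
        try:
            if ipaddress.ip_address(server) not in expected:
                findings.append(f"unexpected-dns:{server}")
        except ValueError:
            findings.append(f"invalid-dns:{server}")
    return findings

# Constructed sample data (documentation IP ranges, fictional owner).
SAMPLE_CONFIG = {"admin_user": "admin", "admin_password": "Smith2014",
                 "dns_servers": ["192.0.2.53", "203.0.113.66"]}
SAMPLE_DETAILS = ["John Smith", "12 Elm Street", "555-0142"]
SAMPLE_RESOLVERS = {"192.0.2.53"}

if __name__ == "__main__":
    for finding in audit_router(SAMPLE_CONFIG, SAMPLE_DETAILS, SAMPLE_RESOLVERS):
        print(finding)
```
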

Less than half of Americans strongly believe their home network is secure, according to the survey, and 16 percent of respondents said they had fallen victim to hackers. This is despite being aware that a breach can lead to their bank or financial information being stolen (42 percent were concerned about this), losing personal information (33 percent), having their browsing history stolen (11 percent), and getting their photos hacked (9 percent).

Source:
http://betanews.com/2014/11/05/badly-secured-routers-leave-79-percent-of-us-home-networks-at-risk-of-attack/

Secure Messaging Scorecard

November 5, 2014 – 5:50 PM

In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer “secure messaging” products—but are these systems actually secure? We decided to find out, in the first phase of a new EFF Campaign for Secure & Usable Crypto.

This scorecard represents only the first phase of the campaign. In later phases, we are planning to offer closer examinations of the usability and security of the tools that score the highest here. As such, the results in the scorecard below should not be read as endorsements of individual tools or guarantees of their security; they are merely indications that the projects are on the right track.

Source:
https://www.eff.org/secure-messaging-scorecard

New Phishing Technique Outfoxes Site Owners: Operation Huyao

November 5, 2014 – 5:47 PM

We’ve found a new phishing technique targeting online shopping sites that may significantly change the threat landscape for phishing sites. Conventional phishing sites require an attacker to replicate the targeted site; a more accurate copy is more likely to fool intended victims.

The technique we found allows for the creation of nearly perfect copies – because the attacker no longer needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which acts as a relay to the legitimate site. Pages are modified only when information theft needs to be carried out. The owners of the legitimate site would find it very difficult to detect these attacks against their customers.

We decided to call this particular attack Operation Huyao. In Chinese, huyao means a monstrous fox. The rather sneaky behavior of this attack, together with the fact that we believe the creators of this attack are located in China, made this name feel rather appropriate.

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/