Category: Cyber security

Teenager hacked Apple’s internal network

22. August 2018

A 16-year-old boy from Melbourne, Australia broke into Apple‘s internal computer systems and downloaded 90GB of data, as reported by Australian newspaper The Age. The teenager acquired possession of “authorised keys“ and had access to Apple’s network for approximately a year.

Last year Apple reported the incident to the FBI who then pointed it out to the Australian Federal Police (AFP). They found the sensitive documents in a computer folder named “hacky hack hack“. Apple succeeded to keep this incident out of media until the court proceedings last week.

The 16-year-old boy has pleaded guilty. According to his lawyer, the teenager broke into the network because he is a huge apple fan who wants to work for the company in the future. A verdict is expected at the end of September.

Apple is now trying to reassure its customers. According to a spokesman of the company, no personal data was compromised.

Apple’s Taiwanese key chip supplier TSMC was struck by a virus

7. August 2018

Taiwan Semiconductor Manufacturing Co Ltd (TSMC), the largest contract chipmaker worldwide and one of Apple’s key suppliers, has warned of a 150 million EURO hit to revenue and delays to shipments after its factories were hit with a computer virus targeting Windows computers.

TSMC, which supplies the majority of the processors for Apple’s iPads and iPhones (iPhone 8 and X), claims that parts of its production facilities in Taiwan were forced to resume production after the outbreak of a virus last Friday night.

The virus is a variation of WannaCry. The ransomware attack aimed at computers running Microsoft Windows and threatened to erase files unless the attackers were paid in the cryptocurrency Bitcoin.

According to the company 80% of the company’s affected computers had been fixed on Sunday and neither its client information nor its data manufacturing base were implicated.
Since the manufacturer does not exclusively work for Apple, it also fabricates chips for lots of other companies which also have been notified. TSMC stated that it would have to delay shipments of chips to some customers. This would decrease their third quarter revenue up to 2% which is equivalent to 150 million EURO.

Category: Cyber security · General
Tags: ,

Data of patients disclosed in Singapore’s largest data breach in history

30. July 2018

A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.

Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.

Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”

The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.

It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.

Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.

Data breach exposes data including trade secrets from several large carmakers

24. July 2018

A security researcher from the UpGuard Cyber Risk Team detected that various data from carmakers like Volkswagen, Ford and Toyota were exposed. UpGuard is an Australian cybersecurity group that among other things detects data breaches.

The source of the data leak is a small Canadian company called Level One Robotics and Controls. On a publicly accessible backup server of the engineering company were files from more than a hundred companies in business with said company. Belonging to the group of companies affected by the leak are some of the biggest carmakers like Tesla, VW, Toyota, General Motors, Chrysler and ThyssenKrupp.

The 47.000 unsecured files contained inter alia product designs, invoices, bank accounts and contracts. Some of these data are among the industry’s most closely guarded and confidential trade secrets. In addition, a number of non-disclosure agreements explaining the sensitivity of the leaked information formed part of the exposed data.

The researcher issued a leakage warning and since then the accessible information was taken offline within 24 hours.

Data breach at Panini’s online service ‘MyPanini’

2. July 2018

According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.

The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.

Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.

To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.

The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.

It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.

Apple bows to Chinese government

5. March 2018

Apple backs down: The Chinese government has demanded that Apple no longer outsource control of Chinese users data to US-based servers, but hand them over to a Chinese company.

This is likely to give Chinese authorities access to the personal data of Chinese users.

Apple informed the users in the passed weeks. Users of Apples service iCloud were informed, that their data is not longer stored on servers in the USA. Since February 28th, is Guizhou-Cloud Big Data (GCBD) the server provider for the data of Chinese users. GCBD is a state-controlled internet company based in Guizhou Province in southern China.

Affected are iCloud users with a Chinese Apple-ID.

The measure is based on new Chinese cybersecurity law, that is in place since last year. According to the new law, personal data of Chinese users fall under Chinese law and not, like before, under the law, the provider falls under.

For the diffraction under the Chinese law, Apple is heavily criticized.

 

 

Cancer Care Organization settles for 2.3 Mio $ after Data Breach

22. December 2017

In 2015, a data breach occurred at 21st Century Oncology  (21stCO), one of the leading providers of cancer care services in the USA, potentially affecting names, social security numbers, medical diagnoses and health insurance information of at least 2.2 million patients.

On its website, the provider had announced in 2016 that one of its databases was inappropriately accessed by an unauthorized third party, though an FBI investigation had already detected an attack as early as October 2015. The FBI, however, requested 21stCO to delay the notification because of ongoing federal investigations.

21stCO had then stated that ““we continue to work closely with the FBI on its investigation of the intrusion into our system” and “in addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.” To make amends for the security gap patients had been offered one year of free credit monitoring services.

Nevertheless, the provider now has to pay a fine worth 2.3 million dollars as settled with the Office for Civil Rights (OCR; part of the U.S. Department of Health and Human Services).

It has been accused of not implementing appropriate security measures and procedures to regularly review information system activity such as access or security incident reports, despite the disclosure by the FBI.

The OCR further stated that “the organization also disclosed protected health information to its business associates without having a proper business associate agreement in place”.

The settlement additionally requires 21stCO to set up a corrective action plan including the appointment of a compliance representative, completion of risk analysis and management, revision of cybersecurity policies, an internal breach reporting plan and overall in-depth IT-security. The organization will, in addition, need to maintain all relevant documents and records for six years, so the OCR can inspect and copy the documents if necessary.

Following the settlement, District Attorney Stephen Muldrow stated “we appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”

New and surprising password guidelines released by NIST

21. December 2017

The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce that promotes innovation and industrial competitiveness often by recommending best practices in matters of security, has released its Digital Identity Guidelines uttering advice for user password management.

Considering that Bill Burr, the pioneer of password management, has admitted regretting his recommendations in a publication back in 2003, the NIST is taking appropriate action by revising wide-spread practices.

For over a decade, people were encouraged to create complex passwords with capital letters, numbers and „obscure“ characters – along with frequent changes.

Research has now shown that these requirements don’t necessarily improve the level of security, but instead might even make it easier for hackers to crack the code as people tend to make minor changes when they have to change their already complex password – usually pressed for time.

This is why the NIST is now recommending to let go of periodic password change requirements alongside of algorithmic complexity.

Rather than holding on to these practices, the experts emphasize the importance of password length. The NIST states, that „password length has been found to be a primary factor in characterizing password strength. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.“

It takes years for computers to figure out passwords with 20 or more characters as long as the password is not commonly used.

The NIST advises to screen new passwords against specific lists: „For example, the list may include, but is not limited to passwords obtained from previous breach corpuses, dictionary words, repetitive or sequential characters (e.g. ‘aaaaaa’, ‚1234abcd’), context-specific words, such as the name of the service, the username, and derivatives thereof.“

Subsequently, the NIST completely abandons its own suggestions and causes great relief for industries all over:

„Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed.“

Uber hid massive data breach

22. November 2017

Uber just admitted that hackers stole personal data of 50 million Uber customers and 7 million drivers. The data breach happened in October 2016, over a year ago, but was only published this week.

The data include names, e-mail addresses, phone numbers and the license numbers of 600.000 drivers. According to Uber neither social security numbers, nor credit card information, or trip location details were taken.

Uber did not disclose the data breach to public, as required by data protection law, but paid the hackers 100.000,00 $ to delete the information. Uber assumes that the data was not used.

Referring to Uber the hackers came in through a badly protected database in a cloud service to the data. Uber security Chief Joe Sullivan and another manager lost their jobs.

This data breach wasn’t the first incident that happened to Uber. Uber has a well-documented history of abusing consumer privacy.

Uber said it has hired Matt Olsen, former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser.  He will help the company restructure its security teams.

Category: Cyber security · Data breach · USA
Tags:

Google: Advanced Protection Program released

30. October 2017

Google released its Advanced Protection Program. The program is meant to make stealing passwords pointless. With help of two inexpensive physical keys it is possible to log in into the Google account on computer and smartphone.
Because of this two-factor authentication the account is secured. Even if the password is stolen in a data breach or successfully phished, the hackers cannot login, because they don’t have the keys as well. The minimal and cost effective effort has a big impact.
Google’s development of a two-factor authentication relies on a Chinese hacker attack in 2010. Since then Google’s motto is “Never ever”.
Addressees of the Program are according to Google people who have a high risk of online attacks, like journalists, victims of stalking and dissidents inside authoritarian countries. The idea of the program is to provide people with a physical device that is harder to steal than a text message or other two-factor authentication tools.
Except these people with a high risk, anyone with a Google account can sign up for the security program. Google has an Advanced Protection webpage for the sign up. In addition to the Advanced Protection Program to be able to use two physical keys are necessary. Each one costs about $20.

Pages: 1 2 Next
1 2