Tag Archives: hacks

Computer attack insurance rates rise after high-profile breaches

Hacks of Sony, Target, Home Depot and major health insurers have made it more expensive to cope with data theft, Reuters reports.

Just as you safeguard your home with insurance, companies get insurance to cover any problems with customer and corporate data. With hacking on the rise, that protection is getting harder to obtain and pay for.

A torrent of cyberattacks on US companies over the past two years has led cyber insurers to boost premiums for high-risk companies and in some cases limit damage cover to a maximum of $100 million, according to a Reuters report on Monday. The limits make it hard for companies to operate in the modern networked era and could mean higher costs they’ll have to pass along to customers.

Hacks are expensive. Companies must pay for forensic investigations, credit monitoring, legal fees and settlements. Rising cyber insurance premiums and limited damage coverage effectively mean that companies could be liable to pay more if they’re hit by a cyberattack. Companies without full insurance could easily end up paying hundreds of millions out of pocket.

The 2013 attack on US retailer Target cost the company $264 million. Target expects to only recoup around $90 million of that from insurance payouts, Reuters said. A similar attack on Home Depot forced the US home improvement chain to shell out $234 million in expenses, but insurance will only cover about $100 million, Reuters said.

High-profile attacks, like the ones against Sony, Home Depot and Target, have forced insurers to judge certain companies as too high risk. That’s especially true for health and retail companies, which have highly sensitive customer data. Three insurance companies recently told Reuters that they turned away clients seeking computer attack insurance or limited coverage to $75 million and $100 million after reviewing companies’ computer security mechanisms.

Just like good home security systems can get you a break on your home insurance payments, the price of cyber insurance depends in part on companies’ security measures.

Health insurers are suffering the most from insurance hikes, sometimes seeing premiums triple in price, said Bob Wice, a focus group leader for insurer Beazley, according to Reuters. Massive security breaches at the beginning of 2015 affected millions of customers at two US health insurers, Anthem and Premera Blue Cross.

Upon renewing its insurance after the hack, Anthem only managed to secure $100 million in insurance protection, and that was on the condition that it pay the first $25 million of any damage costs itself, the company told Reuters.


Journalist guilty of helping Anonymous deface Los Angeles Times

An American journalist has been found guilty of helping hacktivist group Anonymous deface the website of the Los Angeles Times.

Prosecutors said Matthew Keys, 28, provided the hackers a password to access systems belonging to Tribune Co, the newspaper’s parent company.

Prosecutors said Keys used online chat channels to encourage the hacktivists.

Sentencing will take place in January, but he is not expected to receive the maximum possible sentence of 25 years.

A spokesman for the US Justice Department told Reuters the sentence would likely be less than five years.

Keys’ lawyer said he planned to appeal against the verdict.

Keys was charged with conspiracy to cause damage to a protected computer, transmission of malicious code, and attempted transmission of malicious code. He was found guilty on all three counts.

Court documents said the incidents took place in December 2010, shortly after Keys had lost his job at California-based TV station Fox 40 KTXL, also owned by Tribune Co.

Keys went on to work for Reuters as the agency’s social media editor, but was let go after he was charged in 2012.

‘Elect Chippy 1337’

Prosecutors said Keys’ actions were “anonymous revenge”.

Under the online pseudonym AESCracked, Keys was said to have shared log-in details for the LA Times’ content management system – CMS – the software used to enter content, such as articles or pictures, to be published on the newspaper’s website.

With this information, an unidentified Anonymous member using the name “sharpie” is said to have edited a story on the LA Times site.

A headline was altered to read: “Pressure builds in House to elect CHIPPY 1337”.

Within the article, the opening paragraph was also changed to include the phrase “reluctant House Democrats told to SUCK IT UP”.

The defacement was “live” on the LA Times site for about an hour, the defence said.

Tribune Co said it cost at least $5,000 to fix and investigate the incident which, as Vice’s technology site Motherboard points out, is the threshold amount for being able to bring charges under the Computer Fraud and Abuse Act.

A spokesman for Tribune Co, Gary Weitman, said: “We are pleased that the justice system worked. We will let today’s verdict speak for itself.”

Media sites targeted

Anonymous, a loosely organised group of mostly low-level hackers, often targeted mainstream media websites and social media profiles.

One splinter group, Lulzsec, took credit for posting a story to The Sun’s website stating that its owner, Rupert Murdoch, had committed suicide.

In another instance, on the website for US broadcaster PBS, a story was posted saying that rapper Tupac Shakur, who was shot and killed in 1996, was in fact alive and living in New Zealand.

Key members of Lulzsec were arrested after hacker-turned-informant Hector Xavier Monsegur – known as Sabu – helped police establish real identities behind the hackers.

As a result, Monsegur was given a reduced sentence of one year under supervision.


Tougher punishment for thieves who steal phones containing ‘irreplaceable’ pictures and messages

Loss of sentimental photographs and other data on handsets and other devices will be an aggravating factor when thieves are sentenced

Thieves who steal mobile telephones containing irreplaceable family photographs or precious messages will face tougher punishments under official new guidelines.

The Sentencing Council said phones and other electronic devices would fall within new measures to increase sentences for crimes causing “emotional harm”.

Mobile telephones are now the item most commonly stolen by pickpockets

Thieves will get longer jail terms or other sentences if they are convicted of taking belongings with “substantial value to the loser regardless of monetary worth”, the new rules say.

It could include text messages or other electronic communications from a deceased relative, for example.

“If a phone that is stolen contains irreplaceable sentimental data then that would be part of it,” said a spokesman for the Sentencing Council, which advises magistrates and judges on how offenders should be penalised.

“It does not matter whether the item has financial value – it is the impact on the victim that will have an influence on the case.”

Although the guidelines do not set out specific increases in sentences, a crime which causes a victim emotional trauma will be handed a more severe penalty when the new rules come into force in February.

Georgina Dormer, 73, from Brighton, said she welcomed the development after a mobile phone containing the only recordings of her late husband’s voice was stolen in 2013.

“Michael had a lovely speaking voice and I used to dial his number to hear his voicemail message,” she said.

“It was such a shock when it was stolen, just five days after he died, and it really set me back.”

The phone, and a laptop containing precious photos, were never recovered and the voicemail message was deleted automatically a few months after the theft.

“I think it’s a jolly good idea to punish these thefts more severely because of the heartache they put people through,” said Mrs Dormer.

There were 742,000 victims of mobile phone theft in England and Wales during 2012 and 2013, according to the Crime Survey for England and Wales, or more than 2,000 a day.

Apple’s iPhone was by far the most likely model to be stolen, accounting for more than 50 per cent.

Consumers told researchers in 2011 that they valued the data on their phones at more than £700 and regarded it as more valuable than the device itself.

The new sentencing guidelines covered all types of theft and also set out for the first time how criminals will face harsher punishment if they target historic objects or buildings.

This category could include damage to war memorials or theft of objects from historic shipwrecks.

Mark Harrison, national policing and crime adviser for Historic England, said: “The impact of theft on our historic sites and buildings has far-reaching consequences over and above the financial cost of what has been stolen.

“When thieves steal metal from heritage assets, such as listed churches, artefacts from the ground or historic stonework from an ancient castle, they are stealing from all of us and damaging something which is often irreplaceable.”

The guidelines will cover sentences for all thefts in England and Wales which last year numbered more than 91,000.

Jill Gramann, a magistrate and member of the Sentencing Council, said: “The new guidelines will help judges and magistrates deal with this great variety of offences while ensuring that the harm caused to the victim is central to the sentencing decision.

“Thefts are committed for financial gain, but can mean much more than financial loss to the victim and we want to ensure sentences take this into account.”


One billion Android smartphones can be hacked with just a song

Second coming of Stagefright vulnerability discovered by researchers can infect almost every Android smartphone on the planet

A billion Android smartphones and tablets are at risk from a new bug that can infect devices when they preview audio or video files, a team of security experts have warned.

The security flaw carries many of the same features as the text message Stagefright bug that was discovered in July and was seen as the biggest hole in Android security ever reported.

Researchers at Zimperium zLabs, which reported the original bug, have dubbed it Stagefright 2.0, and warned that it can affect “almost every Android device” since version 1 in 2008.

Merely by using Android’s preview function to listen to or watch a specially-created MP3 or MP4 file, hackers could access an Android device’s code and make changes remotely, and in theory could track or steal information.

Users could be duped into visiting URLs that activate Android’s preview function, or perhaps more worryingly, the fault could be exploited if a hacker and victim were on the same public Wi-Fi network such as a coffee shop.

“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” the researchers wrote.

“Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”

The two vulnerabilities – one which affects almost all Android devices and another that can attack those running Android 5.0 upwards – have been flagged to Google, which said it had shared an update with Android manufacturers.

It is also fixing the bug for its own Nexus devices with an update on October 5. Zimperium urged Android manufacturers to patch the problems as soon as possible.

The original Stagefright bug surfaced in July, and exploited a flaw in Google’s chat apps Hangouts and Messenger when they were sent multimedia video files.

Google rushed to fix the bug, fixing both apps, although some older versions of Android did not receive the updates.


Ashley Madison puts $377,000 bounty on hackers’ heads

Police suspect two suicides are related to the release of information stolen from the relationship-cheating website.

Amid reports that the Ashley Madison security breach may have led to suicides and extortion plots, Toronto police and the affair-arranging website are upping the ante to catch the hackers responsible for the embarrassing leak of users’ information.

To increase the chance of that happening, Ashley Madison’s parent company, Avid Life Media, offered $500,000 Canadian ($377,000) on Monday to anyone providing information leading to the arrest of those involved.

Hackers calling themselves the Impact Team first revealed in July they had stolen information from the site, including data on more than 30 million Ashley Madison patrons, who sign up with the goal of having extramarital affairs.

The cyber attackers threatened to release the embarrassing data if the website didn’t shut down. Ashley Madison refused, and so the hackers delivered on their threat last week, upending the lives of people who’d counted on the site’s confidentiality.

While it’s all happened on the Internet, there have been very real effects. In a press conference on Monday, Toronto police said they suspect two suicides were related to the leak. They also believe the hack led to a few attempts to extort the outed users.

Now, Ashley Madison is willing to pay up to find the culprits. If it succeeds, the bounty could renew people’s faith in Internet companies, experts say.

“If people know hacking is not an anonymous crime and they can be caught, there’s much more of a deterrent,” said Jonathan Schmidt, a former prosecutor who is now a criminal defense attorney with Ropes & Gray.

It’s unusual but not unheard of for a company to offer a bounty on a hacker, said Alex Rice, an executive at HackerOne, which helps connect companies with coding experts who can find flaws in their software. More typically, law enforcement agencies offer the money.

Sometimes, hackers do get caught. Microsoft in 2011 offered $250,000 to help bring down the group running Rustock, a network of hacked computers that sent out nearly 40 percent of the world’s spam email. The FBI and Microsoft successfully dismantled Rustock that same year.

Some hackers can avoid getting caught by paying off people to cover their trail. The US government offers a total of $4.3 million for information leading to the capture of the world’s most notorious hackers. Evgeniy Mikhailovich Bogachev, at the top of the FBI’s “cyber most wanted” list, rated a $3 million bounty in 2014, after being indicted for conspiracy, computer hacking, wire fraud, bank fraud and money laundering.

“He made a lot of money off his hacking,” said Stephen Cobb, a security researcher at antivirus company ESET. “Which probably helps him.”

That might not be the case for the Impact Team, which should make it easier for law enforcement to track them down, said Cobb. “One staggers to think what was on the mind of this Impact team,” he said. “I think the reward could actually be effective.”

Convincing people to name the hackers is likely the best way to catch them, experts say. That’s because cyberattackers have gotten good at covering their tracks, making a forensic investigation of Ashley Madison’s computer systems unlikely to yield much data.

It’s the human element that usually does them in. From bragging to friends about their exploits, to posting pictures on Facebook with ill-gotten cash, history is filled with hackers brought down by pride, said Cobb.

Perhaps the hackers will be caught, and perhaps Internet users will be more careful with their personal information, said Rice, the executive at HackerOne. If so, the entire incident will leave a lasting mark on the psyche of Internet users.

“I can’t make up my mind if any good will come of this,” Rice said. “Hopefully more good than harm in the long run, but I think that’s optimistic.”


Hacker Demos $30 Gizmo That Unlocks Keyless Car, Garage Doors

Infamous security researcher Samy Kamkar last week demonstrated a gadget that can intercept wireless signals to unlock cars and garage doors. Kamkar showed off the device, which cost him just US$32 to make, at the DefCon conference in Las Vegas.

Dubbed “RollJam,” the wallet-sized gadget works like this:

When the gizmo senses a signal from a key fob used to open a vehicle or garage door, it prevents the signal from reaching the door, while at the same time intercepting and storing the unlock code emitted by the fob.

To the person trying to open the door, it appears that the fob has failed. Typically, that will prompt the person to press the fob again. RollJam blocks that transmission, too, but at the same time sends the first intercepted code to the door.

To the person opening the door, it appears as if the second fob press opened the door. The individual remains unaware that a hacker has captured the second code and can later use it to open the vehicle or garage.

Foiled by Fast Expiration

RollJam works with a wide array of motor vehicles — Nissan, Cadillac, Ford, Toyota, Lotus, Volkswagen and Chrysler — as well as Cobra and Viper alarm systems and Genie and Liftmaster garage door openers, according to Kamkar.

In fact, the device can compromise any hardware that uses the KeeLoq access control system from Microchip Technology, the High Security Rolling Code generator made by National Semiconductor, and Hisec chips sold by Texas Instruments.

However, newer systems — such as the Dual Keeloq system — will foil RollJam, Kamkar has acknowledged. That’s because their codes expire after a very short time, so stolen codes become stale before they can be used by an attacker.
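The receiver-side logic behind this, as an added simulation (not Kamkar's code or any vendor's implementation): a rolling-code receiver that accepts any unused code will still honour a code that was withheld from it earlier, while one that also enforces a short lifetime rejects it. HMAC-SHA256 stands in for the real cipher, and the key, look-ahead window, 5-second lifetime and synchronized clocks are all assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
WINDOW = 16                    # assumed: how far ahead of the last counter is accepted
MAX_AGE = 5                    # assumed: code lifetime in seconds for the timed receiver


@dataclass(frozen=True)
class Code:
    counter: int      # increments on every fob press
    issued_at: int    # fob clock at the time of the press (seconds)
    tag: bytes        # authenticator over counter and timestamp


def make_tag(counter: int, issued_at: int) -> bytes:
    # HMAC-SHA256 is a stand-in for the fob's real cipher.
    msg = struct.pack(">QQ", counter, issued_at)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self, now: int) -> Code:
        self.counter += 1
        return Code(self.counter, now, make_tag(self.counter, now))


class Receiver:
    """max_age=None models a counter-only receiver; an integer adds expiry."""

    def __init__(self, max_age: Optional[int] = None) -> None:
        self.last = 0
        self.max_age = max_age

    def accept(self, code: Code, now: int) -> bool:
        expected = make_tag(code.counter, code.issued_at)
        if not hmac.compare_digest(code.tag, expected):
            return False                  # forged or corrupted code
        if not self.last < code.counter <= self.last + WINDOW:
            return False                  # already used, or too far ahead
        if self.max_age is not None:
            age = now - code.issued_at
            if age < 0 or age > self.max_age:
                return False              # stale (or future-dated) code
        self.last = code.counter
        return True


def simulate(max_age: Optional[int] = None) -> dict:
    """Replay the sequence from the article against one receiver type.

    Neither fob press reaches the receiver directly; the first code is
    forwarded two seconds later and the second is held for ten minutes.
    """
    fob, rx = Fob(), Receiver(max_age)
    first = fob.press(now=0)
    second = fob.press(now=2)
    return {
        "first_forwarded": rx.accept(first, now=2),
        "first_replayed": rx.accept(first, now=3),
        "second_held_10_min": rx.accept(second, now=602),
    }


if __name__ == "__main__":
    print("counter only :", simulate())
    print("with lifetime:", simulate(MAX_AGE))
```

Both receivers reject a replay of the code that was already used; only the one with a lifetime check rejects the second code after it has been held back.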

Kamkar has built quite a reputation as a car hacker. He’s also made a $100 device called “OwnStar” that can “locate, unlock and remote-start any vehicle with OnStar RemoteLink.”

After he made that public, GM quickly closed that security gap.

Kamkar also developed OpenSesame by reprogramming a child’s pink toy to open a fixed-code garage door within seconds.

Low Risk for Most of Us

Since most vehicles don’t have the newer technology, car owners concerned about RollJam likely will resort to retro tech to protect their vehicles.

“I’m sure those people most concerned — people with something worth stealing — will take necessary precautions, like using a physical lock,” said Roger C. Lanctot, associate director of the global automotive practice for Strategy Analytics.

Most people need not worry about RollJam, though.

“I don’t want to ignore the seriousness of the security implications for high-traffic and high-security places that use this type of technology, but I don’t think that the average person needs to freak out and upgrade their garage doors,” said Adam Wosotowsky, a messaging data architect with Intel Security.

“With cars, most criminal elements are just going to break your window, unlock the door, and steal your stuff,” he told TechNewsWorld. “If you’re willing to steal from someone’s car, then you’re probably not the kind of criminal that does a lot of preplanning for your target.”

As cars become more connected, they also become more vulnerable, noted Adam Kujawa, a malware intelligence analyst with Malwarebytes.

“There are now more attacks available, and way more research being done to discover new ones, because of onboard computers and having cars that connect to the Internet,” he told TechNewsWorld.

“Anytime information is being sent from one system to another, there is a threat,” Kujawa said. “You can double that for wireless communications.”

More Connectivity Needed

On the other hand, those wireless communications also can be a means for auto makers to defeat hackers.

“Ironically, we will need connectivity to successfully defeat hacking of cars by keeping hacking defenses up to date,” Strategy Analytics’ Lanctot told TechNewsWorld.

“The auto industry has thus far failed to embrace connectivity with the same focus and intensity that it has pointed at safety systems,” he said.

“In fact, it is the safety systems — which take advantage of on-board computing — that have opened the door to hacking,” Lanctot pointed out.

“Simple steps have yet to be taken, in part because of the expense involved and the kind of monitoring required,” he added. “Car companies essentially need to monitor vehicles in the same way that Symantec and McAfee monitor computer networks.”

Stealing the codes for unlocking motor vehicles and automated garage doors became easier last week.


Rowhammer: A new JavaScript attack that targets DRAM

Most of the security flaws and problems that get attention in the community are fundamentally software-based. It’s not impossible to find a hardware bug or errata to target, but such attacks are typically an order of magnitude more difficult and rely on your target having a specific make or model of CPU. A hardware attack against Haswell will most likely fail against an Ivy Bridge or AMD CPU, while an attack that succeeds against an ARM chip’s physical design won’t apply to AMD or Intel. There’s a new hardware attack making the rounds, dubbed Rowhammer, that directly targets DRAM — and it’s got the potential to be a major headache in the future.

Here’s how Rowhammer works: Recent research has shown that repeatedly accessing the same memory blocks can cause a bit flip in other DRAM locations. These early attacks, however, required executing native code and relied on special instructions. A recent Chrome patch eliminated support for some of these instructions, which were thought to cause the problem.

What new research has demonstrated, however, is that the code doesn’t need to be native — it can be written in JavaScript. More than that, executing Rowhammer no longer requires local program execution privileges. Instead, the code can theoretically be executed via JavaScript, which means it can be served up by web browsers rather than relying on direct system access.

How Rowhammer works

At a high level, DRAM is organized into matrices of rows and columns. Conceptually, the arrangement is similar to a spreadsheet, and the exact cell to be read or written is located by a combined column and row address. Reading or writing a DRAM cell requires electrical current, and that current can have an impact on adjacent cells. The chance that a DRAM read or write has an impact on a nearby cell has only increased as cells have transitioned to smaller geometries and become more tightly packed.

[Figure: DRAM-Hammer]

By rapidly activating an aggressor row, a hostile program can cause the DRAM cells in adjacent rows (the victim rows) to flip their values. In the diagram above, the aggressor row is the purple row, while the two victim rows are shown in yellow. If the chips aren’t quickly refreshed by the system, a disturbance error occurs, which means the values in those particular DRAM cells change. There’s also a double-sided Rowhammer attack, in which the two yellow rows are used to launch an attack against the purple row — this method has a considerably higher chance of success.

One of the standard methods of protecting an operating system is to prevent processes from accessing memory that hasn’t been assigned to them. Your Chrome.exe or Firefox.exe process can’t just go snooping around in a game you’re playing, or even in each other’s memory locations. That’s the kind of trick that leads to hard locks and terminal errors in short order, particularly if one process overwrites values in another process’s memory space.

Up until now, all of the previous demonstrations of a Rowhammer-style attack relied on specific architectural exploits. Because it runs in JavaScript, Rowhammer.js is different. While the researchers found that different eviction algorithms worked best across Sandy Bridge, Ivy Bridge, and Haswell, the attack can be leveraged against all three chips.

Countermeasures

Right now, no one has created a rootkit or other exploit that relies on Rowhammer.js or an equivalent attack to do its dirty work. One simple way to avoid the problem is to increase the refresh rate to the point that the DRAM no longer has enough of an interval to be affected by Rowhammer in the first place. The problem with this approach is that it both increases power consumption and requires a huge refresh increase to be effective — up to eight-fold baseline for DDR3. That’s unlikely to ever happen without a fundamental change in memory technology, and while the Rowhammer.js exploit isn’t currently functional in the wild, we’d be surprised if malware developers don’t try to take advantage of it at some point.


Hackers target internet address bug to disrupt sites

Hackers are exploiting a serious flaw in the internet’s architecture, according to a security firm.

The bug targets systems which convert URLs into IP addresses.

Exploiting it could threaten the smooth running of internet services as it allows hackers to launch denial-of-service attacks on websites, potentially forcing them offline.

Regular internet users are unlikely to be severely affected, however.

Bind is the name of a variety of Domain Name System (DNS) software used on the majority of internet servers.

The recently identified bug allows attackers to crash the software, therefore taking the DNS service offline and preventing URLs, for example, from working.

A patch for the flaw is already available, but many systems are yet to be updated.

The Internet Systems Consortium (ISC), which develops Bind, said in a tweet that the vulnerability was “particularly critical” and “easily exploited”.

Attacks launched

Daniel Cid, a networking expert at Sucuri, has published a blog post on the vulnerability in which he explained that real exploits taking advantage of the flaw have already happened.

He told the BBC: “A few of our clients, in different industries, had their DNS servers crashed because of it.

“Based on our experience, server software, like Bind, Apache, OpenSSL and others, do not get patched as often as they should.”

Cybersecurity expert Brian Honan commented that a spike in exploits of the flaw was expected over the next few days.

However, he added that websites would often still be accessible via other routes and cached addresses on DNS servers around the world, even when certain key DNS servers have been made to crash.

“It’s not a doomsday scenario, it’s a question of making sure the DNS structure can continue to work while patches are rolled out,” he said.

The impact on general internet users is likely to be minimal, according to Mr Cid.

“Average internet users won’t feel much pain, besides a few sites and email servers down,” he said.


OS X Zero-Day Exploit Threatens Massive Mac Attack

Mac users, beware — the ads you see on the Web could let hackers hijack your device.

Malwarebytes has discovered a new zero-day exploit in OS X that lets apps bypass passwords during installation to get root permission through a Unix shell.

A new adware installer downloaded by a Malwarebytes researcher modified his sudoers file — a hidden Unix file that controls access to root permissions.

The script exploited the DYLD_PRINT_TO_FILE vulnerability publicized last month by German security researcher Stefan Esser.

Together with the disclosure, Esser posted a TrustedBSD kernel extension he wrote to protect against the vulnerability.

“Apple has not fixed [the vulnerability] yet,” said Thomas Reed, director of Mac offerings at Malwarebytes.

“I can’t say why not, but it does appear that they have known about the issue for some time,” he told TechNewsWorld. “Apparently, another researcher [with the Twitter handle ‘@beist’] alerted Apple prior to Esser’s release, but I’m unclear on the timing of that report.”

What the DYLD Exploit Does

The script exploiting the DYLD vulnerability is written to a file and then executed. It then deletes itself.

The script allows shell commands to be executed as root using sudo, without requiring a password, Malwarebytes found.

It then launches the VSInstaller app, which is in a hidden directory on the installer’s disk image, and gives it full root permissions. That lets the app install anything anywhere.

VSInstaller installs VSearch adware, as well as a variant of the Genieo adware and the MacKeeper junkware application. It then directs the user to the Download Shuttle app in the Mac App Store.

There is no good way for users to protect themselves short of installing Esser’s kernel extension, Malwarebytes said.
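One way to check for the sudoers change described above, as an added example that is not Malwarebytes' or Esser's code: it scans sudoers text for entries that waive the password prompt and lists include directives whose files need the same check. The sample file content, user names and paths are constructed.

```python
import re

ALIAS = re.compile(r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\b")

# Constructed sample, not taken from an affected machine.
SAMPLE = """\
# constructed sudoers sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /usr/bin/tar
#includedir /etc/sudoers.d
alice   ALL=(ALL) NOPASSWD: ALL
"""


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def audit_sudoers(text):
    """Return (line_number, kind, detail) for entries that skip the password.

    kinds: "nopasswd-all"    rule grants every command without a password
           "nopasswd"        rule grants specific commands without a password
           "no-authenticate" Defaults entry that disables authentication
           "include"         another file or directory that must be audited too
    """
    findings = []
    for lineno, line in logical_lines(text):
        line = line.strip()
        if line.startswith(("#include", "@include")):
            findings.append((lineno, "include", line.split(None, 1)[-1]))
            continue
        # '#' starts a comment unless it introduces a numeric uid such as #501.
        line = re.sub(r"#(?!\d).*$", "", line).strip()
        if not line or ALIAS.match(line):
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:
                findings.append((lineno, "no-authenticate", line))
            continue
        if "=" not in line:
            continue
        who, spec = line.split()[0], line.split("=", 1)[1]
        match = re.search(r"\bNOPASSWD\s*:\s*(.*)", spec)
        if match:
            commands = [c.strip() for c in match.group(1).split(",")]
            kind = "nopasswd-all" if "ALL" in commands else "nopasswd"
            findings.append((lineno, kind, who))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

On a real system the text would come from the sudoers file and every file it includes; an unexpected `nopasswd-all` entry is the one to investigate first.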

Apple Zips Its Lips

Apple came under fire from Esser, who claimed the company already had fixed the flaw in the newest version of OS X, El Capitan, which has been in public beta for several months.

Apple rolled out the third public beta last month and the fourth on Tuesday.

However, Esser’s assumption that Apple had fixed the flaw in El Capitan but decided not to fix it in the current version, OS X Yosemite, may be incorrect, Reed suggested.

“That just doesn’t seem reasonable to me,” he said, adding that Apple contacted him for more information “within a couple hours after my blog post was published.”

Apple did not respond to our request to comment for this story.

Bumbling Into a Hack

The people behind the DYLD exploit are “just adware vendors,” Reed said. They “tend to write careless, sloppy code, and haven’t showed any signs of being highly skilled.”

Reed criticized Esser for publicizing the flaw, reasoning that the hackers “would not have found a vulnerability like this on their own, in my opinion.”

Esser has his defenders. Commenting on the Malwarebytes blog post, “m4rkw” contended Esser only released the information to motivate Apple “to bother fixing a bug that they apparently going to bother with … leaving millions of users vulnerable to what is quite a trivial exploit.” Further, Esser provided a fix.

Esser contends he did nothing wrong.

“Why should I?” he responded on his Twitter feed when someone asked why he didn’t notify Apple instead of publicizing the vulnerability on his blog.

Esser did not respond to our request to comment for this story.

Ads Are Dangerous

The DYLD exploit opens the door to malvertising — malicious ads created by hackers.

Yahoo was hit by a malvertising attack this past week — and it, Google, AOL, and various online ad distribution platforms have been used to distribute malvertisements for some time now.

“One successful penetration of an ad system leads to huge payoff in terms of the total number of victims who can be attacked via malicious ads,” said Lane Thames, security research and software development engineer of Tripwire.

“If large-scale malvertising campaigns … continue,” he told TechNewsWorld, “consumers will lose more trust in these ad services, which can ultimately lead to financial losses for the ad organizations.”


University of Connecticut Hack Exposed Students’ Credit Cards, SSNs

The University of Connecticut announced Friday that its School of Engineering was the target of a serious data breach that exposed an unknown amount of personal and financial information of students and information from research partners. The hack was uncovered on March 9, when IT staff discovered malware on some of the school’s servers. These servers contained both sensitive research data and private information belonging to students, staff and faculty: Social Security numbers and credit cards, as well as logins and passwords.

The school’s blog post describes the attack as apparently having originated in China. A university spokesman said the school is working with the FBI on analyzing the attack.

An investigation by the university and cybersecurity outfit Dell SecureWorks indicated the first hack occurred in September 2013, meaning the intruders have had ample opportunity to use any data they stole. The spokesman said it’s not clear yet how many people’s data may have been exposed.

Those affected by the hack will be notified and provided identity protection services, the school said.

Research sponsors and partners are also being alerted to potential data exposure, though the university says there’s “no direct evidence” any was stolen.

After patching the vulnerability, the university implemented a number of improvements to its security infrastructure and is launching a “comprehensive review” of its IT practices.
