Tag Archives: today

[ISN] Heartbleed a Year Later: How the Security Conversation Changed

http://www.eweek.com/security/heartbleed-a-year-later-how-the-security-conversation-changed.html
By Sean Michael Kerner
eWEEK.com
2015-04-07

A year ago today (April 7), I first saw the OpenSSL advisory about a new security vulnerability identified as CVE-2014-0160 and titled “TLS heartbeat read overrun.” When I first wrote my article for eWEEK on the issue, I identified the flaw as the Heartbeat SSL flaw. By the middle of the day on April 8, my editors at eWEEK were asking me if I had mislabeled the story since other publications were calling it Heartbleed. Time sure does fly. The name Heartbleed is the branded term that security firm Codenomicon came up with. They also branded the vulnerability in a way that I had never seen before, but has since become a model that other security vendors have tried to emulate. The Codenomicon-branded Heartbleed had its own logo and an easy-to-follow description of the flaw and the actual risks. As it turned out, the issue was also discovered by Google security researcher Neel Mehta. Both Mehta and Codenomicon were awarded the Black Hat 2014 Pwnie award for Heartbleed in the category of best server-side bug. […]

[ISN] FBI Threat Intelligence Cyber-Analysts Still Marginalized In Agency

http://www.darkreading.com/risk/fbi-threat-intelligence-cyber-analysts-still-marginalized-in-agency/d/d-id/1319618
By Sara Peters
Dark Reading
3/25/2015

Despite good progress, 9/11 Review Commission says that analysts could have a greater impact on FBI counter-terrorism activities if they had more domain awareness, forensics capabilities, and were more empowered to question agents. FBI threat intelligence analysts, a position created post-9/11, have proven their worth to counter-terror operations, but their impact has been limited by a lack of domain awareness, insufficient computing technology, and a lack of status within the Bureau, according to a report released today by the FBI 9/11 Review Commission. While the analysts are providing agents with tactical input, they are not yet participating in any strategic way. Part of the intelligence analysts’ job description, as described by FBIAgentEdu.org, is cyber-forensics and cyber-surveillance

[ISN] Sony Pictures Confirms Hack-Delayed Q3 Profit of $51m, More Than Double February Forecast

http://www.hollywoodreporter.com/news/sony-pictures-confirms-hack-delayed-782423
By Gavin J. Blair
The Hollywood Reporter
3/17/2015

Sony Pictures generated profits of $51 million (¥6.2 billion) in the quarter ending Dec. 31, the period affected by the hacking attack, more than the $20 million it had predicted in February, Sony Corp. announced in Tokyo on Tuesday. Sales at the pictures division were $1.707 billion (¥206.6 billion) for the quarter, up from the Feb. 4 estimate of $1.633 billion. Compared to the same quarter in 2013, sales were down 20 percent on a dollar basis, but only 7.7 percent in yen, due to the weakening of the Japanese currency. The final announcement of Sony’s third-quarter earnings was delayed by the hack by a group calling itself Guardians of Peace, which caused huge disruption to the operations of Sony Pictures Entertainment in November and December. Sony explained at the Feb. 4 provisional announcement that much of the damage caused by the hack was covered by insurance and predicted a cost of approximately $15 million, an amount confirmed in today’s figures. […]

[ISN] Target poised to settle breach for $10 million

http://www.usatoday.com/story/money/business/2015/03/18/target-hack-breach-10-million/24991847/
By Jay Knoll
KARE-TV
March 19, 2015

MINNEAPOLIS – Target Corp. is poised to settle a class-action lawsuit filed following the retailer’s massive data breach in 2013, court documents filed Wednesday in Minnesota show. A $10 million dollar fund will be established for victims of the breach, the 97-page settlement says. Victims will be eligible for up to $10,000 compensation each. Some aspects of the proposed class action settlement appear unique, said Mark Melodia, founder of the information technology, privacy and data security practice at the law firm of Reed Smith in New York City. “First, the amount of attorneys’ fees contemplated by this deal is at the high end of the historical range, even for multi-district litigation proceedings,” Melodia said, cautioning that he has not had time to study the settlement. […]

[ISN] CIA Restructuring Adds New Cyber Focus

http://www.defenseone.com/technology/2015/03/cia-restructuring-adds-new-cyber-focus/106953/
By Patrick Tucker
defenseone.com
March 6, 2015

The CIA will create a new directorate designed to boost the agency’s ability to collect and use digital intelligence in operations, CIA Director John Brennan announced. The move to launch a “directorate of digital innovation” comes two weeks after the Washington Post first reported that Brennan would be restructuring the agency to place a much stronger emphasis on the use of computers and electronic intelligence. The move is a big change for the agency, one that reflects a fundamental evolution in intelligence gathering. CIA traditionally has been tasked with collecting information from human sources (also called HUMINT). The NSA, conversely, is tasked with collecting information from electronic sources in the form of signals (also called SIGINT). Today’s announcement is a formal recognition that the electronic world is overtaking the human one, and that collecting information from humans now has a digital component to it. “Digital technology holds great promise for mission excellence, while posing serious threats to the security of our operations and information,” Brennan said, in a message to the Intelligence Community, released Friday. “We must place our activities and operations in the digital domain at the very center of all our mission endeavors.” Brennan said a new senior position will “oversee the acceleration of digital and cyber integration across all of our mission areas.” […]

[ISN] US watchdog: Anthem snubbed our security audits before and after enormous hack attack

http://www.theregister.co.uk/2015/03/05/us_watchdog_anthem_audits/
By Shaun Nichols
The Register
5 Mar 2015

A year or so before American health insurer Anthem admitted it had been ruthlessly ransacked by hackers, a US federal watchdog had offered to audit the giant’s computer security – but was rebuffed. And, after miscreants looted Anthem’s servers and accessed up to 88.8 million private records, the watchdog again offered to audit the insurer’s systems, and was again turned away. “We do not know why Anthem refuses to cooperate,” government officials told The Register today. The Office of the Inspector General (OIG) for the US Office of Personnel Management (OPM) told us it wanted to audit Anthem’s information security protections back in 2013, but was snubbed by the insurer. According to the agency, Anthem participates in the US Federal Employees Health Benefits Program, which requires regular audits from the OIG, audits that Anthem allegedly thwarted. Other health insurers submit to Uncle Sam’s audits “without incident,” we’re told. […]

[ISN] Credit Card Breach at Mandarin Oriental

http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/
By Brian Krebs
Krebs on Security
March 4, 2015

In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach. Reached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach. “We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement. “Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.” Mandarin isn’t saying yet how many of the company’s two-dozen or so locations worldwide may be impacted, but banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States, including locations in Boston, Florida, Las Vegas, Miami, New York, and Washington, D.C. Sources also say the compromise likely dates back to just before Christmas 2014. […]

[ISN] Target Says Credit Card Data Breach Cost It $162M In 2013-14

http://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/
By Ingrid Lunden
Techcrunch.com
February 26, 2015

When it comes to data breaches, retailers are one of the biggest targets these days, and today we have some detail on the costs around one of the more high-profile attacks. Target today said that it has booked $162 million in expenses across 2013 and 2014 related to its data breach, in which hackers broke into the company’s network to access credit card information and other customer data, affecting some 70 million customers. The figure, revealed in the company’s Q4 earnings published today, includes $4 million in Q4, and $191 million in gross expenses for 2014, as well as $61 million gross for 2013. Target says that the gross number was offset in part by insurance receivables of $46 million for 2014 and $44 million for 2013. This is also not including whatever expenses Target may incur as a result of class action lawsuits filed after the breach, or wider damage to its reputation with customers. In January, a federal judge gave plaintiffs the nod to proceed with their class action case against the company. Overall Target posted revenues of $21.8 billion, beating analyst estimates, and adjusted earnings per share of $1.50, beating its guidance. The company also recorded a pre-tax loss of $5.1 billion related to the company pulling out of operating in Canada. In pre-market trading, the company’s shares were up a little over 1% to $77.85 per share. […]