This document summarizes a lecture about implications and responses to large security breaches. It discusses several major breaches in recent years including Yahoo, Ashley Madison, AdultFriendFinder, and Home Depot. It provides questions to consider for post-breach analysis and lessons learned about crafting effective breach notification messages and preventing future breaches. Key resources for learning about security breaches are also listed.
We are one of the top Cyber security training providers.
Cyber security includes both the technologies and processes used to protect digital devices and networks from digital attacks, hacking and unauthorised access.
100% placement assistance will be provided after completion of this course.
Infections cost organizations billions of dollars in lost time and productivity, as well as ransom payments and other indirect costs, like damage to a business’s reputation.
End-users will learn about password management, multi-factor authentication and how to secure their laptops and desktops while working remotely.
This session will teach professionals how to avoid becoming a statistic.
Agenda: Foundations of security awareness | Common threats | Three ways to secure your work environment | Best practices for users | The work from home checklist
3 Steps to Stopping Social Media Account Hacks - Nexgate
Social media hacks and hijacks are on the rise. Protect your brand and social media marketing programs. Learn the 3 steps to stopping social media account hacks.
Original air date: Aug. 29, 2017
Rebroadcast and recording info at http://www.mhmcpa.com
Cybercriminals don’t discriminate when it comes to valuable data. Not-for-profit organizations are just as vulnerable to technology-related risks as for-profit organizations. Robust cybersecurity and information technology controls can help not-for-profits keep sensitive information secure, and as data breaches become more common, information technology controls are increasingly vital to your operations.
In our webinar, we'll discuss some of the most common technology risks for not-for-profits and what management can do to mitigate those risks.
Ethical Hacking and Cybersecurity – Key Trends in 2022 - PECB
In recent years, there has been a significant number of cyberattacks resulting in massive business disruptions.
In this regard, many organizations are hiring ethical hacking groups to help prevent future attacks.
Amongst others, the webinar covers:
• 2021 Cyber-incidents
• 2021 Black swans
• Ransomware vNext
• IoT - internet of things
• Cyber security insurance evolution
• Cyber best practices & frameworks
• The 2022 black swans
Presenter:
Our first presenter for this webinar is Peter Geelen, director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. In the last few years his focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy.
Our second presenter is Erwin AM Geirnaert, Co-founder and Chief Application Security Architect at Shift Left Security, a Belgian cybersecurity start-up specialized in securing start-ups, scale-ups and SMBs against malicious cybercriminals. Erwin is a specialist in mobile security, J2EE security, .NET security, API security and web services security. Erwin has more than 20 years’ experience executing security tests (penetration testing) of web applications, mobile apps, APIs and thick client applications. He is also a recognized application security expert and speaker at international events such as Javapolis, LSEC, OWASP, Eurostar and Infosecurity.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/ZHQQ1yJX2uU
Website link: https://pecb.com/
Info Session on Cybersecurity & Cybersecurity Study Jams - GDSCCVR
In an era where digital threats are ever-evolving, understanding the fundamentals of cybersecurity is crucial.
Highlights of the Event:
💡 Google Cybersecurity Certification Scholarship.
🎭 Cloning and Phishing Demystified
🚨 Unravelling the Depths of Database Breaches
🛡️ Digital safety 101
🧼 Self-Check for Cyber Hygiene
⏺️ Event Details:
Date: 18th December 2023
Time: 6:00 PM to 7:00 PM
Venue: Online
Ransomware: Prevention, privacy and your options post-breach - Gowling WLG
Ransomware (cyber attack software that holds its targets’ data for ransom) has become an increasing danger to businesses and institutions this year.
This presentation will explore the nature and extent of the problem, legal options for and regulatory obligations of victims of ransomware, and emergent insurance options for dealing with the fallout from ransomware attacks.
The good, the bad and the ugly of the Target data breach - Ulf Mattsson
The landscape of threats to sensitive data is rapidly changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
This webinar will cover:
Data security today, the landscape, etc.
Discuss a few recent studies and changing threat landscape
The Target breach and other recent breaches
The effects of new technologies on breaches
Shifting from reactive to proactive thinking
Preparing for future attacks with new techniques
You have probably heard of the major breach at the US retailer Target, in which 40m credit cards and their details were stolen. As with any incident of this magnitude, there are valuable lessons to be learned. One way to understand the breach more fully - to borrow a phrase from Deep Throat talking about the Watergate scandal in All the President's Men - is to follow the money.
This webinar will do just that. Using the Target breach as a real example, for which there is now much information in the public domain, we will detail what we know about how it happened. We will place particular emphasis on the money trail: not only how the bad guys turn the data into cash, but also who ends up footing the bill, the role insurance can play, and the resulting lawsuits and other repercussions (both the CEO and CIO of Target have resigned). As such, this webinar is a powerful opportunity to learn first-hand what really happens as a breach unwinds, from a very respected professional who has been in the trenches for decades.
And here are three important take-aways from this highly informative webinar:
1. Why Chip and PIN is not foolproof
2. A detailed understanding of where the money goes post breach
3. Top tips for how firms must think differently about IR in the wake of Target-like incidents
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Mark Rasch, Chief Privacy Officer, SAIC
In this video we talk about some tools and techniques that can be used to protect your login credentials and digital identity including good password practices, adding Multi Factor Authentication (MFA), and monitoring to alert when a compromised account is found. Don’t assume your organization won’t be targeted – everyone is a target. As with all our webinars, this presentation is appropriate for an audience of varied IT and security experience.
WFH security risks - Ed Adams, President, Security Innovation - Priyanka Aash
Our security practices need to evolve in order to address the new challenges brought on by the rapid adoption of technologies and products that enable the world to work from home (WFH). The mantra of the attacker remains consistent -- attack that which yields maximum result -- and that is usually something used by a very large number of users. This webinar will discuss the Top 10 Security Gaps that CISOs should be aware of as they brace for long WFH periods.
What you will learn:
- New attack techniques hackers are using to target WFH
- How to handle decentralisation of IT and technology decisions
- Application risks as enterprises pivot to online/new business model(s)
- New risks in the Cloud and due to Shadow IT
- Security risks due to uninformed employees & their home infrastructure
- How to handle misconfigurations & third-party risks
- How to build a robust breach response and recovery program
Full video - https://youtu.be/bQLfnmhDnQs
Craig McGill, Comms for PwC in Scotland, was invited to speak at #PRFest about cyber security and how PR had to be involved from the outset. www.prfest.co.uk
Protecting your digital and online privacy - David Strom
I gave this talk in October 2019 about ways that your digital and online habits can be tracked and what kind of data you inadvertently leak, along with tools that you can use to protect your privacy.
How to market your book in today's social media world - David Strom
Self-published authors need to learn how to use various digital tools to help them market their books. This seminar will show you some of the more common and inexpensive ones.
This is a talk I gave in St. Louis in April 2018 about how businesses need to understand the Internet of Things and how they can better protect themselves.
How to make your mobile phone safe from hackers - David Strom
While the news about laptop camera covers can make any of us paranoid, the real cyber threat comes from the computer we all carry in our pockets and purses: our mobile phones. I will describe some of the more dangerous cyber threats that can turn your phone into a recording device and launch pad for hackers, and how you can try to prevent these in your daily life.
Slides from a webinar that I and Dell Virtualization Evangelist Hassan Fahimi gave in March 2016. We provide a complete overview of OpenStack and Foglight for OpenStack.
Listen to Your Customers: How IT Can Provide Better Support - David Strom
For a webinar sponsored by Citrix, 11/15.
IT needs to provide the best possible support to its end users. Indeed, treating them as your customers is critical. We’ll cover some of the lessons learned from the best and worst customer-facing organizations to see how IT can make improvements in this area.
There are numerous analytical techniques that can be used to examine Big Data sources. I describe several of the more popular ones in this talk for a Washington University roundtable discussion in July 2015.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply doing machine learning on any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Implications and response to large security breaches
1. Implications and response to large security breaches
SYR IST 323 class lecture
David Strom
Slides available here: http://slideshare.net/davidstrom
2. Who am I?
• Long-time IT B2B trade press journalist
• Actually hired Molta in a weak moment
• Started numerous print and Web pubs, wrote two computer networking books
4. Agenda
• A review of the more recent, larger breaches
• Questions to ask for post-breach analysis
• What are some IT security lessons learned
• Where to find breach info for your case studies
5. Yahoo!
• Three separate reported breaches from 2013, 2014, 2016 with millions of accounts leaked
• Using MD5 hashes, not state of the art and not salted either
• Long persistent attack that lasted years
• Yahoo Account Key -- zero factor auth!
• CISO-of-the-month club: not cool
• Russian FSB officers criminally charged in March
18. Questions for post-breach analysis
• Did the company express the breach in plain language?
• Did they precisely indicate what happened and who was affected?
• Did they constructively suggest a solution?
• Can non-IT people understand what to do next to protect their personal info?
• Has anything IT-related changed as a result?
21. Home Depot breach
• Symantec Endpoint Protection installed, BUT
– No Network Threat Protection module active
• No point-to-point encryption for payments
• POS systems using WinXP Embedded, BUT
– Not secure and not the most recent OS
• No vulnerability mgmt program active
• Using a flat network topology for both POS and PCs
• Not managing 3rd-party vendor auth credentials
26. Lessons learned
• How to craft breach notification messages and campaigns
– Exact dates, times and places
– Provide lots of other details
– Include follow-up contact info for concerned customers
• When to notify the public and customers
– The sooner the better. Days matter.
27. More lessons
• How to explain the specifics of the breach
– What data was stolen, both customer and corporate
– How to prevent this from happening again
– Make it easy for customers to find out this stuff
• What to do personally
– Don’t use your real “birthday” on social nets
– Don’t reuse passwords, really
29. Where to get breach news
• Naked Security/Sophos
• The Intercept (but with a bucket of salt)
• SANS.org (for tech info, training classes)
• Threatpost
• MacKeeper/Chris Vickery
• LeakedSource (notification and data dumps)
• And of course, Inside Security!
Vera Bradley, October 2016: card data from customers who paid by credit card in stores between last July and September was leaked. Only in-store purchases were affected; online was not hit. They have 150 stores around the world.
http://www.darkreading.com/attacks-breaches/vera-bradley-stores-report-payment-card-breach/d/d-id/1327173
A massive data breach targeting adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including millions of supposedly deleted accounts. This number refers to the entire customer databases of several dating sites, including Cams.com, Penthouse.com and other sites. The attack happened at around the same time as one security researcher, known as Revolver, disclosed a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on their web server. The data does not appear to contain sexual preference data unlike the 2015 breach, however.
Comments were swift. “This is ten times worse than the Ashley Madison hack. Wait for a raft of class-action lawsuits,” says KnowBe4. The company verified that its servers were vulnerable. LeakedSource revealed that the company did not properly protect its users’ data: user passwords were stored either in plain text or as unsalted SHA-1 hashes, which were easily cracked. The deleted emails were retained in this format: “email@address.com@deleted1.com”, which is curious and obviously intentional. -- ZDNET
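The Yahoo slide above (MD5, unsalted) and the Friend Finder note (passwords in the clear or as unsalted SHA-1) describe the same storage failure. The Python below is an added example, not code from the lecture or its notes: it shows why an unsalted digest gives identical values for identical passwords across users, how a salted, iterated PBKDF2 record avoids that and is verified in constant time, and how a defender can audit an existing credential table to find the records that still need re-hashing on the user's next login. The iteration count, the record format, and the sample users are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. The figure is an assumption for this
# example (in line with current OWASP guidance), not a value from the slides.
PBKDF2_ITERATIONS = 600_000


def legacy_digest(password: str, algorithm: str) -> str:
    """Unsalted single-pass hash, the scheme the Yahoo and Friend Finder notes describe.

    Every user with the same password gets the same digest, so one
    precomputed table of digests covers every account that reused it.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing 'algo$iters$salt$digest' record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user and per password change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def classify_record(stored: str) -> str:
    """Label a stored credential by its storage scheme.

    Bare hex of fixed length is the tell-tale of an unsalted digest:
    MD5 is 32 hex characters, SHA-1 is 40.
    """
    if stored.startswith("pbkdf2_sha256$"):
        return "salted-pbkdf2"
    if len(stored) in (32, 40) and all(c in "0123456789abcdef" for c in stored.lower()):
        return "unsalted-md5" if len(stored) == 32 else "unsalted-sha1"
    return "plaintext-or-unknown"


def audit_credential_store(records: Dict[str, str]) -> Dict[str, str]:
    """Return {username: scheme} so weak records can be queued for re-hashing."""
    return {user: classify_record(stored) for user, stored in records.items()}


def shared_password_is_visible(store: Dict[str, str], user_a: str, user_b: str) -> bool:
    """True when two records are byte-identical, i.e. password reuse is readable off the table."""
    return store[user_a] == store[user_b]


# Constructed sample store (hypothetical users): alice/bob and erin/frank share a password.
SAMPLE_PASSWORD = "correct horse battery staple"
CONSTRUCTED_STORE = {
    "alice": legacy_digest(SAMPLE_PASSWORD, "md5"),
    "bob": legacy_digest(SAMPLE_PASSWORD, "md5"),
    "carol": legacy_digest("another-password", "sha1"),
    "dave": "letmein",  # stored in the clear
    "erin": hash_password(SAMPLE_PASSWORD),
    "frank": hash_password(SAMPLE_PASSWORD),
}


if __name__ == "__main__":
    for user, scheme in audit_credential_store(CONSTRUCTED_STORE).items():
        print(f"{user:6s} {scheme}")
    print("alice/bob reuse visible:", shared_password_is_visible(CONSTRUCTED_STORE, "alice", "bob"))
    print("erin/frank reuse visible:", shared_password_is_visible(CONSTRUCTED_STORE, "erin", "frank"))
    print("verify erin:", verify_password(SAMPLE_PASSWORD, CONSTRUCTED_STORE["erin"]))
    print("verify wrong:", verify_password("wrong", CONSTRUCTED_STORE["erin"]))
```

The audit is the part a breach responder actually runs: the unsalted-md5 and unsalted-sha1 labels show which accounts must be forced through a password reset or transparently re-hashed on the next successful login, and the plaintext-or-unknown bucket is the one to escalate first.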
DailyMotion had more than 80 million account IDs and passwords exposed. Only a fifth of these accounts had passwords, and those were fortunately encrypted. The company admitted the breach in a blog post.
http://blog.dailymotion.com/2016/12/06/8886/
LeakedSource obtained the data file.
Hackers shut down a Finnish heating system with a DDoS-based DNS attack. At least two housing blocks in the city of Lappeenranta were affected, as confirmed by the facilities management company. The root cause was that the HVAC management systems sat on public IP addresses with no firewall, so the hackers could reach them directly. When the company tried to reboot its systems, it needed more than a week to get the computers back online, since the attack also denied remote access to the systems. Luckily, outdoor temperatures weren’t critical. Researchers at IBM found that many building automation systems suffer from a range of security issues, from weak authentication and authorization controls to vulnerable administrative web interfaces used to provide remote access. --
https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/
http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter
E-Sports Entertainment Association is one of the largest competitive video gaming communities on the planet. They were hacked in December 2016 and a database containing 1.5 million player profiles was compromised. A full timeline of events has been posted to the E-Sports website, and LeakedSource confirmed the leak. While passwords were encrypted, other information was not and could be used to set up further attacks. Hackers demanded a ransom payment of $100k, but E-Sports did not comply. –
http://www.csoonline.com/article/3155397/security/esea-hacked-1-5-million-records-leaked-after-alleged-failed-extortion-attempt.html
A Pentagon contractor accidentally leaked more than eleven gigabytes of data, including individuals’ names, locations, Social Security numbers, salaries, and assigned units. This comes from Chris Vickery, a security researcher with MacKeeper, who wrote about it last December. The data comes from the military’s Special Operations Command; the database, leaked from the Potomac Healthcare Solutions site, had no user name or password protection. After Vickery called Potomac, the information was still available an hour later. “It shouldn’t take over an hour to contact your IT guy and fix this,” he said. Eventually, the information was removed. –
https://mackeeper.com/blog/post/314-special-ops-healthcare-worker-breach
Sometimes security researchers specialize in a particular product with weak controls. One such product is the Buffalo TeraStation network attached storage. Essentially, it is a hard drive with a network connection and software that lets you make backups to an Internet site. The problem is that these backups are often left in the clear, without any password protection, and they are easy to find if you know what you are looking for.
That is exactly what MacKeeper’s Chris Vickery figured out in two separate incidents: one reported in February at Stewart Airport, in downstate New York, and one involving an office of Ameriprise Financial. The airport leak involved 700 GB that sat out on the Internet for a year after the IT manager opened a firewall port and forgot to protect his data. The data includes everything from sensitive TSA letters of investigation to employee Social Security numbers, network passwords, and 107 gigabytes of email correspondence.
https://mackeeper.com/blog/post/334-extensive-breach-at-intl-airport
The Ameriprise leak inadvertently exposed hundreds of investment portfolios, worth tens of millions of dollars. In this case, the NAS drive was at the home of one of their advisors. Amusingly, one of the pieces of the leaked data is a confidential memo in which Ameriprise asks its advisors “Do you keep your backup computer records (i.e. hard drive, memory stick, etc.) at a location other than your office?”, to which the possible answers are “Yes”, “No”, and “N/A – (select this option if you are using an online solution)”.
https://mackeeper.com/blog/post/310-ameriprise-data-breach
In what could be the largest breach of the year in terms of numbers, Three Mobile, one of the UK's biggest mobile phone operators, has been breached. Supposedly the personal information and contact details of six million of its customers were exposed, about two-thirds of the company’s overall customer base. Hackers used an employee’s login credentials to gain entry. The motive was simple theft: the company confirmed around 400 cases in which fraudsters had stolen high-value phones through burglaries, and other devices had already been obtained illegally by tracking which customers were eligible for upgrades. Three people have been arrested so far.
http://thehackernews.com/2016/11/3-mobile-uk-hacked.html
And recently, another technical glitch exposed new customer info:
https://www.theguardian.com/business/2017/mar/20/three-mobile-possible-data-breach-data-usage-call-history
Data from more than 1,000 corporate-owned Arby’s fast food restaurants was compromised, resulting in personal information being stolen from at least 355,000 customers’ credit and debit cards. Sources suggest the breach occurred between Oct. 25, 2016 and January 19, 2017.
https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/
http://download.schneider-electric.com/files?p_Reference=SEVD-2016-288-01&p_EnDocType=Technical%20leaflet&p_File_Id=4837908514&p_File_Name=SEVD-2016-288-01+Unity+Simulator.pdf
https://www.indegy.com/blogs/new-scada-vulnerability-enables-remote-control-of-ics-networks/
Schneider Electric’s Unity Pro software manages millions of SCADA controllers around the world; it is in every single control network that the company sells. Above is the notification to its customers.
An example of a carder website is Rescator, shown here. As you can see, the site has full search capabilities based on the type of stolen credit card you are searching for.
https://krebsonsecurity.com/2017/03/google-points-to-another-pos-vendor-breach/
The Rescator login page uses a photo of Brian Krebs to lend it authenticity. Rescator was the source of POS malware used in many of these retail attacks, including CiCi’s.