NEWS - December 03, 2014

Dec 3, 2014 2:16AM PST
Sony Breach May Have Exposed Employee Healthcare, Salary Data

The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What's more, it's beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems.

Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.

Sony officials could not be immediately reached for comment; a press hotline for the company rang for several minutes without answer, and email requests to the company went unanswered. But a comprehensive search on LinkedIn for dozens of the names in the list indicates virtually all correspond to current or former Sony employees.

Continued: http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data/

Related:
Sony Pictures hack gets uglier; North Korea won't deny responsibility [Updated]
Sony breach: More leaks expose employees' salaries, personal data

Prior post: Sony Pictures hackers may have gotten inside help

* * * * * *
For those interested in the author (Brian Krebs) of the above-referenced post, see: KrebsOnSecurity on CBS's '60 Minutes'


FBI malware warning follows Sony Pictures hack
Dec 3, 2014 2:56AM PST

"The crime-fighting agency tells US businesses to stay alert because of some particularly nasty malware in the wild."

The FBI has warned that hackers have used malware to launch destructive attacks against businesses in the United States, following a devastating attack on the networks of Sony Pictures Entertainment.

In a five-page confidential "flash" warning sent to businesses late Monday and seen by Reuters, the FBI provided technical details about the malware, but did not mention the corporate victim by name. According to the advisory, the malware is particularly violent -- overwriting data on hard drives to make them little more than bricks while also closing down networks.

Continued: http://www.cnet.com/news/fbi-malware-warning-follows-sony-hack/

Related:
FBI issues warning on destructive malware
FBI Warns Of Destructive Cyber-Attacks Following Sony Pictures Breach

Critical Security Updates for Firefox, ESR, Thunderbird
Dec 3, 2014 2:57AM PST

The Mozilla Foundation yesterday released nine security updates fixing as many vulnerabilities in its popular Firefox browser. The fixes address three critical vulnerabilities, and others rated high and moderate.

Mozilla issues critical ratings for bugs an attacker can exploit in order to run code and install software without any user interaction beyond normal browsing activity. All of the critically rated bugs affect Firefox 34, extended support release 31.3 (on which the Tor Browser Bundle is based) and Thunderbird 31.3.

Continued: http://threatpost.com/mozilla-critical-security-updates-for-firefox-esr-thunderbird/109686

Related:
Firefox 34 comes with critical security updates
Mozilla Firefox Version 34 Released with Critical Security Updates

See Updates thread: Mozilla Firefox Version 34.0.5 Released

the Poodle exploit, some info
Dec 3, 2014 7:55AM PST

I have FF28 and there's a fix for it. I turned off all SSL3 in it, and set the TLS to be the ONLY security accepted by it. Information on how to do it in this thread.

http://forums.linuxmint.com/viewtopic.php?f=143&t=180418

http://forums.linuxmint.com/download/file.php?id=20190&sid=d4ffc9795b624dd1a23572613d2e68cd&mode=view

http://forums.linuxmint.com/download/file.php?id=20191&sid=d4ffc9795b624dd1a23572613d2e68cd&mode=view

Above are images of the about:config page in FF28. They show the SSL3 entries, which can all be set to false, and the TLS connection setting "security.tls.version.min", which should be changed from zero to one. If the TLS minimum is set to one, it's supposed to deny any SSL3 connections, but I'd set them to false just to be sure, to feel safer.

update
Dec 3, 2014 9:04AM PST

Just make the change on the TLS setting. Turning all SSL to false causes Yahoo and AOL mail to fail.
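The two posts above describe a minimum-TLS-version change and the failure mode of also switching every security.ssl3.* entry to false. In Firefox those security.ssl3.* prefs are cipher-suite toggles that apply to every protocol version, not an SSL 3.0 switch, so disabling all of them leaves the browser with no usable suite for TLS either. The following is an added example, not code from the forum thread, that parses constructed user.js fragments and reports both conditions; the three suite names are assumed to be a small subset of the real pref list.

```python
import re

# Constructed user.js fragments (not from the forum post): an "everything off"
# variant like the first attempt, and the corrected "TLS minimum only" variant.
ALL_OFF = """
user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
"""
TLS_ONLY = """
user_pref("security.tls.version.min", 1);
"""

# Assumed subset of Firefox cipher-suite prefs; a real profile has many more.
SUITES = [
    "security.ssl3.rsa_aes_128_sha",
    "security.ssl3.rsa_aes_256_sha",
    "security.ssl3.ecdhe_rsa_aes_128_sha",
]

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Map pref name -> Python value for each user_pref(...) line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs


def audit(text, suites=SUITES):
    """Return findings: SSL 3.0 still allowed, or every cipher suite disabled."""
    prefs = parse_prefs(text)
    findings = []
    # Firefox 28 defaults security.tls.version.min to 0 (SSL 3.0); 1 = TLS 1.0.
    if prefs.get("security.tls.version.min", 0) < 1:
        findings.append("ssl3_allowed")
    # Suites not mentioned in user.js keep their default (enabled) state.
    if not any(prefs.get(s, True) for s in suites):
        findings.append("no_cipher_suites")
    return findings
```

Running audit over a profile's user.js before shipping it to users catches the lockout the follow-up post describes while still confirming the SSL 3.0 floor was raised.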

Google simplifies CAPTCHAs down to a single click
Dec 3, 2014 2:58AM PST

Tired of solving CAPTCHAs? Google has just the thing for you.

The company has introduced the latest iteration of its reCAPTCHA tool, and in most cases, it will allow users to push on to the wanted websites by simply ticking off the box that confirms that they are not a robot.

"How can this work?" you'll ask yourself. Well, underneath the smooth surface, a new API is hard at work.

"Last year we developed an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user's entire engagement with the CAPTCHA—before, during, and after—to determine whether that user is a human," explained Vinay Shet, Product Manager at Google's reCAPTCHA

Continued: http://www.net-security.org/secworld.php?id=17714

Related:
Google No CAPTCHA Simple for Humans, Tough on Bots
Google moves beyond text puzzles with No CAPTCHA reCAPTCHA

Hacked Windows XP still updates, still a bad idea
Dec 3, 2014 2:58AM PST

"Yes, you still can trick Microsoft into giving you security updates for Windows XP. No, it's not a good idea. You are not protected."

Perhaps the most popular story I've written for ZDNet was the one explaining how you can hack the registry in Windows XP and trick Windows Update into continuing to send you security updates. The basis of it is that Microsoft has an embedded variant of Windows XP and support doesn't end on that until April 2016. The hack makes XP look like the embedded version.

I have maintained a Hyper-V VM on a Windows 8.1 system running this configuration and it does indeed continue to get updates. In fact, it gets updates even when Microsoft doesn't list it as getting updates. In November, the marquee vulnerability fixed by Microsoft was the bug in Schannel, their SSL/TLS implementation. The bulletin and knowledge base article list every supported version of Windows, but not the embedded ones. Even so, it did receive the update: [Screenshot]

So no problem, right? Keep running Windows XP, right? For reasons that Microsoft and we have explained repeatedly, Windows XP is not really securable by modern standards. It lacks features like ASLR that prevent many vulnerabilities or at least make them more difficult to exploit. ....

Continued: http://www.zdnet.com/hacked-windows-xp-still-updates-still-a-bad-idea-7000036333/

Be Wary of 'Order Confirmation' Emails
Dec 3, 2014 4:16AM PST

If you receive an email this holiday season asking you to "confirm" an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities. [Screenshot]

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it's easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25. [Screenshot]

According to Malcovery, a company that closely tracks email-based malware attacks, these phony "order confirmation" spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients' Windows PCs with the malware that powers the Asprox spam botnet.

Continued: http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/

IRS phone scammers double up their efforts for the holidays
Dec 3, 2014 8:30AM PST

"Malwarebytes Unpacked" Blog:

It might not be tax season yet but Internal Revenue Service impersonators are hard at work scamming people during this holiday season.

They are leaving threatening voice messages to victims they've cataloged in a giant database.

The purpose of this scam is to collect money from taxpayers by using a well-rehearsed script made of lies and threats.

Similar to the tech support scams, the crooks are operating from boiler rooms and making thousands of calls a day.

We went undercover and decided to follow up on a voice mail to find out what really happens. The following are excerpts from a conversation we had with a fake IRS agent.

Continued: https://blog.malwarebytes.org/fraud-scam/2014/12/irs-phone-scammers-double-up-their-efforts-for-the-holidays/

The 10 Biggest Bank Card Hacks
Dec 3, 2014 8:30AM PST

The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches.

A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot.

Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it's nabbed.

Continued: http://www.wired.com/2014/12/top-ten-card-breaches/