OAIC investigating Flight Centre customer data leak

Firm is ‘co-operating’ with inquiries.

Travel agency Flight Centre is under investigation by the country’s privacy regulator after accidentally releasing personal information of an undisclosed number of its customers to third-party suppliers.

The firm confirmed last month that “human error” was behind the data breach.

It has not said how many customers were affected, nor what personal information was disclosed, though in a letter to customers it said “passport details” were included in the leak. 

The information was mistakenly sent to a “small number of potential third party suppliers for a short period of time”, Flight Centre said last month.

The Office of the Australian Information Commissioner on Friday revealed it had opened an investigation into the leak.

“Flight Centre is cooperating with the Office of the Australian Information Commissioner’s inquiries. Once the investigation has concluded a further statement will be published,” it said.

It encouraged Flight Centre customers concerned about their privacy to contact the OAIC directly.

Flight Centre has said it acted quickly to contain the information once it became aware of the breach, and was assured by suppliers that they had not retained copies of the data.

It offered to fund a credit report for those affected as well as 12 months of identity protection and credit monitoring. It also said it would reimburse any costs up to December 31 for those who wished to change their passport.


NBN customers targeted by scammers

Beware of connection offers and phishing attempts.

Scammers impersonating NBN Co have tricked several hundred people and caused tens of thousands of dollars in losses, the Australian Competition and Consumer Commission has warned.

The ACCC said scammers were calling people and offering to connect them to the NBN for a low price.

Payment is requested through Apple iTunes gift cards, but the connections are never completed.

Criminals have also impersonated NBN Co to trick users into giving remote access to their computers, the ACCC said.

Once remote access has been granted, the scammers steal valuable personal information, install malware, and demand payment to fix supposed problems.

The watchdog also warned about NBN fraudsters asking for sensitive personal information such as name, address, Medicare and driver’s licence numbers, which they will use for identity theft and other fraud.

Older Australians in particular are being targeted.

So far, the consumer watchdog’s Scamwatch scheme has received 316 complaints this year alone about NBN scammers who have caused almost $28,000 in losses.

The ACCC advised people not to sign up to the NBN via an unsolicited phone call, and not to agree to payments requested in iTunes gift cards.

People should also never give out personal, credit card, or online account details when called out of the blue, or give unknown individuals remote access to their computers.

LinkedIn exploit left millions exposed to malware

Vulnerabilities in LinkedIn’s messaging service now patched.

Exploits in LinkedIn’s security measures potentially allowed hackers to spread malicious files across the social networking site and infect millions of user PCs, researchers have found.

The Microsoft-owned professional networking site, which boasts over 500 million users in 200 countries, allows members to chat, share CVs and send job descriptions to others in their network using a messenger service.

Multiple vulnerabilities were identified in LinkedIn’s security measures that are designed to restrict the types of files uploaded to LinkedIn’s chat windows, according to security researchers at Check Point.

Typically these measures allow only a handful of extensions, including PDFs, text documents and JPEGs. However, the researchers discovered that attackers could bypass the checks by uploading malicious files disguised with accepted extensions.

These files were then capable of spreading throughout a user’s network of contacts and infecting any PCs connecting to those accounts.

The research identified four exploits in LinkedIn’s security systems, including a filter limitation that failed to detect a malicious PowerShell script saved with a .pdf extension, which, if downloaded, would remain undetected on a user’s PC.

Google mass-culls apps after malware found in Play Store

Two years and 100 million downloads later.

More than 500 apps have been yanked from Google’s Play Store after they were found to contain a software development kit (SDK) that could download malicious plug-ins at will.

The SDK is used by developers for in-app advertising, and is made by Chinese vendor Igexin.

It has been used in hundreds of games, weather, internet radio, image editor and other apps, which have been downloaded in excess of 100 million times.

Security vendor Lookout discovered that the Igexin advertising SDK could download and execute plug-ins capable of spying on users, and alerted Google to the threat.

So far, the plug-ins found by Lookout have exfiltrated users’ phone call logs. The data captured includes call lengths and the number dialled, as well as whether the phone is idle, ringing or off the hook, Lookout said.

As the malicious download capability was not created by developers using the SDK and not activated when the app was submitted to the Play Store, the threat was not detected by Google.

Lookout said the malicious functionality was fully controlled by Igexin, which could activate it at any time and download malware from a remote server controlled by the Chinese company.

The Igexin SDK appears to have been recognised as malicious since 2015, with security vendors such as Symantec adding detection for it then.

After being notified by Lookout, Google pulled more than 500 apps that feature the Igexin advertising SDK.

Google said it has improved security in its Android 8.0 operating system, which stops hostile downloader apps from operating without permission.

Exploit vendor offers large bounties for messaging app 0days

Up to US$500,000 on the table.

Controversial exploit vendor Zerodium is willing to pay up to half a million US dollars (A$632,128) for working remote code execution and local privilege escalation security flaws in popular secure messaging apps.

The company has added Telegram, Facebook Messenger, WhatsApp, Viber, WeChat and Signal to its bounty list for zero-day vulnerabilities.

It will also pay US$500,000 for working exploits against Apple’s iMessage as well as telcos’ text and multimedia messaging services.

Apple iOS 11 remote jailbreaks or bypassing of the operating system’s restrictions against running code with elevated privileges pay even more.

Zerodium has raised its offer to US$1.5 million for such exploits, but they must be remote and require no user interaction, such as clicking on links or opening files; otherwise the bounty drops to US$1 million (A$1.26 million).

The exploit vendor also targets desktop operating systems, web browsers, and servers, as well as mobile phones from Apple, Android makers, and Blackberry.

Zerodium says it sells the exploits to governments which use them to track and capture criminals. It has denied the exploits are sold to repressive regimes. It also will not share the flaws with vendors so patches can be developed.

Petya ransomware hits global corporate earnings

Sales fall, halts drug production.

Costly cyber attacks are having a bigger impact on corporate earnings and are becoming a fact of life for companies as Oreo cookie maker Mondelez, drug maker Merck and others said that a destructive attack in the last week of the second quarter disrupted operations.

Mondelez, the world’s second-largest confectionery company, reported a 5 percent drop in quarterly sales on Wednesday, blaming shipping and invoicing delays caused by the June 27 attack of the worm, known as Petya.

Other Petya victims include Merck, which last week warned that Petya had halted production of some drugs, saying it has yet to understand the full costs associated with the attack.

The attack also slowed deliveries at FedEx Corp, disrupted port operations of shipping company Maersk and halted production lines at British consumer goods maker Reckitt Benckiser, according to accounts by those companies.

Investors should get used to hearing about cyber attacks during earnings calls, said Ian Winer, equity co-head at Wedbush Securities.

“The trend is accelerating,” Winer said. “As hackers get more sophisticated they are taking shots at major companies.”

More hackers are becoming adept at developing or finding malware to wipe data on computers, making them inoperable.

One mysterious group known as The Shadow Brokers in April dumped a trove of powerful hacking tools on the Internet, which security experts said were developed by the US National Security Agency.

Code the group released was used for spreading Petya and in the WannaCry attack in May on hospitals, businesses and governments worldwide.

Jake Dollarhide, head of Longbow Asset Management, which manages US$85 million in assets, said he expects cyber attacks to be as common as reports that a storm or oil prices hurt results.

“As stock market investors we have to accept this brand new reality in this new digital age,” Dollarhide said.

Petya is a destructive self-propagating “worm” capable of spreading quickly across computer networks, crippling computers by encrypting hard drives so that machines cannot run.

It has taken victims weeks to get factories and other critical systems back online because businesses must individually replace damaged hard drives.

Most businesses are inadequately protected from cyber attacks, said Tom Kellermann, chief executive of investment firm Strategic Cyber Ventures.

“The day of reckoning has come for shareholders,” Kellermann said.

Symantec sells TLS cert business to DigiCert

Billion-dollar deal.

Symantec has sold its troubled digital credentials business to private equity-backed firm DigiCert for US$950 million (A$1.2 billion) in cash.

The deal means Symantec’s website security and public key infrastructure subsidiaries, such as Thawte, RapidSSL, VeriSign and GeoTrust – which together hold around 14 percent of the TLS certificate issuance market – will be merged with DigiCert, a relative minnow with just 2.2 percent market share.

Symantec will hold a 30 percent stake in the merged business. The deal has been unanimously approved by the security vendor’s board, and is expected to be complete early next year.

DigiCert has been backed by private equity firm Thoma Bravo since 2015. The US-based company will grow its staff to 1000 with the acquisition of Symantec’s TLS business.

Symantec has been involved in a long-running feud with Google and other providers over its sloppy TLS certificate issuance practices.

The security vendor was accused of issuing thousands of fake certificates which could have been used to impersonate high-profile websites such as Google properties.

It resulted in Symantec-issued certificates being distrusted in Google’s Chrome, the world’s most popular web browser, from next year.

Symantec chief executive Greg Clark made no reference to the spat with Google, but said the sale of the TLS business would sharpen the security vendor’s focus on the enterprise and cloud.

“We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation,” he said in a statement.

“I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions. Symantec is deeply committed to the success of this transition for our customers.”

WannaCry hero arrested over banking malware

Hutchins accused of writing Kronos banker.

Marcus Hutchins, the security researcher credited for blunting the effect of the WannaCry ransomware attack in May this year, has been arrested in the United States.

Briton Hutchins – who goes by the name MalwareTech – and an unnamed individual were arrested in Las Vegas ahead of this week’s Black Hat and DEF CON security conferences.

A US grand jury indictment published by Motherboard states the pair face six charges related to creating, distributing and demonstrating the Kronos malware in 2014.

Hutchins is said to have written Kronos, while the unnamed defendant sold the malware on the Alphabay dark web market and Russian internet forums for an asking price of US$2000 to US$3000.

Kronos is a credentials-stealing malware that attempts to exfiltrate victims’ bank account details to the attackers that control it.

The unnamed defendant is said to have demonstrated Kronos in a YouTube video as part of his marketing effort for the malware. It was available until recently but has now been taken down by YouTube.

Another YouTube video purporting to show how to set up Kronos for a banking botnet remains available.

Hutchins rose to fame in May after he registered a domain that deactivated dissemination of WannaCry.

He was widely lauded for his quick thinking, and received a US$13,000 bug bounty for his efforts.

WannaCry ransom money on the move

Separately, the ransom collected by the WannaCry attackers has been moved out of the Bitcoin digital wallets it was being stored in.

The Actual Ransom twitter bot tweeted that three wallets had been emptied of a total of US$140,000 (A$176,200) in Bitcoin.

It’s not clear at this stage what the final destination for the WannaCry ransom is, or who is trying to cash out the payments.

Botnet builder gets almost four years in prison

Earnt millions from Linux malware.

The man who built the infrastructure for the Ebury botnet has received a 46-month prison sentence in the United States after pleading guilty to wire fraud and other computer crimes charges.

Forty-one-year-old Russian Maxim Senakh was arrested by Finnish police for his role in the Ebury botnet and extradited to the US in January this year.

The US Department of Justice said Senakh supported the Ebury campaign by creating accounts with domain registrars to develop the botnet infrastructure.

According to the US DoJ, Senakh and an associate known only as “Silver Fox”

Bail for arrested UK researcher who stopped WannaCry

Out of custody on $30,000 surety.

A judge in Las Vegas set a US$30,000 (A$37,853) bail for a British cyber security researcher accused of advertising and selling malicious code used to pilfer banking and credit card information. Marcus Hutchins, also known as MalwareTech, won’t be released until Monday United States time. His …