Following a publicized breach at the US Postal Service, that organization is discontinuing virtual private network (VPN) connections into its network, according to reports. The Postal Service took the unusual step after acknowledging, earlier this week, that a breach of their network security exposed data on 800,000 employees and 2.9 million customers. According to a statement from a USPS spokesman to the online publication Dark Reading, the virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more “robust security features can be installed.” “As a result, telecommuting has been suspended until further notice,” he said. Remote access tools including VPNs and remote desktop applications like Citrix are a frequent source of compromises of corporate networks. Most recently, compromised employee systems are believed to be the source of an attack on JP Morgan’s network. VPN software that was vulnerable to the […]
Microsoft Fixes 18 Year-Old Windows Hole Used In Attacks
At this late date, you’d like to think that all the really nasty vulnerabilities in legacy Windows systems have been identified. Wishful thinking. On Tuesday, Microsoft issued a patch for a critical, remotely exploitable vulnerability affecting Windows systems going back to Windows 95, one of 14 software fixes the company released. The vulnerability in Microsoft’s OLE (Object Linking and Embedding) code is associated with CVE-2014-6332 and is already being used in targeted attacks online. It is among the most serious discovered in recent years, exposing Windows systems to remote attacks that can bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and the Enhanced Protected Mode sandbox in the Internet Explorer browser. The vulnerability was discovered six months ago and patched, officially, on Tuesday with MS14-064, which also fixes a related OLE vulnerability, CVE-2014-6352. Microsoft has also released a stop-gap tool that customers can use in lieu of the full patch. Microsoft has also issued an […]
Discreet Malware Lures Execs At High-End Hotels
Kaspersky Lab has a fascinating write-up of malware it is calling “DarkHotel.” The information-stealing software is believed to target traveling executives. Curiously, Kaspersky says the malware may be almost a decade old and is found only on the wireless networks and business centers of select, high-end hotels. Reports about targeted attacks on traveling executives are nothing new. However, the Kaspersky report (PDF version here) may be the most detailed yet on a specific malicious software family that is devoted to hacking senior corporate executives. According to Kaspersky, the DarkHotel malicious software maintained a presence on hotel networks for years, with evidence of its operation going back as far as 2007. The malware used that persistent access to target select hotel guests, leveraging check-in/check-out and identity information on guests to limit attacks to high value targets. Targeted guests were presented with iFrame based attacks that were launched from the hotel’s website, […]
Retailers Demanding Federal Action on Data Breach
Add retailers to the chorus of voices calling for federal legislation on cyber security and data protection. In an unusual move, retail groups from across the U.S. sent a letter to Congressional leaders that urged them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others. “The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact,” the letter reads. “A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all […]
FBI Seizes Dozens of Online ‘Dark Markets’
The news yesterday was that the FBI arrested a 26-year-old San Francisco man responsible for operating Silk Road 2.0 – an anonymous, online marketplace for illicit goods. The news on Friday is that Silk Road was just the tip of the iceberg. On Friday, the FBI announced that it has seized dozens of other so-called “dark market” websites offering a range of illegal goods and services for sale on the “Tor” network. The coordinated take-downs are the “largest law enforcement action to date against criminal websites operating on the ‘Tor’ network,” the FBI said in a statement. “We shut down the original Silk Road website and now we have shut down its replacement, as well as multiple other ‘dark market’ sites allegedly offering all manner of illicit goods and services, from firearms to computer hacking,” said Manhattan U.S. Attorney Preet Bharara. The take-downs were part of a coordinated law enforcement action […]