Ed Tittel (NetworkWorld - September 24, 2014)
As “dark fiber” is to the telecommunications industry so, also, is “dark data” to many businesses and organizations. These vast pools of untapped, largely unprotected data simply sit there, doing not much of anything for the bottom line. Isaac Sacolick’s Dark Data: A Business Definition describes it as “data that is kept ‘just in case’ but hasn’t (so far) found a proper usage.” Unfortunately, where dark fiber unambiguously represents an asset just waiting to be tapped by simply lighting it up to add bandwidth and carrying capacity, even untapped and neglected, dark data can pose security risks should it fall into the wrong hands, or range outside its owner’s control. Most discussions of dark data tend to focus on its potential value and utility to an organization. Indeed, for those outfits willing to expend resources (money, tools and time) to develop and exploit the information and value locked up inside dark data, such potential is undoubtedly attractive. This also explains why many organizations are reluctant to part with dark data, even if they have no plans to put it to work on their behalf, either in the near term or further down the planning horizon.

Antone Gonsalves (NetworkWorld - September 23, 2014)
Criminals are exploiting an eBay security weakness that could result in shoppers getting redirected to a malicious webpage that tries to steal bank account information. The British Broadcasting Corp. (BBC) first reported the scam, saying it had identified more than 100 listings that sent eBay customers to official-looking pages that also asked for usernames and passwords. EBay has more than 700 million items listed on the site, so the percentage of malicious listings is small. Nevertheless, they are enough of a threat that users of the site should look carefully at the pages they are directed to, researchers say. EBay acknowledges that the site is vulnerable to so-called cross-site scripting (XSS), one of the most common types of website attacks. “Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet,” eBay spokesman Ryan Moore said in an emailed statement. “This is not a new type of vulnerability on sites such as eBay.” XSS is a method of injecting malicious code into a webpage through the fields in which users type information. Attackers will use the technique to exploit the Javascript and Flash eBay lets sellers write to make their stores more attractive to buyers. “The criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems,” Moore said. “Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code.”
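The item above describes XSS as user-typed text reaching a page as live markup, and eBay’s answer as detecting and removing listings that carry script. The following JavaScript is an added illustration, not code from the article or from eBay: it renders a constructed listing description first by raw string concatenation (the vulnerable pattern) and then through HTML escaping (the hardened pattern), and includes a small detector of the kind a listing pipeline could use as a regression check. The sample description, the function names and the detector’s regular expressions are all assumptions made for this example.

```javascript
// Added example (not from the article or eBay): rendering seller-supplied
// listing text without letting it become executable markup.

// Constructed sample: a listing description carrying a script tag and an
// inline event handler, the two shapes a listing scanner most needs to catch.
const untrustedDescription =
  'Great phone, barely used! <script>alert(1)</script>' +
  ' <img src=x onerror="alert(1)">';

// Vulnerable pattern: user text is concatenated straight into the page markup,
// so any tags it contains are parsed and run by the browser.
function renderUnsafe(description) {
  return '<div class="listing">' + description + '</div>';
}

// Hardened pattern: escape the five characters HTML treats specially before
// the text is placed inside markup. The browser then shows the tags as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(description) {
  return '<div class="listing">' + escapeHtml(description) + '</div>';
}

// Detection helper (assumed design): flag rendered HTML that still contains a
// script element or any tag with an on* attribute. Running this over listing
// output is a cheap check that the escaping step has not been bypassed.
function containsActiveMarkup(html) {
  const scriptTag = /<script\b/i;
  const handlerAttr = /<[a-z][^>]*\bon[a-z]+\s*=/i;
  return scriptTag.test(html) || handlerAttr.test(html);
}

// Usage: compare both renderings of the same untrusted input.
console.log('unsafe flagged:', containsActiveMarkup(renderUnsafe(untrustedDescription)));
console.log('safe flagged:  ', containsActiveMarkup(renderSafe(untrustedDescription)));
console.log(renderSafe(untrustedDescription));
```

Escaping at the point where text meets markup is the general fix; a scanner such as `containsActiveMarkup` is only a backstop for content that was allowed to carry markup in the first place, which is the situation the article describes for seller-written listings.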

Bruce Schneier (Schneier on Security - September 19, 2014)
Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation’s Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that’s part of CryptoPhone from the German company GSMK. And in both cases, we don’t know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals? This is the problem with building an infrastructure of surveillance: you can’t regulate who gets to use it. The FBI has been protecting Stingray like it’s an enormous secret, but it’s not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

John Zorabedian (Naked Security - September 19, 2014)
Military contractors for the US Transportation Command were breached by hackers associated with the Chinese government at least 20 times in one year, according to a report released Wednesday by the US Senate Armed Services Committee. The committee’s investigation identified gaps in cyber-incident reporting requirements at the US Transportation Command (TRANSCOM), which is responsible for moving US troops and equipment, including to and from war zones. TRANSCOM was only aware of two of the breaches, even though the FBI and US Department of Defense were aware of 11 of the 20 successful cyber attacks, revealing a lack of information sharing between agencies. The TRANSCOM contractors include US commercial airlines and shipping companies, although the Senate report did not identify which companies were breached.

Zach Miners (Network World - September 19, 2014)
The breach of Home Depot’s payment systems may have compromised 56 million payment cards as a result of malware that has since been eliminated, the company said Thursday. Attackers used unique, custom-built malware to evade detection, the company said in an update on its investigation. The malware was present between April and September of this year, the firm said in a statement. Terminals identified with malware have been taken out of service. The retailer confirmed in September that its payment systems had been breached at stores in the U.S. and Canada, though it did not provide many more details. Home Depot is using new encryption technology, provided by the vendor Voltage Security, to take raw payment card information and scramble it, the company said Thursday. The technology was rolled out to all U.S. stores this past Saturday, with a Canadian rollout expected to be completed early next year, Home Depot said.

Alastair Stevenson (V3 - September 18, 2014)
For years botnet empires have plagued businesses and governments. As noted by director of cyber security solutions of Palo Alto Networks Alex Raistrick during an interview with V3, this is because botnets have the potential to cause lasting damage to their victims and are being used by criminals in a number of ways. “As one of the most sophisticated types of modern malware, botnets are an immense cyber security concern to governments, enterprises and individuals. Financial botnets, like the Zeus botnet, have been responsible for attacks involving millions of dollars stolen directly from multiple enterprises over very short periods of time,” he said. “The Cutwail botnet (email spam botnet) can send up to 74 billion messages per day, often including malware. They are also [being] used to spread bots to recruit more computers to the botnet.” The Zeus botnet was one of the most dangerous threats facing businesses. Law enforcement across the world mounted a co-ordinated sting operation against Gameover Zeus in May that temporarily knocked its command-and-control (C&C) infrastructure offline, giving victims a window of opportunity to cleanse their systems. Despite the takedown being listed as a success, the authors of the campaign have already returned to action and begun rebuilding their botnet empire. The resilience of Zeus has led to a debate in the security community about how to combat and protect against botnet campaigns. According to Raistrick the answer lies mainly in the technology used to combat botnets. “With so much new and modified malware in the wild and determined attackers attempting to breach organisations every single day, the only effective protection is technology that can combat these attacks without prior knowledge of the malware or attacker itself,” he said.

Lisa Vaas (Naked Security - September 16, 2014)
A Canadian who calls himself the owner of a used-computer dealership in Calgary (one that apparently doesn’t have a website) says he’s sitting on a pile of data for Ernst & Young’s customers, stored on servers he bought in 2006. As of last week, Mark Morris was sort of, well, holding that data ransom, more or less, until the global consultancy ponied up for its return. He was originally thinking of a $50,000 retainer - and that’s just to begin deleting backups of the purported data, which he’s believed to have stored on various devices, not the data on the primary server. But as Network World reports, nobody’s even sure whether the breach is real or just the figment of Morris’s imagination. According to court documents, Morris claims that he found a treasure trove of business data associated with Ernst & Young’s clients, mostly left on one of two servers he picked up for $300 after Ernst & Young bought the firm he was working for as an independent contractor, Synergy Partners, in 2003.