Monthly Archives: July 2014

Former employee accesses school district information


July 31, 2014

A school district in Missouri has recently had the personal information of over 10,000 past and present staff and students breached, following the actions of a former employee.

Park Hill School District is now notifying the victims, after it was discovered a former employee downloaded files onto a personal hard drive without consent. This former staffer then proceeded to upload the files to the internet – files which contained Social Security numbers, student and staff records.


Espionage malware returns with new toolset


July 26, 2014

A variant of a highly damaging espionage malware has returned, one which attacked governments and other enterprises around the globe early last year.

Named MiniDuke, the malware previously operated through a vulnerability in Adobe Reader. Now, attackers have redeployed the advanced virus as an attachment. Used under the names CosmicDuke and TinyBaron, the malware is now being spread, according to SCMagazine, via spear phishing and imposter applications.


Report released shows rise in New York State data breaches


July 19, 2014

Data breaches are growing substantially in New York State, becoming more complex, costly and representing a dangerous threat to individuals and businesses.

Attorney General of New York State Eric T. Schneiderman issued a report on 15 July outlining changing data breaches over recent years, and the resulting risks. Over eight years of security breach data was analysed for the purposes of the report.


Security breach compromises school information


July 16, 2014

Massachusetts and Vermont students who receive reimbursements from Medicaid are the latest victims of a data breach – one which has impacted around 3,500 individuals.

Multi-State Billing Services (MSB), the company from which the breach occurred, advised parents of the students to freeze credit accounts, in order to prevent attackers from viewing stolen credit reports. The company also stated that it plans to reimburse affected individuals for the credit freezes for three years.


Businessman’s phone lines hit by hackers


July 10, 2014

A New Zealand businessman woke up to find a $26,000 phone bill on his account, with his phone provider wanting him to pay the entire sum.

Alan Bray, a Tauranga resident, doesn't make international calls, but was told the charges racked up in just two days. This was reported on 30 June by New Zealand news agency 3 News, who subsequently investigated the case further.


July 2014 Newsletter


July 09, 2014

Includes the latest from the Securus Newsroom, Partner Updates, Community Engagement, Tech Talk, Career Ops and more.

View as PDF here: https://securusglobal.createsend.com/reports/viewCampaign.aspx?d=j&c=8529664D569F40FB&ID=C09E8E4AF5539137&temp=False

You can also subscribe to our newsletter: http://www.securusglobal.com/subscribe/

 

Penetration Testing in Australia

It is always interesting to look at theoretical investment being made by companies in Australia. Based upon our experience, the assumptions made in a recent analysis by Nick Ellsmore are, in our opinion, realistic. Read the full article here: http://www.dellingadvisory.com/blog/2013/4/5/penetration-testing-market-analysis-where-is-all-the-revenue

Should you be using this as your guide to your own strategy in regard to penetration testing? Well, that depends on your own circumstances, your risk tolerance assessed against those assets and the overall potential impact to you in case of a breach (related to your risk assessment and that risk tolerance level).

Setting aside the financial aspect in terms of costs of penetration testing across the board, a key factor for consideration, based on Securus Global’s own 10+ years of experience in this market, is that 95% of web applications we test for the first time have major to critical vulnerabilities in them. If even only 50% of those applications were already in production before we tested them (with the actual figure higher), that equates to an alarming number of websites in Australia (and globally, given those statistics do not differ for our international clients) being insecure and open to compromise, if they haven’t been compromised already.

It’s clear that a great many Australian businesses do not have an effective security assurance program in place. With cyber crime on the rise and media reporting of breaches increasing exponentially, it doesn’t present a confident picture of cyber security in Australia, nor globally.

Symantec releases analysis of cyber espionage group


July 08, 2014

A cyber espionage group is targeting industrial organisations in Europe and North America, compromising strategically important organisations for the purposes of spying.

According to security research organisation Symantec, the group is known as Dragonfly, and has been attacking energy grid operators, major generation firms and even pipeline operators. Targeted areas included the US, France, Turkey and Poland.


PhishLabs outlines top 3 targets


July 04, 2014

Financial institutions, ePayment and money transfer services, and social networks have been named the top three targets of phishing kits by research organisation PhishLabs. Email services were also found to be a large target.

Throughout June, PhishLabs analysed around 9,000 phishing kits (and their variants) from a number of sources such as file sharing sites and scammer forums.


Breaking lcg_value()


July 03, 2014

By Norman Yue, Chief Technical Officer
Originally published: http://wordswithcomputers.wordpress.com/2014/07/02/breaking-lcg_value/

One of the things I do, under the guise of OWASP Sydney Chapter Lead, is run a weekly workshop – every week, a small group of people get together to work on some security topics ranging from reverse engineering to web-based wargames, followed by security chit-chat over dinner.

Recently, at one of these get-togethers, a (very smart) friend pointed me to PHP’s lcg_value function.

First looked at by samy in 2010, lcg_value is a PHP pseudo-random number generator, which generates a random 64-bit floating-point number. To cut a long story short, this function works as follows (variable names taken from samy’s lcg_state_forward.c):