MENTIS

Week of August 25, 2017

MENTIS
news

Week of August 25, 2017

Records Leaked for 25 Footballers Using Banned Substances in 2010 World Cup*:

  • The hacking group Fancy Bears has published the records of 25 football players that were awarded therapeutic use exemptions (TUEs) during the 2010 FIFA World Cup in South Africa.
  • Fancy Bears also said that it has proof that 160 players failed drug testing in 2015, including for cocaine and ecstasy.
  • The 25 players who have been compromised have done nothing wrong – TUEs are exemptions given to athletes to use banned substances in very limited situations, like to remedy a significant health problem.
  • The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field.
  • The leak echoes previous releases of stolen documents by the Russian APT group known as Fancy Bear (aka APT28).
  • In 2016 Fancy Bear released documents from the World Anti-Doping Agency (WADA), with confidential medical information.

*Source: Info Security, August 22, 2017

https://www.infosecurity-magazine.com/news/records-leaked-for-25-footballers/


Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency*:

  • Hackers have discovered that one of the most central elements of online security – the mobile phone number – is also one of the easiest to steal.
  • In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
  • Once they get control of the phone number, they can easily reset the password on every account that uses the phone number as a security backup.
  • In January 2013, there were 1,038 incidents of this type reported; by January 2016, that number had increased to 2,658.
  • A particularly concentrated wave of attacks has hit those with valuable online accounts with virtual currency.
  • Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries.
  • The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies, and virtual currency transactions are designed to be irreversible.
  • Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught quickly.
  • Security experts worry that these types of attacks will become more widespread if mobile phone operators do not make significant changes to their security procedures.
  • The hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their cell phone provider.
  • The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute two-factor authentication that is supposed to help make accounts more secure.
  • Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity.
  • One of the most widely used Bitcoin wallets, has encouraged customers to disconnect their mobile phones from their Coinbase accounts.

*Source: New York Times, August 21, 2017

https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html


Sony Social Media Accounts Hijacked as Hackers Claim to Have Stolen PSN Database*:

  • The OurMine hacking group claimed yet another corporate scalp by seizing control over the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN).
  • The group claimed in a series of tweets that it has access to the PlayStation Network’s database, and encouraged Sony to get in touch to receive advice on how to better protect their online accounts.
  • One piece of advice is that everyone should protect their social media accounts with the additional security features that are available to them.
  • Other important advice includes remembering to never reuse passwords on different accounts, and use strong passwords.
  • OurMine claims to have broken into Sony’s accounts after breaching the company’s Sprout Social management account.
  • Social media management software like Sprout Social allows a number of employees to share access to corporate Facebook and Twitter accounts.
  • Sony appears to have regained control of the hijacked accounts and erased the unauthorised posts.
  • So far, there doesn’t seem to be any evidence that a breach of the PlayStation Network’s database has occurred.

*Source: Hot For Security, August 22, 2017

https://hotforsecurity.bitdefender.com/blog/sony-social-media-accounts-hijacked-as-hackers-claims-to-have-stolen-psn-database-18783.html


Potential Data Breach of Oceanside Online Utility Payment System*:

  • The online payment system where Oceanside residents can pay their utility bills may have been breached.
  • Officials learned of the breach when several Oceanside residents alerted the City of unauthorized charges on the cards they used to pay their utility bills.
  • At least two of those people used that credit card only to pay their utility bill and no other purpose.
  • They have not confirmed the online utility bill payment system is the source of the credit card breach, but the City shut down its online payment system and began an internal assessment.
  • The City’s officials have not found evidence that anyone who made recurring credit card payments was affected.
  • Anyone who believes they were affected should check their credit card account for unauthorized charges and report charges to your card issuer; you can also report charges to the Oceanside Police Department and complete a crime report.

*Source: San Diego, August 22, 2017

http://www.nbcsandiego.com/news/local/Potential-Data-Breach-of-Oceanside-Online-Utility-Payment-System-441457273.html


DE Data Breach Notification Law Includes Medical Information*:

  • Delaware Governor John Carney signed a bill to update the state’s data breach notification requirements.
  • As part of extending cybersecurity protections, the law accounts for medical information being compromised in data breaches.
  • The bill requires that “any person who conducts business in Delaware and maintains personal information must safeguard that information.”
  • A security breach also now includes unauthorized access, use, modification, or disclosure of personal information.
  • Personal information includes a state resident’s first name or first initial and last name in combination with one or more of the following: Social Security number, driver’s license number, accounts number, credit or debit card number, passport number, and others (see link below).
  • A health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer for identification must also be protected.
  • The Delaware Attorney General must also be notified if the breach affects more than 500 individuals.
  • State residents must also be offered identity theft protection services if Social Security numbers were included in the information that was breached.
  • Click on the below link to view the full list of items included in the definition of personal information.

*Source: HealthIT Security, August 22, 2017

https://healthitsecurity.com/news/de-data-breach-notification-law-includes-medical-information


Identity Theft at Epidemic Levels, Warns Cifas*:

  • Identity theft is reaching “epidemic levels”, according to a UK fraud prevention group, with people in their 30s the most targeted group.
  • ID fraudsters obtain personal information before pretending to be that individual and apply for loans or store cards in their name.
  • A total of 89,000 cases were recorded in the first six months of the year by UK anti-fraud organisation Cifas.
  • These frauds are taking place almost exclusively online; the vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.
  • Fraudsters steal identities by gathering information such as their name and address, date of birth and bank account details.
  • They get hold of the information by stealing mail, hacking computers, trawling social media, tricking people into giving details, or buying data on the dark web.
  • Victims are more likely to be in their 30s and 40s, often because a good deal of information about them has been gathered online.
  • The age group which has seen the biggest rise is 21 to 30-year-olds and this finding was mirrored in separate research by credit checking company Experian.
  • You can protect yourself from identity crimes by:
    • Limiting the amount of personal information available on social networking sites
    • Updating your computer’s firewall and anti-virus programs
    • Not sharing passwords or PINs
    • Using strong passwords and PINs
    • Not re-using passwords for multiple accounts
    • Shredding your financial documents before throwing them away

*Source: BBC, August 23, 2017

http://www.bbc.com/news/business-41011464

Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

Image CAPTCHA
scroll top