AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products

The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.

If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).
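The condition described above has two parts: a mapping that is readable, writable and executable at once, and an address for it that does not change between runs. Both are easy to check from a memory-map snapshot. The following Python is an added illustration, not code from the article or from any vendor named in it; it uses the Linux /proc/<pid>/maps text format because it is simple to parse (the same two checks apply to region listings on Windows), and the two snapshots, the program path /opt/vendor/avscan and all addresses are constructed sample data.

```python
import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def is_rwx(self) -> bool:
        # The first three permission bits are r, w, x; the fourth is p/s (private/shared).
        return self.perms[:3] == "rwx"


def parse_maps(text: str) -> list:
    """Parse a /proc/<pid>/maps style snapshot into Mapping objects, skipping junk lines."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                    m["perms"], m["path"].strip()))
    return mappings


def rwx_regions(mappings: list) -> list:
    """Every mapping that is simultaneously readable, writable and executable."""
    return [m for m in mappings if m.is_rwx]


def fixed_rwx_regions(snapshot_a: list, snapshot_b: list) -> list:
    """RWX mappings that occupy the same (start, end) in two independent snapshots,
    e.g. two separate launches of the same program. Heap, stack and mmap'd regions
    move under ASLR, so an RWX region that does not move is the predictable,
    non-randomised condition the article describes."""
    a = {(m.start, m.end) for m in rwx_regions(snapshot_a)}
    b = {(m.start, m.end) for m in rwx_regions(snapshot_b)}
    return sorted(a & b)


# Constructed sample snapshots of the same (hypothetical) program across two launches.
RUN_1 = """\
00400000-00452000 r-xp 00000000 08:01 1234    /opt/vendor/avscan
10000000-10100000 rwxp 00000000 00:00 0
7f3a1d000000-7f3a1d100000 rw-p 00000000 00:00 0    [heap]
7f3a1e200000-7f3a1e211000 rwxp 00000000 00:00 0
7ffd2e8c0000-7ffd2e8e1000 rw-p 00000000 00:00 0    [stack]
"""
RUN_2 = """\
00400000-00452000 r-xp 00000000 08:01 1234    /opt/vendor/avscan
10000000-10100000 rwxp 00000000 00:00 0
7f91a3000000-7f91a3100000 rw-p 00000000 00:00 0    [heap]
7f91a4500000-7f91a4511000 rwxp 00000000 00:00 0
7ffc51a00000-7ffc51a21000 rw-p 00000000 00:00 0    [stack]
"""

if __name__ == "__main__":
    for name, snap in (("run 1", RUN_1), ("run 2", RUN_2)):
        for m in rwx_regions(parse_maps(snap)):
            print(f"{name}: RWX mapping {m.start:#x}-{m.end:#x} {m.path or '(anonymous)'}")
    for start, end in fixed_rwx_regions(parse_maps(RUN_1), parse_maps(RUN_2)):
        print(f"NOT RANDOMISED: RWX region at {start:#x}-{end:#x} in both runs")
```

In the constructed data each run has two RWX mappings; the one at 0x10000000 is at the same address in both runs and is the finding worth raising, while the high anonymous one moves with ASLR and is only the lesser RWX issue. A single RWX mapping is a code-quality warning; an RWX mapping that never moves is the vulnerability class the article is about.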

Source: AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products

77,000 Valve accounts get hacked per month

We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.

Source: News – Security and Trading

Hilton hotels hit by cyber attack

US hotel chain Hilton revealed Tuesday that hackers infected some of its point-of-sale computer systems with malware crafted to steal credit card information.

Hilton would not disclose whether data was taken, but advised anyone who used payment cards at Hilton Worldwide hotels between November 18 and December 5 of last year or April 21 and July 27 of this year to watch for irregular activity on credit or debit card accounts.

Malicious code that infected registers at hotels had the potential to take cardholders’ names along with card numbers, security codes and expiration dates, Hilton said in an online post.

Source: Hilton hotels hit by cyber attack

samyk/magspoof · GitHub

- Allows you to store all of your credit cards and magstripes in one device
- Works on traditional magstripe readers wirelessly (no NFC/RFID required)
- Can disable Chip-and-PIN (code not included)
- Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
- Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
- Easy to build using Arduino or other common parts

MagSpoof is a device that can spoof/emulate any

Source: samyk/magspoof · GitHub

U.S. charges three for JPMorgan and other hacks, 10s of millions of customer records stolen, 100s of millions profit

U.S. prosecutors on Tuesday unveiled criminal charges against three men accused of running a sprawling computer hacking and fraud scheme that included a huge attack against JPMorgan Chase & Co and generated hundreds of millions of dollars of illegal profit.

Source: U.S. charges three in huge cyberfraud targeting JPMorgan, others

Mimic, the Evil Script That Will Drive Programmers To Insanity

Mimic implements a devilishly sick idea floated on Twitter by Peter Ritchie: “Replace a semicolon (;) with a Greek question mark (;) in your friend’s C# code and watch them pull their hair out over the syntax error.” There are quite a few characters in the Unicode character set that look, to some extent or another, like others – homoglyphs. Mimic substitutes common ASCII characters for obscure homoglyphs. Caution: using this script may get you fired and/or beaten to a pulp.
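The defensive counterpart to Mimic is a linter that finds non-ASCII characters in source text and names the ASCII character each one imitates. The following Python is an added example, not code from Mimic or from the Slashdot post: the confusables table is a small constructed subset (Unicode's confusables.txt is the authoritative list), with NFKC normalisation as a fallback for compatibility characters such as fullwidth punctuation, and the sample source line is constructed.

```python
import unicodedata

# Small constructed table of common homoglyphs -> the ASCII character they imitate.
# Not exhaustive: Unicode's confusables.txt is the authoritative list.
CONFUSABLES = {
    "\u037e": ";",                                 # GREEK QUESTION MARK, the Mimic favourite
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic lookalikes of Latin letters
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u00a0": " ",                                 # NO-BREAK SPACE
    "\u2010": "-", "\u2011": "-",                  # hyphen variants
    "\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'",
}


def ascii_lookalike(ch: str):
    """Return the ASCII character `ch` imitates, or None if there is no suggestion."""
    if ch in CONFUSABLES:
        return CONFUSABLES[ch]
    # Compatibility characters (fullwidth forms, ligatures) fold to ASCII under NFKC.
    folded = unicodedata.normalize("NFKC", ch)
    if folded != ch and folded.isascii():
        return folded
    return None


def find_homoglyphs(source: str) -> list:
    """Report every non-ASCII character with its position, code point, name and suggestion."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) < 128:
                continue
            findings.append({
                "line": lineno,
                "col": col,
                "char": ch,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "suggest": ascii_lookalike(ch),
            })
    return findings


def restore_ascii(source: str) -> str:
    """Replace every recognised homoglyph with the ASCII character it imitates."""
    out = []
    for ch in source:
        rep = ascii_lookalike(ch) if ord(ch) >= 128 else None
        out.append(rep if rep is not None else ch)
    return "".join(out)


# Constructed sample: a Greek question mark after "1" and a Cyrillic "a" in "name".
SAMPLE = 'int x = 1\u037e\nvar n\u0430me = "ok";\n'

if __name__ == "__main__":
    for f in find_homoglyphs(SAMPLE):
        print(f"{f['line']}:{f['col']} {f['codepoint']} {f['name']} -> {f['suggest']!r}")
    print(restore_ascii(SAMPLE))
```

Run as a pre-commit hook or CI step it turns Mimic's "syntax error that looks correct" into a one-line report naming the offending code point, which is the only thing a reader cannot do by eye. Characters without a suggestion (accented letters in comments, for instance) are still reported so the reviewer can decide whether they belong.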

Source: Mimic, the Evil Script That Will Drive Programmers To Insanity – Slashdot

Tattling Kettles Help Researchers Crack WiFi Networks In London

Security researchers at Pen Test Partners have found a security vulnerability in the iKettle Wi-Fi Electric Kettle that allows attackers to crack the password of the WiFi network to which the kettle is connected. Researchers say that using this simple trick and information about iKettles, they drove around London, cracked home WiFi networks, and created a map of insecure WiFi networks across the city. The same researchers cracked a Samsung smart-fridge this summer to disclose Gmail passwords. If you have 6 minutes, there’s a YouTube video you can watch.

Source: Tattling Kettles Help Researchers Crack WiFi Networks In London – Slashdot

Jackpot: New hacking group steals 150,000 credit cards from casino

Flat, firewall-free network was a walk in the park, boffins say. […] They say the casino lacked even basic firewalls around its payment platforms and did not have logging.

“It was a very flat network, single domain, with very limited access controls for access to payment systems,” Emmanuel Jean-Georges told the Cyber Defence Summit (formerly Mircon) in Washington DC today.

“Had this casino hotel operator had even minimal or basic protections in place like a firewall with default deny systems to limit access to PCI (payment) systems … it would have slowed down the attackers and hopefully set off red flags.”

Source: Jackpot: New hacking group steals 150,000 credit cards from casino

Dow Jones hacked for 3 years, 3,500 of 1%ers data taken

“It appears that the focus was to obtain contact information such as names, addresses, email addresses and phone numbers of current and former subscribers in order to send fraudulent solicitations.” […] “As part of the investigation to date, we also determined that payment card and contact information for fewer than 3,500 individuals could have been accessed, although we have discovered no direct evidence that information was stolen,” the letter says. Those individuals are being contacted directly by Dow.

And if you believe that these details weren’t taken while they were in plain view (as well as their encrypted passwords) you’ll believe anything. I have a great deal on used camels for you.

Source: Dow Jones the latest big-name breach

5.6m, not 1.1m fingerprint images of US government security-cleared people stolen

WASHINGTON — The number of people applying for or receiving security clearances whose fingerprint images were stolen in one of the worst U.S. government data breaches is now believed to be 5.6 million, not 1.1 million as first thought, the Office of Personnel Management announced Wednesday.

The agency was the victim of what the U.S. believes was a Chinese espionage operation that affected an estimated 21.5 million current and former federal employees or job applicants. The theft could give Chinese intelligence a huge leg up in recruiting informants inside the U.S. government, experts believe. It also could help the Chinese identify U.S. spies abroad, according to American officials.

Source: Military.com

Cheap thermal imagers can steal user PINs

A British infosec company has found that cheap thermal imaging accessories for smartphones can be used to glean personal identification numbers entered on push-button security devices on bank ATMs.

Thermal imaging devices used to be bulky and expensive, but Sec-Tec told iTnews they can now be bought cheaply as compact iPhone accessories – for instance, the FLIR One, which retails for US$249 (A$340).

The company tested several PIN pads in ATMs, locks and safes with the thermal imagers and found they could “leak” the digits entered by legitimate users for longer than a minute after use.

Source: Cheap thermal imagers can steal user PINs

Behavioral Profiling: The password you can’t change. Your identity through how you type

You can be identified by how you type, even behind proxies and Tor. Protect yourself with KeyboardPrivacy.

Source: Behavioral Profiling: The password you can’t change.

Some websites are storing your typing patterns and it turns out that after some training, systems can identify who is in a system by the way in which passwords are typed. You can then be identified on other websites using the same underlying system. Paul Moore has created a proof-of-concept Chrome extension which changes the output of your typing to the website by randomising the rate at which the browser sends it to the website.
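A small Python model of the mechanism described above, added here as an illustration and not taken from KeyboardPrivacy or from any site's profiling code: a typing profile is the sequence of flight times (milliseconds between successive key presses) for a known string, a fresh sample is accepted when its mean deviation from the enrolled profile is small, and a rate-randomising extension defeats this by delivering the same keys in the same order at intervals drawn from a random source instead of the user's real cadence. The enrolled profile, the sample timings and the threshold are constructed values, and the randomiser is a simplified model of what such an extension does.

```python
import random


def make_events(text: str, flights: list, start_ms: int = 0) -> list:
    """Build (key, press_time_ms) events from a string and its per-digraph flight times."""
    if len(flights) != len(text) - 1:
        raise ValueError("need exactly one flight time per digraph")
    t = start_ms
    events = [(text[0], t)]
    for key, gap in zip(text[1:], flights):
        t += gap
        events.append((key, t))
    return events


def flight_times(events: list) -> list:
    """Flight time of each digraph: ms between one key press and the next."""
    return [t2 - t1 for (_, t1), (_, t2) in zip(events, events[1:])]


def profile_distance(sample: list, profile: list) -> float:
    """Mean absolute deviation of a sample's flight times from the enrolled profile."""
    if len(sample) != len(profile):
        raise ValueError("sample and profile must cover the same digraphs")
    return sum(abs(s - p) for s, p in zip(sample, profile)) / len(profile)


def matches_profile(events: list, profile: list, threshold_ms: float = 40.0) -> bool:
    """The site-side decision: does this typing sample look like the enrolled user?"""
    return profile_distance(flight_times(events), profile) <= threshold_ms


def randomise_rate(events: list, draw, lo_ms: float = 50.0, hi_ms: float = 400.0) -> list:
    """Model of a rate-randomising extension: keys are delivered in the original order,
    but every interval comes from draw(lo_ms, hi_ms), so the delivered timing carries no
    information about the user's real cadence. `draw` is injected so the behaviour can be
    reproduced; in practice it is a cryptographically or at least well-seeded RNG."""
    if not events:
        return []
    out = [events[0]]
    for key, _ in events[1:]:
        out.append((key, out[-1][1] + draw(lo_ms, hi_ms)))
    return out


# Constructed data: enrolled flight times for the 7 digraphs of "password", in ms,
# and a genuine re-typing by the same user that wobbles by a few ms per digraph.
ENROLLED_PROFILE = [120, 95, 140, 80, 110, 130, 90]
GENUINE_FLIGHTS = [123, 91, 145, 78, 114, 125, 92]

if __name__ == "__main__":
    genuine = make_events("password", GENUINE_FLIGHTS)
    print("genuine sample distance:", round(profile_distance(flight_times(genuine), ENROLLED_PROFILE), 2),
          "match:", matches_profile(genuine, ENROLLED_PROFILE))
    scrambled = randomise_rate(genuine, random.Random().uniform)
    print("randomised sample distance:", round(profile_distance(flight_times(scrambled), ENROLLED_PROFILE), 2),
          "match:", matches_profile(scrambled, ENROLLED_PROFILE))
```

The genuine sample deviates by under 4 ms per digraph and is accepted; the rate-randomised delivery of the very same password deviates by well over 100 ms and is rejected, which is the point of the extension: the password still arrives intact, but the timing side channel no longer identifies the person typing it.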

Hackers invade systems holding medical files on 4.5 million California patients

UCLA Health hospitals say hackers may have accessed personal information and medical records on 4.5 million patients. The California medical group admitted today that miscreants infiltrated its computer systems as long ago as September. It is possible the intruders accessed databases holding patient names, addresses, dates of birth, social security numbers, medical records, health plan numbers, details of medical conditions, lists of medications, and medical test results.

Source: Hackers invade systems holding medical files on 4.5 million Cali patients • The Register

Aren’t centralised databases great? A one stop shop for all your customer records!

AFC Kredieten loan application data hacked, company responds: Meh, not our customers

A spokeswoman for AFC Kredieten, when asked if customers whose data had been stolen had been informed, replied: “They are not our customers. They are applicants, we had not necessarily organised a loan for them yet. AFC Credits is the victim here. What that group did is illegal and writing about it would be against the law.”

Source: Loan application data hacked, company responds: Meh, not our customers • The Register

Wow! How to not handle this! They collected the data on their website, so that makes them responsible for the data.

ProxyGambit – anonymise your internet traffic via GSM or Radio links

ProxyGambit is a simple anonymization device that allows you to access the Internet from anywhere in the world without revealing your true location or IP, fracturing your traffic from the Internet/IP through either a long distance radio link or a reverse tunneled GSM bridge that ultimately drops back onto the Internet and exits through a wireless network you’re nowhere near.

While a point to point link is supported, the reverse GSM-to-TCP bridge allows you to proxy from thousands of miles away with nothing other than a computer and Internet with no direct link back to your originating machine.

US personnel files and intelligence agents copied – multiple disclosures, could be 18 million records out

And let the shouting begin about whose fault it was.

‘Most devastating cyber attack in US history’

Source: As the US realises it’s been PWNED, when will OPM heads roll? • The Register

“Incidentally, the stolen OPM database was reportedly being offered on Hell, an onion site hosting an e-crime forum, according to Brian Krebs. However, the database being flogged actually originated from a different, undisclosed, data breach of Unicor.gov, also known as Federal Prison Industries.”

Chances are that everyone now knows how to infiltrate the US government as SF-86 government clearance forms were copied as well:

“Likely included in the hackers’ haul: information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity.”

Extortion bonanza: OPM hack exposed “intimate details” of cleared personnel

The best analysis I have found of the hack so far is on Ars Technica, Why the “biggest government hack ever” got past the feds

The way the OPM is handling this is extremely poor, with them admitting first to a breach of 4m records, then the FBI publicly telling them it’s 18m. There’s even a 32m record breach being reported somewhere.