Security News Digest
September 9, 2014
Home Depot Says Canadians Could Be Affected By Security Breach
http://www.cbc.ca/news/business/home-depot-says-canadians-could-be-affected-by-security-breach-1.2759859
Home Depot has confirmed its payment data systems, including those at its Canadian stores, have been
breached. In a statement late Monday, the do-it-yourself retailer said customers who used credit or debit
cards at stores in Canada and the U.S. could be affected by the breach. It was the first confirmation of a
suspected breach reported last week. Home Depot says there is no evidence that PIN numbers were
snatched. Home Depot is offering free identity protection, including credit monitoring to any customer
who used a card at a Home Depot store from April 2014 on.
Home Depot Breach Linked to Target's?
http://www.databreachtoday.com/home-depot-breach-linked-to-targets-a-7293
Now that Home Depot has confirmed its payment data systems were breached, industry experts weigh
the possibility that the same point-of-sale malware may have hit the home-improvement giant as well as
Target Corp., Sally Beauty, P.F. Chang's and other recently breached retailers. Although they stop short
of confirming that the Home Depot, Target and other breaches are definitively tied to BlackPOS, other
industry sources acknowledge that the malware continues to evolve. And they say BlackPOS has likely
compromised numerous U.S. retailers, many of which have not yet confirmed or even discovered a card
data compromise.
B.C. Government Set To Review Controversial Privacy Law
http://metronews.ca/news/vancouver/1147499/b-c-government-set-to-review-controversial-privacy-law/
The privacy of B.C.’s residents lies in the balance with an upcoming review of one of the province’s most
controversial laws. Until Sept. 19, B.C. residents have an opportunity to voice any concerns over the
provincial Personal Information Privacy Act (PIPA), which has been criticized for overstepping the
boundary when it comes to the privacy rights of citizens. The key concerns with PIPA include how
personal information is handed over to government authorities and other organizations without a warrant
or consent, and citizens aren’t notified when their information has been given up.
Barclays Brings Finger-Vein Biometrics To Internet Banking
http://arstechnica.com/security/2014/09/barclays-brings-finger-vein-biometrics-to-internet-banking/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
Barclays has announced the arrival of personal biometric scanners to keep your Internet banking
security firmly under your thumb. Gone are the days of fumbling with desktop card readers, phone
authentication, and PIN codes as a finger scanner will be available to wealthy corporate banking clients
from 2015, and the rest of us surely soon after. The device, developed with Hitachi's Finger Vein
Authentication Technology (VeinID), will read the subdermal patterns of the client's finger vasculature in
order to combat identity fraud. Vein pattern recognition holds several advantages over fingerprint
scanning, including reliability and speed, with the authentication taking only two seconds. Each unit
houses a near-infrared (NIR) LED and monochrome CCD camera sensor, so as the red pigment in blood
(hemoglobin) absorbs NIR light, veins appear as dark lines on the resulting image. This pattern is
cryptographically stored on the SIM-card sent out by Barclays and used to authenticate the user on their
next login, with no biometric details stored on a central database.
Microchip Implant Ahead Of iPhone 6 Release
http://www.smh.com.au/technology/sci-tech/microchip-implant-ahead-of-iphone-6-release-20140906-10cx9c.html
With a wave of his left hand, Ben Slater can open his front door, turn on the lights and will soon be able to
start his car. Without even a touch he can link to databases containing limitless information, including
personal details such as names, addresses and health records. The digital advertising director has joined
a small number of Australians who have inserted microchips into their skin to be at the cutting edge of the
next stage of the evolution of technology.
Warning As Hackers Target Apple's iCloud
http://www.bbc.com/news/technology-29124991
Cyber-thieves are exploiting the furore around iCloud by launching a phishing campaign that seeks to
steal Apple IDs. The criminal gang behind the phishing email messages runs the Kelihos/Waledac
botnet, said Symantec in a blog post about the cyber-attack. A botnet is a large network of compromised
computers used for a wide variety of cybercrimes, including sending out spam or mining victims'
machines for saleable data. The phishing campaign revolves around an email which appears to be from
Apple and which claims that a song has been bought on iTunes via a person's Apple account. The
message said the purchase was made from a device not previously used by that account and that the
internet address used by whoever bought the track is in Volgograd, Russia.
Naked Celeb Hack Lesson: 'Delete' Doesn't Mean Delete
http://money.cnn.com/2014/09/02/technology/security/cloud-delete/index.html
The naked photo you took on your phone - and deleted - is still around, somewhere. That's the reality
today because of how modern phones, tablets and laptops save your data. By default, photos and
documents don't reside on your device alone. They're routinely "backed up to the cloud." That means
they're quietly copied onto a company's computer servers. Your embarrassing selfie lives on half a dozen
machines in North America and Europe. This is why you can easily access the same photos on your
phone, personal laptop and work computer. But it also means the data isn't in your hands anymore.
Cloud services like Apple's iCloud, Google Drive and Microsoft's OneDrive operate this way. That means
your iPhone takes all your stuff and automatically places it on Apple servers. Your Android keeps your
photos at a Google data center. Microsoft does it for Windows Phone and laptops. But it doesn't end
there. Companies strike deals to manage the flood of data. So your private documents actually end up in
computer servers at companies you never had contact with: Cisco, IBM, Verizon and others all over the
world. The lesson: Unless you take careful steps, your files no longer begin and end with the device on
which you created them. If you delete a file from your phone, it lives on in the cloud. And even if you log
into that cloud service and delete it there too, the disturbing truth is that company probably already copied
your files to another server you can't access. In that case it would be hard for hackers to get them too -
but they're still out there.
Apple Will Tighten Security On iCloud, CEO Tim Cook Says
http://www.vancouversun.com/technology/personal-tech/Apple+planning+more+security+measures+after/10177793/story.html
Apple is planning to add more security measures to help protect its users following a celebrity photo
hacking incident. CEO Tim Cook told The Wall Street Journal that Apple Inc. will use email and push
notifications to let users know when someone tries to restore iCloud data on a new device, change an
account password or attempts an initial log on to an account with a new device. Previously there were no
notifications for restoring iCloud data, but users did receive an email when someone tried to change a
password or log in for the first time from a new device. Apple expects to start sending notifications in two
weeks. The iPhone maker said the new security being implemented will allow users to change
passwords to reclaim control of an account or notify Apple's security team about a potential problem.
For Sale Soon: The World’s First Google Glass Detector
http://www.wired.com/2014/09/for-sale-soon-the-worlds-first-google-glass-detector/
Earlier this summer, Berlin-based artist and coder Julian Oliver released Glasshole.sh, a simple and free
piece of software designed to detect Google Glass and boot it from any local Wi-Fi network. Later this
month, Oliver says he’ll start taking pre-orders for Cyborg Unplug, a gadget no bigger than a laptop
charger that plugs into a wall and patrols the local Wi-Fi network for connected Google Glass devices,
along with other potential surveillance gadgets like Google Dropcams, Wi-Fi-enabled drone copters, and
certain wireless microphones. When it detects one of those devices, it can be programmed to flash an
alert with an LED light, play a sound through connected speakers, and even ping the Cyborg Unplug
owner’s smartphone through an Android app, as well as silently booting those potential spy devices from
the network.
Bitcoin Creator Satoshi Nakamoto Targeted By Email Hack
http://www.theguardian.com/technology/2014/sep/09/bitcoin-creator-satoshi-nakamoto-email-hack
Bitcoin creator Satoshi Nakamoto appears to have received a hacking attack against at least some of his
online accounts, with the hacker offering to sell the anonymous developer’s personal information for
25BTC, or around £7,000 ($11,000). A post on anonymous text sharing site Pastebin offered to provide
the documents, which potentially include information about the famously secretive developer’s real
identity, if 25BTC was sent to a particular bitcoin address. No time limit was given, but as of Tuesday the
address has received just 1.5BTC.
Verizon to Pay $7.4M to Settle Privacy Investigation
http://www.fcc.gov/document/verizon-pay-74m-settle-privacy-investigation-0
The US Federal Communications Commission’s Enforcement Bureau has reached a $7.4 million
settlement with Verizon to resolve an investigation into the company’s use of personal consumer
information for marketing purposes. The Enforcement Bureau’s investigation uncovered that Verizon
failed to notify approximately two million new customers, on their first invoices or in welcome letters, of
their privacy rights, including how to opt out from having their personal information used in marketing
campaigns, before the company accessed their personal information to market services to them. In
addition to the $7.4 million payment, Verizon has agreed to notify customers of their opt-out rights on
every bill for the next three years.
Obamacare Site Hacked but Nothing Taken, HHS Says
http://money.cnn.com/2014/09/04/technology/security/obamacare-hacked/index.html
Hackers silently infected a Healthcare.gov computer server this summer. But the malware didn't manage
to steal anyone's data, federal officials say. On Thursday, the Health and Human Services Department,
which manages the Obamacare website, explained what happened. "Our review indicates that the server
did not contain consumer personal information; data was not transmitted outside the agency, and the
website was not specifically targeted," HHS spokesman Kevin Griffis said. It all happened because of a
series of mistakes. A computer server that routinely tests portions of the website wasn't properly set up.
It was never supposed to be connected to the Internet - but someone had accidentally connected it
anyway. That left it open to attack, and on July 8, malware slipped past the Obamacare security system,
officials said. As health department officials describe it, the malware was run-of-the-mill, low-level hacker
stuff. It wasn't even designed to steal patient data. It was actually malware meant to turn the computer
server into a zombie machine, part of a robot network, or botnet, to spew out spam or computer viruses
to the rest of us. But federal officials said the malware didn't do any damage. It just lay there dormant,
quiet and dumb.
The Security News Digest (SND) is a collection of articles published by others that have been compiled by the Information Security Branch (ISB) from
various sources. The intention of the SND is simply to make its recipients aware of recent articles pertaining to information security in order to increase
their knowledge of information security issues. The views and opinions displayed in these articles are strictly those of the articles’ writers and editors
and are not intended to reflect the views or opinions of the ISB. Readers are expected to conduct their own assessment on the validity and objectivity
of each article and to apply their own judgment when using or referring to this information. The ISB is not responsible for the manner in which the
information presented is used or interpreted by its recipients.
For previous issues of Security News Digest, visit the current month archive page at:
http://www.cio.gov.bc.ca/cio/informationsecurity/securitynewsdigest/securitynews_digest.page
To learn more about information security issues and best practices, visit us at:
Information Security Branch – Office of the Chief Information Officer,
Ministry of Technology, Innovation and Citizens’ Services
4000 Seymour Place, Victoria, BC V8X 4S8
http://www.cio.gov.bc.ca/cio/informationsecurity/index.page
CITZCIOSecurity@gov.bc.ca
The information presented or referred to in SND is owned by third parties and protected by copyright law, as well as any terms of use associated with
the sites on which the information is provided. The recipient is responsible for making itself aware of and abiding by all applicable laws, policies and
agreements associated with this information.
We attempt to provide accurate Internet links to the information sources referenced. We are not responsible for broken or inaccurate Internet links to
sites owned or operated by third parties, nor for the content, accuracy, performance or availability of any such third-party sites or any information
contained on them.