Malware steals Gmail password, online banking data

August 22, 2014 – 9:38 PM

University researchers have built an Android app that secretly snatches valuable personal data from other mobile apps, such as webmail, shopping and online banking.

The app, demonstrated Friday at the USENIX Security Conference in San Diego, stole login credentials from Google Gmail, a social security number from an H&R Block app, a credit card number from a NewEgg app and a bank-check image from a Chase Bank app.

The attack developed by researchers from the University of Michigan and the University of California, Riverside, did not exploit a flaw in any of the apps.

Instead, the researchers took advantage of the operating system’s graphical user interface (GUI) design. While the malicious app was demonstrated on Android, it could theoretically work on iOS, Mac OS X and Windows, which use the same GUI design.

Because the weakness is a design problem, there is no easy fix, Zhiyun Qian, a co-author of the research, said. The GUI portion of the OS would have to be redesigned, which would cause compatibility problems for apps already in the market.

Source:
http://www.csoonline.com/article/2597982/data-protection/researchers-malware-steals-gmail-password-online-banking-data.html

UPS – 51 retail stores breached by malware

August 20, 2014 – 8:32 PM

The UPS Store, Inc. recently received a government bulletin regarding a broad-based malware intrusion targeting retailers in the United States. The UPS Store takes seriously its responsibility to protect customer information and immediately launched an internal review, implemented system enhancements and engaged an IT security firm.

An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States. Based on the current assessment, the earliest evidence of the presence of this malware at any location is January 20, 2014. For most The UPS Store locations, based on our current assessment, the period of exposure to this malware began after March 26, 2014. This malware was eliminated as of August 11, 2014 and customers can shop securely at The UPS Store.

We apologize for any inconvenience and impact this incident may have had on our customers. The UPS Store is offering identity protection and credit monitoring services to impacted customers.  In order to take advantage of this service, please visit https://theupsstore.allclearid.com.  In addition, customers are encouraged to closely monitor their card account activity and take other steps to help protect themselves outlined in the customer letter below.  The UPS Store representatives are available at 1-855-731-6016 for additional assistance.

The impacted center locations, along with the timeframe for potential exposure to this malware at each location, follows this statement.

Source:
http://www.theupsstore.com/security/Pages/default.aspx

Successful strategies to avoid frequent password changes

August 19, 2014 – 5:50 AM

1.2 billion passwords reportedly stolen by Russian hackers. Before that it was Heartbleed.

After a widespread, nonspecific data breach, the conventional wisdom is that people should change all their passwords. But, there’s a better way. With the right password management habits, you won’t need to change all your passwords every time you hear about an online attack.

Changing all one’s passwords won’t hurt, but it is cumbersome. Not only that, it’s a Band-Aid fix that stops short of offering a stronger and more long-term solution, says Sean Sullivan, Security Advisor at F-Secure Labs. Data breaches are the new reality, and it’s no longer a question of if it happens to you, but when. Sullivan says rather than being told to change all their passwords, consumers need practical advice worth following. So when the next breach is disclosed, they will be in control and will only need to change those passwords they know are affected.

“The dirty little secret of security experts is that when there’s a data breach and they recommend to ‘change all your passwords,’ even they don’t follow their own advice, because they don’t need to,” says Sullivan. “Unless I find out about a breach with a specific account, I don’t worry about my passwords. That’s because I use a tool to remember my passwords for me, and a few simple techniques that help to manage my accounts so as to minimize the risk.”

Source:
http://www.net-security.org/secworld.php?id=17270

4.5 Million Patient IDs Compromised in Hospital Hack

August 19, 2014 – 4:55 AM

One of the country’s biggest hospital operators, Community Health Systems, on Monday announced that its computer network was the “target of an external, criminal cyber attack” which saw the compromise of patient identification data for “approximately 4.5 million individuals.”

The attacker or attackers are believed to have originated in China, according to Community Health Systems and its IT security contractor, Mandiant.

Community Health Systems, which operates more than 200 hospitals in the United States, revealed the breach in a Form 8-K filing with the U.S. Securities and Exchange Commission.

The hack of the computer network occurred in July, the publicly traded company said. Data stolen in the breach “did not include patient credit card, medical, or clinical information,” Community Health Systems said, but did include “patient names, addresses, birthdates, telephone numbers, and social security numbers,” which are protected under the Health Insurance Portability and Accountability Act (HIPAA).

Community Health Systems said Mandiant, serving as the company’s forensic expert for the breach, believed “the attacker was an ‘Advanced Persistent Threat’ group originating from China who used highly sophisticated malware and technology to attack the company’s systems.”

Source:
http://www.pcmag.com/article2/0,2817,2463242,00.asp?kc=PCRSS03069TX1K0001121

Yes, Google Maps is tracking you. Here’s how to stop it

August 17, 2014 – 5:51 PM

Google is probably logging your location, step by step, via Google Maps.

Want to see what kind of data it has on you? Check out Google’s own location history map, which lets you see the path you’ve traced for any given day that your smartphone has been running Google Maps.

In the screenshot above, it shows some of my peregrinations around Paris in June of this year.

This location history page has actually been available for several years, since Google first rolled it out as part of Latitude, its now-defunct location-sharing app. Cnet noticed it in December, 2013, TechCrunch picked it up a few days later, and now Junkee.com noticed it last week.

We’re highlighting it again because it’s trivially easy to turn off Google Maps location-tracking, if you want to.

In fact, I checked the location history page this morning and had difficulty finding any location data at all, because I’ve had location tracking turned off for months, with a few exceptions.

Source:
http://venturebeat.com/2014/08/17/yes-google-maps-is-tracking-you-heres-how-to-stop-it/