Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of September 21, 2015:
- According to independent security journalist Brian Krebs, multiple sources in the banking industry have found evidence of potential credit card fraud that suggests hackers compromised the point-of-sale systems in gift shops and restaurants at a large number of Hilton Hotel properties across the US. Franchise properties may also be affected, including Embassy Suites, Doubletree, Hampton Inn and Suites, as well as Waldorf Astoria Hotels & Resorts. Krebs reported the company is investigating the claims.
- The Office of Personnel Management (OPM) announced that when hackers infiltrated its systems earlier this year, they got away with approximately 6 million fingerprints – a significant increase from the 1.1 million previously reported. OPM’s response aimed to reassure those potentially affected, adding: “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” In the meantime, an interagency working group – including the FBI, DHS and DOD – will review how adversaries could potentially exploit this information in the future.
- Apple was forced to deep clean its App Store after several cybersecurity firms found that dozens, if not thousands, of Chinese apps contained embedded malware. In what is believed to be the first large-scale attack on Apple’s App Store, BBC reported hackers created a counterfeit version of Apple’s software – dubbed XcodeGhost – to be downloaded by developers. Apple released a list of the most popular apps impacted, which includes Wechat, DiDi Taxi, Gaode Map and Angry Bird 2.
- Facebook hinted at plans to finally introduce the highly requested “dislike button” and, of course, hackers quickly jumped at the opportunity. Hackread reported scammers started a new campaign that rapidly spread through Facebook, misleading users that clicking a link could give them early access to the button. The scam attempts to gather personal information, install malware, or takeover the account to share the malicious link with users’ Facebook friends.
- A Morgan Stanley employee fired in connection with the company’s data breach has pleaded guilty to downloading confidential data from hundreds of thousands of customer accounts. The former financial advisor Galen Marsh copied the names, addresses, account numbers and investment information of approximately 730,000 accounts, including those of Wealth division clients. Marsh agreed not to appeal any prison sentence of up to 37 months – sentencing is scheduled for December.
- Adobe issued an update this week, patching nearly two dozen critical vulnerabilities in Adobe Flash Player, which could “potentially allow an attacker to take control of the affected system,” warned the security bulletin. Windows and Mac users are urged to update to Flash Player version 184.108.40.206; Unix users should update to 220.127.116.111.
- Malvertisers recently hit the highly trafficked websites Forbes and Realtor.com, redirecting visitors to the Neutrino and Angler exploit kits. Security researchers reported eight Forbes URLS attached to news stories published in 2012 and 2015 in one of the attacks. The kits appeared to have exploited Flash, Java, Silverlight and numerous other browser vulnerabilities through the malicious ads, which ran from September 8 – 15. Forbes quickly responded to the issue and has since shut down the malware-serving ads.
Title image courtesy of ShutterStock.com