Phishing scam that penetrated Wall Street just might work against you, too

Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.

FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will inject a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success.

E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns. Witness the following:


Gruyere – Learn Web Application Exploits & Defenses

This codelab is built around Gruyere – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code...


Privacy Politics at IAPP, Brussels!

The recent IAPP Congress in Brussels provided a platform to bring out the “big guns” on privacy. Needless to say, the said “big guns” did not always agree with each other. Here is our “30,000 feet” view of their privacy perspectives:

Isabelle Falque Pierrotin (IFP) is the Chairperson of the Article 29 Working Party and President of the CNIL (French DP Regulator). Julie Brill (JB) is a Federal Trade Commissioner responsible for privacy and other enforcement in the US. How did they get on? We have scored the exchanges as to how likely they will bridge the gap!

Safe Harbor: IFP reminded us that the Commission had made 13 recommendations for cleaning up Safe Harbor and still wants “clear answers”. She said that there had, as a result of the Edward Snowden story, been a “crisis of confidence” in Safe Harbor. She said that the A29 Working Party will be “very vigilant” as to the output of the Safe Harbor upgrade process. JB said that she remained “deeply hopeful” that Safe Harbor would be sorted out. She said that “like any tool, it can be re-examined”. She also reminded the audience that the FTC had just taken enforcement action against Truste in relation to inappropriate re-certification of Safe Harbor companies. JB said this is “something that we, at the FTC, take tremendously seriously”. (Chances of Bridging the Gap: 4/10)

Big Data: JB said that there were “benefits but also risks” in relation to big data. In particular, there is the risk that we collect all data now and worry about the detail later. JB said that companies should adopt “use risk based frameworks” to assess the risk. She also saw value in bringing the public into the debate and said that the “re-identification risk” should be linked to the social contract not to re-identify individuals. So this is an issue of “trust”. IFP said that she shares some of the views expressed in the Podesta report and that it is important that the individual should “stay in control” of his/her data. Ultimately, the concept of big data and what it can achieve does not require any change to the EU privacy principles. Expect continued debate in relation to how to collect consent or comply with profiling rules, and the uncertainties around the meaning of “anonymised data”. (Chances of Bridging the Gap: 6/10)

Data Breach: IFP said that she recognised the US experience given its many data breach notification laws. She also recognised that individuals should not be flooded with notifications and the issues with notification fatigue. JB reminded the audience that the US has 47 states with data breach notification laws and that the FTC will examine unreasonable practices. She also referenced the “long tail of App providers” who may have less effective security in place. (Chances of Bridging the Gap: 8/10)

RTBF (Right to be Forgotten): IFP said that this is an important fundamental right. She said that RTBF is not, actually, a new right and that it has been in the Data Protection Directive since 1995. She admitted that there had been enormous public expectations following the ruling and that the A29 Working Party will shortly publish guidance (now published!) on how to implement this right. But JB said that the RTBF is “controversial”. She said that there are some elements in US law which include concepts of erasure, like erasure of credit records. She also said that the “right to be forgotten” is a misnomer, as it is not an unfettered right to have information removed from public sources. JB also had significant concerns about the worldwide reach of the ruling. As we now know, the EU does want search engines to apply the right to be forgotten to .com addresses in addition to EU country-specific domains. (Chances of Bridging the Gap: 0/10!)

We’ll be back tomorrow with key points from the A29 WP Guidelines on RTBF published last week!

Sony Pictures reportedly eyes North Korea after leak of five films

The depth and breadth of the cyber attack on Sony Pictures Entertainment was further revealed this weekend as at least five full-length films have been released on file-sharing sites—including some films that have not yet been released in theaters.

The World War II film Fury, currently in release, is among the films apparently released by hackers on file-sharing sites, as are the soon-to-be-released remake Annie, Mr. Turner, To Write Love on Her Arms, and Still Alice, according to a report by Variety on Saturday. By Sunday, Fury had been downloaded more than 1.2 million times, according to figures provided to Variety by the German IT forensics firm Excipio.

Meanwhile, Sony has reportedly brought in federal law enforcement to investigate the attack and retained the cyber security firm Mandiant to help restore its corporate network, though a Sony Pictures spokesperson would not confirm those reports.
