IoT Teddy Bear Leaks Millions of Voice Recordings from Children and Parents

Standard

CloudPets’ connected stuffed animals leaked more than 2 million voice recordings of parents and children because of their poor database security. This is only the latest compromise happening with children’s toys.

The breach was first reported on Tuesday in a blog post by Troy Hunt, a Microsoft guru who specializes in cloud and online security. Hunt informs that CloudPets’ data was saved to a MongoDB database on an Amazon-hosted service that was publicly available and required no authentication, not even a password. Hunt goes on to say that the database was filed by Shodan, a search engine known for finding connected things, and evidence shows that since December 25, 2016 the stored data had been accessed multiple times by multiple people. CloudPets’ parent company, Spiral Toys, was notified at least four times about the breach, however, Hunt explains that some attempts to contact the company failed due to dead email addresses. In any event, there is no way Spiral Toys was not aware of the leak due to evidence left from criminal ransom demands.

Although this is a wake-up call to parents, businesses can take a lot away from the CloudPets breach, explains cybersecurity expert, Vinny Troia, CEO of NightLion Security. “Many businesses have not taken cybersecurity as seriously as they should be, until it’s too late,” Troia continues, “they take shortcuts that do not properly protect them against cyber criminals, and then are floored when their system becomes compromised.” Troia goes onto to explain that today cybersecurity needs to be at the forefront of businesses’ minds or they are going to be the next Spiral Toys.

The CloudPets incident is only the most recent compromise involving IoT toys, but they are certainly not the last. Both businesses and parents need to take the proper steps to protect the user data and their children from the darker side of the cyber world.

Banks Infected with Invisible Malware, World-Wide

Standard

Banks around the world are being infected with a new form of fileless malware. This type of malware is invisible, as it lies undetected within the memory of a bank’s network gathering passwords and administrative information. The malware then feeds this data back to the hackers, who use it to control the bank’s computer system remotely.

According to Kaspersky Lab, who discovered the new form of malware, there have been reports of this malware at 140 different enterprises in 40 different countries throughout the globe, including: banks, telecoms and government institutions. The United States being hit the hardest with 21 reported incidents.

“What is interesting here is that these attacks are ongoing globally against banks themselves,” said Kaspersky Lab expert Kurt Baumgartner to Ars Technica late last week. Baumgartner went on to explain, “the banks have not been adequately prepared in many cases to deal with this.”

Kaspersky Lab is unsure who is behind the attack or if it is more than one group using the same tools. They plan on releasing their findings later today.

Whoever is behind these attacks is focusing on computers that run automatic teller machines and “pushing money out of the banks from within the banks,” explains Baumgartner. He goes on to say that many of these attacks varied in the way they were executed, which is why they think numerous groups could be involved.

Fileless malware attacks are becoming more common than anyone imagined, which is why cyber security has become such an important tool. Digital Forensic Firms, such as, NightLion Security, offer malware detection and removal with 24/7 service. Vinny Troia, CEO of the St. Louis Digital Forensics Firm, commented that banks are being targeted because they do not have the proper security in place to protect them against this type of invisible malware distribution.

U.S. Steel Blames China of Hacking

Standard

U.S. Steel Corp. in Pittsburgh is accusing the Chinese government hackers of stealing private methods for creating a lightweight steel. The complaint filed with the International Trade Commission said a Pittsburgh researcher’s computer was hacked in 2011. The ITC is deciding whether they need to investigate the matter further.

China’s Commerce Ministry advised U.S. to discard the complaint since they are “completely without factual basis.”

The plans that were apparently stolen included the chemistry for the alloy and its coating, the temperature for heating and cooling the metal, and the layout of the production lines. The hackers stole designs that were made for U.S. Steel’s most valuable products, a metal called Dual-Phase 980. After the hacking occurred, according to the World Steel Association, a Chinese steel company called Baosteel Group Corp. had a new line of products, including the Dual-Phase 980. Baosteel explains these accusations as “complete nonsense.”

Visit Security Services Provider to learn how you can prevent hacking.

White House advises new Cyber Security Plan

Standard

Cyber attacks occur almost every week and do not look like they will slow down anytime soon which is why it is crucial to create an effective cyber security plan. The White House has recently proposed a plan that they think will help lessen cyber attacks and increase government response rate. This plan proposes to renovate outdated computer systems since it is much easier for hackers to break in. They also aim to train and recruit people for federal jobs that focus on cyber security, according to an article from Wall Street Journal.

This cyber security plan expects to cost $19 billion, which is a 35% increase in the cyber security budget. The plan expects to begin October 1st and end September 30th 2017. This plan will not stop cyber attacks but rather decrease the amount and increase response rate.

Click here to read more on the article.

Necessary precautions to prevent identity theft during tax season

Standard

You are more likely to get your identity stolen during tax season than any other time of the year, according to a video from KSDK. There were thousands of stolen identities in 2015. There were 500,000 complaints last year and half of them were around the time of tax season.

Vinny Troia, Digital Forensics Expert and CEO of Night Lion Security, explains that in order to prevent getting hacked is to file your taxes earlier and use the IRS pin number to file safely. Using the IRS pin is extremely important in avoiding a stolen identity. Once this pin number has been assigned to someone, no one can file your taxes for you unless they get this number.

Click here to watch the video.

Israel’s energy department experiences cyber attack

Standard

Last Monday, Israel was under a severe cyber attack, according to an article from Tech insider. The virus had been detected in the energy sector and the suspects are still unknown. They had to paralyze tons of computers of the Israeli Electricity Authority.

Apparently the Electricity Authority had received the virus over email and this type of hack was considered “ransomware.” Ransomware is software that prevents access from the computer system until the ransom is paid. These types of cyber attacks are very common and have been increasing every year. This kind of malware mainly results in catastrophic consequences.

To read more on this article, click here.

Securities and Exchange Commission cracking down on cyber security policies

Standard

For years the Securities and Exchange Commission (SEC) had a tougher bark than bite but decided that in 2016 they were going to crack down when it comes to cyber security. RT Jones Capital Equities, a small regional investment company experienced a cyber attack from China that took 100,000 of their clients’ information, according to an article on the Financial Times. Since the SEC had earlier stated that investment bankers and broker-dealers should prepare for cyber defenses, they were disappointed to hear of this cyber attack.

The SEC decided to list complaints about RT Jones’ failure to implement cyber defenses, which included not conducting periodic risk assessments, not encrypting sensitive data, and not having a breach assessment ready in case of an attack. Andrew Donohue, the SEC chief of staff, had warned that his agency would pass enforcement actions against the companies’ chief compliance officers for looking the other way when addressing important compliance concerns.

The SEC is becoming stricter to prevent cyber attacks from happening. Companies need to not only look out for cyber attacks but also the SEC, when not setting up defense mechanisms.

Read more on the article here.