data leakage

Coreflood dries up

The US Department of Justice's announcement yesterday of the takedown of the command and  control (C&C) servers for the Coreflood bots (detected by ESET as Win32/AFCore) and seizure of their domains marks another step in the growing awareness that crime, whether it is committed with bullets or with botnets, is still crime.  This particular botnet,

Deep in the Hard Drive of Texas?

As David Harley blogged earlier, the Comptroller of Public Accounts office for the state of Texas yesterday began notifying state employees that the names, addresses, social security numbers and other records of some 3.5 million current or former state employees had been accessible via the Internet.  Unlike the earlier Epsilon Data Management data breach, it seems

Posted today at SC Magazine Cybercrime Corner

Plenty more (potential) phish in the C:: The consequences of the Epsilon breach may have been a little overstated, but the Texas data exposures are far from trivial. Every picture tells a story: Your smartphone might be giving away more information than you really want to share. David Harley CITP FBCS CISSP ESET Senior Research

They Do Everything Bigger in Texas

I'll see your Epsilon mail addresses and raise you 3 1/2 million Texans' personal records. While the Epsilon leak got an excessive amount of media attention, given its limited potential for phishing (let alone spear phishing), it seems bizarre that there hasn't been much more attention paid to the exposure of all those employment/retirement records exposed for,

Public Access PCs Booby-Trapped

…keyloggers were found to have been attached to PCs used by members of the public…

Unencrypted Wireless: In Like a Lion, Out Like a Lamb

[C. Nicholas Burnett, the manager for ESET LLC's tier three technical support, contributed the following guest blog article on the FireSheep plugin for Firefox.  Thank you very much, Carl!  Aryeh Goretsky] The past several days have seen the security community abuzz about a program presented in San Diego at ToorCon 12 this last weekend called

Privacy: Can’t We All Just Get Along?

My assessment is that this could be a strong leap forward in support of Community Driven Open Source Privacy. Another assessment is that if corporate decision makers aren’t incentivized either internally by a supportive Corporate Culture or externally by regulation, getting the entire grip on cybersecurity is going to be difficult if not impossible. One final assessment is that this gap is crying out for a Cybersecurity / Personal Data Security BBB-type organization’s seal of approval to provide comfort to those who frequent the business. The hard question comes into how scalable this could be.

Facebook checked out, 1.5 million accounts overdue for password changes?

The Internet is abuzz with the announcement from Verisign’s iDefense Labs that a criminal hacker on a Russian forum who goes by the nom-de-plume "Kirllos" (Carlos?) is selling the credentials for 1.5 million Facebook accounts in batches of a thousand for between $8 and $30, depending upon their quality (which, in this case, means dates

Steganography – NOT The Study Of Stegosaurs!

There has been a recent news story about researchers at Princetown University who are working on a new form of steganography that could allow information to be leaked out of an organization on compact disks (CDs) without being detected. Steganography takes one piece of information and hides it within another. Computer files (images, sounds recordings,

Deus ex machina

It will likely come as no surprise to regular readers of ESET's Threat Blog that we are somewhat gadget aficionados here in the Research Department. Our focus, however, is usually on issues such as malware, spam and privacy so we do not spend a lot of time discussing gadgetry.  Every once in a while, though,

Is it my Business?

Do you ever use a public computer? Do you realize that potentially everything you type and read may be public information? I was checking a hotel business center computer this weekend. I found some interesting stuff. A military document for a local air force base. It wasn’t classified. The confidential test results for a semi-synthetic

Public Health and the BCS

SC Magazine included an interesting item today on security and confidentiality in the UK’s National Health Service. Anders Pettersson has suggested that the NHS is too busy to be harrassed over data protection/data leakage issues, and that the security industry should "come together to educate NHS Trusts and other organizations on simple measures to protect

Data Breaches – It’s All Greek to Me

The results (released yesterday) from a study conducted by the Ponemon Institute yielded some interesting data points. The most visible of these was the finding that 85% of U.S. organizations experienced data breaches of varying magnitudes. This study, entitled "U.S. Enterprise Encryption Trends", has completed its fourth annual publication.  The data was directly obtained from

California Healthcare Breaches

Sadly, I’m now back in not-so-sunny England, but one of my colleagues forwarded me an item about security breaches reported by healthcare organizations. On January 1st it became mandatory in California for such organizations to report incidents where non-anonymized patient data may be been intentionally or unintentionally disclosed to someone unauthorized. In the first five months,

Go Phishing with the city of Bozeman, Montana

The City of Bozeman, Montana effectively joined the ranks of phishers when they asked job candidates for their usernames and passwords for social networking sites that the applicant belongs to. In a report at , after considerable outcry the city rescinded its mindless policy. To begin with, the city was asking applicants to breach their

Data Protection: not a priority?

Data protection in the UK and Europe may mean something a little different to the way most Americans would understand it. The UK’s Data Protection Act is, like other local legislation in EC countries enacting the EU directive Data Protection Directive 95/46/EC, concerned less with the security mechanisms you use (or don’t use) to protect your

T-Mobile Data Breach – Or Not…

Just last Saturday, June 6th; there was a new posting on the Full Disclosure mailing list from a source that calls themselves pwnmobile (at least that’s part of their email address). In the post, pwnmobile claims they have harvested information from T-Mobile USA’s servers. The data they claim to have acquired is: various databases confidential

NHS: healthcare security and national insecurity

I really ought to be concentrating on some writing deadlines, but I couldn’t ignore this item, flagged by Graham Cluley, Sophos blogger-in-residence and karaoke star. (I have to say that because I was rather rude about his singing at Infosec last month.) Graham and I both live in the UK, so the state of health

Confused about Conficker?

CNN reported that there a new sleeper virus out there. There is nothing sleepy about the Conficker worm, it is wide awake and looking for people who are asleep at the security wheel. CNN reports that Conficker could allow hackers to steal personal and financial data, and they also report that it “it is

HIPAA is not privacy

Many people in the US associate HIPAA with the rules required to protect medical data. It actually is a lot more than that, but the HIPAA laws do require some minimal standards for medical providers. I recently came across an example of where HIPAA is ineffective. The medical providers are required to protect your data,

Follow us

Copyright © 2016 ESET, All Rights Reserved.