Tuesday, September 30, 2014

BREACH: Hackers charged with stealing over $100m in US army and Xbox technology via OSINT-X Newswires

Four men have been charged with breaking into the computer systems of Microsoft, the US army and leading games manufacturers, as part of an alleged international hacking ring that netted more than $100m in intellectual property, the US Department of Justice said on Tuesday.

The four, aged between 18 and 28, are alleged to have stolen Xbox technology, Apache helicopter training software and pre-release copies of games such as Call of Duty: Modern Warfare 3, according to an indictment dating from April that was unsealed on Tuesday.

Two of the hackers pleaded guilty earlier in the day, the DoJ said.

“These were extremely sophisticated hackers ... Don’t be fooled by their ages,” assistant US attorney Ed McAndrew said after a court hearing on Tuesday.

According to prosecutors, the defendants stole intellectual property and other proprietary data related to the Xbox One gaming console and Xbox Live online gaming system, and pre-release copies of popular video games. The Department of Justice (DoJ) claimed the technology was worth between $100m and $200m, a figure hotly disputed by one of those facing charges.

The four charged in the US were named as Nathan Leroux, 20, of Bowie, Maryland; Sanadodeh Nesheiwat, 28, of Washington, New Jersey; David Pokora, 22, of Mississauga, Ontario, Canada; and Austin Alcala, 18, of McCordsville, Indiana. The DoJ also said a man faces charges in Australia in connection with the same allegations. It did not name him in the announcement, but he was identified by Australian media earlier this year as Dylan Wheeler, 19, from Perth.

Pokora and Nesheiwat each pleaded guilty to a single count of conspiracy to commit computer fraud and copyright infringement. They face up to five years in prison when sentenced in January.

The four in the US had been jointly charged with conspiracies to commit computer fraud, copyright infringement, wire fraud, mail fraud, identity theft and theft of trade secrets. They were also individually charged with counts of aggravated identity theft, unauthorised computer access, copyright infringement and wire fraud. The charges were based on a federal grand jury indictment returned in April.

The hackers are alleged to have accessed the computer system of Zombie Studios, which allowed them to access an Apache helicopter training simulation program that the company had developed for the US army.

Other targets of the alleged hacks included Microsoft, and game companies Epic Games and Valve, the DoJ announced. It said the US has seized $620,000 in proceeds “related to the charged conduct”.

“As the indictment charges, the members of this international hacking ring stole trade secret data used in high-tech American products, ranging from software that trains US soldiers to fly Apache helicopters to Xbox games that entertain millions around the world,” said Assistant Attorney General Caldwell.

McAndrew said FBI officials in Delaware were alerted to the hacking operation in January 2011 by a confidential informant, and that the gaming companies cooperated in the investigation.

Authorities began obtaining arrest warrants last year, and Pokora, who McAndrew said was looked to by other group members as a leader, was taken into custody in March at a border crossing in Lewiston, New York.

A copy of part of the sealed indictment, obtained by thesmokinggun.com in April, detailed the charges against three of the four alleged hackers: Leroux, Nesheiwat and Pokora. Alcala was not mentioned in the leaked document.

Pokora’s plea is believed to be the first conviction of a foreign-based individual for hacking into US businesses to steal trade secret information, authorities said.

The DoJ also said that “an Australian citizen has been charged under Australian law for his alleged role in the conspiracy”. It did not name Wheeler, who attracted attention in 2012 when he listed a home-made development prototype of the Xbox One, which at the time was still in development by Microsoft, on eBay. He was 17 at the time.

Wheeler is currently on bail awaiting trial for charges relating to these allegations, which he denies. He told the Guardian that he disputes the DoJ’s estimated value of the alleged thefts - $100m to $200m - as “meaningless”. He also said that the $620,000 seized was from an act of theft by a single hacker in an “extremely disorganised group.”

“Apart from that, the group made nothing,” he said. “It was just curiosity.”

NOTICE: UShip being used to spread malware via crafted email

We should note that UShip itself is not sending these messages, but we are seeing specially crafted emails aimed specifically at UShip members and customers.

We are seeing messages purporting to be from UShip that look eerily similar to the earlier eBay-style phishing emails.

BREACH: ACME financial data breach at NJ stores via OSINT-X Newswires UPDATED 3:42PM EST

Malicious software installed on ACME Markets networks in late August or earlier this month may place financial data of shoppers at risk, according to 6ABC.

Stores in Delaware, Maryland, New Jersey and Pennsylvania were potentially affected, according to ACME's website.

"Based on the information we currently know, it is not believed that any customer data was stolen. However, out of an abundance of caution, if you used your credit or debit card in a potentially affected store between June 22, 2014 and July 17, 2014 or between August 27, 2014 and September 21, 2014, you should monitor your credit and debit card account and promptly contact the bank that issued your payment card if you see suspicious activity," according to the company.

Stolen data may include names, account numbers, expiration dates or other numerical information. However, social security numbers, birth dates and driver’s license information were not affected because "that information is not collected as part of the payment process," according to the company.

UPDATE

This Sounds Familiar: Albertsons, Jewel-Osco, ACME, Shaw's Hit By Second Credit Card Data ...
When someone wrote me to say there was a data breach at the company behind several major supermarket chains — including Albertsons, Jewel-Osco, ACME, Star Markets, and Shaw’s — I thought, “That happened about six weeks ago, didn’t it?” Alas, the company has announced it is the victim of a new, separate attack.

Company List of Affected Entities:
Albertsons
SuperValu, Inc.
Cub Foods
Jewel-Osco
Shaw's
Star Market
AB Acquisition LLC

BREACH: Supervalu hit with second data breach, including four metro Cub Foods stores via OSINT-X Newswires

Supervalu said Monday that it was the victim of yet another customer payment card data breach -- this one affecting four Twin Cities Cub Foods stores.

The Eden Prairie-based grocery chain said the breach likely began in late August and ended Sept. 21. This is the second such breach the company has suffered in recent months, and the first was much broader.

The four affected Twin Cities stores are in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake. Supervalu said credit and debit card information may have been stolen, including card numbers, expiration dates and cardholders' names. The company did not say how many accounts may have been affected.

Supervalu is among several retailers to be victimized by cyberthieves in the past year. High-profile payment card data breaches at Target, Home Depot, Dairy Queen and others have left tens of millions of consumers vulnerable to financial theft. Stolen card numbers have been found for sale en masse on clandestine websites, presumably posted by the thieves.

Supervalu has never said how many accounts may have been compromised at its stores.

The grocery company was in the process of installing "enhanced protective technology" on its point-of-sale terminals when hackers installed malicious software on the network that processes transactions for the company's Shop 'n Save, Shoppers Food & Pharmacy and Cub Foods stores, according to Supervalu's news release.

These security measures are designed to prevent malware uploaded to the company's network from collecting any payment card data.

BREACH: Jewel Osco parent company discloses new data breach via OSINT-X Newswires

For the second time in less than two months, hackers have targeted Jewel-Osco.

The parent company said it is too early to tell just how many people have been affected, but did say that malicious software was installed in the networks that process debit and credit card transactions. Many stores have been affected in several states, including Indiana, Illinois and Iowa.

It seems like every week hackers infiltrate another company. Monday, it's the parent company of Jewel-Osco. Last week, it was Jimmy Johns.

"Fraud never sleeps," said Governors State University professor Bill Kresse. "While we're in bed here in the U.S., there is someone on the other side of the globe trying to separate you from your money."

Jewel's parent company says the most recent breach happened in late August or early this month.

It stresses there is no indication anything was stolen, but the malware may have accessed account numbers and expiration dates.

"It's a dangerous thing," said customer John Piazza. "I think it certainly needs to be addressed. Data security is very important and it's a very relevant concern today."

Identity theft and fraud expert Bill Kresse says this will keep happening until chip and pin cards replace magnetic stripe cards.

"The bad guys have not figured out a way to put that information on the chip embedded in the new style credit cards," said Kresse.

Fraud experts say that banks, credit card companies and retailers can no longer protect your credit card information, so it is best that statements and credit card information are checked on a daily basis.

Monday, September 29, 2014

BREACH: Lost Pizza Co in North Mississippi exposed to data hack via OSINT-X Newswire

The data hack that exposed the customers of more than 216 Jimmy John's locations has also netted two Lost Pizza Company locations, both in North Mississippi.

Credit card authorization and point-of-sale technology company Signature Systems, Inc. recently revealed that the customer data at 216 Jimmy John’s stores and 108 other restaurant locations including the Lost Pizza Co. locations in Tupelo and Southaven, Mississippi, had been exposed by cyber criminals.

"We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems," a statement on Signature Systems website said. "The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants. The malware was capable of capturing the cardholder’s name, card number, expiration date and verification code from the magnetic stripe of the card."

Raw Stats

According to ID Theft Center there were 4,816 major breaches between 2005 and September 23, 2014, with a total of 667,201,105 records stolen. That is not even including last week’s Jimmy John’s breach! With figures like this it’s easy to panic. That works out to 2.1 stolen credit cards for every American.

Essex Property Trust (ESS) Reports Data Breach via OSINT-X Newswire

Essex Property Trust (NYSE: ESS) reported that certain of its computer networks containing personal and proprietary information have been compromised by a cyber-intrusion. Essex has confirmed that evidence exists of exfiltration of data on company systems. The precise nature of the data has not yet been identified and the Company does not presently have any evidence that data belonging to the company has been misused.

Type: Service Info Tenant Information
Area: Property Management
First Noted: 29 Sept 2014
Location:
Various
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

HIPAA Reporting Statistics Since 2010


Note: If we note that entities are not reporting we will gladly start forwarding our reports along with the actual data to show that it was a breach. Starting in 2015 we will start direct reporting and will start to forward actual leaked content directly to OCR under HHS. For more information please feel free to contact us directly using the contact form.

DISCLOSURE: Southeast Womans Center (www.southeastwomenscenter.com)

Sending patient records unencrypted by email and through other unencrypted channels.

We are aware of various issues with this provider. They have been known to send records via email as well as fax and through unsecured systems of other providers.

Type: PHI
Area: Medical
First Noted: 22 Sept 2014
Location:
North Carolina
Total Records: 100+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)


Update: Additional violations noted since original post. 

BLOCKS: Suggestions - Already updated in the SLC Rulesets

Suggested Domains to Block:
adexprt.com
exoclick.com
seethisinaction.com
valu-traffic.com

We have been seeing malware being pushed out in droves from these domains.

Sunday, September 28, 2014

NEWS: Inventor of World Wide Web warns of threat to internet - Via OSINT-X Newswires

London (AFP) - The British inventor of the World Wide Web warned on Saturday that the freedom of the internet is under threat by governments and corporations interested in controlling the web.

Tim Berners-Lee, a computer scientist who invented the web 25 years ago, called for a bill of rights that would guarantee the independence of the internet and ensure users' privacy.

"If a company can control your access to the internet, if they can control which websites they go to, then they have tremendous control over your life," Berners-Lee said at the London "Web We Want" festival on the future of the internet.

"If a Government can block you going to, for example, the opposition's political pages, then they can give you a blinkered view of reality to keep themselves in power."

"Suddenly the power to abuse the open internet has become so tempting both for government and big companies."

Berners-Lee, 59, is director of the World Wide Web Consortium, a body which develops guidelines for the development of the internet.

He called for an internet version of the "Magna Carta", the 13th century English charter credited with guaranteeing basic rights and freedoms.

Concerns over privacy and freedom on the internet have increased in the wake of the revelation of mass government monitoring of online activity following leaks by former US intelligence contractor Edward Snowden.

A ruling by the European Union to allow individuals to ask search engines such as Google to remove links to information about them, called the "right to be forgotten", has also raised concerns over the potential for censorship.

"There have been lots of times that it has been abused, so now the Magna Carta is about saying...I want a web where I'm not spied on, where there's no censorship," Berners-Lee said.

The scientist added that in order to be a "neutral medium", the internet had to reflect all of humanity, including "some ghastly stuff".

"Now some things are of course just illegal, child pornography, fraud, telling someone how to rob a bank, that's illegal before the web and it's illegal after the web," Berners-Lee added.

7 Biggest Healthcare Data Breaches in the US (So Far)

1. Information on 4.9 million Tricare Management Activity beneficiaries was stolen from a Science Applications International Corporation employee’s car in 2011.
2. This year, Complete Health Systems, based in Tennessee, reported that a network server was hacked and personal information was stolen, affecting 4.5 million people around the country.
3. Illinois-based Advocate Health and Hospitals Corporation reported the theft of company computers, which impacted almost 4.03 million individuals in 2013.
4. Health Net in California had a data breach in 2011 that affected 1.9 million people. In that case, IBM alerted Health Net that several unencrypted server hard drives were missing from a California-based data center.
5. Between 2013 and 2014, the Montana Department of Public Health and Human Services reported a breach that affected more than 1.06 million people. A network server was hacked and patient data stolen.
6. In 2011, the Nemours Foundation reported it had lost three data tapes containing 10 years' worth of information on 1.05 million patients. The tapes, and the cabinet they were in, went missing from a Delaware facility; the company said it may have happened during a remodeling project.
7. In 2009, Blue Cross Blue Shield of Tennessee reported a breach when hard drives were stolen containing information on more than 1.02 million patients.

According to a recent Reuters report, medical information is worth about 10 times more than credit card numbers on the black market. Last month, the Federal Bureau of Investigation (FBI) put out an alert to healthcare organizations to be on the lookout for data hackers.

The FBI said it had observed “malicious actors targeting healthcare-related systems, perhaps for the purpose of obtaining Protected Healthcare Information ... and/or Personally Identifiable Information."

Saturday, September 27, 2014

BREACH: Madison Street Provider Network, Inc

9News reports that Madison Street Provider Network, Inc., dba Omni Eye Specialists, Spivack Vision Center, Madison Street Surgery Center, Madison Street Anesthesia, and Madison Street Company Nurse Practitioner said they were a target of a data breach and will be notifying patients.
Stay tuned, as there’s no notification on any web site(s) yet.


UPDATE:
Madison Street Provider Network, Inc., which operates under the following business names: Omni Eye Specialists, Spivack Vision Center, Madison Street Surgery Center, Madison Street Anesthesia, and Madison Street Company Nurse Practitioner said they were a target of a data breach.

Madison Street Provider Network will send out letters to all of the patients who may have been affected by this breach. They say there is a low risk to patients at this time.

Anyone with questions should contact Madison Street Provider Network Leadership Team at 303-377-2020.


Type: Service Info
Area: NA
First Noted: 27 Sept 2014
Location:
Various
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Bay Area Bioscience Association (BayBio) notifies online customers of breach

Dear BayBio Customer,
It has come to our attention that sometime within the past two weeks the security of our online payment system was breached. We believe an intruder inserted files that captured the keystrokes of our visitors and may have captured credit card numbers in the process.

You are receiving this because you have made a transaction at BayBio.org’s checkout page to pay for an event or membership. Please review your credit card statement and immediately alert your bank if you see any unusual transactions or unfamiliar vendor names.

We are taking these matters seriously and are working to resolve this security issue as quickly as we can and to install tightened security measures to ensure this doesn’t happen again. We will advise you when we’ve completed these actions and have restored the security of our online payment system.

For the present time, enrollment in events and membership renewals can be accomplished through www.baybio.org without providing credit card information. Payments will be processed by phone until our web page security problem is fixed.

Your online security while using the BayBio site is of the utmost concern to us. We regret any inconvenience this problem may have caused you. We truly appreciate your participation in the BayBio community.

Regards,
Gail Maderis
President and CEO, BayBio
250 East Grand Avenue, Suite 26
South San Francisco, CA 94080

NEWS: Ala. Hospital Can't Escape Data Breach Class Action via OSINT-X Newswires

Washington (September 26, 2014, 5:14 PM ET) -- An Alabama federal judge on Friday refused to toss a putative class action against Flowers Hospital over an employee's theft of sensitive patient information, giving the plaintiffs an opportunity to amend their claims.

In a short order to the parties, U.S. District Judge W. Keith Watkins told the five named plaintiffs in the suit against the Alabama hospital to file a second amended complaint with the court over their allegations that an unidentified third party used their Social Security numbers to file phony tax returns....

Air Force Patient Data Breach - via OSINT-X Newswires

The mishandling of patient information is "totally unacceptable" and procedures for handling such information will be reviewed, Col. John Devillier, Wright-Patterson Air Force Base commander, said.

"We have protocols in place to prevent something like this from happening, but our personnel did not follow those protocols," Devillier said in a prepared statement. "I can assure you the individuals at fault will be dealt with and we will also review all our procedures to see if we need to supplement them with additional checkpoints.

Univ. Health Systems of E. Carolina Inc. (www.ipfcc.org)

Leaking patient health records and personally identifiable information to include diagnosis, practitioner and other personal information. Additional information is being sent to the organization.

Type: PII
Area: Medical
First Noted: 5 Sept 2014
Location: Maryland, North Carolina
Total Records: 10000+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

Friday, September 26, 2014

UPDATE: Signature Systems - Related to Jimmy Johns Breach 27 Sept 2014 9:45PM EST

Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John’s sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products.

UPDATE: An additional 108 different restaurants were compromised according to Signature Systems Inc.

UPDATE: Signature Systems breach expands to mom and pop vendors and pizza shops (see the report above).

G.O.P. Error Reveals Donors and the Price of Access (www.gop.org) via OSINT-X Newswires

Such an error by the Republican Governors Association recently resulted in the disclosure of exactly the kind of information that political committees given tax-exempt status usually keep secret, namely their corporate donors and the size of their checks.

That set off something of an online search war between the association and a Washington watchdog group that spilled other documents, Democratic and Republican, into the open.

Dairy Queen data breach causing worry (www.dairyqueen.com) via OSINT-X Newswires

Several banks in the Morehead area are issuing new debit cards to their customers after Dairy Queen corporate reported being a victim of a data breach.

The national company confirmed the breach earlier this month but didn't disclose how many stores were affected.

“We are gathering information from a number of sources, including law enforcement, credit card companies and processors,” Dairy Queen said in a statement. “The protection of customer data is a top priority for us and our franchisees, and we take it seriously.”

In Morehead, The Citizens Bank has reissued more than 90 new cards and Whitaker Bank has reproduced more than 30 due to the breach.

UPDATE: FTP Cracking Attacks now seen as a result of Bash vulnerability Updated 2:45PM EST

We are now starting to see many thousands of FTP brute force attacks and DDoS activity as a direct result of the Bash vulnerability. We have started getting reports of FTP server attacks and DDoS attacks. We are updating our list of block suggestions, which are available for direct download at www.slcsecurity.com in the "Lab" section of the website. The previously reported botnet has been taken offline. The C+C is no longer responding to inquiries from infected machines.

Also keep in mind that you will more than likely be scanned by shodan.io or one of their other domains. Here is a list of the domains that are owned by or associated with shodan as of 2:15PM EST.


Additional IP Attackers:

Additional Attackers Noted
9/27/2014
173.44.37.242
119.136.161.189
116.236.216.116


BREACH: Pacific Biosciences of California (www.pacificbiosciences.com)

Pacific Biosciences of California is notifying employees and dependents after a laptop with personal information was stolen from an employee’s home. The theft occurred on September 16.

In a letter to those affected, Natalie Welch, Senior Director of Human Resources, writes that the personal information involved included names, contact information, birthdates, Social Security numbers, direct deposit information, compensation information, and insurance information.

There is no explanation as to why the employee had personnel information at home, whether that was acceptable under their policy, and why the data were not encrypted – and if that, too, was acceptable under their policy.

Those affected have been offered free services through AllClear.
A copy of the letter was uploaded to the California Attorney General’s web site.

Type: Service Info
Area: science
First Noted: 25 Sept 2014
Location:
CA
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Thursday, September 25, 2014

DISCLOSURE: Time Warner Cable Charlotte (www.timewarnercable.com)

Releasing customer information including name and phone number. A minor disclosure, but a disclosure nonetheless.


Type: Service Info
Area: Communications
First Noted: 24 Sept 2014
Location:
Charlotte, NC
Total Records: 1
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

BOTNET ACTIVITY: Related to Bash Vulnerability (UPDATED)

We are getting reports of various attacks. Look for this traffic. Chances are that if you see traffic going to these two hosts you are probably infected.

89.238.150.154 port 5
162.253.66.76 port 53

We will post additional information as we find out more. The first host appears to be offline now but it may be a good idea to check for outgoing connections on port 5 anyway.

Infected machines may try and connect to 185.31.209.84 on port 443 which is hosting an IRC server for C+C on channel.

UPDATE: As of 10:30AM EST all of the identified servers have been taken offline. We will continue to monitor this situation.
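One way to turn the indicators above into a check, as an added example that is not code from the original post or from SLC Security: scan outbound connection records for the three host/port pairs named in this section, and separately flag any outbound connection on port 5, as the post suggests. The log format and the sample lines are constructed for this example.

```python
"""Added example, not code from the original post or from SLC Security.

Scans outbound connection records for the Shellshock-related command-and-control
indicators the post lists, plus any outbound connection on port 5, which the post
suggests checking for regardless of destination. Log format and sample lines are
constructed for this example: "timestamp src_ip src_port dst_ip dst_port proto".
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Indicators quoted from the post: (destination IP, destination port).
C2_INDICATORS = {
    ("89.238.150.154", 5),     # first host; the post says it now appears offline
    ("162.253.66.76", 53),     # port 53 to this host is not ordinary DNS traffic
    ("185.31.209.84", 443),    # IRC server used for C+C
}

# Post: "check for outgoing connections on port 5 anyway".
SUSPICIOUS_DST_PORTS = {5}

# Constructed sample log (not real traffic). 8.8.8.8 and 93.184.216.34 are benign
# control rows; 203.0.113.9 is a documentation-range address used as a stand-in.
SAMPLE_LOG = """\
2014-09-25T09:12:01Z 10.0.0.15 51234 8.8.8.8 53 udp
2014-09-25T09:12:03Z 10.0.0.15 51235 162.253.66.76 53 udp
2014-09-25T09:13:10Z 10.0.0.22 40001 185.31.209.84 443 tcp
2014-09-25T09:13:12Z 10.0.0.22 40002 93.184.216.34 443 tcp
2014-09-25T09:14:00Z 10.0.0.40 33000 203.0.113.9 5 tcp
2014-09-25T09:14:05Z this line is malformed
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {
            "ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower(),
        }
    except ValueError:
        return None


def classify(rec: Dict[str, object]) -> Optional[str]:
    """Return the reason a record is suspicious, or None if it matches nothing."""
    key = (rec["dst"], rec["dport"])
    if key in C2_INDICATORS:
        # Match on the full (host, port) pair: port 53 alone would look like DNS.
        return f"known C2 indicator {rec['dst']}:{rec['dport']}"
    if rec["dport"] in SUSPICIOUS_DST_PORTS:
        return f"outbound connection on port {rec['dport']}"
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious record; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason is not None:
            findings.append({**rec, "reason": reason})
    return findings


def likely_infected_hosts(findings: List[Dict[str, object]]) -> List[str]:
    """Sorted list of internal source addresses that produced at least one finding."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} {h['proto']}  [{h['reason']}]")
    print("hosts to isolate and examine:", ", ".join(likely_infected_hosts(hits)))
```

The C2 list above is frozen to the values in this post; in practice feed it from the current block list, since the post notes the first host has already gone offline.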

BREACH: Owensboro Medical

As many as 4,000 patients may have had their medical information compromised. It happened three years ago, but Owensboro Medical Practice is only now revealing the problem.

As we've seen in other breaches, officials say they found out nearly two months ago. They say demographic information such as race and gender was stolen, but not credit card or medical background information.

The Department of Health and Human Services and attorneys are investigating. Officials believe former employees took the info to use for their own practice.

"The employees that left formed their own company," said Timothy Hillard, "and they want to use that patient database. So, they can contact those patients to bring them into their own research company."
We're told patients affected by the breach have been notified. If you believe you're a victim of fraud, call a local credit bureau to have a fraud alert put on your credit cards.

DISCLOSURE: Air Methods (www.airmethods.com)

Company is leaking information during dispatch and movement operations. No notification

Type: PII
Area: Medical
First Noted: 24 Sept 2014
Location:
US
Total Records: 25+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

DISCLOSURE: Wilson Memorial Hospital (www.wilmed.org)

12 Sept. 2014 - Notified by Postal Mail

The hospital is disclosing patient names, medical diagnoses and other protected details.

Type: PII
Area: Medical
First Noted: 24 Sept 2014
Location:
US
Total Records: 25+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)


IDS: Snort Rule Update

We have made the Snort rules for detecting the Bash bug available via our normal download location. Please update your signatures if you're using the slcsecurity ruleset.

Snort Rules Update

BREACH: iThemes (www.ithemes.com)

iThemes published details on a security breach that took place earlier today. According to the announcement, after noticing suspicious activity, they identified a significant attack on their membership database. iThemes urges all customers to reset their passwords immediately. To protect accounts from any unauthorized access, iThemes has temporarily reset all user passwords. To regain access to your account, you'll need to reset your password.
The attackers could gain access to the following customer data:
  • Username
  • Password
  • Email address
  • First and last name (if you set it)
  • IP address
  • The names of products you purchased
  • Coupon codes you might have used
  • Access times
  • Payment receipt information (but no other payment info)

BREACH: Japan Airlines mileage club members may have leaked

Japan Airlines Co. said Wednesday that personal information on up to 750,000 JAL mileage club members may have leaked after someone gained unauthorized access to the company's computer system.
The data include members’ names, addresses, birthdays and email addresses, the company said, adding that it has not confirmed the leak of passwords or credit card numbers.

A program to extract customer data and send them to a server in Hong Kong was planted on 23 personal computers at JAL. Seven of the 23 computers are believed to have actually sent data.
Type: PII
Area: Corporate
First Noted: 24 Sept 2014
Location:
Japan
Total Records: 750,000
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

DISCLOSURE: Hertford County NC (www.hertfordcountync.gov)

Some taxpayers may be at risk in Hertford County, after a list containing confidential information on the Hertford County Website was compromised.

The following statement is from the Hertford County Commissioners on a recent security breach:

The posting of a list of delinquent tax liens for tax years 2005 thru 2013 on the Hertford County Website has resulted in a breach of confidential information, i.e., social security numbers for a number of taxpayers. The county has reported this event to our insurance carrier, NCACC Risk Management Pool, whose cyber coverage is designed for instances such as this. It is an ongoing investigation that was initiated on September 22nd; therefore, at this point little is known as an absolute certainty of fact. The Risk Management Pool has the appropriate people ready to do what is necessary by law and they are in the process of being engaged. Hertford County has every intention of following the requirements set out in the law.

Type: PII
Area: Government
First Noted: 24 Sept 2014
Location:
Hertford County NC
Total Records: 10000+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Wednesday, September 24, 2014

NEWS: 'Bash' bug could let hackers attack through a light bulb

Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.

Computer security researchers have discovered a flaw in the way many devices communicate over the Internet. At its most basic, it lets someone hack every Internet-enabled device in your house -- via something as simple as your light bulb.

That is, if you're one of those tech-embracing types who buys Internet-connected "smart" appliances.
But that includes a rapidly growing number of businesses and governments that use smart devices -- like cameras -- within their internal networks.

Why fear the bash bug? Because it's so pervasive.

According to open source software company Red Hat, it affects any device that uses the operating system Linux -- which includes everything from calculators to cars. But it also affects Apple Macs and some Android, Windows and IBM machines.

In a public warning, Red Hat researchers classified the severity of the bug as "catastrophic."

Not every connected device is vulnerable. But it's difficult for the average person to figure out if, for instance, their home security camera is at risk.

The problem is new enough that it's impossible to know if hackers are already using it. But if it's anything like the Heartbleed bug discovered earlier this year, we might not see damage for months. And when we do, it could be disastrous.

In the case of Heartbleed, hackers eventually broke into a hospital network and stole 4.5 million patient records -- including Social Security numbers.

The only solution for the bash bug? If and when a patch becomes available, update every device you have. But that's not likely to happen. Companies don't often update their fleet of devices, and customers rarely pay attention to that sort of thing.

UPDATE:
As of 9:00AM EST: We detected mass scanning of servers for the vulnerability in our OSINT-X system. The initial results look like 83% of Internet connected devices are vulnerable.

As of 11:08AM EST: We have been informed that Red Hat's previous patches are not effective against this attack. Oracle, Ubuntu and Juniper are releasing patches to address the issue. Red Hat has not released an update yet.  

As of 12:53PM EST: We are starting to see reports of botnet activity being alerted on as a direct result of this vulnerability. Several clients have called in to ask for assistance in containing the issue.

Snort Signature for Detection (smart quotes and dashes from the original posting replaced with plain ASCII so the rule parses):
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
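What the rule above actually does, written out as an added example (not part of the original post and not Volexity's code): look for the `() {` sequence in any request header, which is what `content:"() {"; http_header;` inspects, and cap alerts at one per source per 120 seconds, which is what the `threshold` clause does. The requests and timestamps are constructed test vectors; the command portion of the probe header is a placeholder.

```python
"""Detect the Shellshock probe pattern in HTTP request headers the way the Snort
rule above does, and mirror its per-source alert threshold.

Added example, not part of the original post or of the Volexity rule. The
requests below are constructed test vectors; the command portion of the probe
header is a placeholder.
"""
from typing import Dict, List, Optional, Tuple

# The rule's content match: a bash function definition prefix inside any header.
SHELLSHOCK_MARKER = b"() {"


def split_headers(raw: bytes) -> Optional[List[Tuple[bytes, bytes]]]:
    """Return (name, value) pairs from a raw HTTP request head; None if malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:      # expect "METHOD SP TARGET SP VERSION"
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers.append((name.strip(), value.strip()))
    return headers


def find_shellshock_headers(raw: bytes) -> List[bytes]:
    """Names of headers whose value carries the marker (what 'http_header' inspects)."""
    headers = split_headers(raw)
    if headers is None:
        return []
    return [name for name, value in headers if SHELLSHOCK_MARKER in value]


class LimitThreshold:
    """Equivalent of 'threshold:type limit, track by_src, count N, seconds S':
    at most N alerts per source per S-second window, measured from the first event."""

    def __init__(self, count: int = 1, seconds: float = 120):
        self.count, self.seconds = count, seconds
        self._windows: Dict[str, Tuple[float, int]] = {}  # src -> (window start, alerts)

    def should_alert(self, src: str, now: float) -> bool:
        start, fired = self._windows.get(src, (now, 0))
        if now - start >= self.seconds:      # window expired, start a new one
            start, fired = now, 0
        if fired >= self.count:
            self._windows[src] = (start, fired)
            return False
        self._windows[src] = (start, fired + 1)
        return True


def process(events: List[Tuple[str, float, bytes]],
            threshold: Optional[LimitThreshold] = None) -> List[Tuple[str, float, List[bytes]]]:
    """Run detection plus thresholding over (src_ip, timestamp, raw_request) tuples."""
    threshold = threshold or LimitThreshold()
    alerts = []
    for src, ts, raw in events:
        hit = find_shellshock_headers(raw)
        if hit and threshold.should_alert(src, ts):
            alerts.append((src, ts, hit))
    return alerts


# Constructed requests. The "(X11; Linux x86_64)" User-Agent shows that parentheses
# alone do not trigger the rule; only the "() {" sequence does.
BENIGN_REQUEST = (b"GET /cgi-bin/status HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
PROBE_REQUEST = (b"GET /cgi-bin/status HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"User-Agent: () { :; }; PLACEHOLDER_COMMAND\r\n"
                 b"Cookie: () { :; }; PLACEHOLDER_COMMAND\r\n\r\n")

# (source, seconds since capture start, request)
SAMPLE_EVENTS = [
    ("198.51.100.7", 0.0, BENIGN_REQUEST),
    ("198.51.100.7", 1.0, PROBE_REQUEST),
    ("198.51.100.7", 30.0, PROBE_REQUEST),   # suppressed: same source inside the 120 s window
    ("198.51.100.8", 31.0, PROBE_REQUEST),   # different source, alerts
    ("198.51.100.7", 200.0, PROBE_REQUEST),  # window expired, alerts again
]

if __name__ == "__main__":
    for src, ts, names in process(SAMPLE_EVENTS):
        print(f"t={ts:>5} {src} shellshock marker in {[n.decode() for n in names]}")
```

The threshold matters in practice: the mass scanning noted in the updates above means a single scanner will hit every CGI path it can find, and without `type limit` each probe becomes its own alert. Note also that the rule only inspects client-to-server traffic on `$HTTP_PORTS`; probes against DHCP clients or SSH forced commands, which the same bug also exposes, need separate coverage.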

ADDITIONAL INFORMATION:

New bash bug could wreak havoc on Linux and OS X systems

MalwareBytes Blog

​'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock

CNET News

Update on CVE-2014-6271: Vulnerability in bash (shellshock), (Thu, Sep 25th)

SANS RSS Feeds

Franchising complicates Jimmy John's breach investigation as their POS vendor creds are comp'd: 2 months to notify

Team Cymru Security News  

ALERT: ATM Reader Malware New Focus

Security researchers at SLC Security Services LLC have been actively monitoring a new potential issue with ATM machines in the US and abroad. We have been contacted by several clients that have complained of blue screen issues with ATM machines over the past few weeks. Upon examination of the operating system logs, we noticed that the machines are blue screening during the read operation of the inserted ATM cards.

One client in particular has seen 4 different ATM locations affected and has had to restart several ATM machines over the past few weeks. Upon examining the ATM machines, we have determined that the attack vector is a particular type of overflow in the card reader system. Conventional anti-virus software does NOT detect the infection. We have noted that pre-paid credit cards are being used to perform this attempted hack of the ATM machines: the information embedded on the magnetic strip is actually binary and attempts to perform some sort of code injection into the card readers themselves. None of the attempts at our client organization have been successful, but this should be a warning that hackers are attempting to attack these machines via the card reader.

We are monitoring the situation for the organization and will post information after law enforcement has concluded their individual investigations.

NOTHING FOLLOWS

BREACH: Jimmy Johns - North Raleigh (www.jimmyjohns.com)

Point-of-sale system hacked at Jimmy John's in North Raleigh. The company has taken steps to prevent future attacks. An intruder stole login information for the point-of-sale system and payment terminals at some corporate and franchised locations.

Type: Financial
Area: Corporate
First Noted: 24 Sept 2014
Location:
Corporate and Individual store locations 
Total Records: Unknown and not Disclosed
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Additional information will be posted as it is released.

Additional Information:
Jimmy John's Confirms Breach 5:25PM EST 


List of Affected Locations:
0526 Tuscaloosa , AL 1400 University Blvd Suite B --- 6/26/2014 - 8/2/2014
1387 Tuscaloosa , AL 815 Lurleen B Wallace Blvd. --- 7/1/2014 - 8/1/2014
0375 Fayetteville , AR 518 W. Dickson --- 7/1/2014 - 8/1/2014
0660 Tucson , AZ 5411 E Broadway Blvd. --- 6/16/2014 - 8/8/2014
9034 Tempe , AZ 681 E. Apache Ste. 102 --- 6/16/2014 - 8/03/2014
9042 Tempe , AZ 521 S. College Ave. Ste. 107 --- 6/16/2014 - 8/1/2014
2179 Scottsdale , AZ 10701 N. Scottsdale Rd. Ste. 103 --- 6/16/2014 - 8/13/2014
1766 Mesa , AZ 1730 W. Southern Ave. --- 6/16/2014 - 8/2/2014
1956 Glendale , AZ 5890 W. Thunderbird Rd. Ste. 103 --- 6/23/2014 - 8/1/2014
9035 Tempe , AZ 5128 S. Rural Rd. --- 6/26/2014 - 8/2/2014
2180 Phoenix , AZ 7000 N. 16th St. Ste. 124 --- 6/27/2014 - 8/13/2014
9041 Flagstaff , AZ 1020 S. Milton Road Ste. 103 --- 7/1/2014 - 8/1/2014
1742 Peoria , AZ 25101 N. Lake Pleasant Pkwy Ste. 1330 --- 7/1/2014 - 8/5/2014
2571 Pasadena , CA 165 S. Lake Ave. --- 6/16/2014 - 8/1/2014
1814 Visalia , CA 312 W. Main St. --- 7/1/2014 - 8/2/2014
1094 Longmont , CO 210 Ken Pratt Blvd. Suite 200 --- 6/16/2014 - 7/25/2014
0673 Denver , CO 622 16th St. --- 6/27/2014 - 8/1/2014
1066 Golden , CO 1299 Washington Ave. --- 6/27/2014 - 8/1/2014
1057 Broomfield , CO 625 Flatiron Marketplace Dr. --- 7/1/2014 - 8/1/2014
1615 Denver , CO 2325 East Colfax Ave. --- 7/1/2014 - 8/1/2014
1112 Colorado Springs , CO 5885 Stetson Hills Blvd. --- 7/1/2014 - 8/2/2014
0635 Lone Tree , CO 9234 Park Meadows Dr. Suite 500 --- 7/1/2014 - 8/3/2014
0457 Greeley , CO 2644 11th Ave. Suite B --- 7/7/2014 - 8/1/2014
2192 Newark , DE 133 E. Main St. --- 6/16/2014 - 8/13/2014
1221 Altamonte Springs , FL 821 South State Road 434 Ste. 1030 --- 6/16/2014 - 8/9/2014
1222 Orlando , FL 2323 S. Orange Ave. --- 6/16/2014 - 8/9/2014
0168 Tallahassee , FL 1080 West Tennessee St. --- 6/16/2014 - 8/7/2014
0172 Tallahassee , FL 1450 Timberlane Rd. --- 6/26/2014 - 8/7/2014
1767 Jacksonville , FL 11702 Beach Blvd. Ste. 101 --- 6/26/2014 - 8/1/2014
0169 Tallahassee , FL 2047 West Pensacola St #2 --- 6/26/2014 - 8/4/2014
1457 Orlando , FL 3164 E. Colonial Dr. --- 7/1/2014 - 8/1/2014
2024 Fort Lauderdale , FL 1507 N. Federal Highway --- 7/1/2014 - 8/4/2014
1307 Tampa , FL 533 S. Howard Ave. --- 7/1/2014 - 8/2/2014
1464 Jacksonville , FL 1725 Hendricks Ave. --- 7/1/2014 - 8/1/2014
0442 Gainesville , FL 1724 West University Ave. --- 7/1/2014 - 8/2/2014
0260 West Palm Beach , FL 330 Clematis St #1 --- 7/1/2014 - 8/2/2014
0441 Gainesville , FL 2220 SW Archer Rd. --- 7/23/2014 - 8/2/2014
2185 Newnan , GA 51 Newnan Crossing Bypass --- 6/16/2014 - 8/13/2014
1213 Columbus , GA 3217 Macon Rd. --- 6/26/2014 - 8/8/2014
1860 Norcross , GA 6135 Peachtree Parkway Ste. 301 --- 7/1/2014 - 8/2/2014
0444 Atlanta , GA 365 14th St. NW --- 7/1/2014 - 8/2/2014
0986 Atlanta , GA 925A Peachtree St NE --- 7/1/2014 - 8/1/2014
1603 Alpharetta , GA 4180 Old Milton Parkway Ste. 1B --- 7/1/2014 - 8/1/2014
1448 Des Moines , IA 4926 SE 14th St. --- 6/26/2014 - 8/5/2014
1449 Ankeny , IA 202 S. Ankeny Blvd. --- 7/1/2014 - 8/1/2014
0538 Ames , IA 2801 Grand Ave N --- 7/1/2014 - 8/2/2014
0496 Cedar Falls , IA 2016 College St. --- 7/7/2014 - 9/5/2014
1700 Twin Falls , ID 130 Blue Lakes Blvd. N. --- 7/1/2014 - 8/2/2014
0887 Chicago , IL 3234 W. Foster Ave. --- 6/16/2014 - 8/8/2014
9025 Champaign , IL 601B Green St. --- 6/16/2014 - 8/1/2014
0135 Springfield , IL 3128 South 6th St. --- 6/16/2014 - 8/7/2014
0600 Evergreen Park , IL 9451 S. Kedzie Ave. --- 6/26/2014 - 8/1/2014
0158 Quincy , IL 1828 Broadway Suite E --- 6/27/2014 - 8/7/2014
1263 Collinsville , IL 501 Beltline Rd. --- 6/27/2014 - 8/1/2014
0043 Lombard , IL 1235 South Main St. --- 7/1/2014 - 8/1/2014
0739 Chicago , IL 6451 W. Diversey Ave. --- 7/1/2014 - 8/1/2014
0024 DeKalb , IL 850 Pappas Dr. --- 7/1/2014 - 8/1/2014
1187 Loves Park , IL 6112 N. 2nd St. --- 7/1/2014 - 8/1/2014
1322 Lombard , IL 2770 S. Highland Ave. --- 7/1/2014 - 8/2/2014
0608 Countryside , IL 5321 S. LaGrange Rd Unit C --- 7/1/2014 - 8/2/2014
1938 Sugar Grove , IL 472 N. Route 47 --- 7/1/2014 - 8/4/2014
9029 Charleston , IL 315 Lincoln --- 7/1/2014 - 8/1/2014
0041 Chicago , IL 3328 North Clark St. --- 7/1/2014 - 8/2/2014
0386 Vernon Hills , IL 325 North Milwaukee Ave., Suite 150 --- 7/1/2014 - 8/2/2014
0448 Naperville , IL 19 W. Jefferson Ave. --- 7/7/2014 - 8/1/2014
0273 Homer Glen , IL 14110 Bell Rd. --- 7/23/2014 - 8/1/2014
0422 Oakbrook Terrace , IL 18W 048 22nd St. --- 7/23/2014 - 8/1/2014
0187 Glen Ellyn , IL 850 Roosevelt Rd. --- 7/23/2014 - 8/1/2014
0136 Springfield , IL 2925 W Iles Ave. --- 7/23/2014 - 8/2/2014
0433 Geneva , IL 1070 Commons Dr. --- 7/23/2014 - 8/1/2014
0303 Chicago , IL 1101 S. Canal St. Ste. 104 --- 7/23/2014 - 8/1/2014
0732 Indianapolis , IN 1 North Meridian --- 6/16/2014 - 8/8/2014
1414 Columbus , IN 2115 Jonathan Moore Pike --- 7/1/2014 - 8/1/2014
9040 Lafayette , IN 2810 S. Creasy Ln. --- 7/1/2014 - 8/2/2014
1376 Bloomington , IN 2636 E. 3rd St. --- 7/1/2014 - 8/3/2014
2037 Indianapolis , IN 4914 S. Emerson Ave. --- 7/1/2014 - 8/4/2014
0651 Indianapolis , IN 1437 E 86th St. --- 7/1/2014 - 8/1/2014
0587 Carmel , IN 14299 Clay Terrace Blvd. --- 7/1/2014 - 8/2/2014
1928 Hobart , IN 1661 E. 37th Ave. --- 7/1/2014 - 8/3/2014
0452 Evansville , IN 701 N Burkhardt Rd. Suite C --- 7/1/2014 - 8/2/2014
0370 Portage , IN 2547 Willow Creek Rd. --- 7/23/2014 - 8/1/2014
0220 Indianapolis , IN 4825 East 96th Suite 1400 --- 7/23/2014 - 8/1/2014
0379 Bloomington , IN 430 East Kirkwood Ave. --- 7/23/2014 - 8/1/2014
2194 Garden City , KS 503 E. Kansas Ave. --- 6/16/2014 - 8/13/2014
0485 Lawrence , KS 1720 W. 23rd St. --- 7/1/2014 - 8/2/2014
1228 Lansing , KS 834 N. Main St. --- 7/1/2014 - 8/1/2014
0932 Wichita , KS 340 N Rock Rd. --- 7/1/2014 - 8/1/2014
1301 Wichita , KS 517 Hillside Ave. --- 7/1/2014 - 8/3/2014
2200 Louisville , KY 4919 Brownsboro Rd. Ste. 101 --- 6/16/2014 - 8/13/2014
2206 Somerset , KY 650 S. Hwy 27 Ste. 1 --- 6/16/2014 - 8/13/2014
1667 Georgetown , KY 101 Magnolia Dr. Ste. 2 --- 6/26/2014 - 8/3/2014
1319 Florence , KY 7921 Mall Rd. --- 6/27/2014 - 8/2/2014
1313 Lexington , KY 3735 Palomar Centre Dr. --- 7/1/2014 - 8/14/2014
0248 Madison Heights , MI 1535 E. 12 Mile Rd. --- 6/16/2014 - 8/7/2014
0286 Sterling Heights , MI 40846 Van Dyke --- 6/16/2014 - 8/7/2014
9011 East Lansing , MI 4790 S. Hagadorn Rd. #140 --- 6/16/2014 - 8/2/2014
9021 East Lansing , MI 143 N. Harrison Ste. 100 --- 6/16/2014 - 7/30/2014
9027 Ypsilanti , MI 537 W Cross Street --- 6/16/2014 - 7/30/2014
2184 Warren , MI 7568 E. 9 Mile Rd. --- 6/16/2014 - 8/13/2014
0543 Novi , MI 31204 Beck Rd. --- 6/26/2014 - 8/1/2014
2188 Canton , MI 6535 N. Canton Center Rd. --- 6/27/2014 - 8/13/2014
1492 Niles , MI 1260 S. 11th St. --- 7/1/2014 - 8/2/2014
1072 Livonia , MI 33177 W. 8 Mile Rd. --- 7/1/2014 - 7/30/2014
0308 Sterling Heights , MI 36324 Van Dyke --- 7/1/2014 - 8/1/2014
1693 Bloomfield Hills , MI 4087 W. Maple Rd. --- 7/1/2014 - 8/3/2014
1193 Marquette , MI 3220 U.S. Hwy 41 W --- 7/1/2014 - 8/8/2014
0396 Novi , MI 39755 Grand River Ave. --- 7/23/2014 - 8/1/2014
0150 Royal Oak , MI 413 S. Main St. --- 7/23/2014 - 8/1/2014
0271 Livonia , MI 37671 Six Mile Rd. B218 --- 7/23/2014 - 8/2/2014
0296 Bay City , MI 719 Washington Ave. --- 7/23/2014 - 8/1/2014
0909 Clarkston , MI 5601 Sashabaw Rd. --- 7/23/2014 - 8/1/2014
0259 St. Louis Park , MN 5340 16th St. --- 6/16/2014 - 8/7/2014
1184 Maple Grove , MN 8099 Wedgewood Lane N. --- 6/16/2014 - 8/8/2014
0189 Minneapolis , MN 3001 Hennepin South --- 6/17/2014 - 8/3/2014
0227 Roseville , MN 1631 County Rd C --- 6/26/2014 - 8/1/2014
1309 St. Paul , MN 80 Snelling Ave N Ste. C --- 7/1/2014 - 8/1/2014
1553 Wilmar , MN 1017 1st Street --- 7/1/2014 - 8/1/2014
0869 White Bear Lake , MN 1048 Meadowlands Dr. --- 7/1/2014 - 8/1/2014
1897 Detroit Lakes , MN 147 Veterans Memorial Pkwy. --- 7/1/2014 - 8/1/2014
0285 St. Paul , MN 2127 Old Hudson Rd. --- 7/1/2014 - 8/3/2014
0257 Minneapolis , MN 1 W Franklin Ave. --- 7/1/2014 - 7/15/2014
0479 Burnsville , MN 2001 Cliff Rd. E Suite 100 --- 7/1/2014 - 8/1/2014
0402 Golden Valley , MN 8008 Olson Memorial Hwy. --- 7/1/2014 - 8/2/2014
0507 Cape Girardeau , MO 1800 Broadway --- 6/16/2014 - 8/7/2014
1226 St. Louis , MO 5720 Oakland Ave. --- 6/16/2014 - 8/9/2014
0203 St. Louis , MO 3822 Laclede Ave. --- 6/16/2014 - 8/7/2014
1212 Independence , MO 20120 A East Jackson Dr. --- 6/26/2014 - 8/8/2014
1223 Hazelwood , MO 6064 N. Lindbergh --- 6/26/2014 - 8/9/2014
0951 St. Louis , MO 13 N. Euclid Ave. --- 6/27/2014 - 8/1/2014
1249 Sedalia , MO 2923 W. Broadway --- 6/27/2014 - 8/28/2014
1271 Creve Coeur , MO 11429 Olive Blvd. --- 7/1/2014 - 8/1/2014
1655 Kirksville , MO 510 S. Baltimore St. --- 7/1/2014 - 8/1/2014
0715 St. Peters , MO 4865 Mexico Rd. --- 7/1/2014 - 8/2/2014
1390 Jefferson City , MO 128 E. High St. --- 7/1/2014 - 8/3/2014
0773 Kansas City , MO 8427 Wornall Rd. --- 7/1/2014 - 8/1/2014
1544 Parkville , MO 8807 Tom Watson Pkwy. --- 7/1/2014 - 8/1/2014
0204 University City , MO 6681 Delmar Blvd. --- 7/3/2014 - 8/1/2014
2203 Southaven , MS 320 Goodman Rd E --- 6/16/2014 - 8/13/2014
1343 Great Falls , MT 903 10th Ave. S --- 7/1/2014 - 8/1/2014
2199 Kernersville , NC 120-A Century Place Blvd. --- 6/16/2014 - 8/13/2014
0934 Charlotte , NC 230 S. Tryon --- 6/17/2014 - 8/3/2014
0993 Raleigh , NC 5011 Falls of Neuse --- 6/19/2014 - 8/15/2014
1507 Wilmington , NC 120 Market St --- 7/1/2014 - 8/1/2014
0495 Greensboro , NC 1216 Bridford Parkway Ste. D --- 7/23/2014 - 8/3/2014
1442 Bismarck , ND 301 S. 3rd St. --- 7/1/2014 - 8/1/2014
1215 Omaha , NE 589 North 155th Plaza --- 6/16/2014 - 8/8/2014
1525 Blair , NE 2100 South 20th St. Ste. 10 --- 6/16/2014 - 8/3/2014
1000 LaVista , NE 12040 McDermott Plaza Ste. 350 --- 7/1/2014 - 8/1/2014
1044 Columbus , NE 825 23rd St. --- 7/1/2014 - 8/2/2014
2198 Freehold , NJ 13 Village Center Dr. --- 6/16/2014 - 8/13/2014
2699 Roswell , NM 2810 N. Main St. Ste. A --- 7/1/2014 - 8/1/2014
1712 Albuquerque , NM 6500 Holly Ave. NE Ste. C2 --- 7/1/2014 - 8/2/2014
0443 Reno , NV 58 E. Ninth --- 6/16/2014 - 8/7/2014
2204 Carson City , NV 2329 N. Carson St. --- 6/16/2014 - 8/13/2014
0330 Las Vegas , NV 4800 S. Maryland --- 7/1/2014 - 8/5/2014
0326 Las Vegas , NV 2204 W. Charleston --- 7/23/2014 - 8/1/2014
2437 Cicero , NY 5785 E Circle Dr. --- 7/1/2014 - 8/1/2014
0929 Mayfield Heights , OH 1314 SOM Center Rd. --- 6/16/2014 - 8/8/2014
1218 Cincinnati , OH 6459 Glenway Ave. --- 6/16/2014 - 8/9/2014
1765 Youngstown , OH 131 Lincoln Ave. --- 7/1/2014 - 8/1/2014
2058 Austintown , OH 5450 Mahoning Ave. Ste. B --- 7/1/2014 - 8/1/2014
1103 Cuyahoga Falls , OH 677 Howe Ave. --- 7/1/2014 - 8/1/2014
1275 West Chester , OH 9239 Floer Dr. --- 7/1/2014 - 8/1/2014
1628 Cleveland , OH 11446 Euclid Ave. --- 7/1/2014 - 8/2/2014
0116 Columbus , OH 2165 North High St. --- 7/1/2014 - 8/4/2014
1540 Strongsville , OH 14993 Pearl Rd. --- 7/1/2014 - 7/30/2014
0117 Columbus , OH 1860 North High St. --- 7/1/2014 - 8/1/2014
0121 Worthington , OH 7172 N. High --- 7/1/2014 - 8/1/2014
1830 Middleburg Heights , OH 18340 Bagley Rd. Ste. A --- 7/1/2014 - 8/3/2014
0344 Toledo , OH 405 Adams St. --- 7/23/2014 - 8/1/2014
9045 Stillwater , OK 217 S. Washington St. --- 6/16/2014 - 8/1/2014
2187 Enid , OK 2312 West Owen K Garriott Rd Spc E --- 6/26/2014 - 8/13/2014
1524 Tulsa , OK 1931 S. Yale Ave. Ste. A --- 7/1/2014 - 8/1/2014
1406 Beaverton , OR 2790 SW Cedar Hills Blvd. --- 7/1/2014 - 8/3/2014
1510 Beaverton , OR 18033 NW Evergreen Pkwy Ste. D --- 7/1/2014 - 8/1/2014
2190 Pittsburgh , PA 1717 E. Carson St. --- 6/16/2014 - 8/13/2014
0215 Pittsburgh , PA 3444 Forbes Ave Campus --- 7/23/2014 - 8/21/2014
0997 Columbia , SC 131 Harbison Blvd. Ste. B --- 6/16/2014 - 8/8/2014
2195 Clemson , SC 393 College Ave. Ste. 101 --- 6/16/2014 - 8/13/2014
1274 North Charleston , SC 4959 Centre Pointe Drive Ste. 101A --- 7/1/2014 - 8/1/2014
0478 Sioux Falls , SD 1904 S. Minnesota Ave. --- 6/16/2014 - 8/7/2014
1455 Clarksville , TN 1820 Madison St. Ste. A --- 7/1/2014 - 8/2/2014
0334 Knoxville , TN 1903 Cumberland Ave. --- 7/7/2014 - 8/1/2014
2186 San Antonio , TX 5531 W Loop 1604 N. Ste. 112 --- 6/16/2014 - 8/13/2014
0733 Houston , TX 820 Main St. --- 6/17/2014 - 8/2/2014
1117 Lubbock , TX 4730 Slide Rd. --- 6/21/2014 - 8/2/2014
1227 College Station , TX 200 University Dr. E. --- 6/26/2014 - 8/9/2014
1824 Flower Mound , TX 2321 Cross Timbers Rd Ste. 425 --- 6/26/2014 - 8/1/2014
1051 San Marcos , TX 117 E. Hopkins Ave. --- 6/27/2014 - 8/23/2014
2189 Katy , TX 24449 Katy Fwy Ste. 600 --- 6/27/2014 - 8/13/2014
1822 Humble , TX 9490 FM 1960 Bypass Rd W Ste. 300 --- 7/1/2014 - 8/1/2014
1007 Round Rock , TX 200 University Blvd --- 7/1/2014 - 8/1/2014
1587 Sherman , TX 3209 N Hwy 75 --- 7/1/2014 - 8/1/2014
1229 Richardson , TX 285 W Campbell Rd. --- 7/1/2014 - 8/3/2014
1753 Coppell , TX 171 N. Denton Tap Rd. Ste. 500 --- 7/1/2014 - 8/5/2014
1254 Austin , TX 4001 N. Lamar Blvd., Ste. 502 --- 7/1/2014 - 8/1/2014
1159 Houston , TX 10535 Westheimer Rd Ste. 102 --- 7/2/2014 - 8/8/2014
0958 Lehi , UT 3501 N. Center St. --- 6/23/2014 - 7/31/2014
1351 Provo , UT 2308 N University Pkwy. --- 7/1/2014 - 8/4/2014
0057 St. George , UT 930 South Bluff St. --- 7/1/2014 - 8/7/2014
1837 St. George , UT 910 N. Dixie Downs Road --- 7/1/2014 - 8/1/2014
1219 Logan , UT 1482 N Main St. --- 7/4/2014 - 8/9/2014
0100 St. George , UT 42 S. River Rd. --- 7/23/2014 - 7/31/2014
2197 Virginia Beach , VA 1908 Landstown Centre Way Unit 110 --- 6/16/2014 - 8/13/2014
2116 Portsmouth , VA 341 High St. --- 7/1/2014 - 8/1/2014
0603 Seattle , WA 4141 University Way --- 6/16/2014 - 8/7/2014
1856 Kirkland , WA 12305 120th Ave NE Ste. E --- 7/1/2014 - 8/1/2014
1520 Renton , WA 330 SW 43rd St. Ste. A --- 7/1/2014 - 8/1/2014
0670 Oshkosh , WI 70 Wisconsin St. --- 6/16/2014 - 8/1/2014
0113 Milwaukee , WI 1532 West Wells St. --- 6/16/2014 - 8/7/2014
1123 River Falls , WI 477 Spruce St. --- 6/16/2014 - 8/8/2014
1411 Sheboygan , WI 2633 Calumet Ave. --- 7/1/2014 - 8/1/2014
0112 Portage , WI 2643 New Pinery Rd. --- 7/23/2014 - 8/1/2014
1496 Morgantown , WV 1018 Suncrest Towne Centre --- 7/1/2014 - 8/1/2014
2257 Rock Springs , WY 1577 Dewar Dr. Ste. 100 --- 6/26/2014 - 8/1/2014
1673 Sheridan , WY 727 E. Brundage Ln. --- 7/1/2014 - 8/1/2014

UPDATE 9/26/2014:
Rosen Law Firm Initiates Jimmy John's Credit Card Data Breach Class ...

BREACH: Bexar County Sheriff’s Office (www.bexar.org)

The human resources department at the Bexar County Sheriff’s Office has notified employees of a possible data breach.
A spokesperson for the Sheriff’s Office said at one point a shared drive containing employee information could have been accessed by people outside of the department.

Type: Personnel Records
Area: Law Enforcement
First Noted: 22 Sept 2014
Location:
San Antonio, TX  
Total Records: NA
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

BREACH: Grady High School - Atlanta GA (www.atlanta.k12.ga.us)

Atlanta Public School officials are investigating a computer hacking incident at Grady High School. According to a district spokesperson, nearly 200 computers were affected.
On Sept. 4th, Grady High School principal Timothy Guiney sent a letter to parents, explaining the situation.
“The perpetrator(s) have transmitted threatening comments on one occasion and also transmitted explicit sexual content,” the letter read.
A Grady insider told 11Alive’s Blayne Alexander that both teachers and students were affected, and many of the messages popped up on the screen as students were working in the classrooms. Guiney’s letter indicates the hacking incidents occurred over a three-day period.

Type: Threats and Sexually Explicit Content
Area: Education
First Noted: 21 Sept 2014
Location: Atlanta, GA
Total Records: 120+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

Tuesday, September 23, 2014

ALERT: Pharmaceutical Sector

We are getting a large number of reports of targeted attacks aimed at pharmaceutical companies in the US and Europe. We have seen several different variants of a new malware campaign known as "Havex" that are not being detected by AV products.

1. Out of thousands of possible ICS suppliers, the three companies targeted for trojanized software were not primary suppliers to “energy” facilities. Instead, all three offered products and services most commonly used by the pharmaceutical industry.

2. The Dragonfly attack is very similar in nature to another campaign called Epic Turla and is likely managed by the same team. Epic Turla has been shown to have targeted the intellectual property of pharmaceutical companies.

3. The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in consumer packaged goods industries, such as pharmaceuticals, than in the energy industry.

“My research, coupled with my knowledge of the pharmaceutical industry, led me to conclude that it was the target of Dragonfly,” remarked Langill. “The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.”
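The scanner module described in point 3 leaves a footprint that is easy to look for in flow data: one internal host fanning out to many distinct peers on TCP 44818, 102 and 502. Below is an added example of that check, not from the post or from the Dragonfly research it cites. The CSV flow records, the 10.20.0.0/16 addresses and the threshold of five distinct destinations are constructed assumptions; the protocol names beside each port are standard assignments, not something the post states.

```python
"""Find internal hosts sweeping the ICS ports the Dragonfly scanner module probed.

Added example; it is not from the post or from the Dragonfly research it cites.
Flow records are a constructed CSV with columns src,dst,dport,proto. The protocol
names beside each port are standard assignments, not something the post states.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Ports named in point 3 above, with the vendors the post associates with them.
ICS_PORTS = {
    44818: "EtherNet/IP (Omron, Rockwell Automation)",
    102: "ISO-TSAP / S7 (Siemens)",
    502: "Modbus/TCP (Schneider Electric)",
}

# Distinct ICS-port destinations a single source must touch before it is reported.
# Engineering workstations usually talk to a handful of fixed controllers, so a
# host fanning out to many new ones is the behaviour worth a look.
SWEEP_THRESHOLD = 5


def parse_flows(csv_text: str) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for TCP rows; skip malformed or non-TCP rows."""
    flows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            if row["proto"].lower() != "tcp":
                continue
            flows.append((row["src"], row["dst"], int(row["dport"])))
        except (KeyError, ValueError, AttributeError):
            continue
    return flows


def find_ics_sweeps(csv_text: str,
                    threshold: int = SWEEP_THRESHOLD) -> Dict[str, Dict[int, Set[str]]]:
    """Map each sweeping source to {ics_port: distinct destinations}.

    Destinations are counted across all three ports together, so a host that
    probes a few controllers on each protocol is still caught.
    """
    per_src: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_flows(csv_text):
        if dport in ICS_PORTS:
            per_src[src][dport].add(dst)
    sweeps = {}
    for src, by_port in per_src.items():
        distinct = set().union(*by_port.values())
        if len(distinct) >= threshold:
            sweeps[src] = {port: set(dsts) for port, dsts in by_port.items()}
    return sweeps


def describe(sweeps: Dict[str, Dict[int, Set[str]]]) -> List[str]:
    """One human-readable line per reported source."""
    out = []
    for src, by_port in sorted(sweeps.items()):
        parts = [f"{len(d)} host(s) on {p} [{ICS_PORTS[p]}]" for p, d in sorted(by_port.items())]
        out.append(f"{src}: " + "; ".join(parts))
    return out


# Constructed flows: 10.20.0.5 is a workstation polling its one PLC, 10.20.0.77
# fans out across all three ICS ports (plus an unrelated HTTPS connection),
# 10.20.0.9 is UDP noise and the last row is malformed.
SAMPLE_FLOWS = """\
src,dst,dport,proto
10.20.0.5,10.20.1.10,502,tcp
10.20.0.5,10.20.1.10,502,tcp
10.20.0.77,10.20.1.1,44818,tcp
10.20.0.77,10.20.1.2,44818,tcp
10.20.0.77,10.20.1.3,102,tcp
10.20.0.77,10.20.1.4,102,tcp
10.20.0.77,10.20.1.5,502,tcp
10.20.0.77,10.20.1.6,502,tcp
10.20.0.77,10.20.1.7,443,tcp
10.20.0.9,10.20.1.50,502,udp
bad,row
"""

if __name__ == "__main__":
    for line in describe(find_ics_sweeps(SAMPLE_FLOWS)):
        print(line)
```

Counting distinct destinations rather than raw connection volume is the point: a workstation polling one PLC every second generates far more Modbus flows than a scanner does, but only ever to one peer. On a plant network the baseline of which hosts legitimately speak these protocols is small enough to whitelist, which makes a new talker on any of the three ports worth a look even below the threshold.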

ALERT: Citadel Adapted for Espionage

IBM's Trusteer, which develops anti-fraud software used by a number of banks, warns that it's discovered a Citadel variant that's been tweaked for espionage purposes, and which is being used to target a number of organizations, including an unnamed chemical manufacturer.


"While the use of advanced malware that was originally built for financial theft as a generic advanced persistent threat tool is not new, this is the first time we've seen Citadel used to target nonfinancial organizations," says Dana Tamir, director of enterprise security at IBM's Trusteer, in a blog post. Trusteer has declined to name the victims - or confirm whether it could tell if the campaign was related to industrial espionage or nation-state spying. It says only that the victims include "one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials." Trusteer says it directly notified all of the fewer than 10 victims it identified.


Based on Trusteer's analysis, tweaking Citadel to spy on non-banking businesses didn't take much customization. "According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies," Tamir says. "Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user."


Because this type of "form grabbing" attack is happening in the browser, it allows the malware to grab the data being submitted - including usernames and passwords for corporate webmail accounts - before it gets encrypted. But Trusteer says it's not clear if the attackers directly targeted the petrochemical and other firms, or if they just happened to retrieve the valid credentials from PCs infected with the malware, as part of more widespread financial cybercrime activities.

--

To protect against cyberthreats, consider hiring SLC Security Services LLC to perform a complete and full security audit of your network. "If we don't find a vulnerability, you don't pay us!" Guarantee.