Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances. “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the Federal Bureau of Investigation said in a private notice it has been distributing to healthcare providers, obtained by Reuters.

Exclusive: FBI warns healthcare sector vulnerable to cyber attacks - Yahoo News

In 2013, there were at least 1,367 confirmed data breaches, according to Verizon, and over 63,000 “security incidents,” which include everything from catastrophic leaks to a breach that “compromises the integrity, confidentiality, or availability of an information asset.” Of those, governments around the world accounted for nearly 13% of confirmed breaches and a whopping 75% of “incidents.”

Where are all these breaches coming from? In a word, “oops.” Of the nine classifications of threats listed by Verizon, which account for over 90% of all incidents, one stands out in the public sector: “Miscellaneous error.”

The single biggest cause of government data breaches is “oops” - Quartz

"When you are dealing with so many different sources of information and so many different offices that need to be involved in the response to a problem, there has to be a reporting structure that brings it all together," Mr. McRobbie says. The changes mean that the university now has uniform response procedures—a tool kit, Mr. Bruhn calls it—that can be applied to cybersecurity and physical-security incidents alike. "It is that structure that provides us with a huge amount of comfort because we know even if it is a one-off sort of incident, we have a structure that is amoeba-like enough that it can cover just about anything that can happen," he says.

Indiana U. Puts IT and Safety Under One Umbrella - Technology - The Chronicle of Higher Education

The results are a strong indication that merely updating servers to a version of OpenSSL that’s not vulnerable to Heartbleed isn’t enough. Because Heartbleed exploits don’t by default show up in server logs, there’s no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect. Anyone visiting the bogus site would see the same https prefix and padlock icon accompanying the site’s authentic server. The demonstration that it’s possible to extract private SSL certificates means that out of an abundance of caution, administrators of sites that used vulnerable versions of OpenSSL should revoke and replace old certificates with new ones as soon as possible. Given the huge number of sites affected, the revelation could create problems.

Private crypto keys are accessible to Heartbleed hackers, new data shows | Ars Technica

In short: The NSA is said to have decided that the exploit was better something for it to use as an offensive tool than to affect a defensive posture for the rest [of] tech; its decision meant that in its view, its own intelligence efforts were essentially more important than the security of your information.

“NSA Exploited Heartbleed For Years,” TechCrunch (via shortformblog)

They came in through the Chinese takeout menu. Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

Hackers Lurking in Vents and Soda Machines - NYTimes.com

"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."

Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping | Ars Technica

The odds are 50/50 that the Internet will be effectively destroyed by cyberattacks by 2025. If the Net goes down, there will be terrible costs as we reboot the economy.

Robert E. McGrath, a retired software engineer who participated in critical developments of the World Wide Web, on the future of the internet. Survey participants in our future of the internet canvassing acknowledged the fact that global dependence on one particular system makes it a prime target for a devastating attack.

Agree? Disagree? Your thoughts?

(via pewinternet)

"If you’re a journalist or a journalistic organization we will see state-sponsored targeting and we see it happening regardless of region, we see it from all over the world both from where the targets are and where the targets are from," Huntley told Reuters.

Journalists, media under attack from hackers: Google researchers | Reuters

The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users. Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn’t ended the attack by blocking the requests.

Attackers trick 162,000 WordPress sites into launching DDoS attack | Ars Technica
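A defender-side check for the pingback reflection described above, added here as an example and not taken from Sucuri's research or any of the linked articles. It assumes that a WordPress site verifying a pingback fetches the claimed page with a User-Agent of the form "WordPress/<version>; <site URL>; verifying pingback from <claimed origin>" (drawn from WordPress's pingback handler, not stated on the page), so a targeted site can spot an amplification wave in its own access log by counting how many distinct WordPress hosts send such requests within one minute and which origin address they all claim to be verifying.

```python
import re
from collections import defaultdict

# Constructed access-log sample (combined log format); IPs and hostnames are made up.
# Four different WordPress sites fetch the same page within one minute, each claiming
# to verify a pingback from the same (spoofed) origin address.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.0" 200 370 "-" "WordPress/3.8; http://blog-a.example; verifying pingback from 198.51.100.9"
203.0.113.6 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.0" 200 370 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 198.51.100.9"
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2014:12:00:02 +0000] "GET / HTTP/1.0" 200 370 "-" "WordPress/3.7.1; http://blog-c.example; verifying pingback from 198.51.100.9"
203.0.113.9 - - [10/Mar/2014:12:00:03 +0000] "GET / HTTP/1.0" 200 370 "-" "WordPress/3.8; http://blog-d.example; verifying pingback from 198.51.100.9"
203.0.113.10 - - [10/Mar/2014:12:01:15 +0000] "GET / HTTP/1.0" 200 370 "-" "WordPress/3.8; http://blog-e.example; verifying pingback from 192.0.2.44"
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed shape of the pingback-verification User-Agent (see lead-in).
PINGBACK_UA_RE = re.compile(
    r'^WordPress/\S+; (?P<site>\S+); verifying pingback from (?P<claimed>\S+)'
)

def parse_line(line):
    """Return (minute, reflector ip, reflector site, claimed origin) for a pingback
    verification request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = PINGBACK_UA_RE.match(m.group('ua'))
    if not ua:
        return None
    minute = m.group('ts')[:17]  # "10/Mar/2014:12:00" -> one-minute bucket
    return minute, m.group('ip'), ua.group('site'), ua.group('claimed')

def pingback_reflectors(log_text, min_distinct_sources=3):
    """Map each minute in which at least min_distinct_sources different WordPress hosts
    sent pingback verifications to (reflector count, sorted claimed origin addresses).
    Many reflectors all 'verifying' the same origin is the signature of a spoofed
    pingback wave rather than organic linking."""
    reflectors = defaultdict(set)
    claimed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        minute, ip, _site, origin = rec
        reflectors[minute].add(ip)
        claimed[minute].add(origin)
    return {m: (len(ips), sorted(claimed[m]))
            for m, ips in reflectors.items() if len(ips) >= min_distinct_sources}
```

On the sample, only the 12:00 minute is reported, with four reflectors all claiming to verify the same origin; the single request at 12:01 stays below the threshold.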