Top infosec trends in the social media spotlight this week

A data breach at Capital One grabbed news headlines around the world this week, as the US financial services company announced that the personal information of approximately 106 million North American citizens had been pilfered by a criminal hacker.

News of the breach was coupled with an announcement from the US Department of Justice, which outlined the arrest of a former software engineer in connection with the incident.

According to the criminal complaint (PDF), the accused is believed to have exploited a “specific configuration vulnerability” in the company’s infrastructure, which Capital One is said to have patched when it learned of its discovery on July 17.

Although it may be some weeks until the full details emerge surrounding the data breach, the incident has already sparked numerous talking points among the security community.

From one mega-breach to another, consumers in the US who were impacted by the Equifax security scandal have been flocking to the settlement website to request their stake in the multimillion-dollar breach fund.

In fact, the response has been so great that the Federal Trade Commission (FTC) this week updated its guidelines to recommend that people opt for credit monitoring, rather than a cash sum.

Check out our latest coverage of the Equifax breach mop-up, which asks the question: will regulators need to become more aggressive in oversight and penalties in the future?

The Equifax and Capital One incidents have done little for consumers’ confidence in security defenses. However, as one black hat learned this week, not all web properties offer such easy pickings.

A scoop in The Register this week gave an all-too-ironic rundown of a would-be hacker who scanned Akamai security researcher Larry Cashdollar’s personal domain for remote file inclusion vulnerabilities.

El Reg explains:

Unfortunately for the attacker, Cashdollar also used the logs to follow the GET requests to the payload the attacker was trying to load: a script that attempted to harvest information about his server. By dissecting that and other files the hacker had ready to execute commands and take over vulnerable websites, Cashdollar was also able to extract the criminal's email address and their preferred language – Portuguese.

Cashdollar also published a play-by-play of the incident on the Akamai blog.

Elsewhere, the scourge of ransomware is showing no sign of slowing, as CISOs from the US, South Africa, and France will no doubt testify.

The burst of attacks even prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning this week, aimed at assisting organizations in protecting themselves.

This problem would be all the worse if it weren’t for the efforts made by Europol’s No More Ransom project.

No More Ransom toasted its third anniversary on July 26, with the organization announcing it has prevented more than $100 million from going to the wrong pockets.

And last, but certainly not least: Congratulations, Marcus!