Denmark Sent Healthcare Data of 5.3M Citizens to Chinese Agency by Mistake

An envelope containing a CD with the healthcare records of 5.3 million Danish citizens was mistakenly delivered to the wrong address and ended up in the hands of an employee working at the Chinese Visa Application Service Centre in Copenhagen, Danish officials announced last week.

The incident took place on February 18, 2015, when Statens Serum Institut (SSI), a private healthcare organization, sent a CD via Post Danmark to the country’s Statistics Office. Due to a mistake made by the postal worker delivering the envelope, the package reached the Chinese Visa Application Service Centre, on the same street, a few hundred meters from the Danish Statistics Office headquarters.

Data on the CD not encrypted

The CD contained the personal and health information of 5,282,616 Danish citizens who resided in the country between 2010 and 2012. The data was not encrypted but did not include names and home addresses, according to a subsequent investigation by the Danish Data Protection Agency.

The same investigation revealed that the Chinese employee who received the letter also opened the package. Discovering the sensitive material on the CD, the same employee realized she received the envelope by mistake and later delivered the data to the Danish Statistics Office.

Authorities said they found no reason to doubt the Chinese Visa Applications employee’s explanation and would not pursue any charges against her.

Officials not pursuing charges against SSI

SSI published statements about the incident on March 20, 2015, and September 10, 2015. As such, the Danish Data Protection Agency claims SSI does not have to inform all affected parties about the accidental data exposure. The Agency also adds it will not be taking any further action against SSI.

Accidental data breaches happen all the time. The most recent case happened to Google in May, when one of the managers of a third-party benefits vendor sent a file containing sensitive information about Google employees to the wrong person.

By Catalin Cimpanu


Crime in UK Now Most Likely to be Cyber Crime

There were nearly six million fraud and cyber crimes committed in the UK in the 12 months to March 2016, according to the latest figures from the Office for National Statistics (ONS).

This is the first year that such cyber crimes have been included in the ONS statistics, so it is not possible to consider overall trends. Nevertheless, it suggests that approximately half of all UK crime is now cyber-related.

“This is the first time we have published official estimates of fraud and computer misuse from our victimization survey,” said ONS statistician John Flatley. “Together, these offenses are similar in magnitude to the existing headline figures covering all other Crime Survey offenses. However, it would be wrong to conclude that actual crime levels have doubled, since the survey previously did not cover these offenses. These improvements to the Crime Survey will help to measure the scale of the threat from these crimes, and help shape the response.”

One area that can be measured over time is plastic card fraud, which has been monitored since 2006. This increased until peaking in 2008-2010, and then declined following the introduction of the EMV chip and pin card. Current findings indicate that 4.7% of plastic card owners were victims of card fraud in the year ending March 2016.

The ONS figures suggest that there were 2 million computer misuse incidents, more than two-thirds of which were virus related, with the remainder involving unauthorized access to personal information (including hacking). 51% of fraud incidents are now cyber-related.

Kaspersky Lab’s principal security researcher David Emm is not surprised by the figures. Criminals follow the money. “With so much financial activity moving online, criminals have capitalized on this by moving their activity into the cyber world,” Emm said.

“It’s clear that crime is becoming cyber enabled as our world becomes digital. Greater transparency around the scale of this problem is vital, helping set the national priorities for law enforcement resources, and underlining the need for industry and government to work together to combat this growing menace,” said Paul Taylor, head of cyber security at KPMG.

The extent of this criminal move into online crime means that people are now six times more likely to be a victim of plastic card fraud than a victim of theft from the person, and around 17 times more likely than robbery.

Victims of fraud differ from other crime victims. They come from higher income households than victims of violence. They tend to be in managerial and professional occupations rather than manual occupations, students or long-term unemployed. There is also some indication that those living in rural areas and least deprived areas are more likely to be affected than those in urban and deprived areas. This is not in itself surprising since it is the same groups that are most likely to be involved in online financial transactions.

One important message from the statistics shows that fraud really is not a ‘victimless crime’. There is still a common belief that victims will be reimbursed for any online fraud losses. The ONS shows that this is not necessarily true. “Victims received a full reimbursement in 43% of fraud incidents (1.6 million), typically from their financial provider. In 690,000 cases, the victim received no or only partial reimbursement,” says the ONS. Having said that, in incidents involving bank and credit card fraud, 84% of victims received full reimbursement.

The majority of recorded incidents are caused by viruses. Technology can be used to defend against technology. “It is vital,” warns Kaspersky’s Emm, “that people use a reliable Internet security solution on all connected devices, apply security updates as soon as they become available, download software only from trusted sources (such as official app stores and vendors) and be cautious about e-mail and other messages that include attachments and links – even if they appear to come from friends.”

Earlier this month, the UK’s National Crime Agency (NCA) released its Cyber Crime Assessment 2016, which argues that criminal capability is outpacing industry’s ability to defend against attacks, and suggests that “only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime.”

By Kevin Townsend


Notorious Hacker ‘Phineas Fisher’ Says He Hacked the Turkish Government

A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

“I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.

The hacker didn’t provide any definitive evidence to support his claims, but he posted a link to a series of stolen files totaling more than 100 gigabytes.

On Tuesday, WikiLeaks began publishing emails stolen from the party of the Turkish President Recep Tayyip Erdogan. The anti-secrecy organization led by Julian Assange said it recently received the files from a source “who is not connected, in any way, to the elements behind the attempted coup [in Turkey], or to a rival political party or state.”

That source, it appears, was none other than Phineas Fisher.

“What better way to celebrate the release of VICE’s Cyberwar than by attacking a NATO member?” Phineas Fisher told me in an email, referring to VICELAND’s new documentary series on hacking and cybersecurity, which this week featured an exclusive interview with the hacker.

Phineas Fisher explained in his message that he attacked AKP “because I support the society people are trying to build in Rojava and Bakur, and they’re being attacked by Turkey,” referring to two Kurdish anti-capitalist autonomous regions, which are located between Turkey and Syria. “I don’t see leaking as an end in itself, so I was talking with people in Rojava and Bakur to see how best to use the access I’d gotten.”

Earlier this year, the hacker claimed to have robbed a bank in a cyberheist and sent 10,000 euros in bitcoin to the Rojava Plan, an organization that promotes “gender liberation, direct democracy, and a free and ecological society” in Rojava.

The hacker hinted that there was some sort of miscommunication when WikiLeaks received the files, and the organization jumped the gun in publishing them.

“To be fair to WikiLeaks, they didn’t know I was still in AKP’s network downloading files at the time they announced they were publishing,” Phineas Fisher wrote in his message. “But they did know that the source who had given them the file was asking them to wait.”

WikiLeaks did not immediately respond to a request for comment. And Phineas Fisher declined to answer more questions regarding the hack.

The leak is also being hosted by the independent security researcher Thomas White, also known as TheCthulhu.

After the publication of the emails on Tuesday, Turkey reacted by blocking WikiLeaks. How they’ll react to this new, apparently more extensive leak, remains to be seen.



Ransomware Attackers Demand Higher Extortion Fees as Threats Escalate

Ransomware attacks, which occur when cybercriminals block access to a victim’s critical data and demand payment to release it, are rapidly increasing in numbers, maturity and severity, security experts have found.

The average ransom demand has more than doubled from $294 (£223) at the end of 2015 to $679 (£514), new research from security firm Symantec shows. According to Symantec’s special report Ransomware and Businesses 2016, ransomware attacks have reached a “new level of maturity and menace” over the past 12 months as online criminals use newer, more sophisticated methods to target both individuals and large organisations.

“Ransomware has quickly emerged as one of the most dangerous cyberthreats facing both organisations and consumers, with global losses now likely running to hundreds of millions of dollars,” the report reads. “The perfection of the ransomware business model has created a gold-rush mentality among attackers, as growing numbers seek to cash in.”

Although ransomware infection numbers did drop in the first quarter of 2015, the overall infection rate rose steadily through the rest of the year with an average of 23,000 to 35,000 infections occurring every month, the report found. The arrival of the Locky ransomware in March 2016 saw infection numbers spiking up to 56,000.

Last year was also a record one for attacks with a total of 100 new ransomware families discovered, most of which are now the “most dangerous form of the threat” – crypto-ransomware. These attacks occur when a malicious individual or group encrypts a user’s data and demands that they pay a ransom in exchange for a decryption key.

According to an earlier Kaspersky Lab report, crypto-ransomware attacks have already reached epidemic status with the number of users hit more than quintupling in the past year.

In late 2015 and early 2016, TeslaCrypt was found to be one of the most widespread ransomware variants. The most widely circulated crypto-ransomware threats were Cerber, CryptXXX and Locky, the report said.

Although ransomware attackers continue to target individuals, accounting for 57% of all global infections between January 2015 and April 2016, the report notes that ransomware gangs are increasingly focusing their attacks on businesses and organisations, particularly in sectors that are more likely to pay up.

While the services sector accounted for 38% of all ransomware infections, manufacturing industry came second with 17%, followed by public administration (10%), and finance, insurance and real estate (10%).

“Although more complex and time-consuming to perform, a successful targeted attack on an organisation can potentially infect thousands of computers, causing massive operational damage and serious damage to revenues and reputation,” the report reads. “Once cybercrime gangs see some businesses succumb to these attacks and pay the ransom, more attackers will follow suit in a bid to grab their share of the potential profits.”

Between January 2015 and April 2016, the US fell victim to the most ransomware attacks accounting for 31% of global infections, followed by Italy, Japan, the Netherlands, Germany and the UK.

This year has already seen a series of major ransomware attacks on hospitals and universities, including Hollywood Presbyterian Medical Center, MedStar Health and the University of Calgary, among others.



Hidden ‘Backdoor’ In Dell Security Software Gives Hackers Full Access

Security researchers are warning Dell security management software admins to patch their systems after finding six high-risk vulnerabilities.

One of the highest-rated “critical” flaws involves a hidden default account with an easily-guessable password in Dell’s Sonicwall Global Management System (GMS), a widely-used software used to centrally monitor and manage an enterprise’s array of networked security devices.

The vulnerability could allow an attacker “full control” of the software and all connected appliances, such as virtual private networking (VPN) appliances and firewalls.

The flaws were detailed in an advisory posted by researchers at Digital Defense, a Texas-based firm that has a commercial stake in the vulnerability scanning business.

However, there’s no evidence to suggest the flaws have been actively exploited by attackers, the researchers said.

Dell acknowledged that the flaws affect the most recent versions of the GMS software, versions 8.0 and 8.1, and issued patches. In a security advisory, the company said it “highly recommends” that admins install the hotfix, available from its support pages.

A Dell spokesperson said in an email late Thursday:

The recent situation raised by Digital Defense, Inc. is related to six vulnerabilities in the Dell SonicWALL Global Management System (GMS), which could allow an attacker control of the software and connected appliances. Unlike intentional “backdoors,” these were software flaws that could allow users to enter the system.

Upon learning of the situation, SonicWALL immediately issued patches to the affected versions of the GMS software and there is no evidence to suggest the flaws have been actively exploited by attackers. Customer security is a top concern and priority for Dell, and we strongly encourage customers who want to ensure they have the latest versions of their SonicWALL software to visit [the support website].


Source: ZDNet

Data Breach Hits 140 Cicis Restaurants

Texas-based pizza restaurant chain CiCi’s, recently rebranded as Cicis, informed customers on Tuesday that their payment card information may have been stolen by malware installed on point-of-sale systems at some locations.

The company said it launched an investigation in March 2016, after some of its restaurants reported problems with PoS systems. Cicis’ PoS vendor soon discovered malware at some locations, which led to a forensic analysis conducted by a cybersecurity firm.

Investigators confirmed that cybercriminals managed to plant malware on Cicis PoS systems in an effort to steal data from payment cards used by customers. Malware has been found at nearly 140 restaurants in Texas, South Carolina, Tennessee, Oklahoma, Ohio, North Carolina, Missouri, Maryland, Louisiana, Kentucky, Georgia, Florida, Arkansas and Alabama. It’s worth noting that Cicis has nearly 450 buffet-style restaurants in 33 states.

While in most cases the attackers gained access to PoS systems in March 2016, some restaurants in Florida, Mississippi, North Carolina, Ohio, Tennessee and Texas had been breached since mid-2015.

“While we believe most of the breaches were remedied within a few weeks of the intrusion, out of an abundance of caution we are not declaring some restaurants as threat-free until they were reviewed by our forensic analyst this month,” Cicis wrote in a data breach notice.

According to the company, not all the credit and debit cards used at affected restaurants have been stolen, and no other customer information has been compromised.

Security blogger Brian Krebs, who was the first to break the news on the Cicis breach in early June, learned from the restaurant chain’s PoS provider that fraudsters planted card-stealing malware by tricking employees. Krebs analyzed the botnet leveraged in the attack and determined that fraudsters had managed to steal roughly 600,000 cards from Cicis locations.

Earlier this month, fast food restaurant chain Wendy’s informed customers that a recent breach impacted more than 1,000 of its locations. The company initially reported that only 300 franchised restaurants had been affected.

Fast-casual restaurant chain Noodles & Company has also suffered a data breach. The company said cybercriminals planted PoS malware at a majority of its 500 restaurants.

By Eduard Kovacs


Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon.

The quarterly patch update resolves vulnerabilities in 84 different products, including Oracle Database Server, Oracle Fusion Middleware, and Oracle’s E-Business Suite, to name a few. The number of fixes exceeds the previous all-time high, 248 patches, pushed by Oracle in January and marks more than double the number of vulnerabilities addressed by the company in its last CPU in April.

Like the April CPU, more than 50 percent of the vulnerabilities, 159 in total, can be exploited remotely without authentication. Oracle Fusion Middleware is the biggest culprit; 35 of the 40 vulnerabilities that affect the software are remotely exploitable.

The company’s E-Business Suite – in which 21 of the 23 vulnerabilities are remotely exploitable – and Oracle Sun Systems Products Suite – in which 21 of the 34 vulnerabilities are remotely exploitable – also merit attention.

Nineteen vulnerabilities across nine different products fetch a CVSS 3.0 rating of 9.8, the most critical vulnerability rating this quarter. While Oracle is encouraging its customers to apply the fixes as soon as possible, users will want to prioritize the update if they’re running one of the nine affected pieces of software: Oracle Fusion Middleware, Supply Chain Products, Oracle Communications Applications, Oracle Health Sciences, Oracle Retail Applications, Oracle Sun Systems Products Suite, and Oracle Virtualization.

All 19 bugs are remotely exploitable without authentication, meaning an attacker wouldn’t need a username or password to exploit them, according to Oracle’s advisory. It wouldn’t be an Oracle CPU without patches for perennial whipping boy Java. This quarter’s update includes 13 patches for Java SE, nine of which are remotely exploitable without authentication. Users running Java SE version(s) 6u115, 7u101, 8u92, or Java SE Embedded, version(s) 8u92, are affected.

Noted researcher David Litchfield, a skilled Oracle bug hunter, uncovered nearly 10 percent of the vulnerabilities, 27 bugs, including a mix of SQL injections, cross-site scripting vulnerabilities, and server-side request forgery attacks. Litchfield outlined the bugs via .PDF documents on Tuesday.

Multiple SQLi, XSS, SSRF and more… details for 27 flaws patched in the July 2016 CPU — David Litchfield (@dlitchfield) July 19, 2016

Among them were a slew of XSS flaws in Oracle Primavera, project management software that’s usually used in industries such as engineering, construction, aerospace and other fields.

Litchfield discovered that via arbitrary HTML/script that doesn’t use parentheses or a .write clause an attacker could bypass an XSS filter designed to protect users against exploitation in the software. One of the scariest sounding vulnerabilities he found exists in Agile, Oracle’s Product Lifecycle Management Database.

The vulnerability could allow a user Index Privileges on SYS tables, something that could allow them to execute as SYS and allow “complete compromise of the database.” Litchfield also described a series of SQL injections in eBusiness Suite, an XSS and SSRF flaw in Apex, and XSS vulnerabilities in Oracle Business Intelligence Enterprise Edition. Considering the sheer number of vulnerabilities, experts on Tuesday said it’s likely admins will have their plates full with this quarter’s patches.

“Oracle systems are complex and multi-component, not speaking about numerous customizations every company usually has,” said Alexander Polyakov, CTO at ERPScan, a company that helps companies secure Oracle enterprise resource planning (ERP) systems. “So, Oracle admins should be ready for difficult and time-consuming work of implementing all the patches.”



OurMine is Now Breaking into Minecraft Accounts

The same hacking group that took over Mark Zuckerberg’s Twitter account has now found a way to break into accounts connected to the hit game Minecraft.

The group, OurMine, made the claim on Tuesday in a video demonstrating its hack. The attack is aimed at the user login page run by Minecraft’s developer, Mojang.

OurMine isn’t revealing all the details behind the hack. The group said it works by stealing the Internet cookies from the site, which can be used to hijack any account. All that OurMine needs is the victim’s email address.

To test the hack, IDG News Service created a user account on Mojang, emailed OurMine and asked the group to break into it, which the group did. To show proof, the group renamed the user profile to “OurMine Team.”

The hack could allow the group to change the account’s password, too, OurMine claimed. But the hacking team says it has no malicious purpose in exposing the vulnerability. “We found this exploit because we don’t want other hackers to know it,” the group said.

The hack specifically targets the user account system that customers rely on to access the PC and Mac versions of the game. OurMine said it will reveal the entire hack to Mojang once the developer contacts the group.

The hackers have offered little information about themselves, but they’ve become best known for taking over the social media accounts of high-profile tech executives, including Zuckerberg and Google CEO Sundar Pichai.

In emails, the group has said it merely wants to help the public become aware of today’s cybersecurity problems, including the use of weak passwords.

The group’s recent hack of Mojang highlights the vulnerabilities with Internet cookies, which can store information like site preferences or user account credentials for site authentication.

If those are stolen, a hacker can use the cookies to impersonate the victim’s online identities. Security flaws found in browsers and credit-card sites in the past could expose cookies to easy theft.

In OurMine’s case, the hackers somehow cloned Mojang’s user account site as a way to extract the stolen cookies. OurMine says on its website that it sells services where it will examine a user’s Internet accounts and websites for weaknesses.



Anonymous Launches DDoS Attack Against Rio Court That Blocked WhatsApp in Brazil

The Brazil branch of the Anonymous hacker collective has launched a DDoS attack against the website of the Rio court that banned WhatsApp usage across the country.

The attack, meant as a warning shot, took place yesterday and only lasted a few hours. The court website was back to normal by 15:00, local time. The hacker group took credit for the attack via a post on their Facebook page, where they also explained their reasons.

Yesterday, the same Rio court ordered ISPs to block WhatsApp across Brazil. The country’s five major operators, Claro, Nextel, Oi, TIM, and Vivo, all complied.

Facebook started having WhatsApp-related problems in Brazil in February 2015, when a judge wanted the company to help in a criminal investigation by revealing messages exchanged in encrypted WhatsApp conversations.

Because the company could not aid law enforcement, last December, a judge banned WhatsApp for two days but later decided to fine the company instead. In March 2016, the same court went one step further by arresting Facebook’s Vice President for Latin America, Diego Dzodan. He was later released when Facebook told the judge that WhatsApp was not under Dzodan’s supervision, being a company run separately from Facebook.

The situation escalated once more in May, when a Brazil judge banned WhatsApp but was forced to reinstate access to the social network following an appeal. Yesterday, judges banned WhatsApp once again, and this time, the company faces a fine of $15,300 per day until it decides to comply with the judicial order to decrypt the messages involved in the criminal investigation.

A few hours after the attack took place, the same court, TJRJ (Tribunal de Justiça do Estado do Rio de Janeiro), decided to lift WhatsApp’s ban. The social network is now once again accessible in the country.

By Catalin Cimpanu



Apple Patches Remote Code Execution Flaws

Apple released a patch for vulnerabilities affecting the iTunes, iOS, Safari, OS X El Capitan, tvOS, and watchOS line of products. The update includes a patch of critical vulnerabilities in iOS and OS X that could allow remote code execution.

Cisco Talos senior security researcher Tyler Bohan discovered flaws in the OS X platform’s image processing format. The vulnerabilities are comparable to the Stagefright vulnerabilities in Android devices discovered a year ago by Joshua J. Drake at Zimperium zLabs. The iOS flaw allows for nearly undetectable theft of passwords from iPhones.

“When rendered by applications that use the Image I/O API, a specially crafted TIFF image file can be used to create a heap based buffer overflow and ultimately achieve remote code execution on vulnerable systems and devices,” Cisco Talos threat researcher Earl Carter wrote in a blog post. “This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images.”

An attacker could deliver a payload to launch the vulnerability using iMessages, malicious web pages, MMS messages, or other malicious file attachments, according to Talos.

Security firm Zscaler discovered a separate vulnerability affecting OS X El Capitan that grants unauthorized access of cookies stored in the Safari browser to applications that do not have appropriate privileges. “This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user,” Zscaler senior software engineer Abhinav Bansal wrote in a company blog post.

Amit Sinha, CTO and EVP of engineering and cloud operations at Zscaler, said the flaw is a “major vulnerability” affecting all Mac users. “Any application that is installed on the Mac App Store has full access” to the persistent cookies stored unencrypted in Safari’s cookie store.

Sinha said it would be “trivial” for an attacker to exploit the vulnerability and access all cookies stored by affected users. A popular application could gain access to victims’ cookies in a widespread attack that requires you to craft specific malicious code. “No special permissions are needed,” he said.

Zscaler researchers found three other vulnerabilities affecting Mac OS X and iOS, he said. The vulnerabilities were reported to Apple and have not yet been disclosed.

Many of the updates involved situations in which Apple discovered additional related vulnerabilities following reports of vulnerabilities disclosed by external researchers, according to WatchGuard Technologies information security threat analyst Marc Laliberte. “While investigating further into a reported vulnerability should be the status quo, that isn’t always the case,” he wrote in an email.