Friday, September 29, 2017

You already know about the Deloitte breach, but did you know this?


According to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

Information shared by a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.

It appears that Deloitte has known something was not right for some time. According to this source, the company sent out a “mandatory password reset” email on Oct. 13, 2016 to all Deloitte employees in the United States.

“They (hackers) accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

For more info:
https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

Thursday, September 28, 2017

Some things you may not know about the risks associated with SSN



It’s only the last four digits that separate you from other Americans.

Using social media and other data, researchers found they could identify the first five numbers of 44% of deceased people born between 1988 and 2003 in just one attempt.


When you carelessly give your Social Security number like you do your telephone number on Match.com, you are putting more than just your tax records in jeopardy. That number is also tied to your medical records, retirement accounts, and credit history.

Contrary to popular belief, a new number is not a “get out of jail free” card. For one, it’s not that easy to secure a different number. According to AARP, only 400 new numbers were issued in 2016, despite having over 15 million people victimized by identity theft.


For More Info:
https://www.cheatsheet.com/money-career/worst-mistake-you-can-make-with-your-social-security-number.html/?a=viewall

Tuesday, September 26, 2017

Security flaw that could allow remote access (iPhone, Android and others). iOS 11 not affected

According to a report from Google Project Zero, a security flaw has been found in iPhones and other devices that use Broadcom Wi-Fi chips. The weakness allows a hacker to remotely take over the device knowing only the MAC address or network-port ID. Since the MAC address of a connected device is easily obtained, it is considered a serious threat.

iPhones aren't the only devices at risk. Beniamini has confirmed that Apple TV, Android phones (including the S7 Edge), select routers and smart TVs are also "at risk."


For More Info:
https://www.techspot.com/news/71146-security-flaw-found-broadcom-chipset-allows-hackers-hijack.html

Did you know - New Security Measures in iOS 11 - Establishing Trust with a PC Now Requires a Passcode

In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing a trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose.

iOS 11 modifies this behaviour by requiring a second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device asks for the passcode in order to complete pairing.


For More:
https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/

Authentication - PIN, Touch ID, Face ID - Pros and Cons.



Here is an excellent article that provides some clarification:

https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/

Friday, September 22, 2017

Enterprise Security Blind spots


(no surprise here)
61 percent of respondents said that the main security blind spot in the enterprise is unmanaged devices, followed by not up-to-date systems, applications and programs at 55 percent.





More Here:
http://www.zdnet.com/article/hackers-reveal-leading-enterprise-security-blind-spots/

Not a joke - Hacker does NOT want money, demands nude picture



MalwareHunterTeam tweeted out news of a screenlocker posing as ransomware where the bad guys request nude photos of the victim instead of money.


More Here:
https://www.scmagazine.com/hacker-asks-for-nude-photos-of-victim-instead-of-money-to-unlock-computer/article/695137/

Wednesday, September 20, 2017

Updated Metasploit Cheat Sheet from SANS

iOS Feature (not bug) - Turning Off Wi-Fi and Bluetooth in Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth



From the Article:

To be clear, and to be fair, this behavior is exactly what Apple wants. In its own documentation, the company says that "in iOS 11 and later, when you toggle the Wi-Fi or Bluetooth buttons in Control Center, your device will immediately disconnect from Wi-Fi and Bluetooth accessories. Both Wi-Fi and Bluetooth will continue to be available." That is because Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation.

For More Info
https://motherboard.vice.com/en_us/article/evpz7a/turn-off-wi-fi-and-bluetooth-apple-ios-11

Tuesday, September 19, 2017

Interesting (and a bit scary) - Red Alert 2.0 (Trojan) can block incoming calls (from my Bank?)

How come the people who make products can't be this smart?



Red Alert 2.0 (Trojan) continues to be updated with functionality recently added to block incoming calls from banks, including those which may be from financial fraud departments investigating potential malicious activity.


More here:
https://www.tripwire.com/state-of-security/featured/red-alert-android-banking-trojan/

Monday, September 18, 2017

Four Cheat Sheets for Malware Analysis from SANS



  1. Reverse-Engineering Malicious Code 
  2. REMnux Usage Tips for Malware Analysis on Linux 
  3. Analyzing Malicious Documents 
  4. Malware Analysis and Reverse-Engineering 


Get it here:
https://digital-forensics.sans.org/blog/2017/09/13/malware-analysis-cheat-sheets

Thursday, September 14, 2017

Have you heard of Consumer Scores? If the answer is NO, then you have not heard of "Data Brokers" either.


Data brokers are companies which collect personal information on people through both public and private sources—from court records to websites to store sales—and provide it to a wide range of buyers.

It’s unknown exactly how many data brokers operate in the United States, because so many keep a low profile. Credible estimates range from 2,500 to 4,000.

A consumer score is a computer-generated number that attempts to predict your likelihood to get sick, or to pay off a debt. Consumer scores are similar to FICO credit scores, but aren’t regulated as to what factors can be used and how transparent the score and its contributing factors are to the scored individual.


There are three causes for concern. 
First, consumer scores are a secret. If those who sell them are evasive about explaining details, those who use them usually are almost totally unknown.

Second, collected data is often incorrect. “We found a 50 percent accuracy rate in Acxiom data we looked at,” says Dixon, “and they are considered among the best.”

Third, and most disturbing, there’s nothing consumers can do about any of this. They don’t know what data is being collected, or by whom. They don’t know what’s being done with it. They don’t know where it is going.


For More Info:
http://www.newsweek.com/secretive-world-selling-data-about-you-464789

What happens if you don't patch your system - Ask Equifax


Everyone wants to go to heaven, but no one wants to die.
Every company wants to be fully protected, but most of them don't want to patch (in time).

As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017.


BTW.
The company also appears to have suffered another data breach, this time in Argentina, where Brian Krebs reports “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”


For More info:
https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/

Thursday, September 7, 2017

Are You Really Buying Spring Water?


Water sold in a bottle may be labeled distilled, spring, mineral, artesian or sparkling, to name a few. More than 17 million barrels of oil are used in the manufacture of bottled water and 50 billion water bottles are used and discarded every year. The cost of bottled water may be as much as 2,000 times more than tap water; 8 glasses of water each day from your tap costs approximately 49 cents per year while the same amount in bottled water costs $1,400.

For More details:
http://articles.mercola.com/sites/articles/archive/2017/09/06/are-you-really-buying-spring-water.aspx