FEMA Data Breach Hits 2.5 Million Disaster Survivors

The Federal Emergency Management Agency (FEMA) unlawfully shared the private information of 2.3 million hurricane and wildfire survivors with a federal contractor that was helping them find temporary housing, an inspector general from the Department of Homeland Security said Friday. The data includes “20 unnecessary data fields” such as “electronic funds transfer number,” “bank transit number” and addresses. CNN reports: FEMA said it began filtering the data in December 2018 to prevent this information from being shared, but a more permanent fix may not be finalized until June 2020. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” said Lizzie Litzow, press secretary for FEMA, in a statement.

“To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”

Germany Urged To Champion Global Treaty To Ban ‘Killer Robots’

An anonymous reader quotes a report from Reuters: Nobel Peace Prize laureate Jody Williams and other activists warned on Thursday that fully autonomous weapons could be deployed in just 3-4 years and urged Germany to lead an international campaign for a ban on so-called “killer robots.” Williams, who won the Nobel in 1997 for leading efforts to ban landmines, told reporters Germany should take bold steps to ensure that humans remained in control of lethal weapons. “You cannot lead from the rear,” she said. Critics fear that the increasingly autonomous drones, missile defense systems and tanks made possible by new artificial intelligence could turn rogue in a cyber-attack or as a result of programming errors.

German Foreign Minister Heiko Maas called last week for action to ensure human control of lethal weapons, but is pushing a non-binding declaration rather than a global ban, given opposition by the United States, Russia and China. The United Nations and European Union have called for a global ban, but discussions so far have not yielded a clear commitment to conclude a treaty. Activists from over 100 non-governmental groups gathered in Berlin this week to pressure Maas and the German government to take more decisive action after twice endorsing a ban on fully autonomous weapons in their 2013 and 2018 coalition accords.

Pwn2Own Researchers Exploit Mozilla Firefox, Microsoft Edge and Tesla

A fully patched Mozilla Firefox web browser was no match for researchers at the Pwn2Own competition, though Mozilla found itself up to the task and has already patched the issue. Firefox wasn’t the only thing hacked at Pwn2Own as researchers were also able to exploit the internet browser on a Tesla Model 3 as well.

Fake CDC Emails Warning Of Flu Pandemic Push Ransomware

A new malspam campaign is being conducted that pretends to be from the Centers for Disease Control and Prevention (CDC) and warns of a new flu pandemic. Attached to the emails is a malicious attachment that, when opened, installs the GandCrab v5.2 Ransomware on the target’s computer.

A business world in the Clouds

Safeguarding against the security pitfalls of Cloud-Based Platforms

The majority of us are intimately familiar with the concept of ‘the Cloud’, the seemingly omnipresent information sharing and storage solution. But how much do you know about the security systems that defend it? Most of you may already be using cloud-based programs such as Google Docs, Dropbox or, more commonly, Microsoft Office 365 – the near ubiquitous email collaboration platform found in most offices. However, as fears surrounding data security grow, an understanding of the risks and rewards of cloud computing is more important than ever.

Bank Payment Scams Claim 84,000 Victims

The BBC has today reported that scams in which criminals trick bank customers into paying them money out of their bank accounts jumped by 45% in the second half of last year. Over the whole of last year, more than 84,000 bank customers fell victim, some losing tens of thousands of pounds. Banks say scam merchants are shifting their attention from trying to penetrate banking systems to conning members of the public directly. Businesses are being targeted as well, with a similar sharp rise, to £209m, in suspicious transfers unwittingly authorised by staff members.

How Threat Intelligence Helps Determine File Reputation

Should you open that attachment? Determining whether a file is safe to open, or whether it comes from a reputable source, is getting to be tricky business these days. Without quick context from threat intelligence, determining file reputation is becoming increasingly complicated.

Tripwire Patch Madness: The Challenge

Welcome to Tripwire Patch Madness! Comprised of 26 vulnerabilities divided into two conferences and four divisions, the goal of this tournament is to declare which named vulnerability is king of Patch Madness! The original list of named vulnerabilities was taken from Hanno Böck’s named vulnerabilities repo. Any entries that did not have published CVSSv2 scores were dropped (not enough of the entries had CVSSv3 scores) and the list was topped up with other named vulnerabilities to give us a total of 13 vulnerabilities per conference.

Over the years, named vulnerabilities have been used to draw attention to critical issues and as a cry for attention from those that discovered them. In many cases, the criticality of the issue warrants the name, an easy-to-reference identifier for those that don’t enjoy keeping CVEs in their heads. There have been times, though, when those that discovered a vulnerability simply wanted attention. For that reason, each division, containing either 6 or 7 named vulnerabilities, has been seeded using each vulnerability’s CVSSv2 score.

The rules:

1. Each conference is comprised of 13 teams.
2. Teams were randomly assigned conferences and divisions.
3. Each conference consists of a 7-team division and a 6-team division.
4. Each division was seeded using CVSSv2 base scores.
5. Byes
   a. Within the 6-team division, the highest seeded team receives a bye in the second round.
   b. Within the 7-team division, the highest seeded team receives a bye in the first round.

While we’re not ready to reveal just how we’ve determined the winning vulnerability in each round of the tournament, we invite you to play along and tweet your thoughts on the winners using #PatchMadness. Feel free to take the initial bracket release and complete it fully, sharing your thoughts on the outcome of the tournament.

WordPress Themes Open Redirection

Many WordPress themes and a plugin suffer from open redirection vulnerabilities. The Age-Verification plugin version 0.5 is affected. Themes affected include Ev version 1.x, Nine-Day version 1.6, Aibbt version 1.0, itiis version 1.x, ifxPro.Cn version 5.0, 2kqq version 5.2, Azzxx version 1.2.1, BigChrome version 5.2, clsn-003 version 1.0, Concise version 2.8, TaozHuji version 5.2, UsaMusic-PC version 1.0, Wngzs version 1.0, 2018110612035976 version 1.7.3, Begin4.6 version 4.6, Begin5.2 version 5.2, Begin44 version 4.4, BeginLTS version 6, Zangai version 1.1.0, Deep version 5.4, and Wopus version 1.0.