iOS hackers are some of the most sought after individuals in the security research community. Geniuses like Comex who come up with jailbreaks used by millions of iPhone and iPad users are offered incredible sums of money to sell their exploits to powerful and high profile clients.
Sure, you could win a decent amount of cash at a security conference for showing off the exploits you’ve uncovered, but why not make $250,000 and secretly sell your stuff to say, an entity like the U.S. government?
That’s exactly what a security researcher/middle man by the pseudonym of “Grugq” did for an unnamed iOS hacker. Located in Bangkok, Grugq made 15% commission off negotiating a $250,000 deal with a contact in the U.S. government. Grugq facilitated the transaction of the exploit information from the hacker in exchange for the 6-figure payout from the client.
via Hackers Can Make $250,000 Selling iOS Exploits To The Government | Cult of Mac.
Recent revelations surrounding hacker attacks infiltrating JPMorgan Chase & Co. leave questions about why we’re seeing an increasing number of successful attacks on major institutions. It turns out that protecting an institution full of personally identifiable information is more complex than just having a good cybersecurity team.
Hackers were able to unleash malicious software onto Chase’s internal system through a security gap in one of the bank’s consumer-facing websites. The offending group was well researched and equipped with custom malware specifically targeted at Chase. Right now the extent of the damage is unknown as investigators continue to explore the breach.
via JP Morgan’s security breach points to broader issues in cyber security | VentureBeat | Business | by Ruth Reader.
It’s been a long time since Microsoft had a Patch Tuesday this bad. By Friday they were conceding problems with several updates. Not only did they withdraw four updates, but they recommended that users uninstall one of them.
via What went wrong with Microsoft's August updates? | ZDNet.
Target Corp.’s TGT -0.66% computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.
Members of Target’s computer-security staff raised concerns about vulnerabilities in the retailer’s payment-card system before the massive hacking occurred. Danny Yadron has details on the News Hub.
At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.
via Target Staff Raised Security Concerns Before Data Breach – WSJ.com.
The U.S. government, finally realizing that it has to take action to ensure a minimum level of cybersecurity in networks that manage the nation’s energy, water and financial services, presented the Framework for Improving Critical Infrastructure Security on Wednesday. The document, which was put together by industry and government experts, is a compilation of cybersecurity standards and best practices; it is the result of the year-old Executive Order 13636, under which President Barack Obama directed operators of critical infrastructure to provide guidance for defending their networks.
via U.S. Gives Cybersecurity Advice to Critical Infrastructure Operators—But No Rules – IEEE Spectrum.
When I discuss the insider threat with folks in the community, there seems to be several schools of thought. For example, some will apply a much lower risk to the insider threat, treating it as a one-off chance that an employee gets mad and does something bad out of spite. While this is a possibility, insider threats can run much deeper. We tend to pay attention to events that are in our face, such as an employee gone mad running around with WiFi DoS tools and malware-laced USB thumb drives. This would certainly catch our attention.
via Detecting Snowden – The Insider Threat | Tenable Network Security.
Adobe Systems Incorporated – after a compromise needs to have users change their passwords. Not knowing a better way to deal with this Adobe sent an easy to spoof email. Can you say phishing in ten seconds? Maybe they should try a signed email? What do you think?
Microsoft is reporting an unpatched vulnerability in all versions of Internet Explorer. All versions of IE, other than those running on Windows Server, are vulnerable. This includes Internet Explorer 11 on Windows 8.1 and RT.
via Microsoft reports IE zero-day attacks | ZDNet.