Reminder: You’re more likely to catch a hack from a legit site

By Mike S

iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you’re wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. Though, iPhoneDevSDK is now working with Facebook’s security team in order to share information about what happened.

Also, this is a great reminder to log and monitor (or run a SIEM). An admin’s account was compromised, and then the website itself was hacked.

Tripwire would have caught the changes, and login auditing would have caught the hacker/admin’s actions.
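The file-integrity side of that point, as an added example that is not part of the original post and not Tripwire’s own code: take a SHA-256 baseline of a web root, re-scan later, and report what was added, removed or modified. The web root contents (`index.php`, `js/app.js`) and the simulated tampering are constructed for this example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a small web root (hypothetical file names and contents).
SAMPLE_SITE = {
    "index.php": b"<?php echo 'hello'; ?>",
    "js/app.js": b"console.log('app');",
}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/'-separated) to its hash and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline


def compare(baseline, current):
    """Diff two snapshots: files that appeared, disappeared, or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def write_files(root, files):
    """Write a {relative_path: bytes} mapping under root, creating directories."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Baseline the constructed web root, then simulate a defaced script and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, SAMPLE_SITE)
        baseline = build_baseline(root)
        # Simulated tampering: injected code appended to app.js plus an unexpected new file.
        write_files(root, {
            "js/app.js": b"console.log('app');/* injected */",
            "js/extra.js": b"/* unexpected file */",
        })
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if an attacker who owns the admin account cannot rewrite it: store it off-host (or sign it) and run the comparison from a separate system, which is the part a quick script like this leaves to the operator.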

via Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped | Ars Technica.

Category: Security | No Comments | February 20th, 2013

Chinese hackers attacked New York Times computers for four months

By Mike S

This is why you employ defense-in-depth and full network monitoring, even if you don’t care what websites your employees visit at work.

But while the company was informed by AT&T of suspicious activity over its network connection on October 25—the day the Wen story was published—the attack had begun weeks earlier and appears to have been focused on getting into the e-mail accounts of Times Shanghai Bureau Chief David Barboza and South Asia Bureau Chief Jim Yardley. The attack used 45 different pieces of custom malware code, including remote access tools that gave Chinese hackers the run of the Times’ network.

The attackers used a botnet of computers compromised at US universities to obscure the source of the attack. They then infected computers at the Times with malware, most likely through e-mail “spear phishing” attacks, and used the malware to install remote access tools on at least three target systems that allowed them to gather more information from the network—finally finding the Windows network domain controller and grabbing its user directory and password tables. The hackers then used the cracked passwords to access other systems and created a custom program built to infiltrate the Times’ mailserver to search all the e-mails and documents sent to Barboza and Yardley’s accounts—apparently searching for the names of people who may have spoken to Barboza as he reported on the Wen family.
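The login-auditing side of both stories above, as an added example that is not part of the original posts: the iPhoneDevSDK post says login auditing would have caught a compromised admin account, and the Times story describes cracked passwords being reused against other systems. The script below runs two checks over authentication records: successful logins from a source address the account has never used, and one account authenticating to several distinct hosts inside a short window (the fan-out that follows credential theft). The log format, host names, addresses and the per-account “known sources” baseline are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records (hypothetical hosts, users and addresses).
LOG_LINES = """\
2013-02-18T09:01:11 host=webadmin user=admin src=203.0.113.7 result=success
2013-02-18T09:40:02 host=webadmin user=admin src=203.0.113.7 result=success
2013-02-18T23:12:45 host=webadmin user=admin src=198.51.100.99 result=success
2013-02-18T23:13:10 host=fileserver1 user=admin src=198.51.100.99 result=success
2013-02-18T23:13:31 host=fileserver2 user=admin src=198.51.100.99 result=success
2013-02-18T23:14:02 host=dc01 user=admin src=198.51.100.99 result=success
2013-02-18T23:14:40 host=mail01 user=admin src=198.51.100.99 result=success
2013-02-18T10:05:00 host=ws-17 user=jsmith src=10.0.0.17 result=success
"""

# Constructed baseline: addresses each account normally logs in from.
KNOWN_SOURCES = {"admin": {"203.0.113.7"}, "jsmith": {"10.0.0.17"}}


def parse_line(line):
    """'<timestamp> key=value ...' -> dict with a parsed datetime under 'time'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def new_source_logins(events, known_sources):
    """Successful logins from an address outside the account's baseline."""
    return [
        e for e in events
        if e["result"] == "success"
        and e["src"] not in known_sources.get(e["user"], set())
    ]


def lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts that reach >= min_hosts distinct hosts within `window`.

    Returns {user: hosts} with the widest fan-out seen for each flagged account.
    Events are sorted per user first, so unordered log input is fine.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, e in enumerate(evs):
            # Distinct hosts among this event and the ones up to `window` before it.
            hosts = {x["host"] for x in evs[: i + 1] if e["time"] - x["time"] <= window}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(user, [])):
                alerts[user] = sorted(hosts)
    return alerts


def report(text=LOG_LINES, known_sources=KNOWN_SOURCES):
    events = parse_log(text)
    return {
        "new_source": [(e["time"].isoformat(), e["user"], e["host"], e["src"])
                       for e in new_source_logins(events, known_sources)],
        "lateral": lateral_movement(events),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(k, v)
```

On the constructed input the admin account trips both checks: five logins from an address it has never used, and five different hosts in under two minutes, including the domain controller and the mail server. The thresholds are deliberately conservative; the right window and host count depend on how an environment’s administrators actually work, which is what the baseline period is for.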

via Chinese hackers attacked New York Times computers for four months | Ars Technica.

Category: Security | No Comments | January 31st, 2013

Massive espionage malware targeting governments undetected for 5 years

By Mike S

Wow: Massive espionage malware targeting governments undetected for 5 years | Ars Technica.

Category: Security | No Comments | January 15th, 2013

Extremely critical Ruby on Rails bug threatens more than 200,000 sites

By Mike S

Bad news for RoR sites… it’ll probably be years before they’re all upgraded and patched.

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.

The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including Github, Hulu, and Basecamp, underscoring the seriousness of the threat.

via Extremely critical Ruby on Rails bug threatens more than 200,000 sites | Ars Technica.

Category: Security | No Comments | January 8th, 2013

Nine out of 10 hospitals lost personal data in last two years

By Mike S

These are pretty dismal statistics…

Ponemon Institute and security firm ID Experts … surveyed 80 health care organizations and found that 94 percent had experienced a data-loss incident in the past two years. Another 45 percent sustained more than five breaches during that period.

via Nine out of 10 hospitals lost personal data in last two years – SC Magazine.

All the requirements in the world won’t make a difference if the organizations do not allocate the resources to ensure compliance, and if the employees continue to fail to comply.

Category: Compliance | No Comments | December 7th, 2012

Surveillance and Security Lessons From the Petraeus Scandal

By Mike S

It’s interesting to see how extensive our police-state surveillance is:

While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.

The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.

via Surveillance and Security Lessons From the Petraeus Scandal.

Category: Security | No Comments | November 15th, 2012

Burglary via obituary

By Mike S

A low-tech variation on the “watch Facebook for announcements of when people will be away from home” scheme:

The scheme is simple enough: you open the newspaper or look online at the obituaries, and it’s a roadmap for criminals as to where you’ll be and when you’ll be there — a funeral home for the visitation, a cemetery for the burial.

via Burglary via obituary a growing problem in Utah | ksl.com.

Category: Security | No Comments | November 13th, 2012

Security Monitoring On A Budget: Security Knowhow Needed

By Mike S

Every company can afford – and must afford – some security monitoring.

Even three years ago, small businesses shied away from security monitoring as too complex and too difficult to deploy, with a 2009 article calling such systems “not for the faint of heart.”

Now, log-management services in the cloud, easier-to-use managed security services, and simpler security information and event management (SIEM) solutions have made security monitoring possible for all but the smallest firms. For such businesses, gathering intelligence on security events can be an offshoot of network monitoring or the other way around, but each can give companies better visibility into what is going on with their information systems, says Nicole Pauls, director of product management for SolarWinds, an information-technology provider.

via Security Monitoring On A Budget: Security Knowhow Needed – Dark Reading.

Category: News | No Comments | November 1st, 2012

PCI Professional Program Training now available

By Mike S

PCI SSC press release: PCI Professional Program Training now available.

Good news – it’s a credential you keep, regardless of where you work.

Category: Compliance | No Comments | November 1st, 2012

Hurricane Sandy Teaches Harsh BCP/DR Planning Lessons

By Mike S

Watch what happens as things go seriously wrong back east, and make contingency plans for your own business should things go badly where your servers are located.

Flooding and power outages caused by Hurricane Sandy have forced several New York data centers to switch to generator power. But those generators are quickly running out of fuel, so data center companies are telling their customers to shut down their servers and move workloads elsewhere.

One of the worst situations is at 75 Broad Street in Manhattan, where both Internap and Peer1 Hosting are shutting down operations “after basement-level flooding disabled critical diesel fuel pumps,” Data Center Knowledge reports. 75 Broad Street is part of the “Zone A” portion of the city that is under emergency evacuation orders, as is another data center operated by Datagram at 33 Whitehall Street. The Datagram outage led to downtime for popular websites Gawker, Huffington Post, and BuzzFeed.

Read the whole story via Hurricane Sandy takes data centers offline with flooding, power outages | Ars Technica.

Category: News | No Comments | October 31st, 2012