We’ve Moved!

Posted in: General Info | Comments Off

Cyberhank.com has made the move to the Google platform.

Our site is now hosted by Google Domains. We will be investigating new features and functions in the near future.

H.M. DeBardeleben MSITM @ January 28, 2015

New iCloud Hacking Tool Released

Posted in: Security Awareness, Threats, Hacks | Comments Off

A new hacking tool called iDict has been made available online. iDict is designed to perform brute force dictionary attacks against Apple’s iCloud service.

Fortunately, iDict’s capabilities are limited by the size of the dictionary it uses to guess your password. So you’re really only in danger if your password is on the 500-word-long list included with the hacker tool.

The key takeaway here is that you should always use strong passwords. For those who don’t know, a strong password:

  • Is at least eight characters long.

  • Does not contain your user name, real name, or company name.

  • Does not contain a complete word.

  • Is significantly different from previous passwords.

  • Contains characters from each of the following four categories:

    Uppercase letters: A, B, C

    Lowercase letters: a, b, c

    Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

    Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
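The rules above, as an added Python example that is not from the original post: it reports which of the listed rules a candidate password fails. The word list, account names and password history are constructed stand-ins, and the similarity measure (longest common substring) is an assumption, since the post does not define "significantly different".

```python
import string

# Constructed stand-in for the kind of short word list a dictionary attack
# tool ships with (the post mentions a 500-word list; this is not that list).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou", "monkey"}

# The four character categories listed in the post.
CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def categories_used(pw):
    """Names of the categories that appear at least once in pw."""
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in pw)}


def similarity(a, b):
    """Longest common substring as a fraction of the longer string (assumed metric)."""
    a, b = a.lower(), b.lower()
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best / max(len(a), len(b), 1)


def check_password(pw, user_name, real_name, company, previous, dictionary=COMMON_WORDS):
    """Return the list of rules from the post that pw fails (empty list = passes all)."""
    failures = []
    low = pw.lower()
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    for label, ident in (("user name", user_name), ("real name", real_name), ("company name", company)):
        # Each word of the identity string (3+ chars) must not appear in the password.
        if any(len(part) >= 3 and part in low for part in ident.lower().split()):
            failures.append(f"contains {label}")
    if any(word in low for word in dictionary):
        failures.append("contains a complete dictionary word")
    if any(similarity(pw, old) >= 0.5 for old in previous):
        failures.append("too similar to a previous password")
    if len(categories_used(pw)) < 4:
        failures.append("missing character categories")
    return failures
```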

H.M. DeBardeleben MSITM @ January 3, 2015

A+ Certification

Posted in: Security Awareness, Training | Comments Off

CompTIA’s A+ is a widely accepted, basic level certification, well suited for entry-level professionals. It is particularly useful for demonstrating an understanding of computers. I was fortunate enough to be able to gain college credit for passing the A+ certification. Western Governors University has the certification built into the IT Management program. The exam covers maintenance of desktops, laptops, mobile devices, operating systems and printers. In order to receive the current CompTIA A+ certification, you must pass two exams: CompTIA Exam 220-801 and 220-802. Each exam consists of 90 multiple choice and performance-based questions. Test-takers have 90 minutes to complete each exam.

In today’s I.T. market, a broad range of knowledge and skills not only makes you more valuable in your present position but also presents you with more opportunities for your future. Having an A+ can help get you a help desk analyst or desktop support technician position to start your I.T. career. Many Government contract IT positions require A+ certification.

I currently hold a Master’s Degree in IT Management and still make sure to list my A+ certification, along with the other certificates I hold. Many employers place a great deal of emphasis on technical certifications. The certification continues to be just as relevant to new trends and cutting-edge technology as it was when it was launched in 1993 as a credential for the break-fix PC repairman. Staying current with technology, the exam moved from being PC-centric to incorporating learning objectives for PCs, tablets, smartphones, cloud computing and cyber security.

I also see a lack of basic knowledge in some of my peers, even though they may have years of experience, “high-level” certifications, and even degrees. Plenty of times I have seen colleagues struggle to figure out a particular issue because they did not follow the steps outlined in the troubleshooting theory (covered in the Troubleshooting domain for exam 220-802).

I would strongly disagree with those who say certifications are useless. While on the job experience is invaluable, add to that job-specific certifications like the A+ and you will eventually find more opportunities and more money. When you have three people applying for a position and all appear equal in skills, knowledge, and experience, but one has a certification in the area a company is hiring for, which one do you think will get the job?

The truth is that earning the A+ certification is better than earning no certifications at all. This is especially true for someone with very little or no experience in the field. The A+ demonstrates that they have some knowledge. However, the worth of the A+ or any particular certification will depend on the particular area of I.T. one plans to go into, as well as the potential employer’s opinion about certifications.

I.T. professionals should have the A+ credential on their resumes. Earning the A+ certification gives potential I.T. professionals a higher level of confidence, credibility, better salaries, enhanced career opportunities and even credit towards other certifications. It doesn’t matter if you plan to go into help/service desk, desktop support, web development, networking, or I.T. security, the A+ certification is a great foundation to build your I.T. career on, which is the key.

H.M. DeBardeleben MSITM @ October 18, 2014

Latest Retail Data Breach

Posted in: Security Awareness, Threats, Breaches & Leaks | Comments Off

Kmart has been confirmed as the latest retail chain to be breached after its parent company Sears Holdings Corp admitted that some customers’ debit and credit card numbers had been compromised.

In a form submitted to the Securities and Exchange Commission (SEC), Sears says its IT team discovered the breach on 9 October and that further investigations suggest the incursion may have begun at the start of September.

Ongoing forensic examination suggests that no personal information, debit card PINs, social security numbers or email addresses have been snaffled by those behind the attack.

A statement released by Sears said sorry to its customers:

We sincerely apologize for any inconvenience this may cause our members and customers. We want our members and customers to be aware of the situation and we suggest that customers carefully review and monitor their debit and credit card account statements.

The press release, which neither reveals how many payment cards have been compromised nor the nature of the malware used, says there is no evidence that online customers of kmart.com have been affected.

The company says that Kmart’s IT team launched an investigation immediately, alongside an external security firm, and that it continues to work in conjunction with law enforcement and banking partners. Sears also revealed that it is deploying additional software to help safeguard its customers’ data.

The firm has offered free credit monitoring to customers who shopped at Kmart with a debit or credit card during September and up until 9 October but also advises them to monitor their statements for unusual activity.

Kmart, which has a network of 1221 stores across the United States, is only the latest US retailer to suffer a data breach.

In December 2013 Target became the temporary record holder for the largest ever retail breach as attackers used point-of-sale malware to sneak off with 40 million payment card records. The company also reported a second part of the breach which saw the loss of 70 million ‘guest’ records which contained personal information.

Other notable retail incursions over the previous twelve months include one at luxury US retailer Neiman Marcus which saw an undisclosed number of payment cards compromised.

In January, North American craft store Michaels experienced its second breach in 3 years, later reporting that over 2.5 million payment cards were likely to have been affected.

More recently, the restaurant chain P.F. Chang’s revealed in June that it was investigating a potential breach of credit and debit card data. The company later confirmed that payment cards used in 33 of its restaurants were potentially at risk.

In August, point-of-sale malware was used once again, this time to breach Supervalu. While the company hasn’t confirmed how many payment cards were compromised, it did reveal that its investigation was looking into 200 of its stores.

Last month a breach at Home Depot led to the compromise of 56 million unique payment cards after its point-of-sale systems were targeted with custom malware. The scale of this attack makes it the biggest in retail history, surpassing even Target.

More proof, if any was needed, that data breaches are a huge concern to the retail industry came just a few days ago when Dairy Queen became the latest victim, confirming it has found malware known as Backoff on its PoS systems.

With data breaches costing not only billions of dollars, but claiming executives’ jobs as well, now is as good a time as any for firms within every sector to reassess their security implementation. (We have 6 tips for both businesses and consumers here.)

Companies may also be well advised to revisit their incident response plan, or to create one quickly if they don’t have one in place already.

H.M. DeBardeleben MSITM @ October 14, 2014

SnapChat Compromised

Posted in: Security Awareness, Threats, Breaches & Leaks, Hacks | Comments Off

We’ve been warning you for some time now, nothing on the Internet is private, or safe from prying eyes. There are several apps available to capture and save images from SnapChat.

A giant database of intercepted Snapchat photos and videos has been released by hackers who have been collecting the files for years. Shocked users of the notorious chat forum 4chan are referring to the hack as “The Snappening,” noting that this is far bigger than the iCloud hacks that recently targeted celebrities.

Underground photo-trading chat rooms have been filled in recent weeks with hints that something big was coming. Thursday night it finally arrived: A third-party Snapchat client app has been collecting every single photo and video file sent through it for years, giving hackers access to a 13GB library of Snapchats that users thought had been deleted.

Users of 4chan have downloaded the files and are creating a searchable database that will allow people to search the stolen images by Snapchat username.

The database of Snapchat files posted online was hosted on viralpop.com, a fake competition website that installed malicious software on the computers of users trying to take part. That site has now been suspended and taken offline, although thousands of people have already downloaded the collection of Snapchats.

H.M. DeBardeleben MSITM @ October 11, 2014

Largest Bond Insurer in US exposes Sensitive Data

Posted in: Security Awareness, Threats, Breaches & Leaks | Comments Off

KrebsOnSecurity reports that MBIA, Inc., the United States’ largest bond insurer, misconfigured a company Web server, and this has led to the exposure of sensitive personal details. The site reports that the personal data, which includes account numbers and balances as well as administrative credentials, has been indexed by search engines. “In some cases, the documents indexed by search engines featured detailed instructions on how to authorize new bank accounts for deposits, including the forms and fax numbers needed to submit the account information,” states the site.

H.M. DeBardeleben MSITM @ October 10, 2014

Breach Apathy

Posted in: Security Awareness, Threats, Breaches & Leaks | Comments Off

Is the general public becoming desensitized to security breaches?

Henry M DeBardeleben
October 9, 2014

With new security breaches being reported almost weekly now, has the public in general become numb to the dangers these breaches represent? Over the past few years there have been breaches of confidential data at TJX, Home Depot, Target and so on.

And the breaches are not limited to retailers; JPMorgan Chase, AT&T and the US Department of Veterans Affairs have been victims of data breaches. It seems that every time I watch the news there’s a story about a data breach.

The disturbing thing is that these breaches are not all the result of hackers breaking into a system from outside of the company. In the case of the VA and AT&T the breaches were caused by insiders. The VA incident involved an employee bringing a VA laptop home and having it stolen from his car. The laptop contained the personal information of several million current and former military members. In the AT&T case it seems that a now-former employee accessed account information, including Social Security and driver’s license numbers.

Data breaches have become so common that people seem apathetic towards them. Home Depot stock is nearing an all-time high after the compromise of the personal information of over 40 million customers. Target, which suffered a data breach last year, dropped nearly 20 points in the market but is now at pre-breach levels again.

RSA, a company that supplied much of the world with security key fobs, those little devices with the ever-changing number sequences in the display, was the victim of a data breach triggered by a failure in security awareness. An RSA employee opened an email from his Junk email box because it had an eye-catching subject, “2011 Recruitment plan.xls”. This was, of course, a spear phishing attempt, one that proved successful and resulted in RSA having to spend millions to redefine the security algorithm used to generate the synchronized numbers and to reissue tens of millions of new key fobs to customers, many of which were defense contractors.

So what do we take away from this? If customers aren’t going to hold businesses liable for mishandling or under-protecting sensitive data the businesses have little incentive to act proactively in protecting said data. Companies need to implement dynamic security awareness programs in addition to intrusion detection and prevention systems.

RSA had no choice but to react quickly and completely due to the very nature of their product. Target, Home Depot and the others, by contrast, are still reacting to what happened to them, some several years after the fact. If there were a greater outcry from the customers, these companies would have put forth every possible effort to rectify the situation and prevent future incidents. Instead, what I fear is that they will continue to be reactive rather than proactive.

H.M. DeBardeleben MSITM @ October 9, 2014

AT&T Insider Leaks Account Information

Posted in: Security Awareness, Threats, Breaches & Leaks | Comments Off

AT&T, one of the US’s biggest telecoms, has fired an insider for having thumbed through customer accounts without authorization and potentially slurping customers’ taxpayer IDs, driver license numbers and more.

Sources familiar with the incident said about 1,600 people were affected, according to The Register.

Michael A. Chiarmonte, director of finance billing operations at AT&T, said in a letter that the now-former employee got into people’s accounts in August:

We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number.

Additionally, while accessing your account, the employee would also have been able to view your Customer Proprietary Network Information without proper authorization.

H.M. DeBardeleben MSITM @ October 8, 2014