What you need to know for your personal cyber security life…
Number Thirteen in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life everyday now is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the loop.
# # #
Exclusive: Snowden Swiped Password From NSA Coworker
- BY MICHAEL ISIKOFF
- NBC News
- February 12th 2014
A civilian NSA employee recently resigned after being stripped of his security clearance for allowing former agency contractor Edward Snowden to use his personal log-in credentials to access classified information, according to an agency memo obtained by NBC News.
In addition, an active duty member of the U.S. military and a contractor have been barred from accessing National Security Agency facilities after they were “implicated” in actions that may have aided Snowden, the memo states. Their status is now being reviewed by their employers, the memo says.
The Feb. 10 memo, sent to congressional intelligence and judiciary committees this week, provides the first official account of a sweeping NSA internal inquiry aimed at identifying intelligence officials and contractors who may been responsible for one of the biggest security breaches in U.S. history. The memo is unclassified but labeled “for official use only.”
While the memo’s account is sketchy, it suggests that, contrary to Snowden’s statements, he used an element of trickery to retrieve his trove of tens of thousands of classified documents: “At Snowden’s request,” the civilian NSA employee, who is not identified by name, entered his password onto Snowden’s computer terminal, the memo states.
# # #
White House pushes cybersecur
ity framework for critical infrastruc ture
- By Grant Gross
- IDG News Service
- February 12, 2014
A new cybersecurity framework released Wednesday by the Obama administration aims to help operators of critical infrastructure develop comprehensive cybersecurity programs.
The voluntary framework creates a consensus on what a good cybersecurity program looks like, senior administration officials said. The 41-page framework takes a risk management approach that allows organizations to adapt to “a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner,” according to the document.
Organizations can use the framework to create a “credible” cybersecurity program if they don’t already have one, said one senior Obama administration official. “The key message is that cybersecurity is not something you just put in place and walk away,” the official said, in a background press briefing. “There’s no prescription or magic bullet for cybersecurity. There are only well-conceived, proven ways of continuously managing the risks.”
The framework, building on a presidential directive from a year ago, can help “companies prove to themselves and to their stakeholders that good cybersecurity can be the same thing as good business,” the official said.
# # #
Hackers target Adelson casino empire’s website
- BY JTA
- February 13, 2014
The website of the casino operation owned by Jewish billionaire Sheldon Adelson was hacked by unidentified vandals who criticized his support for Israel
The hackers on Tuesday took over the home page of websites run by the Las Vegas Sands Corp., the world’s largest casino operator, which is owned by Adelson. In addition to criticizing Adelson over comments he made in October about Iran and its nuclear program, the hackers also posted personal information about employees, including email addresses and Social Security numbers, according to The Morning Call newspaper based in Allentown, Pa.
The company email system also reportedly was not working, and the Sands’ corporate website and the sites of its resorts in Las Vegas, Macau and Singapore did not function.
The Las Vegas Sands websites were down on Wednesday, with messages saying they were undergoing maintenance.
# # #
Email Attack on Vendor Set Up Breach at Target
- By Brian Krebs
- Krebs on Security
- February 12, 2014
The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.
Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.
Two of those sources said the malware in question was Citadel — a password-stealing bot program that is a derivative of the ZeuS banking trojan — but that information could not be confirmed. Through a PR firm, Fazio declined to answer direct questions for this story, and Target has declined to comment, citing an active investigation.
In a statement (PDF) issued last week, Fazio said it was “the victim of a sophisticated cyber attack operation,” and further that “our IT system and security measures are in full compliance with industry practices.”
# # #
Inside Endgame: A Second Act For The Blackwater Of Hacking
- By Andy Greenberg
- Forbes Staff
This story appears in the March 3, 2014 issue of Forbes.
In the classic hacker career narrative, a juvenile genius breaks into the Internet’s most sensitive networks, gets caught and then settles into a lucrative corporate gig selling his skills for defense. Nate Fick is trying to pull off the same story with an entire company.
Fourteen months ago Fick took over as chief executive of Endgame, perhaps the most controversial name in Washington, D.C. cybersecurity contracting. For years Endgame’s elite hackers worked in the shadows of the Beltway to build and sell “zero-day exploits,” an industry term for malicious code that abuses a previously unidentified vulnerability. As a contractor to military and intelligence agencies including the NSA, it enabled some of those customers’ most intrusive spying practices by offering ways to break into software from the likes of Microsoft – MSFT +0.79%, IBM – IBM +0.3% and Cisco for millions of dollars.
Fick’s daunting task now: To shift his firm’s focus to the far wider market in commercial defense products — and in the process, to shed its reputation as the Blackwater of hacking. The 36-year-old CEO, a former elite Marine reconnaissance captain who served in Iraq and Afghanistan before developing what he describes as a personal distaste for violence, hints at a motivation for the change beyond profit. An ethical cloud still hangs over Endgame for its track record in undermining the Internet’s security.
Fick’s first move: taking Endgame out of the zero-day exploit game. “The exploit business is a crummy business to be in,” says Fick, sitting at a coffee shop near Endgame’s unmarked office in Arlington, Va., which has never before allowed a reporter inside. “If we’re going to build a top-tier security firm, we have to do things differently… This is one of those happy circumstances where business realities, reputational concerns and my personal feelings aligned.”
# # #