Personal Cybersecurity #25: Daily news

What you need to know for your personal cyber security life… 

Number twenty-five in a semi-regular series of daily reports on current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life every day is now a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.

# # #

HEADLINES…for this issue…

  • Syrian hackers claim to reveal how much FBI pays Microsoft for customer data
  • Chinese Police University Trains Beijing Hackers
  • Speedy attack targets Web servers with outdated Linux kernels
  • UCSF warns nearly 10,000 people of potential security breach
  • Secunia vulnerability report questioned by experts
  • Missing Perspective on the Closure of the Full-Disclosure Mail List
  • Teen hacker hits five Omani government websites
  • Obama Administration Denies ‘Abandoning the Internet’
  • Man Who Exposed Target Security Breach Is Focus of Sony Movie Deal (Exclusive)
  • Target Inc. Is Still a Liability Landmine

Syrian hackers claim to reveal how much FBI pays Microsoft for customer data

  • March 21, 2014

Syrian Electronic Army (SEA) hackers have reportedly obtained documents that reveal how much money the FBI pays Microsoft each time agents try to obtain or view an individual customer’s communication information.

The SEA, a group that has made headlines in the past for infiltrating Western media outlets that it perceives to be against Syrian President Bashar Assad, provided a trove of emails and invoices to the Daily Dot, which analyzed the documents before publishing them.

“The documents consist of what appear to be invoices and emails between Microsoft’s Global Criminal compliance team and the FBI’s Digital Intercept Technology Unit (DITU), and purport to show exactly how much money Microsoft charges DITU, in terms of compliance costs, when DITU provides warrants and court orders for customers’ data,” wrote the Daily Dot’s Kevin Collier and Fran Berman.

“In December 2012, for instance, Microsoft emailed DITU a PDF invoice for $145,100, broken down to $100 per request for information, the documents appear to show,” they went on. “In August 2013, Microsoft allegedly emailed a similar invoice, this time for $352,200 at a rate of $200 per request. The latest invoice provided, from November 2013, is for $281,000.”


# # #

Chinese Police University Trains Beijing Hackers

  • By Bill Gertz
  • Washington Free Beacon
  • March 20, 2014

China’s main internal security and police university is training hackers for cyber attacks, according to new information obtained by the U.S. government.

The People’s Public Security University in Beijing, a part of the Ministry of Public Security that trains all of China’s police and internal security troops, has several units engaged in training and operations for cyber attacks.

One section of the school was identified last month as a key training center for police network attack operations: The Network Attack and Defense Laboratory. The lab uses Chinese software that was identified last year by officials as designed for training cyber warfare operators and spies.

Disclosure of the police training unit for Chinese hackers follows several U.S. reports made public last year that identified China’s primary military hacking force as Unit 61398, located near Shanghai.

Another Chinese school, Wuhan University, also has been linked by U.S. intelligence agencies to cyber attacks against the West.


# # #

Speedy attack targets Web servers with outdated Linux kernels

# # #

UCSF warns nearly 10,000 people of potential security breach

  • By Marisa Lagos
  • March 20, 2014

SAN FRANCISCO — UCSF recently warned 9,986 people that their personal information may have been compromised after desktop computers were stolen from the university’s Family Medical Center at Lakeshore in January.

The unencrypted computers were taken from the Sloat Boulevard facility on or around Jan. 11, the university said in a written statement released last week. They contained “some personal and health information, which may have included individuals’ names, dates of birth, mailing addresses, medical record numbers, health insurance ID numbers, and driver’s license numbers,” according to the statement.

Additionally, the Social Security numbers of 125 individuals were on the computers.

There’s no evidence that anyone has tried to access or use the personal information, according to UCSF officials, but the university “is responding with the highest level of caution and concern.”


# # #

Secunia vulnerability report questioned by experts

  • By Steve Ragan
  • Salted Hash
  • CSO Online
  • March 19, 2014

On Tuesday, the OSVDB project outlined various problems with Secunia’s annual vulnerability report, including instances where Secunia counted vulnerabilities multiple times, or under-reported them. The project also took issue with how Secunia classified third-party products, which the Copenhagen-based firm says are non-Microsoft programs, a definition that isn’t shared by a majority of the security community.

“In the world of VDBs, we frequently refer to a third-party component a ‘library’ that is integrated into a bigger package,” the post explains.

“The notion that “non-Microsoft” software is “third-party” is very weird for lack of better words, and shows the mindset and perspective of Secunia. This completely discounts users of Apple, Linux, VMs (e.g. Oracle, VMware, Citrix), and mobile devices among others. Such a Microsoft-centric report should clearly be labeled as such, not as a general vulnerability report.”

The project acknowledged that their observations may be biased, as they are a direct competitor to Secunia due to the involvement of their commercial partner Risk Based Security (RBS) – but after looking at the source data, it’s hard to ignore the numbers.

To begin with, when examining the opening totals from Secunia, the OSVDB project says they are “incorrect and entirely misleading.”


# # #

Missing Perspective on the Closure of the Full-Disclosure Mail List


  • By jerichoattrition
  • March 19, 2014

This morning I woke to the news that the Full-Disclosure mail list was closing its doors. Assuming this is not a hoax (dangerously close to April 1st) and not spoofed mail that somehow got through, there seems to be perspective missing on the importance of this event. Via Facebook posts and Twitter I see casual disappointment, insults that the list was low signal to noise, and that many had stopped reading it a while back. I don’t begrudge the last comment one bit. The list has certainly had its share of noise, but that is the price we pay as a community and industry for having a better source for vulnerability disclosure. Speaking to the point of mail lists specifically, there were three lists that facilitated this: Bugtraq, Full-Disclosure, and Open Source Security (OSS). Bugtraq has been around the longest and is the only alternative to Full-Disclosure really (remember that VulnWatch didn’t last, and was ultimately low traffic). OSS is a list that caters to open source software and does not traffic in commercial software. A majority of the posts come from open source vendors (e.g. Linux distributions), the software’s maintainer, etc. It is used as much for disclosure as coordination between vendors and getting a CVE assigned.

One of the first things that should be said is a sincere “thank you” to John Cartwright for running the list so long. For those of you who have not moderated a list, especially a high-traffic list, it is no picnic. The amount of spam alone makes list moderation a pain in the ass. Add to that the fake exploits, discussions that devolve into insults, and topics that are on the fringe of the list’s purpose. Trying to sort out which should be allowed becomes more difficult than you would think. More importantly, he has done it in a timely manner for so long. Read the bold part again, because that is absolutely critical here. When vulnerability information goes out, it is important that it goes out to everyone equally. Many mails sent to Bugtraq and Full-Disclosure are also sent to other parties at the same time. For example, every day we get up to a dozen mails to the OSVDB Moderators with new vulnerability information, and those lists and other sources (e.g. Exploit-DB, OffSec, 1337day). If you use one or a few of those places as your primary source for vulnerability intelligence, you want that information as fast as anyone else. A mail sent on Friday afternoon may hit just one of them, before appearing two days later on the rest. This is due to the sites being run with varying frequency, work schedules, and dedication. Cartwright’s quick moderation made sure those mails went out quickly, often at all hours of the day and over weekends.

While many vulnerability disclosers will send to multiple sources, you cannot assume that every disclosure will hit every source. Some of these sites specialize in a type of vulnerability (e.g. web-based), while some accept most but ignore a subset (e.g. some of the more academic disclosures). Further, not every discloser sends to all these sources. Many will send to a single mail list (e.g. Bugtraq or FD), or to both of them. This is where the problem arises. For many of the people still posting to the two big disclosure lists, they are losing out on the list that was basically guaranteed to post their work. Make no mistake, that isn’t the case for both lists.


# # #

Teen hacker hits five Omani government websites

  • Staff Report
  • Gulf News
  • March 19, 2014

Muscat: Five Oman government websites, including the Telecommunications Regulatory Authority (TRA) and the General Directorate of Traffic, were hacked on Tuesday evening.

Local media reported that the hacker was a 14-year-old who calls himself Dr DarknesS. He said he hacked the TRA website to express his displeasure over the poor services provided by telecom companies, according to Shabiba daily newspaper.

The teenager said that one has to shell out a large amount of money when signing up for any telecom subscription but the service provided is below par.

“Hacking is the only way to register one’s protest,” the hacker said. The quality of Internet services in Oman is poor compared to other GCC countries, he said, adding that in neighbouring countries people have a wide choice because there are a large number of operators but here due to the monopoly the quality is very poor.


# # #

Obama Administration Denies ‘Abandoning the Internet’

  • By Brendan Sasso
  • National Journal
  • March 19, 2014

A top Commerce Department official pushed back Wednesday against concerns that the Obama administration is opening the door to an Internet takeover by Russia, China, and other authoritarian regimes.

The fears stem from the Commerce Department’s announcement last Friday that it plans to give the Internet Corporation for Assigned Names and Numbers, an international nonprofit group, control over the technical system that allows computers to connect to Web addresses.

“Our announcement has led to some misunderstanding about our plan, with some individuals raising concern that the U.S. government is abandoning the Internet. Nothing could be further from the truth,” Lawrence Strickling, the assistant Commerce secretary for communications and information, said in a statement. “This announcement in no way diminishes our commitment to preserving the Internet as an engine for economic growth and innovation.”

He said the U.S. government will continue to push ICANN to adopt policies that are in the interest of the United States and an open Internet.


# # #

Man Who Exposed Target Security Breach Is Focus of Sony Movie Deal (Exclusive)

  • By Borys Kit
  • The Hollywood Reporter
  • 3/19/2014

Sony has picked up the rights to the New York Times article “Reporting From the Web’s Underbelly,” which focused on cyber security blogger Brian Krebs. Krebs, with his site, was the first person to expose the credit card breach at Target that shook the retail world in December.

Richard Wenk, the screenwriter who wrote Sony’s high-testing big-screen version of The Equalizer, is on board to write what is being envisioned as a cyber-thriller inspired by the article and set in the high-stakes international criminal world of cyber-crime.

Escape Artists’ Steve Tisch, Todd Black and Jason Blumenthal are producing as are Todd Hoffman and Richard Arlook. David Bloomfield will executive produce.

Nicole Perlroth’s New York Times article told of Krebs, who has the appearance of a mild-mannered accountant but writes with a 12-gauge shotgun by his side, is an expert in the digital underground and is on a first-name basis with some of the biggest cyber-criminals in the world, many of whom are Russian.


# # #

Target Inc. Is Still a Liability Landmine

  • By Rich Duprey
  • The Motley Fool
  • March 19, 2014

Three months have passed since the massive data breach at Target (NYSE: TGT) ended, and though the retailer continues to plug away, investors should be cautious treading here, because there’s still a massive liability IED waiting to detonate — and it could blow up anytime now.

As is all too well known now, for several weeks in November and December, hackers had free rein to access, steal, and sell sensitive customer data before being discovered and shut down. Some 40 million people — and possibly as many as 110 million — were potentially compromised (I should know — I was one of them). What is only just coming to light, however, is the extent to which all of this was preventable. And because of that, Target’s liability in this financial and public-relations disaster is as yet incalculable.

Stuff happens. Hackers will hack, and every level of defense erected will eventually be overcome. From Target to Wal-Mart and J.C. Penney to BJ’s Wholesale Club, all their systems have been hacked at one time or another. Even AT&T had an incident years back, and though it’s unpleasant and corporations need to implement industry best practices to protect their customers’ data, we almost willfully acknowledge that at some point we may see our information compromised. Call it a hazard of doing business in the modern digital age.

What we don’t sign onto, however, is a company cavalierly handling our data, or being more concerned about how its reputation will look instead of rectifying the problem. TJX (NYSE: TJX) was taken to task several years ago, when it suffered a data breach and waited a whole month before notifying customers, costing the retailer more than $100 million in investigation costs, security system upgrades, customer communications, and legal fees, as well as some $1.6 billion over the lifetime of the case.



# # #

Updated: March 23, 2014 — 2:57 am

The Author

Rich Fleetwood

Rich is the founder of SurvivalRing, now in its 20th year, author of multimedia CDs and DVDs, loves the outdoors, his family, his geeky skill-set, and lives in rural Missouri, just a few miles from the Big Muddy. Always ready to help others, he shares what he learns on multiple blogs, social sites, and more. With a background in preparedness and survival skills, training with county, state, and national organizations, and skills in all areas of media and on-air experience in live radio and television, Rich is always thinking about the "big picture" when it comes to helping individuals and families prepare for life's little surprises.
