What you need to know for your personal cyber security life…
Number thirty-one in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life every day is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.
And, just so you know, I’ve got 31 years of IT experience, and my day job is for the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the life blood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.
# # #
HEADLINES…for this issue…15 articles
- Whitehat hacker goes too far, gets raided by FBI, tells all
- Gov’t red-faced as card data leaks lead to thefts
- Who is Robin Seggelmann and did his Heartbleed break the internet?
- FBI Arrests Trio For Microsoft Xbox Hacking
- Thoughts on USG Candor to China on Cyber
- Nurses Say Pagers Must Go; Hospitals Drag Feet
- Social Engineering Grows Up
- Public or Private Cloud? The Decision Comes Down to Risk, DISA CIO Says
- How to protect yourself from the ‘Heartbleed’ bug
- Hackers Lurking in Vents and Soda Machines
- Expert: Israel Needs More Cyber-Attack Specialists
- Chicago-area doctors’ group announces data breach
- Security flaws could give hackers control of power plants and oil rigs
- U.S. Tries Candor to Assure China on Cyberattacks
- 5-year-old hacks Xbox, now he’s a Microsoft ‘security researcher’
Whitehat hacker goes too far, gets raided by FBI, tells all
- By Sean Gallagher
- Ars Technica
- April 9, 2014
A whitehat hacker from the Baltimore suburbs went too far in his effort to drive home a point about a security vulnerability he reported to a client. Now he’s unemployed and telling all on reddit. David Helkowski was working for Canton Group, a Baltimore-based software consulting firm, on a project for the University of Maryland (UMD), when he claims he found malware on the university’s servers that could be used to gain access to personal data of students and faculty.
But he says his employer and the university failed to take action on the report, and the vulnerability remained in place even after a data breach exposed more than 300,000 students’ and former students’ Social Security numbers.
As Helkowski said to a co-worker in Steam chat, “I got tired of being ignored, so I forced their hand.” He penetrated the university’s network from home, working over multiple VPNs, and downloaded the personal data of members of the university’s security task force.
He then posted the data to Pastebin and e-mailed the members of the task force anonymously on March 15. One day later, the FBI obtained a search warrant for Helkowski’s home.
While no charges have yet been filed against him, Helkowski’s employment with Canton Group has ended. And yesterday, he took to reddit to tell everyone about it in a post entitled “IamA Hacker who was Raided by the FBI and Secret Service AMAA!” To prove his identity, he even posted a redacted copy of the search warrant he was served.
How did the FBI track him down so fast? It turns out that Helkowski told just about everyone (including co-workers) about what he was doing.
And since the vulnerability he used was the same one Canton Group had reported to UMD on February 27, it didn’t take a lot of sleuthing to follow a trail that pointed straight back to Helkowski’s home in the Baltimore suburb of Parkville.
# # #
Gov’t red-faced as card data leaks lead to thefts
- Korea JoongAng Daily
- April 11, 2014
Fear of hacked personal information being used in financial fraud and leading to actual losses, which the financial authorities promised was unlikely to happen, has been realized.
As a result, public mistrust and frustration is growing over the assurances by the financial authorities.
Yesterday, the financial authorities issued a warning to the public after personal information of 200,000 credit card accounts was hacked via a point-of-sale card reader at a cafe in Mokpo, South Jeolla.
Information about 200,000 credit card accounts was leaked since January from that single cafe, and the hackers withdrew cash to 268 accounts before they were caught recently.
# # #
Who is Robin Seggelmann and did his Heartbleed break the internet?
- By Lia Timson
- April 11, 2014
German computer programmer Robin Seggelman has been outed as the man whose coding mistake, now known as Heartbleed, has left millions of internet users and thousands of websites vulnerable to hackers.
The discovery, by Google engineers, has prompted experts to call on people to change their passwords to most, if not all, websites they subscribe to after site owners have fixed their vulnerabilities.
Dr Seggelman, 31, from the small town of Oelde in north-west Germany, is a contributor to the Internet Engineering Task Force (IETF), a not-for-profit global group whose mission is to make the internet work better. He is attached to the Munster University of Applied Sciences in Germany, where, as research associate in the networking programming lab in the department of electrical engineering and computer science, he has published a number of papers, including his thesis on strategies to secure internet communications in 2012.
He has been writing academic papers and giving talks on security matters since 2009, while still a PhD student. His academic research influence index score of two, based on the number of scientific citations of his work, suggests an influential thinker at the early stages of his scientific career.
According to the IETF, Dr Seggelman previously worked for Dutch Telecom IT services subsidiary T-Systems, possibly the largest such consultancy in Germany.
# # #
FBI Arrests Trio For Microsoft Xbox Hacking
- The Smoking Gun
- April 10, 2014
APRIL 10 — A group of alleged hackers has been charged with breaking into the computer systems of the U.S Army, Microsoft, and several other firms to steal pre-release copies of popular video games like “Call of Duty,” simulation software for Apache attack helicopter pilots, and confidential data that was used to create counterfeit versions of the Xbox gaming system, The Smoking Gun has learned.
Three men have been named in a sealed federal indictment charging them each with 15 felony counts, including conspiracy, fraud, and computer hacking, according to a copy of the 54-page document obtained by TSG.
Two other alleged hackers – a North Carolina resident and an Australian teenager – have been identified as unindicted coconspirators in the scheme, which began in early 2011 and continued for more than two years.
A federal grand jury last July returned a sealed indictment against Nathan Leroux, 19; Sanadodeh Nesheiwat, 28; and David Pokora, a Canadian resident. FBI agents last week arrested Leroux at his Wisconsin home and collared Nesheiwat (seen above) at his New Jersey residence. Pokora’s status could not be determined.
# # #
Thoughts on USG Candor to China on Cyber
- By Jack Goldsmith
- April 8, 2014
Paul is skeptical about the USG’s unilateral briefing to Chinese officials on some of its cyber operations and doctrines that David Sanger discloses in the NYT. He argues that China is unlikely to reciprocate, he doubts the usefulness of the unilateral disclosure, and he wonders why the USG does not share the information with the American public.
I think the matter is more complex. First, it may be (as I have long argued) that greater candor by the USG vis-à-vis China is a necessary precondition to genuine progress on the development of norms for cyberoperations – both exploitation and attack.
Unless we can credibly convey what we are doing and what we might do (and not do) in certain cyber situations, our adversaries will assume the worst and (a) invest in their own cyber programs to keep up – a classic arms race situation, and/or (b) interpret particular cyberoperations in a risk-averse fashion, in their least charitable light, which might induce unwarranted escalation in those contexts.
Our adversaries will rationally assume the worst because, despite USG claims about its responsible use of cyber exploitations and attacks, the news is filled with reports about prodigious USG cyber-operations and aggressive plans in this realm. Indeed, as Sanger notes: “The Pentagon plans to spend $26 billion on cybertechnology over the next five years — much of it for defense of the military’s networks, but billions for developing offensive weapons — and that sum does not include budgets for the intelligence community’s efforts in more covert operations.
It is one of the few areas, along with drones and Special Operations forces, that are getting more investment at a time of overall Pentagon cutbacks.” Second, Paul is right to be skeptical about reciprocity by China. But it sounds like the United States didn’t give up much new information on U.S. doctrine for the use of cyberweapons. (Sanger states that “elements of the doctrine can be pieced together from statements by senior officials and a dense ‘Presidential Decision Directive’ on such activities signed by Mr. Obama in 2012.”)
More importantly, the United States can in theory benefit from unilateral disclosure of doctrine and weapons capabilities even if China doesn’t reciprocate, for the unilateral disclosure might assist China in interpreting, and not misinterpreting, USG actions in the cyber realm – all to the USG’s advantage.
As Sanger says, “American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the “red lines” for employing nuclear weapons against each other.” In theory, unilateral information disclosure to China about the nature of USG cyberoperations can help China interpret USG actions properly, and can thereby help tamp down on the possibility of mistaken escalation by China; and the USG might also in this manner help China to see the benefits to itself in disclosure to the USG.
# # #
Nurses Say Pagers Must Go; Hospitals Drag Feet
- By Alison Diana
Nurses and other healthcare workers who communicate vital patient information say they need an alternative to outdated pagers and insecure smartphones. At most hospitals, nurses are still required to communicate with colleagues and doctors via Voice over IP (VoIP) or pagers. But many nurses, who tend to be constantly on the go, are increasingly ignoring policy and are texting from their smartphones instead.
This approach carries risks: Not only are the phones insecure, but they could also introduce germs into sterile environments.
Pagers may be less risky, but they aren’t efficient. They cost US hospitals $8.3 billion in 2013, according to a report by the Ponemon Institute: $3.2 billion through time-consuming discharge processes and another $5.1 billion while clinicians waited for patient information (an average of 46 minutes per day).
Fed up with waiting for pages, nurses are taking matters into their own hands. Although 89% of hospitals forbid the use of personal smartphones at work, 67% of hospitals report nurses are using their iPhones, Androids, and other devices to support clinical communications and workflow, according to a new report by Spyglass Consulting Group.
Hospital IT departments know nurses are doing this, but they don’t have the time or the resources to monitor their usage. Of the 53% of hospitals with BYOD programs, only 11% include nursing staff.
# # #
Social Engineering Grows Up
- By Kelly Jackson Higgins
- Dark Reading
Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new “tag team” rules to reflect realities of the threat.
The wildly popular DEF CON Social Engineering contest this year in Las Vegas will feature a new twist: Each contestant will be assigned a teammate to whom they must hand off during the live event where they cold-call targeted corporations.
“We needed to create an event like the real world,” says Christopher Hadnagy, chief human hacker at Social-Engineer.org , and organizer of the contest, now in its fifth year. “In the 30 minutes [of the live call], you have to tap out at least twice” so that each teammate will have a role in the live call.
The contest aims to wring as much potentially revealing information about the company from the unsuspecting call recipient. Contestants squeeze as many predetermined “flags” out of employees at major US corporations, everything from the type of browser they are using to the name of their cleaning/janitorial service.
The pretense could be that the caller needs to hand the call to his manager or another colleague, for example, to provide more legitimacy for the call — something Hadnagy and his team at Social-Engineer.org say is becoming more and more common in social engineering exploits.
“These are realistic vectors,” he says of the two-person call approach. Phony Microsoft tech support scams do this often, says Hadnagy.
# # #
Public or Private Cloud? The Decision Comes Down to Risk, DISA CIO Says
- By Frank Konkel
- April 8, 2014
For federal agencies, deciding whether information, data or applications belong in a public or private government cloud or a hybrid combination of the two is no easy feat.
Myriad factors play into these decisions – projected cost savings, information sensitivity and availability, to name a few – but according to U.S. Defense Information Systems Agency Chief Information Officer David Bennett, the single most important element continues to be risk.
DISA recently rolled out a government-operated cloud computing services portfolio called milCloud that was designed to attract Defense Department customers who seek the cloud’s promise of cost reductions combined with increased control, flexibility and mission security necessary for classified and controlled unclassified information.
“You have to understand risk and the data you’re dealing with,” said Bennett, speaking at a Nextgov event Tuesday. “As you look at those things, you have to ask questions like, ‘What controls do I have in place?’
We want to leverage commercial opportunities and reap the benefits of doing that, but we also want to verify and make certain what’s out there and that we’re able to understand and monitor that.”
# # #
How to protect yourself from the ‘Heartbleed’ bug
- By Richard Nieva
- CNET News, Security
- April 8, 2014
A major new security vulnerability dubbed Heartbleed was disclosed Monday night with severe implications for the entire Web. The bug can scrape a server’s memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers.
It’s an extremely serious issue, affecting some 500,000 servers, according to Netcraft, an Internet research firm. Here’s what you can do to make sure your information is protected, according to security experts contacted by CNET: Do not log into accounts from afflicted sites until you’re sure the company has patched the problem. If the company hasn’t been forthcoming — confirming a fix or keeping you up to date with progress — reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
Some Web sites that appeared to have been affected included Yahoo and OKCupid, though the companies have said their sites are all or partly fixed (see below for details). You can check sites on an individual basis here, though caution is still advised even if the site gives you an “all clear” indication. If you’re given a red flag, avoid the site for now.
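The article says the bug “can scrape a server’s memory” but not why. The defect was a missing bounds check: a TLS heartbeat message carries its own payload_length field (RFC 6520), and the server copied that many bytes back without checking the claim against the record it had actually received. The example below is added here and is not code from the article or from OpenSSL; it models server memory as a small constructed byte array (ARENA) so that the over-read stays inside allocated storage and the program runs deterministically. The flawed copy and the corrected copy are shown side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): type (1 byte),
 * payload_length (2 bytes, big-endian), payload, then >= 16 bytes padding. */
#define HB_HDR 3
#define HB_MIN_PADDING 16

/* Constructed stand-in for a slice of server memory (not a real capture).
 * The record at the front is a heartbeat request whose real payload is
 * "ping" (4 bytes) plus 16 bytes of padding, so it is 3 + 4 + 16 = 23 bytes
 * long. Its length field, however, claims 40 bytes. The bytes after the
 * record belong to something else entirely and must never be sent back. */
#define RECORD_LEN 23
#define ARENA_LEN 64
static const unsigned char ARENA[ARENA_LEN] =
    "\x01"                           /* type: heartbeat_request            */
    "\x00\x28"                       /* claimed payload_length: 40 (0x28)  */
    "ping"                           /* the only 4 bytes of real payload   */
    "PPPPPPPPPPPPPPPP"               /* 16 bytes of padding                */
    "SECRET-SESSION-COOKIE-ABC123";  /* adjacent memory: 28 bytes of secret */
    /* remaining bytes of ARENA are zero-filled */

/* A well-formed request: claimed length 4 matches the 4-byte payload. */
static const unsigned char VALID[] =
    "\x01" "\x00\x04" "ping" "PPPPPPPPPPPPPPPP";

/* Flawed pattern: trust payload_length from the message and echo that many
 * bytes. The record length is never consulted. Returns bytes written. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, unsigned char *out)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HDR, claimed);  /* reads past the record */
    return claimed;
}

/* Corrected pattern: refuse any message whose claimed payload does not fit
 * inside the record actually received, padding included. Returns bytes
 * written, or -1 when the message is rejected. */
int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    if (rec_len < HB_HDR) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + claimed + HB_MIN_PADDING > rec_len) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    return (int)claimed;
}

/* Does the unchecked reply hand back the adjacent secret? (1 = yes) */
int unchecked_reply_leaks_secret(void)
{
    unsigned char out[ARENA_LEN];
    size_t n = heartbeat_reply_unchecked(ARENA, out);
    /* bytes 20..39 of the reply are the first 20 bytes of the secret */
    return n == 40 && memcmp(out + 20, "SECRET-SESSION-COOKI", 20) == 0;
}

/* Does the checked reply reject the oversized claim? (1 = yes) */
int checked_reply_rejects_oversized(void)
{
    unsigned char out[ARENA_LEN];
    return heartbeat_reply_checked(ARENA, RECORD_LEN, out) == -1;
}

/* Does the checked reply still serve a well-formed request? (1 = yes) */
int checked_reply_accepts_valid(void)
{
    unsigned char out[ARENA_LEN];
    int n = heartbeat_reply_checked(VALID, RECORD_LEN, out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void)
{
    printf("unchecked reply leaks adjacent secret:    %s\n",
           unchecked_reply_leaks_secret() ? "yes" : "no");
    printf("checked reply rejects oversized claim:    %s\n",
           checked_reply_rejects_oversized() ? "yes" : "no");
    printf("checked reply accepts well-formed record: %s\n",
           checked_reply_accepts_valid() ? "yes" : "no");
    return 0;
}
```

The point for a defender is the shape of the fix, not the specific message: any length field supplied by the peer must be compared with the number of bytes that actually arrived before it is used as a copy size. The ARENA here keeps the over-read inside one allocated array purely so the demonstration is well-defined; on a live server the copy runs into whatever happens to sit next to the record.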
# # #
Hackers Lurking in Vents and Soda Machines
- By NICOLE PERLROTH
- The New York Times
- APRIL 7, 2014
SAN FRANCISCO — They came in through the Chinese takeout menu. Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.
Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment. Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems.
This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.
# # #
Expert: Israel Needs More Cyber-Attack Specialists
- By Shimon Cohen
- Arutz Sheva
The threatened #opisrael cyber-attack turned out to be a dud – but Israel does not have enough manpower to ward off a major cyber-attack.
Dr. Michael Orlov, head of the cyber-engineering department of Shamoon College Engineering in Be’er Sheva, explained the problem to Arutz Sheva Monday.
As Orlov explained, the hacking projects against Israel by Anonymous – a loosely organized group of hackers worldwide, but for #opIsrael mostly localized to Middle-Eastern countries – are a childish attempt to “feel important,” and nothing more. Currently, cyber-attacks against Israel largely focus on replacing a site’s content with propaganda, and leaving a site alone after it is fixed. This, he said, “is not a serious problem.”
Future attacks may be, however. Orlov emphasizes that if a major country – e.g. Iran – were to set aside the “relatively small amount” of $50 million dollars to establish a professional hacking team, Israel could be in trouble.
“We have seen Iran do this in the past to other countries, like Saudi Arabia,” Orlov stated, “Hackers attacked, broke into [websites] and deleted information. If this happens, we cannot dismiss the impact of attacks.”
# # #
Chicago-area doctors’ group announces data breach
- By Mitch Smith
- Tribune reporter
- April 5, 2014
Surgical information for more than 1,200 patients may have been compromised in February when an unknown person accessed a doctor’s Gmail account, a Chicago-area physicians’ group announced Friday.
Midwest Orthopaedics at Rush said in a news release that names and dates of birth for 1,256 patients could have been accessed, along with descriptions, dates and instructions for their surgeries. All those patients were notified by letter this week, Midwest Orthopaedics at Rush said, and the group has received no reports that the information has been misused.
The breach, which was discovered around Feb. 10, did not expose patients’ financial information, the group said.
“We take this situation very seriously and apologize that this incident occurred,” Dennis Viellieu, the group’s CEO, said in the news release. “Maintaining the integrity of confidential patient information is of utmost importance to us.”
# # #
Security flaws could give hackers control of power plants and oil rigs
- By Alex Hamilton
- IT Pro Portal
- 04 Apr 2014
Power plants, oil rigs and refineries could be at risk from hackers, new research shows, as there are vital bugs in their software that could allow an outsider to gain remote access.
Around the world about 7,600 plants are using the vulnerable software that could allow an attacker with the “lowest skill in hacking” to exploit them.
The software, named Centum CS 3000, was first released to run on Windows 98 and is used to monitor and control the heavy machinery in many of the globe’s large industrial installations. ”We went from zero to total compromise,” Juan Vasquez, from security firm Rapid7, told the BBC.
# # #
U.S. Tries Candor to Assure China on Cyberattacks
- By DAVID E. SANGER
- The New York Times
- APRIL 6, 2014
WASHINGTON — In the months before Defense Secretary Chuck Hagel’s arrival in Beijing on Monday, the Obama administration quietly held an extraordinary briefing for the Chinese military leadership on a subject officials have rarely discussed in public: the Pentagon’s emerging doctrine for defending against cyberattacks against the United States — and for using its cybertechnology against adversaries, including the Chinese.
The idea was to allay Chinese concerns about plans to more than triple the number of American cyberwarriors to 6,000 by the end of 2016, a force that will include new teams the Pentagon plans to deploy to each military combatant command around the world. But the hope was to prompt the Chinese to give Washington a similar briefing about the many People’s Liberation Army units that are believed to be behind the escalating attacks on American corporations and government networks.
So far, the Chinese have not reciprocated — a point Mr. Hagel plans to make in a speech at the P.L.A.’s National Defense University on Tuesday.
The effort, senior Pentagon officials say, is to head off what Mr. Hagel and his advisers fear is the growing possibility of a fast-escalating series of cyberattacks and counterattacks between the United States and China. This is a concern especially at a time of mounting tensions over China’s expanding claims of control over what it argues are exclusive territories in the East and South China Seas, and over a new air defense zone.
In interviews, American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the “red lines” for employing nuclear weapons against each other.
# # #
5-year-old hacks Xbox, now he’s a Microsoft ‘security researcher’
- By Zach Miners
- IDG News Service
- April 4, 2014
A 5-year-old San Diego boy has been commended by Microsoft for his security skills after finding a vulnerability in the company’s Xbox games console.
Kristoffer Von Hassel’s parents noticed earlier this year that he was logged into his father’s Xbox Live account and playing games he was not supposed to.
He hadn’t stolen his father’s password. Instead, he stumbled upon a very basic vulnerability that Microsoft is said to have now fixed. After typing an incorrect password, Kristoffer was taken to a password verification screen. There, he simply tapped the space bar a few times, hit “enter” and was let into his father’s account.