Personal Cybersecurity #32: Daily news

What you need to know for your personal cyber security life… 

Number thirty-two in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life everyday is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop. 

And, just so you know, I’ve got 31 years of IT experience, and my day job is for the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the life blood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.


# # #

HEADLINES…for this issue…19 articles

  • Which Federal Agency Controls Cybersecurity? The Answer May Surprise You
  • U.S. Agent Lures Romanian Hackers in Subway Data Heist
  • Top Chinese hacking team reveals members’ identities
  • Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too
  • White House Details Zero-Day Bug Policy
  • BAE Shifts Cyber Software Development to Malaysia
  • Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach
  • Hackers from China waste little time in exploiting Heartbleed
  • Korea – hackers’ safe haven
  • Heartbleed bug exploited to steal taxpayer data
  • Cosmetic surgeons targeted by hackers as personal details of 500,000 people who made enquiries at top clinic are stolen
  • Out in the Open: Inside the Operating System Edward Snowden Used to Evade the NSA
  • Qualifying Cyber Command Staff Is Harder Than You Think
  • HIPAA security risk assessment tool: Small provider needs
  • Banksy art work showing government agents spying on a phone box appears on side of Cheltenham house near to GCHQ
  • Private crypto keys are accessible to Heartbleed hackers, new data shows
  • Israeli Hackers Expose ‘Amateurs’ Behind Anti-Israel Attack
  • Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’
  • Here’s why it took 2 years for anyone to notice the Heartbleed bug

Which Federal Agency Controls Cybersecurity? The Answer May Surprise You

  • By Paul Rosenzweig
  • Security States
  • The New Republic
  • April 16, 2014


One of the most hotly contested questions in the cyber domain (at least domestically) is whether or not the federal government should have a role in setting universal cybersecurity standards for critical American infrastructure. That was the ground for debate much of 2011 and 2012 in Congress.

The debate gave rise to a subsidiary question: If the federal government is going to set standards, which part of the government should be responsible? Some (the “hawks”) favored the National Security Agency. (This was before Edward Snowden became a household name.) Others (the “doves”) thought that civilian control through the Department of Homeland Security was the better course of conduct. But everyone seemed to agree that one of the federal government security agencies should be in charge of setting cybersecurity standards.

In our current system of government, though, things that make sense seldom become reality. It now seems that our cybersecurity standards are going to be set by a consumer protection organization — the Federal Trade Commission (FTC). The case that made this clear is Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of New Jersey by the FTC relating to a cybersecurity breach at Wyndham Hotels.

To understand how the case creates this new reality, we need to step back and understand the FTC. The FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception — in other words, an argument that some consumer service organization (like, say Wyndham Hotels) had made representations to the public that were false. As you can imagine, allegations of that sort are often tied to particular circumstances and particular facts. The second ground for FTC enforcement is a broader one: that a company has engaged in “unfair” business practices. This means, in the words of the statute, that a company “caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” In other words, that a company made a cost/benefit analysis to the detriment of consumers in a way that the FTC thinks is unreasonable.


# # #

U.S. Agent Lures Romanian Hackers in Subway Data Heist

  • By Del Quentin Wilber
  • Bloomberg
  • April 16, 2014

U.S. Secret Service Agent Matt O’Neill was growing nervous. For three months, he’d been surreptitiously monitoring hackers’ communications and watching as they siphoned thousands of credit card numbers from scores of U.S. retailers.

Most every day O’Neill was alerting a credit card company or retailer to an online heist. The result was predictable: the companies canceled hijacked credit and debit cards and the aggravated hackers’ customers began complaining that the stolen card numbers weren’t working as promised.

It was only a matter of time before the cyber thieves realized they were being watched.

“We were hoping they wouldn’t figure it out until we could catch them,” O’Neill said.

The Secret Service and FBI are investigating an increasing number of attacks on U.S. retailers’ data, including the massive breach of Target Corp. (TGT) last year that affected more than 40 million debit and credit card accounts. Investigators won’t talk about the Target probe. Instead, the Secret Service pointed to O’Neill’s investigation that began in 2010 as an example of how they go about solving such crimes.


# # #

Top Chinese hacking team reveals members’ identities

  • By Liu Jiayi
  • View from China
  • ZDNet News
  • April 17, 2014

The Keen, a top hacking team which took down Windows 8.1 Adobe Flash in just 15 seconds and Apple’s Safari Mac OS X Mavericks system in only 20 seconds during a Pwn2Own Vancouver event in March, has divulged the identity of its members, a Chinese newspaper reported on 13 April 2014.

“50 percent of us are the top scoring students in the national college entrance examination. 50 percent are majored in mathematics, and 50 percent are from Microsoft,” said Lv Yiping, key member of the Keen and co-founder and chief operating officer of the team’s Shanghai-based parent company.

The team’s primary attacker Chen Liang, who holds an undergraduate degree from Shanghai Jiao Tong University and a graduate degree from Fudan University, said he had to lock himself up in a rented room for two months to keep away from all kinds of distractions and solely focused on the hundreds of millions of lines of code for an operating system.


# # #

Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too

  • By Dan Goodin
  • Ars Technica
  • April 16, 2014

Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN application with a vulnerable version of OpenSSL, adding yet more urgency to the call for operators to fully protect their systems against the catastrophic Heartbleed bug.

Developers who maintain the open source OpenVPN package previously warned that private keys underpinning VPN sessions were vulnerable to Heartbleed. But until Wednesday, there was no public confirmation such a devastating theft was feasible in real-world settings, said Fredrik Strömberg, the operator of a Sweden-based VPN service who carried out the attacks on a test server. An attacker carrying out a malicious attack could use the same exploit to impersonate a target’s VPN server and, in some cases, decrypt traffic passing between an end user and the real VPN server.

Wednesday’s confirmation means any OpenVPN server—and likely servers using any other VPN application that may rely on OpenSSL—should follow the multistep path for recovering from Heartbleed, which is among the most serious bugs ever to hit the Internet. The first step is to update the OpenSSL library to the latest version. That step is crucial but by no means sufficient. Because Heartbleed may have leaked the private key that undergirds all VPN sessions, updated users may still be susceptible to attacks by anyone who may have exploited the vulnerability and made off with the key. To fully recover from Heartbleed, administrators should also revoke their old key certificates, ensure all end user applications are updated with a current certificate revocation list, and reissue new keys.


 # # #

White House Details Zero-Day Bug Policy

  • By Mathew J. Schwartz
  • Dark Reading
  • 4/15/2014

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

The White House and National Security Agency have strongly denied reports that the NSA had known about the Heartbleed vulnerability in OpenSSL for years and was actively exploiting it for intelligence-gathering purposes.

Those allegations appeared Friday in a Bloomberg News report — citing unnamed sources — claiming the NSA kept secret details about the Heartbleed vulnerability for at least two years. The vulnerability (a.k.a. CVE-2014-0160), which can be used to spoof and steal encrypted information from millions of vulnerable websites, was recently discovered and made public by Google engineer Neel Mehta and Finnish security firm Codenomicon.

But the NSA — via Twitter — and the Obama administration quickly disputed the Bloomberg report. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report,” read a statement released Friday by the Office of the Director of National Intelligence (ODNI). “Reports that say otherwise are wrong.” The ODNI also noted that the federal government relies on OpenSSL to secure government websites, and claimed that if any agency — including the NSA — had previously discovered the vulnerability, “it would have been disclosed to the community responsible for OpenSSL.”


 # # #

BAE Shifts Cyber Software Development to Malaysia

  • By Andrew Chuter
  • Defense News
  • April 15, 2014

KUALA LUMPUR — BAE Systems Applied Intelligence business is moving the center of its cyber software development activities to Malaysia as part of a strategy that will see the Southeast Asian location emerge as a key component of its growing security business, according to Richard Watson, the division’s Asia Pacific region managing director.

The Malaysian operation has already grown from 10 people to 100 within two years and the plan is to recruit enough engineers to boost that figure to 350 people during 2015, said the Applied Intelligence executive.

The expansion of the British company’s cyber business here comes at a time of increasing concern locally about the impact defense and commercial hacking can have on national security.

In a speech at a conference on the sidelines of the Defence Services Asia exhibition here this week, Malaysian Defence Minister Hishammuddin Hussein identified cyber terrorism as one of the most vital non-traditional security issues to emerge in recent times.


 # # #

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

  • By Brian Krebs
  • Krebs on Security
  • April 15, 2014

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:


 # # #

Hackers from China waste little time in exploiting Heartbleed

  • By Jordan Robertson
  • The Age – ITPro
  • April 16, 2014

For those who don’t feel the urgency to install the latest security fixes for their computers or change passwords, take note: Just a day after Heartbleed was revealed, attacks from a computer in China were launched.

The software bug, which affects a widely used form of encryption called OpenSSL, was announced to the world on Tuesday, April 8 at 3:27am Sydney time, according to a timeline pieced together by Fairfax Media. That sent companies scrambling to fix their computer systems – and for good reason.

At 10.00 am on Wednesday, a computer in China that was previously used for hacking and other malicious activities tried to attack a server at the University of Michigan, said J. Alex Halderman, an assistant professor of electrical engineering and computer science. The university’s computer was a “honeypot”, which was intentionally left vulnerable and designed to attract attacks so researchers could study them.

The hackers’ fast turnaround highlights how quickly the digital underworld is in taking advantage of newly disclosed software vulnerabilities. So far, 41 attempts to exploit the Heartbleed hole have been made on three honeypots operated by Halderman and his research team. About half have come from China. The attacks could include some attempts by other researchers trying to assess the impact of the bug.


 # # #

Korea – hackers’ safe haven

  • By Kim Yoo-chul
  • The Korea Times
  • 2014-04-15

Around 35 million of Korea’s population of 52 million use mobile devices.

But with this rising connectedness comes increased vulnerability to hacking, and so far the country has failed to protect user information from hacking and other cyber security attacks.

“It’s fair to say Korea has emerged as a haven for hackers,” said Chun Kil-nam, an expert in cyber security and a former professor at the Korea Advanced Institute of Science and Technology, Tuesday.

“But what’s worse is that the country has no comprehensive plans to ward off technologically sophisticated hackers and criminals,” Chun said.

Global security software firm Symantec said in a recent analysis that the confidential information of over half-a-billion people around the world was hacked last year. Korea alone accounted for 20 percent of those.


 # # #

Heartbleed bug exploited to steal taxpayer data

  • By Dan Goodin
  • Ars Technica
  • April 14, 2014

Underscoring the severity of the Heartbleed bug affecting huge swaths of the Internet, hackers exploited the vulnerability to steal taxpayer data for at least 900 Canadian citizens and an unknown number of businesses, officials in that country warned Monday morning.

Canada Revenue Agency (CRA) officials said they removed public access to online tax services last Tuesday, a day after the catastrophic defect in the widely used OpenSSL cryptography library surfaced. But by then it was too late. Hackers casing online CRA services were nonetheless able to exploit the OpenSSL flaw, which makes it possible to pluck private encryption keys, passwords, and other sundry sensitive data out of the private computer memory of servers running vulnerable versions of the open-source library.

“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” Canadian officials disclosed in a blog post published Monday morning. “Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

Monday’s post is among the first to disclose the malicious exploitation of the two-year-old Heartbleed bug. By Tuesday, researchers showed that Heartbleed was exposing usernames and passwords of Yahoo Mail users, and some Ars readers also reported that their accounts were compromised before Ars servers were updated. OpenSSL is the Internet’s most widely used implementation of Web encryption, so it wouldn’t be surprising if vast numbers of sites were similarly attacked. Update: Later on Monday, UK-based parenting website Mumsnet said hackers exploited a vulnerable version of OpenSSL on its servers to obtain user names and passwords.


 # # #

Cosmetic surgeons targeted by hackers as personal details of 500,000 people who made enquiries at top clinic are stolen

  • Mail Online
  • 15 April 2014

One of Britain’s best-known and biggest providers of private cosmetic surgery has been targeted by computer hackers, it was revealed last night.

Confidential personal details of nearly 500,000 people who made an enquiry about surgery via Harley Medical Group’s website were stolen in an apparent bid to blackmail the company.

Patients interested in surgery are asked to fill in an online form ahead of an appointment, with details including phone numbers, email address and date of birth.

That personal information was accessed and stolen in a security breach, the firm admitted in a letter to patients posted online.


 # # #

Out in the Open: Inside the Operating System Edward Snowden Used to Evade the NSA

  • By Klint Finley
  • 04.14.14

When NSA whistle-blower Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. But this month, we learned that Snowden used another technology to keep his communications out of the NSA’s prying eyes. It’s called Tails. And naturally, nobody knows exactly who created it.

Tails is a kind of computer-in-a-box. You install it on a DVD or USB drive, boot up the computer from the drive and, voila, you’re pretty close to anonymous on the internet. At its heart, Tails is a version of the Linux operating system optimized for anonymity. It comes with several privacy and encryption tools, most notably Tor, an application that anonymizes a user’s internet traffic by routing it through a network of computers run by volunteers around the world.

Snowden, Greenwald and their collaborator, documentary film maker Laura Poitras, used it because, by design, Tails doesn’t store any data locally. This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.

“The installation and verification has a learning curve to make sure it is installed correctly,” Poitras told WIRED by e-mail. “But once the set up is done, I think it is very easy to use.”


 # # #

Qualifying Cyber Command Staff Is Harder Than You Think

  • By Aliya Sternstein
  • April 14, 2014

The Coast Guard Cyber Command aims to qualify a couple of service members for what Pentagon officials have said will be a 2,000-member force within the next two years.

It will take all the military services a lot of time and money to get their members qualified for the force. For the Coast Guard, the task is even harder because it has no dedicated cyber school and splits its activities between defense and homeland security.

The two-person figure, provided by the Coast Guard’s cyber chief, partly reflects the difficulty of instructing computer whizzes from various educational backgrounds to reach the same proficiency level. It takes resources.

“This is 26, 27 weeks long or longer — months’ worth — of training before they are qualified and ready to go,” Rear Adm. Bob Day, commander of the Coast Guard CYBERCOM, told Nextgov. “We’re investing millions” of dollars, he added.


 # # #

HIPAA security risk assessment tool: Small provider needs

  • By Patrick Ouellette
  • Health IT Security
  • April 14, 2014

Though the Department of Health and Human Services (HHS) released its HIPAA security risk assessment tool a few weeks ago, it’s still unclear how healthcare organizations will use the tool as part of their HIPAA Security Rule compliance strategy. Most organizations realize the tool isn’t necessarily a panacea for federal compliance needs. However, according to Alisa Chestler, a shareholder in the Washington, D.C. office of Baker Donelson, the beauty of the tool for small to mid-size providers is that it’s flexible and serves as a good starting point for those who may be lacking in risk analyses.

Chestler, who concentrates her practice in healthcare regulatory compliance; privacy, security and records management issues, discussed the tool’s benefits and uses with

What are your general impressions of the HIPAA security risk assessment tool?

First and foremost, with this tool the government is reinforcing how seriously they’re taking this type of analysis is required of the small providers, what they should know and the expectation that the risk analysis be completed. Secondly, as they begin to see what the tool is all about, they will quickly realize how much of a deep dive it is. So even if it’s not as robust as, say, the audit protocol, it shouldn’t be scoffed at because it will make providers think of things that they never would have thought of before.


 # # #

Banksy art work showing government agents spying on a phone box appears on side of Cheltenham house near to GCHQ

  • By Sam Creighton
  • Mail Online
  • 13 April 2014

Mysterious street artist Banksy is thought to have unveiled his latest creation, taking aim at the thorny issue of government surveillance.

The guerrilla graffiti artist is believed to be behind the image of three trenchcoat clad agents eavesdropping on a telephone box that appeared in Cheltenham in the early hours of this morning.

It is believed the city was chosen for the work because it is where GCHQ, the centre of the UK’s surveillance network, is based. The graffiti is on the side of a house just three miles from the listening post.

Although the artist has not officially claimed the work, it is in his characteristic style and carries a political message in line with his previous pieces.

It comes in the wake of the storm over the leaked files from former U.S. National Security Agency contractor Edward Snowden, which shed light on the extent to which governments were listening in on citizens’ communications.


 # # #

Private crypto keys are accessible to Heartbleed hackers, new data shows

  • By Megan Geuss
  • Ars Technica
  • April 12, 2014

Contrary to previous suspicions, it is possible for hackers exploiting the catastrophic vulnerability dubbed Heartbleed to extract private encryption keys from vulnerable websites, Web services firm Cloudflare reported Saturday.

As recently as yesterday, Cloudflare published preliminary findings that seemed to indicate that it would be difficult, if not impossible, to use Heartbleed to get the vital key that essentially unlocks the secure sockets layer padlock in millions of browsers. To be extra-sure, Cloudflare launched “The Heartbleed Challenge” to see how other people exploiting Heartbleed might fare. The company set up an nginx server running a Heartbleed-vulnerable version of OpenSSL and invited the Internet at large to steal its private key.

Just nine hours later, software engineer Fedor Indutny and Ilkka Mattila at NCSC-FI had obtained the server’s private keys using nothing but the Heartbleed vulnerability. As of this writing, CloudFlare had confirmed a total of four winners: Rubin Xu, a PhD student in the Security group of Cambridge University, as well as security researcher Ben Murphy.

The results are a strong indication that merely updating servers to a version of OpenSSL that’s not vulnerable to Heartbleed isn’t enough. Because Heartbleed exploits don’t by default show up in server logs, there’s no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect. Anyone visiting the bogus site would see the same https prefix and padlock icon accompanying the site’s authentic server.
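Both Ars Technica pieces above (the OpenVPN key extraction and the Cloudflare challenge) make the same point: updating OpenSSL does not clear a key that was loaded into a vulnerable process, and because the exploit leaves no log trace, a site cannot rule that exposure out. The following is an added example, not code from either article or from the OpenSSL project, that turns that reasoning into a remediation triage over a constructed server inventory; the hostnames, banners, serials and the conservative "any 1.0.1/1.0.2 host ran an affected build" rule are assumptions.

```python
"""Heartbleed (CVE-2014-0160) remediation triage over a server inventory.

Added example for this digest, not code from any article quoted here.
Patching is necessary but not sufficient: a key that sat in a vulnerable
process may already have been read out of memory, and nothing in the
server logs can rule that out. Inventory records below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Public disclosure of CVE-2014-0160 and release of the fixed 1.0.1g.
DISCLOSURE_DATE = date(2014, 4, 7)

# Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 0.9.8 and 1.0.0 never contained the TLS heartbeat code that carried the bug.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?")


def parse_version(banner: str):
    """(major, minor, fix, letter, beta) from an 'openssl version' banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)


def on_affected_branch(banner: str) -> Optional[bool]:
    """True if the build is from the 1.0.1 or 1.0.2 line, the only lines ever affected."""
    v = parse_version(banner)
    return None if v is None else v[:3] in ((1, 0, 1), (1, 0, 2))


def version_vulnerable(banner: str) -> Optional[bool]:
    """Classify by upstream version: True, False, or None if unparseable.

    Caveat: distro packages often backport the fix without bumping the letter
    (a patched build may still report 1.0.1e), so True means 'check the
    package changelog or build date', not 'confirmed exploitable'.
    """
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) through "f" are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == "beta1"
    return False


@dataclass
class ServerRecord:
    host: str
    openssl_banner: str          # output of 'openssl version' on the host
    cert_not_before: date        # notBefore of the serving certificate
    cert_serial: str             # serial to quote in the revocation request
    key_reissued: bool = False   # True once a brand-new key pair is in service


@dataclass
class Triage:
    host: str
    needs_patch: bool
    needs_key_rotation: bool
    actions: List[str] = field(default_factory=list)


def triage(rec: ServerRecord) -> Triage:
    """Decide which steps of the recovery path one host still owes."""
    vuln = version_vulnerable(rec.openssl_banner)
    branch = on_affected_branch(rec.openssl_banner)
    actions = []
    needs_patch = vuln is not False        # unknown builds stay on the list
    if vuln:
        actions.append("update OpenSSL to a fixed release and restart every TLS service")
    elif vuln is None:
        actions.append("version banner unparseable; verify the build by hand")
    # Conservative rule (assumption): a key issued before disclosure on any
    # 1.0.1/1.0.2 host, or on an unknown host, is treated as exposed until
    # replaced. Patching alone does not clear it; exploitation was not logged.
    predates_fix = rec.cert_not_before < DISCLOSURE_DATE
    needs_key_rotation = predates_fix and branch is not False and not rec.key_reissued
    if needs_key_rotation:
        actions.append("generate a new key pair and CSR; never reuse the old key")
        actions.append(f"revoke serial {rec.cert_serial} at the CA and confirm it is in the CRL")
        actions.append("push the updated CRL to clients; reset credentials sent via this server")
    return Triage(rec.host, needs_patch, needs_key_rotation, actions)


def triage_inventory(records):
    return {r.host: triage(r) for r in records}


# Constructed sample inventory (hostnames, banners and serials are made up).
SAMPLE_INVENTORY = [
    ServerRecord("vpn1.example.test", "OpenSSL 1.0.1e 11 Feb 2013", date(2013, 9, 2), "0x1A2B"),
    ServerRecord("vpn2.example.test", "OpenSSL 1.0.1g 7 Apr 2014", date(2013, 9, 2), "0x1A2C"),
    ServerRecord("vpn3.example.test", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 9), "0x1A2D", True),
    ServerRecord("legacy.example.test", "OpenSSL 1.0.0k 5 Feb 2013", date(2012, 6, 1), "0x1A2E"),
    ServerRecord("beta.example.test", "OpenSSL 1.0.2-beta1 24 Feb 2014", date(2014, 3, 1), "0x1A2F"),
]

if __name__ == "__main__":
    for host, t in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: patch={t.needs_patch} rotate={t.needs_key_rotation}")
        for a in t.actions:
            print("   -", a)
```

Note that vpn2 comes back clean on the version check yet still owes a key rotation; that is exactly the gap the Cloudflare result exposes.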


 # # #

 Israeli Hackers Expose ‘Amateurs’ Behind Anti-Israel Attack

  • By Ari Soffer
  • Israel National News
  • 4/13/2014

Israeli hackers have gone on the offensive against their anti-Israel opponents in revenge for the #OpIsrael hacking attack against Israeli sites and servers.

After the failed “operation” by members of the “Anonymous” hacker network, Israeli hackers from Israel Elite Force took the fight to them – robbing them of their anonymity by posting details and even photos of some of the hackers on their website.

The hacker behind the counterattack, an Israeli known as “Buddhax”, said that he did it to make anti-Israel hackers “think twice” before attacking Israeli sites, and to expose them as amateurs.

Israeli hackers had already responded to attempts last week to infiltrate Israeli and Jewish sites by taking down or defacing anti-Zionist and Muslim sites.

But Buddhax has gone a step further.


 # # #

 Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’

  • By Kim Zetter
  • Threat Level
  • 04.11.14

A hacker sentenced to three and a half years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T’s unsecured website is about to go free, after a ruling today that prosecutors were wrong to charge him in a state where none of his alleged crimes occurred.

Andrew “Weev” Auernheimer was in Arkansas during the time of the hack, his alleged co-conspirator was in California, and the servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Prosecutors therefore had no justification for bringing the case against Auernheimer in New Jersey, a federal appeals panel ruled this morning.

The appeal was closely watched in cyber law and civil liberties circles, and Auernheimer had a powerhouse legal team that handled his case pro-bono.

“Venue in criminal cases is more than a technicality; it involves ‘matters that touch closely the fair administration of criminal justice and public confidence in it,'” the judges wrote in their opinion (.pdf). “This is especially true of computer crimes in the era of mass interconnectivity. Because we conclude that venue did not lie in New Jersey, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.”


 # # #

 Here’s why it took 2 years for anyone to notice the Heartbleed bug

  • By Timothy B. Lee
  • April 12, 2014

What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake. The OpenSSL developer who approved the change didn’t notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years.

It’s hard to blame those guys. OpenSSL is an open source project. As the Wall Street Journal describes it, the project is “managed by four core European programmers, only one of whom counts it as his full-time job.” The OpenSSL Foundation had a budget of less than $1 million in 2013.

That’s shocking. Software like OpenSSL increasingly serves as the foundation of the American economy. Cleaning up the mess from the Heartbleed bug will cost millions of dollars in the United States alone. In a society that spends billions of dollars developing software, we should be spending more trying to keep it secure. If we don’t do something about that, we’re doomed to see problems like Heartbleed crop up over and over again.

Why security flaws are different from other bugs

Computer security is a classic collective action problem. We all benefit from efforts to improve software security, but most organizations don’t make it a priority. For most of us, it’s economically rational to free-ride on others’ computer security efforts.


 # # #

Updated: April 24, 2014 — 4:36 pm

The Author

Rich Fleetwood

Rich is the founder of SurvivalRing, now in its 24th year, author of multimedia CDs and DVDs, loves the outdoors, his family, his geeky skill-set, and lives in rural southern Wyoming, just below the continental divide (long story, that...). Always ready to help others, he shares what he learns on multiple blogs, many social sites, and more. With a background in preparedness and survival skills, training with county, state, and national organizations, and skills in all areas of media and on air experience in live radio and television, Rich is always thinking about the "big picture", when it comes to helping individuals and families prepare for life's little surprises.
