Personal Cybersecurity #33: Daily news

What you need to know for your personal cyber security life… 

Number thirty-three in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life every day is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.

And, just so you know, I’ve got 31 years of IT experience, and my day job is for the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the lifeblood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.

# # #

HEADLINES…for this issue…10 articles

  • Hackers attack Spokeo, UN Civil Aviation Org in nine-site crime spree
  • Police Grapple With Cybercrime
  • AOL email hacked: Several users complain about compromised accounts
  • SEC seeks data on cyber security policies at Wall Street firms
  • SQL Injection Cleanup Takes Two Months or More
  • How Heartbleed transformed HTTPS security into the stuff of absurdist theater
  • Michaels Confirms Data Breach
  • Mission-critical satellite communications wide open to malicious hacking
  • Cyber warfare research institute to open at West Point
  • Heartbleed Means Users Must Reset Passwords

Hackers attack Spokeo, UN Civil Aviation Org in nine-site crime spree

  • By Violet Blue
  • Zero Day
  • ZDNet News
  • April 21, 2014

Adding to a list of high profile targets that includes Comcast, NullCrew released on Sunday evidence it added a major “people finder” data broker, the UN’s aviation regulation and security arm, the University of Virginia, Telco Systems and others to its growing catalog of those it has hacked and humiliated.

The hackers of NullCrew claim in its Pastebin (e-zine) called “FTS Zine 5” that it also broke into Ukraine’s science center, where they claim to have discovered a database relating to individuals somehow working in “weapon code” production.

NullCrew announced on Twitter that it published the evidence of hacking into nine sites Easter Sunday. As with its previous conquests NullCrew mocked its targets while explaining the attacks — which could have been avoided with updated security practices.

The hackers have added data dealer Spokeo, the UN’s International Civil Aviation Organization, the University of Virginia, the Science and Technology Center of Ukraine, and others to its tally of victims.


# # #

Police Grapple With Cybercrime

  • The Wall Street Journal
  • April 20, 2014

When cybercriminals stole $2.5 million from the state of Utah in 2009, authorities got most of the money back—but never could find their man.

The money was wired to a bank account in Texas, officials said, as a step before an attempt to move it overseas. Utah authorities managed to freeze much of the funding in the U.S., but couldn’t figure out how the state agency got hacked and by whom, officials said. At one point, state investigators sought a man with a false name at a nonexistent address.

“It was just, for us, kind of a helpless feeling,” Utah Commissioner of Public Safety Keith Squires said of the incident.

As crime is increasingly moving online, state and local police—who have spent decades refining how to track down murderers, thieves and drug dealers—are having a hard time keeping up.

“It probably is one of the most perplexing questions right now in terms of state and local policing: How do they handle this stuff?” said Richard McFeely, who recently stepped down as the top cybersecurity official at the Federal Bureau of Investigation. “We’re not generally working these cases. We need to get out ahead of this.”


# # #

AOL email hacked: Several users complain about compromised accounts

  • By Salvador Rodriguez
  • Chicago Tribune
  • April 21, 2014

You’ve got (spam) mail.

Several AOL users are complaining on Twitter that their email accounts have been hacked and are being used to send out spam to others.

Multiple users have said that their accounts have been affected despite not being used in a long time. Among them is Los Angeles Times Food Editor Russ Parsons.

“I’ve gotten a couple of emails from friends telling me that my AOL account had been hacked and that they were getting spammed by it. The thing is, that account has been closed for at least two years,” Parsons said in an email.

It’s unclear how widespread the problem is or what is causing it. Users are complaining that changing their accounts’ passwords is not resolving the problem, as is usually the case when an email account has been hacked.

AOL has not addressed the situation and could not be reached for comment.

[Updated 3:50 p.m. PDT April 21: AOL said it is working on resolving the issue. The company said users can go to AOL’s help website to check on the latest updates and said that users should contact AOL if they believe their account was hacked.]


# # #

SEC seeks data on cyber security policies at Wall Street firms

  • By Jaikumar Vijayan
  • Computerworld
  • April 21, 2014

The Securities and Exchange Commission (SEC) plans to review the cyber defenses of 50 Wall Street broker-dealers and investment advisers to determine whether they are prepared for potential cyber threats.

The SEC Office of Compliance Inspections and Examinations (OCIE) will review each company’s tools and policies regarding governance, risk identification and assessment, network and data security controls, remote access and third party cyber risks.

In a security alert released last week, the SEC said the effort was launched after participants at an SEC-sponsored roundtable discussion in March stressed the importance of strong cybersecurity controls at Wall Street firms.

During the roundtable, SEC Commissioner Luis Aguilar recommended that the Commission collect information from broker-dealers and other financial firms about their cyber readiness. The SEC will follow up with information on how it can help the financial industry bolster security.


 # # #

SQL Injection Cleanup Takes Two Months or More

  • By Kelly Jackson Higgins
  • Dark Reading
  • 4/17/2014

A new report highlights the prevalence and persistence of SQL injection attacks.

In the past 12 months, 65% of organizations have suffered a SQL injection attack, and it took them close to 140 days to realize they had been hit.

According to a report by the Ponemon Institute published yesterday, it took an average of 68 days for victim organizations to recover and clean up after discovering they had suffered a SQL injection attack.

SQL injection is a hacking technique where an attacker exploits a vulnerability in the targeted application to send malicious SQL statements to the database. The attacker inserts malicious SQL statements into an entry field.

“SQL injection has been around for ages,” says Larry Ponemon, chairman and founder of the Ponemon Institute. It just won’t go away. “You’re lucky if you discover it [quickly], and it takes a long time to remediate: 140 days for an organization to even detect a SQL injection attack” has occurred. “And 40% of them say it takes six months or longer to detect it… It’s nine months on average from start to finish.”


 # # #

How Heartbleed transformed HTTPS security into the stuff of absurdist theater

  • By Dan Goodin
  • Ars Technica
  • April 21, 2014

If you want to protect yourself against the 500,000 or so HTTPS certificates that may have been compromised by the catastrophic Heartbleed bug, don’t count on the revocation mechanism built-in to your browser. It doesn’t do what its creators designed it to do, and switching it on makes you no more secure than leaving it off, one of the Internet’s most respected cryptography engineers said over the weekend.

For years, people have characterized the ineffectiveness of the online certificate status protocol (OCSP) as Exhibit A in the case that the Internet’s secure sockets layer and transport layer security (TLS) protocols are hopelessly broken. Until now, no one paid much attention. The disclosure two weeks ago of the so-called Heartbleed bug in the widely-used OpenSSL cryptography library has since transformed the critical shortcoming into a major problem, the stuff of absurdist theater. Security experts admonish administrators of all previously vulnerable websites to revoke and reissue TLS certificates, even as they warn that revocation checks in browsers do little to make end users safer and could indeed weaken the security and reliability of the Internet if they were made more effective.

Certificate revocation is the process of a browser or other application performing an online lookup to confirm that a TLS certificate hasn’t been revoked. The futility of certificate revocation was most recently discussed in a blog post published Saturday by Adam Langley, an engineer who was writing on his own behalf but who also handles important cryptography and security issues at Google. In the post, Langley recites a litany of technical considerations that have long prevented real-time online certificate revocations from thwarting attackers armed with compromised certificates, even when the digital credentials have been recalled. Some of the considerations include:


 # # #

Michaels Confirms Data Breach

  • By Jeffrey Roman
  • Bank Info Security
  • April 17, 2014

Arts and crafts retailer Michaels has now confirmed its stores were hit by a data breach that potentially compromised account information for 3 million payment cards.

The breach, which involved “criminals using highly sophisticated malware,” potentially affected about 2.6 million cards used at Michaels stores from May 8, 2013, through Jan. 27, 2014. The malware attack also affected Michaels’ Aaron Brothers stores, where approximately 400,000 cards were potentially affected from June 26, 2013, through Feb. 27, 2014, the company said in an April 17 statement.

Michaels says breached systems contained certain payment card information, such as payment card numbers and expiration dates, for its customers. There is no evidence that other customer personal information, such as name, address or PIN, was at risk, the company says.

The company provided a list of affected U.S. Michaels stores and a list of affected Aaron Brothers stores.


 # # #

Mission-critical satellite communications wide open to malicious hacking

  • By Dan Goodin
  • Ars Technica
  • April 17, 2014

Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday.

Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.

“If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk,” Ruben Santamarta, IOActive’s principal security consultant, wrote. “Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.


 # # #

Cyber warfare research institute to open at West Point

  • By Joe Gould
  • Staff writer
  • Army Times
  • April 7, 2014

The Army’s academy has established a cyber warfare research institute to groom elite cyber troops and solve thorny problems for the Army and the nation in this new warfighting domain.

The U.S. Military Academy at West Point, N.Y., plans to build a cyber brain trust unprecedented within the service academies, filling 75 positions over the next three years — including scholars in technology, psychology, history and law, among other fields.

The chairman of the organization, called the Army Cyber Institute, will be retired Lt. Gen. Rhett Hernandez, the first chief of Army Cyber Command, according to Col. Greg Conti, the organization’s director.

The institution, which aims to take on national policy questions and develop a bench of top-tier experts for the Pentagon, will be defining how cyber warfare is waged, to steer and inform the direction of the Army.


 # # #

Heartbleed Means Users Must Reset Passwords

  • By Aliya Sternstein
  • April 19, 2014

Federal officials are telling Obamacare website account holders to reset their passwords, following revelations of a bug that could allow hackers to steal data.

Officials earlier in the month said the government’s main public sites, including, were safe from the risks surrounding Heartbleed — faulty code recently found in a widely-used encryption tool.

But, this weekend, the online marketplace’s homepage directs users to change their login information.

“While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” states.


 # # #

Updated: April 24, 2014 — 4:33 pm

The Author

Rich Fleetwood

Rich is the founder of SurvivalRing, now in its 24th year, author of multimedia CDs and DVDs, loves the outdoors, his family, his geeky skill-set, and lives in rural southern Wyoming, just below the continental divide (long story, that...). Always ready to help others, he shares what he learns on multiple blogs, many social sites, and more. With a background in preparedness and survival skills, training with county, state, and national organizations, and skills in all areas of media and on air experience in live radio and television, Rich is always thinking about the "big picture", when it comes to helping individuals and families prepare for life's little surprises.
