What you need to know for your personal cyber security life…
Number forty-four in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life everyday is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.
And, just so you know, I’ve got 31 years of IT experience, and my day job is with the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the life blood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.
# # #
HEADLINES…for this issue…33 articles
- Organisations fail to encrypt sensitive data, shows Infosecurity Europe survey
- Hackers threaten ‘Israhell’ cyber-attack over Gaza
- Chinese Hackers Pursue Key Data on U.S. Workers
- Police: Fake security officer tries to get password to stolen computer in Sand Springs
- Adventurous squirrels give region’s power grid a shock
- Corporate Espionage Impacts Doing Business In China
- Banks Dreading Computer Hacks Call for Cyber War Council
- Senate should demand electric grid reliability and security
- Why You May Want the CFE Designation
- Don’t Waste Your Money: Are you staying at a hacker-friendly hotel?
- Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords
- Chinese hackers switched targets to U.S. experts on Iraq
- Bloody June: What’s behind last month’s DDoS attacks?
- NORKS hacker corps reaches 5,900 sworn cyber soldiers – report
- Russian hacker captured in 2010 Broadway Grill data breach
- Ancient vulnerabilities are geddon in the way of security
- Order restored to universe as Microsoft surrenders confiscated No-IP domains
- BAE Says Hedge Fund Attack on Hedge Fund Wasn’t Real
- PF Chang’s says breach was ‘highly sophisticated criminal operation’
- Hacked companies face SEC scrutiny over disclosure, controls
- Microsoft admits technical error in IP takeover, but No-IP still down
- Another Security Breach for Obamacare
- How Companies Can Rebuild Trust After A Security Breach
- DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS
- EXCLUSIVE: U.S. Manufacturer Wants Commerce Dept. to Penalize China for Cyberattack
- Leaked: 10 Months Of The Houston Astros’ Internal Trade Talks
- The Downside of Not Exhausting a $6 Billion Cyber Contract
- What If Oil Companies Apply The Same Tactics For Cybersecurity To Safety?
- Third-Party Service Providers Scrutinized After SEA’s Reuters Hack
- FFIEC Cybersecurity Assessments Begin
- Hacker taunts arrested comrade after someone drops dime to FBI
- Cyber security an economic opportunity, says UK government
- AT&T: ’twas conniving contractors who nicked your info
# # #
Organisations fail to encrypt sensitive data, shows Infosecurity Europe survey
- By Warwick Ashford
- 09 July 2014
More than a third of organisations are failing to encrypt sensitive data sent outside their systems, a survey has revealed.
Nearly 36% of more than 200 security professionals, polled at Infosecurity Europe 2014 in London, admitted their organisations are not using encryption for sharing sensitive data.
“This statistic is cause for alarm, particularly given that encryption provides protection for companies against cyber criminals, competing companies and even governments,” said Terence Spies, CTO of Voltage Security, the company that conducted the survey.
“Encryption is the key to keeping sensitive data away from prying eyes because encrypting data at the source means that hackers or malicious actors will not be able to see or use the information, even if they do manage to intercept it.”
# # #
Hackers threaten ‘Israhell’ cyber-attack over Gaza
- By David Shamah
- Times of Israel
- July 9, 2014
As the war against Hamas terrorists in Gaza rages on, anti-Israel hackers are gearing up for yet another large-scale cyber-attack on Israel. Set for Friday, July 11, #OpSaveGaza, anti-Israel hackers promise, the denial of service (DDOS) attack will be the “greatest campaign ever against ‘Israhell,’ to expose their terrorist activity to the world,” hackers wrote.
Such politically motivated cyber-attacks are almost routine, and so far Israel’s record of foiling them is good.
Israel is ready, said Dina Beer, CEO of the Israel Internet Association (ISOC), which administers Israel’s Internet connections to the rest of the world. “I won’t say that such attacks are easy to deal with, but we are always ready to deal with them,” she told The Times of Israel. “Israel faces DDOS and hack attacks every day, so we’re experienced with how to deal with them. The difference during times of crises like these is the number of hackers that participate in the attacks.”
Despite that experience, it would be foolish to dismiss the attacks, said Isaac Ben-Israel, head of the Tel Aviv University’s Yuval Neeman Workshop for Science, Technology, and Security.
# # #
Chinese Hackers Pursue Key Data on U.S. Workers
- By Michael S. Schmidt, David E. Sanger and Nicole Perlroth
- The New York Times
- July 9, 2014
WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.
The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use.
In response to questions about the matter, a senior Department of Homeland Security official confirmed that the attack had occurred but said that “at this time,” neither the personnel agency nor Homeland Security had “identified any loss of personally identifiable information.” The official said an emergency response team was assigned “to assess and mitigate any risks identified.”
One senior American official said that the attack was traced to China, though it was not clear if the hackers were part of the government. Its disclosure comes as a delegation of senior American officials, led by Secretary of State John Kerry, are in Beijing for the annual Strategic and Economic Dialogue, the leading forum for discussion between the United States and China on their commercial relationships and their wary efforts to work together on economic and defense issues.
# # #
Police: Fake security officer tries to get password to stolen computer in Sand Springs
- July 9, 2014
TULSA – Sand Springs police say they arrested a man after he posed as a security officer in an attempt to get the password for a stolen computer.
Investigators say Frank Sudduth, 23, stole jewelry and a laptop computer from a neighbor and later returned to the apartment wearing a police T-shirt in an attempt to get the password to unlock the computer.
Police say Sudduth went to the victim’s apartment and told her son that he was a security officer and needed the password so that a report could be filed and turned in to the management office.
Officers say Sudduth took the T-shirt from the closet of his roommate, who had recently been hired by the Kiefer Police Department.
# # #
Adventurous squirrels give region’s power grid a shock
- By Kendra Hogue
- Portland Tribune
- 09 July 2014
When the power goes out on a hot day, most people assume overuse of air conditioning is to blame.
But from June 12 through July 7, four substation outages in Portland’s westside suburbs and in North Portland were caused by adorably nimble, fluffy-tailed and overly adventurous squirrels.
All four outages were in PGE territory and one — the Oak Hills substation at Northwest Cornell Road and Twin Oaks Drive in Beaverton — was hit twice. (By different squirrels, of course.)
“This is clearly an unusual convergence of squirrel activity,” said Steve Corson, spokesman for PGE. “We’d like to have a break from squirrels for awhile.”
# # #
Corporate Espionage Impacts Doing Business In China
- By Nina Xiang
A sex tape is always intriguing.
In this case, my curiosity was aroused by a secretly-filmed alleged sex tape of the former China head of British drug-maker GlaxoSmithKline (GSK) and his girlfriend, which was sent to senior executives at GSK as a teaser for whistle-blower documents.
So I talked with Steven Feldman, professor of business ethics at Case Western Reserve University in Cleveland, Ohio, about it.
He shared with me some anecdotes about hidden surveillance while doing business in China. For example, he says he knows one major American company that had an office in Shanghai. The board of directors of the company wanted to come over to Shanghai to have a board meeting. But the company’s China head was unable to get the electronic bugs out from his boardroom, because it’s illegal to own the equipment to search for electronic eavesdropping in China.
Another company said they had to be very careful when buying new buildings in China because a lot of the office buildings are filled with electronic eavesdropping bugs.
# # #
Banks Dreading Computer Hacks Call for Cyber War Council
- By Carter Dougherty
- July 8, 2014
Wall Street’s biggest trade group has proposed a government-industry cyber war council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.
The proposal by the Securities Industry and Financial Markets Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight U.S. agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.
The trade association also reveals in the document that Sifma has retained former NSA director Keith Alexander to “facilitate” the joint effort with the government. Alexander, in turn, has brought in Michael Chertoff, the former U.S. Secretary of Homeland Security, and his firm, Chertoff Group.
# # #
Senate should demand electric grid reliability and security
- By Thomas S. Popik and William R. Graham
- The Hill
- July 07, 2014
With a Senate vote on two nominees for commissioners of the Federal Energy Regulatory Commission (FERC) pending, there is unprecedented attention on this obscure regulator of interstate pipelines and electricity transmission. In 2005, Congress granted FERC additional authority to regulate electric grid reliability and security, but too often FERC has accommodated industry rather than enforce strict standards.
Both FERC nominees, Cheryl LaFleur and Norman Bay, have long tenures as commissioner and director of Enforcement, respectively. Before a confirmation vote, Senators should examine FERC’s weak regulatory record and determine whether leadership and legislative fixes are necessary.
Prior to the 2003 Northeast Blackout which affected 50 million people, electric grid reliability and security were unregulated. An industry trade association had set voluntary standards but compliance was spotty. After the Northeast Blackout, a special U.S.-Canada task force identified the voluntary standards system as a prime cause. In response, Congress designed a hybrid regulatory system, where a private successor to the trade association, the North American Electric Reliability Corporation (NERC), would set mandatory standards. FERC would have authority to request, review, and approve, but not change, NERC’s standards.
Nominee and Acting FERC Chair LaFleur, formerly a senior utility executive, is a supporter of the hybrid FERC-NERC regulatory system. At an April Senate hearing entitled, “Keeping the lights on — Are we doing enough to ensure the reliability and security of the U.S. electric grid?” energy committee Chair Mary Landrieu (D-La.) requested of the witnesses, “Say how this is working.”
“I think it’s working quite well,” responded Chairman LaFleur. NERC CEO Gerry Cauley chimed in, “I think the model is working really well.”
# # #
Why You May Want the CFE Designation
- By Terry Sheridan
- Accounting Web
- July 8, 2014
The Madoff Ponzi scheme, financial crisis of 2007-2009, ongoing mortgage fraud and other scandals, and laws like Sarbanes-Oxley and Dodd-Frank that were passed to counter the fraudsters, send a clear message: fraud investigation is a can’t-miss career track and valuable expansion to an accounting or law practice or to the C-suite’s bean counters.
Here’s a little extra persuasion: According to the 2014 global fraud study by the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5 percent of annual revenues to fraud—a projected global fraud loss of almost $3.7 trillion if the 2013 estimated Gross World Product is applied.
The median loss caused by fraud in the study was $145,000. And another 22 percent of the cases involved losses of at least $1 million.
Most cases are reported in banking and financial services, government and public administration, and manufacturing sectors. The largest reported median losses, however, are in mining, real estate, and oil and gas industries, according to the study. There are clearly opportunities in many sectors.
# # #
Don’t Waste Your Money: Are you staying at a hacker-friendly hotel?
- By Doris Taylor
- July 8, 2014
As the travel season heats up, Consumer Reports cautions that some popular hotel and motel chains could be vulnerable to hackers because of weak security systems.
The major credit-card companies require businesses to have standard data protections if they want to accept credit and debit cards. It’s called being PCI compliant. But Consumer Reports found that a number of hotels may not be.
At a Super 8 motel in New York, the manager said he “had not heard” about PCI compliance. An assistant general manager at a Red Lion in California also said, “I never heard of this.” Similarly, a manager at an America’s Best Value in Washington state said, “I have no idea” about PCI compliance.
In the past, hackers have taken advantage of weak security at hotels. For instance, there were three documented data breaches at properties of Wyndham Worldwide several years ago. According to a complaint by the Federal Trade Commission, “security failures” at Wyndham Worldwide led to more than $10 million in unauthorized charges.
# # #
Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords
- By Dan Goodin
- Ars Technica
- July 7, 2014
In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.
The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000.
According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.
“Armed with knowledge of the encryption algorithm, key, initialization vector, and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence,” researchers from security consultancy Context wrote.
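As an added example (not code from the Ars article, from Context’s write-up, or from LIFX’s firmware), the Go program below models the weakness the researchers describe: credentials encrypted with AES under a key and IV that never change, so anyone who pulls that key out of the firmware decrypts every frame captured from the mesh. Beside it sits a hardened variant that uses an authenticated mode under a key established when the bulb is paired. The key, IV, credential string and pairing key are constructed stand-ins, and the hardened scheme is a generic alternative assumed for illustration, not LIFX’s actual fix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-ins (not the real LIFX values) for the AES key and IV the
// article says never changed. Every device ships with the same ones, so they
// are constants the attacker reads out of the firmware, not secrets.
var firmwareKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var fixedIV = []byte("fedcba9876543210")                    // 16 bytes: one block

// pkcs7Pad returns a padded copy of b whose length is a multiple of the block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := append([]byte(nil), b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding added by pkcs7Pad.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("pkcs7: bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return b[:len(b)-n], nil
}

// weakEncryptCredentials models the flawed mesh scheme: AES-CBC under the
// firmware-wide key with a constant IV. Output is deterministic, and every
// bulb, plus anyone who has read the firmware, can decrypt it.
func weakEncryptCredentials(cred []byte) ([]byte, error) {
	block, err := aes.NewCipher(firmwareKey)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(cred)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct, pt)
	return ct, nil
}

// weakDecryptCredentials is what a sniffer within radio range does with a
// captured frame once the firmware key is known: no authentication needed.
func weakDecryptCredentials(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(firmwareKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// hardenedEncryptCredentials is a generic alternative assumed by this example
// (not LIFX's fix): AES-GCM under pairingKey, a per-installation key agreed at
// enrolment rather than baked into the image, with a fresh random nonce per
// message. Output layout: nonce || ciphertext || tag.
func hardenedEncryptCredentials(pairingKey, cred []byte) ([]byte, error) {
	block, err := aes.NewCipher(pairingKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cred, nil), nil
}

// hardenedDecryptCredentials opens a message from hardenedEncryptCredentials.
// Any other key, the firmware constant included, fails the tag check instead
// of yielding plaintext.
func hardenedDecryptCredentials(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

func main() {
	cred := []byte("ssid=HomeNet;psk=correct horse battery staple") // constructed
	weak, _ := weakEncryptCredentials(cred)
	again, _ := weakEncryptCredentials(cred)
	leaked, _ := weakDecryptCredentials(weak)
	fmt.Printf("weak: deterministic=%v attacker recovers=%q\n", bytes.Equal(weak, again), leaked)

	pairingKey := make([]byte, 32)
	if _, err := rand.Read(pairingKey); err != nil {
		panic(err)
	}
	msg, _ := hardenedEncryptCredentials(pairingKey, cred)
	_, err := hardenedDecryptCredentials(firmwareKey, msg)
	fmt.Printf("hardened: firmware key opens it? %v\n", err == nil)
}
```

The two properties worth noticing are the ones the weak scheme exhibits and the hardened one does not: the same SSID and passphrase produce identical bytes on every bulb, so a credential frame can be recognised on the air before it is even decrypted, and the only secret in play is shared by every unit shipped. A key that lives in firmware is a constant, not a secret; that is the whole of the Context finding, and it holds for any device class, not just lightbulbs.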
# # #
Chinese hackers switched targets to U.S. experts on Iraq
- By Gregg Keizer
- July 7, 2014
A sophisticated Chinese hacker group that had been stealing information from U.S. policy experts on nearby Southeast Asia suddenly changed targets last month to focus on the Middle East — Iraq, in particular — security researchers said Monday.
The group, called “Deep Panda,” switched from exploiting one area of expertise to another because of the march of the Islamic State of Iraq and the Levant (ISIS) towards Baghdad, and the collapse of Iraq’s security forces in the north and west of the country.
“The networks [of the think tanks] had been previously compromised, but Deep Panda pivoted to target systems and individuals with ties to the Middle East and Iraq,” said Dmitri Alperovitch, co-founder and CTO of CrowdStrike, an Irvine, Calif. security company, of the overnight switch. The shift in Deep Panda’s targeting happened on June 18, the day that ISIS began to attack the strategically important oil refinery at Baiji, 155 miles north of Baghdad.
China is the largest foreign investor in Iraqi oil fields, and draws about 10% of its oil imports from the country. Most of China’s oil investments, however, are in southern Iraq.
# # #
Bloody June: What’s behind last month’s DDoS attacks?
- By Jon Gold
- July 7, 2014
The list of DDoS attacks in the month of June has made for grim reading. High-profile sites have been targeted by extortion demands, online games got disrupted and at least one company was put out of business as a direct result.
While it’s tempting to look for a single cause at the root of this apparent tsunami of distributed denial-of-service activity, the reality is considerably more complex. Online activism, the profit motive and even potential nation-state activity contributed to June’s high volume of DDoS attacks.
The only commonality, in fact, may be the ease with which DDoS attacks can be launched. Experts like Molly Sauter, an academic and author of the forthcoming book The Coming Swarm, say that the process is childishly simple.
“Literally, if you have a credit card and if you’re bored, it could be anyone,” Sauter told Network World. “It’s so easy to rent a botnet – most of them are out of Russia – and you can rent one for stupid cheap, and then deploy it for a couple of hours, and that’s really all you need to target a major site like Feedly or Evernote.”
# # #
NORKS hacker corps reaches 5,900 sworn cyber soldiers – report
- By Darren Pauli
- The Register
- 7 July 2014
North Korea has doubled the number of government hackers it employed over the last two years according to military sources from the South.
The allegations claim 5900 “elite” personnel were employed in Pyongyang’s hacking unit, up from 3000 in 2012.
The hackers had their crosshairs firmly fixed on Seoul but operate from bureaux in China, the source told the Yonhap News Agency.
“The communist country operates a hacking unit under its General Bureau of Reconnaissance, which is home to some 1200 professional hackers,” the source told the agency.
# # #
Russian hacker captured in 2010 Broadway Grill data breach
- By jseattle
- July 7, 2014
A 30-year-old Russian man was arrested over the weekend for a series of crimes involving hacking into point of sales systems at Washington restaurants including a data breach in 2010 that involved stealing credit card information from hundreds of customers of Capitol Hill’s Broadway Grill. The allegations detail at least $1.7 million in losses to banks and credit card companies from data stolen from the Capitol Hill restaurant’s point of sale system.
The U.S. Attorney’s office Monday morning announced the arrest of Roman Seleznev — known as “Track2” in “the criminal carding underground,” according to the announcement. Seleznev was indicted in 2011, according to the U.S. Attorney but wasn’t taken into custody until July 5th.
CHS reported on the status of the case earlier this year as we reported that authorities had still made no arrests in the 2010 crimes against customers of the Capitol Hill restaurant. Secret Service agent Bob Kierstead told CHS that investigators had contained and identified the malware used in the virtual attack but were still working to locate suspects. Kierstead did not tell CHS at the time that an indictment had been made.
The Broadway Grill shuttered in 2013 after owners said they struggled to recover from the negative publicity related to the wave of credit card fraud. Agent Kierstead told CHS there was no illegal activity from within Broadway Grill “whatsoever.”
# # #
Ancient vulnerabilities are geddon in the way of security
- By Stilgherrian for The Full Tilt
- July 3, 2014
“We are failing at communicating to the rest of the world,” says James Lyne, global head of security research at Sophos. “I think that we have a fundamental broken behaviour in this industry that we need to go and shift.” And he’s got numbers to back up his claim.
Lyne has been warbiking. That’s exactly the same thing as wardriving, that is, driving around a city to map out its open and poorly secured wireless networks, but with more lycra. His results for London and San Francisco are already online, and those for Las Vegas, Hanoi and Sydney are coming soon.
On Wednesday, journalists were given a preview of Sydney’s results, which Lyne described as the “least worst of a bad bunch”.
Of the 34,476 wi-fi networks he detected while cycling Sydney streets, 1,371 (3.98 percent) were still using the obsolete Wired Equivalent Privacy (WEP) protocol. That’s significantly better than San Francisco’s 9.5 percent, which presumably has so many obsolete wireless networks because it rolled them out sooner, but it’s still a worry.
“WEP is just broken, bad, has been known-bad for such a long time, and there really isn’t a context in which it should be used now — and it’s still remarkably present,” Lyne told ZDNet.
# # #
Order restored to universe as Microsoft surrenders confiscated No-IP domains
- By Dan Goodin
- Ars Technica
- July 2, 2014
Microsoft has surrendered the 23 domain names it confiscated from dynamic domain hosting service No-IP.com, a move that begins the process of restoring millions of connections that went dark as a result of the highly controversial legal action.
At the time this post was being prepared, No-IP had recovered 18 of the domains and was in the process of reacquiring the remaining five from Public Interest Registry, the registry for Internet addresses ending in .org, No-IP spokeswoman Natalie Goguen told Ars. People who rely on No-IP subdomains that don’t end in .org should already have service restored, as long as the domain name service (DNS) server they use has been updated to reflect Wednesday’s transfer. Users who are still experiencing connectivity problems should try using DNS services from Google or OpenDNS, which have both updated their lookups to incorporate the transfers.
Microsoft confiscated the No-IP domains in late June through a secretive legal maneuver that didn’t give the dynamic DNS provider an opportunity to oppose the motion in court. Microsoft’s ex parte request was part of a legal action designed to dismantle two sprawling networks of infected Windows computers that were abusing No-IP in an attempt to evade takedown. As partial justification for the request, Microsoft lawyers argued No-IP didn’t follow security best practices.
# # #
BAE Says Hedge Fund Attack on Hedge Fund Wasn’t Real
- By Chris Strohm
- July 2, 2014
The hacking attack on a hedge fund that was described by a security official with BAE Systems Plc (BA/) last month wasn’t real, a company spokeswoman said.
The attack was one of several “illustrative scenarios” that BAE internally developed and was “incorrectly presented” as authentic, Natasha Davies, a company spokeswoman, said in a telephone interview today. The company, based in London, sells network security services to government and corporate clients.
The notion of a serious hacking attack on a hedge fund fueled questions about network security at financial institutions and helped lead to the creation of a new group to promote computer security within the banking industry.
Paul Henninger, global product director for BAE Systems Applied Intelligence, said June 19 that hackers successfully inserted malicious software that delayed by several hundred microseconds a large, unnamed hedge fund’s order-entry system. Henninger said the hackers also rerouted data that might be used to make money in rogue stock-market transactions.
# # #
PF Chang’s says breach was ‘highly sophisticated criminal operation’
- By Martyn Williams
- IDG News Service
- July 2, 2014
Restaurant chain P.F. Chang’s China Bistro says the theft of credit and debit card information from some of its restaurants earlier this year was “part of a highly sophisticated criminal operation.”
But the chain, which only discovered the breach after a large batch of card numbers were offered on an Internet forum, said it’s still working with the U.S. Secret Service and forensic experts to determine exactly what happened.
“We continue to make progress in our investigation into the recent security compromise that affected P.F. Chang’s,” said Rick Federico, CEO of PF Chang’s, in a statement posted Tuesday on the company’s website. “We will continue sharing important details once they have been confirmed by a team of third-party forensic experts.”
The statement was the first update issued by the company in three weeks and didn’t add much additional information to what was already known: that an attack apparently hit the point-of-sale systems in the company’s restaurants and sucked up card numbers used between March and May of this year.
# # #
Hacked companies face SEC scrutiny over disclosure, controls
- By Dave Michaels
- July 2, 2014
The Securities and Exchange Commission has opened investigations of a number of companies, examining whether they properly handled and disclosed a growing number of cyberattacks.
The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren’t public.
Target Corp., the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers’ debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings.
The prospect of enforcement actions against companies that have been victims of cyberattacks marks a new front in the agency’s efforts to combat the rising threat hackers pose to public companies, brokerages and financial markets. Previously, the SEC had focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers.
# # #
Microsoft admits technical error in IP takeover, but No-IP still down
- By Jeremy Kirk
- IDG News Service
- July 1, 2014
Microsoft admitted Tuesday it made a technical error after it commandeered part of an Internet service’s network in order to shut down a botnet, but the Nevada-based company says its services are still down.
A federal court in Reno granted Microsoft an ex-parte restraining order that allowed it to take control of 22 domains run by No-IP, a DNS (Domain Name Service) provider owned by Vitalwerks, which was served the order on Monday.
Microsoft alleged the domains were being abused by cybercriminals to manage and distribute malware. It was the tenth time Microsoft has turned to the courts to take sweeping action against botnets, or networks of hacked computers.
Although No-IP was not accused of wrongdoing, Microsoft maintained the company had not done enough to stop abuse on its networks. Microsoft’s intention by seizing the domains was to block only the computers using No-IP’s services that were being used as part of a botnet.
# # #
Another Security Breach for Obamacare
- By Jillian Kay Melchior
- National Review
- July 1, 2014
A Romanian attacker hacked the Vermont health exchange’s development server last December, gaining access at least 15 times and going undetected for a month, according to records obtained by National Review Online.
CGI Group, the tech firm hired to build Vermont Health Connect, described the risk as “high” in a report about the attack. It also found possible evidence of sophisticated “counter-forensics activity performed by the attacker to cover his/her tracks.”
The report says that no private consumer information was stored on the hacked server, and that CGI Group had “verified that no additional servers [that may store private data] communicated with any of the identified attacker IP addresses.”
But Michael Gregg, the CEO of the cyber-security consulting firm Superior Solutions, says it’s possible the hacker went on to access other parts of Vermont Health Connect, covering his tracks and remaining undetected to this day.
“There is potential for consumer risk,” says Gregg, who has also testified to Congress about cyber-security risks for HealthCare.gov. “Best practices were not carried out in several respects. All those point to the possibility of further or additional breaches, because they have just not shown that they have done the due diligence, and without those controls in place, it’s hard to say. The attacker could have captured passwords on additional systems and used those to create different accounts that Vermont Health Connect doesn’t know about yet.”
# # #
How Companies Can Rebuild Trust After A Security Breach
- By Kate Vinton
- Forbes Staff
- July 1, 2014
“It’s not a question of if you will be hacked, but when,” says cybersecurity expert Joe Adams. This is bad news for companies, not only because of security risks, but also because data breaches have a significant and measurable impact on customers’ trust and spending habits, according to a study released Monday. The good news? Customers, who are generally not concerned about security until a breach happens, are looking for transparency and timely responses to breaches, something companies can provide with enough preparation and foresight.
Interactions, a customer experience marketing group, released a study Monday called “Retail’s Reality: Shopping Behavior After Security Breaches.” Using the same sampling as the 2010 U.S. Census, the study looks at how security breaches impact customers’ shopping habits. Forty-four percent of survey respondents had been the victim of a data breach. A higher 60% of Millennials had had their data stolen, likely because these 18 to 24-year-olds are much more likely to share their information online and sign up for retail credit cards, according to DeMeo, Vice President of Global Marketing and Analytics at Interactions.
Trust for retail is low, with 45% of shoppers saying they don’t trust retailers to keep their information safe. After a security breach, 12% of loyal shoppers stop shopping at that retailer, and 36% shop at the retailer less frequently. For those who continue to shop, 79% are more likely to use cash instead of credit cards. According to DeMeo, shoppers who use cash statistically spend less money, hurting the company. Indeed, 26% say they will knowingly spend less than before.
All this paints a concerning picture for retailers looking to both keep their company secure and minimize the negative impact of a security breach if — or when — it occurs. DeMeo says his company does not study the financial impact of customer reactions to data breaches, but it doesn’t bode well for a company if consumers are spending and trusting less. Companies need to either find a foolproof way to prevent security breaches entirely (an unfortunately idealistic goal), or work to minimize the negative effect of data breaches on their relationship with customers.
# # #
DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS
- By William Knowles @c4i
- Senior Editor
- InfoSec News
- July 1, 2014
XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack.
Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013.
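An added example, not code from the article or from either vendor's site, showing the reflected-XSS pattern on a sign-in page beside its fix: untrusted query data concatenated into HTML versus the same data escaped for the attribute context it lands in. The renderers and `countTags` helper are hypothetical; the sample input is constructed.

```javascript
// Added example (not from the article): an HTML-escaping helper and a
// hypothetical sign-in page renderer, vulnerable form beside hardened form.

// Escape the characters that let untrusted text break out of HTML text and
// attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the "username" query parameter is concatenated straight into
// the page, so a quote in the parameter ends the attribute and any markup
// that follows becomes part of the document (reflected XSS).
function renderLoginUnsafe(params) {
  const user = params.get("username") || "";
  return `<form><input name="username" value="${user}"></form>`;
}

// Hardened: the same page, but the untrusted value is escaped for the
// attribute context before it is placed in the template.
function renderLoginSafe(params) {
  const user = escapeHtml(params.get("username") || "");
  return `<form><input name="username" value="${user}"></form>`;
}

// Simple check used in testing: count element start tags in the rendered
// page. The template itself emits exactly two (form, input); any extra tag
// means untrusted input reached the markup unescaped.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample input: a prefilled username that closes the attribute
// and opens a harmless <b> tag, enough to show the break-out.
const sampleQuery = new URLSearchParams('username=%22%3E%3Cb%3Ex');
console.log(countTags(renderLoginUnsafe(sampleQuery))); // 3
console.log(countTags(renderLoginSafe(sampleQuery)));   // 2
```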
According to XSSposed, the InfoSec Institute has not one, two, three, four, five, six, but SEVEN XSS vulnerabilities discovered this week. The most recent XSS vulnerability at the EC-Council is in the portal page where its customers sign in. This is not the only XSS vulnerability on their site: The Hacker News reported one back in 2011, and Rafay Baloch and Deepanker Arora discovered another in 2013.
In a statement after a previous Web defacement, the EC-Council said it “takes the privacy and confidentiality of their customers very seriously.” Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC-Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers’ licenses, and government and military Common Access Cards (CACs).
# # #
EXCLUSIVE: U.S. Manufacturer Wants Commerce Dept. to Penalize China for Cyberattack
- By Shane Harris
- Foreign Policy
- July 1, 2014
A U.S. solar panel manufacturer whose business secrets were allegedly stolen by Chinese computer hackers has asked the U.S. government to investigate the matter, setting in motion a process that could see the United States impose trade penalties for the first time in response to state-sponsored cyber-espionage against an American company.
In a filing with the Commerce Department on Tuesday, July 1, the U.S. subsidiary of German company SolarWorld, which builds solar panels and equipment, asked officials to investigate allegations contained in a recent criminal indictment accusing five members of the People’s Liberation Army of hacking the company’s computers and stealing proprietary information. Prosecutors say that the hackers took SolarWorld’s price lists, product designs, and communications between the company and its lawyers in a series of computer incursions that began in 2012.
“The [government of China’s] theft of SolarWorld’s trade and financial information has inflicted, and will likely continue to inflict significant and, as yet, unquantified harm on SolarWorld,” the company told the Commerce Department. But the hackers weren’t just after SolarWorld’s product information. They also allegedly stole information about a trade case that SolarWorld has been pressing against Chinese solar panel manufacturers, which it accuses of unfairly dumping their cheap products in the U.S. market. The compromised information could give Chinese officials a peek at the evidence the company planned to use in its trade case.
“As the indictment makes clear, the focus of much of the cyber theft was related to SolarWorld’s trade remedy cases against Chinese solar manufacturers,” the company said. This suggests that the hacking has a “direct bearing” on the Commerce Department’s investigation of Chinese dumping, which has been occurring for years.
# # #
Leaked: 10 Months Of The Houston Astros’ Internal Trade Talks
- By Barry Petchesky
Two years ago, the Houston Astros constructed “Ground Control”—a built-from-scratch online database for the private use of the Astros front office. It is by all accounts a marvel, an easy-to-use interface giving executives instant access to player statistics, video, and communications with other front offices around baseball. All it needs, apparently, is a little better password protection.
Documents purportedly taken from Ground Control and showing 10 months’ worth of the Astros’ internal trade chatter have been posted online at Anonbin, a site where users can anonymously share hacked or leaked information. Found below, they contain the Astros front office’s communications regarding trade overtures to and from other teams, as well as negotiations—a few of which actually led to trades. You will find heavy efforts to get a big haul for Bud Norris at last year’s trade deadline (before settling for very little), pushes to acquire touted young talents like Dylan Bundy and Gregory Polanco, and even evidence the Astros rejected out of hand a blockbuster deal that could have brought them Giancarlo Stanton.
From a strict baseball perspective, all of this is really interesting just for the insight it offers into how baseball trades work on an operational level. As it turns out, it really isn’t too different from your fantasy league, with front office types kicking around ideas, making preposterous demands, gossiping, and discussing various contingencies. If this happens, we’ll be looking to do this, but then if this other thing happens, we’ll be looking to do this. All of it is worth running through, but a few of the highlights are as follows:
# # #
The Downside of Not Exhausting a $6 Billion Cyber Contract
- By Aliya Sternstein
- June 30, 2014
Agencies are partially taking advantage of a huge bulk-price governmentwide deal to help automate network vulnerability-tracking and fix problems in real-time, according to federal officials.
If departments underutilize the arguably complex acquisition program, the upshot could be saving money on a potentially $6 billion contract.
But if agencies latch onto the five-year endeavor, they could save money elsewhere, by eliminating the hundreds of millions of dollars currently spent on audit paperwork and incident response, advocates say.
The so-called continuous diagnostics and mitigation project — funded by the Homeland Security Department — aims to supply all agencies with products to move from traditional three-year vulnerability checks to three-day fixes.
Parts of DHS itself are using established tools and also must wait for current network surveillance contracts to expire.
# # #
What If Oil Companies Apply The Same Tactics For Cybersecurity To Safety?
- By Loren Steffy
The American Petroleum Institute is working with several large U.S. oil companies to assemble a team of cybersecurity specialists that would help identify and prevent malicious software attacks against the computers that control the country’s energy infrastructure. Led by an executive for Dallas-based Hunt Oil, the group will serve as a clearinghouse of sorts for threats to automated systems.
By improving communication among oil companies, the group, known as the Oil and Natural Gas Information Sharing and Analysis Center, hopes to get companies working together to thwart attacks that could cripple offshore rigs, refineries, pipelines and other equipment.
The approach makes a lot of sense. After all, the potential for hackers to target energy company computer systems poses a mutual threat that is best addressed when companies combine their efforts.
The oil and gas industry has shown remarkable solidarity when it comes to addressing what it perceives as a common outside threat, whether it comes from hackers or new regulations the industry considers onerous. It’s been far less willing, however, to take such a collaborative approach to confront threats from within its own ranks.
# # #
Third-Party Service Providers Scrutinized After SEA’s Reuters Hack
- By Robert Lemos
One content provider’s lapse in spotting the odd behavior of privileged users allowed the Syrian Electronic Army cyber-propaganda group to deface Reuters.com.
As popular cyber-attack targets continue to make progress in locking down access to their networks and data, attackers searching for other ways to compromise their targets have increasingly focused on another weak point—third-party suppliers and contractors.
On June 23, hackers from the propaganda group known as the Syrian Electronic Army redirected visitors to some Reuters articles to a defacement page that berated the news organization for “fake reports and false articles about Syria.” The attackers did not breach Reuters’ network, however, but modified a content widget provided by Taboola, which normally allows media sites to monetize their page views.
The SEA fooled one company employee, whom the firm refers to as a “user,” into giving up their password and then used that access to Taboola’s Backstage platform to change the header in the Reuters widget, the company said in an analysis of the attack.
# # #
FFIEC Cybersecurity Assessments Begin
- By Jeffrey Roman
- Bank Info Security
- June 24, 2014
The Federal Financial Institutions Examination Council has started its cybersecurity assessment pilot program, which will examine more than 500 community banking institutions. Plus, the council has launched a Web page dedicated to cybersecurity information.
The pilot program is slated to run through July, says Stephanie Collins, spokesperson for the Office of the Comptroller of the Currency.
The aim of the pilot program is to help smaller banking institutions address potential security gaps. The assessments will be conducted by state and federal regulators during regularly scheduled examinations, the FFIEC says.
“Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks,” the council says.
# # #
Hacker taunts arrested comrade after someone drops dime to FBI
- By Sean Gallagher
- Ars Technica
- June 18, 2014
Continuing variations on a theme, the FBI has arrested yet another alleged “hacktivist” based on information provided by a confidential informant. This time, FBI agents from the bureau’s Chicago field office nabbed Timothy Justin French, who the Justice Department claims was a member of a group called NullCrew. Another alleged NullCrew member, a juvenile offender, was arrested by the Royal Canadian Mounted Police based on information passed by the FBI.
Based on a statement from a member of NullCrew who remains at large, the arrests weren’t a big surprise. Calling French and the other hacker “skids” (script kiddies), the NullCrew member mocked their poor operational security and failure to cover their own digital tracks. And in a reference to the LulzSec case, the poster said that French missed “what should’ve been the most fucking obvious thing ever: don’t let just any asshole in the crew, and don’t give them the keys to the fucking kingdom. The FBI got someone to get you fuckers, and you deserved it. I’ve already taken care of that little problem—if it walks like Sabu and talks like Sabu…”
French, who the FBI claims is known by the usernames “Orbit,” “crysis,” and a number of other IRC, Skype, and Twitter handles, was arrested on June 11 at his home in Morristown, Tennessee. He is accused, along with other members of NullCrew, of launching “computer attacks that resulted in the release of computer data and information, including thousands of username and password combinations,” according to a statement issued by the Justice Department.
French and NullCrew’s alleged activities were exposed by a confidential informant who was invited into the group’s conversations on CryptoCat and Skype and in Twitter direct messages. “Nullcrew members discussed past, present, and future computer hacks, shared current computer vulnerabilities and planned targets, and discussed releases of their victims’ information,” the Justice Department said in its release. And apparently the informant volunteered the information to the FBI. “The witness has assisted with the investigation primarily in an effort to help the FBI,” the affidavit stated.
# # #
Cyber security an economic opportunity, says UK government
- By Warwick Ashford
- 16 June 2014
“Cyber security should not be seen as a necessary evil,” says Francis Maude, minister for the Cabinet Office.
“It is a growth business in its own right and can be a strength for the UK,” he told the opening session of IA14, the government’s annual cyber security and information assurance event in London.
This year’s event is focused on public-private partnerships around cyber security and is expected to include an announcement of a GCHQ pilot on sharing declassified information on cyber threats, and GCHQ plans to share declassified intellectual property to support new business ventures.
Considering the UK is one of the fastest growing economies in the developed world, Maude said the UK not only needs to increase efforts to make it one of the safest places in the world to do business, but also to seize the opportunity that cyber presents for innovation, jobs and prosperity.
# # #
AT&T: ’twas conniving contractors who nicked your info
- By Shaun Nichols
- The Register
- 14 Jun 2014
AT&T is warning customers that their personal information might have been breached as part of a scheme to unlock and resell devices.
The company said in a filing to the California Attorney General’s office that employees at an unnamed service provider it works with had accessed the personal data of customers including social security numbers and date of birth.
According to a letter the company has sent to customers, the breach occurred earlier this year between April 9 and 21 as three workers pulled the customer data in order to request unlock codes from AT&T which could then be used to remove the device from AT&T’s network and allow the device to be resold.
The information was apparently part of a scheme by the group to unlock and resell devices on the AT&T network. The company typically allows users to unlock their devices from its network by entering a code which can be obtained from the company by supplying account information including portions of the customer’s social security number.