Category Archives: Data Breach

Cyber Ransom vs. Ransomware

Posted on February 7, 2017 | Leave a comment

By now, we have all heard about ransomware as it has taken over the cybersecurity scene over the last couple of years. However, we want to make sure that everyone is clear about the difference between cyber ransom and ransomware, as there is a very clear distinction. Cyber ransom and ransomware attacks have been the most popular forms of cyberattacks as of late.

Cyber Ransom

The most common form of cyber ransom is through a distributed denial of service (DDoS) attack. In a DDoS attack, hackers flood a business’ site with data requests, overwhelming the site’s legitimate functions. The flooding eventually forces that website to shut down. As far as the ransom is concerned, cybercriminals will threaten to launch an attack on an organization’s site unless the organization pays a ransom fee of a certain Bitcoin amount.

Another form of cyber ransom is through corporate extortion which is becoming more and more popular. This type of attack can be carried out in several ways. One approach, which Domino’s in Europe was hit with, is where a cybercriminal sends out a ransom letter threatening businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, or fraudulent delivery orders.

Another variation of corporate extortion is where cybercriminals perform a data breach, where they gain access to a company’s network and gather sensitive data. The data collected is usually information on their clients such as credit cards, social security numbers, email addresses, and login credentials. While this seems like data breaches that we have heard about recently (Yahoo, Adult Friend Finder, and several social media sites), cybercriminals who are involved in corporate extortion are in it for the money. Once cybercriminals have performed the data breach, they will threaten to publicly release the information unless the company pays a set ransom fee.

Ransomware

Ransomware is the most common form of cyberattack seen today. In a ransomware attack, the cybercriminal will infect a machine with malware that encrypts all or some files on a user’s computer. Once the encryption process has completed, a ransom note will appear on the victim’s screen demanding payment in order to receive the decryption key. Payment for the decryption key is usually made in Bitcoins, which are extremely hard to trace back to the hacker. Ransomware is most commonly distributed through phishing campaigns where cybercriminals will send emails embedded with malware. Once the user on the receiving end clicks on a link or opens up an attached file, the malware will begin to download, and the encryption process will begin.

Cyber Ransom and Ransomware Connected

  • Cyber Ransom – Cybercriminals threaten to launch a DDoS attack on an organization’s site unless the organization pays a ransom fee.
  • Ransomware – Cybercriminals infect machines with malware that encrypts all or some files, then demand a ransom fee to receive the decryption key.

 

When put in these terms, cyber ransom and ransomware seem like they wouldn’t be connected at all. However, cybercriminals are becoming more and more sophisticated with their attacks every single day. So, here’s the kicker. Cybercriminals are starting to use the threat of DDoS as ‘smokescreens’ for more wicked attacks, such as ransomware. The hackers will use DDoS attacks to distract the IT department, so they are able to slip under the radar without being detected. While the DDoS attack or the threat of one will only distract IT individuals for a short time, that’s all the time hackers need. While the IT staff scramble to handle the momentary network outages, hackers can use automated scanning or penetration techniques to map a network and install ransomware.
To stop these types of attacks, look at some of the new technologies that continuously monitors your network traffic.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Malware, Security, Uncategorized

Tagged ,

DHS Cyber Incident Response Plan Focuses on Infrastructure Risk

Posted on January 24, 2017 | Leave a comment

The National Cyber Incident Response Plan describes how stakeholders in numerous areas can properly react to cybersecurity threats.

The Department of Homeland Security released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the US can react to cybersecurity threats to critical infrastructure.

The NCIRP as previously published on September 30, 2016, with a national engagement period that went until October 31, 2016.

“The NCIRP describes a national approach to dealing with cyber incidents; addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response,” the US Computer Emergency Readiness Team (US-CERT) stated on its website.

Public and private partnerships are critical to address major cybersecurity risks to critical infrastructure, the NCRIP executive summary explains. Furthermore, the plan “sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans.”

Several guiding principles outlined in the Presidential Policy Directive (PPD)-41 also helped DHS and other agencies create the NCRIP:

  • Shared responsibility
  • Risk-based response
  • Respecting affected entities
  • Unity of governmental effort
  • Enabling restoration and recovery

“While steady-state activities and the development of a common operational picture are key components of the NCIRP, the Plan focuses on building the mechanisms needed to respond to a significant cyber incident,” according to the NCRIP.

The plan also differentiates between a “cyber incident” and a “significant cyber incident.” The former is when the “confidentiality, integrity, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident” are potentially jeopardized.

Significant cyber incidents on the other hand are events that potentially result in “demonstrable harm” to national security interests, foreign relations, US economy, public confidence, civil liberties, or public health and safety.

The DHS Office of Cybersecurity and Communications will also conduct and oversee NCIRP reviews and maintenance in coordination with the DOJ, Office of the Director of National Intelligence, and Sector Specific Agencies.

“The revision process includes developing or updating any documents necessary to carry out capabilities,” the NCIRP explained. “Significant updates to the Plan will be vetted through a public-private senior-level review process.”

The Healthcare Information Management Systems Society (HIMSS) previously commented on DHS response plan, saying it supported the overall principle of cybersecurity education and readiness being shared responsibilities.

HIMSS did point out that all dimensions of potential cybersecurity threats should be considered. For example, IT infrastructure and assets can exist in terrestrial, sea, air, and space. The NCIRP should therefore address all dimensions to help create a flexible response plan.

“The complexity of threat and asset response may be significantly compounded, especially when multiple dimensions are in play— including in the private and public sectors (e.g., underwater data centers, undersea Internet cables, satellite communications, and over-the-air communications),” HIMSS wrote to DHS.

HIMSS also said in its October 2016 letter that a better definition of what qualifies as a cyber incident was necessary. Large cyber threats that could potentially impact public health and safety are a top concern for HIMSS, the organization explained. HIMSS said it is already working to ensure that the healthcare industry understands how to properly prepare for such threats.

“As the federal government’s decision to fund two grants for the NH-ISAC indicated, coordination across the healthcare community is becoming increasingly important in the fight against cyberattacks,” the letter stated. “Collaboration with the NH-ISAC and other stakeholders, particularly on threat identification and incident mitigation, will have a significant impact on public health and safety.”

 

Leave a comment

Posted in Cyber Security, Data Breach, Healthcare, Security

Tagged ,

Top Internet Outages of 2016

Posted on January 6, 2017 | Leave a comment

As we sipped on warm holiday beverages and gradually watched the year wind down, it’s rather customary to reflect on the past and contemplate the future. Following traditions, we took a stroll down memory lane analyzing the state of the Internet and the “cloud”. In today’s blog post we discuss the most impactful outages of 2016, understand common trends and evaluate some of the key learnings.

As we analyzed the outages that have hit us hard this year, we noticed four clear patterns emerge.

  • DDoS attacks took center stage and clearly dominated this past year. While the intensity and frequency of DDoS attacks have been increasing over time, the ones that plagued 2016 exposed the vulnerability of the Internet and the dependency on critical infrastructure like DNS.
  • Popular services weren’t ready for a crush of visitors. Network and capacity planning is critical to address the needs of the business during elevated traffic patterns. For example, lack of a CDN (Content Delivery Networks) frontend can prove to be costly if not factored into the network architecture during peak load.
  • Infrastructure redundancy is critical. Enterprises spend considerable time and money focusing on internal data center and link-level failure. However, there is often oversight when it comes to external services and vendors.
  • The Internet is fragile and needs to be handled with care. Cable-cuts, routing misconfigurations can have global impact and result in service instabilities and blackholed traffic.

DDoS Attacks: Hitting where it Hurts

While there were a plethora of DDoS attacks in all shapes and forms, four different attacks had the highest impact. Three out of the four attacks targeted DNS infrastructure.

On May 16th, NS1, a cloud-based DNS provider was a victim of a DDoS attack in Europe and North America. Enterprises relying on NS1 for DNS services like Yelp and Alexa were severely impacted. While this started out as an attack on DNS, it slowly spread to NS1’s online-facing assets and their website hosting provider.

The Second attack on June 25th, came in the form of 10 million packets per second, targeting all 13 of the DNS root servers. It was a large-scale attack on the most critical part of the internet infrastructure and resulted in roughly 3 hours of performance issues. Even though all the 13 root servers were impacted, we noticed varying levels of impact intensity and resilience. There was a strong correlation between the anycast DNS architecture and the impact of the attack. Root servers with greater anycast locations saw diluted attack traffic and were relatively more stable than root servers with fewer locations.

The  mother of all DNS DDoS attacks was single-handedly responsible for bringing down SaaS companies, social networks, media, gaming, music and consumer products. On October 21st, a series of three large-scale attacks were triggered against Dyn, a managed DNS provider. The attack impacted over 1200 domains that our customers were monitoring and had global reach, with heavy effects in North America and Europe. We saw impacts on 17 of the 20 Dyn data centers around the world for both free and paid managed DNS services. Customers who relied only on Dyn for DNS services were vulnerable and severely impacted, but those who load-balanced their DNS name servers across multiple providers had the luxury to fall back on the secondary vendor during the DDoS attack. For example, Amazon.com had multiple DNS providers: Ultra DNS and Dyn. As a result, it did not suffer the same unavailability issues as many of Dyn’s other customers.

The DDoS attack on the Krebs on Security website on September 13th was record-breaking in terms of the size of the attack, peaking at 555 Gbps. Both the Dyn and the Krebs attacks were triggered by the Mirai botnet of hacked consumer devices. While the Internet-of-Things is set to revolutionize the networking industry, security needs to be top-of-mind.

Targeting critical infrastructure, like DNS, is an efficient attack strategy. The Internet, for the most part runs like a well-oiled machine; however, incidents like this present a reality check on network architecture and monitoring mechanisms. Consider monitoring not just your online-facing assets but also any critical service, like DNS. Be alerted as soon as you start seeing instabilities in the network to trigger the right mitigation strategy for your environment.

Application Popularity: Overloaded Networks

When it comes to application usage and websites there is no such thing as too many visitors. Until the network underneath begins to collapse. 2016 witnessed some popular services unable to keep up with demand.

January 13th witnessed one of the largest lottery jackpots in U.S history. Unfortunately, it also witnessed the crumbling of Powerball, the website that serves up the jackpot estimates and winning numbers. Increased packet loss and extended page load times indicated that neither the network or the application could handle the uptick in traffic. In an attempt to recover, Powerball introduced Verizon’s Edgecast CDN network right around the time of the drawing. Traffic was distributed across three different data centers (Verizon Edgecast CDN, Microsoft’s data center and the Multi-State Lottery Association datacenter), but it was too late. The damage was already done and user experience to the website was sub-standard.

The summer of 2016 saw a gaming frenzy, thanks to PokemonGo. There were two separate occasions (July 16th and July 20th) when Pokemon trainers were unable to catch and train their favorite characters. The first outage, characterized by elevated packet loss for 4 hours, was a combination of the network architecture and overloaded target servers unable to handle the uptick in traffic. The second worldwide outage was caused by a software update resulting in user login issue and incomplete game content.

November 8th was a defining moment in global politics. It was also the day the Canadian Immigration webpage was brought down by scores of frantic Americans. As US states closed the presidential polls and results began trickling in, the immigration website started choking before finally giving up. We noticed 94% packet loss at one of the upstream ISP providers, an indication that the network could not keep up with the spike in traffic.

Benchmarking and capacity planning is critical for network operations. Best practices include testing your network prior to new software updates and large-scale events. Bolster your network architecture through CDN vendors and anycast architectures to maximize user-experience. Monitor to make sure your vendors are performing as promised.

Fragile Infrastructure: Cable Cuts and Routing Outages

The network is not free from those occasional cable cuts and user induced misconfigurations. Let’s see how, sometimes a simple user oversight can impact services even across geographical boundaries.

On April 22nd, AWS experienced route leaks when more specific /21 prefixes were advertised by Innofield (AS 200759) as belonging to a private AS and propagated through Hurricane Electric. This resulted in all of Amazon-destined traffic transiting Hurricane Electric, to be routed to the private AS rather than Amazon’s AS. While the impact of this route leak was minimal, it was rather tricky as the leaked prefixes were not the same as Amazon’s prefixes, but more specific and thus preferred over Amazon. This was no malicious act, but rather a misconfiguration on a route optimizer at Innofield.

Level 3 experienced some serious network issues across several locations in the U.S and U.K on May 3rd. The outage lasted for about an hour and took down services including Cisco, Salesforce, SAP and Viacom. We were able to trace down the issue to a possible misconfiguration or failure in one of the transcontinental links.

On May 17th, a series of network and BGP level issues were correlated to a possible cable fault in the cross-continental SEA-ME-WE-4 line. While the fault seemed to be located around the Western European region, it had ripple effects across half the globe, affecting Tata Communications in India and the TISparkle network in Latin America. While monitoring your networks, look for indicators of cable faults. Some examples include dropped BGP sessions or peering failure, multiple impacted networks with elevated loss and jitter.

On July 10th, JIRA, the SaaS-based project tracking tool was offline for about an hour. From a BGP reachability perspective, all routes to the /24 prefix for JIRA were withdraw from Level 3. This resulted in the self-adjusting routing algorithm searching for an alternate path. Unfortunately, the backup path funnelled all the traffic to the wrong destination AS. Traffic was terminating in NTT’s network instead of being routed to JIRA due to a misconfiguration of the backup prefix.

Looking Ahead

So, what have we learned? By its very nature, it is expected that networks are bound to have outages and security threats. Smarter networks are not the ones that are built to be foolproof, but the ones that can quickly react to failures and inconsistencies. As the internet becomes the glue that binds SaaS and service delivery, it is paramount to have visibility over its shortcomings, especially during a crisis. As you move into the new year, take stock of the past year’s events and prepare for the future. Bolster your network security, but at the same time monitor how your network is performing under adverse conditions. Detect bottlenecks, common points of failure and distribute dependencies across ISPs, DNS service providers or hosting providers. Wishing you a happy outage-free New Year !

Leave a comment

Posted in Big Data, Data Breach, Hacking, Security

Tagged ,

Hacker Demonstrates How Easy In-flight Entertainment System Can Be Hacked

Posted on December 22, 2016 | Leave a comment

Next time when you hear an announcement in the flight, “Ladies and gentlemen, this is your captain speaking…,” the chances are that the announcement is coming from a hacker controlling your flight.

Dangerous vulnerabilities in an in-flight entertainment system used by the leading airlines, including Emirates, United, American Airlines, Virgin, and Qatar, could let hackers hijack several flight systems and even take control of the plane.

According to security researchers from IOActive, the security vulnerabilities resides in the Panasonic Avionics In-Flight Entertainment (IFE) system used in planes run by 13 major airlines, providing a gateway for hackers which is absolutely terrifying.

The security holes could be exploited by hackers that could allow them to spoof flight information like map routes, speed statistics, and altitude values, and steal credit card information.

IOActive’s Ruben Santamarta managed to “hijack” in-flight displays to change information like altitude and location, control the cabin lighting, as well as hack into the announcements system.

“Chained together this could be an unsettling experience for passengers,” said Santamarta. “I don’t believe these systems can resist solid attacks from skilled malicious actors. This only depends on the attacker’s determination and intentions, from a technical perspective it’s totally feasible.”

Besides these critical issues, the researcher said in some instances; hackers could access credit card details of passengers stored in the automatic payment system and use their frequent flyer membership details to capture personal data.

The vulnerabilities affect 13 different airlines that use Panasonic Avionics system, which include American Airlines, United, Virgin, Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France, Singapore, and Aerolineas Argentinas.

The vulnerabilities were reported to Panasonic in March last year, and the researcher waited more than a year and a half to go public, so the company had “enough time to produce and deploy patches, at least for the most prominent vulnerabilities.”

Emirates is working with Panasonic to resolve these issues and regularly update its systems. “The safety of our passengers and crew on board is a priority and will not be compromised,” Emirates said, reported the Telegraph.

Santamarta is the same researcher who warned of security issues in systems used by different aircraft in the past.

Back in 2014, he discovered that it was possible to reverse engineer a bug, which let him connect to the Wi-Fi signal or the in-flight entertainment system to connect to airplanes’ equipment, including the navigation system.

You also might recall back in 2015 the FBI detained Chris Roberts for possible computer crimes for attempting to hack into a in-flight entertainment system.  At that time one of the plane manufacturers had cast doubt on the hacking claims. Boeing said its entertainment systems are “isolated from flight and navigation systems.”  Well we now know Chris might have been correct that the systems are vulnerable to hacking just like any other computer system.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Yahoo Says 1 Billion User Accounts Were Hacked

Posted on December 15, 2016 | Leave a comment

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

The two attacks are the largest known security breaches of one company’s computer network.

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

It is unclear how many Yahoo users were affected by both attacks. The internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.

Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and series of spam attacks — a mass mailing of unwanted messages — the following year.

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.

In July, Yahoo agreed to sell its core business to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Mr. Lord said Yahoo had taken steps to strengthen Yahoo’s systems after the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo email and account.

In the hacking disclosed Wednesday, Mr. Lord said Yahoo believed an “unauthorized third party” managed to steal data from one billion Yahoo user accounts. Mr. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but that the company believed the attack occurred in August 2013.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company. “It’s not just one sophisticated adversary that gets in,” said Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”

Mr. Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases. “When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.

Leave a comment

Posted in Cyber Security, Data Breach, Forensic, Hacking

Tagged , ,

Google accounts hit with malware — a million and growing

Posted on December 1, 2016 | Leave a comment

86 apps available in third-party maketplaces can root 74 percent of Android phones.

android-security-640x461
More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.

More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.

Check Point said in a blog post that the attack campaign, known as Gooligan, is expanding to an additional 13,000 devices a day. It’s malware that infects devices and steals their authentication tokens to breach data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs.

The malware attack is said to be the biggest single theft of Google accounts on record, according to Forbes. But the reason for the attack may not be what you’d expect. It’s not to grab personal information from the accounts of Google users. Instead, it’s to force them to download apps that are part of an advertising fraud scheme that makes up to $320,000 a month, Michael Shaulov, head of mobile and cloud security at Check Point, told Forbes.

Google responded to a request for comment with a link to its blog post about the attack. In the post, Google said it has found no evidence that Gooligan has accessed user data or that specific groups of people have been targeted. “The motivation…is to promote apps, not steal information,” Google said.

The episode comes at a time when cyber attacks have been a high profile problem, hitting everyone from internet giants to the Democratic National Committee. In September, Yahoo suffered what is believed to be the biggest cyber attack in history, in which hackers swiped information from more than half a billion accounts. And in July, the White House said it believed Russia was behind hacks of the DNC.

Gooligan belongs to a family of malware called Ghost Push. It features a Trojan horse type of attack, in which the malicious software poses as legitimate apps for Android smartphones and tablets. Names of the malicious apps include StopWatch, Perfect Cleaner and WiFi Enhancer, according to The Wall Street Journal. Once installed, these apps automatically install other apps, some of which can steal usernames and passwords to post fake reviews.

Those downloads and reviews apparently feed into the hackers’ ad fraud scheme. The hackers have run ads in those forcibly downloaded apps, so every click or download helps the hackers make money, Forbes reported.

Check Point said Gooligan is a variant of an Android malware campaign found by researchers in the SnapPea app last year.

The Gooligan apps come from third-party app stores or websites, instead of the Google Play store, where the company has more authorization over apps. But Check Point said some apps that Gooligan downloads without permission can be found on the Play store.

Google said it has removed those apps from the Play store.

People who are worried that their Google accounts may be compromised can consult the Check Point website.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged , ,

“Don’t Click” for Black Friday/Cyber Monday

Posted on November 22, 2016 | Leave a comment

black-friday
Some civilized thoughts:

1. “Don’t click stuff from unknown sources!”

2. Don’t scan (QR codes) from unknown sources.

3. ANY time you scan, you click OR hand over your E-Mail your expectations of privacy have evaporated.

4. Your E-Mail and your Phone number are worth a LOT more than a 10% coupon.

5. Always worth being careful of “cheap” electronics or bargains that just seem too good to be true….

6. Online coupons and online sites, PLEASE validate, check and then DOUBLE check the site, the security, the SSL Certificate AND the spelling before putting in a credit card.

7. Links embedded in emails AND sites AND anything you are looking at CAN and SHOULD be examined very carefully before being clicked!

8. Shopping at the Mall, be careful of the “free web access” people like me are sitting there VERY happy to give you a Chase, Wells Fargo or AMEX login.

9. Need to sign up for something in a hurry? USE A UNIQUE PASSWORD!

And remember if it looks to good to be true…..then it probably is!

Ok, hope that helps

Oh, and DON’T CLICK !

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Ex-NSA Contractor Stole 50 TB of Classified Data; Includes Top-Secret Hacking Tools

Posted on October 24, 2016 | Leave a comment

nsa

Almost two months ago, the FBI quietly arrested NSA contractor Harold Thomas Martin III for stealing an enormous number of top secret documents from the intelligence agency.

Now, according to a court document filed Thursday, the FBI seized at least 50 terabytes of data from 51-year-old Martin that he siphoned from government computers over two decades.

The stolen data that are at least 500 million pages of government records includes top-secret information about “national defense.” If all data stolen by Martin found indeed classified, it would be the largest NSA heist, far bigger than Edward Snowden leaks.

According to the new filing, Martin also took “six full bankers’ boxes” worth of documents, many of which were marked “Secret” and “Top Secret.” The stolen data also include the personal information of government employees. The stolen documents date from between 1996 through 2016.

“The document appears to have been printed by the Defendant from an official government account,” the court documents read. “On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.”

Former NSA Insider Could Be Behind The Shadow Brokers

It’s not clear exactly what Martin allegedly stole, but The New York Times reported Wednesday that the stolen documents also included the NSA’s top secret hacking tools posted online by a supposed hacking group, calling itself Shadow Brokers, earlier this year.

Earlier this summer, Shadow Brokers claimed to have infiltrated NSA servers and stolen enormous amounts of data, including working exploits and hacking tools.

The NY Times report suggests that the FBI has found forensic evidence that the hacking tools and cyber-weapons posted online by the alleged hacking group had actually been on a contractor’s machine.

NSA Contractor to Face Espionage Charges

Martin, a former Booz Allen Hamilton staffer like NSA whistleblower Snowden, should remain locked up and the government also plans to charge him with violations of the Espionage Act, Prosecutors said.

If convicted, one can face the death penalty.

Martin has “obtained advanced educational degrees” and has also “taken extensive government training courses on computer security,” including in the areas of encryption as well as secure communications.

A former US Navy veteran, Martin allegedly used a sophisticated software that “runs without being installed on a computer system and provides anonymous Internet access, leaving no digital footprint on the Machine.”

It’s believed that Martin was using TAILS operating system or another USB-bootable operating system in conjunction with Tor or a VPN that would not leave any forensic evidence of his computer activities.

Martin’s motives are still unclear, but among the seized documents, investigators uncovered a letter sent to Martin’s colleagues in 2007, in which he criticized the information security practices of government and refers to those same co-workers as “clowns.”

The letter reads: “I will leave you with this: if you do not get obnoxious, obvious, and detrimental to my future, then I will not bring you; into the light, as it were. If you do, well, remember that you did it to yourselves.”

Martin is due to appear before US Magistrate Judge Beth P. Gesner for his detention hearing on Friday in Baltimore.

 

Leave a comment

Posted in Cyber Security, Data Breach, Forensic, Hacking, Security

Tagged , ,

Protect yourself from scammers by doing this when your bank calls

Posted on October 14, 2016 | Leave a comment

YouTubeAdam Levin, author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves” explains how you can protect…

Leave a comment

Posted in Cyber Security, Data Breach, Security

Tagged

Breach exposes at least 58 million accounts, includes names, jobs, and more

Posted on October 13, 2016 | Leave a comment

Another breach!  “Cloud” is often touted as being more secure than on-premise hosting.  But that only goes if your cloud provider does proper pro-active security.  In the case mentioned in the article, they didn’t.  How does your cloud provider do?   Are they open about security, or is it hidden behind an SLA?
“Buyer beware” it’s priceless.

data_breach_challenge
With 2 months left, more than 2.2 billion records dumped so far in 2016.

There has been yet another major data breach, this time exposing names, IP addresses, birth dates, e-mail addresses, vehicle data, and occupations of at least 58 million subscribers, researchers said.

The trove was mined from a poorly secured database and then published and later removed at least three times over the past week, according to this analysis from security firm Risk Based Security. Based on conversations with a Twitter user who first published links to the leaked data, the researchers believe the data was stored on servers belonging to Modern Business Solutions, a company that provides data storage and database hosting services.

Shortly after researchers contacted Modern Business Solutions, the leaky database was secured, but the researchers said they never received a response from anyone at the firm, which claims to be located in Austin, Texas. Officials with Modern Business Solutions didn’t respond to several messages left seeking comment and additional details.

Risk Based Security said the actual number of exposed records may be almost 260 million. The company based this possibility on an update researchers received from the Twitter user who originally reported the leak. The update claimed the discovery of an additional table that contained 258 million rows of personal data. By the time the update came, however, the database had already been secured, and Risk Based Security was unable to confirm the claim. The official tally cited Wednesday by breach notification service Have I Been Pwned? is 58.8 million accounts. In all, the breach resulted in 34,000 notifications being sent to Have I Been Pwned? users monitoring e-mail addresses and 3,000 users monitoring domains.

mbs

 

According to Risk Based Security, the account information was compiled using the open source MongoDB database application. The researchers believe the unsecured data was first spotted using the Shodan search engine. The publication of the data happened when a party that first identified the leak shared it with friends rather than privately reporting it to Modern Business Solutions.

By the tally of Risk Based Security, there have been 2,928 publicly disclosed data breaches so far in 2016 that have exposed more than 2.2 billion records. The figures provide a stark reminder of why it’s usually a good idea to omit or falsify as much requested data as possible when registering with both online and offline services. It’s also a good idea to use a password manager, although this leak was unusual in that it didn’t contain any form of user password, most likely because the data was being stored on behalf of one or more other services.

 

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Public Cloud, Security

Tagged ,