CIA director’s secrets aren’t so secret after email hack


An anonymous hacker claims to have breached CIA Director John Brennan’s personal email account and has posted documents online, including a list of email addresses purportedly from Brennan’s contact file. The CIA said it referred the matter to the proper authorities, but would not comment further. The hacker spoke to the New York Post, which described him as “a stoner high school student,” motivated by his opposition to U.S. foreign policy and support for Palestinians. His Twitter account, @phphax, includes links to files that he says are Brennan’s contact list, a log of phone calls by then-CIA deputy director Avril Haines, and other documents. The hacker also claimed to have breached a Comcast account belonging to Homeland Security Secretary Jeh Johnson, and released what appeared to be personal information. One document purporting to come from Brennan’s AOL email account contains a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers, although the hacker redacted the numbers in the version he posted on Twitter. Based on the titles, the document appears to date from 2009 or before. When people visit the White House and other secure facilities, they are required to supply their Social Security numbers. Brennan could have been forwarding a list of invitees to the White House when he was President Barack Obama’s counterterrorism adviser. Source: The Associated Press via WTOP, Washington, D.C.

Hackers take another bite of the Apple app store

Nearly a month after malware was discovered in hundreds of infected iPhone apps, another security compromise has infiltrated Apple’s App Store. App analytics company SourceDNA published a blog post that said it found that hundreds of apps have been quietly collecting iPhone owners’ personal information, including their device serial numbers and Apple ID email addresses. The personal data was being gathered by advertising platform Youmi, which integrates with apps made by Chinese developers. “We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling,” SourceDNA wrote in the blog post. “This is the first time we’ve seen iOS apps successfully bypass the app review process.” SourceDNA estimates that the number of compromised apps has accounted for at least 1 million downloads. In a statement, Apple said it has begun removing affected apps from the App Store. Source: Tech Insider

As if the car accident wasn’t bad enough

British insurance giant Aviva has apologized to customers after an employee sold confidential information on auto accident claims to third-party firms. Aviva is contacting thousands of motorists who had accidents in 2013 and 2014 and are thought to have been affected by the internal data breach. The employee has been fired and the police, Financial Conduct Authority and data protection watchdog the Information Commissioner’s Office have all been informed. One Aviva customer said that after she settled an insurance claim following a 2013 car accident, she began to get nuisance calls on her cell phone from personal injury claims firms—sometimes up to 10 times a day. The insurer says no sensitive personal information, such as financial or medical details, was disclosed in the breach. Source: Info Security

Pin up this warning: New cards still at risk

The chip-and-PIN card system rolling out in the United States is meant to create a double check against fraud. A would-be thief has to steal a victim’s chip-enabled card and be able to enter the victim’s PIN. But forensics researchers have found a case in which criminals outsmarted that system with a chip-switching trick. Computer security researchers at the École Normale Supérieure university and the science and technology institute CEA published a paper detailing a case of credit card fraud in which five suspects were arrested for using a work-around to spend nearly 600,000 euros (about $680,000) from stolen credit cards despite the cards’ chip-and-PIN protections. The researchers discovered that the now-convicted fraudsters altered stolen credit cards to implant a second chip, capable of spoofing the PIN verification required by point-of-sale terminals. When a buyer inserts a card and enters a PIN, the card reader queries the card’s chip as to whether the PIN is correct. A fraudulent chip can listen for that query and pre-empt the real chip with a “yes” signal, regardless of whatever random PIN the fraudster has entered. Source: Wired
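The weak point the fraud exploited is that the terminal trusts whatever chip answers its PIN query. An issuer, however, receives two independent accounts of what happened: the terminal’s CVM Results (EMV tag 9F34) and the genuine chip’s own Card Verification Results inside its cryptogram data (tag 9F10). The following issuer-side consistency check is an added example, not code from the article or the researchers; the 9F34 byte layout follows EMV Book 4, while the card-side CVR bit is modelled as a plain boolean because its real encoding is application-specific.

```python
# Added example: issuer-side cross-check between the terminal's CVM Results
# (tag 9F34) and the genuine chip's Card Verification Results (inside tag
# 9F10). A spoofing chip can answer "yes" to the terminal, but it cannot change
# what the real chip records in the data that the real chip signs with its
# cryptogram, so the two accounts disagree on a spoofed transaction.
from dataclasses import dataclass

# CVM codes from EMV Book 4 (low 6 bits of byte 1); 0x40 = "try next CVM on fail"
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}   # plaintext/enciphered PIN by ICC
CVM_SUCCESSFUL = 0x02                          # byte 3 of CVM Results

@dataclass
class AuthRequest:
    txn_id: str
    cvm_results: bytes          # tag 9F34, 3 bytes, as reported by the terminal
    card_offline_pin_ok: bool   # constructed: CVR bit "offline PIN verified" set by the real chip

def terminal_claims_offline_pin(cvm: bytes) -> bool:
    """True if the terminal says the ICC verified the PIN successfully."""
    if len(cvm) != 3:
        raise ValueError("CVM Results must be 3 bytes")
    method = cvm[0] & 0x3F
    return method in OFFLINE_PIN_CODES and cvm[2] == CVM_SUCCESSFUL

def check_pin_consistency(req: AuthRequest) -> str:
    """Return 'ok', or a reason string when terminal and card disagree."""
    if not terminal_claims_offline_pin(req.cvm_results):
        return "ok"  # no offline PIN claimed, nothing to cross-check
    if not req.card_offline_pin_ok:
        return "terminal reports ICC PIN verified, card CVR says no PIN check"
    return "ok"

# Constructed sample authorisation requests
SAMPLES = [
    AuthRequest("t1", bytes([0x01, 0x00, 0x02]), True),    # honest offline PIN
    AuthRequest("t2", bytes([0x41, 0x03, 0x02]), False),   # spoofed "yes" chip
    AuthRequest("t3", bytes([0x1E, 0x00, 0x02]), False),   # signature, no PIN
]

def flagged(samples=SAMPLES) -> list:
    """Transaction ids whose terminal and card accounts of the PIN disagree."""
    return [s.txn_id for s in samples if check_pin_consistency(s) != "ok"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.txn_id, check_pin_consistency(s))
```

Only the spoofed transaction is flagged; a genuine PIN entry and a signature transaction pass, so the check adds no friction to honest traffic.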

From the tool box … free!

Free online resources from the AARP Fraud Watch Network are available to consumers who want to test cybersecurity vulnerability. A survey indicates a high incidence of risky online behaviors with bank and credit card accounts, smartphones and public Wi-Fi use. “The Fraud Watch Network’s recent survey verifies that too many Americans are neglecting cybersecurity and should take measures to decrease their susceptibility to malicious cyber activity,” said Nancy LeaMond, Chief Advocacy & Engagement Officer, AARP. The Fraud Watch Network provides free scam alerts, fraud tips and educational content. More than half of those surveyed said they have not set up online access to monitor their bank (61 percent) and credit card accounts (71 percent). More than a quarter of respondents (27 percent) said they have used unsecure public Wi-Fi networks to do banking or make credit card purchases. One of four smartphone users (26 percent) has not programmed the phone with a passcode. Source: PR Newswire

Company says China’s pants are on fire

A U.S. cybersecurity company says it has evidence that hackers linked to the Chinese government may have tried to violate a recent agreement between Washington, D.C., and Beijing not to hack private firms in each other’s country for economic gain. The firm, CrowdStrike, said unnamed customers in the technology and pharmaceutical industries have faced attempted, but unsuccessful, intrusions from China-linked hackers. Two incidents took place the day before and the day after President Obama and Chinese President Xi Jinping said on Sept. 25 they reached an “understanding” not to use cyber spies to commit economic espionage against each other, CrowdStrike says. “We are aware of this report. We’ll decline comment on its specific conclusions,” said a senior Obama administration official. “We have and will continue to directly raise our concerns regarding cybersecurity with the Chinese.” Source: MarketWatch

Advertising dollars flow around CISA

The Financial Services Roundtable, which represents top banks, insurers and credit card companies, has produced radio, video and social-media ads to try to get Congress to pass the Cybersecurity Information Sharing Act (CISA). CISA is intended to boost the exchange of cyber-threat data between the public and private sector, but has stalled due to privacy concerns and doubts about whether the bill would actually help fight cyber crime. Financial firms and industries such as retailing have supported the bill, as has a large bipartisan coalition of lawmakers. The White House recently came out in favor. But digital rights advocates and a small but growing group of privacy-minded senators oppose the bill. In recent weeks, a number of prominent tech firms, such as Apple, also have said they don’t support the bill in its current form. Source: The Hill

If they’re out to get you, Facebook will let you know …

Facebook will send a warning notice if it thinks your account has been “targeted or compromised by an attacker” associated with a nation-state. The social network says if this happens, it’s not because Facebook’s security systems have been compromised but that the user’s computer or mobile phone has malware on it. Facebook Chief Security Officer Alex Stamos said the new precaution builds on existing security measures for accounts that Facebook believes have been hacked. “We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” Stamos wrote. Source: The Huffington Post

… And they also want a say when someone’s out to get them

Facebook requested the chance to voice its opinion in a legal challenge mounted by an Austrian law student against the Irish privacy regulator for refusing to investigate the U.S. company’s transfers of data to the United States. Major U.S. tech companies such as Microsoft and Apple, as well as Facebook, came under fire after revelations in 2013 of the U.S. government’s Prism program, which allowed U.S. authorities to harvest private information directly from those companies. Austrian law student Max Schrems challenged Facebook’s transfers of European users’ data to its American servers, because of the risk of U.S. snooping in light of disclosures by former U.S. National Security Agency contractor Edward Snowden. Schrems filed his complaint with the Irish Data Protection Commissioner because Facebook has its European headquarters in Ireland. “We will request an opportunity to join the proceedings in the Irish High Court,” said a spokeswoman for Facebook. Source: Reuters

Uneasy lie the heads

Nearly eight in 10 Americans are frightened of having their identities stolen, says a Bankrate.com report, including 23 percent who are very frightened. About half of Americans have either been a victim of identity theft or know someone who has, up 12 percentage points from 2008. One in five Americans is not at all worried about having their identity stolen. Thirty- to 49-year-olds are the most nervous about identity theft, while millennials (18- to 29-year-olds) are the least concerned. Forty-two percent don’t check their credit reports regularly, and 41 percent conduct banking and other sensitive business on unsecured Wi-Fi networks that do not require a password. “With news of a data hack nearly every week, consumers are doing themselves a disservice by not checking their credit reports regularly,” Bankrate.com analyst Janna Herron said. Source: KUSA, Denver

Crunching the coverage numbers can be confusing

Insuring corporations against digital security breaches is a new field for the insurance industry, making the level of risk difficult to quantify. The massive costs being faced by companies such as Home Depot after major digital security breaches are making insurers rethink premiums. In some sectors, such as health care, which has been heavily targeted, cyber insurance premiums are reported to have tripled. And it is becoming apparent that the initial costs of getting a network up and running after an attack and bearing the immediate financial brunt are only the tip of the iceberg. Compromised client data, reputational damage and a loss of investor confidence are areas in which companies are seeing costs escalate after a breach. Geoff White, chairman of the Lloyds Market Association’s cyber business panel, says Lloyd’s current capacity of $350 million to $400 million will need to rise to provide the kind of future coverage needed by large multinational corporations. The London insurance market is estimated to write roughly a fifth of global cyber premiums, with Lloyds insurers carrying about three-quarters of the business. Source: IT Pro Portal

Spending big, but each to his own

An analysis by business intelligence firm Govini says U.S. federal spending on cyber defense platforms and services rose to nearly $31 billion in fiscal 2014 from $6 billion in 2011, a five-fold increase. Govini examined federal procurement in 11 segments through its Cybersecurity Taxonomy from 2010 to 2014 and found that the data breach at the Office of Personnel Management and other recent cyber attacks prompted agencies to update their data networks. The report indicates that federal spending on offensive cyber platforms that seek to proactively safeguard computer systems from cyber attacks climbed 150 percent to $15 billion in 2014 from $6 billion in the previous fiscal year. “The surprising thing for us was there was no common language or definition of cybersecurity across the federal contractor base,” said Eric Gillespie, CEO of Govini. “Our customers knew there was significant capital being allocated to cyber, but they didn’t know how much or in what segments.” Data scientists also found that network firewall spending surged 937 percent in the past three years. Source: Executive Gov