CIA director’s secrets aren’t so secret after email hack


An anonymous hacker claims to have breached CIA Director John Brennan’s personal email account and has posted documents online, including a list of email addresses purportedly from Brennan’s contact file. The CIA said it referred the matter to the proper authorities, but would not comment further. The hacker spoke to the New York Post, which described him as “a stoner high school student,” motivated by his opposition to U.S. foreign policy and support for Palestinians. His Twitter account, @phphax, includes links to files that he says are Brennan’s contact list, a log of phone calls by then-CIA deputy director Avril Haines, and other documents. The hacker also claimed to have breached a Comcast account belonging to Homeland Security Secretary Jeh Johnson, and released what appeared to be personal information. One document purporting to come from Brennan’s AOL email account contains a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers, although the hacker redacted the numbers in the version he posted on Twitter. Based on the titles, the document appears to date from 2009 or before. When people visit the White House and other secure facilities, they are required to supply their Social Security numbers. Brennan could have been forwarding a list of invitees to the White House when he was President Barack Obama’s counterterrorism adviser. Source: The Associated Press via WTOP, Washington, D.C.

Hackers take another bite of the Apple app store

Nearly a month after malware was discovered in hundreds of infected iPhone apps, another security compromise has infiltrated Apple’s App Store. App analytics company SourceDNA published a blog post that said it found that hundreds of apps have been quietly collecting iPhone owners’ personal information, including their device serial numbers and Apple ID email addresses. The personal data was being gathered by advertising platform Youmi, which integrates with apps made by Chinese developers. “We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling,” SourceDNA wrote in the blog post. “This is the first time we’ve seen iOS apps successfully bypass the app review process.” SourceDNA estimates that the compromised apps have accounted for at least 1 million downloads. In a statement, Apple said it has begun removing affected apps from the App Store. Source: Tech Insider

As if the car accident wasn’t bad enough

British insurance giant Aviva has apologized to customers after an employee sold confidential information on auto accident claims to third-party firms. Aviva is contacting thousands of motorists who had accidents in 2013 and 2014 and are thought to have been affected by the internal data breach. The employee has been fired, and the police, the Financial Conduct Authority and the data protection watchdog, the Information Commissioner’s Office, have all been informed. One Aviva customer said that after she settled an insurance claim following a 2013 car accident, she began to get nuisance calls on her cell phone from personal injury claims firms—sometimes up to 10 times a day. The insurer says no sensitive personal information, such as financial or medical details, was disclosed in the breach. Source: Info Security

Pin up this warning: New cards still at risk

The chip-and-PIN card system rolling out in the United States is meant to create a double check against fraud. A would-be thief has to steal a victim’s chip-enabled card and be able to enter the victim’s PIN. But forensics researchers have found a case in which criminals outsmarted that system with a chip-switching trick. Computer security researchers at the École Normale Supérieure university and the science and technology institute CEA published a paper detailing a case of credit card fraud in which five suspects were arrested for using a work-around to spend nearly 600,000 euros (about $680,000) from stolen credit cards despite the cards’ chip-and-PIN protections. The researchers discovered that the now-convicted fraudsters altered stolen credit cards to implant a second chip, capable of spoofing the PIN verification required by point-of-sale terminals. When a buyer inserts a card and enters a PIN, the card reader queries the card’s chip as to whether the PIN is correct. A fraudulent chip can listen for that query and pre-empt the real chip with a “yes” signal, regardless of whatever PIN the fraudster has entered. Source: Wired

From the tool box … free!

Free online resources from the AARP Fraud Watch Network are available to consumers who want to test cybersecurity vulnerability. A survey indicates a high incidence of risky online behaviors with bank and credit card accounts, smartphones and public Wi-Fi use. “The Fraud Watch Network’s recent survey verifies that too many Americans are neglecting cybersecurity and should take measures to decrease their susceptibility to malicious cyber activity,” said Nancy LeaMond, Chief Advocacy & Engagement Officer, AARP. The Fraud Watch Network provides free scam alerts, fraud tips and educational content. More than half of those surveyed said they have not set up online access to monitor their bank (61 percent) and credit card accounts (71 percent). More than a quarter of respondents (27 percent) said they have used unsecure public Wi-Fi networks to do banking or make credit card purchases. One of four smartphone users (26 percent) has not programmed the phone with a passcode. Source: PR Newswire

Company says China’s pants are on fire

A U.S. cybersecurity company says it has evidence that hackers linked to the Chinese government may have tried to violate a recent agreement between Washington, D.C., and Beijing not to hack private firms in each other’s country for economic gain. The firm, CrowdStrike, said unnamed customers in the technology and pharmaceutical industries have faced attempted, but unsuccessful, intrusions from China-linked hackers. Two incidents took place the day before and the day after President Obama and Chinese President Xi Jinping said on Sept. 25 they reached an “understanding” not to use cyber spies to commit economic espionage against each other, CrowdStrike says. “We are aware of this report. We’ll decline comment on its specific conclusions,” said a senior Obama administration official. “We have and will continue to directly raise our concerns regarding cybersecurity with the Chinese.” Source: MarketWatch

Advertising dollars flow around CISA

The Financial Services Roundtable, which represents top banks, insurers and credit card companies, has produced radio, video and social-media ads to try to get Congress to pass the Cybersecurity Information Sharing Act (CISA). CISA is intended to boost the exchange of cyber-threat data between the public and private sectors, but it has stalled because of privacy concerns and doubts about the bill’s potential to fight cyber crime. Financial firms and industries such as retailing have supported the bill, as has a large bipartisan coalition of lawmakers. The White House recently came out in favor. But digital rights advocates and a small but growing group of privacy-minded senators oppose the bill. In recent weeks, a number of prominent tech firms, such as Apple, also have said they don’t support the bill in its current form. Source: The Hill

If they’re out to get you, Facebook will let you know …

Facebook will send a warning notice if it thinks your account has been “targeted or compromised by an attacker” associated with a nation-state. The social network says that if this happens, it is not because Facebook’s security systems have been compromised, but because the user’s computer or mobile phone has malware on it. Facebook Chief Security Officer Alex Stamos said the new precaution builds on existing security measures for accounts that Facebook believes have been hacked. “We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” Stamos wrote. Source: The Huffington Post

… And they also want a say when someone’s out to get them

Facebook requested the chance to voice its opinion in a legal challenge mounted by an Austrian law student against the Irish privacy regulator for refusing to investigate the U.S. company’s transfers of data to the United States. Major U.S. tech companies such as Microsoft and Apple, as well as Facebook, came under fire after revelations in 2013 of the U.S. government’s Prism program, which allowed U.S. authorities to harvest private information directly from those companies. Austrian law student Max Schrems challenged Facebook’s transfers of European users’ data to its American servers, because of the risk of U.S. snooping in light of disclosures by former U.S. National Security Agency contractor Edward Snowden. Schrems filed his complaint with the Irish Data Protection Commissioner because Facebook has its European headquarters in Ireland. “We will request an opportunity to join the proceedings in the Irish High Court,” said a spokeswoman for Facebook. Source: Reuters

Uneasy lie the heads

Nearly eight in 10 Americans are frightened of having their identities stolen, says a report, including 23 percent who are very frightened. About half of Americans have either been a victim of identity theft or know someone who has, up 12 percentage points from 2008. One in five Americans is not at all worried about having their identity stolen. Thirty- to 49-year-olds are the most nervous about identity theft, while millennials (18- to 29-year-olds) are the least concerned. Forty-two percent don’t check their credit reports regularly, and 41 percent conduct banking and other sensitive business on unsecured Wi-Fi networks that do not require a password. “With news of a data hack nearly every week, consumers are doing themselves a disservice by not checking their credit reports regularly,” analyst Janna Herron said. Source: KUSA, Denver

Crunching the coverage numbers can be confusing

Insuring corporations against digital security breaches is a new field for the insurance industry, making the level of risk difficult to quantify. The massive costs being faced by companies such as Home Depot after major digital security breaches are making insurers rethink premiums. In some sectors, such as health care, which has been heavily targeted, cyber insurance premiums are reported to have tripled. And it is becoming apparent that the initial costs of getting a network up and running after an attack and bearing the immediate financial brunt are only the tip of the iceberg. Compromised client data, reputational damage and a loss of investor confidence are areas in which companies are seeing costs escalate after a breach. Geoff White, chairman of the Lloyd’s Market Association’s cyber business panel, says Lloyd’s current capacity of $350 million to $400 million will need to rise to provide the kind of future coverage needed by large multinational corporations. The London insurance market is estimated to write roughly a fifth of global cyber premiums, with Lloyd’s insurers carrying about three-quarters of the business. Source: IT Pro Portal

Spending big, but each to his own

An analysis by business intelligence firm Govini says U.S. federal spending on cyber defense platforms and services rose to nearly $31 billion in fiscal 2014 from $6 billion in 2011, a five-fold increase. Govini examined federal procurement in 11 segments through its Cybersecurity Taxonomy from 2010 to 2014 and found that the data breach at the Office of Personnel Management and other recent cyber attacks prompted agencies to update their data networks. The report indicates that federal spending on offensive cyber platforms that seek to proactively safeguard computer systems from cyber attacks climbed 150 percent to $15 billion in 2014 from $6 billion in the previous fiscal year. “The surprising thing for us was there was no common language or definition of cybersecurity across the federal contractor base,” said Eric Gillespie, CEO of Govini. “Our customers knew there was significant capital being allocated to cyber, but they didn’t know how much or in what segments.” Data scientists also found that network firewall spending surged 937 percent in the past three years. Source: Executive Gov