Archive for June 30, 2016

Google,EFF opposing access to data by law enforcement agencies

In their letter, Google, EFF, Demand Progress, FightForTheFuture, TOR, VPN providers Private Internet Access, Golden Frog and Hide My Ass, plus many others, urge Congress to “consider and debate” the implications of the new rule.

“The changes to Rule 41 give federal magistrate judges across the United States new authority to issue warrants for hacking and surveillance in cases where a computer’s location is unknown,” the letter reads.

“This would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment.”

Noting that the changes would allow for the hacking of innocent computer users, the coalition describes the proposal as dangerously broad.

“It fails to provide appropriate guidelines for safeguarding privacy and security, and it circumvents the legislative process that would provide Congress and the public the critically necessary opportunity to evaluate these issues,” they continue.

But perhaps most importantly, the proposed changes will undermine the security of those who need it most – those who have taken legitimate steps to protect their privacy with anonymizing tools such as VPNs and TOR.

“There are countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for privacy, personal safety, and data security,” the letter reads.

“Many businesses even require their employees to use virtual private networks for security, especially during travel. Such tools should be actively promoted as a way to safeguard privacy, not discouraged.”

Sharp dip in China based hackings

According to a new report from a prominent cybersecurity firm hired to investigate breaches, Chinese hacking of U.S. government and corporate networks and other countries has sharply declined since 2014

Hackers operating out of China were linked to between 50 and 70 incidents that the cybersecurity company FireEye Inc. was investigating on a monthly basis in 2013 and the early part of 2014. Starting in October 2015, however, this tally dropped below 10 incidents and hasn't recovered. FireEye observed only a handful of network intrusions attributed to Chinese groups in April of this year.

FireEye rival CrowdStrike Inc. says that it, too, has noticed a drop in China-based hacking incidents. Chief Technology Officer and co-founder Dmitri Alperovitch said the decline may be accounted to sweeping reorganization of China’s military, announced earlier this year.

The shift is likely the result of a confluence of factors, including public scrutiny and pressure from the U.S. government but it is not solely the result of a September anti-hacking pledge struck by President Obama and Chinese President Xi Jinping.
Chinese military hackers attempted to steal troves of confidential information from the U.S. Office of Personnel Management in 2014 and failed. But China got the data anyway. It passed the job to contractors -- a group code-named Coldcuts by the U.S. -- who worked on their own or for private companies to conduct a dragnet for sensitive data from government, airlines and health insurers.
The new information about those incursions, confirmed by two people involved in the investigation who asked not to be identified because the details remain confidential.
When China’s expansive hacking operations began to come into the public eye, the U.S. was able to muster the political support to confront China directly on its cyber espionage tactics — indicting five Chinese military officers in 2014 on charges of stealing trade secrets and striking the anti-hacking pledge. None of those charged has appeared in the U.S.
That’s a success for the Obama administration and September deal is thought to be the reason behind it but researchers found that the drop was noticed before the deal was made.
Military reforms within the Chinese government also played a role. Since taking power in late 2012, Xi has implemented a series of significant military reforms aimed at centralizing China’s cyber elements that may also be a factor.
Ahead of a visit to the U.S. by Chinese President Xi Jinping in September 2015, news leaked that President Barack Obama was considering sanctions against Chinese companies that benefited from hacking. China’s top security czar flew to Washington to hammer out an agreement, later announced by the two presidents, that China would stop supporting cyberespionage for commercial purposes.
Though Chinese hackers are still targeting some private-sector U.S. firms but that data could be used both for military applications and commercial ones. This suggests that the intrusions could be traditional intelligence-gathering, which is not prohibited by the September agreement.
But it seems the battle may be moving to another front.

That shift makes the question over whether China is keeping a promise that it won’t hack U.S. companies for technology and personal data a challenge to answer or is it turning the battle to another front.

Acer Data Breach Exposes Credit Card Details

(pc-google images)

Acer online store has recently been hacked and the breach has exposed the credit card details of users accessing the website over the past 12 months.

Acer has sent a letter informing all users of its online store in the US warning that their personal records were drawn off from its store by crooks between May 12, 2015 and April 28, 2016.

The lost data includes customer names, addresses, card numbers, and three-digit security verification codes on the backs of the cards. Acer did not say how many customers had their details swiped.

"Based on our records, we have determined that your information may have been affected, potentially including your name, address, card number ending in [insert], expiration date and three-digit security codes. We do not collect Social Security numbers, and we have not identified evidence indicating that password or login credentials were affected," the letter reads.

Acer has urged its customers who suspect their card numbers being used for fraudulent charges to file reports with the police.

"If you suspect that you are a victim of identity theft or fraud, you have the right to file a police report. In addition, you may contact your State Attorney General’s office or the US Federal Trade Commission to learn about steps you can take to protect yourself against identity theft”, said the letter from Acer.

DoD’s attack on Health and Human Services

Recently Department of Defense has hacked into Health and Human Services website to check the website's vulnerability. Called by the name "Hack the Pentagon " bounty program was a good hit and had impact such that Health and Human Services has started to look at it .

HHS officials mentioned that DoD's recent bounty program paid bounties to hack into various systems to exploit cyber security issues in health care.

Lucia Savage , Chief privacy officer at HHS's office of the National Coordinator for health Information Technology, said that the practice showed whether HHS could meet scaled up health care needs.

Recently ethical hacking has been hot topic at the recent Federal Drug Administration workshop focussing medical devices and their vulnerabilities.

“This is a struggle for devices as well,” she said. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential.

“Given that space and given the need to improve cyber security, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?” savage said her office was working on plans to see how effectively applied to various medical devices sector.

“I think that this is a technique that has been found highly valuable in the rest of industry,” she said. “One of the things we are thinking about is how to get this to take root as a security hygiene process within the health care system.”

Dr. Dale Nordenberg, CEO of Novasano Health and Science and a Health IT standards committee member, said that hacking medical devices could prove difficult because every medical device is hackable, leaving weaknesses and solutions to be worked out with a litany of detail.

“The issue is that once a vulnerability is identified, the industry is highly resistant to exposing to the public that specific vulnerability because the manufacturer has to get engaged,” he said.

Savage added that her office and FDA are continuing to identify details like intellectual property issues and identifying who remedies a vulnerability, but with the Internet of Things and interoperability moving forward, these devices are becoming more interconnected.

Hackers post explicit images on U.S. athletic conference’s twitter account

Hackers took over the official twitter account of Southeastern Conference (SEC) and posted a couple of images of scantily clad women on Saturday (June 25) morning.

SEC is an American college athletic conference whose member institutions are located primarily in the Southern part of the United States.

While its micro blogging site’s handle was hacked, a social media nightmare became a reality.

One tweet showed a woman dressed in a bra and underwear with the following message: “Hey! Dear, do you want to see me naked boobs? Meet me here,” followed by a link. Another showed a photo of a scantily clad woman apparently rummaging around under a desk with the message, “Hi! Sugar, do you want to watch my private videos? go on,” followed by another link.

SEC spokesman Herb Vincent said in a statement, "We became aware of it when we saw some retweets."

The company removed the images, changed the password and notified Twitter about the incident as soon as breach was known.

The tweets, which were sent out to the account has 325,000 followers.

Soon after the posts were deleted, Commissioner Greg Sankey apologized for the posts which were the result of a hack.

SEC isn’t alone with its social media issues. Earlier this month, the National Football League's twitter account was hacked with three unauthorized messages appearing in the league's timeline, including a statement that Commissioner Roger Goodell had died who was in fact alive.