The Hilton organization is reportedly trying to work out whether it has been hacked and, if so, what it should do about it.
We say reportedly as we have not been able to contact Hilton ourselves and can rely only on reports. They are pretty solid reports, however, and they concern a problem at the company that happened between 21 April and 27 July.
Brian Krebs, of KrebsOnSecurity, started this off with a report about a payment card breach. Krebs said that he had heard about the breach from various sources, and that Visa – the card provider – has mailed potentially affected parties with a warning, and the news that it is the fault of a bricks and mortar company.
Visa did not name the company, but affected parties, or banks to be more precise, have named it to Krebs. It is Hilton.
“Sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” he wrote.
“It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.”
Krebs has a statement from the Hilton organisation in which the firm defended its security practices, and revealed that it is aware of the potential problem and is looking into it. This is a common theme among the breached, and should soon become part of mission statements.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” said the company in the statement to Krebs.
“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
We have asked Visa and Hilton for their comments.
“Mimecast experienced malicious traffic from multiple IP addresses, targeting its U.S. network. This resulted in service disruption for U.S. customers,” Mimecast Chief Executive Peter Bauer said in a statement on Tuesday.
The statement said that service had returned to normal and that the attack appeared to be limited to disruption of email service for its clients.
The company declined comment when asked who was behind the attack or if law enforcement was investigating. An FBI spokeswoman said she had no immediate comment.
Mimecast’s customers include software maker NetSuite Inc, advertising and marketing giant Omnicom Group Inc, the Au Bon Pain restaurant chain, the Boston Celtics basketball team and the Cleveland Indians baseball team.
Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company has disclosed.
The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.
The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.
Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.
The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.
No evidence has been found yet that the data was copied or misused by the attackers.
Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.
The company will not contact affected individuals via email or telephone, so any emails or phone calls claiming to be from the company in regard to this attack should be ignored as they are probably scams.
The incident comes after three other Blue Cross Blue Shield health insurers — Anthem, Premera and CareFirst — announced large data breaches this year as a result of cyberattacks.
Excellus said that it doesn’t have sufficient information about the Anthem, Premera and CareFirst investigations in order to comment about possible connections between those attacks and the one against its own systems.
For most users, the only option to get rid of the malware is to reset the phone to its factory settings, which unfortunately also deletes all the data on the device.
The malware calls itself “Porn Droid” and bills itself as a viewer for adult content. It has been seen only on third-party Android application marketplaces or forums for pirated software, wrote Lukas Stefanko, an ESET malware analyst.
But after it’s installed, users see a warning supposedly from the FBI that they’ve allegedly viewed “prohibited pornography.” It asks for a $500 fine to be paid within three days.
To change the device’s PIN, Porn Droid needs administrator-level access to the phone. Stefanko wrote that the malware uses a new method to obtain that high level of access.
When Porn Droid runs, it asks people to click a button. “After clicking on the button, the user’s device is doomed,” Stefanko wrote. “The Trojan app has obtained administrator rights and now can lock the device. And even worse, it sets a new PIN for the lock screen.”
Other kinds of Android malware locked the screen by keeping the ransomware warning in the foreground using an infinite loop. But that could be remedied by using a command-line tool, the Android debug bridge, or deactivating admin rights in Safe Mode, according to Stefanko.
In the case of Porn Droid, if someone tries to deactivate the admin privileges, the malware uses a call-back function to reactivate them, Stefanko wrote.
The malware is also coded to try to shut down three mobile antivirus products: Dr. Web, ESET’s Mobile Security and Avast.
More advanced users may be able to get rid of Porn Droid without resetting and erasing all data on their phone. It is possible to remove the malware if a user has root privileges to the device, and some security software can stop it, Stefanko wrote.
NIST has funded a number of companies to make touchless fingerprint readers possible, and is creating a framework for evaluating possible technologies for widespread use.
Touchless fingerprint readers could be particularly useful for quickly identifying large numbers of people, such as a queue entering a controlled facility, NIST contends. Germaphobes would also appreciate the technology, as they would not have to touch potentially germy fingerprint readers to gain access to their computers.
In the past decade, NIST, which recommends specific standards across a wide range of industries, has been instrumental in establishing a technological baseline for standard fingerprint readers, which are now being increasingly used in computers and other devices requiring stringent techniques to identify users.
Now the agency wants to duplicate that success with contactless readers.
Companies such as 3M and MorphoTrak have developed prototype contactless readers with the help of NIST funding. NIST is also looking to fund additional companies to develop other models.
Contactless readers, in theory, would produce clearer images than those captured by mashing a human digit onto a fingerprinting surface, which distorts the friction ridges of a finger.
Capturing the fingerprint from a distance, however, requires a different set of technologies than those used by standard fingerprint readers. New sensing technologies must be developed as well as new algorithms to capture the fingerprints against varying levels of background light.
While the companies work on building the prototypes, NIST is developing metrics for evaluating how well they work.
Working with the FBI, NIST is developing a set of requirements for how the technology should work across different product lines. Such work will set the stage for certifying contactless fingerprint readers for U.S. government and military use.
Cyber thieves are using Yahoo’s advertising network to make money in a bad way. Today’s tinned food and bottled water warning is that the Yahoo system that we have come to love and let inform our purchasing decisions has a sickness, and that sickness is ruddy people and their tinkering with security.
People, specifically hackers, are exploiting the Yahoo advertising system with a poison, a poison known as malvertizing, according to a blog post by security firm Malwarebytes.
Malvertizing, a portmanteau of malware and advertising, is what you would expect.
Jérôme Segura, a senior security researcher at Malwarebytes, said that it is a rather significant threat, and a rather recent one.
“June and July have set new records for malvertizing attacks. We have just uncovered a large-scale attack abusing Yahoo’s own ad network,” he said.
“As soon as we detected the malicious activity, we notified Yahoo and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at this time.”
Segura said that the Yahoo network has a lot of traffic, quoting 6.9 billion visits a month, and that the threat presented to users is a sneaky and silent one.
“Malvertizing is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain,” he added.
“The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.”
Segura explained that the firm had worked closely with Yahoo on nixing the problem and Yahoo confirmed this in a statement.
“Yahoo is committed to ensuring that our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue,” it said.
“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience.”
The social security numbers and credit card information of up to 6,000 University of Connecticut students, faculty and others may have been stolen by cyberhackers from China, the university said on Friday.
Officials detected a potential breach of the School of Engineering’s network in March and an investigation uncovered that hackers may have gained access to it as early as September 2013, spokesman Tom Breen said.
He said 6,000 students, faculty, alumni and research partners of the school were notified that their personal information may have been compromised.
“The breach is far more extensive, could impact many more accounts and started much earlier than we originally believed,” said Breen. “There is no way at the present time to determine the exact number of accounts hacked,” he added.
Breen said the hack has been traced to China “based on the type of cyber-attack that was launched, and the software used.” He added the FBI and several state agencies have been notified. The university said it was also taking steps to secure its systems.
The National Security Agency has said that it will end its access to most bulk data collected under a controversial surveillance program in November, but keep records for litigation purposes.
The office of the Director of National Intelligence said in a statement that the bulk telephony data — the subject of leaks by former intelligence contractor Edward Snowden which shocked many in the US and abroad — would be destroyed “as soon as possible” to comply with a law passed by Congress in early June.
The statement said that during the 180-day transition period required under the USA Freedom Act, “analytic access to that historical metadata… will cease on November 29, 2015.”
But it added that “for data integrity purposes,” NSA will allow technical personnel to continue to have access to the metadata for an additional three months.
The NSA must preserve bulk telephony metadata collection “until civil litigation about the program is resolved, or the relevant courts relieve NSA of such duties.”
The data kept for litigation “will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata on expiration of its litigation preservation duties.”
Law enforcement agencies from 20 countries collaborated to cripple a major computer hacking forum, and U.S. officials filed criminal charges against a dozen people associated with the website, the U.S. Department of Justice announced.
Darkode.com is displaying a message saying the site and domain had been seized by the FBI and other law enforcement agencies.
Darkode, a password-protected online forum for criminal hackers, represented one of the gravest threats to the integrity of data on computers across the world, according to David Hickton, U.S. attorney for the Western District of Pennsylvania. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”
Five of the defendants face charges in Hickton’s district.
Darkode allowed hackers and other cybercriminals to sell, trade and share information and tools related to illegal computer hacking, the law enforcement agencies alleged.
Before becoming a member of Darkode, prospective participants were allegedly vetted through a process that included an invitation by a member, the DOJ said in a press release. The prospective member then pitched the skill or products he or she could bring to the forum.
Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware, the DOJ said.
The takedown of the forum and the charges announced Wednesday came after the FBI’s infiltration of Darkode’s membership.
Congress must pass a new wiretap law that requires social media websites and operators of other Internet communication tools to share customers’ communications with law enforcement agencies the same way that telecom carriers do, Michael Steinbach, assistant director of the FBI’s Counterterrorism Division, said Wednesday.
Congress should use the Communications Assistance for Law Enforcement Act (CALEA) as a model for new rules focused on Internet-based communications, Steinbach told the U.S. House of Representatives’ Homeland Security Committee. His comments build upon the FBI’s call in recent months to expand CALEA to Internet communications tools. Agency Director James Comey first called for a CALEA rewrite to cover encrypted mobile phone data last October.
CALEA requires telecom carriers and equipment vendors to build wiretap capabilities into their products or networks, and critics have accused the FBI of wanting Congress to mandate encryption backdoors in technology products. But the FBI isn’t asking for backdoors, Steinbach said.
“We’re not talking about large-scale surveillance techniques,” he said. “We’re not looking at going through a backdoor or being nefarious; we’re talking about going to the company and asking for their assistance.”
Instead, the FBI wants access to stored or ongoing Internet communications after it shows evidence of criminal or terrorist activity and gets a court order, he said. The FBI needs help from Congress and from communications providers to make that happen, Steinbach said.
“We understand privacy,” he said. “Privacy above all other things, including safety and freedom from terrorism, is not where we want to go.”
The Rebirth of The Pirate Bay that we reported on recently could be a sham site set up by the FBI with the intention of snagging punters.
It could not be, but there are increasing suspicions that this is the case, and there were probably some clues at the time.
We reported on the Pirate Bay relaunch earlier this week, saying that there was some kind of divide between the members of the site.
The new service was considered to be something of a spin-off that had done away with a number of administrators in order to be more hands-off.
However, it has the hallmarks of something that is hands-on, according to Twitter messages from an account used by the Anonymous hacker collective.
Questions were raised about the new site, including the passing of the old admins and the decision to use Cloudflare integration.
In some cases people pointed to FBI-like flags. The use of Cloudflare suggests that user information might be exposed to the warrant-like demands of the surveillance agencies.
The Pirate Bay people have denied that the site is a puppet for the FBI and have explained away the use of Cloudflare in a statement sent to TorrentFreak.
“We have seen that there has been some question to why we are using Cloudflare. This is only initially to handle the massive load on the servers. It will be removed shortly,” the statement said.
But, while the Pirate Bay is linked with the US-based Cloudflare it will be associated with the risk of national security investigations and warrants. Cloudflare has not commented.
TorrentFreak added in a later article that the Pirate Bay has moved away from its previous service provider, Trabia, and is now the guest of an unknown, or hidden, provider.
Taken together these things add up to a site that you may choose not to use. Of course, it might not be an FBI plant, and it might be the FBI, or someone else, that has started raising suspicions in order to keep people away from the magnetic phoenix. Take care out there.
Health insurer Anthem Inc, which has nearly 40 million U.S. customers, has confirmed that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees.
The No. 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers.
The information accessed during the “very sophisticated attack” did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.
Anthem said that it immediately made every effort to close the security vulnerability and reported the attack to the FBI. Cybersecurity firm FireEye Inc said it had been hired to help Anthem investigate the attack.
The company did not say how many customers and staff were affected, but the Wall Street Journal earlier reported it was suspected that records of tens of millions of people had been taken, which would likely make it the largest data breach involving a U.S. health insurer.
Anthem had 37.5 million medical members as of the end of December.
“This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information,” U.S. Rep. Michael McCaul, a Republican from Texas and chairman of the Committee on Homeland Security, said in a statement late Wednesday.
The NSA is using its network of servers around the world to monitor botnets made up of thousands or millions of infected computers. When needed, the agency can exploit features of those botnets to insert its own malware on the already compromised computers, through a technology codenamed Quantumbot, German news magazine Der Spiegel reported.
One of the secret documents leaked by former NSA contractor Edward Snowden and published by Der Spiegel contains details about a covert NSA program called DEFIANTWARRIOR that’s used to hijack botnet computers and use them as “pervasive network analysis vantage points” and “throw-away non-attributable CNA [computer network attack] nodes.”
This means that if a user’s computer is infected by cybercriminals with some malware, the NSA might step in, deploy their own malware alongside it and then use that computer to attack other interesting targets. Those attacks couldn’t then be traced back to the NSA.
According to the leaked document, this is only done for foreign computers. Bots that are based in the U.S. are reported to the FBI Office of Victim Assistance.
The NSA also intercepts and collects data that is stolen by third-party malware programs, especially those deployed by other foreign intelligence agencies, if it is valuable. It refers to this practice as “fourth party collection.”
In 2009, the NSA tracked a Chinese cyberattack against the U.S. Department of Defense and was eventually able to infiltrate the operation. It found that the Chinese attackers were also stealing data from the United Nations so it continued to monitor the attackers while they were collecting internal UN data, Der Spiegel reported.
It goes deeper than that. One leaked secret document contains an NSA worker’s account of a case of fifth party collection. It describes how the NSA infiltrated the South Korean CNE (computer network exploitation) program that targeted North Korea.
“We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data,” the NSA staffer wrote in the document. “However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about.”
In other words, the NSA spied on a foreign intelligence agency that was spying on a different foreign intelligence agency that had interesting data of its own.
Sometimes the NSA also uses the servers of unsuspecting third parties as scapegoats, Der Spiegel reported. When exfiltrating data from a compromised system, the data is sent to such servers, but it is then intercepted and collected en route through the NSA’s vast upstream surveillance network.
The Federal Bureau of Investigation (FBI) is looking to shore up its security capabilities by hiring the brightest and best bodies out there.
The agency has publicly petitioned for persons in the usual way, and has posted employment information about a range of roles.
The roles, not to mention most of what we have reported about the agency, suggest that the FBI has a real, concentrated focus on cybercrime and cyber knowhow.
“The FBI seeks highly talented, technically trained individuals who are motivated by the FBI’s mission to protect our nation and the American people from the rapidly evolving cyber threat,” said Robert Anderson, executive assistant director for the Bureau’s criminal, cyber, response and services branch.
“What we want are people who are going to come and be part of a team that is working on different very complex types of investigations and to use their skills in that team environment.”
We often hear that the security and law agencies are fighting an arms race against their enemies, and the FBI suggested that the people that it employs will have the most rewarding job available.
This suggests that it will be open to people who are not happy with their current role, which seems counter to its earlier advice.
“One thing that no one else can offer is the mission and the camaraderie and the teamwork the FBI brings to the table,” added Anderson.
“The biggest thing you can offer to anyone that comes to work at the FBI is the mission and the scale of investigations. It doesn’t matter where you go, it doesn’t matter who you work for, you can’t get that anywhere else but the FBI.”
A range of jobs are open to application until 20 January. The FBI will presumably have relatively strict policies (PDF) on the kind of people it prefers to employ.
The statement adds that “preferred backgrounds” range from computer programming to digital forensics and “even ethical hacking”.
Quick law enforcement access to the contents of smartphones could save lives in some kidnapping and terrorism cases, FBI Director James Comey said in a briefing with some reporters. Comey said he’s concerned that smartphone companies are marketing “something expressly to allow people to place themselves beyond the law,” according to news reports.
An FBI spokesman confirmed the general direction of Comey’s remarks. The FBI has contacted Apple and Google about their encryption plans, Comey told a group of reporters who regularly cover his agency.
Just last week, Google announced it would be turning on data encryption by default in the next version of Android. Apple, with the release of iOS 8 earlier this month, allowed iPhone and iPad users to encrypt most personal data with a password.
Comey’s remarks, prompted by a reporter’s question, came just days after Ronald Hosko, president of the Law Enforcement Legal Defense Fund and former assistant director of the FBI Criminal Investigative Division, decried mobile phone encryption in a column in the Washington Post.
Smartphone companies shouldn’t give criminals “one more tool,” he wrote. “Apple’s and Android’s new protections will protect many thousands of criminals who seek to do us great harm, physically or financially. They will protect those who desperately need to be stopped from lawful, authorized, and entirely necessary safety and security efforts. And they will make it impossible for police to access crucial information, even with a warrant.”
Representatives of Apple and Google didn’t immediately respond to requests for comments on Comey’s concerns.