Teenage hackers are making merry with the online world of CIA director of national intelligence James Clapper.
This is the second bout of attacks from the group of technology tearaways, according to Motherboard, which reports on the Clapper problem and its connection to a group known as Crackas With Attitude.
A member of the group, a young chap called Cracka, told Motherboard that access to a range of Clapper accounts had been seized, and that Clapper and the CIA haven’t a clue what’s going on.
“I’m pretty sure they don’t even know they’ve been hacked. You asked why I did it. I just wanted the gov to know people aren’t fucking around, people know what they’re doing and people don’t agree #FreePalestine,” he said.
The claims were supported by the Office of the Director of National Intelligence, which confirmed that something has happened and that the authorities are looking into it.
“We’re aware of the matter and we reported it to the appropriate authorities,” said spokesman Brian Hale, before going mute.
Cracka, representing himself on Twitter as @dickreject, is less quiet. He has tweeted a number of confirmatory and celebratory messages that are not particularly flattering about the CIA and its abilities.
This is the group’s second bite at the CIA cherry. The teenagers walked into the personal email account of CIA director John Brennan last year and had a good look around. Some of the impact of this was washed away when it was discovered that Brennan used an AOL account for his communications.
“A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address,” said security comment kingpin Graham Cluley at the time.
“I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.”
The company said email and password details were likely gathered either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable’s customer information, including email addresses.
The company said it has not yet determined how the information was obtained, but there were no indications that Time Warner Cable’s systems were breached.
A Time Warner Cable spokesman said it was recently notified by the Federal Bureau of Investigation that some customers’ email addresses, including account passwords, “may have been compromised.”
The company said it is sending emails and direct mail correspondence to encourage customers to update their email passwords as a precaution.
Thousands of small businesses continue to suffer intermittent outages of their websites in the crucial lead up to Christmas, after their provider Moonfruit took all sites offline yesterday.
A statement from the company at 1pm today said: “Our operations team is continuing to work on resolving the service issue. We are making progress but unable to provide specific details at this time. Once again, we’re really sorry for the disruption. Your patience and understanding is very much appreciated.”
A further update was scheduled for 3pm but had not materialized at the time of publication.
The identikit website creator made the unusual decision after facing a prolonged DDoS attack against its servers last Thursday from a hacking group calling itself Armada DDoS. The company is believed to have had renewed threats of further attacks and is still suffering a significant degradation of service.
The motives for the attack are currently unknown.
Moonfruit began restoring service this morning, but at 1pm many customers were still having problems, and the main Moonfruit site was offline.
Moonfruit is one of the oldest sites of its type, dating back to 2000. The British company was initially advertising-based and free before moving to a subscription model when the last bubble burst.
The whole system was based on Adobe Flash until recently, but has been adapted for HTML5, which represents an important step in its survival as more browsers stop rendering the ageing platform.
However, the company announced earlier today that it is taking all its sites offline for 12 hours after a sustained distributed denial-of-service (DDoS) attack on its servers.
Moonfruit Update, 14/12/2015: https://t.co/5xkHAshFT9 and your sites will be offline today. Please read: https://t.co/w2CvVG1xqQ
— Moonfruit (@moonfruit) December 14, 2015
Dave Larson, chief operating officer at Corero Network Security, said: “Unfortunately, the sheer size and scale of hosting or data centre operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack.
“As enterprises of all sizes increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating DDoS attacks, even as an indirect target.”
DDoS attacks grew by a third in just the past quarter. A Swedish bank was brought down last month, while GitHub was taken offline earlier in the year by an attack thought to have originated in China.
Moonfruit customers have expressed their anger at the short notice and timing of the outage. Many are obviously concerned about potential loss of sales in the run up to Christmas, but Moonfruit maintained that the downtime is necessary to make “infrastructure changes”.
“We have been working with law enforcement agencies regarding this matter and have spared no time or expense in ensuring we complete the work as quickly as possible,” said the company’s director, Matt Casey, in a statement posted to the Moonfruit Facebook page.
The Moonfruit site, which is built on its own platform, is back up and running. A further statement from Moonfruit last night said, “We know how painful this has been for you and your business. We have used the time well and our defenses have improved substantially. Thank you for your patience and support throughout this crisis. We are nearly there and hope to fully restore service by early evening.
As always, we care about the Moonfruit Community and will keep you informed. You have no idea how much the messages of support have meant as we’ve burned the midnight oil over the weekend to put things right, and to better position you for the future.”
The public will see an uptick in successful cyberattacks against their online health records next year; supercomputers like IBM’s Watson will reduce patient deaths and treatment costs by 10% in 2018; and virtual healthcare will soon become routine.
Those are some of the predictions made by IDC’s Health Insights group in a new report.
The report claims that because of a legacy of lackluster electronic security in healthcare and an increase in the amount of online patient data, one in three consumers will have their healthcare records compromised by cyberattacks in 2016.
“Frankly, healthcare data is really valuable from a cyber criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data,” said Lynne Dunbrack, research vice president for IDC’s Health Insights.
Not only do healthcare records often have Social Security and credit card numbers, but they are also used by criminals to file fraudulent medical claims and to get medications to resell.
Healthcare fraud costs the industry from $74 billion to $247 billion a year in the U.S., according to FBI statistics. Fraudulent billing represents between 3% and 10% of healthcare expenditures in the U.S. each year, Dunbrack said.
The biggest problem is that the industry has been a laggard in deploying security technology. Dunbrack pointed to high-profile examples of healthcare providers who experienced massive breaches this past year, including Anthem and Premera Blue Cross.
Anthem reported that nearly 80 million records had been exposed; Premera suffered a breach of more than 11 million records.
“Part of this increase [in cyber attacks] is because there’s more electronic data than ever before,” Dunbrack said. “Some of the things leading to attacks are good things. For example, digitized formats allow [sharing] patient data among providers.”
Additionally, healthcare networks need to increase the sophistication of their security analytics software so they can identify attacks as they’re happening and head them off by learning their patterns.
The Dorkbot malware aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix.
It was first spotted around April 2011. Users typically get infected by browsing to websites that automatically exploit vulnerable software using exploit kits, and through spam. It also has worm functionality and can spread itself through social media and instant messaging programs or removable media drives.
Microsoft didn’t provide much detail on how Dorkbot’s infrastructure was disrupted. The company has undertaken several such actions over the last few years in cooperation with law enforcement.
Coordinated actions to take botnet servers offline have an immediate impact, but the benefits can be short-lived. Cybercriminals often set up new hosting and command-and-control infrastructure and begin rebuilding the botnet by infecting new computers.
Microsoft said it worked with security vendor ESET, the Computer Emergency Response Team Polska, the Canadian Radio-television and Telecommunications Commission, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, Europol, the FBI, Interpol, and the Royal Canadian Mounted Police.
Cybercriminals have sold a kit that allows other bad actors to build botnets using Dorkbot. The kit, called NgrBot, is sold in underground online forums, Microsoft wrote in a blog post.
Hacking a major corporation is so easy that even an elderly grannie could do it, according to technology industry character John McAfee.
McAfee said that looking at the world’s worst hacks you can see a common pattern – they were not accomplished using the most sophisticated hacking tools.
Writing in IBTimes, he said that the worst attack was the 2012 attack on Saudi Aramco, one of the world’s largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world’s oil supply chain. It was made possible by an employee who was fooled into clicking a bogus link sent in an email.
He said 90 per cent of hacking was social engineering, and it is the human elements in your organization that are going to determine how difficult, or how easy, it will be to hack you.
The user is the weakest link in the chain of computing trust, imperfect by nature. And all of the security software and hardware in the world will not keep a door shut if an authorized user can be convinced to open it, he said.
“Experienced hackers don’t concern themselves with firewalls, anti-spyware software, anti-virus software, encryption technology. Instead they want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated; whether your IT managers have stagnated in their training and self-improvement.”
Much of this information can be picked up on the dark web and the internet underground, he added.
“Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organization prepared?” he said.
The infamous Darkode cyber crime forum is back up after being slammed to the ground by the US authorities earlier this year.
The forum has notoriety status, and is the kind of black market where people might have traded, sold or bought malware, zero-day exploits and access to compromised servers.
Darkode launched in 2007 and was apparently frequented by outfits including the Lizard Squad. The last time we checked Darkode.com it was showing an FBI seizure notice designed to put the wind up shoppers and visitors.
Security firm Damballa said that a reloaded version is back, but that it is loaded with plastic bullets and is not the threat it once was. However, while it was once a .com site it is now on the dark web. This certainly makes it more sinister.
Damballa said in a blog post that the problem with the Darkode redux is apparently its design. The site is open to all visitors, at least those that traverse the dark web, and usernames, forum posts and anything else you might want to see is available without log-in information.
“The forum administrator, Sven, is a very generic handle but we know that he’s a previous member of Darkode. As for the rest of the members, there is a mix of HackForum members usually called HF skids and DamageLab members. This gives you an idea about the quality of the forum,” Damballa said with a firm dose of shade.
“In terms of security, the forum is also accessible without the Tor software. It can be accessed from any browser without anonymity. Another poor design of the forum.”
It took 17 law enforcement agencies to take down the original site, but this one could potentially blow over in a gust. Damballa reckons that it does not present much risk.
“From the posts we reviewed, no significant activity stood out. It felt like a bad Darkode imitation with rigorous rules. There was no discussion of banking trojans or similar high-profile malware,” the company added.
“The criminal community has low trust in the ‘new’ Darkode forum. The lack of security and misconfiguration shows that Darkode can’t be trusted and will never regain its former glory. Another Darkode fail. In previous times, we’d provide the link, but this time we aren’t because it’s just not worth anyone’s time.”
We are a long way away from the talk we endured in the early summer, when the UK National Crime Agency (NCA) was swaggering around scalp in hand.
“This has been a truly global operation, targeting the infrastructure of an online hub for high-end cyber crime and suspected members of its criminal community,” said Steven Laval, senior investigating officer at the NCA National Cyber Crime Unit.
“Despite the exclusive nature of Darkode and the technical skills of its users, this action shows once again that we can identify and pursue those we believe are seeking to offend through an apparently secure online environment far removed from their victims.”
IBM has claimed that sophisticated criminals are responsible for 80 percent of cyber attacks, and that there are probably a lot of kids and amateurs accounting for the remaining 20 percent.
The IBM X-Force Threat Intelligence Quarterly 4Q 2015 (PDF) described this 20 percent as “script kiddies”, claiming that the attacks reveal their amateurishness. However, when people are not messing about they are able to carry out some catastrophic and expensive hacktrocities.
“The script kiddies scour the internet for ‘low hanging fruit’, the servers that can be compromised quickly and easily, and they use them for a limited time to send spam and scan other servers on the internet,” said the report.
“Or they deface the website and move on to other targets once they are discovered. These script kiddies give little thought to covering their tracks.
“In contrast, stealthy attackers might gain access to a system by exploiting the same vulnerability as the script kiddies, but they use a far more sophisticated combination of commercial tools, malware/rootkits and backdoors to increase their access level on the client’s network and compromise additional systems over several weeks of expansion.”
There is plenty to worry about, naturally, and IBM has plenty of things to spook us with. The report starts with saying that 2015 has been the year of ransomware. The FBI has already reported that such exploits have bagged attackers $18m over the period, and that it expects the problem to extend into 2016.
Take a look around your office before you read alert number two. This is the insider danger. The report said that this trend has played out since 2014, and that 55 percent of all attacks in 2015 were down to insiders, or at least people with inside information.
Perhaps as a result of this – we are not data analysts – IBM has also seen an increase in boardroom involvement and spending. Some 88 percent of respondents to a survey said that their relevant budgets had increased over the period.
Swiss bank Swedbank has had its website taken offline by hackers after suffering a distributed denial of service (DDoS) attack on Friday.
Details remain thin on the ground, but the attack means that customers are unable to carry out online transactions or contact the bank through its website.
The site is still down, and the bank admitted to CBR that, while it probably knows who is behind the attack, “our method to cope with it hasn’t really succeeded yet”.
There’s no word as to when the website will be back up and running, but the bank has confirmed that its mobile applications are still working.
This isn’t the first time that Swedbank has fallen victim to hackers. The company admitted in a statement given to Reuters that this was the second attack in as many months, and – clearly not very confident in its own security – that it will probably happen again.
“The website was also hit by a hacker attack in October. It is not the first time and it will probably not be the last,” a spokesperson said.
News of the attack on Swedbank, which also operates in Estonia, Latvia and Lithuania, comes just hours after encrypted email company ProtonMail admitted that it had also been struck by a major DDoS attack.
ProtonMail said that, in a bid to get back to business, the company “grudgingly agreed” to pay 15 bitcoins, or $6,000, to the hackers in a bid to get them to stop the attack.
However, after handing over the cash, ProtonMail said that the DDoS attack, which was “unprecedented in size and scope”, continued, although it appears to have now stopped.
ProtonMail warned that the costs involved in avoiding another such attack are crippling and could put the firm out of business.
The finding confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it’s sometimes difficult to completely shut down their operations.
The U.S. Department of Justice said on Oct. 13 it was seeking the extradition of a 30-year-old Moldovan man, Andrey Ghinkul. Prosecutors allege he used Dridex malware to steal $10 million from U.S. companies and organizations.
Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts.
The U.S. and U.K. said the Dridex botnet — or the collection of computers infected with the malware — had been disrupted following their operations.
Two weeks before the DOJ’s announcement, Palo Alto Networks wrote that it noticed a drop in Dridex activity but that it resumed again around the start of October.
Often, those employing Dridex tricked people into downloading it by sending spam emails with malicious links or attachments, such as XML files and Microsoft Office documents.
Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog.
He wrote that there appear to be more files labeled as Dridex on VirusTotal, a repository of malware samples. Although some of the samples could be mislabeled, it backs up what Palo Alto noticed.
“Plenty of us are seeing Dridex malspam on a near-daily basis now,” Duncan wrote.
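The Dridex story above says the malware arrived as spam carrying XML and Microsoft Office attachments. The following triage script is an added example, not code from the page or from any of the researchers it quotes: it builds a constructed invoice-themed message and flags attachments that are macro-capable Office or Word 2003 XML documents, deciding on file content (OLE header, a vbaProject.bin entry inside the OOXML zip, the mso-application processing instruction) rather than on the filename, so a macro document renamed to .doc is still caught.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of a legacy OLE2 compound file (.doc/.xls), the container
# that carries VBA macros in pre-2007 Office documents.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(filename, data):
    """Return a reason string if the attachment is the kind of lure the
    Dridex spam used (macro-capable Office or Word XML), else None.
    Decisions are made on content, so a renamed file is still caught."""
    name = (filename or "").lower()
    if data.startswith(OLE_MAGIC):
        return "legacy OLE Office document (may carry VBA macros)"
    if data.startswith(ZIP_MAGIC):
        # OOXML (.docx/.docm/.xlsm) is a ZIP; macros live in vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML document with embedded VBA project"
        return None
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") and b"mso-application" in head:
        # Word 2003 XML format: opens in Word and can embed macros.
        return "Word 2003 XML document (can embed macros)"
    if name.endswith(".xml"):
        return "XML attachment (review before opening)"
    return None


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (filename, reason) for every
    attachment worth holding for sandboxing or quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def _fake_macro_docm():
    """Constructed OOXML-style ZIP containing a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message():
    """Constructed invoice-themed message with three attachments: a macro
    document renamed to .doc, a Word 2003 XML file and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_fake_macro_docm(), maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(b'<?xml version="1.0"?>\n'
                       b'<?mso-application progid="Word.Document"?>\n'
                       b"<w:wordDocument/>",
                       maintype="text", subtype="xml", filename="invoice.xml")
    msg.add_attachment(b"%PDF-1.4\n%constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in triage_message(build_sample_message()):
        print(f"HOLD {filename}: {reason}")
```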
Data hacked from Experian is already on sale on the dark web and is available for grabbing by bad actors, phishers, malware writers and ID thieves.
Security firm Trustev is credited with the dark web discovery, although it is very possible that the underworld got to it first. Trustev and the internet are calling the dump a fullz, which means that it contains a lot of personal information.
T-Mobile customers make up a chunk of the potentially affected 15 million victims. The firm’s CEO, John Legere, went ballistic about what happened.
“We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach,” he said in a statement.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously.”
Experian has also gone public on this with a statement on its website, and has, perhaps ironically, offered to help victims sort their credit lives out.
“Experian North America today announced that one of its business units, notably not its consumer credit bureau, experienced an unauthorised acquisition of information from a server that contained data on behalf of one of its clients, T-Mobile USA,” the statement said.
“The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from 1 September 2013 through 16 September 2015, based on Experian’s investigation to date. This incident did not impact Experian’s consumer credit database.”
The agency said that it acted quickly to fix the problem once it was discovered, and immediately told the authorities and began an investigation into the hows and the whys.
It is the crown jewels of data that has been lost. Experian fessed to a breach of “names, dates of birth, addresses and Social Security numbers and/or an alternative form of ID like a driver’s licence number, as well as additional information used in T-Mobile’s own credit assessment”.
Experian added that no payment card or banking information was lost to the hackers.
Affected punters are being contacted and will be offered credit services, including two years of credit monitoring (although this may have lost some of its shine), and some identity protection services through its own ProtectMyID service.
Experian recommended that these services are embraced. “Although there is no evidence to-date that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services,” the firm said.
Craig Boundy, CEO of Experian North America, took the opportunity to apologise and remind people that the company takes privacy very seriously.
The company confirmed that it suffered a security breach over a period of several months from late 2013 to early 2014, affecting approximately 4.6 million customers. But in a statement, Scottrade said it had no idea that the breach had occurred until law enforcement officials told them about it.
The FBI notified Scottrade of the breach in August but asked that the company hold off on disclosing the attack until it had wrapped up another part of its investigation. The company was cleared to disclose the breach at the end of last week and began informing customers last Friday.
To its credit, Scottrade said that it believes attackers obtained only clients’ names and street addresses — not the social security numbers, email addresses and other sensitive data stored in the compromised system. According to the company, the attackers didn’t compromise Scottrade’s trading platforms, and clients’ funds were untouched.
People who had a Scottrade account prior to February 2014 may have been affected by the breach. Those people who Scottrade knows were affected will be notified of that by email. The company isn’t suggesting that users change their passwords, since it believes that they remained encrypted during the attack.
As is expected in these sorts of cases, Scottrade is offering affected customers a free year of identity theft protection. It’s not clear how much good that will do, since the data was taken more than a year ago, but offering that sort of service is something consumers expect from a breach response at this point.
Looking forward, the company said that it has secured the intrusion point the attackers used to get into its systems, and conducted an internal investigation with the help of an unnamed computer security firm. The company also said that it has further secured its network.
The Hilton organization is reportedly trying to work out whether it has been hacked and, if so, what it should do about it.
We say reportedly as we have not been able to contact Hilton ourselves and can rely only on reports. They are pretty solid reports, however, and they concern a problem at the company that happened between 21 April and 27 July.
Brian Krebs, of KrebsOnSecurity, started this off with a report about a payment card breach. Krebs said that he had heard about the breach from various sources, and that Visa – the card provider – has mailed potentially affected parties with a warning, and the news that it is the fault of a bricks and mortar company.
Visa did not name the company, but affected parties, or banks to be more precise, have uttered it to Krebs. Its name is Hilton.
“Sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” he wrote.
“It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.”
Krebs has a statement from the Hilton organisation in which the firm defended its security practices, and revealed that it is aware of the potential problem and is looking into it. This is a common theme among the breached, and should soon become part of mission statements.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” said the company in the statement to Krebs.
“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
We have asked Visa and Hilton for their comments.
“Mimecast experienced malicious traffic from multiple IP addresses, targeting its U.S. network. This resulted in service disruption for U.S. customers,” Mimecast Chief Executive Peter Bauer said in a statement on Tuesday.
The statement said that service had returned to normal and that the attack appeared to be limited to disruption of email service for its clients.
The company declined comment when asked who was behind the attack or if law enforcement was investigating. An FBI spokeswoman said she had no immediate comment.
Mimecast’s customers include software maker NetSuite Inc, advertising and marketing giant Omnicom Group Inc, Bon Pan restaurant chain, the Boston Celtics basketball team and the Cleveland Indians baseball team.
Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company has disclosed.
The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.
The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.
Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.
The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.
No evidence has been found yet that the data was copied or misused by the attackers.
Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.
The company will not contact affected individuals via email or telephone, so any emails or phone calls claiming to be from the company in regard to this attack should be ignored as they are probably scams.
The incident comes after three other Blue Cross Blue Shield health insurers — Anthem, Premera and CareFirst — announced large data breaches this year as a result of cyberattacks.
Excellus said that it doesn’t have sufficient information about the Anthem, Premera and CareFirst investigations in order to comment about possible connections between those attacks and the one against its own systems.