Saturday, October 22, 2011

Police web sites hacked - A warning to us all!

Update on hack attacks. Read the story carefully. These are police departments. They normally would have some pretty serious security in place. Also the response is for police to reset their passwords. well maybe that helps but the real issue is that the sites were hacked and unless some drastic new security measures are put in lace the sites can no doubt be hacked at will any day.

For the rest of us this a continued sobering reality. The Internet is pretty much an unlocked door at your house. Anyone can walk in, look around, take stuff. We need extra locks and also ID theft recovery plans for every American. ID theft insurance - there are many companies provide this - can help somewhat but the urgency is for much more secure Internet protection.

Steffen Schmidt

Online political hacker group hits Boston police websites

10/22/2011 1:20 AM

A politically motivated computer hacker group attacked and brought down dozens of police websites around the country and said it posted e-mail information about nearly 1,000 Boston police officers Friday, claiming it was working in support of the Occupy protest movement.

Anonymous, the group taking credit for the computer intrusions, said in a statement, “In solidarity with the Occupation Movement and the International Day of Action Against Police Brutality, [we] aim at the corrupt bootboys of the 1 percent: the police.”

Specifically, the group said it attacked multiple Boston police websites. Most notably, Anonymous claimed to have hacked the Boston Police Patrolmen’s Association website and its web-based e-mail portal, posting the names, e-mail addresses, and passwords of Boston police officers on the Internet for all to see.

In the statement, Anonymous said it attacked BPD sites in response to “the unprovoked mass arrests and brutality experienced by those at Occupy Boston.”

“Let this be a warning to BPD and police everywhere: future acts of aggression against our movements will be met with a vengeance ... ,” the statement read.

Early on Oct. 11, Boston police moved in on some of the Occupy Boston protesters on the Rose Fitzgerald Kennedy Greenway and arrested 141 demonstrators.

Late Friday night, Boston police acknowledged the cyber attack, saying in a statement: “It has come to the attention of the Boston Police Department that various websites used by members of the BPD -- including the website belonging to the Boston Police Patrolmen’s Association -- have been hacked into and possibly compromised. In light of this information, the Boston Police Department is requiring all department personnel to secure their login information by resetting their passwords on the BPD network.”

The department recommended that police officers change their e-mail passwords and any other Internet, e-mail, and wireless device passwords.

A Boston police spokeswoman could not be reached for comment early this morning.

The group claimed that it “hacked, defaced, and destroyed several law enforcement targets, leaking over 600MB of private information including internal documents, membership rosters, addresses, passwords, Social Security numbers, and other confidential data.”

It claimed to take down at least 40 police-related websites.

The International Association of Chief of Police website was also targeted. The website was down and unreachable early this morning.

Anonymous also took aim at the website of Matrix Group International, which provides Internet services for government agencies. The Matrix website was down early this morning.

Anonymous also claimed to have hacked Birmingham/Jefferson County, Ala., police websites, releasing the names, addresses, and Social Security numbers of nearly 1,000 police officers.

Described as “e-Robin Hoods,” the Internet group Anonymous is known for its hacking skills and online activism.

In a video regarding the police clashes with occupiers on Wall Street, Anonymous said, “This event serves to remind us that we’re living in a police state with absolutely no respect for the right of the people to peacefully assemble and exercise their constitutional free speech. But we will not be scared away… This abuse of authority by the NYPD only serves to strengthen our resolve and reinforce our belief that corruption and injustice in America must be fought.”

“We are Anonymous,” said the masked, computerized voice. “We do not forgive. We do not forget. Expect us.”

So now that you've read this case study what's your reaction? How can we secure web sites better? Do you have vulnerable places that can be accessed from the Internet?

Labels: ,

Friday, October 14, 2011

Here We go gain ... AGAIN!

Here is the news from the Seattle Post.

"The Social Security Administration has failed to inform tens of thousands of Americans it accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups.

The federal agency has kept silent about a potentially harmful security breach of the personal data of about 14,000 people each year, ignoring recommended reporting guidelines for such confidentiality breaches and violating the intent, at least, of the U.S. Privacy Act, which protects personal information of private citizens."

Unlike private companies and most states (all but four) where data breaches such as this must be immediately reported the SS Administration apparently felt they were exempted.

The breach occurred with a Social Security service called "Death Master File" which supposedly lists the names of deceased Americans.

The Republic of Columbus Ohio reported on October 13, 2011 that "The names of 31,931 living Americans discovered in a Scripps Howard News Service review of three copies of the Death Master File. These files, which are available for purchase from many sources on the Internet, contained their Social Security numbers and birthdates -- critical information needed by identity thieves.

"That's just not supposed to be public information -- especially not my Social Security number," Jared said. "This needs to be corrected."

Reporters at newspapers and television stations owned by the E.W. Scripps Co. interviewed dozens of people nationwide who have suffered security breaches because of what Social Security officials have called "inadvertent keying errors" by federal workers when entering what was supposed to be information only about dead people. None reported the federal agency warned them about the breach of their confidential information.

Most of those erroneously listed as dead who were contacted for this story said they only found out about the agency's mistakes when they suffered adverse events like frozen bank accounts, cancelled cell phones, refused job interviews, declined credit card applications, denied apartment leases or refused mortgage and student-assistance loans."

How reassuring! The SS Administration is killing off living people because the idiots at SS can't type information in properly?! Our education system and SS training seems to need an upgrade!

Not only did they key in living people as dead but the idea of making that information public is troubling because even dead people can be used to create false identities.

The Republic also notes, "The government's silence about the Social Security breach apparently violates a 2007 directive from the Office of Management and Budget ordering every agency to develop a breach notification policy when the confidentiality of personal data has been compromised.

"Notification of those affected -- and the public -- allows those individuals the opportunity to take steps to help protect themselves from the consequences of the breach," the OMB directive said. "Such notification is also consistent with the 'openness principle' of the Privacy Act that calls for agencies to inform individuals about how their information is being accessed and used, and may help individuals mitigate the potential harms resulting from a breach."

We checked the Social Security Administration web site and there was NOTHING about this to be found anywhere. It was just business as normal on that web page. Guess they don't want to frighten people.

Labels: , ,

Saturday, October 08, 2011

New Incidents of Hacking and Data Losses

Just when you thought the threat couldn't get bigger we find out that the most effective weapon in the war on terror has now been breached. Wired reports that,

Image courtesy of Creech AFB

"A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system."

Keylogging is a common technique for capturing valuable information including Social Security numbers, bank accounts, passwords, credit card numbers and accounts, and other vital information. Most computers do not have a keylogging protection system which makes them highly vulnerable to someone dropping keylogging maleware on the device.

Think of what this means for civilians. If the military which is investing hundreds of millions in computer and Internet security can have its most valued and newest weapon system compromised we civilians need to also ramp up another mega-notch our security systems. That applies to the medical profession in particular because breaches of medical data bases and losses of patient information have become an endemic problem.

The New York Times reported on October 11, 2011, "Private medical data for nearly 20,000 emergency room patients at California’s prestigious Stanford Hospital were exposed to public view for nearly a year because a billing contractor’s marketing agent sent the electronic spreadsheet to a job prospect as part of a skills test, the hospital and contractors confirmed this week. The applicant then sought help by unwittingly posting the confidential data on a tutoring Web site."

In another incident, "In Orlando, officials with Florida Hospital reported that three employees had improperly combed through emergency department records of 2,252 patients, apparently to forward information about accident victims to lawyers. The employees were fired, and law enforcement officials are investigating."

So now ambulance chasing has also become a threat to identity information theft.

Finally, we need to share with you that, "Science Applications International Corporation disclosed that computer backup tapes containing medical data for 4.9 million military patients had been stolen from an employee’s car in San Antonio. The data included Social Security numbers, clinical notes, laboratory test results and prescriptions. The company said the risk of harm was low because retrieving data from the tapes would require specialized knowledge, software and hardware."

We are betting the farm that the bad guys have more than enough knowledge and equipment to extract this information.

In September 2009 a new federal law kicked in requiring disclosures of medical privacy violations involving at least 500 people.There have been over 330 incidents.

However look at this metric. " ... a report from the Department of Health and Human Services' Office of Civil Rights noted that nearly 8 million Americans were affected by almost 31,000 health information breaches in the course of a year. Alarmingly, nearly 70 percent of the investigations into data breach incidents that affected 500 people or more remain open." The Baltimore Sun Sept 19, 2011

That is not a reassuring statistic and it makes clear that we have to ve VERY careful not to incur data losses in the first place. Incompetent, sloppy or downright criminal third party providers of information services are often the primary cause. 

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft -