Wednesday, May 30, 2012

Cyber-attack concerns raised over Boeing 787 chip's 'back door'
Two Cambridge experts have discovered a "back door" in a computer chip used in military systems and aircraft such as the Boeing 787 that could allow the chip to be taken over via the internet.
The discovery will heighten concerns about the risks of cyber-attacks on sensitive installations, coming on the heels of the discovery this week of the 'Flamer' virus which has been attacking computer systems in Iran, Syria and Saudi Arabia.
In a paper that has been published in draft form online and seen by the Guardian, researchers Sergei Skorobogatov of Cambridge University and Chris Woods of Quo Vadis Labs say that they have discovered a method that a hacker can use to connect to the internals of a chip made by Actel, a US manufacturer.
"An attacker can disable all the security on the chip, reprogram cryptographic and access keys … or permanently damage the device," they noted.
Woods told the Guardian that they have offered all the necessary information about how the hack can be done to government agencies – but that their response is classified.
"The real issue is the level of security that can be compromised through any back door, and how easy they are to find and exploit," Woods said.
The back door may have been inserted by Actel itself, whose ProASIC3 chip is used in medical, automotive, communications and consumer products, as well as military use.
More here:

South Shore Hospital to pay $750,000 to settle data breach charges

South Shore Hospital in South Weymouth will pay $750,000 to settle charges related to a 2010 data breach that compromised the personal information of more than 800,000 people, according to a release from the Massachusetts attorney general's office.

The settlement, approved in Suffolk Superior Court, includes a civil penalty of $250,000 and $225,000 for a fund to be used by the attorney general's office to promote education on the protection of personal data, the release said. South Shore Hospital was also credited for $275,000 it spent on security measures following the breach.

"Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data," said Massachusetts Attorney General Martha Coakley. Coakley sued the hospital under state and federal laws that require secure storage of personal information collected by hospitals.

In February of 2010, the hospital contracted with a Pennsylvania company, Archive Data Solutions, to erase and re-sell 473 data tapes containing information on 800,000 individuals. None of the data was encrypted, and so it could be read by anyone with the right equipment and training.

The hospital did not inform Archive Data that the tapes contained sensitive information. The tapes were shipped to a Texas subcontractor in three boxes, but the hospital later learned that only one of the boxes arrived.

Since the breach, "we've actually put in a great deal of new measures to protect personal information," said South Shore spokeswoman Sarah Darcy. "Everything -- everything -- is encrypted now."

The hospital has established tougher requirements for the use of medical records on mobile devices, which could easily be lost or stolen, and employees have received additional training on the proper handling of patient data. Visit the Boston Herald for the article: .

Tuesday, May 29, 2012

CIA remembers those lost in covert war on terror

The CIA is remembering those lost in the hidden, often dangerous world of espionage, adding a new star to the intelligence agency's memorial wall and more than a dozen names to its hallowed Book of Honor.
The new star carved into the wall is for Jeffrey Patneau, a young officer killed in a car crash in Yemen in September 2008.
"Jeff proved that he had boundless talent, courage and innovativeness to offer to our country in its fight against terrorism," said CIA Director David Petraeus at a private ceremony at CIA headquarters this past week.
Petraeus' tribute was the first public identification of Patneau. The stars on the memorial wall at headquarters in Langley, Va., bear no names.
Yemen, the ancestral homeland of al-Qaida leader Osama bin Laden, was the site of the 2000 bombing of the USS Cole, which killed 17 American sailors. Patneau was part of the fight against militants in the country in a tense year in which the U.S. Embassy in Sanaa was attacked.
With the addition of the star for Patneau, the wall now commemorates the lives of 103 Americans who died in service of the CIA, "never for acclaim, always for country," Petraeus said at the annual event attended by hundreds of employees and family members of those lost. The rememberance came just days ahead of Memorial Day, when the nation remembers its military veterans and those who died in war.
The addition of 15 names to the CIA's Book of Honor means family members can openly acknowledge where their loved ones worked when they died.
More here:

Monday, May 28, 2012

Flame Cyberespionage discovered
A new and fast spreading malware tipped to already dwarf the notorious Stuxnet has been identified, codenamed Flame and believed to be state-run cyberespionage affecting PCs in Iran and nearby countries. Spotted by Kaspersky Lab, “Worm.Win32.Flame” blends features from backdoor, trojan and worm malware, and once surreptitiously loaded onto a target machine can monitor network traffic, local use, grab screenshots and record audio, sending all that data back to its home servers. Believed to be active from at least March 2010, Flame is tipped to be 20x more prevalent than Stuxnet.
Iran is the most common place Kaspersky have discovered Flame, but it’s also been discovered in Israel, Palestine, the Sudan, Syria, Lebanon, Saudi Arabia and Egypt; there are “probably thousands of victims worldwide” the researchers estimate. Interestingly, there’s a broad spread of targeted computers, across academia, private companies, specific individuals and others; the operators appear to be cleaning up after themselves, too, only leaving Flame active on the most interesting machines, and deleting it from those with little worth.
Once loaded, Flame has the ability to be updated with new functionality in the form of add-on packages, of which around twenty have been currently identified. The exact purposes of those modules is still being investigated.
More here..

Wednesday, May 23, 2012

FBI quietly forms secretive Net-surveillance unit

The FBI has recently formed a secretive surveillance unit with an ambitious goal: to invent technology that will let police more readily eavesdrop on Internet and wireless communications.
The establishment of the Quantico, Va.-based unit, which is also staffed by agents from the U.S. Marshals Service and the Drug Enforcement Agency, is a response to technological developments that FBI officials believe outpace law enforcement's ability to listen in on private communications.
While the FBI has been tight-lipped about the creation of its Domestic Communications Assistance Center, or DCAC -- it declined to respond to requests made two days ago about who's running it, for instance -- CNET has pieced together information about its operations through interviews and a review of internal government documents.
More here...

Anonymous attacks Justice Dept., nabbing 1.7GB

In a hack it dubbed "Monday Mail Mayhem," Anonymous claims to have collected and released 1.7GB of data from the U.S. Department of Justice yesterday.

"Within the booty you may find lots of shiny things such as internal emails, and the entire database dump," the hacker group wrote on the AnonNews Web site. "We Lulzed as they took the website down after being owned, clearly showing they were scared of what inevitably happened."
The group did not specifically say why it initiated the attack. Instead, it cryptically announced that, "We are releasing data to spread information, to allow the people to be heard and to know the corruption in their government. We are releasing it to end the corruption that exists, and truly make those who are being oppressed free."
The message was accompanied by a downloadable torrent hosted by The Pirate Bay that apparently had all the 1.7GB of data.
More here...

Thursday, May 17, 2012

Worker accused of selling health records

Six weeks after Howard University Hospital told more than 34,000 patients that a contractor’s laptop containing their personal health information had been stolen, federal authorities have filed criminal charges against a hospital worker accused of selling people’s medical records.
Charging documents filed in federal court in Washington this week say Laurie Napper, a technician in the surgery department, sold patients’ names, addresses, dates of birth and Medicare numbers from August 2010 until December 2011.
The court papers do not say how much money she received or what the buyer did with the information, and a hospital spokesman did not respond to questions.
Ms. Napper was charged with one count of wrongful disclosure of individually identifiable health information, which carries a sentence of up to 10 years in prison when the violation involves selling the information for money.
The charges come after Howard officials notified patients that a laptop containing protected health information had been stolen from a contractor’s vehicle.
More here:

Monday, May 14, 2012

You may want to hold off on deleting those text messages...

Twenty Years Jail Time for Deleting Text Messages?

Proper document retention and collection are hot button issues for many clients and courts. In addition to maintaining and preserving emails and electronically stored documents, parties to litigation or potential litigation must take steps to preserve information stored on their employees' phones, iPads, and other personal communication devices. Remember that almost all electronic information, even if deleted, may be recoverable through forensic analysis. The remarkable consequences of failing to protect this information include potential criminal penalties.

On April 24, 2012, the U.S. Department of Justice instituted a criminal action against an individual for intentionally deleting text messages regarding pending litigation against his employer. That employee was arrested and later released on April 25 on $100,000 bond.
After allegedly learning that his electronic files were to be collected by a vendor, a defendant's employee allegedly deleted a text string from his iPhone containing more than 100 text messages with his supervisor. Some of the texts (which were recovered forensically) allegedly included sensitive information regarding the subject of the litigation. That employee faces a maximum penalty of 20 years in prison and a fine of up to $250,000 for each count.

More here:

Scientist pleads guilty to stealing company's formulas

SALT LAKE CITY -- A scientist accused of stealing secret formulas from a Utah chemistry company has pleaded guilty to a federal computer charge.
Prabhu Mohapatra entered the plea Friday in U.S. District Court to one count of unlawful access to a protected computer, in exchanged for prosecutors dropping 25 other charges against him, the Deseret News reported.
Mohapatra, 42, had worked for North Logan-based Frontier Scientific Inc. from 2009 to 2011. He admitted to accessing a company chemical resource notebook and emailing the formula for meso-Tetraphenylporphine, or TPP, to his brother-in-law in India.
Investigators say that relative was setting up a competing company to undercut Frontier Scientific on prices it charges for pharmaceutical chemicals. Frontier Chemical, which supplies chemicals for research and drug discovery, says no other company in the world produces TPP in such large quantities.
The case marked the first time federal authorities filed industrial espionage charges in Utah, according to FBI officials. Until 1996, the theft of trade secrets wasn't a federal crime, and the FBI had spotty success trying to prosecute such cases using other statutes.
More here:

Sunday, May 13, 2012

Federal bank fraud cases up

Note: This post goes hand in hand with the FBI's recent findings of increased Economic Espionage activity nationwide. 
When was the last time your organization conducted a "Cyber TSCM / Counterespionage Survey"?? Contact us, we can help. ~JDL

BIRMINGHAM, Alabama -- Eight men and women have stood before federal judges in Birmingham the past few weeks on bank fraud charges.
Among them:
• A Mountain Brook man sentenced to four years in prison for embezzling nearly $1.2 million from his former employer by writing checks to himself on the company's bank account.
• A former Union State Bank branch employee in Trussville sentenced to a month in prison for theft of about $25,000 from the teller drawer and bank vault in 2007 and 2008.
• A former Regions Bank telebanking representative who pleaded guilty to taking $190,000 from a customer's account during a two-year period, and directing money from the account to pay her bills after she had left her job.
The number of cases being prosecuted for bank fraud by the U.S. Attorneys Office for the Northern District of Alabama has steadily increased in recent years. In 2011 federal prosecutors charged bank fraud in 22 cases, up from 16 cases in 2010, 15 cases in 2009 and 11 cases in 2008. So far, eight cases have been charged this year through May 4.
Some cases include more than one defendant and other charges are also included in some cases.
"I guess it's a sign of the times," said James Kendrick, a Birmingham attorney who has represented clients charged with bank fraud.
Rod Pittman, director of corporate security for BBVA Compass, stated in a written response to questions from The Birmingham News that recently they have "seen a significant increase in fraud attempts, the majority of which can be attributed to the economy and technology."
More here:

Lawyer, client in trouble over phone spying

A cellphone hacking scandal has landed a Pretoria attorney in trouble, after two Cape Town residents complained that he revealed confidential information illegally obtained from a spy programme planted in a BlackBerry cellphone handset.
The spy programme, Flexi-spy, can be downloaded from the internet for a few dollars. It allows a hacker to listen in on real-time conversations on a targeted cellphone, as well as to view SMSes, BlackBerry Messenger (BBM) conversations and e-mails, according to court documents.
Attorney Selwyn Shapiro had been reported to the Law Society of the Northern Provinces for bringing the name of the attorneys’ profession into disrepute by using the hacked information in a divorce case, the two complainants said.
This comes after Shapiro’s male client in a divorce case was criminally charged last year with hacking into his wife’s cellphone.
The Law Society of the Northern Provinces has confirmed it is investigating the complaint against Shapiro.
The society’s legal official, W Wolmarans, said they had received the complaint and were communicating directly with the two complainants. The complainants allege that Shapiro revealed the hacked information in court papers that are part of divorce proceedings. The divorce case will be heard in August in the North Gauteng High Court.
The couple may not be named as it is illegal for the media to report on divorces.
More here:

Industrial spies can have some common behavior, says FBI

Industrial spies operating inside U.S. corporations, who threaten the economy and possibly national security, exhibit some common traits while they’re stealing information that can expose them, according to the FBI.
Pointing to a collection of recent successful investigations of cases in which individuals inside corporations, such as DuPont and Detroit car makers, were prosecuted, the agency said in a “how to spot a possible insider threat” post on its Website that perpetrators can inadvertently tip off co-workers to their criminal activities.
Information and communications technology, the backbone of nearly every other technology is at risk from information spies from other countries, as is information about natural resources. Military technology --  particularly marine and unmanned aerial vehicle systems and civilian dual-use technology in sectors like clean energy, health care and agricultural technology are also particularly attractive targets, according to the FBI.
The agency said in its experience, industrial spies selling corporate secrets overseas often exhibit certain behaviors that co-workers could have picked up on ahead of time, possibly preventing the information breaches. It said many co-workers came forward only after the criminal was arrested and had they reported those suspicions earlier, the company’s secrets may have been kept safe.
More here:

Friday, May 11, 2012

FBI to Blitz Public With Economic Espionage Ads

Today, the FBI is doing something it rarely does — talking, in public, about spies.
In a nationwide advertising campaign launching today that includes bus shelters, billboards and a website, the FBI is targeting corporate espionage — and encouraging employees of American corporations to be wary of spies in their midst.
“We’re doing something we’ve never done before, and it’s almost counterintuitive in the espionage business,” FBI Counterintelligence Assistant director Frank Figliuzzi told CNBC Thursday. “We’re talking to the general public about the threat from economic espionage.”
According to Figliuzzi, the current FBI caseload shows that secrets worth more than $13 billion have been stolen from American companies — often by insiders or former insiders at the companies that have been victimized. The FBI says its arrests for economic espionage have doubled in the last four years, and that it has already surpassed last year’s arrest total halfway through this fiscal year.
The FBI says the sheer scale of economic espionage against the nation’s top companies threatens America’s economic and technical dominance of the global economy. 

More here:

Wednesday, May 9, 2012

DOJ: Requiring warrant for cell phone tracking would 'cripple' law enforcement

If your mobile phone is on then it is constantly pinging cell phone network towers, leaving you no choice about revealing your location. The ACLU warned the "threat to personal privacy presented by this technology is breathtaking," especially since the "government is routinely violating American's privacy rights through warrantless cell phone tracking." Apparently any mobile phone privacy is too much privacy in the early stages of an investigation, before law enforcement actually has any proof that a person has done anything illegal. An Obama administration official told a congressional panel that requiring a search warrant to obtain cell phone location tracking information would "cripple" law enforcement and prosecutors.

More here:

Friday, May 4, 2012

Taking Liberties: Cab driver isn't paranoid, the government IS watching him

Just because taxi driver Andre Olczak believes he’s being watched, doesn’t mean he’s paranoid
In fact, he’s not only being watched, he’s being monitored every second while he’s at work.
“It’s terrible,” he says as he drives his yellow cab on W. 48th St. in midtown Manhattan.
“They are constantly watching me.”
"They" are the TLC, or Taxi and Limousine Commission, the government body that licenses taxi drivers in New York City. In 2007, the TLC required all cabbies to install GPS or Global Positioning System devices to monitor their locations, speed and meters while they’re driving.
Olczak points out he came to the United States to escape the Communist regime in Poland.
“I came for freedom,” he says. “But this looks like Poland before [communism fell]."
Some cabbies are now challenging the monitoring device in court, saying it violates the Constitution.

Read more: