Category Archives: Incident of the Week

Health Insurer Hit With A Record HIPAA Penalty: What Does It Mean?

Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.

The penalty, which also is described in a securities filing, is based on a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.


TripAdvisor Reports Data Breach

If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list." The text of that email was as follows:

To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement. How will this affect you? In many cases, it won’t. Only a portion of…

Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization Health Net, Inc. announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these servers appear to contain the data of 1.9 million people nationwide:

The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare.

Since this is the…

Incident of the Week: Army Intelligence Analyst In Custody After Claiming that He Leaked Thousands of Classified Documents

22-year-old U.S. Army intelligence analyst Bradley Manning is reportedly in custody in Kuwait after claiming that he sent 260,000 classified documents to the WikiLeaks website. According to WIRED, Manning, who served at Forward Operating Base Hammer near Baghdad in Iraq, made the admission after reaching out to former hacker Adrian Lamo in a series of Internet chats beginning on May 21st. Manning ominously began the conversation with the following:

(1:41:12 PM) Bradley Manning: hi
(1:44:04 PM) Manning: how are you?
(1:47:01 PM) Manning: im an army intelligence analyst, deployed to eastern baghdad, pending discharge for…

Incident of the Week: Clickjacking Worm Induces Thousands of Facebook Users to “Like” Infected Websites

This week was an unusually optimistic one for hundreds of thousands of Facebook users who found that their accounts were automatically endorsing numerous oddly titled websites. If you have been avoiding Facebook, your closest Facebook user (anyone under the age of 30 is a safe guess) can explain that one way users share things with their friends, including websites, musicians, television shows, ideas and other users, is to click the ever-present “Like” button. Some have begun to call this new exploit “likejacking.”

The culprit for…

Incident of the Week: Blogger Shows Us How to Listen In On Private Facebook Chat

Yesterday, Facebook took down their Chat services to patch a flaw in Facebook’s new privacy settings that allowed users to listen in on private chat conversations. This apparently came hours after TechCrunch EU blogger Steve O’Hear taught the world how to exploit the flaw in his TechCrunch post and video. O’Hear was “tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’.”

Facebook rolled out…

Incident of the Week: “Huge Social Networker” Indicted For Threatening Spam Email Campaign Against New York Life

Yesterday, a federal grand jury in New York issued an indictment (.pdf) against Anthony Digati based on his threats to use spam email and the www.newyorklifeproducts.com domain to drag New York Life Insurance Company “through the muddiest waters imaginable.” Both the U.S. Attorney’s Office press release (.pdf) and the FBI press release announced the indictment.

Digati was arrested on March 8, 2010 for violations of 18 U.S.C. Sec. 875(d), which prohibits extortionate communications “containing any threat to injure the property…

Incident of the Week: NSA Officer Indicted For Emailing Classified Documents to Reporter

On Wednesday, a federal grand jury in Maryland indicted Thomas A. Drake, a former employee of the National Security Agency (NSA), on charges that he emailed classified NSA documents and information to Siobhan Gorman, then a reporter for the Baltimore Sun. Drake worked for the NSA first as a contractor and then as a high-level employee in the NSA’s Signals Intelligence Directorate between 1991 and 2008, when he resigned following the suspension of his security clearance.

The 14-page…

Incident(s) of the Week: Disgruntled Hacker Disables 100 Cars Purchased from Texas Auto Center

In late February and early March, around 100 cars in and around Austin, Texas either would not start or would not stop honking. This was apparently caused by 20-year-old hacker Omar Ramos-Lopez, who remotely triggered the vehicle immobilization system installed by dealership Texas Auto Center.

Apparently the dealership installed the GPS-enabled devices so that cars can be immobilized and repossessed when a customer fails to make scheduled payments. The web-based system developed by Pay Technologies apparently lets auto dealerships trigger the horn and disable the car’s ignition system from the relative…

Incident of the Week: Israeli Soldier Posts Details of Planned West Bank Raid on Facebook

This week the Incident of the Week title decisively goes to the Israeli soldier who updated his status on Facebook to identify the secret military raid on a town in the West Bank. His status apparently read: “On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home” and provided the exact time of the raid. After detecting the clear breach of OPSEC, the Israeli Defense Force (IDF) canceled the raid and jailed the soldier for 10 days.

The IDF has apparently begun distributing posters depicting a fake Facebook page…

Incident(s) of the Week: February A Tough Month For Hackers

1. Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities. On January 14, 2010, commuters on Moscow’s Garden Ring Road passed a large-scale video screen and, instead of the normal commercial advertisements, saw two minutes of hard-core pornography. The video, as well as the resulting traffic problems, was thanks to a hacker who is described as a 40-year-old, unemployed man living in…

Incident of the Week: Patents Help Crack Encryption Used in Cordless Telephones

This week cryptographers Karsten Nohl from University of Virginia and Erik Tews of the Darmstadt University of Technology announced that they had broken the DECT encryption standard. Who cares, you ask? The Digital Enhanced Cordless Telecommunications or DECT standard is what prevents someone parked outside your house from being able to listen in on telephone conversations you are having on your 1.9 GHz DECT cordless phone. (So, that’s what that label on the receiver means.)

Nohl told Dan Goodin from The Register that he cracked the code by…

Incident of the Week: Free iPhone Password Breaker Released

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with a program to decrypt common wireless network signals. Well, they’re back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices. In other words, if someone obtains access to the computer you use to sync your iPhone, they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache." And while…

Incident of the Week: OIG Reports that the FBI Routinely Circumvented Electronic Communications Privacy Act

A report entitled A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, the FBI routinely “circumvented the requirements of the Electronic Communications Privacy Act (ECPA)” by using so-called “exigent letters” to obtain telephone call data from telecommunications companies. The ECPA, 18 USC Sec. 2702, provides that service providers will not provide customer data to government authorities absent a national security letter signed by the Director of the FBI or a subpoena.


Incident(s) of the Week: Recent Updates from Prior Incidents

1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas. The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program. We first posted on this case a year ago,…

Incident of the Week: Twitter Used In Sting Operation To Find Out Who Leaked TSA Security Directive


Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the “underwear bomber.” This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23-year-old…

Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satellite Feeds In Iraq

1. Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, the popular social networking site Twitter was apparently hacked by a group calling themselves the Iranian Cyber Army. Iran and Twitter have had a rocky relationship since last summer, when Iranian citizens spread the protests over Iranian elections to the popular web site. During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites. Given the name adopted by Twitter’s hackers, it may be no coincidence…

Incident of the Week: Hack of Researchers’ Email Triggers “Climategate”

Compared to security breaches that involve credit card and bank account information, other breaches in security often get somewhat shortchanged in the media, notwithstanding the occasional hack of a celebrity cell phone. The same cannot be said of the purloined emails one hacker posted online that are alleged to be the back-and-forth between climate change researchers at the University of East Anglia in the United Kingdom, which are at the center of a new controversy in the public debate over climate change.

Incident of the Week: U.S. Law Firms and Public Relations Firms Hit By E-mail Attack

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week. On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using “spear phishing” attacks — personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software. “Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching…

Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On “Key Monitoring Tool”

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.

Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

ElcomSoft Co. Ltd., a Moscow-based software company, has announced that its software can unlock wireless networks using a PC fitted with high-end consumer graphics cards. This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted using common encryption algorithms. The easy availability of this software may mean that companies using WiFi/wireless networks may need to take additional security steps to comply with information security rules in the U.S. and Europe.

Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected. According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com. The list was limited to accounts starting in A and B, raising the fear that numerous other accounts had been affected. The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack. But more information is surfacing that indicates that the breach is much larger than first thought.

Incident(s) of the Week: Double Feature

Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.

Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans’ personal and financial information. According to WIRED, the FBI’s National Security Branch Analysis Center (NSAC) has compiled a database of “more than 1.5 billion government and private-sector records” and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note that this database…

Incident of the Week: Security Officer Indicted On Obstruction of Justice Charges For Shredding Evidence

Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG’s Fort Lauderdale office to shred evidence of fraud.

In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers were part of a fraudulent scheme. Prosecutors obtained a temporary restraining order (.pdf) that expressly prohibited any attempt to destroy documents (among a litany of other bad behavior). In the…

Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for “Pre-Release” Music

Yesterday, a federal indictment issued charging four individuals for their role in "Rabid Neurosis" or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release. According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007 RNS obtained and distributed a number of notable albums before they were released, including "Blue Print 2" by Jay-Z, "Encore" by Eminem and "How to Dismantle an Atomic Bomb" by U2.

The indictment claims…

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead containing malware. The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.” The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union.

As it turns out, the credit union was undergoing security penetration testing and the…

Incident of the Week: Social Networking Sites Used as Command and Control Structure for BotNets

Are you having trouble making sense of social networking sites like Twitter? It may be because you are trying to read an encoded command to a malware-infected computer. Security consultant Jose Nazario at Arbor Networks has discovered that popular social networking sites like Twitter and Jaiku are being used to control botnets, armies of computers that have been infected with malware enabling the individual controlling the botnet to steal user information and direct the computers to attack others. Botnet commanders often use IRC (Internet Relay Chat) messages to control the “slave” computers, but Nazario discovered encoded gibberish in a user’s tweets…

Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted

According to a press release from the United States Attorney’s Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history." According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co., and…

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft. The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometimes install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network.

Especially when a…

Incident of the Week: Latvian Internet Service Provider Shut Down After Being Linked to Cybercrime Ring

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities. Among the many activities allegedly conducted through Real Host were the use of malware to steal banking credentials and SPAM email campaigns, and the service provider was running command and control servers for the Zeus botnet (i.e., millions of infected computer slaves or "bots" used by cybercriminals to steal information and attack other computers). The expert who linked Real Host to these activities and who goes by the pseudonym…

Incident of the Week: Hackers to Demonstrate How To Take Control Over Every Apple iPhone In The World With A Single Text Message Today

Speaking at the Black Hat computer security conference in Las Vegas only a few hours from now, hackers (or "security experts") Charlie Miller and Collin R. Mulliner are scheduled to expose an alleged security flaw in the Apple iPhone that may allow someone sending a single SMS message to take control of any iPhone. According to a number of reports (note Forbes and AppleInsider), the exploit would allow a hacker to take control over all of the iPhone’s functions. This potentially could mean that a hacker could turn on the camera, microphone and GPS functions in your…

Incident of the Week: UAE Carrier Updates Blackberry Software With Spyware, Captures Outgoing User Emails

On Tuesday, Research In Motion, Ltd. (RIM), the maker of Blackberry, posted a note on its website confirming that a software update offered to customers of its carrier Etisalat in the United Arab Emirates contained spyware. According to the note, certain customers received an SMS message from Etisalat informing them of a software update (named "Registration") designed to improve performance. However, RIM acknowledged, "[i]ndependent sources have concluded that Etisalat’s Registration software application is not actually designed to improve performance of a Blackberry Handheld, but rather to send received messages back to a central server."

According to RIM, the software was not RIM-authorized and was…

Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter’s internal company documents. The hacker, who goes by the handle “Hacker Croll,” has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called “Final Tweet” and a February 2009 financial forecast. Many wait to see what other documents will come to light while TechCrunch negotiates with Twitter’s lawyers.


Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before “Devil’s Day” Attack

This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25-year-old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.