Illinois Utility Company Hacked; Operations Weren’t Affected, DHS says


A foreign cyberattack on the computer control systems of an Illinois water utility system earlier this month burned out a water pump, according to a recent state report. The attack may be the first known attempt to successfully destroy a piece of critical US infrastructure, say industrial control-system experts.
The Federal Bureau of Investigation and other agencies are investigating the Nov. 8 cyberattack, said Peter Boogaard, a spokesman for the Department of Homeland Security (DHS), in a written statement. The name of the utility was not released.

Federal investigators would later go on to deny that the breach occurred.


eBay Discovers Massive Cyber Security Breach; Will Ask Users to Change Passwords

The company said the breach didn’t affect PayPal.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

Ponemon: Cost of Data Breaches Rising

Ponemon Institute:

Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.

Read the full report, here.

U.S. Department of Justice Levels Cyber Espionage Charges Against Five Chinese Military Hackers

From CNBC:

The U.S. Justice Department has filed the first-ever criminal charges for cyber economic espionage against a state actor, according to a U.S. government official familiar with the case. The charges name several Chinese government officials, accusing them of using military and intelligence facilities to steal trade secrets from American energy and manufacturing companies.

From DOJ:

We allege that members of unit 61398 conspired to hack into computers of six U.S. victims to steal information that would provide an economic advantage to the victims’ competitors, including Chinese state-owned enterprises.

In the past, when we brought concerns such as these to Chinese government officials, they responded by publicly challenging us to provide hard evidence of their hacking that could stand up in court.

Well today, we are.

For the first time, we are exposing the faces and names behind the keyboards in Shanghai used to steal from American businesses.

Unit 61398 was specifically mentioned in the Mandiant Report last year.

From AP, (February, 2013):

Unit 61398 of the People’s Liberation Army has been recruiting computer experts for at least a decade. It has made no secret of details of community life such as badminton matches and kindergarten, but its apparent purpose became clear only when a U.S. Internet security firm accused it of conducting a massive hacking campaign against North American targets.

Hackers with the Chinese unit have been active for years, using online handles such as “UglyGorilla,” Virginia-based firm Mandiant said in a report released Tuesday as the U.S. prepared to crack down on countries responsible for cyber espionage. The Mandiant report plus details collected by The Associated Press depict a highly specialized community of Internet warriors working from a blocky white building in Shanghai.

Summary of the Indictment, here.

LifeLock’s Digital Wallet Not (Completely) Secure: Deleting Software From App Stores

LifeLock recently alerted its customers that its digital wallet — a piece of smartphone software that holds folks’ personal credentials — is not PCI compliant.

In practice that means the app did not meet the minimum set of controls the card brands require of any software that stores, processes or transmits cardholder data. Non-compliance does not by itself mean data was exposed, but it is the baseline no payments product is supposed to ship without.

As a result, the Arizona company is pulling the software from every app store that carried it, Google Play and Amazon included. Separately, LifeLock is also deleting customers’ personal information from its internal servers. Just to be sure.

The payment card industry standard dictates how payment card information must be stored, processed and transmitted.

From a disclosure:

We have determined the app is not fully compliant with payment card industry (PCI) security standards, and we are taking immediate steps to correct this and ensure the ongoing safety of your personal information. 

It’s important for you to know that we have no reason to believe your personal information, including credit card numbers and other data, has been compromised as a result of the PCI compliance issue. 

This does not affect [a customer’s] ability to use your credit cards or other information you have uploaded to LifeLock Wallet.

Late last year, LifeLock acquired Lemon Wallet for $42.6 million. (Read the TechCrunch story, here.)

More on the payment card standard (from Wikipedia):

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

It’s worth keeping in mind that PCI standards are the bare minimum that every business has to comply with — from the deli on the corner to, yes, even Target before and after its infamous data breach debacle.

The LifeLock snafu also raises questions about Lemon Wallet’s founder, Wences Casares, the same dude behind Bitcoin vault Xapo.

Just another reason for top banking regulators, both state and federal, to be concerned.

FTC, LabMD Medical Record Security Fight Illustrates Agency’s Role in Consumer Protection


Two years in the making, a fight between the FTC and a shuttered Atlanta medical testing company is set to take place next week.

In 2012, the Federal Trade Commission, in its mission to protect consumers’ most sacred financial and medical details, originally accused LabMD of improperly handling the digital records of roughly 10,000 customers.

LabMD fought back, asking a federal district court to stop the investigation.

But, in a ruling this week, a judge ordered the administrative hearing to go forward.

From GovInfoSecurity:


Retailers Band Together; Form Cybercrime Fighting Association

Today the Retail Industry Leaders Association (RILA), along with several of America’s most recognized retail brands, launched the Retail Cyber Intelligence Sharing Center (R-CISC). The R-CISC is an independent organization, the centerpiece of which is a Retail Information Sharing and Analysis Center (Retail-ISAC). Among those companies participating with and supportive of the R-CISC are American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe’s Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company.

Through the R-CISC, retailers are sharing cyber threat information among themselves and, via analysts, with public and private stakeholders, such as the U.S. Department of Homeland Security, U.S. Secret Service and the Federal Bureau of Investigation. The R-CISC will also provide advanced training and education and research resources for retailers.