TIME Security

Chinese Hackers Breached National Weather Websites

The breach wasn't acknowledged until after several probes

Officials announced Wednesday that Chinese hackers had gained access to Federal weather data as early as September.

The hack occurred in late September, but was not acknowledged by the National Oceanic and Atmospheric Administration until Oct. 20, the Washington Post reports. As a result of the hack, some national weather websites were unavailable for as many as two days, including the National Ice Center website. And those sites being offline impacted some long-term forecasts.

NOAA also lagged in its response to the breach. The Post reports that the administration “did not say its systems were compromised” when the problem was first acknowledged on Oct. 20. When NOAA admitted Wednesday that there had been a cyber security breach, it did not say who was responsible either. That information came from Rep. Frank Wolf (R-Va.), who disclosed that the attack had come from China. Wolf blasted the agency, saying, “They had an obligation to tell the truth. They covered it up.”

Read more at the Washington Post.

TIME White House

White House Computer Networks Hacked

Early morning sunrise is seen over the White House in Washington, Oct. 28, 2014. Pablo Martinez Monsivais—AP

Russian hackers suspected

Hackers believed to be employed by the Russian government breached White House computer networks in recent weeks, temporarily disrupting services.

Citing unnamed sources, the Washington Post reported there was no evidence that hackers had breached classified networks or that any of the systems were damaged. Intranet or VPN access was shut off for a period but the email system was never downed. The breach was discovered two to three weeks ago, after U.S. officials were alerted to it by an unnamed ally.

“On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” a White House official told the Post. “This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”

Cybersecurity firms in recent weeks have identified NATO, the Ukrainian government and U.S. defense contractors as targets of Russian hackers thought to be working for the government.

[The Washington Post]

 

TIME White House

Obama Signs Order to Secure Government Credit Cards From Data Breaches

President Barack Obama signs an Executive Order to implement enhanced security measures on consumers' financial security following remarks at the Consumer Financial Protection Bureau (CFPB) in Washington, DC, October 17, 2014. SAUL LOEB—AFP/Getty Images

"Identity theft is now America's fastest growing crime," said Obama.

President Obama signed an executive order Friday to improve security measures for government credit and debit cards, equipping them with microchips and PINs in place of the standard magnetic strips. Obama discussed the new order during remarks at the Consumer Financial Protection Bureau Friday.

“Last year . . . more than 100 million Americans had information that was compromised in data breaches in some of our largest companies,” said Obama, referring to high-profile security breaches at Target and Home Depot. “Identity theft is now America’s fastest growing crime. These crimes don’t just cost companies and consumers billions of dollars every year, they also threaten the economic security of middle class Americans who worked really hard for a lifetime to build some sort of security.”

“The idea that somebody halfway around the world could run up thousands of dollars in charges in your name just because they stole your number or because you swiped your card at the wrong place at the wrong time—that’s infuriating,” said Obama. “For victims it’s heartbreaking. And as a country we’ve got to do more to stop it.”

Obama highlighted the efforts of Home Depot and Target to secure their systems after being hit by breaches this year. They will join Walmart and Walgreens in installing chip and PIN technology in all their stores, most by the beginning of next year. Obama also noted that the Federal Trade Commission will develop IdentityTheft.gov for victims to aid the reporting and remediation process with credit bureaus.

“Identity theft has been American consumers’ number one complaint for more than a decade, and it affects people in every community across the nation,” said Federal Trade Commission Chairwoman Edith Ramirez. “I welcome the opportunity for the Federal Trade Commission to participate in this new initiative advancing efforts to address this insidious problem on behalf of consumers.”

The White House also called on Congress to pass data breach and cybersecurity legislation. “The current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one,” wrote the White House in a statement.

With reporting from Sam Frizell

 

 

 

TIME Security

Here’s How Home Depot Could Have Combated Hacking

Experts say retailers should invest in detection rather than prevention

As Home Depot continues to assess the damage caused by a security breach that gave hackers access to 56 million credit and debit cards, tech experts say large retailers should turn their attention to addressing breaches quickly instead of trying to prevent all of them.

“Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?” asked cyber crime expert Brian Krebs, framing the issue rhetorically. “The best you can do is stop the bleeding as soon as possible when they do get in.”

At Home Depot, where hackers used malware to collect customer data at cash registers, it reportedly took nine months for the breach to be identified and stopped, allowing the damage to affect millions of customers.

Companies face myriad and evolving ways their data can be breached, making protecting data akin to a game of whac-a-mole. Once one potential threat is identified, hackers have already begun trying to get through another way. Instead of devoting all their resources to chasing the threats, companies should focus on minimizing the time it takes to identify those breaches, said Brian Foster, chief technology officer at cyber security firm Damballa.

“There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet,” he said. “The attackers only have to find one door in whereas Home Depot has to secure all their doors and before they do that they need to know where all the doors are at.”

But even if retailers like Home Depot switch focus to detection from protection, experts say they need to do a better job securing data. And, for retailers, the first place to look is the “point of sale system” where the transaction occurred (the cash register for traditional retailers).

“Some enhancement of that logical access in the point of sale would have been able to harden the system significantly,” said Guy Levy, senior vice president at technology security firm Usher. “This is part of what any big retailer that employs POS systems should be doing now. They should all be scrutinizing their systems very, very hard.”

Despite the recommendations of security experts, many companies remain reluctant to devote the funding to change. But dealing with massive security breaches almost always costs more in the long term than instituting preventive measures would have cost. Home Depot said the breach at the company will cost at least $62 million.

“It takes a while to update your technology, to understand the threat,” said Anup Ghosh, founder and CEO of technology security firm Invincea. “But the most expensive dollar spent in security is spent after a breach.”

TIME cybersecurity

Chinese Hackers Infiltrated U.S. Defense Contractors, Senate Report Says

Army Lt. Col. Cecil Durbin (left) and Air Force Lt. Col Tom Borowiec, a reservist, man the NorthCom Operations Desk inside the Deployment and Distribution Operations Center on Thursday May 1, 2008 at USTRANSCOM, located at Scott AFB in Illinois. Belleville News-Democrat—MCT/Getty Images

Hackers staged at least 20 attacks on private firms involved in the movement of U.S. troops and equipment

Chinese hackers infiltrated U.S. defense contractors on 20 separate occasions and were only twice noticed by authorities, according to the findings of a year-long Senate investigation released on Wednesday.

The Senate probe revealed that hackers targeted private airlines, technology companies and firms that have been contracted by the U.S. Defense Department to transport troops and defense equipment.

“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” said Sen. Carl Levin in a public statement accompanying the report. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”

Read the Senate panel’s full report here.

 

TIME cybersecurity

Nearly 5 Million Google Passwords Leaked on Russian Site

A sign is posted outside of Google headquarters on Jan. 30, 2014, in Mountain View, Calif. Justin Sullivan—Getty Images

The usernames and passwords of 4.93 million users were posted in a Russian Bitcoin security forum

Almost 5 million usernames and passwords purportedly for Google accounts were uploaded to a Russian online forum by hackers late Tuesday.

The International Business Times reports that data for 4.93 million Google accounts of English-, Spanish- and Russian-speaking users was leaked and published on a Russian-language Bitcoin security online forum. The posters said about 60% of the accounts were active.

In a statement sent to TIME, Google said it had “no evidence that our systems have been compromised.”

“The security of our users’ information is a top priority for us,” the statement reads. The company said that whenever it is alerted that accounts may have been compromised, “we take steps to help those users secure their accounts.” Email users are encouraged to utilize two-step verification when logging into accounts, as well as to create strong passwords.

According to Russian news service RIA Novosti, this leak followed another large hack of Russian email accounts. Several million accounts of Russia-based email services were also posted in a Bitcoin security forum.

TIME Security

Home Depot Confirms Credit-Card Data Hack

The Home Depot home improvement store in Portland, ME on Thursday, September 4, 2014. Home Depot is currently investigating a potential credit card breach, and determining whether customers' card numbers were collected and sold by hackers. Portland Press Herald—Press Herald via Getty Images

The construction-equipment retailer says anyone who shopped there since April could be a victim

Hackers infiltrated Home Depot’s payment system and stole an untold amount of shopper information, perhaps including credit-card numbers, the construction-equipment retail giant confirmed in a statement Monday.

The hack “could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward,” Home Depot said in a statement, adding that shoppers online or at store locations in Mexico do not appear to have been affected.

The firm joins the ranks of other major stores, like Target, that have been the victims of successful, large-scale cyberattacks.

Home Depot disclosed it was looking into reports of “unusual activity” on Sept. 2 and has offered free identity-theft protection and credit-monitoring services to anyone who shopped at a Home Depot store during the months in question.

“We apologize for the frustration and anxiety this causes our customers,” Home Depot said.

TIME cybersecurity

Surveillance in the Movies: Fact vs. Fiction

Experts at a hacker conference answer the question every spy-movie watcher has asked: “Can they really do that?”

For those of us who don’t work at a spy agency, the “intel” we’ve gathered on what state surveillance is like comes primarily from movies and TV shows. But just how realistic are those portrayals? A panel of experts at Defcon, one of the world’s top hacker conferences taking place in Las Vegas over the weekend, had some answers.

The Simpsons Movie (2007)

“You’re collecting all this hay. How many needles are you finding in the hay?” says Kevin Bankston, policy director for the Open Technology Institute at the New America Foundation, describing the practice of bulk collection. The answer? Not many. Bulk collection has led to “one case where they convicted a cabdriver in San Diego for donating less than $10,000 to a Somali terror group,” Bankston said. “So the question is: Is it worth collecting all of our phone records for that conviction?”

When it comes specifically to this Simpsons clip, Nicole Ozer, technology and civil liberties policy director for the American Civil Liberties Union, says there have indeed been cases of “local surveillance being rolled out in the buses.”

The Bourne Supremacy (2004)

No clip available online, but, to summarize: high-tech devices listening in on conversations around the world pick up on a single phrase — “blackbriar” — that tips off the government.

“As a civil libertarian, this movie was like cinematic crack to me,” Bankston said. With the quantity of data the NSA intercepts and the data-mining abilities of modern computers, picking out a keyword from a random conversation overheard by a surveillance program is not far-fetched, he said. “This is not fiction.”

Brazil (1985)

The scene above depicts government agents discussing the use of surveillance tools to eavesdrop on a love interest.

“This brings me back to my days inside the belly of the beast,” says Timothy Edgar, who from 2006 to 2009 served as the first deputy for civil liberties in the Office of the Director of National Intelligence. “It’s a very realistic depiction of the kinds of compliance issues we had to address,” he said, though in reality “the technology was only slightly more obsolete.” According to Edgar, a review of NSA practices by the agency’s inspector general found that over a 10-year period there were 12 instances of intentional misuse of NSA surveillance, all relating to love interests.

The Dark Knight (2008)

A program that uses the microphones in the cell phones to create a sonar map of the city is mostly, but not entirely, insane.

“It’s a great mixture of actual plausible technology and really stupid technology,” Bankston said. Law-enforcement and intelligence agencies routinely take control of cell phones by remote in order to turn on microphones and cameras to spy on targets, but doing so with every phone in town at once would probably overwhelm the network. Bankston adds that if 30 million citizens of Gotham brought a class-action lawsuit against Bruce Wayne for this violation of the Wiretap Act, he’d be on the hook, per damages prescribed in the law, for $300 billion.

The Company You Keep (2012)

“This is a pretty straightforward depiction of cell-phone tracking,” Bankston said, which is “routinely done by local law enforcement, as well as the Feds, as well as the intelligence community.”

Minority Report (2002)

This kind of government search — thermal imaging followed by spider robots scurrying through a building and terrifying its inhabitants — is clearly unconstitutional, not to mention creepy. What’s interesting, Edgar notes, is the question of why it’s creepy.

“Is it the fact that they could find Tom Cruise by extracting this data from people in the apartment or the fact that they did it in a creepy way?” he said. (I.e., with bots that look like insects many find terrifying in their own right.) “What if we could just extract the data from the Internet of things that [were] already in your house?” With our homes becoming smarter and more wired, it’s easy to see how timely that question is.

Enemy of the State (1998)

In this scene, the head of the NSA tries to persuade a Congressman not to stop a bill that would give the agency broad new surveillance powers. The Congressman makes the argument — which we hear echoed today by firms like Google and Facebook — that the surveillance state doesn’t just invade privacy, but is bad for business at companies that depend on the trust of clients, including people outside the U.S.

Bankston noted that in the film, (spoiler alert) the NSA goes on to assassinate the Congressman. Edgar pointed out that any such assassination attempt would clearly step on Central Intelligence Agency toes.

“They would object very strongly to the NSA’s doing that,” he said.

TIME

5 Easy Ways to Hacker-Proof Your Home

Refrigerators hijacked to send malicious emails. TVs tapped to spy on their watchers. Baby monitors remotely rigged to stream a stranger’s voice.

These aren’t outtakes from a cheesy sci-fi horror flick. They’re real situations that have happened in homes around the world–made hackable, so to speak, by flawed smart devices. Although there are many advantages to buying gadgets that connect to the Internet, “many of them are not built with security in mind,” says Cesar Cerrudo, an executive at security firm IOActive. And that makes their owners vulnerable: a bit of outdated software in your connected security camera, and a hacker could use it to case your home; a weak password on your connected thermostat, and a hacker could use it as a back door into your wi-fi network–and anything on it.

To be sure, actual horror stories are few and far between. Of the millions of Americans who own at least one connected device, only a small fraction have publicly come forward as victims of malicious home-gadget attacks. And when they do, manufacturers like Samsung–whose smart products were targeted in the past–have been quick to correct security flaws, since consumer trust is paramount for good business.

But it never hurts to be prepared. Here are five expert tips on how to safeguard your smartest devices.

 

  • Do Your Research

    It may sound too simple, but your home’s first–and often best–line of defense is Google. Before you purchase a connected gadget, search its name plus words like security or vulnerability to “give yourself an idea of what you’re up against,” says Daniel Crowley of info-security firm Trustwave. More important, Cerrudo says, you should investigate how effectively the gadgetmaker responded to any breaches. If the issue was neutralized quickly, you’re probably fine. If a company took weeks to fix its mistake, buy something else.

  • Update Your Software

    In one of the most publicized connected-home hacks, security researchers broke into early models of Samsung’s smart TV, which allowed them to control its camera and access files and apps. Samsung quickly issued a software update to fix the vulnerability, but–as with smartphone apps–it’s often up to users to make sure that a patch is downloaded. The longer you wait, the larger the “window of opportunity” for hacking becomes, says Cerrudo.

  • Strengthen Your Password

    Many people want their connected devices to work right out of the box, so they don’t bother to change the default user names and passwords (or they type a simple one to get going). That makes you extraordinarily vulnerable to hacking, says Crowley, noting that weak passwords were responsible for 31% of the security compromises Trustwave investigated in 2013.

  • Hire a Professional

    If all else fails, soliciting help from an expert to install and configure your devices–and the networks they tap into–can be “the best option,” says Cerrudo. Best Buy’s Geek Squad, for example, can set up your wireless network for about $90 to $130, ensuring that you have the most up-to-date firmware, among other details. As Geek Squad specialist Derek Meister puts it, “We look over all the little settings.”

  • Guard Your Wi-Fi

    Even if your smart devices are secure on their own, hackers can still break into your control network through a lost smartphone (if you’ve used it to control your gadgets) or unsecured home wi-fi (which many gadgets use to sync with the cloud), enabling all kinds of mischief. To add another layer of difficulty for would-be hackers, Crowley suggests setting up a separate, secure wi-fi network exclusively for your connected devices.

TIME Security

U.S. Organizations Falling Behind in Fight Against Cyber Crime, Study Says

The 2014 U.S. State of Cybercrime Survey says that "common criminals, organized crime rings, and nation-states" have the upper hand when it comes to cyberthreats

A new report finds that American businesses and institutions are failing to meet the cybersecurity threat posed by hackers at home and abroad.

“One thing is very clear: The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries,” finds the 2014 U.S. State of Cybercrime Survey. “Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect.”

Syria, Iran and Russia are cited as “a particularly pernicious threat.”

The authors of the report—PricewaterhouseCoopers, the CERT division of software engineering at Carnegie Mellon, CSO magazine, and the U.S. Secret Service—say their findings are based on a survey of more than 500 U.S. business executives, law enforcement services and government agencies, as well as previous research and recommendations provided by the National Institute of Standards and Technology.

The report lays out the mounting threat to infrastructure systems like gas pipelines and the electrical grid as well as the disproportionately high financial costs of cybercrime in America compared to the rest of the world’s organizations.

The report advises companies to invest in protecting the “crown jewels” of a company, such as customers’ financial information for a retailer and trade secrets for a pharmaceutical company. Several large companies, including Target and eBay, have recently admitted being infiltrated by hackers. In Target’s case, an estimated 40 million customers had credit and debit card data stolen.

 
