TIME technology

Federal Agency Announces Temporary Shutdown of Hacked Database

Office of Personnel Management (OPM) Director Katherine Archuleta testifies on Capitol Hill in Washington. (Susan Walsh/AP)

Hackers linked to China are believed to have stolen records for as many as 18 million current and former employees

(WASHINGTON) — The federal personnel agency whose records were plundered by hackers linked to China announced on Monday the temporary shutdown of a massive database used to update and store background investigation records after newly discovering a flaw that left the system vulnerable to additional breaches.

There is no evidence the vulnerability has been exploited by hackers, agency spokesman Samuel Schumach said in a statement, adding that the Office of Personnel Management took the step protectively. He said the system could be shut down for four to six weeks.

Hackers suspected of working for the Chinese government are believed to have stolen records for as many as 18 million current and former federal employees and contractors last year. Detailed background investigations for security clearances of military and intelligence agency employees were among the documents taken.

The shutdown announced Monday is expected to hamper agencies’ ability to initiate investigations for new employees and contractors, as well as renewal investigations for security clearances, Schumach said.

But, he added, the federal government will still be able to hire, and in some cases grant clearances on an interim basis.

The database is known as e-QIP, short for Electronic Questionnaires for Investigations Processing.

TIME Security

Samsung Galaxy Keyboard Bug Exposes Users to Hackers

Samsung's latest flagship smartphones, the Galaxy S6 and the S6 Edge, on display at a Samsung store on the day of their release in New York City on April 10, 2015. (Spencer Platt/Getty Images)

Hundreds of millions of users of Samsung Galaxy smartphone models S4 through S6 are potentially vulnerable to a computer bug that researchers disclosed at the Black Hat Conference in London on Tuesday.

The flaw, discovered by Ryan Welton, a researcher at the cybersecurity firm NowSecure, gives an attacker broad control over affected Samsung devices. It can hand a hacker covert control of a phone's microphone and camera, access to text messages, and the ability to install malicious apps, among other things.

The issue arises from a defect in the software updater for Samsung's default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, a man-in-the-middle attacker, meaning anyone positioned on the network path between the phone and the update server (on the same Wi-Fi network, for instance), can substitute a malicious file for the real one and so compromise the device.

The default keyboard program checks for updates automatically, so even people who use other keyboard apps are vulnerable.

Two problems with the phones' updater process combine to make the vulnerability severe. First, the keyboard fetches those update files over an unencrypted connection and has no reliable way to confirm that what arrives is the file SwiftKey actually published, which is what lets an attacker on the path install files of their choosing (as described above). Second, Samsung runs the keyboard, and therefore the update it installs, with elevated permissions, so a substituted file can circumvent the phone's security controls and meddle with data and code across the device.

“Because Samsung phones grant extraordinarily elevated privileges to the updates,” writes Ars Technica security editor Dan Goodin, “the malicious payload is able to bypass protections built into Google’s Android operating system that normally limit the access third-party apps have over the device.”
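The two weaknesses above compound each other: an update fetched over a channel the phone cannot authenticate, and privileged installation of whatever arrives. The Go program below is an added illustration written for this page, not SwiftKey's or Samsung's code, and it does not model the real update format. It uses a constructed in-memory Update record with assumed field names, a SHA-1 digest served next to the file (a digest that travels over the same unauthenticated path buys nothing, because an attacker who replaces the file recomputes the digest too) and, for the hardened path, an Ed25519 signature checked against a public key pinned in the app. The MITM function stands in for an attacker on the network path; the payloads are constructed byte strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a language-pack download; the field
// names are assumptions for this example, not SwiftKey's real format.
type Update struct {
	Payload []byte // the language pack (a zip on a real device)
	SHA1    string // digest served from the same unauthenticated channel
	Sig     []byte // Ed25519 signature over Payload (hardened path only)
}

// NewSigningKey makes the vendor's signing key pair. The public half would be
// compiled into the keyboard app; the private half never leaves the vendor.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only on a broken system RNG
	}
	return pub, priv
}

// ServerBuild assembles the update as a signing-aware server would.
func ServerBuild(payload []byte, priv ed25519.PrivateKey) Update {
	sum := sha1.Sum(payload)
	return Update{
		Payload: payload,
		SHA1:    hex.EncodeToString(sum[:]),
		Sig:     ed25519.Sign(priv, payload),
	}
}

// MITM models an attacker on the path of a plaintext download: it swaps the
// payload and, since the digest rides the same unprotected channel, simply
// recomputes it. It cannot forge Sig without the private key, so the original
// signature is passed through unchanged.
func MITM(u Update, malicious []byte) Update {
	sum := sha1.Sum(malicious)
	return Update{Payload: malicious, SHA1: hex.EncodeToString(sum[:]), Sig: u.Sig}
}

// VulnerableClient mirrors the flawed pattern: checking a digest delivered
// alongside the file. Against MITM it verifies the attacker's own digest.
func VulnerableClient(u Update) ([]byte, error) {
	sum := sha1.Sum(u.Payload)
	if hex.EncodeToString(sum[:]) != u.SHA1 {
		return nil, errors.New("digest mismatch")
	}
	return u.Payload, nil
}

// HardenedClient accepts only a payload whose signature verifies under the
// pinned public key, so nothing on the network path can substitute it.
func HardenedClient(u Update, pinned ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(pinned, u.Payload, u.Sig) {
		return nil, errors.New("signature verification failed; update refused")
	}
	return u.Payload, nil
}

func main() {
	pub, priv := NewSigningKey()
	genuine := []byte("en_US language pack v2 (constructed payload)")
	malicious := []byte("payload that abuses the updater's privileges (constructed)")

	tampered := MITM(ServerBuild(genuine, priv), malicious)

	got, err := VulnerableClient(tampered)
	fmt.Println("vulnerable client installed attacker's file:", err == nil && bytes.Equal(got, malicious))

	_, err = HardenedClient(tampered, pub)
	fmt.Println("hardened client on tampered update:", err)

	got, err = HardenedClient(ServerBuild(genuine, priv), pub)
	fmt.Println("hardened client on genuine update:", err == nil && bytes.Equal(got, genuine))
}
```

Pinning a verification key in the app means the accept/reject decision no longer depends on the transport. TLS with proper certificate validation would also stop the on-network swap, but a signature additionally protects against a compromised mirror or CDN. Neither addresses the second problem the article describes: even a genuine file should be unpacked and installed with the least privilege the keyboard needs, not with system-level permissions.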

Andrew Hoog, the CEO of NowSecure, told the Wall Street Journal that his company alerted Samsung to the flaw in November. Two months later, Samsung requested another year to patch the problem. Three months after that, the company claimed to push a software fix out to wireless carriers, like Sprint and Verizon, and said the firm could take its findings public in another three months, reports WSJ’s Danny Yadron.

Realizing that the phones weren’t patched, but believing too much time had elapsed already, the NowSecure team decided to go ahead and present its discovery at the hacker conference, according to WSJ.

SwiftKey pointed out in a statement that its other apps are unaffected by the exploit, and that the vulnerability, tracked as CVE-2015-2865, takes a bit of skill and a lot of good timing to pull off: “a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

Samsung, too, released a statement addressing the bug: “We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” the company said. “Samsung KNOX,” the company’s mobile security solution, “has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy will begin rolling out in a few days.”

“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

For now, NowSecure recommends that users of the Samsung Galaxy smartphone models affected by the bug should:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

This article originally appeared on Fortune.com

TIME National Security

Authorities Say Second Hack Exposed Military and Intelligence Data

Second hack is believed to be separate from last week's cyberbreach of federal personnel data

(WASHINGTON) — Hackers linked to China appear to have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, several U.S. officials said Friday, describing a second cyberbreach of federal records that could dramatically compound the potential damage.

The forms authorities believe to have been accessed, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant are required.

The officials spoke on condition of anonymity because the security clearance material is classified.

The security-clearance records provide “a very complete overview of a person,” said Evan Lesser, managing director of ClearanceJobs.com, a website that matches security-clearance holders to available slots. “You don’t need these records to blackmail or exploit someone, but it would sure make the job easier.”

The Office of Personnel Management, which was the target of the hack, has not officially notified military or intelligence personnel whose security clearance data was breached, but news of the second hack was starting to circulate in both the Pentagon and the CIA.

The officials said they believe the hack into the security clearance database was separate from the breach of federal personnel data announced last week — a breach that is itself appearing far worse than first believed. It could not be learned whether the security database breach happened when an OPM contractor was hacked in 2013, an attack that was discovered last year. Members of Congress received classified briefings about that breach in September, but there was no mention of security clearance information being exposed.

The OPM had no immediate comment Friday.

Nearly all of the millions of security clearance holders, including CIA, National Security Agency and military special operations personnel, are potentially exposed in the security clearance breach, the officials said. More than 2.9 million people had been investigated for a security clearance as of October 2014, according to government records.

In the hack of standard personnel records announced last week, two people briefed on the investigation disclosed Friday that as many as 14 million current and former civilian U.S. government employees have had their information exposed to hackers, a far higher figure than the 4 million the Obama administration initially disclosed.

American officials have said that cybertheft originated in China and that they suspect espionage by the Chinese government, which has denied any involvement.

The newer estimate puts the number of compromised records between 9 million and 14 million going back to the 1980s, said one congressional official and one former U.S. official, who spoke to The Associated Press on condition of anonymity because information disclosed in the confidential briefings includes classified details of the investigation.

There are about 2.6 million executive branch civilians, so the majority of the records exposed relate to former employees. Contractor information also has been stolen, officials said. The data in the hack revealed last week include the records of most federal civilian employees, though not members of Congress and their staffs, members of the military or staff of the intelligence agencies.

On Thursday, a major union said it believes the hackers stole Social Security numbers, military records and veterans’ status information, addresses, birth dates, job and pay histories; health insurance, life insurance and pension information; and age, gender and race data.

The personnel records would provide a foreign government an extraordinary roadmap to blackmail, impersonate or otherwise exploit federal employees in an effort to gain access to U.S. secrets —or entry into government computer networks.

Outside experts were pointing to the breaches as a blistering indictment of the U.S. government’s ability to secure its own data two years after a National Security Agency contractor, Edward Snowden, was able to steal tens of thousands of the agency’s most sensitive documents.

After the Snowden revelations about government surveillance, it became more difficult for the federal government to hire talented younger people into sensitive jobs, particularly at intelligence agencies, Lesser said.

“Now, if you get a job with the government, your own personal information may not be secure,” he said. “This is going to multiply the government’s hiring problems many times.”

The Social Security numbers were not encrypted, the American Federation of Government Employees said, calling that “an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce.”

Samuel Schumach, an OPM spokesman, would not address how the data was protected or specifics of the information that might have been compromised, but said, “Today’s adversaries are sophisticated enough that encryption alone does not guarantee protection.” OPM is nonetheless increasing its use of encryption, he said.

The Obama administration had acknowledged that up to 4.2 million current and former employees whose information resides in the Office of Personnel Management server are affected by the December cyberbreach, but it had been vague about exactly what was taken.

J. David Cox, president of the American Federation of Government Employees, said in a letter Thursday to OPM director Katherine Archuleta that based on incomplete information OPM provided to the union, “the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to 1 million former federal employees.”

Another federal union, the National Active and Retired Federal Employees Association, said Friday that “at this point, we believe AFGE’s assessment of the breach is overstated.” It called on the OPM to provide more information.

Rep. Mike Rogers, the former chairman of the House Intelligence Committee, said last week that he believes China will use the recently stolen information for “the mother of all spear-phishing attacks.”

Spear-phishing is a targeted form of phishing: emails tailored to a specific recipient, often using personal details to make them appear legitimate, so that the target opens an attachment or link that installs malware on their network. The stolen personnel and clearance records would supply exactly that kind of detail.

___

Associated Press writer Lolita C. Baldor contributed to this story.

TIME Security

Why Using an ATM Is More Dangerous Than Ever

Breaches have risen dramatically very recently

In a time when major data hacks are on the rise—think Target, Home Depot, Sony—it’s no surprise breaches on individuals are also up. According to FICO, debit-card compromises at ATMs rose 174% from January to April of this year, compared to the same period last year.

And that’s just breaches of ATMs located on official bank property. Successful breaches at non-bank ATMs rose 317% in that period.

In other words, withdrawing money from an ATM is more dangerous than it’s been in a long time—specifically, the worst it has been in two decades, according to the Wall Street Journal, which cites a prediction from consulting firm Tremont Capital Group that criminals will make more than 1.5 million successful ATM cash withdrawals this year.

As Fortune reported earlier this year, a majority of American corporations believe they will be hacked in 2015. The questions they are all grappling with are how to prepare for such attacks and how to respond when they happen, because preventing these compromises has become increasingly difficult.

Banking institutions, as well as the payment companies that connect banks to consumers, like Visa and MasterCard, have beefed up their technology more aggressively than ever in order both to innovate and to secure their systems. But for a private consumer who simply wants to take money from an ATM, stats like these are nonetheless sobering.


TIME Innovation

Are “Micro-Schools” the Future of Education?

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

These are today's best ideas

1. Are personalized “micro-schools” the future of education?

By Anya Kamenetz at NPR

2. Millions of Americans get tests, drugs, and operations that won’t make them better.

By Atul Gawande in the New Yorker

3. Can bacteria help us fight the ravages of climate change?

By Esther Ngumbi in Scientific American

4. Here’s a drone you can fly with your phone, from the designer of the Roomba.

By Jessica Leber in Fast Co.Exist

5. What’s killing the growth of mobile banking?

By Herb Weisbaum in NBC News


MONEY privacy

It Took Just One Email to Compromise the Leaders of the Free World


Many of the world leaders who attended last year’s G20 summit in Brisbane had their personal data compromised. The cause? Human error.

Whether an autofill mishap or a “What in the name of God were you thinking?” move, somebody’s shrimp is on the barbie at Australia’s immigration department after an officer there emailed President Obama’s passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.

An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year’s G20 summit in Brisbane — including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China’s President Xi Jinping, India’s Prime Minister Narendra Modi, Japan’s Prime Minister Shinzo Abe and UK Prime Minister David Cameron — was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.

The freedom of information request revealed that an immigration official notified Australia’s privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.

“The personal information which has been breached,” an email notifying the privacy commissioner stated, “is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit.”

“The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.

“The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the “deleted items” folder.

The Inevitable Weak Link

Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example. The retailing icon didn’t properly segment its network, and someone at a heating and air conditioning company with a Target contract, whose credentials reached far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to get at Target’s point-of-sale systems: in other words, human error. Subsequently, multiple alerts from Target’s own security tooling, indicating the presence of malware, were disregarded by staff, also human error.

In the G20 instance, the damage was most likely not great — at least to the world leaders in question. That said, Steve Wilson, a principal analyst focusing on digital identity and privacy at Constellation Research told the Guardian, “What I’d be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them.”

Wilson went on to hypothesize: “If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk.”

Now comes the unavoidable question: When it involves the protection of a president or prime minister, is “most likely safe” an acceptable standard? For a government employee to send out such internationally sensitive information in an email and for a privacy commissioner to decide not to notify anyone that the breach had occurred needs to get tagged as “human error” as well. (If anyone should know better, one would assume it might be the “privacy” commissioner, yes?) One of the more crucial protocols in a data compromise is transparency, at least with respect to those who have been exposed. If you’re not aware of the fact that you are in harm’s way, how can you possibly protect yourself?

You may remember the scene in the 2006 remake of the Pink Panther where Clouseau, played by Steve Martin, gets his hand stuck inside a vase. He asks the casino owner if the item is valuable, and is told that it’s a worthless imitation. Mindful of that information, Clouseau slams the vase on a desk to free his hand, breaking both in the process.

“But that desk,” the casino owner says, “was priceless.”

So now anyone wanting to get their hands on that PII knows where it isn’t, but they also have some clues as to how to piece it together, and where it might be. (Of course, no hacker has ever raised deleted files from the dead.) They also now know that Australia has porous defenses, even if its vulnerabilities exist only at the level of a human resources failure to properly train employees on data security best practices. But then there’s the question of the privacy commissioner’s handling of the situation, which none of this explains. Sigh…

The leak of PII belonging to world leaders is an extremely serious matter. For years many have warned that any system is only as secure as its weakest link … and that humans are almost always the weakest link. So the beat goes on.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


This article originally appeared on Credit.com.

TIME Crime

‘Revenge-Porn King’ to Plead Guilty and Face Imprisonment


Hunter Moore is charged with hacking into victims' email accounts and posting their nude photos on his website

The owner of a “revenge porn” website, accused of posting stolen nude photos of women online, has agreed to plead guilty to federal computer-hacking and identity-theft charges, prosecutors announced Wednesday.

The Los Angeles Times reports that Hunter Moore was dubbed the “king of revenge porn” for running a website called IsAnyoneUp.com, on which explicit photos of women, stolen from their personal email accounts, were posted.

Moore, 28, also paid Charles Evans to hack into computers and steal nude photos from victims’ accounts. Evans is due to go on trial March 17.

Moore faces up to seven years in prison. He is set to appear back in court on Feb. 25.

[L.A. Times]

MONEY cybersecurity

Hackers Use Malware to Steal $300 Million From Banks

Hackers used malware attached to phishing emails to compromise the security systems of more than 100 banks across the world, according to a new report from security firm Kaspersky.

TIME Hacking

Hackers Steal $1 Billion in Massive, Worldwide Breach


A prominent cybersecurity firm says that thieves have infiltrated more than 100 banks in 30 countries over the past two years

Hackers have stolen as much as $1 billion from banks around the world, according to a prominent cybersecurity firm. In a report scheduled to be delivered Monday, Russian security company Kaspersky Lab claims that a hacking ring has infiltrated more than 100 banks in 30 countries over the past two years.

Kaspersky says digital thieves gained access to banks’ computer systems through phishing schemes and other confidence scams. Hackers then lurked in the institutions’ systems, taking screen shots or even video of employees at work. Once familiar with the banks’ operations, the hackers could steal funds without raising alarms, programming ATMs to dispense money at specific times for instance or transferring funds to fraudulent accounts. First outlined by the New York Times, the report will be presented Monday at a security conference in Mexico.

The hackers seem to limit their scores to about $10 million before moving on to another bank, Kaspersky principal security researcher Vicente Diaz told the Associated Press. This helps avoid detection; the crimes appear to be motivated primarily by financial gain. “In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

[New York Times]

TIME Cybercrime

This Could Be the End of User Name and Password

Benjamin Lawsky, superintendent of the New York State Department of Financial Services, speaks during a Bloomberg Television interview in New York on Nov. 24, 2014. (Scott Eels/Bloomberg/Getty Images)

Anthem, J.P. Morgan hacks could lead to tougher online security.

A top New York State regulator is “very likely” to impose new cyber-security rules on much of the banking and insurance industries after high profile cyber-intrusions at Anthem and JP Morgan Chase, law enforcement officials tell TIME.

The move could spell the beginning of the end for a decade-long debate among state and federal regulators over whether to require companies to go beyond the simple user name and password identity checks required to access many computer networks at the heart of America’s financial system and could affect everyone from employees at those firms to the consumers they serve.

Early investigations in the Anthem case suggest foreign hackers used the user name and password of a company executive to get inside Anthem’s system and make off with personal data for 80 million people, including names, addresses and Social Security numbers, the law enforcement officials tell TIME. Anthem had invested in extensive cyber defenses in recent years, but the officials say initial investigations suggest the theft could have been averted if the company had embraced tougher methods for verifying the identity of those trying to access its systems.

That shortcoming reflects systemic weaknesses found throughout the industry in an upcoming study by the New York State Department of Financial Services, a version of which was reviewed by TIME. Among the most worrying findings was a marked level of over-confidence among insurance industry officials regarding the security of their systems. “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here,” says Benjamin Lawsky, the department’s superintendent.

While many big health, life and property insurers boast robust cyber-defenses, including encryption for data transfers, firewalls, and anti-virus software, many still rely on relatively weak verification methods for employees and consumers, and have lax controls over third-party vendors that have access to their systems and the personal data contained there, according to the report. The study follows a similar review by Lawsky’s office of the banking sector late last year that led to tighter cyber-examinations for banks doing business in New York.

As the fourth-largest state and the home to many of the corporations in question, New York could affect consumers in other states with its decisions.

For more than a decade, federal and state regulators have debated measures to require increased security at banks and insurance companies that handle the financial and personal details of hundreds of millions of Americans. In 2005, the federal body charged with setting the examination standards for federal regulators concluded that simple user name and password systems were “inadequate” for “transactions involving access to customer information or the movement of funds to other parties,” but stopped short of requiring tighter measures. Updated guidance in 2011 also stopped short of requiring them.


The primary federal regulator of big banks, the Office of the Comptroller of the Currency (OCC) says different banks need to assess their own risks in determining whether to use additional verification methods. Other regulators have worried that if one agency, like the New York State Department of Financial Services, tightens standards on its own, the result will be a patchwork of rules that make life difficult for banks doing business across the country.

Still, most agree that username and password security alone is increasingly vulnerable to hackers. As American Banker reports:

Most of the security breaches that occur in banking today use compromised credentials. More than 900 million consumer records have been stolen [in 2014] alone, according to Risk Based Security; 66.3% included passwords and 56.9% included usernames. According to Verizon’s latest Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76% of the breaches analyzed.

The additional measures New York State is likely to require are known as “multi-factor authentication” and include a range of approaches to verify the identity of those trying to sign on to a computer system. Options include sending a confirmation number to an individual’s cell phone, using a fingerprint or other biometric authentication, or using a separate identification source, like a swipe card.
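The “confirmation number” style of second factor described above is typically a short code generated from a secret shared between the server and the user’s device (a time-based one-time password, TOTP, per RFC 6238) or sent by SMS. The Go code below is an added example written for this page, not anything from the regulator’s report or from any bank named in the article. It implements HOTP and TOTP over HMAC-SHA1 and a server-side verifier that tolerates one 30-second step of clock skew, compares codes in constant time, and refuses a code whose counter has already been consumed, so a one-time code captured by a phisher cannot be replayed. The shared secret is the RFC 6238 test-vector secret, constructed input that no deployment should use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per code, the RFC 6238 default
	totpDigits = 6
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation, then reduction to the requested number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238).
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/totpStep, totpDigits)
}

// VerifyTOTP checks a submitted code against the current step and one step
// on either side (clock skew), compares in constant time, and refuses any
// counter at or below lastUsed so a consumed code cannot be replayed.
// It returns the counter that matched so the caller can persist it.
func VerifyTOTP(secret []byte, code string, at time.Time, lastUsed uint64) (uint64, bool) {
	base := int64(uint64(at.Unix()) / totpStep)
	for _, delta := range []int64{0, -1, 1} {
		if base+delta < 0 {
			continue
		}
		c := uint64(base + delta)
		if c <= lastUsed {
			continue // already consumed: replay
		}
		if hmac.Equal([]byte(HOTP(secret, c, totpDigits)), []byte(code)) {
			return c, true
		}
	}
	return 0, false
}

func main() {
	// RFC 6238 test-vector secret: constructed input, never use in production.
	secret := []byte("12345678901234567890")
	now := time.Now()
	code := TOTP(secret, now)
	fmt.Println("current code:", code)
	c, ok := VerifyTOTP(secret, code, now, 0)
	fmt.Println("first use accepted:", ok)
	_, ok = VerifyTOTP(secret, code, now, c)
	fmt.Println("replay accepted:", ok)
}
```

The replay check only closes reuse of a code. A phishing page that proxies the login in real time can still relay a fresh code inside its 30-second window, which is why factors bound to the origin (hardware security keys) resist phishing in a way that any code the user types does not.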

Lawsky has not decided whether his new rule would require institutions to use multi-factor authentication only for employees and third-party vendors, or whether consumers would be required to use them too. However, requiring major banks and insurers under his purview—such as Barclays, Goldman Sachs, Anthem and others—to adopt multi-factor authentication could change the industry standard.

Lawsky says he is eager to see that change. “The password system should have been buried a long time ago, and it’s high time we buried it,” Lawsky tells TIME. “We really need everyone to go to a system of multi-factor verification. It is just too easy, whether through basic hacking or through phishing or stealing basic information, for hackers to get a password and a user name and then to get into a system,” he says.


State and federal officials have argued that banking and insurance cyber vulnerabilities pose a threat not just to the accounts of individual consumers, but potentially to the stability of the entire financial system. The Obama administration’s recently released National Security Strategy says, “the danger of disruptive and even destructive cyber-attack is growing,” thanks to “malicious government, criminal, and individual actors,” targeting the networked infrastructure on which economy, safety, and health rely.

The New York State Department of Financial Services study of the insurance industry shows most insurers are largely convinced they are confronting and defeating hackers: 58% claimed they had experienced no security breaches during the three years preceding the 2013-14 study, while 35% said they had only between one and five such incidents.

To some that suggests naiveté on the part of the industry. As FBI Director James Comey said last fall, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

In addition to the new rules on identity verification, Lawsky expects to impose new requirements on third-party vendors that have access to insurance company databases. Those vendors often have lower cyber-security standards and are not required to describe those standards to the companies even though they often have full access to personal data held by the company.

