Get ready for 1000% of your daily dose of Irony: America’s top surveillance outfit, the National Security Agency, appears to have been hacked, according to announcements made by a group known as the “Shadow Brokers” and backed by a sample of data released as proof. Not only that, it may have happened as early as 2013, just days after NSA whistleblower Snowden went public. The spy agency has yet to comment on the matter, though given their usual taciturn stance on sharing information with the public, further enlightenment is unlikely to come from that source. Snowden himself weighed in on the issue shortly after this news became public, saying the original hack was likely the work of the Russian government. In a further dose of irony, Snowden currently resides in Russia, presumably as part American exile and part Russian political trophy.
What this means for you:
Before you grab your bug-out bag and head for your internet-proof bunker, make sure you freak out for the right reasons. In this particular instance, the data for sale appears to be code, and not data on Americans (which they are assuredly collecting). Offered as proof of the deed, the Shadow Brokers posted source code of known malware apps the NSA is alleged (by Snowden and others) to have used to break firewalls and other security platforms in use by foreign nations, presumably to allow the installation of other covert surveillance software on the computers behind those security measures. Security pundits, including industry vet Bruce Schneier, have evaluated the data released, and in light of the current political climate between the US and Russia, are of the opinion that this might be a maneuver by the Russian government in anticipation of criticism or accusations from the US about the DNC hacks. To put it in more understandable terms, we may be seeing the opening salvos in a new, thoroughly modern Cold War. Instead of warheads and undercover spies as pawns, this one may be waged via the internet through cyber warfare and social media. Ready to head to that bunker yet?
Hackers will go where the data resides, and there is perhaps no “juicier” website than the infamous Ashley Madison website that facilitates extra-marital relationships for nearly 40 million people. Owned by the Avid Life Media group, the Ashley Madison website is part of a family of similarly-minded websites including Cougar Life and Established Men. The breach was allegedly perpetrated by a group known as the Impact Team, and according to their posted manifesto, the attack was in response to alleged corporate malfeasance on ALM’s part – not, as many might think, in response to the encouragement of cheating spouses. Impact Team alleges that the program promoted by ALM called “full delete” does not in fact do what it promises: for a fee, members can request their profiles be completely erased from ALM records. The supposed “hacktivists” are threatening to post online all the data they’ve stolen from ALM unless their demands are met: take Ashley Madison and Established Men offline permanently.
What this means for you:
Personally identifiable information aside, getting outed for having an account on an adultery website is really “sensitive” data, no question. Though it shouldn’t hurt your employment prospects in theory – employers can’t discriminate based upon marital status (or fidelity for that matter) because that category of information falls under protected status – it can definitely wreck a marriage, and theoretically your finances from that point on. Assuming Impact Team plans to release all the data they’ve stolen, someone will undoubtedly turn it into a searchable database, and even the most trusting of spouses would be hard-pressed not to have a peek. So on top of having your identity stolen, you could also lose the love and trust of a spouse, friends and family. I’m pretty sure the latter is worse than the former.
Despite ALM’s vague promises to remove confidential data as it appears, once data is on the internet, you can never take it down. It’s clear that ALM has no plans to accede to any of Impact Team’s demands, and even if the hackers don’t make good on their threats to publish, it’s still highly likely that trove of info will get sold or stolen and consequently published and used. So what do you do if you happen to have an entry in ALM’s database? It’s too late to take advantage of their “full delete” service – if it ever worked in the first place! If you haven’t already done so, getting some form of credit watch service lined up is a good idea, and changing your passwords is a solid first step. Next, I’d recommend seeking advice from qualified professionals in the areas you’ll most likely be living through from here on out.
Password storage utility LastPass reported earlier this week that they discovered suspicious activity on their servers and as a result, some of their users’ data has probably been compromised: account emails, password reminders and some of the decryption hashes and salts. According to LastPass, user password vaults were not compromised, nor does it appear that any user accounts were accessed. As a precautionary measure, LastPass has turned on secondary email authentication confirmations for all LastPass logins from new IP addresses, and they are recommending enabling multifactor authentication – a good security practice for any sensitive account (like your email).
What this means for you:
LastPass uses a very strong encryption method to secure your data, and it would take some significant computing resources to crack their encryption from a brute-force perspective. However, if your LastPass master password was easily guessable, in theory they could use the stolen hash and salt to confirm that password, and attempt to gain access to your LastPass account. In short: change your LastPass master password, and if you used that password anywhere else, change it there as well.
Four and a half million patients treated within the hospital network Community Health Systems now have something else to worry about aside from having to see a physician: identity theft. The 28-state network revealed today that its servers had been breached by Chinese hackers who gained access to CHS patients’ names, birthdates, social security numbers, phone numbers and addresses, every bit of data a criminal would need to perpetrate a robust identity takeover. The hackers did not gain access to credit cards or clinical records, which may only serve as a small consolation to this egregious breach of privacy.
What this means for you:
CHS operates primarily in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas, so if you’ve received medical treatment in one of those states any time since records became computerized, you might be affected by this data breach. As opposed to the widely publicized (but not yet independently verified) Russian hacker haul of 1.2 billion passwords, changing a few passwords isn’t going to help you if you are one of the 4.5 million affected by the CHS data leak. Supposedly, CHS is planning to offer some form of Identity Theft monitoring, which, depending on the level of patience and fortitude you have, may be worth accepting. The alternative – manually monitoring your credit for bogus accounts being opened – can be time-consuming and tedious.
Even if you aren’t impacted by the above – are you keeping a close eye on your credit history? Keep in mind that Credit Monitoring services only do just that – monitor. They can’t prevent criminals from attempting to hijack your credit via bogus credit and loan applications. They will warn you about the attempts, and at best, provide some assistance in working with the 4 credit agencies to rectify the damage. And even unsuccessful attempts ding your credit history, adding injury to insult in this case.
Telecommunications giant AT&T disclosed on June 13 that three employees of one of its vendors used their privileged access to hack a server containing sensitive customer data, including Social Security Numbers, birth dates and cellular phone numbers. Thus far, AT&T hasn’t revealed how many are affected by this breach, and for the moment it appears that the hackers gained unauthorized access for the purposes of unlocking older generation AT&T phones for use on other carrier networks. The breaches happened in April, but AT&T is only just now notifying affected customers.
What this means for you:
Unlike previous data breaches, the exposed customer data hasn’t appeared for sale (yet!) on the internet black market, but AT&T is offering a free year of credit monitoring as a mea culpa to its affected customers. If you were affected by this breach, you should have already received a notice from AT&T of the potential exposure. This latest breach demonstrates an important point about security: no matter how much you invest in protecting your perimeter, serious threats may already be behind your “firewall”. As an individual, there is very little you can do to help AT&T be more secure, but you can take your credit history and activity seriously, and always keep your eyes peeled for unusual activity on any online account, regardless of whether they are financial services or not.
It’s getting so that it might be easier to publish a list of companies that haven’t been hacked. Sadly, this week it’s dot-com darling Kickstarter and Wall Street stalwart Forbes.com, both of which were hacked and had user data exposed. Where Forbes almost immediately acknowledged that it had been hacked (unavoidable as the infamous Syrian Electronic Army announced that it was behind the attack), Kickstarter got on the wrong side of some folks for delaying its own announcement that it had been breached earlier in the week. Waiting almost 5 days before sending out an email to its users was viewed by many pundits as everything from lackadaisical to outright criminal. In both cases, user names, email addresses and passwords were stolen, though both companies state that the passwords were encrypted, which would make it difficult, but not impossible, for hackers to crack weaker passwords in the stolen data.
What this means for you:
If you had accounts on either of these websites using passwords that you use elsewhere, you need to go out and change that password everywhere else it was used – preferably with a unique one for each website. I had accounts on both of these websites, but I’m less worried as both were unique to the websites and will never be used again. Until the technology industry can come up with a better way than passwords to secure our safety, your next best bet is to generate unique passwords every time one is needed. Utilities like LastPass, Passpack and 1Password are invaluable for this sort of practice and are worth their weight in gold.
It’s also worth noting that in the case of the Forbes hack, their security was compromised by a targeted phishing attack. By responding to fake emails, duped employees revealed passwords that gave the attackers access to the WordPress engine that powers the Forbes.com website. Kickstarter has yet to reveal the nature of their security breach, but I wouldn’t be surprised if a similar phishing attack cracked their security. Phishing emails are becoming increasingly hard to spot as cybercriminals pour more effort and money into crafting effective attacks. The only protection is to be suspicious of everything, and to never click links in emails before independently verifying where they actually lead.
According to the Washington Post, the Pentagon has recently received a report that states that plans and specifications for over 2 dozen US weapon systems have been stolen via digital attacks on defense contractor and subcontractor systems. The list of possibly compromised systems includes several key military assets such as the F/A-18 fighter, the F-35 Joint Strike Fighter, the Black Hawk helicopter and the Patriot Missile. Officially, the Pentagon has downplayed the report, stating that they have no reason to believe the strength or integrity of the military has been compromised in any way, but Department of Defense officials have said, off record, that there is growing concern that the Pentagon and our government at large are increasingly falling behind in their ability to defend our digital borders from future cyber attacks.
What this means for you:
Regardless of your political leaning, there are few Americans who believe that our government runs a tight ship, and anyone who’s had any dealings with the Federal government knows that for the most part, they are woefully behind in just about every aspect of technology. Poor operational standards and old technology are a recipe for security disaster on a large scale for any business, and the Department of Defense is about as big a business as you can get.
Just like the problem life insurance salespeople face (no one wants to face the fact of dying), many businesses still have not come to grips with the fact that they will have (or already have had) a security breach. Many defense contractors who have lived in the bubble of American military superiority for so long have developed a complacency that is leading to poor decisions and lack of preparation until it is too late. The Chinese military is hungry to tip the scales, and it seems that they have the digital advantage.
Surely your business is more nimble than the Department of Defense. Have you grown complacent and ignored your technology’s security? Wouldn’t you rather do some work ahead of a security breach rather than scrambling to repair the damage?