U.S. official sees more cyber attacks on industrial control systems

MIAMI (Reuters) – A U.S. government cyber security official warned that authorities have seen an increase in attacks that penetrate industrial control system networks over the past year, and said they are vulnerable because they are exposed to the Internet.

Industrial control systems are computers that control operations of industrial processes, from energy plants and steel mills to cookie factories and breweries.

“We see more and more that are gaining access to that control system layer,” said Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

ICS-CERT helps U.S. firms investigate suspected cyber attacks on industrial control systems as well as corporate networks.

Interest in critical infrastructure security has surged since late last month when Ukraine authorities blamed a power outage on a cyber attack from Russia, which would make it the first known power outage caused by a cyber attack.

Experts attending the S4 conference of some 300 critical infrastructure security specialists in Miami said the incident has caused U.S. firms to ask whether their systems are vulnerable to similar incidents.

Edwards said he believed the increase in attacks was mainly because more control systems are directly connected to the Internet.

“I am very dismayed at the accessibility of some of these networks… they are just hanging right off the tubes,” he said in an on-stage interview with conference organizer Dale Peterson.

Edwards did not say whether those attacks had caused any service disruptions or threatened public safety.

Sean McBride, a critical infrastructure analyst with iSight Partners who attended the talk, said the increase may reflect more publicity in recent years over the risks of cyber attacks, which prompted operators to look harder and find more infections.

McBride said he could not say if the increase was troubling because he did not know the intent of the attackers.

Edwards and a DHS spokesman declined to elaborate on his comments.

ICS-CERT said in an alert this week that it had identified malware used in the attack in Ukraine as BlackEnergy 3, a variant of malware that the agency said in 2014 had infected some U.S. critical infrastructure operators.

A DHS official said on Tuesday that government investigators have not confirmed whether the BlackEnergy malware caused the Ukraine incident.

“At this time there is no definitive evidence linking the power outage in Ukraine with the presence of the malware,” said the official, who was not authorized to discuss the matter publicly.

Edwards did not discuss the Ukraine attack during his talk.

(Reporting by Jim Finkle in Miami; Editing by Leslie Adler)

U.S. helping Ukraine investigate December power grid hack

WASHINGTON (Reuters) – The U.S. Department of Homeland Security said on Tuesday it was helping Ukraine investigate an apparent attack last month on the country’s power grid that caused a blackout for 80,000 customers.

Experts have widely described the Dec. 23 incident at western Ukraine’s Prykarpattyaoblenergo utility as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service has blamed Russia for the incident, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as “Sandworm.”

In an advisory, DHS said it had linked the blackout to malicious code detected in 2014 within industrial control systems used to operate U.S. critical infrastructure. There was no known successful disruption to the U.S. grid, however.

DHS said the “BlackEnergy Malware” appears to have infected Ukraine’s systems with a spear phishing attack via a corrupted Microsoft Word attachment.

The DHS bulletin from the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is the first public comment about the Ukraine incident.

A report released by Washington-based SANS Inc over the weekend concluded hackers likely caused Ukraine’s six-hour outage by remotely switching breakers in a way that cut power, after installing malware that prevented technicians from detecting the intrusion. The attackers are also believed to have flooded the Ukrainian utility’s customer-service center with phone calls in order to prevent real customers from reporting their downed power.

DHS and the FBI did not immediately respond to requests for additional comment.

(Reporting by Dustin Volz and Jim Finkle; Editing by Doina Chiacu and Andrew Hay)

Database of 191 Million U.S. Voters Exposed on Internet: Researcher

By Jim Finkle and Dustin Volz

(Reuters) – An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Vickery, a tech support specialist from Austin, Texas, said he found the information while looking for information exposed on the Web in a bid to raise awareness of data leaks.

Vickery said he could not tell whether others had accessed the voter database, which took about a day to download.

While voter data is typically considered public information, it would be time-consuming and expensive to gather a database of all American voters. A trove of all U.S. voter data could be valuable to criminals looking for lists of large numbers of targets for a variety of fraud schemes.

“The alarming part is that the information is so concentrated,” Vickery said.

Vickery said he has not been able to identify who controls the database, but that he is working with U.S. federal authorities to find the owner so they can remove it from public view. He declined to identify the agencies.

A representative with the Federal Bureau of Investigation declined to comment.

A representative with the U.S. Federal Elections Commission, which regulates campaign financing, said the agency does not have jurisdiction over protecting voter records.

Regulations on protecting voter data vary from state to state, with many states imposing no restrictions. California, for example, requires that voter data be used for political purposes only and not be available to persons outside of the United States.

Privacy advocates said Vickery’s findings were troubling.

“Privacy regulations are required so a person’s political information can be kept private and safe,” said Jeff Chester, executive director of the Washington-based Center for Digital Democracy. The leak was first reported by CSO Online and Databreaches.net, computer and privacy news sites that Vickery said helped him attempt to locate the database’s owner.

CSO Online said the exposed information may have originally come from campaign software provider NationBuilder because the leak included data codes similar to those used by that firm.

In a statement, NationBuilder Chief Executive Officer Jim Gilliam said the database was not created by the Los Angeles-based company, but that some of its information may have come from data it freely supplies to political campaigns.

“From what we’ve seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database,” Gilliam said.

(Reporting by Jim Finkle and Dustin Volz; Editing by Jonathan Oatis)

Hackers Access Power Grid, N.Y. Dam; Might Have Accessed Government Talks

Hackers gained access to the United States power grid, including detailed drawings that could have been used to cut power to millions of people, according to a new Associated Press report.

The report, published Monday, indicated that there have been roughly 12 times in the past 10 years when foreign hackers accessed the networks controlling lights across the United States.

That includes one instance where hackers, believed to be from Iran, had swiped passwords and detailed sketches of dozens of power plants, invaluable tools if one planned to cut off the power. Cybersecurity experts told the Associated Press the breach (which affected energy company Calpine, which operates 83 power plants) dates to at least August 2013 and could be ongoing.

The Associated Press reported that hackers accessed passwords that could have been used to access Calpine’s networks remotely, along with highly detailed drawings of 71 energy-related facilities across the country. That could allow skilled hackers to specifically target certain plants.

But targeting a plant and successfully shutting off the power are two different things.

The Associated Press report noted the power grid is designed to keep the lights on when utility lines or equipment fail. To cause a widespread blackout, a hacker would have to be exceptionally skilled, bypassing not only a company’s security measures but also creating specialized code that disrupts the interactions of the company’s equipment. Still, experts told the AP that it remains possible for a sufficiently skilled and motivated hacker to send a large swath of the country into blackout, and enough intrusions have occurred that a foreign hacker can likely “strike at will.”

The Associated Press report was published the same day the Wall Street Journal unveiled that Iranian hackers accessed the controls of a dam about 20 miles away from New York City in 2013.

In another breach, tech company Juniper Networks announced last Thursday that it discovered some “unauthorized code” in its software that could have allowed skilled hackers to improperly access some devices and decrypt secure communications. CNN reported the FBI is investigating the hack because it fears the code might have been used to spy on government correspondence.

Because government use of Juniper products is so widespread, one U.S. official told CNN the hack was like “stealing a master key to get into any government building.” CNN reported a foreign government is believed to be behind the hack, but it still is not clear who is responsible.

Juniper said it released a patch that corrects the issue. The company said it wasn’t aware of “any malicious exploitation” of the security loophole, but noted there likely wasn’t a way to reliably detect if a device had been compromised because hackers could have easily erased the evidence.

Hackers Access Data of 650K British Pub Chain Customers

Hackers gained access to a database that contained private information about more than 650,000 customers of a chain of British pubs, according to a posting on its website.

JD Wetherspoon reported that about 100 of its customers had the last four digits of their credit and debit card numbers stolen through a breach of the company’s former website. Because the complete numbers hadn’t been stored, the company said no stolen data could be used for fraud.

The website posting indicated the database contained information like email addresses, names, birthdays and phone numbers of 656,723 people. The pub chain’s CEO, John Hutson, said in the posting that neither its customers nor its cyber security specialists gave any indication that anyone had used that stolen customer information for fraud, “although we cannot be certain.”

Hutson said in the posting there were no passwords stored in the database. He asked customers to watch out for suspicious emails, such as ones that ask recipients to respond with personal or financial information or to click on links. Such emails are commonly seen in phishing schemes.

The breach took place in June, the company said in the website posting. The pub chain only learned of the breach last week, and subsequently began investigating and notifying customers.

Hutson said in the website posting that JD Wetherspoon has “taken all necessary measures to secure” its website following the breach (the pub chain has since switched to a new website manager that it says has no ties to the hack) and that a forensic investigation is ongoing. The pub chain has also notified the British authority that regulates data protection of the breach.

As of Monday morning, it’s still not known who was responsible for the hack.

The news comes just days after digital toy manufacturer VTech announced that the personal data of millions of its customers was hacked, including some photographs of children. VTech has said it’s cooperating with law enforcement officials from around the world to investigate.

VTech Hires Cyber Security Firm After Hack, Lawmakers Want Answers

VTech hired a company to help it with cyber security after a hacker gained access to the toy maker’s customer database — and private information about millions of adults and children.

The Hong Kong-based company announced Thursday that a team from FireEye is helping it with the fallout from the massive data breach, one of the largest documented consumer hacks.

VTech said in a news release that the United States-based company is helping it beef up its security after a November cyber attack in which a hacker accessed the manufacturer’s Learning Lodge portal, which allows customers to download a variety of content to VTech’s digital toys.

The company has said the data included information like email addresses and passwords but not credit card or social security numbers. The hacker who claimed responsibility for the attack has told Motherboard he also accessed pictures of children and logs of private chats between kids and their parents. Those were originally sent through a VTech service called Kid Connect, which allowed smartphone-using parents to exchange messages with children using VTech tablets.

The hacker has told Motherboard he has no plans to release the data.

VTech said about 4.8 million parents and 6.3 million children were affected by the hack. About 2.2 million parent accounts and 2.9 million child profiles are based in the United States, it said.

The company has suspended Learning Lodge and Kid Connect and several other websites in a precautionary measure, it said. VTech adds that it has reviewed the websites and taken steps to safeguard against future attacks, and hiring FireEye appears to be another one of those actions.

“We are deeply shocked by this orchestrated and sophisticated attack on our network. We regret that users of Learning Lodge, Kid Connect and PlanetVTech, some of whom are colleagues, friends and families, are also affected,” VTech Chairman and Group CEO Allan Wong said in a statement that accompanied the announcement. “We would like to offer our sincere apologies for any worry caused by this incident. We are taking all necessary steps to ensure that our users can continue to enjoy our products and services, safe in the knowledge that their data is secure.”

VTech said FireEye’s team will lead a forensic investigation into the attack and help review its customer data security protocols. The toy maker also said it is “cooperating with law enforcement worldwide to investigate the incident,” but did not mention any specific agency’s involvement.

On Wednesday, two United States lawmakers wrote VTech and inquired about the kind of information it collects from children and how the toy manufacturer safeguards that data.

Specifically, Sen. Edward Markey (D.-Mass.) and Congressman Joe Barton (R.-Texas) want to know how VTech complies with the Children’s Online Privacy Protection Act, which governs the data websites can collect from children less than 13 years old.

PC Magazine reported the VTech hack was the fourth largest breach of consumer data.

Children among 5 million affected by VTech hack

Hackers gained access to the private information of about 5 million adults and children who used VTech toys, and some security experts warn that similar data breaches could follow.

The Hong Kong-based digital toy manufacturer announced the massive data breach in a news release on Friday, saying a hacker compromised the company’s Learning Lodge earlier this month. The Learning Lodge is a portal that customers use to download content to VTech toys.

The hackers gained access to VTech’s customer database, which the company said includes information like email addresses and passwords but not social security or credit card numbers.

PC Magazine reported the hack was the fourth largest breach of consumer data on record.

The online technology magazine Motherboard reported on Monday that it spoke to the hacker behind the breach. The hacker claimed he also accessed photographs of children and transcripts of conversations between parents and their kids, some of which dated back to last November.

That data was reportedly sent through VTech’s Kid Connect service, a channel through which adults with smartphones and children with VTech tablets can exchange text and audio messages.

The hacker told Motherboard he didn’t intend to publish or release any of the data he obtained.

VTech said it investigated the breach and implemented steps to combat further attacks. The attorneys general of Connecticut and Illinois said they will also investigate, Reuters reported Monday.

The Reuters report quoted cyber security experts who cautioned that additional breaches like this one are possible. While many digital toys collect data, the experts told Reuters that toy makers don’t necessarily have the same security background as others in the tech industry.

“VTech is a toymaker and I don’t expect them to be security superstars,” Tod Beardsley, the security research manager at the cyber security company Rapid7 Inc., told Reuters. “They are amateurs in the field of security.”

Hong Kong’s Office of the Privacy Commissioner for Personal Data began a “compliance check” on VTech on Tuesday, according to a news release. The inquiry will examine if VTech did enough to safeguard the data before it was breached, as well as the corrective measures it implemented.