Archive for June, 2015

Hershey Park Investigates Possible Data Breach

Hershey Park may have become the latest target of a data breach on debit and credit cards used at the resort and theme park. The case is currently under investigation as Hershey Park works with law enforcement to track down the possible cause.

Hershey first decided to launch an investigation when multiple financial institutions reported fraudulent charges on payment cards after customers visited the park.

“We have received reports from some of our guests that fraud charges appeared on their payment cards after they visited our property,” said Kathleen McGraw, Hershey’s director of communications. “While our company does have security measures in place designed to prevent unauthorized access to our network, we immediately began to investigate our system for signs of an issue and engaged an external computer security firm to assist us. The investigation is ongoing.”

Though the official timeframe of the data breach is not confirmed, KrebsOnSecurity has reported that three financial institutions found their customers visited the park “between mid-March and late May 2015.” The cards were used for a wide range of purchases, including tickets, lodging and dining.

In a statement about the possible breach, Hershey said, “It is always a good practice for consumers to review their payment card account statements.”

The company recommends reporting any unauthorized charges to the payment provider immediately.

Article source:


No Comments

Detour Gold warns former, current employees of data breach

The Globe and Mail

Tuesday, Jun. 30, 2015 4:15PM EDT

Last updated Tuesday, Jun. 30, 2015 5:48PM EDT


JPMorgan Reassigns Security Team Leader a Year After Data Breach

The executive in charge of protecting JPMorgan Chase & Co.’s computer network from hackers has been reassigned, after a year on the job that included controversy over his handling of a massive data breach and the departure of several top security team members.

Greg Rattray, a former U.S. Air Force commander for information warfare and a cyber-expert at the National Security Council under President George W. Bush, no longer works as JPMorgan’s chief information security officer, according to an internal memo sent June 11 and reviewed by Bloomberg News. Rattray is now head of global cyber partnerships and government strategy and reports to Paul Compton, the bank’s chief administrative officer.

Rohan Amin, a former cyber-security executive at Lockheed Martin Corp. who joined JPMorgan last August, has replaced Rattray, according to the memo.

Rattray will oversee a few employees instead of the hundreds he managed in JPMorgan’s cyber-security unit, according to a person familiar with the change, one of three people who described events leading up to the personnel move.

One of his responsibilities will be building relationships between the biggest U.S. bank, law enforcement and other government agencies, according to the memo. That move surprised some bank insiders, considering that Rattray’s response to the breach discovered last August — in which hackers stole the names, addresses and e-mail addresses of 83 million individuals and small businesses — frayed the bank’s ties with federal agencies.

Limited Access

Rattray and his boss, Jim Cummings, a former head of the U.S. Air Force’s cyber-combat unit, tightly limited access to the breached data in an effort to prevent leaks and control the investigation, Bloomberg Businessweek reported on Feb. 19.

The Secret Service grew so frustrated that it threatened to seize the evidence, and Joseph Demarest, then assistant director of the FBI’s cyber division, called Chief Operating Officer Matthew Zames to discuss the delays. The situation was resolved with a formal agreement to share information, people familiar with the matter said.

Rattray and Cummings also argued that the attack was probably the work of the Russian government, as they tried to secure a rare waiver from the Justice Department that would have allowed JPMorgan to delay notifying customers and regulators of the loss on national-security grounds. Government investigators quickly concluded that the attack was the work of cyber-criminals, not spies.

Trish Wexler, a JPMorgan spokeswoman, declined to comment on Rattray’s reassignment.

Culture Conflict

Rattray and Cummings are representative of a growing movement among companies to hire former military cyber-warriors to protect private-sector networks. Rattray’s sidelining offers a cautionary lesson about the risks of a culture conflict.

The fit was difficult from the start. Some staff members mocked the weekly agenda Rattray sent to them, which he called a “battle rhythm,” and Cummings’s exhortations to adhere to the Air Force’s “core values,” such as service to country, in a culture focused on serving clients.

Rattray has an extensive network of contacts and supporters inside the government, including links to the U.S. intelligence community, many of whom have praised his handling of the breach.

“Greg usually knows what he’s doing,” James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington, said of him in February.

Internal Battles

Still, his tenure was marked by battles with experienced members of the bank’s security team, some of whom agreed that the breach was probably criminal in nature. He also angered some of JPMorgan’s technology vendors, who complained that he abruptly canceled contracts and delayed payments on large deals.

Some inside the bank believed the focus on a possible link to the Russian government was an excuse for shortcomings in the bank’s security. The hackers entered the bank’s network through a server that didn’t have strong protections, such as two-factor authentication, which requires a unique code along with a password to gain access.

Others familiar with Rattray’s management style, who asked not to be identified when discussing internal matters, said it was the natural result of hiring ex-cyber warriors whose training led them to immediately assume a government link to a sophisticated attack.

As the largest U.S. bank by assets, JPMorgan has played a major role implementing sanctions against Russian institutions and officials imposed as a result of the conflict in Ukraine.


4 in 10 Midsize Businesses Have Experienced A Data Breach

Most midsize business leaders view a data breach among their top risks and a majority consider IT security ‘very important’ when selecting a supplier, according to The Hartford’s survey of midsize business owners and C-level executives. They have good reason to be concerned: 43 percent had experienced a data breach in the prior three years, and 13 percent have had a supplier’s data breach impact their business information.

The Hartford survey found most midsize business leaders (82 percent) consider a data breach at least a minor risk to their business. Nearly one-third (32 percent) view it as a major risk.

“All types of businesses have networks and networks can be vulnerable to a breach,” said Joe Coray, vice president of The Hartford’s Technology Life Science Practice. “As we have seen in recent years, a breach involving a supplier or vendor can impact a business as much as a breach of its own IT systems. Whether businesses are hosting their data internally or entrusting it to external business partners, it is important that they validate how their information is being secured.”

Recognizing the data risks involving suppliers, more than half of the midsize business leaders (53 percent) surveyed consider IT security and data protection practices very important when selecting a supplier. By comparison, 36 percent consider a supplier’s contingency planning and 28 percent view a supplier’s location relative to their business as very important.

“Given what is at stake in terms of a company’s operations and reputation, evaluating a prospective supplier or vendor’s IT security and data protection protocols against current best practices should be a critical part of a company’s due diligence process,” said Coray, who discusses data breaches and other technology risks for midsize businesses at


Source: The Hartford


Cyber UL Could Become Reality Under Leadership of Hacker Mudge

One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he’s leaving Google to start an initiative designed to be a cyber version of Underwriters’ Laboratory.

Zatko said on Monday that he had decided to leave Google’s Advanced Technology and Projects team and start a cyber UL, at the behest of the White House.

“Goodbye Google ATAP, it was a blast. The White House asked if I would kindly create a #CyberUL, so here goes!” Zatko said on Twitter.

The new project will not be run out of the White House, Zatko said, and the specifics of the plan are not clear right now. But the fact that someone with Zatko’s experience, history, and respect in the security community is involved in the project lends immediate weight and potential to it.

Zatko is one of the members of the L0pht hacker collective that formed in Boston in the 1990s, and the idea for something along the lines of this project took shape back then. John Tan, one of the members of the L0pht, wrote a paper describing a possible model for a “cyber UL” in 1999, an organization that would certify the reliability and quality of a security product. The paper describes a key problem in the security industry, a problem that still exists more than 16 years later: No one has a good way to prove the claims made by vendors.

“Similarly to early electrical inventions, today’s computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and inadvertently introduce worse ones, some just do not perform as advertised at all,” the paper says.

Describing the problem is one thing, and solving it is another thing altogether. Product testing and certification authorities for software and hardware have existed for many years, but they are sometimes seen as ineffective or beholden to the manufacturers whose products they are testing. Creating an independent organization that will perform these functions could solve much of this problem.

Zatko has a long record in the security community and has held a wide variety of positions in the last decade. Before joining Google, he worked at DARPA for several years, running a number of influential research programs, including Cyber Fast Track, which funded security research programs. Several high-profile researchers used grants from the CFT program to fund their research, including Charlie Miller and Chris Valasek, who funded their ground-breaking work on the security of automotive systems, and Joe Grand, who did work on deconstructing printed circuit boards. CFT also helped fund Miller’s research on NFC security and Moxie Marlinspike’s work on the Convergence system.

Two years ago, when he announced that the CFT program was ending at DARPA, Zatko said that the complexity of the security landscape makes defenders’ jobs progressively more difficult.

“When you see that more and more money is being invested and the problem is getting worse, people ask whether we should invest more or none at all,” he said during a talk at the CanSecWest conference in 2013. “Why are we not making progress? There’s a whole bunch of factors involved.”

Before moving to DARPA, Zatko spent many years at BBN Technologies, a pioneering technology company, and was a top researcher at @stake, the security consultancy and research company.


Amazon Releases S2N TLS Crypto Implementation to Open Source

Amazon today released to open source its own TLS implementation called s2n, which stands for signal to noise.

While admittedly not meant to be a replacement for OpenSSL, for example, s2n is a slimmed-down crypto implementation analogous to libssl, the OpenSSL library that supports TLS. Amazon chief information security officer Stephen Schmidt said that s2n will soon be integrated into certain Amazon Web Services, and the experience will be seamless for users; no changes will be required to apps and none will be made that will affect interoperability, Schmidt said in a post on the AWS security blog.

“s2n is a library that has been designed to be small, fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code,” Schmidt said. “As a result of this, we’ve found that it is easier to review s2n; we have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing.”

The relatively small number of lines of code avoids the complexity—and subsequent bugs and security issues—that the OpenSSL team is dealing with, for example. OpenSSL, Schmidt said, has more than 500,000 lines of code, including 70,000 involved in TLS processing.

“Naturally with each line of code there is a risk of error, but this large size also presents challenges for code audits, security reviews, performance, and efficiency,” Schmidt said, adding that s2n has already undergone two external code reviews—one by a commercial security vendor—and has been shared with crypto experts in the security community.

OpenSSL, meanwhile, is on a recovery track after a rocky 18-month period during which Internet-wide vulnerabilities such as Heartbleed tore open the curtain on the frailty of the under-funded and under-resourced open source project. OpenSSL’s maintainers are in the midst of a sizable code cleanup and instituting formal processes for critical changes. Funding from the Core Infrastructure Initiative allowed OpenSSL to hire two full-time employees and fund help to handle bug reports, code reviews and changes.

s2n certainly attempts to steer clear of that kind of complexity, and afford users the ability to hurdle the software upgrades and certificate rotations that accompanied Heartbleed and other Internet-wide bugs in the last year and a half, Schmidt said.

Documentation accompanying the source code, available on GitHub, says that s2n implements SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. It supports 128-bit and 256-bit AES in CBC and GCM modes, 3DES and RC4, for encryption. It also supports DHE and ECDHE for forward secrecy. Outdated crypto such as SSLv3, RC4 and DHE are disabled by default, however. SSLv3, for example, was recently officially deprecated by the IETF. The protocol, which has long been supplanted by TLS, is responsible for a number of fallback attacks, most notably POODLE and BEAST. s2n, however, does lack X.509 certificate parsing, therefore it’s meant to be built with one of the OpenSSL-derived libraries, for example.

It also includes positive and negative unit tests and end-to-end test cases, Amazon said.

“One of the real challenges in existing TLS libraries like OpenSSL is that data structures and state flows are often difficult to test with automated tools,” said Kenneth White, a security researcher and director of the Open Crypto Audit Project. “By making unit and integration testing a first class citizen from the beginning, the AWS team is really promoting an emphasis on software quality assurance, and that benefits all their users.”

Amazon said also that s2n provides every thread with two random number generators.

“One for ‘public’ randomly generated data that may appear in the clear, and one for ‘private’ data that should remain secret,” the documentation says. “This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts.”


IRS data breaches – Corpus Christi Caller

Data breaches are becoming almost commonplace, but when the data is taken from the IRS, it really gets people’s attention. Indeed, the recent admission by IRS commissioner John Koskinen that criminals accessed information from over 104,000 taxpayers through an IRS site caused a significant stir throughout Washington, D.C., as well as stoking flames in the media.

Technically, the IRS information leak was not a system hack or data breach. The thieves used information obtained through other means to access past tax returns of individual taxpayers with the IRS’s Get Transcript application. The past returns gave crooks enough added information to file false tax returns and claim refunds totaling almost $50 million before the IRS shut down the application.

The IRS is notifying affected taxpayers, as well as another 100,000 taxpayers who experienced attempts to access their accounts that were foiled by the IRS filters. The 104,000 taxpayers with compromised information will be offered free credit monitoring by the IRS.

Unfortunately, many taxpayers found out about their data being compromised when their tax forms were rejected for having “already been filed.” The first filing takes precedence in the IRS’s automated systems, so affected taxpayers have to contact the IRS directly to get the situation resolved. The IRS will pay an earned refund to you even if they have already paid a thief — but it takes time to resolve the situation.

Shutting down the Get Transcript site can throw a monkey wrench into the plans of those seeking a mortgage or student financial aid. The mortgage connection is especially troubling, since lenders routinely use third-party access to pull your past tax records (with your approval) in order to underwrite a mortgage loan. What are the safeguards within these third parties? The Washington Post attempted to find out but received no comment from the IRS and few responses from the third parties.

In any case, if you were affected by the breach that means your basic information is out there in the criminal world and even more information has been opened up through your tax records. Even if you were not affected by the breach, there is no guarantee criminals are not holding onto your information and planning to use it later.

What Should You Do Now?

If you have been affected, make sure that you contact the IRS and verify the free credit monitoring has been activated. You should be issued a personal identification number (PIN) that will be supplied each year by the IRS as an extra layer of security. If you are not offered a PIN, request one — because enough of your permanent information is available now that you need the extra security level to thwart fraudulent filings. When you use third-party tax services, whether it is through a CPA or an online entity like TurboTax, do not be afraid to challenge the details of how your information is being protected.

Check with your state tax agency as well, since thieves can also file false state tax returns in your name. The refund levels are often not as large, but state returns are more easily overlooked.

The IRS could (and should) add multiple layers of security to the Get Transcript system, such as a multifactor system that requires a secondary password sent through their mobile device. However, we suggest you take your own protection steps, since your information is probably also being used to open false accounts.

Check with all three credit bureaus, and if there is evidence of attempts to open a false account, consider a credit freeze. You can also take a series of simple steps to reduce the likelihood of similar breaches — use strong passwords, change them often, and do not reuse passwords at different sites just for convenience. Don’t make life easier for criminals attempting this style of breach. A lax attitude may be part of the reason why your information is out there in the first place.


Meritus Health alerts over one thousand patients after data breach

HAGERSTOWN, Md. – After a routine audit in May, officials at Meritus Health discovered that private information for more than one thousand patients may have been compromised.

This includes not only demographic information, but medical records and social security numbers. Meritus Medical Center began mailing letters on Friday to 1,029 people after an investigation.

“An employee of a vendor that we work with to provide some services may have inappropriately accessed some private patient information,” said Mary Rizk of Meritus Health.

The personal information that was accessed includes demographics like date of birth, age and gender, as well as medical records such as treatment and diagnosis information. Meritus also said that some Social Security numbers were compromised.

Officials said the information would have been accessed between last July and April of this year. The employee was disciplined, with their access to Meritus systems suspended. Although they admit it’s a serious situation, they said it’s not a cause for panic.

“We have no proof that any of this information has been used or misused in a manner to cause any harm,” Rizk said.

Rizk said that they are fortunate it only affected a small percentage of their overall patients, and less than 100 social security numbers could have been accessed. Meritus is still working with the unnamed vendor following the investigation.

“We’ve strengthened our controls,” she added. “We’ve developed new systems, and are currently working to create new systems in working with our vendors – to make sure their employees don’t inappropriately access patient information.”

Patients that were affected should expect to receive a letter in the mail by July 17. Meritus said that patients who may have been affected by the incident should review health insurer statements, and be on the lookout for any listed services that were not actually received.


Federal employee union sues Obama administration over data breach

A leading federal employee union filed a class action lawsuit on Monday against the U.S. Office of Personnel Management over the massive hack of government data, alleging that the agency was negligent because it failed to heed warnings about its cyber security defenses.

The American Federation of Government Employees lawsuit alleges the Obama administration violated federal privacy laws by allowing the records of as many as 18 million current and former federal employees to be stolen.

Massive data breach could affect every federal agency

China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time.

OPM has faced criticism from lawmakers on Capitol Hill since acknowledging the hack this month. Maryland is home to more than 300,000 federal employees, a higher share of its population than most other states.

“AFGE will not sit idly by while OPM fails to comply with the most basic requests for information or provide an adequate response,” AFGE President J. David Cox Sr. said in a statement.


“Even after this historic security breach, OPM has continued to use poor data security practices and inferior private-sector strategies to solve its security woes.”


Copyright © 2015, The Baltimore Sun


Woman arrested in Cuesta College data breach also faces drug, battery charges
