Recent aggressive hacks on companies underline the need for good risk analysis, situational awareness, and incident response. Just ask AshleyMadison, Hacking Team, and Sony Pictures.
The post Hacking Team and other breaches as security lessons learned appeared first on We Live Security.
The major theme of this week’s Mr. Robot episode revolved around vulnerabilities. As much as we sometimes try to deny it, we all have weaknesses. Cybercriminals, being the intelligent people they are, unfortunately often use their smarts for evil. They know that it is human nature to have weaknesses since no one is perfect, and they exploit these weaknesses using a tactic called social engineering.
“People make the best exploits”
Whether directly or indirectly, humans and the software they create can be exploited via their weaknesses and vulnerabilities.
FSociety penetrates Steel Mountain, E Corp’s data security center, by exploiting human weaknesses. We first see this happen when Elliot exploits Bill Harper, a sales associate at Steel Mountain, by dismantling his self-worth and telling him that no one in his life really cares about him. Elliot then requests to speak to someone who matters and Bill, disheartened and humiliated, calls his supervisor.
To FSociety’s surprise, Trudy comes instead of Wendy, the supervisor they were expecting and were prepared to utilize to get into the next level of Steel Mountain. This slightly throws off FSociety for a few seconds, but they make a quick comeback by doing a bit of online research. They learn that Trudy’s weakness is her husband and use a Linux distribution called Kali to send her a text message appearing to be sent from her husband saying that he is in the hospital. I researched more about this tool and found out that when using it, it is possible for anyone to spoof SMS and make messages appear as if they are from a number the recipient knows — a trick that is also employed in fraud emails.
The interesting thing about this, though, is they say they do not have Trudy’s number, just her husband’s number. Yet, they type her number into the program to send the message.
via USA Network – Mr. Robot airs on USA Network Wednesdays at 10/9 central
How cybercriminals use social engineering
I sat down with my colleague, Mobile Malware Analyst Nikolaos Chrysaidos, to discuss social engineering and how it can affect people just like you and me.
Stefanie: First off, what is social engineering?
Nikolaos: Social engineering is a combination of psychological techniques that cybercriminals use to trick people into giving up sensitive information or performing certain actions, such as downloading malware. Social engineering essentially exploits people’s weaknesses and as Elliot said in this episode, “People make the best exploits”. No one is perfect and not everyone always has the best judgment, which makes social engineering such a successful tactic. Social engineering is not successful because people are not intelligent enough; it is successful because cybercriminals specifically target and exploit people’s weaknesses.
Stefanie: We saw FSociety socially engineer their way into Steel Mountain, but what are some examples of social engineering that target consumers?
Nikolaos: Generally, social engineering tactics targeted at consumers either trick the victim into thinking they have won a prize, create fear by implying that something is wrong, or that the victim absolutely needs something. This can happen in the form of spearphishing attacks, in which hackers send messages pretending to be a trusted entity or friend of the victim. These messages include call-to-actions that, for example, prompt the victim to update their banking information, tell them there is an important attachment that they need to open which is really malware, or that they have won a prize and need to provide information to retrieve it. Social engineering can also use apps or advertising to trick people into doing certain things.
We often see in the mobile space that hackers scare victims into downloading fake antivirus apps by telling them that their device has a virus on it. In reality, the app steals private data from the device or holds files on the device for ransom, like Simplocker did.
Another way hackers trick users into downloading malware or into giving up personal information, is via malicious advertising. These ads often tell you, for example, that you do not have the latest version of Flash and should download it. They also tend to offer adult services, such as porn, live webcam chats or even mail-order brides. Once clicked on, these malicious ads can download malware onto your device.
Stefanie: Wow! Seems like people really need to be careful! What is some advice you can give to avoid becoming a victim of social engineering?
Nikolaos: Always double check emails from your bank to make sure they are legitimate. Banks should never email you asking to enter sensitive information via a link or send vital information as an email attachment. The same goes for emails from friends that contain links or attachments, if they seem fishy or off, call your friend and ask if the email really came from them before you take any actions.
As for mobile apps, make sure you only download apps from official app stores, like Google Play. If you do choose to download from a third-party store, make sure you have an antivirus solution installed and running. If an app asks you for permissions that don’t make sense to the app’s functions or if the app wants you to alter your security settings, then something is wrong and you should not download the app. You should be similarly cautious with advertisements offering you video players or adult content.
To maximize your protection against threats, you should have antivirus software installed on your PC and mobile device. In case you accidentally fall prey to a social engineering trick, antiviruses will catch malicious programs and websites before they can cause damage.
Never use Wikipedia as a trusted source
This was drilled into my head by my professors in college. Now, I am not saying Wikipedia is bad — there is a sea full of valuable information on Wikipedia, but the site can be edited by nearly anyone. Apparently people even try to delete entire pages –ahem, Donald Trump. You can’t always trust what you read on Wikipedia, despite the editors’ best efforts to keep the pages factual. FSociety, of course, knows how easily a Wikipedia page can be manipulated and abuses Mobley’s extensive Wikipedia editing history to edit Sam Sepiol’s Wiki page. Elliot tells Bill Harper, a sales associate at Steel Mountain, that he is Sam Sepiol, a young billionaire who co-founded tech startup Bleetz and that Bill should look him up. Bill searches for Sam Sepiol and reads his Wikipedia page, where Elliot’s picture is uploaded and thus Elliot is granted a tour of Steel Mountain.
Be aware of how much you share with the Internet
This week’s Ashley Madison data breach is, hopefully, a major wake up call for a lot of people. This breach should teach everyone that the minute you put your personal information online, it’sout of your hands and could be up for grabs. In this week’s episode, Fernando realizes this when he learns he was busted, because he put his business on social media. He did use codes to cipher his communications, but apparently the codes he used were too obvious and easily crackable. Clearly, Fernando should be looking to hire a new adviser and fire his “aspirational little brother”.
You should use caution when uploading your business onto social media. FSociety discovered the weaknesses of multiple people just by Google searching them and checking out their blogs, Twitter and Facebook profiles. This can be done by anyone, so make sure to examine your social media accounts’ settings and set everything to private. Also, be sure to think twice before you upload content or sign up for services online. Think about how these choices may affect you in the future, who can see them and if you really want the world to see it.
What did you think of this week’s Mr. Robot episode? Make sure you follow Avast on Twitter and check out our Hack Chat channel on YouTube to keep up with future Mr. Robot discussions!
Ashley Madison calls itself the “most famous website for discreet encounters between married individuals”. Now, the platform for infidelity and dating has been hacked and its user database of 40 million cheaters with their real names, addresses, financial records, and explicit information were stolen. Discreet is done.
image: www.ashleymadison.com
The past months and years, Target was hacked, Home Depot, BlueCross BlueShield, and even the U.S. government was hacked and data of tens of millions of people were exposed. Wal-Mart, CVS, and Costco had to take down their photo service websites last week as they are investigating a possible data breach. News about new data breaches break every month, sometimes even every week. Just in May, the dating site AdultFriendFinder was hacked, and sensitive information about 3.5 million people was leaked. It shouldn’t come as a surprise to Ashley Madison users that this data breach happened. It was just a matter of time.
Avid Life Media (ALM), the owner of Ashley Madison, seems to have the same stance. In a statement to the media, published by Brian Krebs who first reported the hack, they said: “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
Hackers holding ALM ransom
According to reports, a hacker group called “The Impact Team” seems to be behind this breach and they reportedly demand a ransom from ALM. The hacking group is threatening to expose “all customer records, including profile with all the customer’s secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails” if ALM does not take down Ashley Madison and their other casual dating platform, Established Men.
Moral reasons for the hack
In a document, The Impact Team explained its apparent moral motives behind the breach. Regarding the Ashley Madison users, they write “they’re cheating dirtbags and deserve no such discretion”, and describe Established Men as a “prostitution / human trafficking website for rich men to pay for sex.”
Furthermore, they call out ALM for misguiding its users by offering a “full delete” feature that will allegedly delete your payment and address details from its database for a fee of $19. The Impact Teams writes: “It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.” According to the hackers’ manifesto, ALM made $1.7 million in revenue alone with this feature in 2014.
How did The Impact Team get access to the data?
According to information revealed to Brian Krebs by ALM, it is likely that the data breach happened through somebody who internally had access to ALM’s technical systems, like a former employee or contractor.
As this data breach puts sensitive personal information at risk – is it worse than previous breaches, like the Target breach that exposed customer credit card numbers?
Jaromir Horejsi, Senior Malware Analyst at Avast said,
“From what we know about the technical circumstances of how this happened, it isn’t worse than other breaches. As a former employee or contractor might have been involved, this doesn’t sound like something that required a sophisticated hack. However, more sensitive personal data is involved, and that is what is making people shiver.”
On the other hand, if somebody is cheating on their spouse, they always are walking on thin ice and have to fear that their partner will find out about it some way or another. This is nothing new.
“What’s more sensitive in this case, is that address and financial data was revealed and therefore could be abused for identity theft,” Jaromir Horejsi added. “The personal data may be sold on hacking forums and later used for spamming the affected individuals. It also didn’t take long until the data from the AdultFriendFinder breach made its rounds on hacking forums. People should take this seriously. What users can learn from this is that any information shared online can be stolen. Just because things take place or at least start in the virtual world doesn’t mean that they have a lower impact on your real life. Users that may be affected should start monitoring their credit card statements for unusual activities and report them to their bank.”
In theory, it would also be possible for the hacker group to start blackmailing individuals – in this case it would be best for those affected to be upfront with their partner to take the wind out of the criminal’s sails. However, judging from the type of ransom the hacker group is demanding, this is rather unlikely – as their real goal seems to be to take down Ashley Madison and Established Men.
Follow Avast on Twitter where we keep you updated on cybersecurity news every day.
Ashley Madison is a social network for people in relationship (mostly married I’d guess) who want to have an affair. Now, according to Krebs on Security, the page has been hacked by “an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information”. Large parts of stolen data have been posted online by The Impact Team, the people responsible for said hack.
Apparently The Impact Team decided to post the stolen data because while Avid Life Media (ALM), the company that owns Ashley Madison, says that they will delete user profiles permanently for $19 that’s not happening, at least not completely. While there has been some controversy concerning this topic before the reaction of The Impact Team seems rather extreme.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the hacking group wrote.
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
According to ALM CEO Noel Biderman the company’s investigation is ongoing. He also states that he believes that the breach was actually an inside job – perhaps by a former employee or contractor: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.“
The post Adulterers Beware: Ashley Madison Hacked appeared first on Avira Blog.
This week’s episode was a little confusing for me – and I’m not only referring to the trippy dream Elliot has while going through his drug withdrawals.
It seems I wasn’t the only one who had questions about the hacks in this week’s episode; Forbes published an interview they did with Michael Bazzell, Mr. Robot’s technical consultant and cyber crime expert explaining the hack attack on E Corp that Elliot comes up with at the beginning of the show.
In the article, Michael Bazzell explains how Elliot plans on destroying E Corp’s data storage facility, using Raspberry Pi. Sounds like a very yummy method – too bad there’s an “e” missing at the end of “pi”! Michael explains that Raspberry Pi is a very small computer that can be accessed via the Internet through its built-in cellular chip. Using this, Elliot wants to control the facility’s climate control system to overheat it, thus melting E Corp’s tape-based back up.
While Forbes focused on the more complex hacks that targeted large corporations like E Corp and Allsafe, I was intrigued by the two physical hacks in the show.
via USA Networks
The first “IRL” hack is when two members of FSociety hack a minivan – keep in mind that FSociety does everything in their power to not leave a trail, so they need a stolen car to get to E Corp’s data facility center in order to prevent being caught.
The FSociety guys casually sit on a sidewalk and wait for someone to park and lock their car. Using what looked like an old radio to me but is more likely a transmitter, they were able to send a command to unlock the car – politely thanking “mom” for giving them the opportunity to steal her car. Once inside the car, they connect the car to their laptop using a cable and ran the code to get the car started.
I asked my colleague, senior malware analyst Jaromir Horejsi, what he thought of the hack:
All they needed was the cable and specialized control software for cars. This software can access data from sensors in the car and it can control the car’s behavior. With that, they just had to connect everything together and select their desired actions. – Jaromir Horejsi
This method of hacking a car seemed a little old school, given that there are now so many cars on the road that are keyless and start with a push of a button. Nick Bilton, technology writer and Disruptions columnist for The New York Times, recently had his car hacked and stolen and he wrote an interesting column about his experience.
Nick describes how he was standing in his kitchen and watched as two teenagers stole his Toyota Prius. Prii and many other modern cars are keyless and require the fob key to be within a certain range to start. Nick did more research into how it was so easy for the teens to steal his car right in front of his home and found that there are various gadgets on the market that can unlock BMWs, Toyotas and many other keyless cars. These gadgets are radio transmitters that either use brute force to cycle through car key fob codes or simply amplify the distance the car searches for a key fob, as was done in Nick’s case.
The solution Nick found to this problem? Putting his key fob into his freezer, which acts as a Faraday Cage that blocks external electric fields.
En route to E Corp’s data storage facility, Elliot vomits due to his withdrawal symptoms and the FSociety team has to make a stop for him to recuperate. They stop at a hotel and plug a small device into the room’s key card lock port. Within the blink of an eye they have entered the room and made themselves at home.
This made me ask myself: Can someone really enter a hotel room that easily? (I also thought it was rather convenient that they just happen to have this device with them, but I won’t get into that here ;)).
I did some research online and found out that it is very possible to hack one’s way into a hotel room and that this was proven back in 2012 by Cody Brocious. You can find his paper describing how he hacked the Onity HT lock system for hotels here.
However, we are now in year 2015 and times are changing! Now, many major hotel chains, like Hilton and Starwood, are using NFC and Bluetooth keys combined with mobile apps in place of key cards and physical keys.
The security of any application and system depends on its design and proper implementation. Vulnerabilities cannot be avoided. However, it depends on whether these vulnerabilities are exploitable or not. If exploitable, it depends on who discovers them first – the good or the bad guys. If discovered, it also depends on how quickly they are mitigated. Customers should not be discouraged from using new technology. Conversely, the more people use new technologies, the higher the chance is that potential problems are discovered and fixed — the same goes for mobile apps that work as hotel room keys. –Jaromir Horejsi, senior malware analyst at Avast
Let us know what you think of this week’s Mr. Robot episode in the comments below and make sure to follow us on Twitter and Facebook for security news updates!
Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.
Elliot, Mr. Robot’s anti-hero cyber-security engineer by day and vigilante hacker by night, has been having a life-style crisis. In episode 3, Elliot longs to live what he calls a bug-free life, otherwise known as a regular person.
“Was he drinking Starbucks?”
However, he is quickly pulled back into F Society’s hold when emails exposed during the threatened data dump revealed that E Corp executives had knowledge about the circumstances which led to his father’s death. We will leave the intrigues and plot theories, especially if Mr. Robot is real or a figment of Elliot’s imagination, to the internet. Right now, let’s look at the hacks highlighted in this episode.
At minute 7:40, you see Elliot in the hospital after Mr. Robot had pushed him off the high wall they were sitting on in the previous episode. His psychiatrist, Krista, is in the hospital and explains that the police wanted to do a drug panel, but Elliot refused. Elliot admits he has been taking morphine. Krista says the only way she can approve his release from the hospital would be if he commits to a bi-monthly drug test. Elliot starts thinking about how he will get around this problem by hacking the hospital’s IT. The IT department is lead by one single person, William Highsmith, with a budget of just $7,000 a year. According to Elliot, he uses useless virus scans, dated servers and security software that runs on Windows 98. It’s one of the reasons why Elliot made that particular hospital his primary care facility, since he can easily modify his records to look average and innocent.
Stefanie: Wow, wouldn’t it be an unusual that a hospital would actually use old infrastructure and have little budget for their IT? I also found it a bit odd that they have just one IT guy, I mean healthcare data is REALLY sensitive and definitely one of the last things I would want to have accessed by hackers!
Walter Mego: Well, unfortunately, this situation is a very real in American hospitals. Last year, the Healthcare Information and Management Systems Society (HIMSS), reported that one out of five hospitals indicates that a lack of adequate financial resources was a barrier to the implementation of new technology, and another one fifth said that a lack of staffing resources was a barrier. In the same report, 20% of hospital IT leaders indicated their organization had experienced a security breach in the past year. Now, if you think about hackers like Elliot – you can imagine that some breaches probably go unnoticed. The real number of data breaches and hacks affecting healthcare institutions are most likely higher – scary, right?
We learn more about Angela’s boyfriend Ollie and his sticky situation. Last episode Ollie received a music CD that turned out to have malware on it. The infection that resulted gave an unknown hacker access to Ollie’s laptop webcam which he used to spy on him and Angela. The hacker tells Ollie he has photos of his mistress, Angela, and even Angela’s and her dad’s banking information and social security number. He threatens to blackmail Ollie if he does not spread the malware within Allsafe’s systems.
Stefanie: This part creeped me out, despite all of the crazy stuff we have seen so far on the show! First, let me ask: How easy is it for someone to hack your laptop’s webcam? I have heard tons of stories like this in the news, but I want to believe this isn’t as easy as it may be…
Walter Mego: Unfortunately, you are right to be creeped out and afraid. Webcam hacking is relatively easy and it’s not only built in laptop cameras that we have seen being hacked and streamed to other online, it’s also baby monitors with cameras and CCTV cameras. In terms of laptops, all hackers have to do is get you to install hacking software, which is often easier than people maybe think. In this episode, we see that Elliot hacked Shayla by obtaining her login credentials using a phishing scam. Phishing scams can also be used to trick people into downloading software and once a hacker has installed certain software on your laptop they can control your webcam to watch your every move and even record via your webcam. To prevent this, you should change your CCTV, baby monitor and external webcam’s passwords. If your laptop has a built in camera, you can simply cover it up with a post it, but you should really make sure you have antivirus installed on your computer and make sure it’s always up to date to catch malicious software.
Stefanie: The other part that also scared me about this situation was how the personal information the hacker collected not only affected Ollie, but Angela and her dad as well. Do you think people are aware of how much a hacker can do if they collect your personal information?
Walter Mego: Absolutely not. People often say “here, look at my phone, I have nothing to hide” or do not protect themselves while connected to open Wi-Fi, because they think their activities and data are uninteresting. I think people underestimate the value of the data on their devices. This is the perfect example of that and the hacker didn’t even steal any of Ollie’s money while hacking, he just gathered personal information. Granted Ollie was having an affair (not very cool of him), which was what Ollie was unhappy about having potentially exposed, the hacker also got a hold of Angela’s dad’s social security number, because her bank account was linked to her dad’s account – something Ollie probably wouldn’t have thought he had on his laptop. If you hack someone and collect enough valuable and personal information, I am sure you can blackmail anyone to a certain extent using that information.
At minute 35:25 we see Tyrell do some simple Instagram stalking and he finds out where Anwar, the CEO’s assistant, hangs out. After an encounter with Anwar, Tyrell does something to Anwar’s phone that gives him valuable information.
Stefanie: We see on the cell phone’s display that Tyrell is rooting Anwar’s device. Why do you think he does this?
Walter Mego: We are not entirely sure of Tyrell’s motives, but it’s likely he targeted Anwar to gain access to the name of the candidate for the CTO job that he wants. Tyrell uses a backdoor in Anwar’s Android device to install an app that could allow remote access. It’s not strictly necessary to root the phone – just gaining physical access to the phone is all he needed.
Every week we discuss the hacks on Mr. Robot, plus current cyberthreats, nostalgic web tech, and Tips & Tricks on how to protect yourself and your devices. Subscribe to our YouTube Hack Chat channel and don’t miss a single episode.
At the height of the summer season, the shutdown is upsetting the travel plans of thousands of tourists. United Airlines flies to 235 airports within the US, making one out of every six commercial flights in the country. The shutdown was attributed to “automation information” issues.
Earlier this year something similar had happend to United Airlines already. Back then a passenger, the founder and CTO of the tech firm Cloudstitch, tweeted that his pilot told passengers that the grounding was due to a possible hack of United’s computer network and the flight plan-delivery protocol used by every airline.
What happened yesterday reminds of the May 31 issue of the Polish LOT airline in Warsaw – and the above mentioned earlier hack of the United Airlines system in the US. In the Polish attack, hackers caused the airline’s ground computer systems to issue bogus flight plans.
Just hours later the New York Stock Exchange ran into similar problems. “I have spoken to the CEO of United, Jeff Smisek, myself. It appears from what we know at this stage that the malfunctions at United and the stock exchange were not the result of any nefarious actor,” U.S. Homeland Security Secretary Jeh Johnson says.
But even if no hackers were involved it definitely is a wakeup call: If something like that happens without any involvement of cybercriminals, how much worse would it be once one of them actually manages to screw around with all the tech?
The post United Airlines & New York Stock Exchange Suffer From Tech Issues appeared first on Avira Blog.
Anyone interested in computer security and how it is circumvented, will certainly enjoy the hacking that takes place on USA Network’s hit television show Mr. Robot. The show has been praised not only for its compelling story line but for its “accurate portrayal of cybersecurity and crime.”
Every Wednesday night after the show airs, our host Ariana asks a security expert to help us examine the hacks and explor their ramifications in the real world. We record the conversation and share it with you in our video series, Avast Hack Chat. In addition to the discussion about hacking, we also take a weekly trip back in the Time Machine to revisit special people in the history of computing or how computers have been portrayed in popular culture.
In episode 2 of Avast Hack Chat, Seth Rosenblatt, an independent security and privacy journalist, takes us through the hacks on Mr. Robot. He explains hacking a major corporation’s email servers, destroying your hard drive and SIM card to get rid of evidence, and if critical infrastructure like a natural gas plant can be hacked.
Alan Turing, who is referred to the grandfather of computer science, was recently portrayed in the movie The Imitation Game. Ariana and Pedram talk about his legacy and how the advances he made are still in use today. Plus, a computer bug.
Pedram brings us up-to-date on the celebrity photo hacking that took place last year. He shares why he thinks the hacker was an idiot.
This week’s Tips and Tricks tells you the safe way to go about sexting. Not that we want you to do it, but if you are there’s a way to make sure your messages stay secure and get to the intended recipient (who probably is not some guy sitting behind a desk at the NSA.)
Subscribe to the Avast Hack Chat YouTube channel and don’t miss a single weekly episode.
Remember when you used to make sure you were home at a certain time so you wouldn’t miss your favorite TV show? That was called “appointment television”, and those of you old enough to remember watching The X-Files or Friends when they originally aired know what I’m talking about. But, with the new USA Network show, Mr. Robot, it feels like those days are back again. Sure, I have my DVR set to record, but I will definitely watch it live. Since all my buddies are watching too, I will be itching to talk about it the next day.
Avast’s new Hack Chat video series brings back that around-the-watercooler discussion. Watch our debut episode here (10:13).
In episode 1 of Avast Hack Chat, host Ariana welcomes special guest, security researcher and software developer, Pedram Amini.
In the first half of the show, they discuss the pilot episode of USA Network’s new show, Mr. Robot. Ariana walks us through the highlights of the cyberthriller, and Pedram explains if these hacks are real-world or just Hollywood magic. You can also read our interview with Pedram on Are the hacks on Mr. Robot real?
One of the earliest hacking movies, War Games, starred Matthew Broderick as a young computer wiz who inadvertently finds a backdoor into the U.S. military’s central computer. The technology he used is intriguing even now, and Ariana and Pedram discuss this old-school method in the Time Machine section.
Back to current day, Pedram answers Ariana’s question about why the NSA would want to reverse engineer Avast software and if the I-have-nothing-to-hide attitude is the wisest one to take. You can also read what Avast’s CEO, Vince Steckler has to say on the subject on Avast CEO speaks out about U.S. and U.K. spy agencies.
Subscribe to the Avast Hack Chat YouTube channel and don’t miss a single weekly episode.
The second admission followed a week later. The Office of Personel Management (OPM) announced that on June 4, a hack attack had succeeded on governmental staff – four million people affected. It now appears that an additional 18 million records were stolen. The government, communicated this as two separate events in an apparent attempt to downplay the scale.
So what happened in the alleged second hack? That 18 million Social Security numbers have been compromised, is a “preliminary, unverified, approximate” according to a letter from the Director of OPM, Katherine Archuleta. The number — 18 million – affects people working for a federal agency or who applied for funding. The data, according to US government circles, may be in the hands of spies from the People’s Republic of China. This has been flatly denied by Chinese officials.
Mrs. Archuleta was called to testify before a Congressional committee: Encryptions are not always possible due to the age of facilities. She argued, however, that even encryption would have not sufficed, because the hackers would then have copied keys and passwords.
An article from the Wall Street Journal mentions that the government described the attack as happening in two waves in orde rto downlplay the severity. In addition, the OPM had denied the disclosure of sensitive information twice, even though the FBI had informed the OPM on June 5 about the attack…
The post Office of Personal Management Hacked – US Government Downplays the Event appeared first on Avira Blog.
