
What we know about the cyberattack on major US websites

The cyberattack that brought Twitter, PayPal and hundreds of other online sites to a halt Friday hijacked millions of routers, digital video recorders and other internet-connected appliances to carry out the assault.

The onslaught, which began around 7:10 a.m. EDT, centered on servers run by Dyn, a major provider of services that steer traffic to web pages. The servers at Dyn ground to a halt from the bombardment, which began on the East Coast and spread west in at least three waves throughout the day.

The attack reportedly relied on a strain of malware known as Mirai, which scans the internet for connected devices and then logs into them using factory-default usernames and passwords. The infected devices can then hurl massive amounts of traffic at a target in what is known as a distributed denial of service (DDoS) attack.


Sites targeted in a DDoS attack groan under the barrage of traffic until they slow or shutter completely. A similar attack in September on the website KrebsonSecurity involved an assault with many orders of magnitude more intensity than needed to knock sites offline.

“Someone has a botnet with capabilities we haven’t seen before,” Martin McKeay, a senior security advocate at Akamai, told Brian Krebs, the site’s editor, following the attack on the Krebs site. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”

Many of the devices hijacked by Mirai reportedly run hardware and software made by XiongMai Technologies, a Chinese company that sells components to manufacturers who build them into DVRs and other mass-produced devices.

The source code for Mirai was released publicly in September, according to Krebs, who predicted that the internet would soon be awash in attacks such as the one on Dyn, which serves many of the internet’s largest news, entertainment and shopping companies.

Mirai is one of at least two strains of malware that hackers use to launch DDoS attacks, which marshal millions of devices that make up the so-called Internet of Things.

A spokesman for the FBI told the Times that agents were investigating all possible causes, including a state sponsor, in Friday’s attack.


EU readies rules to bolster cybersecurity, require notice of data breaches

The European Union is readying an approach to cybersecurity that may subject services such as Google and Facebook to breach notification requirements that mirror those for banks and health-care providers.

The Network and Information Security Directive, a proposal under consideration by the European Commission, would require companies in industries deemed critical to strengthen digital safeguards and report breaches to national authorities.

The directive represents one of the first attempts to legislate a rule for security breaches that crosses borders. That stands in contrast to the U.S., which has yet to adopt a national notification law and leaves companies to comply with a series of notification requirements set by states.

Members of the European Parliament who have been negotiating the rules have agreed to extend the reach of the directive to social networks, cloud computing platforms, commerce sites and other digital platforms, according to a report Friday by Reuters.

Under the terms of the directive, which was proposed in 2013, companies that operate so-called critical infrastructure in any of the 28 countries that constitute the EU will be required to report “significant security incidents” as well as adopt measures to lessen the risk of cyber threats.

In addition to Internet companies, the directive would require companies in the financial, energy, health and transportation industries to report incidents “having a significant impact on the security of core services.” The EU currently requires telecommunications companies to report such incidents.

Members of the commission are expected to start work this September on a final version of the rule.

Ninety percent of large corporations and 74% of small businesses in the U.K. experienced a security breach in the past year, according to a survey published recently by PwC.


Senate pushes cybersecurity bill to September

The U.S. Senate Wednesday agreed to postpone until September debate on a bill to bolster cybersecurity.

The legislation, known as the Cybersecurity Information Sharing Act, would direct the federal government to share cyber threats with businesses and shield companies that exchange information and best practices about cybersecurity from antitrust liability.

The deal addresses concerns expressed by senators who charged that the measure as it stands will fail to prevent cyberattacks or protect privacy sufficiently.

The agreement means that Democratic Senators Ron Wyden (Ore.), Patrick Leahy (Vt.) and Al Franken (Minn.), along with Republican Senators Rand Paul (Ky.) and Dean Heller (Nev.), all will be able to offer amendments they say strengthen civil liberties and improve the bill.

“We’ve got to debate some real things like cybersecurity, and have real amendments, not pretend amendments,” Leahy told National Journal.


Senate to take up cybersecurity bill as concerns about privacy continue

The U.S. Senate is slated this week to take up legislation that aims to bolster cybersecurity by spurring businesses and the federal government to share information about digital threats and best practices with one another.

The measure, known as the Cybersecurity Information Sharing Act, would direct the federal government to develop ways to share information with the private sector while taking steps to protect privacy and civil liberties. The bill also aims to address antitrust concerns by shielding businesses that share information from enforcement of laws that otherwise might dissuade those businesses from cooperating. The House passed a similar measure in April.

The push represents the third time in as many years that Congress has tried to pass legislation that would encourage sharing of cyber threats. Recent cyberattacks on the Office of Personnel Management, Sony Pictures Entertainment and other targets have prompted legislators to try again. Cybercrime costs the global economy more than $400 billion annually, according to a study released jointly last summer by McAfee and the Center for Strategic and International Studies.

Though the measure passed the Senate Intelligence Committee in March, maneuvering underway since then has centered on a tension between defending digital networks and protecting the privacy of Americans whose information is stored in those systems.

Among the concerns: the measure could result in companies handing over personally identifiable information to the National Security Agency. Such information might include, for example, the browsing history of someone who happens to have visited a website that becomes the subject of a cyberattack.

On Monday, Senator Al Franken, Democrat of Minnesota, released a letter from the Department of Homeland Security (DHS), which cautioned against allowing companies to share information with intelligence agencies without first channeling the information through DHS. “The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector,” wrote Alejandro Mayorkas, the deputy secretary of homeland security.

“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers,” Mayorkas added.

Though Senators Richard Burr, Republican of North Carolina and chairman of the intelligence panel, and Dianne Feinstein, the committee’s top Democrat, have circulated an amendment that aims to address concerns over the legislation’s impact on privacy, some civil liberties groups say the fixes don’t go far enough. According to the Center for Democracy and Technology, the bill as modified still would authorize the government to use information about cyber threats to investigate and prosecute crimes of espionage, identity theft and trade secrets violations, regardless of whether those infractions tie to cybersecurity.

The White House backs passage of cybersecurity legislation but has called on Congress to strengthen protections for privacy and to narrow an exemption from liability for companies that fail to secure their networks after receiving threat information.

That leaves the question of whether the measures actually may cause businesses and the government to exchange more information about cyber threats. While the measure aims to ease companies’ fears of legal liability, the Department of Justice and the Federal Trade Commission already have advised companies “that properly designed sharing of cyber threat information should not raise antitrust concerns.”

And as N. Eric Weiss of the Congressional Research Service observed in June, sharing of cyber threats happens currently. Industries ranging from retail to financial services participate in so-called information sharing and analysis centers (ISACs) that serve as clearinghouses for information about cyber threats.

“The ‘bottom line’ is how likely nonfederal entities—particularly businesses—value the benefits from sharing information against the cost of sharing,” wrote Weiss, who notes that neither bill would address the cost of membership in ISACs, which can cost anywhere from $10,000 to $100,000 to join and thus might exceed the ability of small and medium-sized businesses to afford.

Still, the wave of cyberattacks—and the fallout from them—might cause businesses to think anew about the advantages of sharing. “Although most data breaches have not been expensive compared with the revenues and profits earned,” noted Weiss, “recent events may change the attitude of boards of directors and senior management: the chief executive officers at Target and Sony Entertainment were forced to resign.”


Sorting out the cyberattacks

This post has been updated as of Nov. 11.

The cyberattack announced in June on a system that stores information about millions of current and former federal workers and contractors highlights yet again the vulnerabilities of the computer networks that connect us.

The breaches resulted in raids on files containing names, Social Security numbers, fingerprints and other personal information for nearly 26 million people, according to the Office of Personnel Management (OPM), the agency that was hacked. Investigators say the attack came from China, which has denied responsibility.

The attack on OPM spurred me to sift through a series of cyberattacks on the government, companies and others since 2013. The list, which appears below, is almost certainly incomplete. It also doesn’t include breaches of unsecured protected health information that by law are reported to the U.S. Department of Health and Human Services, which has logged 34 such intrusions this summer alone.

Though the attacks summarized below have been reported widely, the roster suggests the sweep and frequency of intrusions, which are likely to increase, according to a survey fielded last fall by the Pew Research Center. I will update this post periodically. Please tweet additions, corrections or comments to @bbrowdie.

2015 (attacks listed in reverse chronological order by date of disclosure)

Scottrade (Oct.)—Between late 2013 and early 2014, thieves stole the names and street addresses of roughly 4.6 million clients, according to the retail brokerage firm, which said it had no evidence that trading platforms or clients’ funds were compromised.

E-Trade (Oct.)—The financial firm notified 31,000 customers that hackers may have accessed their names, email addresses, and street addresses. The intrusion reportedly occurred in 2013, but at the time the company did not think that customer information had been compromised.

Dow Jones (Oct.)—The publisher of The Wall Street Journal said in a statement that intruders who gained access to its systems may have swiped payment card and contact information for roughly 3,500 customers.

Experian (Oct.)—Hackers stole personal information for roughly 15 million Americans, the consumer data company said in a statement. The data included names, dates of birth and Social Security numbers for people who applied for service with T-Mobile over a period of two years starting in September 2013. In a statement, T-Mobile CEO John Legere said he is “incredibly angry about this data breach” and pledged to “institute a thorough review” of the company’s relationship with Experian.

CVS (Sept.)—The pharmacy chain, which in July revealed a possible breach of its online photo service, confirmed that personal information may have been swiped by hackers. The data included names, credit card numbers, phone numbers, email addresses, usernames and passwords. The company declined to say how many customers were affected.

Business Wire/PR Newswire Association (Aug.)—Federal officials charged a group of hackers and inside traders with stealing nonpublic information from servers belonging to two of the largest services that companies use to distribute news releases and using the information to profit illegally over a period of roughly five years.

Carphone Warehouse (Aug.)—The UK-based mobile phone retailer said that a “sophisticated cyberattack” resulted in the theft of names, addresses, dates of birth and bank details for as many as 2.4 million customers. The intrusion also may have resulted in the theft of encrypted payment card information for as many as 90,000 customers, the company said.

Sabre/American Airlines (Aug.)—Sabre, a company that processes reservations for hundreds of airlines and thousands of hotels, “recently learned of a cybersecurity incident” but could not say what data was stolen or who might be responsible, Bloomberg reported. American Airlines reportedly was investigating whether the intruders moved to its computers from Sabre’s systems.

U.S. Dept. of Defense (Aug.)—An unclassified system that supports email for about 4,000 military and civilian personnel who work for the Joint Chiefs of Staff returned to operation roughly two weeks after an intrusion by hackers thought to be from Russia. Officials said that no classified information was swiped or compromised during the attack.

United Airlines (July)—Hackers based in China allegedly stole manifests that detail passengers and their travel origins and destinations, Bloomberg reported; the intrusion reportedly occurred in May or early June. Investigators reportedly have linked the hackers to the group that stole information from both Anthem Inc. and the Office of Personnel Management.

Fiat Chrysler (July)—The automaker updated software that tethers its vehicles to a series of information and navigation services after two security researchers demonstrated they could take control of a Jeep Cherokee remotely and force it into a ditch.

Ashley Madison (July)—The online service that offers casual sexual encounters for married people said that hackers obtained information about some of its 37 million users, as well as financial information and other data that belongs to Avid Life Media, Ashley Madison’s parent company. The hackers, who go by the name “Impact Team,” threatened to release all of the company’s information, including nude photos and members’ private postings, if management did not take Ashley Madison’s sites offline. A month later Impact Team made good on that threat. On Aug. 18, the group released postal and email addresses, descriptions of users (including height and weight), encrypted passwords, partial payment card numbers and details of transactions. Two days later, the hackers leaked a trove of data twice as large that appeared to include additional files from the company.

Hershey Resorts (July)—The theme park operator is investigating a series of fraudulent charges that appeared in payment card accounts of customers who visited its attractions in Pennsylvania between mid-March and late May.

Hacking Team (July)—Emails and records that hackers stole from the Italian maker of software that governments use to break into computers showed that the company counts Russia, Saudi Arabia, and other nations with questionable human-rights records as clients.

Trump Hotel Collection (July)—The chain of 12 luxury hotels owned by Donald Trump said in a statement it was investigating “suspicious credit card activity” stemming from a breach that may date to February.

Houston Astros (June)—Federal law enforcement officials reportedly are investigating whether the St. Louis Cardinals stole scouting reports and information about players and prospects from a database belonging to the Astros. If true, the intrusion represents the first known example of a professional sports team breaking into the network of another team.

LastPass (June)—The service, which lets customers store their passwords online and access them with a master login, disclosed that an intruder or intruders swiped email addresses, password reminders, authentication codes and more. The breach did not include customer accounts, LastPass said.

Negotiations with Iran (June)—An unnamed state—thought to be Israel—used malware to spy on negotiations between Iran and a group of nations that aim to prevent Iran from obtaining a nuclear weapon. According to Kaspersky Lab, whoever sought the information unleashed the malware, known as Duqu 2.0, on computers at hotels where the negotiations took place.

U.S. Army (June)—The U.S. Army’s website went offline following what appears to have been a distributed denial of service attack. The Syrian Electronic Army, a group of hackers who back President Bashar al-Assad, claimed credit.

Eataly (June)—The marketplace in Manhattan for foods from Italy warned that “unauthorized individuals” set up malware designed to harvest information from credit and debit cards in the company’s payment-processing system. The intruders may have obtained names and account numbers, as well as expiration dates and security codes for cards that customers swiped at Eataly in the first three months of this year.

Office of Personnel Management (June)—The attacks, which OPM discovered in April, resulted in the theft of personal information belonging to 4.2 million current and former federal workers, as well as another 21.5 million applicants for security clearances and their spouses or partners. In a letter dated June 11, the president of the American Federation of Government Employees—the largest federal employees’ union—charged that hackers stole information for every federal worker and retiree, and that the Social Security numbers the hackers obtained were unencrypted. The union has filed a class action lawsuit that charges OPM’s director and chief information officer with negligence in failing to protect information entrusted to them. On Sept. 23, OPM increased its count of the number of people whose fingerprints were stolen to roughly 5.6 million, from approximately 1.1 million previously. Though OPM termed the potential for misusing the fingerprint data “limited,” the agency noted “this probably could change over time as technology evolves.”

CareFirst BlueCross BlueShield (May)—Hackers suspected of operating from China obtained access to names, email addresses and dates of birth for roughly 1.1 million customers of this health insurer based in Maryland and D.C.

Tesla (April)—Hackers took over the automaker’s Twitter feed and defaced the company’s website.

Mandarin Oriental Hotel Group (March)—The upscale lodging chain said that intruders used malware to swipe payment-card information from some of the company’s hotels in the U.S. and Europe.

Anthem Blue Cross (Feb.)—Hackers said to be operating from China allegedly obtained names, dates of birth, Social Security numbers, and information about bank accounts and medical conditions for as many as 78 million people insured by this Indianapolis-based company, which does business in 14 states.

Internal Revenue Service (May)—Hackers thought to be operating from Russia stole tax forms containing Social Security numbers, dates of birth, home addresses and other information for as many as 334,000 people.

Sally Beauty Supply (May)—The Denton, Texas-based retailer of beauty supplies said that intruders had breached its payment system, though the company did not speculate on the scope of the breach. The cyberattack constituted the second on Sally Beauty in as many years.

US HealthWorks (April)—Hackers allegedly pilfered personal and health-related data for an unknown number of members of this California-based insurer. The thieves reportedly breached US HealthWorks’ systems via a laptop stolen from a vehicle belonging to one of the company’s employees.

Premera Blue Cross (March)—Hackers thought to be operating from China allegedly stole names, dates of birth, email addresses, Social Security numbers, information about bank accounts and more from as many as 11 million members of this health insurer based in Washington state.

Banks in Russia, Japan, Europe and the U.S. (Feb.)—A band of thieves that reportedly included Russians, Chinese and European hackers orchestrated an attack on more than 100 banks worldwide, making off with as much as $900 million.

Park ‘N Fly (Jan.)—The Atlanta-based airport parking service confirmed that intruders stole numbers, names and addresses, expiration dates and verification codes for credit cards stored in its reservations website. The company did not say how many cards might have been affected.

2014

Korea Hydro and Nuclear Power Co. Ltd. (Dec.)—A cyberattack reportedly erased some data at the state-owned company that runs the country’s 23 atomic reactors. South Korea later blamed North Korea for the intrusion.

Chick-fil-A (Dec.)—The fast-food chain said it was investigating reports of unauthorized activity concerning credit and debit cards used at some of its restaurants. Chick-fil-A later said the investigation revealed “no evidence” of its systems being hacked or payment cards stolen.

Bebe (Dec.)—The women’s clothing chain disclosed that hackers obtained names, account numbers, expiration dates and verification codes for payment cards swiped between Nov. 8 and Nov. 26 at its stores in the U.S., Puerto Rico, and the U.S. Virgin Islands.

Sony Pictures Entertainment (Nov.)—Cyber intruders obtained names, home addresses, and Social Security numbers, as well as information about bank accounts, payment cards, compensation and more for as many as 47,000 employees. According to the U.S. government, the hackers operated from North Korea, although some experts have doubted the charge. The thieves also swiped more than 173,000 emails and nearly 31,000 documents from the studio.

JPMorgan Chase (Oct.)—Hackers obtained names, home and email addresses, phone numbers and internal bank information about 83 million customers, including 76 million households.

Apple (Oct.)—Cyberattackers reportedly sought to intercept user IDs, passwords and other information from the company’s iCloud service in China. The Chinese government denied responsibility for the attack.

Staples (Oct.)—The office-supply chain confirmed it was investigating a potential theft of payment-card data. Two months later, Staples said that hackers swiped information for roughly 1.16 million credit and debit cards after installing malware at 115 of the company’s 1,400 stores in the U.S.

NATO, Ukraine, Poland and the European Union (Oct.)—Hackers working on behalf of the Russian government allegedly used a flaw in Windows to swipe documents and other files from government and university offices, as well as energy and telecommunications companies.

Kmart (Oct.)—The retailer disclosed that someone had installed malware on payment systems at its stores but that no email addresses, PINs or Social Security numbers were swiped. Still, the information that thieves grabbed may have allowed them to counterfeit stolen cards.

Home Depot (Sept.)—Cyber thieves allegedly used an account belonging to a refrigeration contractor in Pennsylvania to steal 56 million credit and debit cards, as well as 53 million email addresses.

Jimmy John’s (Sept.)—An intruder or intruders used log-in credentials to pilfer numbers for credit and debit cards swiped at 216 of the sandwich chain’s more than 1,900 stores, along with cardholders’ names, verification codes and expiration dates.

Viator (Sept.)—The tour-booking unit of TripAdvisor notified customers that an intruder or intruders may have made off with payment information for as many as 880,000 customers, along with email addresses and encrypted passwords for another 560,000.

AB Acquisition (Aug.)—The parent of the Albertsons, ACME, Jewel-Osco, Shaw’s and Star Markets chains warned customers of a breach that may have resulted in the theft of credit and debit card information from some of its stores. About six weeks later, the company disclosed a second breach in which thieves used “different malware” than that used in the incident announced in August.

Community Health Systems (Aug.)—Hackers allegedly operating from China stole names, addresses, Social Security numbers, birth dates and telephone numbers belonging to 4.5 million patients of the chain, which operates 199 hospitals in 29 states. The attackers did not swipe payment data or clinical information, the company said.

AT&T (June)—The company said that three employees of one of its vendors accessed records—including Social Security numbers and information about calls—for some customers.

State of Montana Dept. of Public Health and Human Services (June)—Someone who broke into the state’s systems allegedly made off with addresses, birth dates, Social Security numbers and medical records for as many as 1.3 million people.

Domino’s Pizza (June)—The company disclosed that hackers swiped customers’ names, email addresses and even favorite pizza toppings for roughly 650,000 customers in France and Belgium.

P.F. Chang’s China Bistro (June)—Cyber thieves allegedly stole more than 7 million credit and debit cards, including numbers, cardholders’ names and expiration dates, from 33 of the chain’s restaurants.

Feedly (June)—Websites for this service, which delivers RSS feeds to roughly 15 million users, went down as the result of a distributed denial of service attack.

eBay (May)—Intruders allegedly stole customers’ names, encrypted passwords, email and home addresses, phone records and dates of birth for as many as 233 million users of the auction site. Three months earlier, the Syrian Electronic Army defaced websites belonging to both eBay and its PayPal subsidiary.

Sally Beauty Supply (March)—The beauty supply chain said that hackers accessed its network and stole information for roughly 25,000 credit and debit cards.

University of Maryland (Feb.)—An attacker or attackers infiltrated a database that contained names, Social Security numbers, dates of birth and university IDs for roughly 288,000 students, faculty and staff. The hack reflected the work of someone or some group of people who knew the university’s systems well, the university’s chief information officer told The Washington Post.

Neiman Marcus Group (Jan.)—Hackers used malware to steal roughly 1.1 million credit and debit cards from the Dallas-based retailer.

Michaels Stores (Jan.)—The retailer reported that it was looking into a potential security breach. Three months later the company said that thieves broke into its payment system and made off with credit and debit card information for 3 million customers.

Snapchat (Jan.)—Hackers said they published phone numbers and handles for roughly 4.6 million users of the video-message service that the hackers swiped in a New Year’s Eve raid.

2013

Target (Dec.)—Cyber thieves suspected of operating from Russia stole credit and debit card information for roughly 40 million customers along with names, mailing addresses, phone numbers or email addresses for as many as 70 million people.

Adobe Systems (Oct.)—A cyberattack on the software maker exposed names, IDs, passwords, and payment card information for nearly 3 million customers.

Experian (Oct.)—A subsidiary of the credit bureau sold personal and financial information about millions of Americans to a Vietnamese man who later pleaded guilty to running an identity theft service. The company said its credit files were not breached.

South Korean banks (March)—A cyberattack, alleged to have originated in North Korea, suspended online banking and paralyzed systems at Shinhan Bank, Nonghyup Bank and Cheju Bank.

LivingSocial (March)—The online marketplace asked customers to change their passwords after a cyberattack on the company’s systems exposed names, email addresses, passwords and dates of birth for more than 50 million people worldwide.

Evernote (March)—The note-taking service directed 50 million users to reset their passwords after hackers gained access to user IDs, email addresses and passwords tied to accounts.

U.S. financial institutions (March)—Distributed denial of service attacks slowed websites at a series of banks. A hacktivist group that called itself the al-Qassam Cyber Fighters claimed responsibility for some of the slowdowns.