Tag Archives: hackers

Breach Brief: Newsweek Twitter account hacked by CyberCaliphate

Newsweek magazine’s Twitter account was hacked, displaying pro-ISIS messages.

CyberCaliphate is believed to have hacked Newsweek’s Twitter account on the morning of Tuesday, February 10, 2014, displaying pro-ISIS messages that resembled those shared on CENTCOM’s social media pages back in January.


What happened? The group — which claims to be affiliated with ISIS and has hacked the Twitter accounts of both the U.S. Central Command and Taylor Swift — sent out threatening tweets against First Lady Michelle Obama and others. During the breach, the @Newsweek account’s profile picture and banner were changed to images of a masked man and the Black Standard flag, along with a message “Je su IS IS.” In addition, Newsweek reveals that images the hackers claimed were confidential were also posted, specifically from the Defense Cyber Investigations Training Academy and the Pentagon.

When did it occur? At 10:45 a.m. on Tuesday, February 10, 2014, the Newsweek Twitter page was accessed by a group calling themselves the “Cyber Caliphate.” The account remained hacked for 14 minutes until 10:59 a.m., which was when Twitter’s support team regained control of the social channel at the magazine’s request.

What they’re saying: “We can confirm that Newsweek’s Twitter account was hacked this morning, and have since regained control of the account. We apologize to our readers for anything offensive that might have been sent from our account during that period, and are working to strengthen our newsroom security measures going forward,” Newsweek Managing Editor Kira Bindrim said in a statement.

Also on Tuesday, the websites of International Business Times, the Newsweek Tumblr account (nwkarchivist.tumblr.com) and the official account of Latin Times were hacked. Newsweek, IB Times and Latin Times share a parent company, IBT Media. This joins the latest string of incidents for that day, including Forbes, Delta and the breaking news system of a Maryland television station WBOC, each of which has also acknowledged recent cyber attacks.

These events come amid growing concerns that even the most trusted sites (and devices) can be used by hackers aiming to infiltrate sensitive industries. Thus, it is becoming increasingly clear that embedded system insecurity affects everyone and every company. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network is protected?

Breach Brief: Forbes site hacked by group

Researchers reveal that Forbes.com was hacked in late November. 

Chinese hackers infected Forbes.com with malware targeting specific visitors as part of an attack on the U.S. defense and financial industry, according to cybersecurity researchers at iSIGHT Partners and Invincea.


What happened? For three days late last year, the news site’s “Thought of the Day” — a quote and advertisement shown to visitors before they view the webpage — was compromised. This widget seamlessly redirected visitors from certain organizations to another site where their computers could be infected with malware without their knowledge. The researchers said they believe the malware was only used to infect a select group of targets, despite the broad audience of Forbes.com.

How did it happen? Researchers have linked similar malware controlled by the same server used in the Forbes attack to breaches of websites frequented by domestic Chinese dissident groups. According to reports, the hackers took advantage of an unpatched vulnerability in Adobe Flash, which is used by Forbes to present its “Thought of the Day.” An additional “0-day” exploit in Internet Explorer was leveraged to infect machines running newer versions of Windows.

When did it occur? It is believed the attack was active from November 28 to December 1, though a longer duration is possible.

What they’re saying: “On December 1, 2014, Forbes discovered that on November 28, 2014, a file had been modified on a system related to the Forbes web site. The file was immediately reverted and an investigation by Forbes into the incident began. Forbes took immediate actions to remediate the incident. The investigation has found no indication of additional or ongoing compromise nor any evidence of data exfiltration. No party has publicly claimed responsibility for this incident,” a recent statement read.

As the Washington Post notes, nearly every major news outlet, including the Washington Post and the New York Times, has reported that it was a victim of attacks suspected to be carried out by Chinese hackers. However, the latest Forbes attack highlights that security vulnerabilities at outlets can also put readers at risk. This recent incident comes amid growing concerns that even the most trusted sites (and devices) can be used by hackers aiming to infiltrate sensitive industries. Thus, it is becoming increasingly clear that embedded system insecurity affects everyone and every company. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network is protected?

Man startles nanny after hacking into baby monitor

What the hack!

A nanny was shaken after a man recently hacked into the monitor of the child she was babysitting. While changing the infant’s diaper, the caretaker suddenly heard a man talking to her through the device.


According to reports, the stranger managed to hack into the Houston family’s password-protected Wi-Fi system and take control of the camera in the little girl’s nursery. This isn’t the first (and most likely won’t be the last) incident of its kind. Another family in Texas went through the same ordeal back in 2013, when they were startled to hear a man yell through the speaker located inside their two-year-old daughter’s room. And last year, the connected baby monitor belonging to a family in Cincinnati, Ohio was attacked with screams of “Wake up baby!” projected through the intercom.

“I thought it was [Samantha’s] mom and dad playing a joke on me,” the nanny told Houston news station KHOU 11. “I was kind of really freaked out like maybe someone hacked into the camera. He said something else like ‘you should probably password protect your camera.’”

The one-way walkie-talkie baby monitors that parents once used to listen in on their sleeping babies are a thing of the past. Parents today track their children with wireless IP cameras that are configured in nurseries and accessed through their mobile devices. As has been proven time and time again, systems with these capabilities are exceedingly easy for interested parties to hack when the necessary protection isn’t taken. Security experts have revealed that these Internet-enabled gadgets are riddled with flaws and can easily be hijacked by cyber-criminals.

As scenarios such as these continue to arise, it is becoming increasingly clear that embedded system insecurity affects everyone everywhere. Products can be cloned, software copied, systems tampered with and spied on. What’s more, data security is directly linked to how exposed the cryptographic key is to being accessed by unintended parties, much like the instances mentioned above. The best solution to keeping the “secret key secret” is to lock it in protected hardware devices. That is exactly what these cutting-edge security devices do.

As Atmel’s resident security expert Bill Boldt says, “No security? No IoT for you!” Luckily, a new wave of ultra-secure defense mechanisms can thwart malicious hackers and mitigate future threats. Here’s how.

Insecure dongle puts more than 2 million vehicles at risk

Oh Flo they didn’t! But they did…  

Just a few months ago, a team of cybersecurity researchers hacked into a diagnostic plug-in device and demonstrated that they could remotely control a vehicle from anywhere. Now, another firm has discovered serious vulnerabilities in a gadget currently in use by more than 2 million motorists: the Progressive Insurance Snapshot. (We’re sure you’ve seen the commercials, but just in case…)

Progressive uses a Bluetooth-enabled dongle as part of its usage-based insurance program to monitor the driving habits of its customers, tracking habits for risk assessment and premium adjustments. The device simply plugs into the OBD-II diagnostic port, collects data on how many miles are driven, what times of day a vehicle is in operation and how hard a driver brakes.

By reverse-engineering that same device, Digital Bond Labs security researcher Corey Thuen recently found a way to gain entry into the vehicle’s network, highlighting flaws that would enable any skilled hacker to unlock and start the car, hijack its steering and braking systems, as well as gather engine information. 

Regardless of the steps required to carry out a successful attack, it’s apparent such gadgets are insecure and could potentially pose a risk to car owners. “The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers,” the researcher added. However, a remote attack is only possible if the u-blox modem — which handles connections between the dongle and Progressive’s servers — is compromised as well.


“It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever,” Thuen told Forbes.  

With the rise of the Internet of Things, cyber threats will increasingly become an industry-wide concern. And, as countless connected devices infiltrate our daily lives, whether at home or in the car, many will only possess minimal security features guarding them against attacks. Luckily, storing “secret keys” in very secure, tamper-safe hardware adds a big road block to any hack attempt. This is where Atmel can help.

Hackers for hire are on the rise

Mercenary hacker groups are ushering in a new era of Espionage-as-a-Service.

Although recent cyber attacks have been loud and damaging to companies like Sony, JPMorgan Chase and Home Depot, the much larger threat stems from mercenary hacker crews who are stealing billions of dollars of valuable technology secrets every year from U.S. companies on behalf of paying clients, Taia Global warns.


The groups carrying out so-called Espionage-as-a-Service (EaaS) attacks are said to range in size and skill, and the attacks can be carried out by anybody from an amateur to an ex-spook. In addition, these hackers have no nation-state affiliation and are well-paid, available for hire whether the client is a Chinese millionaire like Su Bin, a Russian oligarch or a western business competitor of the company being targeted. The aerospace industry is among the hardest hit, but any company that is investing in high-value research and development can be a target, the firm explains.

“They are rarely discovered is due in part to their skill level and in part to being mis-identified as a state actor instead of a non-state actor if they are discovered. The low risk of discovery, frequent misattribution to a nation state, and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months,” urges Jeffrey Carr, Taia Global President and CEO.

A new website, aptly named Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, the New York Times reveals that over 500 hacking jobs have been put out to bid on the site, with cyber thieves vying for the right to do the dirty work.


“In just the last few days, offers to hire hackers at prices ranging from $100 to $5,000 have come in from around the globe on Hacker’s List, which opened for business in early November,” NYT’s Matthew Goldstein writes. “The rather matter-of-fact nature of the job postings on Hacker’s List shows just how commonplace low-profile hacking has become and the challenge such activity presents for law enforcement at a time when federal and state authorities are concerned about data security.”

Data breaches are seemingly more common than ever before. The hackers freelancing for the listing service will have varying skill levels, but, as Mashable’s Christina Warren put it, everyone should have the expectation that “our privacy and security are finite and will probably be breached.” In fact, the theft of intellectual property is estimated to cost the U.S. $300 billion per year, according to a report by the IP Commission. It’s becoming increasingly clear that IP and data theft is a growing epidemic, but it can be prevented. In the meantime, you can read all about hackers for hire here.

Breach Brief: Iran hackers targeting energy, transport and infrastructure firms

In what seems to be a year of relentless breaches, a new report from cybersecurity firm Cylance has revealed that Iranian hackers have infiltrated some of the world’s top energy, transport and infrastructure firms over the past two years in an effort that could eventually cause physical damage.


What information was breached? The hackers have stolen “highly sensitive materials” from at least 50 firms worldwide, including 10 U.S. companies. Besides the U.S., the intruders have hit other companies and agencies throughout Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.

How did it happen? Dubbed Operation Cleaver, the 87-page report claims that the effort has “successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe.”

What are they saying? “As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.”

With the number of breaches continuing to rise, how can we stay secure in our connected world?

Breach Brief: Sony Pictures’ computer system hacked

According to reports, the computer system belonging to Sony Pictures has been hacked after a thread surfaced on Reddit claiming all computers at the company were offline due to a breach. The Reddit thread says that an image appeared on all employees’ computers reading “Hacked by #GOP” and demanding their “requests be met” along with links to leaked data.


What information was breached? The Next Web reveals that the ZIP files mentioned in the images contain a list of file names of a number of documents, including financial records along with private keys for access to servers. The “Hacked by #GOP” message warned that the data supposedly obtained from Sony’s systems would be divulged on Monday, November 24 at 11 pm GMT.

What are they saying? Variety reports that Sony employees have been warned not to connect to the company’s corporate networks or access their emails. The incident is still being investigated…

With the number of malicious breaches on the rise, how can you ensure that your networks are protected?

Breach Brief: Security camera footage from homes and businesses leaked online

The UK Information Commissioner’s Office is warning the general public about a website containing thousands of live feeds from stand-alone webcams and CCTV systems to baby monitors.


What information was breached? A Russian website is sneaking a peek into the homes, gyms and offices of innocent people throughout the globe. Not only does the website show these unfiltered images, CBS News reveals that it also provides the exact coordinates of the location, complete with zip codes and links to a map. The hackers note that their site has been created in an effort to highlight the significance of security, urging those with remote-access cameras to change their manufacturer’s default passwords.

How many are affected? At the moment, there are more than 4,000 cameras listed in the United States, 600 from the UK and over 10,000 others from 152 countries worldwide. Furthermore, exposed footage ranges from unmade children’s beds and kids watching television in the comfort of their own homes to living rooms and workplace lounges. Heck, snapshots from places like car insurance sales offices and candy stores to tattoo parlors and backyards have been released to the public. With an estimated 350,000 remote-access cameras sold in the UK last year alone, the ICO warned that those without password protection or with weak passwords could be vulnerable to hackers. This doesn’t include those from the 150-plus other countries as well.

What are they saying? “This is a threat that all of us need to be aware of and be taking action to protect against. Remember, if you can access your video footage over the Internet, then what is stopping someone else from doing the same? You may think that having to type in an obscure web address to access the footage provides some level of protection. However, this will not protect you from the remote software that hackers often use to scan the internet for vulnerable devices,” explained Simon Rice, ICO’s Technology Group Manager for the .

This incident represents a perfect model as to why the Internet of Things requires strong security, including encryption and authentication. In fact, we could not have created a demo any better than this to exemplify that point. “The cameras are IoT nodes by default. The website is a hacker. The data is intercepted and misused. Perhaps this notion of hackers posting your data to the net could be called the inadvertent IoT. We are all vulnerable which should drive the realization that built in security is paramount,” explained Atmel’s resident security expert Bill Boldt. “Anyways, this really brings it all home… literally.”

Is someone spying on you through your webcam? It is becoming increasingly clear that embedded system insecurity affects everyone and every company, so how can you ensure that you are indeed protected?


Report: Cyber breaches put 18.5 million Californians’ data at risk

The recent string of major data breaches — including the likes of Target, Home Depot, P.F. Chang’s and Neiman Marcus — has spurred a 600% increase in the number of California residents’ records compromised by cyber criminals over the last year, the latest California Data Breach Report revealed.


According to the study, a total of 167 breaches were reported in 2013 – where 18.5 million personal records were compromised – an increase of 28% from 2012 where just 2.5 million records were stolen. To put things in perspective, that’s nearly half of the state’s population (38 million).

These figures experienced a large uptick following recent incidents involving Target and LivingSocial, which together accounted for 7.5 million of the breached records. Out of the incidents reported in 2013, over half (53%) of them are attributed to malware and hacking.

“Malware and hacking breaches made up 93% of all compromised records (over 17 million records). The LivingSocial and Target breaches accounted for the bulk of those records. In April, the online marketplace LivingSocial reported a cyber attack on their systems that compromised the names, email addresses, some birth dates and passwords of over 50 million customers, including 7.5 million Californians. In December, Target reported a hacking and malware insertion into its network that resulted in the theft of the names and payment card data of 41 million customers, including 7.5 million Californians,” the report noted.


Even by factoring out both Target and LivingSocial, the amount of Californian records illegally accessed last year rose 35% to 3.5 million.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers. The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses,” California Attorney General Kamala Harris said in a statement.

While California residents aren’t any more susceptible to data hijacking than others, the state law requires businesses and agencies to notify customers of any breach involving more than 500 accounts. This law led to the creation of the California Data Breach Report.

The last 12 months weren’t a fluke either. In fact, “These data breaches are going to continue and will probably get worse with the short term,” emphasized Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.

Aside from payment cards, for which the Attorney General urged companies to adopt stronger encryption and safeguard technologies, one of the most vulnerable sectors is the healthcare industry. Not only are a number of medical devices coming under siege by hackers, stolen health records are also plaguing the industry. Moreover, cyber thieves accessing unprivileged information can be even more harmful than other stolen data, as it can be used for identity theft and fraud over a longer duration.

In 2012-2013, the majority of breaches in the healthcare sector (70%) were caused by lost or stolen hardware or portable media containing unencrypted data, in contrast to just 19% of such breaches in other sectors.


“By now, the problem should be obvious to anyone who is paying attention — data of any kind is vulnerable to attack by a wide variety of antagonists from hacker groups and cyber-criminals to electronic armies, techno-vandals and other unscrupulous organizations and people. The reason is simple. Yes, you guessed it: It is because data = money. To make it worse, because of the web of interconnections between people, companies, things, institutions and everything else, everyone and everything digital is exposed,” explained Bill Boldt, Atmel’s resident security expert.

To safeguard information and devices, authentication is increasingly becoming paramount. Thinking about forgoing security in a design simply because that device isn’t connected to a network or doesn’t possess a wireless interface? As the latest incidents highlight, think again. The days of truly isolated systems are long gone and every design requires security. As a result, the first step in implementing a secure system is to store the system secret keys in a place where malware and bugs can’t get to them – a hardware security device like CryptoAuthentication. If a secret key is not secret, then there is no such thing as security.

Want to read more? Download the entire report here.

Transforming a 3D printer into a tattoo machine

Makers Pierre Emm, Piotr Widelka and Johan Da Silveira have replaced the extruder of an Atmel-powered MakerBot Replicator with a tattoo instrument, effectively transforming the 3D printer into a fully-functional, permanent inking machine.

The hacked device, dubbed Tatoue, attaches a traditional tattoo gun on rails to a square metal frame. These components move along three axes, enabling Tatoue to follow the path of any line or curve of the human body. An embedded sensor can read the skin’s surface, which allows the needle to respond to changes in texture and dimensions of the inserted limb.


The idea for Tatoue first came about following a workshop at Paris design school ENSCI les Ateliers back in October 2013, which encouraged students to use digital material available in the public domain to make something new. The team initially replaced the extruder with a pen before inserting an actual tattoo instrument, testing it on artificial skin and ultimately, on a human volunteer.

So, how does it work? First, a user simply selects a tattoo design from a library of graphic files or uploads their own. That file is then uploaded into the hacked 3D printer. Upon inserting an arm into the frame, the design is then inked onto the skin of the person. Impressively, the modded machine inserts ink into a person’s skin at speeds of up to 150 times per second.

According to its creators, they are still developing more user-friendly software for tattoo artists.

“The idea of our machine is to give tattoo artists a new tool that offers plenty of new possibilities,” the Makers recently told Dezeen.

Interested in learning more? Check out the project’s official Instructables page here.