SPOTLIGHT ON SECURITY

China Suspected in Attacks on USPS, NOAA

The U.S. Postal Service and National Oceanic and Atmospheric Administration last week confirmed that their computer systems were targeted in months-long cyberattacks that appear to have originated in China.

The attack on USPS compromised information of an estimated 800,000 employees. Data at risk includes names, date of birth, Social Security numbers, addresses and dates of employment — the kind of info that could be used to forge future forays against the service or other federal agencies.

“Specific background information about individuals can certainly be helpful in the pursuit of spearphishing attacks in the future,” Greg Kazmierczak, CTO at Wave Systems, told TechNewsWorld.

However, the information could be used in more harmful ways against employees, noted Eric Chiu, president and founder of HyTrust.

“In many ways, employee data is even more valuable than customer data, because companies store very sensitive information like Social Security, contact, healthcare, and financial data on employees, which can be used to hijack a person’s financial identity,” he told TechNewsWorld.

NOAA Breach

Although the postal service didn’t point its finger at a likely suspect, suspicions are high that the attack was perpetrated by the Chinese.

“Unfortunately, this disclosure couldn’t come at a worse time for the United States Postal Service, as consumers will be concerned and confused about their own security heading into the peak holiday mailing season,” Julian Waits Sr., CEO of ThreatTrack, told TechNewsWorld.

Meanwhile, the National Oceanic and Atmospheric Administration was called on the carpet by a member of Congress for dragging its feet on a breach of its systems by the Chinese.

NOAA informed Virginia Republican Frank R. Wolf that China was behind the hack on its systems, he told The Washington Post.

Although NOAA has acknowledged that a hack occurred and that it had to seal off data vital to disaster planning, aviation, shipping and other critical tasks, it has not confirmed that the attack originated in China.

19-Year-Old Bug Squashed

Microsoft last week said it has patched a security vulnerability that was exploitable for nearly a generation.

IBM’s X-Force team reported the flaw to Microsoft in May. On a scale of severity in which 10 is the most severe, the vulnerability (CVE-2014-6332) was rated 9.3, X-Force Manager Robert Freeman wrote in a blog.

The flaw shows how defects can go undetected for long periods of time, he noted.

“The buggy code is at least 19 years old and has been remotely exploitable for the past 18 years,” he wrote.

“This vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32),” Freeman added.

There are indications that the patched vulnerability isn’t the only serious bug in the code, he said. More bugs that allow for arbitrary data manipulation may yet be undiscovered.

“These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution,” wrote Freeman.

“Typically, attackers use remote code execution to install malware, which may have any number of malicious actions, such as keylogging, screen-grabbing and remote access,” he explained.

Breach Diary

  • Nov. 10. U.S. Postal Service reveals a “cyber intrusion” has placed at risk personnel information on some 800,000 employees and personal information of customers who contacted the agency’s customer service center from Jan. 1 to Aug. 16. One estimate pegs the number of affected customers at 2.9 million.
  • Nov. 10. Nieman Marcus appoints Sarah Hendrickson as its first chief information security officer. A data breach last year at the retailer resulted in the theft of information connected to some 350,000 payment cards.
  • Nov. 10. Kaspersky Lab posts to Internet details about its discovery of what it calls the “Darkhotels” espionage campaign aimed at corporate executives staying at luxury hotels on business trips.
  • Nov. 11. Microsoft patches a vulnerability that’s been in every version of Windows for the last 19 years. It can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine, according to IBM’s X-Force Resesarch Team.
  • Nov. 11. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter is published. In it, she reports that Stuxnet was seeded at a handful of selected targets in Iran before infecting its uranium enrichment facilities. This is the first time Stuxnet’s earliest targets are named.
  • Nov. 11. The Eastern Iowa Airport reveals information from payment cards used to pay for parking at the airport between Sept. 29 and Oct. 29 are at risk following discovery of data breach at the facility.
  • Nov. 12. Deloitte reports that between January and February, 24,105 news stories were published about data breaches. That compares with 5,474 in 2013.
  • Nov. 13. Parasole Restaurant Holdings reports data breach has put at risk about 5 percent of payment card transactions from January to July at of two of its eateries in Minnesota.

Upcoming Security Events

  • Nov. 18. Powerful Strategies for Account Takeover Fraud Prevention. 2 p.m. ET. Webinar sponsored by PhishLabs. Free with registration.
  • Nov. 18. Storms on the Horizon: Why are Cloud Services Targets of Availability Attacks? 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Nov. 19. Stealing from Uncle Sam. 7:30 a.m.-1:30 p.m. ET. Newseum, Washington, D.C. Registration: government and press, free; before Nov. 19, US$495; Nov. 19, $595.
  • Nov. 19. Stay Ahead of the Adversary with Network Security Analytics. 1 p.m. ET. Dark Reading webinar. Free with registration.
  • Nov. 20. Amazon AWS Services’ Security Basics — Escalating Privileges from EC2. 2 p.m. ET. Black Hat webcast. Free with registration.
  • Nov. 21. Cyberattacks, Data Breaches, and Serial Litigation — Should Federal Data Security Legislation Be on Congress’ Horizon? noon-1 p.m. ET. Rayburn House Office Building, Room 2237, Washington, D.C. Free with registration.
  • Nov. 21-22. B-Sides Charleston. College of Charleston campus, Charleston, South Carolina. Free.
  • Nov. 22. B-Sides Vienna. Top Kino, Rahlgasse 1 (Ecke Theobaldgasse, 1060 Wien, Vienna, Austria. Free.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
  • Dec. 3. The Essential Elements of an Optimized Security Operations Center. 1 p.m. ET. Webinar sponsored by IBM/Trusteer. Free with registration.
  • Dec. 5. Be an Onion not an Apple. 9 a.m.-4 p.m. ET. Capital Technology University, 11301 Springfield Rd., Laurel, Maryland. Workshop sponsored by Cybersecurity Forum Initiative. $195/seat.
  • Dec. 10. Fill the Security Gaps in Your Firm’s Mobile Deployment. 1 p.m. ET. Webinar sponsored by Lacoon Mobile Security. Free with registration.
  • Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course Registation: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.
  • Dec. 12. B-Sides Zgora. Biurowiec ASTEC, ul. Wyspianskiego 11, Zielona Gra, Poland. Free.
  • Jan. 19, 2015. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.
  • March 24-27, 2015. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • So when do cyber attacks become recognized as overt national aggression and invite a substantive response, such as severing diplomatic ties or inviting sanctions? At what point do we in the West start drawing a line in the sand of our personal, financial and industrial data?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels