90,000 Patients' Data Compromised


The University of Washington Medical Center (UW Medicine) was breached in October, with data of up to 90,000 patients of the Harborview Medical Center and University of Washington Medical Center affected. No medical data was stolen, but SSNs may have been lost.

UW Medicine announced last week that up to 90,000 patients may have had personal data stolen. It stressed that health data was not involved. "Based on the results of an internal investigation, it is believed that patient information was not sought or targeted. However, the malware accessed the data files of roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients."

Nevertheless, what was stolen is rich pickings for identity thieves: "name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth."

The attack occurred in early October (2 October according to the Seattle Times) when an employee opened an email with a malicious attachment. "The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity."

UW Medicine has referred the matter to the FBI (although it doesn't say when it did so). It began mailing the affected patients last week, and notes that "patients may be contacted by the FBI as part of its investigation." On the basis of this announcement, it has taken around eight weeks from learning of the breach to notifying patients – and it made the notification on the eve of Thanksgiving, one of America's most important holidays.

King 5 News reports on the reaction of one patient to the UW mailing. "The delay in letting us know is appalling. If it happened October 2nd, why are we just being notified the day after Thanksgiving?" Patricia Shiras said. The letter indicates that social security numbers and financial information were not compromised. The website, however, specifically includes SSNs. "I think my social security number and financial information are compromised and they're trying to cover it up," said Shiras.

Komo News also quotes an unhappy patient. Susan Phillips, whose last contact with the hospital was in 2008, received one of the letters. "I opened it up and I read this and I just got furious," she said. "I don't have a word for it right now... Waiting until the day before Thanksgiving to do a bulk mailing?"

According to the Seattle Times, UW Medicine spokeswoman Tina Mankowski said it had taken more than a month "to analyze the activity and figure out which patients are most at risk of identity theft." She also said that it is "UW policy that if more than 500 accounts are compromised in an identity-theft attempt, the UW reports the incident to the media."

Are SMART TVs Watching You?

Is your internet-connected TV sending your viewing habits to the manufacturer? The post below illustrates just that. Not only are the channels you're watching being sent, but the filenames on any external media (USB stick) are sent as well. The findings below pertain to an LG SMART TV. The illustration below shows the preference screen.



After some investigation, a rather creepy corporate video advertising LG's data collection practices to potential advertisers was found. It's quite long, but a sample of its claims is as follows:

    LG Smart Ad analyses users' favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.

    Furthermore, LG Smart Ad offers useful and various advertising performance reports that live broadcasting ads cannot, to accurately identify actual advertising effectiveness.

In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default.  This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.


It turns out that viewing information appears to be sent regardless of whether this option is set to On or Off. A unique device ID is transmitted along with the channel name (for example "BBC NEWS"). This information appears to be sent unencrypted, in the clear, to LG every time you change the channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off. Not only is the channel you're watching sent to LG, but the filenames of any files stored on an external USB device are sent too. While it is understood why LG wants to display ads and gather "viewer watching data", it is hard to understand why LG wants to know what is on your USB media.


Original research and more information can be found at http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html
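The kind of check the post above describes, written as an added example (not the original researcher's code or LG's own format): capture the TV's outbound HTTP traffic with "Collection of watching info" switched off, then flag any request that still carries a device ID, a channel name or the filenames of the USB stick, and note whether it went over plain http. The capture format, hostnames and parameter names are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture of the TV's outbound HTTP requests, one request per
# line as "METHOD URL|body". Hosts, parameter names and values are invented for
# illustration; they are not LG's real endpoints or wire format.
CAPTURE = """\
POST http://ads.tv-vendor.example/report|UNIQUE_ID=DEV-00042&channel=BBC+NEWS
POST http://ads.tv-vendor.example/report|UNIQUE_ID=DEV-00042&channel=ITV1
POST http://ads.tv-vendor.example/media|UNIQUE_ID=DEV-00042&files=holiday.mp4%2Ctax_return_2013.pdf
GET https://update.tv-vendor.example/firmware/check|
"""

# Filenames placed on the USB stick before the capture (constructed).
USB_FILES = {"holiday.mp4", "tax_return_2013.pdf"}


@dataclass
class Request:
    method: str
    url: str
    params: dict


def parse_capture(text):
    """Parse the simplified capture format into Request objects."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, body = line.partition("|")
        method, url = head.split(" ", 1)
        # parse_qs decodes '+' and %2C, so the body values are compared as the TV sent them
        params = {k: v[0] for k, v in parse_qs(body).items()}
        requests.append(Request(method, url, params))
    return requests


def audit(requests, collection_enabled, usb_files):
    """Return (finding, url) tuples for each privacy problem in the capture.

    Run on a capture taken with the opt-out switched OFF (collection_enabled=False):
    any request that still carries a channel name breaks the opt-out, any request
    carrying local filenames is exfiltration, and either over http:// is readable
    by anyone on the path.
    """
    findings = []
    for r in requests:
        cleartext = urlsplit(r.url).scheme == "http"
        leaked_files = set()
        for value in r.params.values():
            leaked_files |= {f for f in usb_files if f in value}
        if "channel" in r.params and not collection_enabled:
            findings.append(("viewing info sent despite opt-out", r.url))
        if leaked_files:
            findings.append(("USB filenames sent: " + ", ".join(sorted(leaked_files)), r.url))
        if ("UNIQUE_ID" in r.params or leaked_files) and cleartext:
            findings.append(("identifier sent in cleartext", r.url))
    return findings


if __name__ == "__main__":
    for finding, url in audit(parse_capture(CAPTURE), collection_enabled=False, usb_files=USB_FILES):
        print(f"{finding:50} {url}")
```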

Police Agency hit with CRYPTOLOCKER virus

One of the most-dreaded computer infections out there is ransomware, which locks up one's system and renders files unusable until a set amount is paid to the hackers responsible for it. In other words, it amounts to little more than extortion, and law enforcement generally recommends that infected users simply bite the bullet and move on rather than pay the ransom. On Nov. 10, the Swansea, Mass., police department decided to eschew best practices, ponying up a significant payment to criminals.


Recently afflicted with the notorious CryptoLocker ransomware, the department paid two Bitcoins to liberate its files, which was the equivalent that day of $750.

Swansea Police Lt. Gregory Ryan told the local Fall River Herald Tribune that no files were compromised and that the police report/booking software was unaffected by the attack. However, the lack of cyber-education was clear in his other comments: “It was an education for those who had to deal with it,” he said. “[The virus] is so complicated and successful that you have to buy these Bitcoins, which we had never heard of.”

The Swansea Police Department was hit on Nov. 6; and it bought the key and decrypted the files on Nov. 10. Since then it has improved its anti-virus protection, but Ryan noted that he believes “there is no foolproof way to lock your system down.”

CryptoLocker differs from earlier types of ransomware, which could be cleaned off of machines fairly easily by professionals, so that files could be recovered. This virus offers essentially no remediation path without time-consuming and painstaking efforts. Ingeniously, it uses a public key to encrypt a variety of file types such as images, documents and spreadsheets, on all drives and in all folders it can access from the compromised computer.

The malware then offers to trade money for a private, machine-specific key to unlock the encrypted files. A pay page with a countdown clock pops up, giving victims a limited time to buy back the private key for the data.

The two-Bitcoin ransom seems to be the norm for the malware, although Bitcoin, as an online currency, has a fluctuating valuation. Last month two Bitcoins were worth half of what they are this week. But regardless of the amount, if the ransom is left unpaid, the criminals will destroy the private key after the time specified, meaning that it's lost forever, and the files cannot be recovered through typical computer software techniques.

On the other hand, there’s no guarantee that the perpetrators would honor the payment in any event. Though in Swansea PD’s case, they did.

CryptoLocker is spreading rapidly, and was recently reported to be hitting millions in the UK via a spam vector. More locally, Matt Fernandes, owner of local Somerset, Mass.-based computer shop WaveOne Technologies, told the Herald News that he’s seeing five to 10 customers come in per week with the infection. He called the virus the “worst I’ve ever seen.”


Here is our story dealing with a local business that was infected.


We're making TOO MUCH CASH, say CryptoLocker scum in ransom price cut. 11/25/13

NSA Infected 50,000 Systems with MALWARE


A new slide culled from the trove of documents leaked by Edward Snowden shows where the NSA placed malware on more than 50,000 computer networks worldwide, according to Dutch media outlet NRC.

The NSA management presentation slide from 2012 shows a world map spiderwebbed with "Computer Network Exploitation" access points.

Like all the NSA slides we've seen so far, this one is unlikely to win a PowerPoint beauty pageant anytime soon.

Not that this should distract anyone from the profoundly disturbing implications of this US government malware map that's being reported by a Dutch news agency -- an outlet to which the US government gave a "no comment."

Translated from Dutch:

    The American intelligence service -- NSA -- infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information.

    Documents provided by former NSA employee Edward Snowden and seen by this newspaper, prove this.

    (...) The NSA declined to comment and referred to the US Government. A government spokesperson states that any disclosure of classified material is harmful to our national security.

An NSA Web page that outlines the agency's Computer Network Operations program describes Computer Network Exploitation, or CNE, as a key part of the program's mission and says CNE "includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks."

In late August, The Washington Post reported on the NSA's "hacking unit" called Tailored Access Operations (TAO).

The Post wrote:

    According to a profile by Matthew M. Aid for Foreign Policy, it's a highly secret but incredibly important NSA program that collects intelligence about foreign targets by hacking into their computers, stealing data, and monitoring communications.

    (...) Dean Schyvincht, who claims to currently be a TAO Senior Computer Network Operator in Texas, might reveal the most about the scope of TAO activities.

    He says the 14 personnel under his management have completed "over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements."

This is one letter away from being exact.

On the NSA's network ops page, there is no program with the acronym GNE -- only CNE and,

    Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.

    Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information.

Across the newly published slide top and bottom a stripe reads, "REL TO USA, AUS, CAN, GBR, NZL."

These are the so-called Five Eyes nations -- the U.S., U.K., Canada, Australia, and New Zealand -- that share intelligence.

Last week, the very same Five Eyes nations moved to oppose the United Nations' anti-surveillance, right-to-privacy draft resolution called "The Right to Privacy in the Digital Age."

Security researchers online are speculating that telecoms were the most likely targets for the malware.

    Only 50k malware installations globally? Must be restricted to the telcos, ISPs, banks, etc that allow for bulk collection.
    -- the grugq (@thegrugq) November 23, 2013

They may not be too far off the mark.

NRC cites an example of Britain's NSA counterpart, GCHQ, being found to use spoofed LinkedIn pages to install surveillance malware on target computers at the Belgian telecom Belgacom (translated):

    One example of this type of hacking was discovered in September 2013 at the Belgian telecom provider Belgacom.

    For a number of years the British intelligence service -- GCHQ -- has been installing this malicious software in the Belgacom network in order to tap their customers' telephone and data traffic.

    The Belgacom network was infiltrated by GCHQ through a process of luring employees to a false LinkedIn page.

NRC concludes its article by telling us that the Dutch government's intelligence service has its own hacking unit, but that it's prohibited by law from engaging in the type of operations that the CNE slide suggests the NSA carried out.

This story originally appeared as "NSA malware infected over 50,000 computer networks worldwide" on ZDNet.

Google: We're bombarded by gov't requests on user data


The US government is on a data-gathering spree at Google, new data from the search giant reveals.

Between January and June 2013, the US government issued nearly 11,000 requests to Google asking for user information, or about 42 percent of the global total. India was second with nearly 2,700 government requests.

The collective requests from governments around the world during that six-month period have more than doubled in the three-and-a-half years since Google's first government transparency report, which covered the second half of 2009. "And these numbers," Google said in a blog post Thursday, "only include the requests we're allowed to publish."

It's the things that Google can't share about those data requests that really have the company hot and bothered.

"We believe it's your right to know what kinds of requests and how many each government is making of us and other companies," Google Legal Director Richard Salgado wrote in the blog post. "However, the US Department of Justice contends that US law does not allow us to share information about some national security requests that we might receive. Specifically, the U.S. government argues that we cannot share information about the requests we receive (if any) under the Foreign Intelligence Surveillance Act. But you deserve to know."

To underscore that point, Google posted a quartet of graphs illustrating the volume and nature of the government requests. In the fourth of the four graphs, to reflect the constraints on its ability to provide transparency on national security-related FISA requests, Google drew thick black lines over a barely visible bar chart, in the manner of a heavily redacted document.

FISA has become a hot-button topic this year after former NSA contractor Edward Snowden released secrets on the US government's alleged spying activities. The US government has used FISA to block technology companies like Google from sharing what kind of requests they've received. Some of those companies brought a federal case earlier this year in an attempt to share that information. So far, those efforts have failed.

Apple last week released its latest report on government data requests, with a similar call for the US government to open up. These sorts of transparency reports have become a regular thing for tech titans, with the list also including Twitter, Yahoo, Google, and Facebook.

Google also urged Washington to take action to shore up privacy protections for US citizens:

    We strongly believe that the Electronic Communications Privacy Act (ECPA) must be updated in this Congress, and we urge Congress to expeditiously enact a bright-line, warrant-for-content rule. Governmental entities should be required to obtain a warrant--issued based on a showing of probable cause--before requiring companies like Google to disclose the content of users' electronic communications.

The American Civil Liberties Union (ACLU) has been one of the more outspoken critics of the US government's secrecy. In a statement on Thursday, the organization's legislative counsel, Christopher Calabrese, expressed much the same outrage:

    Law enforcement requests to Google have tripled in four years but we're still stuck with the same Internet privacy law we had in 1986. If police need a warrant to open someone's mail then they should need one to rifle through someone's e-mail, regardless of its age or if it's stored on a company's server. It's time Congress and the president updated (the) Electronic Communications Privacy Act (ECPA) so there's only one standard for government access to the content of our electronic communications: a warrant based upon probable cause. Anything less is indefensible.

It bears noting that many government requests for user data are of a rather routine law enforcement nature. Of the 10,918 requests made by the US in the first half of 2013, for instance, 68 percent were subpoenas, and 22 percent were warrants, according to Google.

In the second half of 2009, the period covered by Google's first transparency report, the US government made 3,580 data requests, for about 28 percent of the global total of 12,539 requests.

New Internet Bug Bounty holds companies accountable, protects hackers


Hackers looking to make quick cash just got a new way to grease their bank accounts with the launch of HackerOne's Internet Bug Bounty.

Security high-hats from primary sponsors Microsoft and Facebook, along with volunteers from Etsy, Chrome and ISEC Partners, calling themselves HackerOne, today announced a bounty program trading cash for bugs in OpenSSL, Python, Ruby, PHP, Rails, Perl and "the Internet," among others.

According to HackerOne's Disclosure Policy, the companies behind the program are not allowed special access or rights to the submitted bugs.

Hackers can submit as anonymously as they prefer. Response Teams from affected companies and products are cautioned against taking punitive action against the hackers.

And if you're on a response team for a product that might be affected by a bug on the bounty list, you'd be wise to register with HackerOne if you want to be notified about exploits and vulnerabilities immediately.

Legit bugs affecting products will be reported to Response Teams right away through the HackerOne platform, otherwise the Internet Bug Bounty panel promises to do everything possible to reach and inform affected companies with the disclosure.

And if a company doesn't pick up the phone when HackerOne calls?

Companies have seven days to respond, then:

    If we aren't able to contact the Response Team, the Bug Report will be made public 30 days after our initial contact attempt.

Regardless, all bug data is eventually shared with the public.

The Internet Bug Bounty says its aim is "Rewarding friendly hackers who contribute to a more secure internet."

Before you go off thinking the program is just for white knights, the organizers have made it clear they're also looking for bug hunters who want to remain off the books: submitters can remain anonymous, even to the point of deferring payment to a charity of their choice.

To register, hackers only need provide a name, username, password, and email address; HackerOne states it deletes all access logs after 180 days.

But if you're looking for credit, HackerOne says you'll definitely get it.

HackerOne told ZDNet that hackers choosing to give their reward to charity can pick any charity they like, plus HackerOne might even throw in a little extra scratch to give the hacker's favorite charity a bit more to celebrate.

Its Disclosure Policy has some ethical guidelines for hackers to follow if they're going to play ball with HackerOne, but HackerOne has written its policy to be clear about its stance of protecting hackers who bring in bugs.

The guidelines for Response Teams that HackerOne will work with state that teams from affected products and companies have to credit the hacker for the discovery, and can't threaten hackers, punish them for finding vulns, or turn them over to the cops.

HackerOne's Disclosure Guidelines state, "Response Teams should..."

    Do no harm. Not take unreasonable punitive actions against researchers, like making legal threats or referring matters to law enforcement.

Perhaps that's because some of the people on HackerOne's interesting team have seen some action.

    We're a group of hackers and researchers who have been frustrated by the failings of the vulnerability disclosure status quo.

    Members of our team have managed bounty programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions.

Young hackers can join the hunt, too. There is no minimum age for submissions and payout, though in keeping with the Children's Online Privacy Protection Act hackers under 13 will need to have a parent or guardian claim the bounty.

Sandbox escapes and "the Internet" start at $5K, with OpenSSL at $2500, followed by Python, Ruby, PHP, Rails and Perl coming in at $1500 per bug. Apache httpd and Nginx fetch $500 a pop, Phabricator is $300, while Django is listed at this time with no minimum bounty.

Hackers can also submit bugs via private YouTube videos, but HackerOne requires all video submissions to have bad techno playing in the background.
