Former US NRC employee sent spear-phishing emails to 80 other US DOE employees containing an inert virus.
Charles Harvey Eccleston, 62, has pleaded guilty to sending spear-phishing emails to US Department of Energy (DOE) and the US Nuclear Regulatory Commission (NRC) employees in an attempt to infect them with malware that could be leveraged by foreign intelligence agencies to hack into US government computers.
The whole story starts in 2010 when Eccleston was laid off from the US NRC, and moved to Davao City, Philippines, one year later, in 2011.
According to the US Department of Justice, three years later, in 2013, Eccleston entered the embassy of an unnamed country in Manila, Philippines, and offered to sell 5,000 email accounts belonging to employees of the US DOE.
Eccleston tried to sell a list of government email addresses to a foreign state
Eccleston said he wanted $18,800 (€17,200) for the email accounts, which he claimed were “top secret,” and that if the embassy would not buy them, he would go to the embassies of China, Iran or Venezuela instead.
Embassy officials tipped off the FBI, who sent an undercover agent to negotiate a deal with Eccleston.
During subsequent meetings, Eccleston sold a thumb drive containing 1,200 email addresses to the undercover FBI agent for $5,000 (€4,600). This happened on November 7, 2013, and the FBI agent confirmed that most of the email addresses were publicly available.
At the same meeting where this transaction took place, Eccleston also pointed out that the email list would allow attackers to infect computers with a virus that would give a foreign country access to sensitive government information, or even let it shut down NRC servers.
Eccleston tries his hand at running a spear-phishing campaign
On June 24, 2014, Eccleston had a second meeting, with a different undercover agent. Eccleston said he had another 30,000 email addresses belonging to DOE employees, and even offered to craft a spear-phishing campaign to target some of the individuals on the list.
The former DOE employee selected a few individuals from his list and crafted a spear-phishing email that advertised a conference which he knew DOE employees would be interested in.
On Jan. 15, 2015, Eccleston sent 80 spear-phishing emails to his former colleagues containing an inert virus he received from the FBI agent. The emails reached individuals across the US and even laboratories associated with nuclear materials.
Philippine authorities arrested Eccleston on March 27, 2015, when he was meeting with the undercover agent to receive an $80,000 payment for his endeavor. He was later deported to the US and has now admitted his crimes.
Eccleston faces a maximum of ten years in prison and financial penalties, but because of his age and previous records, according to the advisory federal sentencing guidelines, he’s likely to receive a prison term of 24 to 30 months and a fine of up to $95,000.
The grandpa turned hacker will receive his sentence in Washington on April 18, 2016.
The number of people who have fallen victim to identity theft and unauthorized use of credit cards is increasing, because many companies handle data irresponsibly. According to several studies carried out by a personal data protection company in countries such as Mexico, Brazil, the United States, Colombia, Argentina and India, personal data protection and privacy are a primary concern for the public; failure to comply with the regulatory framework can therefore be an obstacle and can cause a loss of business opportunities.
Personal data is all the information about a person that identifies him or her. It includes place of birth, place of residence, academic and employment history, professional career, marital status, age, health, sex life, physical characteristics, political ideology, and other aspects. Personal data lets a person interact with businesses and/or organizations to obtain their services, and this exchange of information drives economic growth and improvement of services.
To address this problem, privacy and personal data protection laws were adopted some years ago in countries such as Mexico, Argentina, India and others, with the purpose of protecting citizens from the misuse and abuse of personal data that companies and/or organizations commit every day. The personal data protection law recognizes and protects people's rights to access, update and correct the personal data that has been collected about them, as well as the right to object to the processing of their personal data by public or private entities. Personal data involved in national security, national defense, intelligence, and population and housing censuses is not covered by the personal data protection law.
According to a personal data protection company, all entities that handle personal data are now obliged to respect the right to privacy and must adapt to regulations that ensure the safe treatment of personal data. The privacy and personal data protection act also gives people the right to request all the personal data that a company holds about them. This creates the need to implement personal data protection solutions and policies for the cancellation and removal of personal data. Companies and/or organizations that do not comply with this law will face sanctions and fines.
There are many advantages to implementing personal data protection solutions. For instance, the European privacy and personal data protection law permits the transfer of European citizens' personal data to a third country that has an adequate level of data protection for such information, depending on the nature of the data, the purpose and duration of processing, and the safety standards in place. If a country adopts the international privacy and personal data protection regulations, foreign investment in that country can increase substantially.
IMPLEMENTING PRIVACY & PERSONAL DATA PROTECTION LAW
Companies and/or organizations must comply with the statutory obligation to implement a personal data protection system. According to various enterprise data protection services consultants, compliance with legal obligations in the field of data protection is essential. Data protection agencies have large teams of inspectors who audit personal data protection systems and impose fines and sanctions, typically following a complaint from an affected person. Points to consider while implementing the privacy and personal data protection law:
• All personal data processing systems belonging to companies and/or organizations must be registered with the data protection agency. The registration must include information such as the name and title of the person responsible, the purpose of the system, the type of personal data processed, the process of acquiring and updating data, the methods of interrelating data, the duration for which data is held, and the personal data security solutions implemented.
• When companies and/or organizations collect personal data, all interested parties must be informed in advance of the existence of a personal data protection system, the data treatment process, the purpose of collecting the data, the recipients of the data, and the rights of access, rectification, cancellation and opposition to data processing.
• Companies and/or organizations will designate a person responsible for personal data processing systems.
• Comply with the personal data protection policies and regulations as well as standards for enterprise personal data protection services.
• Process personal data only when they relate to the purpose for which they were collected.
• Implement appropriate enterprise data protection solutions to manage all requests for access, rectification and cancellation of personal data; enterprises must also provide a data protection training course to all public servants.
• Implement security measures via enterprise data protection services and inform the data protection agency about any changes.
• Modify personal data when appropriate, correcting the incorrect data and completing the partial data. All these changes must be logged in a security document.
• The client has the right to request the correction or deletion of his personal data.
• Coordinate and review the implementation of data protection solutions by the enterprise data protection company and make sure it is done in accordance with the data protection norms.
• Implement specific set of policies for the management and maintenance of the personal data processing system.
• Develop a personal data protection training course plan. All the professionals of data protection department must take data protection training.
• Carry out, or bring into compliance, the operation of the data processing systems implemented by any personal data protection company.
• Inform the client when obtaining their personal data about personal data processing systems and data protection solutions implemented by personal data protection companies.
SECURITY MEASURES FOR DATA PROTECTION
According to experts from a personal data protection company, businesses and/or organizations should establish technical and organizational security measures that ensure the confidentiality and integrity of personal data, with the objective of preserving data protection rights against modification, loss, transmission and unauthorized access. All data security measures should be implemented to the highest degree of protection of personal data. The security measures should cover the following types of security:
Physical Security: This includes the protection of facilities and equipment to guard against accidents or force majeure.
Logical Security: This includes measures for identification and authentication of people or users authorized to access and modify personal data.
Applications: This covers the permissions that the personal data processing system must manage to ensure the proper use of data, preventing the participation of non-authorized users, separation of environments, and penetration testing controls.
Encryption: This includes implementation and use of encryption algorithms, keys, passwords, and specific protection measures to ensure the integrity and confidentiality of the sensitive personal data.
Network Communications: This refers to the use of enterprise data protection services that include a network monitoring system, which constantly monitors network communications and blocks any kind of suspicious activity or security breach.
According to experts from an enterprise data protection company, the following security checks are mandatory for every personal data processing system in order to ensure compliance with the privacy and personal data protection law:
• Implementation of the security policies.
• Maintaining documentation of roles and responsibilities of personnel responsible for the processing of personal data.
• Access and incidents logging.
• Identification and authentication system.
• Storage media management, physical and logical access.
• System backup and recovery.
• Manage audit policies.
• Vulnerability and penetration testing.
• Storage media distribution.
• Telecommunications records.
The data security measures mentioned above constitute minimum requirements, so companies and/or organizations should take additional measures where necessary to provide greater protection of personal data. Companies and/or organizations should seek help from a personal data protection company or personal data protection service consultants to implement personal data protection services and solutions.
To make sure that your company is covered with regard to the privacy and data protection law, organizations such as the International Institute for Cyber Security offer tools through enterprise data protection services and a personal data protection training course, which allow you to implement the data protection law and keep your business up to date with the requirements of the legislation. The enterprise data protection services and personal data protection solutions help customers as follows:
• During the implementation of the privacy and data protection law, they carry out a detailed analysis of the company's processes for the management and processing of personal data. They gather detailed information about the company, the personal data files, the established procedures, the flow of information, and the degree of compliance with the regulation.
• They coordinate the analysis of personal data processing systems along with the development of the procedures and documentation required by the standards, as part of the enterprise data protection services.
• In the personal data protection training, they teach the development of data protection policies and information security best practices for general and technical users.
• During the personal data protection audit services, they deliver a data protection policies document, an evaluation of the security measures implemented, and data protection law certification. In addition, they teach how to do all of this during the personal data protection training, so that you can become an enterprise data protection services expert.
The personal data protection course is aimed at managers, legal and IT department professionals, and anyone who wishes to understand the privacy and data protection law. The personal data protection training is a very practical course and covers the following topics:
• Introduction to data protection & privacy law.
• Implementation of environment for data protection & privacy law.
• Types of personal data and rights of access, rectification, cancellation and opposition.
• Data protection agencies and regulations.
• Detailed dataflow analysis.
• Enterprise architecture and audit procedures.
• Implementation of data protection solutions and enterprise data protection services with a methodology defined by our experience and recommended by international standards.
• Incident management procedures for handling personal data breach, sanctions and privacy complaints.
One month after cutting OneDrive storage limits for customers and completely axing ‘unlimited’ cloud storage, Microsoft has apologised and is offering to give something back. But users will still need to opt in, and the bonuses won’t last forever.
Microsoft has back-pedalled on cuts it made to OneDrive cloud storage limits last month, giving back some of the data allowances it was set to take away and apologising for putting the blame on users for excessive use. But customers will still need to opt in to keep their bonus storage, and the changes will expire after a year.
The company confirmed the changes in a post on its OneDrive user forum, offering users “impacted” by the changes the opportunity to get additional storage for a limited time, and the chance to opt-in to keep free storage bonuses when OneDrive plans are overhauled early next year.
The mea culpa comes a month after Microsoft announced major changes to its cloud storage, halving storage limits for paid plans (whilst keeping the price unchanged), reducing limits on free plans from 15GB to 5GB, ditching its 15GB camera roll storage bonus and completely scrapping ‘unlimited’ storage for all users.
The company is hoping the move will appease customers and curry some favour in an already competitive cloud storage market.
Microsoft is up against rivals such as Dropbox, Google Drive and the Apple-centric iCloud, all hoping to be the one place that users can store all their files to get cloud-based access from anywhere. While each provider offers free storage, these companies generate their revenue through paid plans, and storage limits are king in deciding where customers are willing to hang their hat (and their files).
But Microsoft’s group program manager Douglas Pearce came hat in hand to customers, apologising for recent changes to OneDrive plans and the way they were communicated. In his post on the OneDrive user forum, Pearce said “the announcement came across as blaming customers for using our product” and Microsoft was “genuinely sorry for the frustration this decision has caused.”
That blame referred to Microsoft calling out “a small number of users” on unlimited plans for “extreme backup scenarios,” in some cases, storing up to 75TB of data in the cloud.
While Microsoft initially set about curtailing use, Pearce said paying Office 365 Home, Personal, and University customers would continue to receive 1TB of storage, and users who received additional storage as part of Microsoft’s unlimited offer would keep this limit for at least 12 months.
To make good with disgruntled customers of the free service, anyone with more than 5GB of content stored in the cloud (under the former 15GB free storage limit) will receive a free Office 365 Personal subscription for one year. The offer will come via email early next year and will bring with it 1TB of storage.
Finally, Microsoft is offering an opt-in for its “biggest fans” to keep their 15GB of free storage after storage limits are cut early next year (and to keep their 15GB camera roll bonus, if they currently have that in place). And what constitutes being a fan? Going to the OneDrive website before the end of January 2016 and logging in to get the bonus.
While the changes may go some of the way to pacifying customers upset about the storage cuts, they still only go part of the way to clawing back the cuts made in November. What’s more, customers will need to be existing heavy users to take advantage of the bonuses, or opt in for an increase. There’s also no word on whether or not the changes will last longer than the single year.
A recent security breach on the iOS platform left 220,000 iCloud user accounts exposed through a backdoor installed by a malicious jailbreak tweak, according to WooYun, a Chinese online vulnerability-reporting platform.
Yes, 220,000 is a huge number considering it happened on iOS, one of the most popular mobile operating systems, designed by Apple. But don’t get too frightened, because this security flaw has nothing to do with Apple’s security and happened after a jailbreak attempt.
WooYun is a Chinese platform that reports on user-submitted security flaws discovered by researchers in order to provide feedback to the relevant vendors. It is, in fact, a reliable website.
In a post on their website, they outlined the details of this backdoor attack, which breached 220,000 iCloud accounts through the installation of a malicious jailbreak tweak. On the same page, they also mention that a notification about the security flaw has already been issued to the appropriate vendors, apparently Apple.
Below is the (slightly broken) translated version of the report.
What should worry iCloud users is that if your account credentials are breached, the leaked credentials grant easy access to the personal information stored in your iCloud account, including all your photos and contacts.
Now you must be wondering what the reason behind the flaw is. A Reddit user (self.jailbreak) created a dedicated post about the issue, outlining that the security breach affected users in a specific region only and had a bounded reach.
“This was announced by a China security website WooYun (it means Black Cloud in Chinese based on sound) earlier on their Weibo, and it is basically telling that there are some shady tweaks that have back-doors stealing jailbreak users’ iCloud account and password to a remote server, which so far roughly 220 thousand accounts have been leaked. They haven’t announced who stole it and what for, but as far as we know, if they hack into our iCloud accounts, they can have access to our mails, photos or even private stuff.”
Considering how privacy conscious the iOS jailbreak community is, and that the tweaks and plug-ins it releases are secure, it seems highly unlikely that a malicious jailbreak tweak would affect such a huge number of users, let alone through the installation of a single tweak or plug-in.
Here is the proof of the leaked iCloud account data, but apart from this picture, nothing else has surfaced on the Internet yet!
One of the related Reddit users posted a valuable comment on the post that says:
“In Asian countries, it is very common for people to buy phones, new or used, from technology markets. At those markets are lots of competing stalls selling phones, and jailbreaking your phone and selling it to you preinstalled with lots of jailbroken / pirated apps is part of their service.
That is part of why jailbreaking / Pangu is so popular in Asia / China. There are entire markets of Chinese-only programs and apps that we are not really exposed to here on this English- / Western-dominated subreddit.
Anyway, my point is that if one of these “shady” apps is something that was somewhat common for these 3rd-party sellers to install, then this stat wouldn’t be that surprising. It doesn’t take 220,000 people with personal tech know-how to jailbreak and download a tweak: it just takes 220,000 people buying from a few hundred / thousand technology boutique shops that preload the software.”
He raises a valuable point: it seems this attack was caused by third-party sellers installing malicious tweaks and plug-ins, after which the users used those infected devices, resulting in a breach of their accounts.
HOW CAN YOU PROTECT YOUR ICLOUD ACCOUNT?
We all know that jailbreaking your iOS device exposes it to malicious attacks and increases your risk. To protect yourself from these attacks, it is recommended that you take the following precautionary steps:
Tip #1 – Enable two-factor authentication on your iCloud account.
Tip #2 – Don’t download tweaks from any untrusted or third party repository.
Tip #3 – Stay away from pirated apps or tweaks.
But still, even after following the above-mentioned tips you might be vulnerable to security threats because a jailbroken device is never secure!
The idea of hacking IKEA products is not new, but it’s still great. It’s such a great idea that the flatpack furniture giant is developing an official IKEA Hack product. This is almost exactly a year after IKEA enlisted lawyers to shut down a fan-made IKEA hack website, pissing off reasonable customers all over the world.
IKEA clearly doesn’t want a good idea to go to waste. The company recently announced the plan for an official Hack kit during the second annual IKEA Democratic Design Day at its headquarters in Sweden. I was there (on IKEA’s dime) to peer through the company’s utopian vision for the future. By the time two young designer types presented the hack idea and a compelling furniture swapping program, everyone in the room full of jet-lagged journalists and PR teams was at least one drink deep into the evening’s festivities. The buzz made the whole plan sound especially terrific.
Note: So that I could attend this year’s Democratic Design Day, IKEA paid for my transportation, meals, and drinks over the course of four days. The company also gave me a free poster and a free tote bag—both of which I immediately gave away.
The Hack idea is based on an interesting question. “What if you could browse a site and see hacks for all the available products?” one of the young designer types asked the crowd. “Doesn’t that already exist?” I asked my neighbor. (More on that in a second.) But what if IKEA built and curated it? You could even know when you were buying a hackable product in the store.
That’s it. IKEA would build a website that hosted a number of hack ideas for all hackable products. You’d pick a hack kit that worked with your furniture and buy it from IKEA. The prototype shown at the event involved the iconic Frosta stool. Thanks to the Frosta Hack kit, the stool became a chair.
The finished product looked a little bit janky. That’s it to the left:
But again, this is just a program that IKEA is considering. And it would be silly for IKEA to make its hacked furniture look as polished and well designed as the highly designed pieces of furniture it sells at the store. However, IKEA hacking is something that the company knows people like.
IKEA knows that its customers are already modifying furniture they buy at the stores. In some cases, sellers on Etsy and so forth are selling custom-built parts for IKEA furniture. (I know this because I just bought some.) IKEA tried to take a swipe at this burgeoning market last year by shutting down IKEAhackers.net, however the company relented after a massive backlash from fans. Now, it appears that IKEA is taking a more aggressive grab at the market.
The company is also considering taking on Craigslist and the IKEA furniture re-sale market. They’re calling it IKEA Swap. It’s exactly what it sounds like. Once IKEA launches the program, it would offer a “buy back guarantee” on certain items. There would be a little Swap logo on the tag.
Then, when you move or redecorate, you take your old furniture items to an IKEA store and exchange them for points that you can use on—you guessed it—more IKEA furniture. What’s extra cool about this idea, however, is that IKEA is also thinking of creating a second-hand furniture marketplace that would mean people could buy even cheaper IKEA furniture. The designer types called this a “Second Life” market, though I think something got lost in translation there.
The official IKEA Hack and IKEA Swap programs might not happen. Everything IKEA does is highly deliberate and well thought out, so if the numbers don’t make sense, you can be sure that IKEA will continue its inevitably symbiotic relationship with the IKEA hacker community and leave the second-hand market alone. Unsurprisingly, IKEA didn’t mention the unofficial hacking sites or the legal action in its presentation.
In the coming days, I’ll be writing about a number of IKEA products that are supposed to happen in the next couple of years. Some of them are truly exciting—especially the ones that delve into the world of home electronics. Some of them are fascinating—especially the ones that turn trash into furniture. All of them are very IKEA. You’ll see what I mean by that—if you stay tuned.
The business model changes. Cloud computing changes the way IT services are delivered. They are no longer delivered from an on-site location; servers, storage and applications are provided by external service providers. Organizations need to evaluate the risks associated with losing control of the infrastructure and of information security.
Initial registration with a cloud computing service is a fairly simple process. In many cases the service provider even offers a free trial period. Organizations must consider the cloud security risks arising from anonymous registration, lack of validation, service fraud, and ad-hoc services such as network security.
Application programming interfaces (APIs) are used to provision, manage and monitor services. These interfaces may be subject to information security vulnerabilities that put users at risk.
One of the benefits of cloud computing is that your organization does not have to know the technical details of how the services are delivered. The provider's procedures, physical access to systems, employee monitoring, and compliance-related matters are transparent to the customer. Without full knowledge and control, your organization may be at risk, and cloud security must be in the cloud.
Cloud computing allows multiple organizations to share and store data on the same servers. However, the original operating systems and server hardware were most likely designed for use by a single tenant. Organizations must ensure that adequate controls are in place to keep their data secure with network security.
With shared infrastructure resources, organizations should be concerned about the service provider's authentication systems that grant access to data, for the sake of information security. Organizations should also ask about encryption, data deletion procedures, and business continuity. Organizations should be aware that account theft can occur. For many service providers, the focus is on functionality and benefits, not cloud security. Without adequate software updates, intrusion prevention and firewalls, your organization may be at risk. When using cloud services, user activities such as clicking on links in email messages, instant messaging, visiting fake websites, etc., can download malware onto a local workstation if there is no network security. Internet cloud computing services provide both business and technical benefits.
A Russian hacker has posted the usernames and passwords of 4.93 million Google accounts, leaving many users anxious about whether or not their accounts are safe.
If you want to check whether your Google account, which is also the gateway to your Gmail, Plus, Drive, Hangouts and YouTube accounts, has been compromised, simply click this link and provide your Gmail ID.
If you do not want to provide your full email ID on this website, you can hide the last three characters of the username, for example email@example.com instead of firstname.lastname@example.org. The website will then display all the Google usernames that start with ‘abc’.
If your password has been leaked, change it immediately by answering the security questions you set when signing up. Also, enable two-step verification for your account in Settings.