Hello Kitty Hacked

SanrioTown, the online community for Hello Kitty, was hacked, and information including names, birth dates and email addresses was compromised. More than 3 million user accounts were accessed.

Other affiliated sites that were affected include hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com.

Sanrio Digital issued this security advisory:

Corrected a vulnerability involving personal information of SanrioTown.com members

Sanrio Digital notifies that personal information belonging to members of the consumer website SanrioTown.com was publicly accessible owing to a security vulnerability. The vulnerability has been corrected and investigations are underway. To our knowledge at this time, no personal information of SanrioTown.com users was stolen or exposed.

On December 19, it was revealed by security researcher Chris Vickery that personal information (such as names, date of birth, gender) belonging to SanrioTown.com members was accessible by someone who knew the IP addresses of specific vulnerable servers.

The vulnerable data did not include credit card information or other payment information. Users’ passwords were accessible but remained securely encrypted with the cryptographic hash function SHA-1.

Please note that membership data of SanrioTown is not shared with other Sanrio services or websites (such as Sanrio.com), therefore other Sanrio services were not affected by this security vulnerability.

We investigated the problem and applied fixes, including securing the servers identified as vulnerable by Mr Vickery.

We are conducting an internal investigation and security review into this incident; at this time we have no indication that users’ personal information was stolen by malicious parties.

We apologize deeply for any concern and inconvenience this incident may have caused.

Detailed Information

1. Personal user information that may have been accessible:
  • First and last name
  • Birthday (encoded)
  • Gender
  • Country
  • Email address
  • Password (encrypted using SHA-1 hashes)
  • Password hint questions

2. Number of people whose personal information may have been leaked
Up to 3.3 million website members were potentially affected by this security vulnerability, however we have no indication that any user data was actually exposed or utilized by malicious parties.

3. Circumstances
Owing to server misconfiguration, some personal information of SanrioTown.com members was visible to security researcher Mr Chris Vickery.

4. Response going forward
We are requesting SanrioTown users to change their passwords on SanrioTown as well as passwords on other online services and accounts if they used similar passwords or hint questions.

5. Measures to prevent recurrence
We installed additional security mechanisms on our servers. We will carry out periodic review of these security measures.

6. Inquiries
General inquiries: Please contact Sanrio Digital at info@sanriodigital.com

Media inquiries only:
Mark Leeper (on behalf of Sanrio Digital)
Managing Director
Matrix Communications Limited
email: mark@matrixcom.org
Tel: +852 9142-1510
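The advisory above describes the stored passwords as "encrypted using SHA-1 hashes". SHA-1 is a hash function, not encryption: an unsalted, fast hash means two users with the same password share the same stored value, and a leaked table can be tested offline at hardware speed. The defensive fix is a per-user salt plus a deliberately slow key-derivation function, and the usual way to get there without forcing a mass reset is to upgrade each record on the user's next successful login. The code below is an added example written for this page, not Sanrio's code; it assumes the legacy records are plain hex SHA-1 and uses PBKDF2-HMAC-SHA256 from the standard library as the replacement.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumption: legacy records are unsalted hex SHA-1 of the password, as the advisory describes.
LEGACY_SHA1 = re.compile(r"^[0-9a-f]{40}$")
# Assumed replacement format: "pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>"
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password):
    """Reproduce the legacy scheme: no salt, fast hash (kept only to verify old records)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash; a fresh random salt is generated per record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(stored, password):
    """Check a password against either format, using constant-time comparison."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
        return hmac.compare_digest(dk, expected)
    if LEGACY_SHA1.match(stored):
        return hmac.compare_digest(legacy_sha1(password), stored)
    raise ValueError("unrecognised hash format")


def verify_and_upgrade(stored, password):
    """Return (ok, new_stored). A correct login against a legacy hash is re-stored as PBKDF2."""
    ok = verify(stored, password)
    if ok and LEGACY_SHA1.match(stored):
        return True, pbkdf2_hash(password)
    return ok, stored


def audit_legacy(records):
    """Count how many stored hashes are still in the unsalted SHA-1 format (migration progress)."""
    return sum(1 for r in records if LEGACY_SHA1.match(r))


if __name__ == "__main__":
    old = legacy_sha1("correct horse")          # constructed legacy record
    ok, new = verify_and_upgrade(old, "correct horse")
    print(ok, new.split("$")[0], "legacy records left:", audit_legacy([old, new]))
```

The `audit_legacy` count is the metric to watch after a migration of this kind: records that never log in again stay in the weak format indefinitely, so an expiry date for un-upgraded records, after which a reset is forced, is the usual companion control.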

iPhone Apps Hacked

Many of Apple Inc.’s App Store apps were found to be infected with malware. A compromised version of Apple’s developer tool kit, Xcode, was used by unsuspecting programmers to build them. It is being described as “a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform.”

Compromised iPhone and iPad apps include the mobile chat app WeChat, the taxi app Didi Kuaidi, and a music app from NetEase. The malware can transmit device information, phish for usernames and passwords, and read and write the contents of the user’s clipboard.

“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software and we are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” Apple said.

“We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” said Palo Alto Networks security researcher Claud Xiao.

Apple Computer Security

Are Apple computers more secure? No. “I’m convinced that OS X security is lacking,” said Patrick Wardle, from security firm Synack. “It’s trivial to write new OS X malware that can bypass everything. If I can do it, nation states and adversaries can and probably are doing it.”

In a separate incident, over 225,000 Apple accounts were hijacked through malware on iPhones.

Ashley Madison Hacked

Ashley Madison is a risqué website for people who want to cheat on their spouses. Files began leaking last month; this month another 20 GB of user data was published.

The company released an updated statement:
Last month we were made aware of an attack to our systems. We immediately launched a full investigation utilizing independent forensic experts and other security professionals to assist with determining the origin, nature, and scope of this attack. Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.

We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.

This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.

Every week sees new hacks disclosed by companies large and small, and though this may now be a new societal reality, it should not lessen our outrage. These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives. Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing.

We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest and conviction of these criminals, can contact information@avidlifemedia.com.

Chrysler Jeep Hacked

The BBC reports:

Several car infotainment systems are vulnerable to a hack attack that could potentially put lives at risk, a leading security company has said.

NCC Group said the exploit could be used to seize control of a vehicle’s brakes and other critical systems.

The Manchester-based company told the BBC it had found a way to carry out the attacks by sending data via digital audio broadcasting (DAB) radio signals.

It coincides with news of a similar flaw discovered by two US researchers.

Chris Valasek and Charlie Miller showed Wired magazine that they could take control of a Jeep Cherokee car by sending data to its internet-connected entertainment and navigation system via a mobile-phone network.

Chrysler has released a patch to address the problem.

Wired magazine reported that two US security researchers had managed to remotely take control of a Jeep Cherokee’s air-conditioning system, radio and windscreen wipers while its journalist was driving the vehicle.

“I mean that’s essentially what we did over the cell [mobile] network – we took over the infotainment system and from there reprogrammed certain pieces of the vehicle so we could send control commands,” said Chris Valasek.

U.S. Office of Personnel Management Hacked

WASHINGTON, DC — The OPM (Office of Personnel Management) was hacked. In a statement, OPM said:

The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have compromised the personal information of current and former Federal employees.

Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to Federal personnel.  And OPM immediately implemented additional security measures to protect the sensitive information it manages.

Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident.  The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

In order to mitigate the risk of fraud and identity theft, OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution.  This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.

Additional information is available beginning at 8 a.m. CST on June 8, 2015 on the company’s website, www.csid.com/opm (external link), and by calling toll-free 844-222-2743 (International callers: call collect 512-327-0700).

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com (external link) or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov (external link).
  • Review resources provided on the FTC identity theft website, www.identitytheft.gov (external link).  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf. 

Precautions to Help You Avoid Becoming a Victim

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, www.us-cert.gov/ncas/tips/ST04-013 (external link)).
  • Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (www.antiphishing.org (external link)).
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, www.us-cert.gov/ncas/tips/ST04-004 (external link); Understanding Anti-Virus Software, www.us-cert.gov/ncas/tips/ST04-005 (external link); and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007 (external link)).
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov (external link).
  • Additional information about preventative steps is available from the Federal Trade Commission’s website, www.identitytheft.gov (external link). The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.

    Identity Theft Clearinghouse
    Federal Trade Commission
    600 Pennsylvania Avenue, NW
    Washington, DC 20580
    www.identitytheft.gov (external link)
    1-877-IDTHEFT (438-4338)
    TDD: 1-202-326-2502

IRS Website Hacked

The IRS announced that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.

As always, the IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.

Additional information

The IRS announced today it will be notifying taxpayers after third parties gained unauthorized access to information on about 100,000 accounts through the “Get Transcript” online application.

The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100,000 accounts through the Get Transcript application.

In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.

The IRS temporarily shut down the Get Transcript application last week after an initial assessment identified questionable attempts that had been detected on the system in mid-May. The online application will remain disabled until the IRS makes modifications and further strengthens security for it.

The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation.

The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.

On the Get Transcript application, a further review by the IRS identified that these attempts were quite complex in nature and appear to have started in February and ran through mid-May. In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles. During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.

In addition to disabling the Get Transcript application, the IRS has taken a number of immediate steps to protect taxpayers, including:

  • Sending a letter to all of the approximately 200,000 taxpayers whose accounts had attempted unauthorized accesses, notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application. Although half of this group did not actually have their transcript account accessed because the third parties failed the authentication tests, the IRS is still taking an additional protective step to alert taxpayers. That’s because malicious actors acquired sensitive financial information from a source outside the IRS about these households that led to the attempts to access the transcript application.
  • Offering free credit monitoring for the approximately 100,000 taxpayers whose Get Transcript accounts were accessed to ensure this information isn’t being used through other financial avenues. Taxpayers will receive specific instructions so they can sign up for the credit monitoring. The IRS emphasizes these outreach letters will not request any personal identification information from taxpayers. In addition, the IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward — both right now and in 2016.

These letters will be mailed out starting later this week and will include additional details for taxpayers about the credit monitoring and other steps. At this time, no action is needed by taxpayers outside these affected groups.

The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season.

The IRS emphasizes this incident involves one application involving transcripts — it does not involve other IRS systems, such as our core taxpayer accounts or other applications, such as Where’s My Refund.

The IRS will be working aggressively to protect affected taxpayers and strengthen our protocols even further going forward.
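The IRS statement above describes a knowledge-based authentication (KBA) flow defeated by attackers who already held the answers, and notes that the activity stood out as roughly 200,000 attempts "from questionable email domains" over several months. Static knowledge cannot be the only gate, but the pattern is detectable in authentication logs: one registration domain or one source address touching many distinct accounts in a short time, with a failure rate no genuine population produces. The code below is an added example written for this page, not IRS code; the log format, the thresholds and the sample lines are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real IRS data): timestamp, source IP, registration email, KBA outcome.
# 203.0.113.7 works through five accounts from one domain in twenty seconds; 198.51.100.91 is a
# genuine user who fails once and retries a few minutes later.
SAMPLE_LOG = """\
2015-03-02T10:00:01 203.0.113.7 alice@example-mail.test pass
2015-03-02T10:00:04 203.0.113.7 bob@example-mail.test fail
2015-03-02T10:00:09 203.0.113.7 carol@example-mail.test pass
2015-03-02T10:00:15 203.0.113.7 dave@example-mail.test fail
2015-03-02T10:00:20 203.0.113.7 erin@example-mail.test pass
2015-03-02T10:00:26 203.0.113.8 frank@example-mail.test pass
2015-03-02T11:12:40 198.51.100.22 grace@home-isp.test pass
2015-03-03T08:30:00 198.51.100.91 heidi@home-isp.test fail
2015-03-03T08:33:10 198.51.100.91 heidi@home-isp.test pass
"""


def parse_log(text):
    """Turn the constructed log lines into dicts with parsed timestamps and the email's domain."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, outcome = line.split()
        email = email.lower()
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "email": email,
                     "domain": email.rsplit("@", 1)[1], "ok": outcome == "pass"})
    return rows


def suspicious_domains(rows, min_accounts=3, min_fail_rate=0.3):
    """Flag registration domains whose accounts are attempted in bulk with an abnormal KBA failure rate.
    Thresholds are assumptions for the example; tune them against a real baseline."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for r in rows:
        s = stats[r["domain"]]
        s["accounts"].add(r["email"])
        s["attempts"] += 1
        if not r["ok"]:
            s["fails"] += 1
    flagged = {}
    for domain, s in stats.items():
        rate = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate >= min_fail_rate:
            flagged[domain] = {"accounts": len(s["accounts"]),
                               "attempts": s["attempts"], "fail_rate": round(rate, 2)}
    return flagged


def burst_sources(rows, window=timedelta(minutes=5), min_accounts=3):
    """Flag source IPs that attempt KBA for several distinct accounts inside one sliding window.
    A real taxpayer needs minutes to answer the questions for one account, not seconds for five."""
    by_ip = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)
    flagged = set()
    for ip, events in by_ip.items():
        for i in range(len(events)):
            seen = {events[i]["email"]}
            for j in range(i + 1, len(events)):
                if events[j]["ts"] - events[i]["ts"] > window:
                    break
                seen.add(events[j]["email"])
            if len(seen) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("domains:", suspicious_domains(rows))
    print("burst sources:", sorted(burst_sources(rows)))
```

Both detectors look at aggregate behaviour rather than at any single request, which is the point: each individual attempt in the sample passes or fails exactly like a legitimate one, so a per-request rule would never fire. In production the same counters would be kept per domain and per source over a rolling window and fed to alerting rather than computed over a whole file.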

FBI Warning: Beware of Passengers Hacking Jets

The FBI issued a warning about passengers using in-flight Wi-Fi to hack into the plane’s systems.

“Although the media claims remain theoretical and unproven, the media publicity associated with these statements may encourage actors to use the described intrusion methods,” the alert notes. “Attempting to gain unauthorized access to the onboard networks of a commercial aircraft violates federal law.”

  • Report any suspicious activity involving travelers connecting unknown cables or wires to the IFE system or unusual parts of the airplane seat.
  • Report any evidence of suspicious behavior following a flight, such as IFE systems that show evidence of tampering or the forced removal of covers to network connection ports.
  • Report any evidence of suspicious behavior concerning aviation wireless signals, including social media messages with threatening references to Onboard Network Systems, ADS-B, ACARS, and Air Traffic Control networks.
  • Review network logs from aircraft to ensure any suspicious activity, such as network scanning or intrusion attempts, is captured for further analysis.

Wikipedia Fraud

Wikipedia has reported several cases of government employees and police officers who have made fraudulent changes to Wikipedia pages.

In 2014, Russia was caught changing an entry about the downing of a passenger jet from “shot down by terrorists” to “shot down by Ukrainian soldiers.”

Also in 2014, a Wikipedia “transparency bot” caught a computer in a U.S. House of Representatives office anonymously updating Donald Rumsfeld’s Wikipedia bio by adding that he is an “alien lizard.”

In 2015, the New York Police Department’s computer network at 1 Police Plaza headquarters was used to alter Wikipedia pages containing details of police brutality — “Garner raised both his arms in the air” was changed to “Garner flailed his arms about as he spoke.”

Twitter bots of this kind have proven effective at tracking and publicising government edits to Wikipedia.
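The transparency bots mentioned above work on a simple premise: an anonymous Wikipedia edit is recorded under the editor's IP address, so matching that address against a list of address ranges assigned to an institution attributes the edit to it. The code below is an added example of that check, written for this page; it is not the code of any actual bot. The institution names and address ranges are constructed placeholders (documentation prefixes, not real allocations), and the edit records are constructed in the general shape of a recent-changes feed.

```python
import ipaddress

# Constructed placeholder ranges; a real deployment would load published allocations for the
# institutions it watches. Both IPv4 and IPv6 ranges are supported.
WATCHED_RANGES = {
    "Example Legislature": [ipaddress.ip_network("203.0.113.0/24")],
    "Example Police HQ": [ipaddress.ip_network("198.51.100.0/25"),
                          ipaddress.ip_network("2001:db8:10::/48")],
}

# Constructed edit events: anonymous edits carry the IP address as the user name.
SAMPLE_FEED = [
    {"title": "Example Article", "user": "203.0.113.45", "anon": True, "comment": "wording"},
    {"title": "Unrelated Page", "user": "192.0.2.77", "anon": True, "comment": "typo"},
    {"title": "Example Article", "user": "RegisteredEditor", "anon": False, "comment": "cite"},
    {"title": "Police Incident", "user": "198.51.100.9", "anon": True, "comment": "rephrase"},
    {"title": "Police Incident", "user": "2001:db8:10::1", "anon": True, "comment": "rephrase"},
]


def attribute_edit(event, ranges=WATCHED_RANGES):
    """Return the watched institution an anonymous edit came from, or None."""
    if not event.get("anon"):
        return None                      # registered accounts carry no address in the feed
    try:
        ip = ipaddress.ip_address(event["user"])
    except ValueError:
        return None                      # not an address at all; ignore defensively
    for org, nets in ranges.items():
        # Membership across address families is simply False, so mixed lists are safe.
        if any(ip in net for net in nets):
            return org
    return None


def flag_edits(feed, ranges=WATCHED_RANGES):
    """Walk a feed and return (title, address, institution) for every attributable edit."""
    hits = []
    for event in feed:
        org = attribute_edit(event, ranges)
        if org is not None:
            hits.append((event["title"], event["user"], org))
    return hits


def announcement(hit):
    """Format one hit the way a transparency bot would publish it."""
    title, addr, org = hit
    return "%s was edited anonymously from %s (%s)" % (title, org, addr)


if __name__ == "__main__":
    for hit in flag_edits(SAMPLE_FEED):
        print(announcement(hit))
```

The check is deliberately narrow: it says only that an edit came from a watched address range, not who sat at the keyboard, and shared or proxied networks will attribute an edit to the institution rather than to a person. That is why these bots publish the diff for others to judge rather than asserting motive.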

Wikipedia Sues the NSA

Wikimedia, the non-profit organization that runs Wikipedia, has filed a lawsuit against the NSA over mass surveillance. In a press release, Wikimedia stated:

The Wikimedia Foundation is filing suit against the National Security Agency (NSA) and the Department of Justice (DOJ) of the United States [1]. The lawsuit challenges the NSA’s mass surveillance program, and specifically its large-scale search and seizure of internet communications — frequently referred to as “upstream” surveillance. Our aim in filing this suit is to end this mass surveillance program in order to protect the rights of our users around the world. We are joined by eight other organizations [2] and represented by the American Civil Liberties Union (ACLU). The full complaint can be found here.

“We’re filing suit today on behalf of our readers and editors everywhere,” said Jimmy Wales, founder of Wikipedia. “Surveillance erodes the original promise of the internet: an open space for collaboration and experimentation, and a place free from fear.”

Privacy is the bedrock of individual freedom. It is a universal right that sustains the freedoms of expression and association. These principles enable inquiry, dialogue, and creation and are central to Wikimedia’s vision of empowering everyone to share in the sum of all human knowledge. When they are endangered, our mission is threatened. If people look over their shoulders before searching, pause before contributing to controversial articles, or refrain from sharing verifiable but unpopular information, Wikimedia and the world are poorer for it.

When the 2013 public disclosures about the NSA’s activities revealed the vast scope of their programs, the Wikimedia community was rightfully alarmed. In 2014, the Wikimedia Foundation began conversations with the ACLU about the possibility of filing suit against the NSA and other defendants on behalf of the Foundation, its staff, and its users.

Our case today challenges the NSA’s use of upstream surveillance conducted under the authority of the 2008 Foreign Intelligence Surveillance Act Amendments Act (FAA). Upstream surveillance taps the internet’s “backbone” to capture communications with “non-U.S. persons.” The FAA authorizes the collection of these communications if they fall into the broad category of “foreign intelligence information” that includes nearly any information that could be construed as relating to national security or foreign affairs. The program casts a vast net, and as a result, captures communications that are not connected to any “target,” or may be entirely domestic. This includes communications by our users and staff.

“By tapping the backbone of the internet, the NSA is straining the backbone of democracy,” said Lila Tretikov, executive director of the Wikimedia Foundation. “Wikipedia is founded on the freedoms of expression, inquiry, and information. By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.”

The NSA has interpreted the FAA as offering free rein to define threats, identify targets, and monitor people, platforms, and infrastructure with little regard for probable cause or proportionality. We believe that the NSA’s current practices far exceed the already broad authority granted by the U.S. Congress through the FAA. Furthermore, we believe that these practices violate the U.S. Constitution’s First Amendment, which protects freedom of speech and association, and the Fourth Amendment, which protects against unreasonable search and seizure.

Additionally, we believe that the NSA’s practices and limited judicial review of those practices violate Article III of the U.S. Constitution. A specialized court, the Foreign Intelligence Surveillance Court (FISC), hears issues related to foreign intelligence requests, including surveillance. Under U.S. law, the role of the courts is to resolve “cases” or “controversies” — not to issue advisory opinions or interpret theoretical situations. In the context of upstream surveillance, FISC proceedings are not “cases.” There are no opposing parties and no actual “controversy” at stake. FISC merely reviews the legality of the government’s proposed procedures — the kind of advisory opinion that Article III was intended to restrict.

In 2013, the U.S. Supreme Court dismissed a previous challenge to the FAA, Amnesty v. Clapper, because the parties in that case were found to lack “standing.” Standing is an important legal concept that requires a party to show that they’ve suffered some kind of harm in order to file a lawsuit. The 2013 mass surveillance disclosures included a slide from a classified NSA presentation that made explicit reference to Wikipedia, using our global trademark. Because these disclosures revealed that the government specifically targeted Wikipedia and its users, we believe we have more than sufficient evidence to establish standing.

Wikipedia is the largest collaborative free knowledge resource in human history. It represents what we can achieve when we are open to possibility and unburdened by fear. Over the past fourteen years, Wikimedians have written more than 34 million articles in 288 different languages. Every month, this knowledge is accessed by nearly half a billion people from almost every country on earth. This dedicated global community of users is united by their passion for knowledge, their commitment to inquiry, and their dedication to the privacy and expression that makes Wikipedia possible. We file today on their behalf.

For more information, please see our op-ed, Stop Spying on Wikipedia Users, by Wikipedia founder Jimmy Wales, and Wikimedia Foundation executive director Lila Tretikov, in the March 10 edition of The New York Times. [3]

Michelle Paulson, Senior Legal Counsel, Wikimedia Foundation *
Geoff Brigham, General Counsel, Wikimedia Foundation

* The Wikimedia Foundation and its co-plaintiffs are being represented by the American Civil Liberties Union (ACLU) in this suit. We would like to thank them, in particular Patrick Toomey, Ashley Gorski, and Daniel Kahn Gillmor for their work and dedication throughout this process.

References:

[1] Other defendants include: Michael Rogers, in his official capacity as Director of the National Security Agency and Chief of the Central Security Service; Office of the Director of National Intelligence; James Clapper, in his official capacity as Director of National Intelligence; and Eric Holder, in his official capacity as Attorney General of the United States.
[2] Today, we’re proud to bring this lawsuit alongside a coalition of organizations from across the ideological spectrum, including The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, Pen American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and Washington Office on Latin America. We believe the wide variety of perspectives represented in this lawsuit demonstrates that the defense of privacy and freedom of expression and association is not defined by partisanship or ideology.
[3] To read more about our opposition to mass government surveillance, please see our previous blog posts on PRISM, opposing mass surveillance on the internet, and transparency in the use of surveillance.