Tag Archives: Cyber Security

Watchdog: California Wildfire Victims Personal Data Wrongly Released By FEMA

By Christine Weicher

(CBS News) — The Federal Emergency Management Agency, charged with providing support to victims of disasters, unwittingly released private personal information of 2.3 people affected by the 2017 California wildfires and hurricanes Harvey in Texas, Irma in Florida and Maria in Puerto Rico. The agency has acknowledged it is a “major privacy incident.”

An investigation by the Office of Inspector General (OIG), stamped “for official use only,” criticized the agency, saying “FEMA did not take steps to ensure it only provided only required data” to transitional shelters, including hotels. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud,” the report read.

An unnamed private contractor was charged with administering the Transitional Shelter Assistance (TSA) program and had access to social security numbers, bank accounts and bank transfer numbers. Part of the OIG’s report is redacted.

“FEMA provided much more information than was necessary,” FEMA Press Secretary Lizzie Litzow is quoted as saying.

FEMA reported it has complied with the OIG’s recommendations to “safeguard both Personally Identifiable Information and Sensitive Personally Identifiable Information of disaster survivors.”


Teenagers Put To The Test In Cyber Security Competition

DENVER (CBS4) – A competition between high school and middle school students took on one of the toughest problems of our time. The teenagers were ready to tackle cyber security.


It may not look like it by their calm demeanor, but in a computer lab at Red Rocks Community College there is a fierce, white knuckle, high-stakes competition going on.

“We usually like totally freak out,” said Lydia Tan.


It’s called CyberPatriot, and it’s a competition hosted by the U.S. Air Force. Teams from all over the country try to find security problems and challenges for a fictional customer.

“We either like update the server, try to fix some bugs, search any hacking tools try to delete them… basically like refining the whole entire computer system,” Tan said.


This team is a group of girls from D’evelyn Middle School in Denver. They’ve been competing in these competitions for a while, but Saturday is kind of a big one.

If they win, they get a trip to the national finals in Baltimore.

“We did prepare a lot before this, so I am pretty confident that we might actually get to nationals,” said Tan.

And while a trip to nationals would be an honor, the skills these girls are learning are the most valuable prize of all.


“As technology gets, you know, better these days, I think it’s important to know like some specific stuff in case it happens to you in the future and it makes things more productive in life,” Tan said.

Saturday wasn’t about that, though; it was about the bond they are creating with each other while learning.

“I feel like our bond is closer now,” said Tan. “You just learn stuff, and it’s pretty fun.”

Data Often Left Unsecured As More Companies Rely On Cloud-Based Systems

MOUNTAIN VIEW (KPIX) — It’s part of our mobile-connected lifestyle: storing much of our personal information on the cloud as backup to keep it safe. But the cloud has leaks that have put millions of Americans’ private information at risk.

To all the lazy, ignorant, and careless IT administrators out there, consider this your warning.

Chris Vickery spends his days poking around databases looking for sensitive data left out in the open, unprotected on the internet. For legal reasons, we can’t even look at the screen when he’s doing this.

In just a few minutes, jackpot. “Ok, so we have now a 54 gigabyte database backup, completely exposed to the public internet,” he said.

Vickery is a legend in cloud security. Which means he’s not just good, he’s damn good. “How much damage could you do with that information?” we asked him.

“If I were a bad guy, there’s no telling,” said Vickery. “It all depends on what access has been granted to that account. But the point is, there’s 54 gigs here. And I just found that by scrolling through and doing a little Ctrl-F. With time, resources, a team, you could potentially destroy the company.”

Vickery is a cyber risk analyst at Upguard, a five-year-old startup based in Mountain View. He is trying to raise awareness about the massive amounts of data currently stored in the cloud and up for grabs.

How easy is it to find this unsecured data? “I could teach a monkey to do this,” he said.

It’s sensitive stuff, stored in repositories referred to as “buckets” on web servers owned mostly by Amazon Web Services, Google and Microsoft. They’re supposed to be password-protected. But some are left open, exposing the data inside.

This year alone, Vickery stumbled upon a bucketful of data from the Republican National Committee, including dates of birth, home addresses, phone numbers and voter registration details on 198 million voters. It’s the largest known data exposure of its kind.

Another bucket he found contained dates of birth, driver licenses and partial social security numbers of 1.8 million Chicago voters.

Yet another: names and cellphone numbers of 14 million Verizon subscribers, all sitting in a bucket that had no password protection.

Upguard CEO Mike Baukes says the exposures usually happen when companies migrate their data from their own in-house hard drives to the cloud, which itself is relatively new and complex technology.

“It’s pretty evident why they’ve done it. They’ve done it for the human need to make things simpler, ultimately,” said Baukes. “But then the unfortunate thing is that they’ve unintentionally left a lot of stuff open to the rest of the human population.”

Many companies don’t have the expertise on staff, so they hire a third-party vendor, who may hire another third-party vendor, passing all your private information from one hand to another. “The primary person you are working with you may be able to engage with their security, but you don’t know anything about what the vendor is doing,” said Betsy Cooper, Executive Director of the UC Berkeley Center for Long Term Cybersecurity.

“They take your data for a very short amount of time and then they move it forward, in that case there is the opportunity for lots of different touch points and therefore lots of different possible issues,” said Cooper.

In the Chicago voter database breach, a third-party company that runs voting systems all over the country – ES&S – admitted it was to blame. “When we set it up, we set it with the wrong security settings,” said ES&S CEO Tom Burt.

Verizon’s data breach happened through a third-party vendor called Nice Systems, which did not respond to our request for comment.

In a statement Verizon said, “No Verizon customer information was lost or stolen. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention.” Verizon also said six million customers were exposed by the breach.

Upguard says word is getting out, and they have noticed cloud service providers making setups more secure, but it’s a long road ahead. Until then, for Vickery, every day is like a birthday-Christmas-treasure hunt, all rolled into one.

By the way, Upguard always gives the company that left the unguarded data on the cloud a heads up, and makes sure the unsecured data is secured — before alerting the public.

Former Yahoo CEO Grilled By Congress About Security Breach

WASHINGTON (CNN Money) — Marissa Mayer was given one final job for Yahoo: getting grilled by Congress.

Mayer, the former CEO of Yahoo, testified before the Senate Commerce Committee on Wednesday about a security breach that compromised three billion user accounts, making it the single largest breach in history.

“As CEO, these thefts occurred during my tenure and I want to sincerely apologize to each and every one of our users,” Mayer said in opening remarks at the Senate hearing.

The breach took place in August 2013 and was disclosed by Yahoo in 2016. Yahoo initially said it impacted more than one billion accounts. Verizon, which acquired Yahoo in June, revealed last month that the breach actually compromised all accounts.

At the data breach hearing, which also featured the current and former CEOs of Equifax, Mayer was pressed on why it took so long to disclose the breach and how it could have underestimated the impact by billions of accounts.

“Yahoo did not know of the intrusion in 2013. We learned of the intrusion by files presented to us in 2016,” Mayer said. She deflected the increased estimate by noting it was revealed after her tenure at the company had ended.

Mayer left Yahoo when the acquisition closed in June. She walked away from the company with nearly $260 million at the time in stock and severance.

Sen. Brian Schatz, a Democrat from Hawaii, called it “unfathomable to the average person” that the CEOs of Yahoo or Equifax could walk away with “possibly a quarter of a billion dollars” despite the data security failures.

“You harm consumers and you walk away with the amount of money that a small city or county uses for their annual operating budget,” Schatz said.

Sen. Jerry Moran, a Republican from Kansas, pressed the Yahoo and Equifax executives on whether consumers can expect their data to be safer today in the wake of the breaches. Verizon’s chief privacy officer, Karen Zacharia, stumbled and stopped short of saying yes.

In her remarks, Mayer said companies are effectively in an “arms race” with private hackers and state-sponsored actors as their methods “become more sophisticated.”

“The threat from state-sponsored attacks has changed the playing field so dramatically that today I believe all companies, even the most well defended ones, could fall victim to these crimes,” Mayer said.

The Justice Department previously indicted two Russian spies for a separate 2014 breach of Yahoo’s data. The source of the 2013 breach remains unknown.

™ & © 2017 Cable News Network, Inc., a Time Warner Company. All rights reserved

Is Your Refrigerator A National Security Risk?

By Shaun Boyd

WASHINGTON (CBS4) – The federal government is worried some refrigerators and coffee pots could pose a national security risk, and it’s taking action.

Colorado’s U.S. Senator Cory Gardner is among a bipartisan group of senators who are sponsoring legislation to secure the so-called Internet of Things – everyday devices that are embedded with computer chips and sensors.

Gardner says those devices can be used as weapons of mass disruption.

“The federal government orders billions of dollars worth of Internet of Things devices each and every year,” says Gardner. “These are things that can be hacked into. You can try to control systems, instruments with them. You can certainly read what people are doing and maybe even eavesdrop on a conversation people are having.”


Just last year baby monitors and webcams were used in a cyberattack that took down major websites like Twitter, Spotify and PayPal.

The devices serve as portals to networks.


As Chair of the Senate Cybersecurity Caucus, Gardner is sponsoring a bill that would require that any internet-connected device purchased by the government meet basic security standards.

“Things like firewalling off information, requiring patchable and securable devices, making sure that you don’t have a hardcoded password from a factory that someone can have access to.”

He says many of the devices are imported and have little to no security, making them highly vulnerable gateways into government systems that can be exploited by criminals and other countries.


“We’re facing kind of a brave new world when it comes to these things and we need to be prepared from a policy standpoint to address it. Everything around us is going to have to be looked at from a security perspective and what we are doing as a country to advance innovation while making sure we are safeguarding people.”

The Internet of Things includes about 15 billion devices, from thermostats to appliances, but it could grow to 50 billion over the next few years.

While the legislation only applies to devices sold to the government, Gardner is hopeful the changes will carry over to those sold in the private sector.

Shaun Boyd is CBS4’s political specialist. She’s a veteran reporter with more than 25 years of experience.