Ransomware criminals are dumping kids’ private files online after school hacks

BY FRANK BAJAK, HEATHER HOLLINGSWORTH AND LARRY FENN

July 5, 2023

The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts.

“Please do something,” begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis. Other victims talked about wetting the bed or crying themselves to sleep.

Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. Other exposed data included medical records, discrimination complaints, Social Security numbers and contact information of district employees.

Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. “In this case, everybody has a key,” said cybersecurity expert Ian Coldwater, whose son attends a Minneapolis high school.

MORE

Twitter risks fraying as engineers exit over Musk upheaval

By FRANK BAJAK
November 18, 2022

Elon Musk’s managerial bomb-throwing at Twitter has so thinned the ranks of software engineers who keep the world’s de-facto public square up and running that industry insiders and programmers who were fired or resigned this week agree: Twitter may soon fray so badly it could actually crash.

Musk ended a very public argument with nearly two dozen coders over his retooling of the microblogging platform earlier this week by ordering them fired. Hundreds of engineers and other workers then quit after he demanded they pledge to “extremely hardcore” work by Thursday evening or resign with severance pay.

The newest departures mean the platform is losing workers just at it gears up for the 2022 FIFA World Cup, which opens Sunday. It’s one of Twitter’s busiest events, when tweet surges heavily stress its systems.

“It does look like he’s going to blow up Twitter,” said Robert Graham, a veteran cybersecurity entrepreneur. “I can’t see how the lights won’t go out at any moment” — although many recently departed Twitter employees predicted a more gradual demise.

Three engineers who left this week described for The Associated Press why they expect considerable unpleasantness for Twitter’s more than 230 million users now that well over two-thirds of Twitter’s pre-Musk core services engineers are apparently gone. While they don’t anticipate near-term collapse, Twitter could get very rough at the edges — especially if Musk makes major changes without much off-platform testing.

MORE

Tech audit of Colonial Pipeline found ‘glaring’ problems

By FRANK BAJAK

May 12, 2021

BOSTON (AP) — An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

FULL STORY

Whistleblower vindicated in Cisco cybersecurity case







August 1, 2019

By FRANK BAJAK

BOSTON (AP) — A computer security expert who has won a trailblazing payout in a whistleblower lawsuit over critical security flaws he found in October 2008 in Cisco Systems Inc. video surveillance software thought his discovery would be a career-boosting milestone.

James Glenn imagined at the time that Cisco would credit him on its website. The software was, after all, used at major U.S. international airports and multiple federal agencies with sensitive missions

“I mean, this was a pretty decent accomplishment,” Glenn said Thursday in a phone interview.

Instead, he was fired by the Cisco reseller in Denmark that employed him, which cited cost-cutting needs. And Cisco kept the flaws in its Video Surveillance Manager system quiet for five years.

Only Wednesday, when an $8.6 million settlement was announced and the lawsuit he filed in 2011 under the federal False Claims Act unsealed, was Glenn’s ordeal revealed — along with the potential peril posed by Cisco’s long silence.

MORE

 

WhatsApp flaw let spies take control with calls alone







whatsapp nsoMay 14, 2019

By FRANK BAJAK and RAPHAEL SATTER

Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a flaw in the popular WhatsApp communications program to remotely hijack dozens of phones without any user interaction.

The Financial Times identified the hacking group as Israel’s NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.

WhatsApp all but confirmed the identification, describing hackers as “a private company that has been known to work with governments to deliver spyware.” A spokesman for the Facebook subsidiary later said: “We’re certainly not refuting any of the coverage you’ve seen.”

WhatsApp has released a new version of the app containing a fix.

The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle. The malware allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones and vacuuming up personal and location data. Encryption is worthless once a phone’s operating system has been violated.

Hackers are always looking for flaws in apps and operating systems that they can exploit to deliver spyware. State-run intelligence agencies including the U.S. National Security Agency invest tens of millions of dollars on it. Indeed, Google’s ProjectZero bug-hunting team scoured WhatsApp last year looking for vulnerabilities but did not find any. Instead, it was WhatsApp’s security team that found the flaw.

MORE

 

A year in digital insecurity – nothing, and no one is safe







I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.

Credit: Andy Greenberg

In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team).  Customers of 55 U.S. health care providers were hacked, the biggest Anthem, which did not encrypt social security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware _ which holds data hostage _ is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself an trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities.  Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June.  Tim CookWeakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.