NSA contractor Harold Thomas Martin’s arrest


On August 27th, two dozen law enforcement officers in camouflage raided the home, 2 storage sheds, and vehicle of a man known to have worked, 3 years ago, at the same consulting firm (Booz Allen Hamilton) as Edward Snowden. Top Secret classified material, six documents containing codes developed in 2014 to hack foreign governments, is alleged to have been removed and retained by the contractor.

The Justice Department describes the charges as follows:

“A criminal complaint has been filed charging Harold (Hal) Thomas Martin III, 51, of Glen Burnie, Maryland, with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor….” “…A large percentage of the materials recovered from Martin’s residence and vehicle bore markings indicating that they were property of the US government and contained highly classified information, including Top Secret and Sensitive Compartmented Information (SCI)…”

The charges could bring 1 year in prison for the unauthorized removal and retention of the top secret material and 10 years in prison for the theft of government property.

Hal Martin’s attorneys have stated that he was a US Navy lieutenant and has devoted his entire career to protecting his country. The charges are allegations at this point.

87 weaknesses in 7 FDA systems

The Government Accounting Office (GAO) was asked to examine and assess seven key Food and Drug Administration (FDA) information systems. The assessment looked at how effectively the FDA had implemented information security controls intended to protect the confidentiality, integrity, and availability of information. As part of the assessment, GAO reviewed security policies, procedures, reports, and other documents, examined the FDA network infrastructure, and interviewed FDA personnel.

The findings by GAO specifically state that the FDA did not always:

  1. adequately protect the boundaries of its network
  2. consistently identify and authenticate system users
  3. limit users’ access to only what was required to perform their duties
  4. encrypt sensitive data
  5. consistently audit and monitor system activity
  6. conduct physical security reviews of its facilities

Number of GAO-identified weaknesses at FDA

| Control Area | # of weaknesses | # of recommendations |
|---|---|---|
| Access Controls | 58 | 122 |
| Configuration Management | 23 | 37 |
| Contingency Planning | 5 | 6 |
| Media protection | 1 | 1 |
| Total | 87 | 166 |


Yahoo’s exfiltration of MD5 credentials

Since Yahoo’s announcement that approximately 500 million accounts had been stolen by what it believed to be state-sponsored hackers, the Arizona-based company InfoArmor claims to have traced the Yahoo data theft to a hacker group called “Group E”. “Group E” is believed to have attempted to sell Yahoo credentials data 3 times since 2015. The data is believed to have been stolen sometime prior to December 4, 2014.

InfoArmor claims to have been tracking “Group E” since 2013 after the hacker group allegedly stole 100M+ records from LinkedIn.

It is further claimed that the data was exfiltrated in over 100 large portions, in alphabetical order of user account names. The Yahoo data is believed to have included the following (based on 8 out of 10 Yahoo IDs provided by The Wall Street Journal and successfully cracked in less than 48 hours by InfoArmor):

  1. Login ID
  2. Country Code
  3. Date of Birth
  4. Recovery email address & ZIP code
  5. MD5 hash-based password
  6. Mobile phone number

Yahoo initially investigated the possibility of the breach in July after discovering that hackers Tessa88 and ‘Peace of Mind’ were trying to sell segments of legitimate data mixed with bogus data dumps of Yahoo credentials. During the same period as the investigation, Yahoo was selling its internet business and some real estate to Verizon Communications for $4.8B. On September 9th, in its securities filing, Yahoo claimed it was not aware of any loss, theft, unauthorized access, or security breach of user data.

[Figure: example of Yahoo hash-based credentials]
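Added example, not from the original post and not code from Yahoo or InfoArmor: one way a defender can retire stored MD5 password digests like those listed above, by wrapping each digest in salted PBKDF2 offline and then rehashing the real password at the next successful login. It assumes the legacy digests are plain unsalted MD5 (the post does not say); the record layout, function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def legacy_md5(password):
    """Assumed legacy scheme: plain unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _pbkdf2(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations).hex()


def wrap_legacy(md5_hex, iterations=ITERATIONS):
    """Upgrade a stored MD5 digest offline, without knowing the password."""
    salt = os.urandom(16)  # per-user salt: equal passwords no longer collide
    return {"scheme": "pbkdf2(md5)", "salt": salt.hex(), "iterations": iterations,
            "hash": _pbkdf2(md5_hex, salt, iterations)}


def new_record(password, iterations=ITERATIONS):
    """Native record, written once the user has logged in again."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "iterations": iterations,
            "hash": _pbkdf2(password, salt, iterations)}


def login(password, record):
    """Return (ok, record_to_store); wrapped records are rehashed on success."""
    wrapped = record["scheme"] == "pbkdf2(md5)"
    secret = legacy_md5(password) if wrapped else password
    candidate = _pbkdf2(secret, bytes.fromhex(record["salt"]), record["iterations"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if wrapped:
        record = new_record(password, record["iterations"])
    return True, record


if __name__ == "__main__":
    # Constructed sample: two accounts that share one password.
    a, b = legacy_md5("correct horse"), legacy_md5("correct horse")
    print("unsalted MD5 digests identical:", a == b)
    ra, rb = wrap_legacy(a), wrap_legacy(b)
    print("wrapped hashes identical:", ra["hash"] == rb["hash"])
    ok, upgraded = login("correct horse", ra)
    print("login ok:", ok, "-> scheme now", upgraded["scheme"])
```
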

ACA’s section 1557 requires Nondiscrimination Notices for Limited English Proficiency (LEP)

Beginning on October 17, 2016, covered entities under the Affordable Care Act (ACA) of 2010 will be required under section 1557 to post Notices of Nondiscrimination and Taglines which alert individuals with limited English proficiency (LEP) to the availability of language assistance services.

HHS OCR’s website has sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines available for download in 64 languages and in two file formats at this link.

To see the guidance from HHS on the top 15 languages spoken in your state, visit this link.


Hutton Hotel PCI Breach 9/2/16

From http://www.huttonhotel.com/notice/CA/

What Happened

After being alerted to a potential security incident by our payment processor, we began an investigation of our payment card systems and engaged a leading cybersecurity firm to assist. Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system.

What Information Was Involved

The program could have affected payment card data—including cardholder name, payment card account number, card expiration date, and verification code—of guests who used a payment card to pay for or place hotel reservations during the period from September 19, 2012 to April 16, 2015, or who made purchases at the onsite food and beverage outlets from September 19, 2012 to January 15, 2015 and from August 12, 2015 to June 10, 2016.

What You Can Do

It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card.

What We Are Doing

Hutton Hotel has implemented enhanced security measures, including the use of stand-alone payment processing devices, to prevent any further unauthorized access to payment card data. We also notified law enforcement and will continue to support their investigation. In addition, we are working closely with the payment card companies to identify potentially affected cards so that the card issuers can be made aware and initiate heightened monitoring on those accounts. For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing address or email address, we will be mailing a letter or sending an email to them.

For More Information

Hutton Hotel deeply regrets any inconvenience or concern this may have caused. If you have questions, please call 844-575-7462 between 8:00 a.m. and 8 p.m. Central time, Monday through Friday.

Information Assurance & Cyber Security Research and Education, a 501(c)(3)