Category Archives: Risks

NSA contractor Harold Thomas Martin’s arrest


On August 27th, two dozen camouflage-clad law enforcement officers raided the home, two storage sheds, and vehicle of a man known to have worked, three years ago, at the same consulting firm (Booz Allen Hamilton) as Edward Snowden. Top Secret classified material, including six documents containing code developed in 2014 to hack foreign governments, is alleged to have been removed and retained by the contractor.

The charges filed by the Justice Department are described as follows:

“A criminal complaint has been filed charging Harold (Hal) Thomas Martin III, 51, of Glen Burnie, Maryland, with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor….” “…A large percentage of the materials recovered from Martin’s residence and vehicle bore markings indicating that they were property of the US government and contained highly classified information, including Top Secret and Sensitive Compartmented Information (SCI)…”

The charges could bring 1 year in prison for the unauthorized removal and retention of the top secret material and 10 years in prison for the theft of government property.

Hal Martin's attorneys have stated that he was a US Navy lieutenant and has devoted his entire career to protecting his country. The charges are allegations at this point.

Yahoo’s exfiltration of MD5 credentials

Since Yahoo's announcement that approximately 500 million accounts had been stolen by what it believed to be state-sponsored hackers, the Arizona-based company InfoArmor has claimed that it traced the Yahoo data theft to a hacker group called "Group E". "Group E" is believed to have attempted to sell Yahoo credential data three times since 2015. The data is believed to have been stolen sometime prior to December 4, 2014.

InfoArmor claims to have been tracking “Group E” since 2013 after the hacker group allegedly stole 100M+ records from LinkedIn.

Further claims are that the data was exfiltrated in more than 100 large chunks, ordered alphabetically by user account name. The Yahoo data is believed to have included the following (based on 8 out of 10 Yahoo IDs provided by The Wall Street Journal, which InfoArmor successfully cracked in less than 48 hours):

  1. Login ID
  2. Country Code
  3. Date of Birth
  4. Recovery email address & zipcode
  5. MD5-hashed password
  6. Mobile phone number

Yahoo initially investigated the possibility of a breach in July after discovering that the hackers Tessa88 and 'Peace of Mind' were trying to sell segments of legitimate data mixed with bogus data dumps of Yahoo credentials. During the same period as the investigation, Yahoo was selling its internet business and some real estate to Verizon Communications for $4.8B. In its September 9th securities filing, Yahoo claimed it was not aware of any loss, theft, unauthorized access, or security breach of user data.

(Image: example of Yahoo hash-based credentials)

ACA’s section 1557 requires Nondiscrimination Notices for Limited English Proficiency (LEP)

Beginning on October 17, 2016, covered entities under the Affordable Care Act (ACA) of 2010 will be required under section 1557 to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.

HHS OCR's website has sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines available for download in 64 languages and in two file formats at this link.

To see the guidance from HHS on the top 15 languages spoken in your state, visit this link.


Hutton Hotel PCI Breach 9/2/16

From http://www.huttonhotel.com/notice/CA/

What Happened

After being alerted to a potential security incident by our payment processor, we began an investigation of our payment card systems and engaged a leading cybersecurity firm to assist. Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system.

What Information Was Involved

The program could have affected payment card data—including cardholder name, payment card account number, card expiration date, and verification code—of guests who used a payment card to pay for or place hotel reservations during the period from September 19, 2012 to April 16, 2015, or who made purchases at the onsite food and beverage outlets from September 19, 2012 to January 15, 2015 and from August 12, 2015 to June 10, 2016.

What You Can Do

It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card.

What We Are Doing

Hutton Hotel has implemented enhanced security measures, including the use of stand-alone payment processing devices, to prevent any further unauthorized access to payment card data. We also notified law enforcement and will continue to support their investigation. In addition, we are working closely with the payment card companies to identify potentially affected cards so that the card issuers can be made aware and initiate heightened monitoring on those accounts. For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing address or email address, we will be mailing a letter or sending an email to them.

For More Information

Hutton Hotel deeply regrets any inconvenience or concern this may have caused. If you have questions, please call 844-575-7462 between 8:00 a.m. and 8 p.m. Central time, Monday through Friday.

NorQuest College woes of alleged harassment in IT data theft

NorQuest College is in Edmonton, Alberta. Clarence Orleski was its manager of technology infrastructure until he was terminated on December 4, 2012 by executives Shawn Terlson and John Smith. Apparently, Orleski did not get along with Smith, and on the morning of September 20, 2012, the day of a planned meeting, Smith received an email from Orleski stating:

"I've been wanting to touch base with you and get the name (and contact info) of the lady you introduced to me back in the late fall last year…

I forget her name, but she is the one that you and her thought no one was in the office at the time. I was going to interrupt the two of you, but I felt I might be intruding on something, so I just hung around for a while. 🙂

…I think her name was (woman's name)"

Orleski then went to the meeting, declared that he couldn't stand the sight of Smith, and requested to work from home until his planned retirement in March 2013. The request was denied and Orleski was given a disciplinary warning.

The next day, September 21, Orleski allegedly ran DBAN on his NorQuest work laptop to wipe its hard disk. A few days later, Orleski was reprimanded by Smith for a $10,000 phone bill run up on his work phone and iPad while on vacation in Europe. Smith told Orleski that he had not been expected to be available (i.e., the college should not be expected to pay the bill). Orleski then went on sick leave for two months until his firing.

On January 21, 2013, NorQuest College terminated Terlson as well. Terlson then received an email:

"I guess what I'm trying to figure out is which one are you? 'Dumb' or 'Dumber'… Don't worry, Mr. pretty boy (Smith) won't be far behind you…"

On February 19, 2013, dozens of executives and staff at NorQuest College received an email full of PDFs which began:

"What you're about to read is correspondence of a sexual nature between myself (John Smith) and my little playful sweetie"

On March 1, 2013, a court order was issued and Orleski's personal computer, iPad, phone, and other storage were confiscated by that afternoon. The college made a $2 million claim for damages, but a settlement was reached in 2015 and the lawsuit ended in January 2016. In the end, a privacy breach was uncovered: a folder on Orleski's computer held 45,920 files totaling 2.4 gigabytes of unrelated materials, including financial data, employee personnel information, and the employment contract of the college president.