Now browsing by tag: system
Hack of #Baltimore’s 911 #dispatch system was #ransomware #attack, city #officials say

The hack that forced Baltimore’s 911 dispatch system to be temporarily shut down over the weekend was a ransomware attack, city officials said Wednesday.

Such attacks — another of which occurred in Atlanta last week — take over parts of private or municipal computer networks and then demand payment, or ransom, for their release.

Frank Johnson, chief information officer in the Mayor’s Office of Information Technology, said he was not aware of any specific ransom request made by the hackers of Baltimore’s network, but federal authorities are investigating.

“The systems and the software and the files are all being investigated by the FBI right now,” Johnson said.

No personal data of city residents was compromised, he added.

Dave Fitz, an FBI spokesman, could not be reached Wednesday. On Tuesday, Fitz said the agency was aware of the breach and providing assistance to the city, but otherwise declined to comment.

The attack infiltrated a server that runs the city’s computer-aided dispatch, or CAD, system for 911 and 311 calls. The system automatically populates 911 callers’ locations on maps and dispatches the closest emergency responders there more seamlessly than is possible with manual dispatching. It also relays information to first responders in some cases and logs information for data retention and records.

The breach shut down the CAD system from Sunday morning until Monday morning, forcing the city to revert to manual dispatching during that time. While the city’s 911 calls are normally recorded online on Open Baltimore, the city dispatch logs stopped recording them at 9:54 a.m. Sunday and didn’t resume recording them again until 7:42 a.m. Monday.

Johnson said the attack was made possible after a city information technology team, while troubleshooting a separate communications issue with the server, inadvertently changed a firewall rule and left a port (a channel to the Internet) open for about 24 hours. Hackers who were likely running automated scans of networks looking for such openings found it and gained access.
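The failure mode described here (a firewall change made during troubleshooting that is never reverted, leaving a port exposed long enough for routine scanning to find it) is one that a periodic rule audit catches. The following is an added example, not code from the article or from the city: it compares a snapshot of inbound accept rules against an approved baseline and reports any port reachable from outside RFC 1918 space that the baseline does not permit, together with how long the rule has been in place. The rule format, the baseline, the timestamps and the 3389 entry are all constructed for the example; real firewalls export rules differently, so the parser is the part you would swap out.

```python
"""Firewall allow-rule drift check (added example; not the city's tooling).

Rule lines use a constructed, simplified format:
    <action> <proto> <dport> <source_cidr> <added_iso_timestamp>
IPv4 only, which is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network

# RFC 1918 ranges: a rule whose source lies entirely inside one of these
# is reachable only from the internal network, not from the Internet.
PRIVATE_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed approved baseline: HTTPS from anywhere, SSH from inside only.
BASELINE_RULES = """
accept tcp 443 0.0.0.0/0      2018-03-01T00:00:00
accept tcp 22  10.0.0.0/8     2018-03-01T00:00:00
"""

# Constructed current snapshot: the troubleshooting rule (3389 from anywhere)
# was added a day ago and never removed; the SNMP rule is internal-only.
CURRENT_RULES = """
accept tcp 443  0.0.0.0/0      2018-03-01T00:00:00
accept tcp 22   10.0.0.0/8     2018-03-01T00:00:00
# added during troubleshooting, never reverted (constructed)
accept tcp 3389 0.0.0.0/0      2018-03-24T09:00:00
accept udp 161  192.168.5.0/24 2018-03-24T10:00:00
"""

NOW = datetime.fromisoformat("2018-03-25T09:30:00")  # constructed audit time


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dport: int
    source: str
    added: datetime


def parse_rules(text):
    """Parse the simplified rule format, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, dport, source, added = line.split()
        rules.append(Rule(action.lower(), proto.lower(), int(dport),
                          source, datetime.fromisoformat(added)))
    return rules


def internet_exposed(rule):
    """True if an accept rule admits traffic from outside private address space."""
    net = ip_network(rule.source, strict=False)
    return rule.action == "accept" and not any(net.subnet_of(p) for p in PRIVATE_RANGES)


def find_drift(current, baseline, now):
    """Return (proto, port, hours_exposed) for Internet-facing accept rules
    whose proto/port pair the baseline does not allow."""
    allowed = {(r.proto, r.dport) for r in baseline if r.action == "accept"}
    findings = []
    for r in current:
        if internet_exposed(r) and (r.proto, r.dport) not in allowed:
            hours = (now - r.added).total_seconds() / 3600
            findings.append((r.proto, r.dport, round(hours, 1)))
    return sorted(findings)


def run_check():
    """Audit the constructed snapshot against the constructed baseline."""
    return find_drift(parse_rules(CURRENT_RULES), parse_rules(BASELINE_RULES), NOW)


if __name__ == "__main__":
    for proto, port, hours in run_check():
        print(f"DRIFT: {proto}/{port} open to the Internet for {hours} h, not in baseline")
```

Running the check against a rule export on a schedule (hourly, say) and alerting on any finding turns a 24-hour exposure window into one the on-call team hears about within the hour. The internal-only SNMP rule is deliberately not flagged: the audit cares about what the Internet can reach, not every change.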

“I don’t know what else to call it but a self-inflicted wound,” Johnson said. “The bad guys did not get in on their own without the help of someone inadvertently leaving the door open.”

Once the “limited breach” was identified, city information technology crews “were able to successfully isolate the threat and ensure that no harm was done to other servers or systems” on the city’s network, Johnson said. And once “all systems were properly vetted, CAD was brought back online.”

Johnson said the city “continues to work with its federal partners to determine the source of the intrusion.”

The Baltimore hack comes amid increasing hacking of municipal systems across the country, and follows one in Atlanta last week that paralyzed that city’s online bill-payment system, with hackers demanding a $51,000 payment in bitcoin to unlock it. That attack occurred Thursday, and Atlanta employees only turned their computers back on Tuesday.

Johnson said his office works diligently to prevent cyberattacks and is looking to invest more in safeguarding its networks.

Baltimore also faced cyberattacks during the unrest in 2015, when its website was taken offline. Johnson said he was unaware of any other successful attacks on the city’s networks. He said the city would be obligated to disclose any attacks that compromised residents’ personal information, health information or crime data.

Johnson said he feels the city recovered well from the breach once it was identified, but that he did not want to go into detail about what was done lest he expose the city to more attacks.

The city has a $2.5 million contract with TriTech Software Systems to maintain its CAD software and provide “technical support services to ensure the functional integrity” of the city’s CAD system.

Scott MacDonald, TriTech’s vice president of public safety strategy, said the company worked with city IT personnel to shut down the CAD software after the attack. The breach was not related to the company’s software, MacDonald said.

“When we were alerted of it, it was reported that the server had some sort of compromise,” he said. “Our techs connected and worked with the IT staff there, and the CAD system was taken down manually, in combination between our staff and theirs, while the servers could be troubleshooted by the city.”


The post Hack of #Baltimore’s 911 #dispatch system was #ransomware #attack, city #officials say appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Intel #Chairman: Election #Cybersecurity Fixes ‘Might Not be in #Time to Save the #System’

Homeland Security Secretary Kirstjen Nielsen told senators that most states are being cooperative with the whole-of-government effort to protect voting systems from cyberintrusions, though there are two unnamed states “who aren’t working with us as much as we would like right now.”

Members of the Senate Intelligence Committee grilled Nielsen last week about what is being done to secure the vote in light of Russia’s influence operation in the 2016 campaign, and for an inside perspective on that campaign season former DHS Secretary Jeh Johnson joined Nielsen at the witness table.

Chairman Richard Burr (R-N.C.) praised DHS for making “great strides towards better understanding elections, better understanding the states, and providing assistance that makes a difference to the security of our elections.”

“But there’s more to do. There’s a long wait time for DHS premier services. States are still not getting all the information they feel they need to secure their systems,” Burr said. “The department’s ability to collect all the information needed to fully understand the problem is an open question, and attributing cyber attacks quickly and authoritatively is a continuing challenge.”

The chairman stressed that “this issue is urgent — if we start to fix these problems tomorrow, we still might not be in time to save the system for 2016 and 2020.”

Vice-Chairman Mark Warner (D-Va.) noted that in 2016 Russian actors “were able to penetrate Illinois’ voter registration database and access 90,000 voter registration records — they also attempted to target the election systems of at least 20 other states.”

“The intelligence community’s assessment last January concluded that Russia secured and maintained access to multiple elements of U.S. state and local election boards,” he said. “And the truth is clear that 2016 will not be the last of their attempts.”

Nielsen described the DHS arm of the election security mission as providing “assistance and support to those officials in the form of advice, intelligence, technical support, incident response planning, with the ultimate goal of building a more resilient, redundant, and secure election enterprise.”

“Our services are voluntary and not all election officials accept our offer of support. We continue to offer it; we continue to demonstrate its value. But in many cases state and local officials have their own resources and simply don’t require the assistance that we’re offering,” she said.

So far, the secretary told senators, “more than half” of states have signed up for DHS’ cyber hygiene scanning service, an automated remote scan “that gives state and local officials a report identifying vulnerabilities and offering recommendations to mitigate them.”

Another tool DHS is using is information sharing directly with election officials “through trusted third parties such as the Multi-State Information Sharing and Analysis Center, or MS-ISAC, and we look forward to the creation of the Election ISAC.”

Nielsen emphasized the need to “rapidly share information about potential compromises with the broader community so that everyone can defend their systems.”

“This collective defense approach makes all election systems more secure,” she said. “We’re also working with state election officials to share classified information on specific threats, including sponsoring up to three officials per state with security clearances and providing one-day read-ins as needed when needed, as we did in mid-February for the secretaries of state and election directors. We are also working with the intelligence community to rapidly declassify information to share with our stakeholders.”

Unlike DHS’ posture in 2016, Nielsen said the department now knows which person to contact in every state to share threat information.

“DHS is leading federal efforts to support and enhance the security of election systems across the country. Yet we do face a technology deficit that exists not just in election infrastructure but across state and local government systems,” she said. “It will require a significant investment over time and will require a whole-of-government solution to ensure continued confidence in our elections.”

Johnson talked about the Obama administration’s reticence to make a wrong move on Russia’s campaign interference and give the appearance that the White House was stepping into the election.

“The reality is that, given our electoral college and our current politics, national elections are decided in this country in a few precincts in a few key swing states. The outcome, therefore, may dance on the head of a pin. The writers of the TV show House of Cards have figured that out. So can others,” Johnson told lawmakers, adding he’s “pleased by reports that state election officials to various degrees are now taking serious steps to fortify cybersecurity of their election infrastructure and that the Department of Homeland Security is currently taking serious steps to work with them in that effort.”

Nielsen said DHS is trying to get security clearances for those three election contact persons in each state, but only “about 20” of those 150 officials have received the full clearance. “We’re granting interim secret clearances as quickly as we can,” she said, adding later that they’re “widely using day read-ins now, so we’re not going to let security clearances hold us up.”

The secretary said “a lot of work” has been accomplished at DHS over the past year on “related processes,” including working with the intelligence community to declassify information as “some of the information does not originate within DHS, so we need to work with our partners to be able to share it.”

“The second one is on victim notification. We have a role there, but so does FBI and so does MS-ISAC, which in this case the Multi-State Information Sharing and Analysis Center was in some cases the first organization to identify some of the targeting,” Nielsen said. “So we have to work with whomever originates the information. We all have different roles. So we’ve worked to pull it all together so that we can quickly notify victims of what has occurred.”

Pressed on the current level of cyber threat from malicious actors heading into midterm elections, Nielsen replied that “the threat remains high.”

“We think vigilance is important, and we think there is a lot that we all need to do at all levels of government before we have the midterm elections,” she said. “I will say our decentralized nature both makes it difficult to have a nationwide effect, but also makes it perhaps of greater threat at a local level. And, of course, if it’s a swing state or swing area that can, in turn, have a national effect.”

“So what we’re looking at is everything from registration and validation of voters — so those are the databases, through to the casting and the tabulation of votes, through to the transmission — the election night reporting, and then, of course, the — the certification and the auditing on the back end. All of those are potential vulnerabilities. All of those require different tools and different attention by state and locals,” Nielsen continued, adding that the federal government continues to work with state and local jurisdictions “to also help them look at physical security.”

“They need to make sure that the locations where the voting machines are kept, as well as the tabulation areas, they need access control and very traditional security like we would in other critical infrastructure areas,” she said.

Johnson told senators that “with the benefit of two years’ hindsight it does seem plain… that the Russian effort has not been contained; it has not been deterred.”

“In my experience, superpowers respond to sufficient deterrence and will not engage in behavior that is cost prohibitive. Plainly, that has not occurred and more needs to be done,” the former DHS chief said. “With the benefit of hindsight, the sanctions we issued in late December [2016] have not worked as an effective deterrent and it’s now on the current administration to add to those and follow through on those.”


Will Your #Cybersecurity Defense #System Protect Your #Organization?

For a homeowner, the knowledge that a trained eye has evaluated the home security system — and attested that it is in good working order — can go a long way toward a good night’s sleep.

The same goes for business owners and executives in charge of keeping the company’s digital assets safe. Recent global ransomware attacks, such as the WannaCry and NotPetya strains, have highlighted the growing and pervasive risks to organizations of all sizes and in all sectors of the economy.

Many business owners and executives believe that they can manage these risks with technology such as firewalls and anti-virus software. However, just as an alarm system that has never been activated is useless, defensive technology will not overcome bad controls and human error.

Stakeholders Scrutinize Cybersecurity Defenses
Boards of directors, customers, employees, investors, business partners, and regulatory bodies expect organizations to have processes and controls designed to prevent, detect, and mitigate the effects of cybersecurity events. Increasingly, these stakeholders expect independent third-party reports that attest to the effectiveness of the organization’s cybersecurity risk management program.

But the challenge has been choosing from among a multitude of reporting frameworks and solution providers. In 2017, the American Institute of CPAs (AICPA) introduced a robust, industry-agnostic framework intended to provide the market with a conventional approach to evaluating and reporting on a company’s cybersecurity risk management program.


New York is #quietly working to #prevent a major #cyber attack that could bring down the #financial #system

Source: National Cyber Security News

Five months before the 9/11 attacks, US Secretary of Defense Donald Rumsfeld sent a memo to one of his advisers with an ominous message.

“Cyberwar,” read the subject line.

“Please take a look at this article,” Rumsfeld wrote, “and tell me what you think I ought to do about it. Thanks.”

Attached was a 38-page paper, published seven months prior, analyzing the consequences of society’s increasing dependence on the internet.

It was April 30, 2001. Optimistic investors and frenzied tech entrepreneurs were still on a high from the dot-com boom. The World Wide Web was spreading fast.

Once America’s enemies got around to fully embracing the internet, the report predicted, it would be weaponized and turned against the homeland.

The internet would be to modern warfare what the airplane was to strategic bombers during World War I.

The paper’s three authors — two PhD graduates and the founder of a cyber defense research center — imagined the damage a hostile foreign power could inflict on the US. They warned of enemies infecting computers with malicious code, and launching mass denial of service attacks that could bring down networks critical to the functioning of the American economy.


Women #allegedly #hack #college #computer system to change #grades

Source: National Cyber Security – Produced By Gregory Evans

The Bucks County District Attorney’s office said Aleisha Morosco tried multiple times to change her microbiology grade.

After several failed attempts, she enlisted a friend’s help, orchestrating a security breach at Bucks County Community College.

Authorities said while working at a medical office affiliated with Penn Medicine, Kelly Marryott accessed a faculty member’s personal information and leaked it to her friend, Aleisha Morosco.

Desperate to change her grade, Morosco then used the stolen data to gain unauthorized access to BCCC’s computer system. Officials said that while inside the system, Morosco changed not just her own grade but the grades of several other students in her microbiology class.

“The investigators were able to find out the IP address used to access the professor’s account and change the grades,” said Jovin Jose, ADA Bucks County. “That same IP address was used by one of the charged defendants.”

The electronic footprint led investigators to Morosco and to her 37-year-old friend, Marryott.

“They got his personal information, and shouldn’t have obtained the use for that purpose,” said Jose. “We intend to prove at trial that they accessed his information to change grades, which is a crime.”

Bucks County Community College issued this response to Action News:

“BCCC takes the integrity of its data systems very seriously, and all of the grades altered in the breach were restored to their correct level.”

Students on campus are stunned a classmate would go to these lengths to change a grade.

“It’s crazy. You deserve the grade you get,” said Emily Bombino. “And if you have an issue talk to your professor. Don’t go around changing, stealing his information.”

Both women face felony counts of unlawful computer use and identity theft. A court date is tentatively set for December.


Researchers #Hack Car Infotainment #System and Find #Sensitive User #Data Inside

Source: National Cyber Security – Produced By Gregory Evans

People who are worried about their security will use a secure phone, lock down their computer, and use strong passwords for their online accounts. But how many people have considered that their car could be leaking their most sensitive data?

A researcher who recently decided to investigate his car’s infotainment system found that it was not designed using modern software security principles, yet it stored a lot of personal information taken from his phone that could be valuable to hackers.

Executing code on the car’s infotainment unit was extremely easy: connecting a USB flash drive containing specially crafted scripts was enough. The system automatically picked up those files and executed them with full administrative privileges.

Car enthusiasts have used the same method in the past to customize their infotainment systems and run non-standard applications on them, but Gabriel Cîrlig, a senior software engineer at security firm Ixia, wanted to understand the security implications of this technique.

What he found was a major privacy issue where call histories, contacts, text messages, email messages, and even directory listings from mobile phones that had been synchronized with the car, were being stored persistently on the infotainment unit in plain text.

Mobile operating systems like Android and iOS go to great lengths to protect such data by restricting which applications have access to it or by allowing users to encrypt their devices. All that security could be undone if people pair their devices over Bluetooth with an infotainment system like the one found in Cîrlig’s car.

Cîrlig and an Ixia colleague Ștefan Tănase decided to go even further and investigate how the car’s infotainment unit could be potentially abused by an attacker or even law enforcement to track users and obtain information about them that they couldn’t otherwise get from their mobile devices.

The researchers presented their findings Friday at the DefCamp security conference in Bucharest, but declined to disclose the car make or model because they’re still in the process of reporting the privacy issue they found. However, they mentioned that the car was made by a Japanese manufacturer.

Cîrlig told me that there is a firmware update available that blocks the USB attack vector on his car, but installing it requires going to a dealership. This means that a large number of cars will likely never be patched.

The infotainment system itself is a hacker’s paradise and is more powerful than most embedded devices, including home routers. It has a Cortex-A9 CPU with 1GB of RAM, as well as Wi-Fi and GPS. The operating system is based on Linux and has a fully functional Bash command-line shell with all its usual utilities. On top of that, there are various debugging tools, including for the GPS, that the system’s developers did not bother to remove, according to Cîrlig.

It looks like technology that was created in a rush without any concern for security engineering, Cîrlig told me. “A production system, at least for a car, should be completely locked down.”

He thinks that some of the software design choices were driven by convenience, such as storing unencrypted sensitive user data indefinitely instead of requesting it again from the phone whenever the device is in proximity.

In addition to data copied from mobile devices, Cîrlig found other sensitive information on the infotainment unit, such as a list of favorite locations the car has been driven to or from, voice profiles, vehicle status information, and GPS coordinates.

For their presentation, Cîrlig and Tănase showed a proof-of-concept malware program—a Bash script—that when executed via USB, continuously looked for open Wi-Fi hotspots, connected to them and could exfiltrate newly collected data. By combining this malware with location data from the GPS, an attacker could also track the car in real time on a map.

To make things worse, the rogue script is installed as a cron job—a scheduled task on Linux—and is persistent. Even if the infotainment system is reset to factory defaults, cron jobs are not removed, the researchers said.
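Because the persistence described here lives in the cron tables, which survive a factory reset, an integrity check of those tables is the natural defensive counterpart: compare every scheduled job against the set of commands the image is expected to run, and treat anything launched from removable media or a scratch directory as a finding. The following is an added example, not the researchers’ code or any vendor’s: a small crontab parser and audit over a constructed sample crontab. The allowlist, the untrusted path prefixes and the sample jobs are all assumptions of the example; a real deployment would derive the allowlist from the signed firmware image.

```python
"""Crontab persistence audit (added example; not the researchers' tooling).

Parses crontab text, then flags jobs that run from locations an embedded
image should never schedule from, or whose executable is not on the allowlist.
"""
import shlex

# Constructed allowlist: executables the firmware image is expected to schedule.
ALLOWED_COMMANDS = {"/usr/bin/system-telemetry", "/usr/sbin/logrotate"}

# Removable media and scratch space: a scheduled job should never start from here.
UNTRUSTED_PREFIXES = ("/media/", "/mnt/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample crontab: two legitimate jobs, one job launched from a USB
# mount at boot, and one minutely job from /tmp with all output discarded.
SAMPLE_CRONTAB = """
# constructed crontab sample
SHELL=/bin/sh
*/5 * * * * /usr/bin/system-telemetry --flush
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /media/usb0/.update.sh
* * * * * /tmp/.x/wifi.sh >/dev/null 2>&1
"""


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments, blanks and env assignments."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first and not line.startswith("@"):
            continue  # environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):
            # @reboot, @daily and similar: one keyword, then the command
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line: five schedule fields plus a command
            schedule, command = " ".join(parts[:5]), parts[5]
        jobs.append((schedule, command.strip()))
    return jobs


def audit_jobs(jobs, allowed=ALLOWED_COMMANDS):
    """Return (schedule, command, reason) for every job that fails the policy."""
    findings = []
    for schedule, command in jobs:
        try:
            executable = shlex.split(command)[0]
        except (ValueError, IndexError):
            findings.append((schedule, command, "unparseable command"))
            continue
        if executable.startswith(UNTRUSTED_PREFIXES):
            findings.append((schedule, command, f"runs from untrusted path {executable}"))
        elif executable not in allowed:
            findings.append((schedule, command, f"executable not in allowlist: {executable}"))
    return findings


def run_audit():
    """Audit the constructed sample crontab."""
    return audit_jobs(parse_crontab(SAMPLE_CRONTAB))


if __name__ == "__main__":
    for schedule, command, reason in run_audit():
        print(f"FINDING [{schedule}] {command}: {reason}")
```

The same two checks apply to the other cron locations on a Linux system (the system crontab, the `cron.d` directory and the per-user spool), and running the audit as part of the factory-reset path is what closes the gap the researchers describe: a reset that wipes user data but re-checks nothing in cron leaves the persistence in place.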

Hackers could take the attack even further and create a USB worm, where a compromised infotainment system could infect all USB dongles plugged into it and potentially spread the infection to other cars, Cîrlig said. Or the car could be used in a wardriving scenario, trying to automatically exploit Wi-Fi networks and other systems it encounters, he said.

The development of infotainment systems is usually outsourced to third-party electronic component suppliers and not made by the automobile manufacturers themselves. Other researchers have shown in the past that there are ways to jump from the infotainment systems to more critical electronic control units (ECUs)—the specialized embedded computers that control a car’s functions.

The auto industry continues to work using outdated programming principles and very old technology stacks that would be unacceptable today in a modern software development environment; and that needs to change, Cîrlig said. “For someone like myself who has a software development background, that style of coding looks ancient, from the age of the dinosaurs.”


Computer System Administrator

Source: National Cyber Security – Produced By Gregory Evans

Job Description

Provide configuration management support, connectivity to networks, performance monitoring, and maintenance on computer systems. Responsible for computer, peripheral, and software purchasing requirements, maintaining computer lists (asset tracking and turn in), troubleshooting and resolving issues, and completing necessary DOD documentation, such as Certificates of Networthiness (CONs) or Risk Management Framework (RMF) and other documentation for multiple instrumentation sections. Operations will include patching and updating standalone computers, maintaining a secure computing environment according to YPG regulations, and working closely with the YPG Cyber Security Office to solve problems unique to the YPG test environment. Build and repair CAT5 Ethernet cables. Perform other duties as assigned.

Qualifications

Pay Rate: DOE

Shifts/Hours: Vary by mission requirements.

Minimum Qualifications:

• Must be a US citizen and not hold multiple citizenships.
• Must possess a valid driver’s license, without special restrictions.
• Must possess a high school diploma or equivalent.
• Must possess or be able to obtain a security clearance prior to employment and maintain security clearance for the duration of employment.
• Must be able to work all shifts, weekends, holidays and overtime as needed, sometimes on short notice, to support test missions.
• Must have dependable transportation and a dependable means of communication.
• Must be able to speak, write, read, and understand English.
• Must have a well-mannered customer service attitude.
• Must be willing to cross-train in other areas.
• Must use “down-time” effectively to the benefit of test, self, and company.
• Must be punctual, responsible, and dependable.
• Must demonstrate motivation, initiative, and reliability.
• Must be adaptable, flexible, and able to adjust to new or changing instructions.
• Must have a demonstrated ability to follow instructions and company policy.
• Must be able to deliver quality products to the customer and be responsive to their needs.
• Must be safety and security conscious, complying with rules and policies.
• Must be able to work both as part of a team and independently.
• Must have an Associate’s Degree/Military training AND two years of related experience, OR Bachelor’s Degree from an accredited institution AND one year related experience.
• Must possess industry certifications within 6 months to meet DoD Directive 8570.01 training requirements, as required, such as CompTIA Security+ and Microsoft OS certification.
• Experience in computer performance monitoring and troubleshooting
• Individual must demonstrate motivation, timeliness, and initiative.
• Effective interpersonal and organizational skills, along with sound written and verbal communication skills are required. Attention to detail is a must.
• Must be able to work with minimum supervision.
• Must work well with others and demonstrate good customer service attributes.
• Must be proficient in Microsoft Office applications.

Physical Requirements:

• Must pass a pre-employment drug screening and physical and periodic retests.
• Must be able to wear appropriate Personal Protective Equipment (PPE) for work tasks assigned.
• Must be capable of working in extreme weather conditions including summer temperatures peaking around 120 degrees Fahrenheit.
• Must meet the physical requirements necessary to perform operations outlined, performed, and stated in the SOPs for the Instrumentation Data section.
• Must be able to climb up and down stairs or elevated platforms without assistance.
• Must be able to work indoors and outdoors in a desert environment.
• Must be able to lift 50 lbs unassisted.

Additional Desirable Qualifications:

• Experience with Windows and Unix/Linux operating systems.
• Experience with DOD’s Risk Management Framework (RMF).
• Experience with Microsoft Client OS Registry.
• Experience with Group Policy Objects.
• Experience with instrumentation.
• DoD Network experience.
• Associate’s or Bachelor’s degree in Computer Science, Computer Information Systems, or technical discipline from an Accreditation Board for Engineering and Technology (ABET) accredited college or university.

Closing Date: Open until filled.
Other Job Information (if applicable)

• TRAX International, Test Services Division, participates in E-Verify.
• TRAX is an Equal Opportunity Employer – Minorities/Females/Veterans/Disability.
• TRAX Test Services promotes a drug/alcohol free work environment through the use of mandatory pre-employment drug testing and on-going random drug testing, as per applicable State Laws.
• Must be able to obtain a security clearance prior to employment and maintain security clearance for the duration of employment.
• TRAX Test Services also encompasses four subcontracts to include: VETS, WESTECH, SPIRAL and MIRATEK. All positions with TRAX can always be transferred to one of the four subcontracts.


FBI #Charges 22-Year-Old #Student for #Hacking System to Change #Grades

Source: National Cyber Security – Produced By Gregory Evans

A former student at the University of Iowa was arrested on computer-hacking charges for accessing copies of exams in advance, and altering grades for himself and his classmates.

Chemistry major and wrestler Trevor Graves, 22, allegedly plugged keyloggers into university computers in classrooms and labs, allowing him to see whatever his professors typed, including their credentials to the university’s grading system.

In a criminal complaint submitted to an Iowa district court, the FBI claims Graves had access to the school’s grading system, Iowa Courses Online (ICON), for nearly 21 months – between March 2015 and December 2016.

During this time, Graves was able to modify grades more than 90 times on tests, quizzes and homework assignments for himself and at least five other students.

One of Graves’ professors first reported the incident to campus IT security officials after noticing changes in his assignments and quiz scores without her authorization.

An investigation led to a search of his off-campus apartment where authorities seized keyloggers, cellphones and thumb drives that contained copies of the stolen exams.

Grades were allegedly changed for a number of classes, including courses in business, engineering and chemistry.

According to the New York Times, Graves was arrested in Denver last Tuesday and released on bond pending an initial court appearance in Iowa two days later.

The Colorado native is charged with “intentionally accessing a computer without authorization and exceeding authorized access to obtain information, and knowingly transmitting a computer program to cause damage.”

Court documents state the IT expenses associated with the internal investigation, response to the breach and remedial steps to enhance IT security will cost the university roughly $68,000.


Time for a less #hacker-friendly #Social Security system

Source: National Cyber Security – Produced By Gregory Evans

Last month’s announcement by Equifax that its consumer-credit database suffered a catastrophic hacking attack meant nearly half of all Americans had their Social Security numbers and vital financial information exposed to theft. The threat of massive-scale identity theft is very real.

Equifax is only the latest of multiple, large-scale data-hacking incidents. It’s time for the federal government to come up with a more secure identification code to protect citizens. That’s not just our assessment; the White House cybersecurity coordinator, Rob Joyce, also has concluded that the Social Security numbering system has “outlived its usefulness.”

Think about your own Social Security number and the hundreds of times you’ve shared it with companies, schools, doctors, government agencies or other institutions that insisted they had a legitimate need for it. Always with the promise to keep it confidential, of course. Older Americans can recall when their Social Security numbers were used on their driver’s license or university IDs. There were those nine digits, for all to see.

Really industrious hackers can find Social Security numbers by accessing old court documents. No one is safe, and it really comes down to whose number hits on the hacking roulette wheel of chance. There has to be a better, more secure way.

“It’s a flawed system,” Joyce told The Washington Post this month. “If you think about it, every time we use the Social Security number you put it at risk. By interacting with it, you’ve given a key piece of information out publicly.”

Joyce wants the government to consider more modern means of providing citizens with a unique identifying code that can be used for transactions but also remain protected from hackers. He calls it a “modern cryptographic identifier.”

The longer the nation delays such an update, the greater the vulnerability we all will face. Right now, anyone who accesses basic information on Facebook or a simple Google search can identify where you grew up. That helps identify where you lived when your Social Security number was issued. That simple information helps reveal the first three digits of your Social Security number because those numbers were assigned geographically.

The last four digits are numbers we all routinely give out when speaking to customer service representatives to straighten out, say, credit card or phone billing questions. So seven of the nine digits already are vulnerable. Programmers have designed a computer algorithm that can accurately guess people’s Social Security numbers 44 percent of the time.

That’s scary. Americans are far too vulnerable. The potential losses from the Equifax breach alone could wind up in the billions of dollars. The cost of modernizing Social Security’s numbering system also wouldn’t be cheap.

Hackers around the world are betting the government will continue delaying and dithering. Sadly, they’re probably right.


Russian Hackers Tried to Access California Election System

Source: National Cyber Security – Produced By Gregory Evans

California Secretary of State Alex Padilla said he was informed “for the first time” by the DHS on Friday of last year’s attempt, in which Russian hackers “scanned” the website with the intent to “identify weaknesses in a computer or network – akin to a burglar looking for unlocked doors…
