Monday, November 11, 2013

Nasty new malware locks your files forever, unless you pay ransom

Herb Weisbaum
NBC News contributor
November 6, 2013 at 10:29 AM ET

CryptoLocker, a new and nasty piece of malicious software, is infecting computers around the world--encrypting important files and demanding a ransom to unlock them.

According to Sophos, the worldwide digital security company, it's been hitting pretty hard for the past six weeks or so. 

"It systematically hunts down every one of your personal files--documents, databases, spreadsheets, photos, videos and music collections--and encrypts them with military-grade encryption and only the crooks can open it," said Chester Wisniewski, a senior security advisor at Sophos.

Even though it's infected, your computer keeps working normally; you just can't access any of your personal files. It's scary, especially if you haven't backed up your data. 

"Cybercrime is evolving, as the bad guys get smarter and use newer technologies," noted Michael Kaiser, executive director of the National Cyber Security Alliance. "They're always looking for new ways to steal your money."

CryptoLocker is different from the other types of "ransomware" that have been around for many years now, which freeze your computer and demand payment. Those can usually be removed, which restores access to your files and documents.

Not CryptoLocker--it encrypts your files. There's only one decryption key, and the bad guys have that on their server. Unless you pay the ransom within three days, that key will be destroyed. And as the message from the extorters says, "After that, nobody and never will be able to restore files...".

The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.

To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show how much time is left before that unique decryption key is destroyed.

One victim described his anguish in an online post: "The virus cleverly targeted all of our family photos, including all photos of my children growing up over the last 8 years. I have a distraught wife who blames me!"

This sophisticated malware is delivered the old-fashioned way--an executable file hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.

Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.

“The author of this (malware) is a genius. Evil genius, but genius nonetheless,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”

Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good.

“It’s the same type of encryption used in the commercial sector that’s approved by the federal government,” Wisniewski told me. “If the crooks delete that encryption key, your files are gone forever – even the NSA can’t bring them back.”

Victims large and small

The cyber-crooks are targeting both businesses and individual computer users – anyone who will pay to regain access to their files.

The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample:

“When we discovered the infection from a user’s workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening.”

“Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom. All files on the network drive the user had access to are now encrypted.”

“We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren’t recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight.”

Of course, there’s no guarantee there will be a happy ending if you pay the ransom. And then there’s the bigger issue – by doing this, you’re helping fund a criminal operation.

“It encourages them to continue this bad behavior,” said Howard Schmidt, former White House Cyber Security Advisor and a co-founder of Ridge-Schmidt Cyber. “As people pay the ransom, the bad guys have the money to reinvest in creating research that is more virulent and hides better from detection.”

How to protect yourself

Go on the Internet and there’s no way to guarantee malware won’t make it onto your computer – even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups.

“Back up, back up, back up,” said Schmidt. “That’s the only way to reduce the risk of losing your files forever.”

If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services.

With these synchronized backups, stored files that have changed on the master drive are overwritten with the new ones. If a malicious program encrypts your master files, those backups would also be encrypted – and useless. Your backup should be disconnected from your computer until the next time you need to access it.
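The difference between a synchronized mirror and a snapshot backup, shown as an added example that is not part of the original article and is not code from Sophos or any backup product it mentions. The script builds a constructed master directory in a temporary folder, runs both backup styles, then overwrites one file with random bytes to stand in for a file that malware has encrypted, and runs both backups again. The function names, the sample file and its contents are assumptions made for the demonstration.

```python
"""Snapshot vs. mirror backups when a master file is overwritten (constructed demo)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash used to decide whether a backup copy still matches the original."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def mirror_sync(src: Path, dst: Path) -> int:
    """Synchronization-style backup: every file in src is copied over dst,
    overwriting whatever the previous run stored. Returns the number copied."""
    copied = 0
    for file in src.rglob("*"):
        if file.is_file():
            target = dst / file.relative_to(src)
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(file, target)
            copied += 1
    return copied


def snapshot_backup(src: Path, snapshots_root: Path, label: str) -> Path:
    """Snapshot-style backup: each run lands in its own directory, so earlier
    versions of every file survive later runs."""
    dest = snapshots_root / label
    shutil.copytree(src, dest)
    return dest


def tamper(path: Path) -> None:
    """Stand-in for a file being overwritten by encrypting malware: the original
    bytes are replaced with random ones the owner has no way to undo."""
    path.write_bytes(os.urandom(len(path.read_bytes()) or 16))


def find_clean_copy(snapshots_root: Path, rel: Path, original_hash: str):
    """Walk the snapshots newest-first and return the label of the first one
    whose copy of the file still hashes to the original (None if none do)."""
    for snap in sorted(snapshots_root.iterdir(), reverse=True):
        candidate = snap / rel
        if candidate.is_file() and sha256_of(candidate) == original_hash:
            return snap.name
    return None


def run_demo() -> dict:
    """Run both backup styles across a simulated two-day incident and report
    which copies of the sample file are still usable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        master, mirror, snapshots = root / "master", root / "mirror", root / "snapshots"
        photo = master / "photos" / "family.jpg"
        photo.parent.mkdir(parents=True)
        photo.write_bytes(b"constructed sample photo bytes")  # constructed content, not a real JPEG
        original = sha256_of(photo)
        rel = photo.relative_to(master)

        # Day 1: both backup styles run while the file is still intact.
        mirror_sync(master, mirror)
        snapshot_backup(master, snapshots, "day1")

        # Day 2: the master file is overwritten, then both backups run again
        # (a connected, automatic backup would not know anything is wrong).
        tamper(photo)
        mirror_sync(master, mirror)
        snapshot_backup(master, snapshots, "day2")

        return {
            "mirror_matches_original": sha256_of(mirror / rel) == original,
            "day1_snapshot_matches_original": sha256_of(snapshots / "day1" / rel) == original,
            "day2_snapshot_matches_original": sha256_of(snapshots / "day2" / rel) == original,
            "recovered_from": find_clean_copy(snapshots, rel, original),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The mirror ends up holding only the overwritten bytes, because the second sync faithfully copied the damaged master over the good copy; the day-1 snapshot still hashes to the original and is the copy a recovery would restore from. The article's last point, keeping the backup disconnected between runs, is what prevents the malware from reaching the snapshots directory itself, which this in-process demo cannot show.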

http://www.today.com/money/nasty-new-malware-locks-your-files-forever-unless-you-pay-8C11511655?ocid=ansmsnbc11
Tuesday, October 29, 2013

Apple's iCloud cracked: Lack of two-factor authentication allows remote data download

By Violet Blue for Zero Day

Notorious Russian hacker Vladimir Katalov released findings showing Apple's iCloud vulnerable to unauthorized download access, with iCloud data stored on Microsoft and Amazon servers.

KUALA LUMPUR, MALAYSIA--Russian security researcher Vladimir Katalov analyzed Apple's secretive iCloud and Find My iPhone protocols to discover that neither are protected by two-factor authentication, and iCloud data can be downloaded remotely without a user ever knowing. 

In "Cracking and Analyzing Apple’s iCloud Protocols," presented to a crowded room at the Hack In The Box security conference last Thursday in Kuala Lumpur, Malaysia, Vladimir Katalov revealed that user information and data are not as inaccessible as Apple is telling the public.

Katalov's findings appear to support his emphatic statement that Apple can access data it claims to not be able to access.

A malicious attacker only needs an Apple ID and password to perform remote iCloud backups — and does not need the user's linked devices.

He explained that there is no way for a user to encrypt their iCloud backups. The data is encrypted, he explained, but the keys are stored with the data. Katalov added that Apple holds the encryption keys.

Katalov told ZDNet he was shocked to discover that in addition to all of these security chain issues, Apple's iCloud data is stored on Microsoft and Amazon servers.

Katalov's presentation pointed out that because Apple provides full request information to its third-party storage providers (Amazon and Microsoft), Apple could provide this data to law enforcement.

In Apple's July public statement on the NSA PRISM surveillance program, Apple denied any backdoor server access for government agencies. Apple unequivocally stated, "Apple does not give law enforcement access to its servers."

When a user performs an iCloud backup download, they receive an email informing them that the process is complete. Katalov discovered that when a remote download is performed, the user receives no notification email. If a user's data is accessed and downloaded from iCloud by a remote third party, they would not know.

Katalov's work represents the first time anyone has analyzed and publicly presented findings on Apple's secretive iCloud protocol.

Vladimir Katalov analyzed Apple's iCloud and Find My Phone protocols by sniffing HTTP traffic on jailbroken devices — though he was careful to explain that a user's devices do not need to be jailbroken for a malicious entity to exploit the remote backup protocol security omissions Katalov discovered. Analyzing the traffic, he told the crowded room during his Thursday presentation, was not difficult.

Apple's iCloud data consists of what a user stores as a data backup. It contains documents, Dropbox files and sensitive user data. In his analysis, Katalov discovered that iCloud files are stored as a container — plist and content — in a files-to-chunks mapping schema.

But he found that Apple's two-factor authentication, a layer of user security used in addition to a username and password, is not used for iCloud backups (or Find My Phone). Apple's two-step authentication ("2FA") does not protect iCloud backups, Find My Phone data and the documents stored in the cloud. Katalov details this further in a blog post: "Apple Two-Factor Authentication and the iCloud."

Katalov showed Hack In The Box attendees that with simple queries, it's possible to get the authentication token for accessing the iCloud backup, backup IDs, and the encryption keys. Then one can download the files from where they're stored in Windows Azure or Amazon AWS.

ZDNet caught up with Katalov after his presentation to find out more.

When asked if he had presented his discoveries to Apple, he explained that his findings were the results of protocol analysis — and are not a vulnerability. Put another way, the iCloud security hole falls into the "it's a feature, not a bug" category.

When ZDNet asked Katalov if there was a way for Apple to fix this issue — such as extending two-factor authentication to its iCloud and Find My Phone services — he shook his head and told us that Apple's implementation of two-factor auth was likely "only an afterthought."

Katalov told ZDNet the best thing a user can do to protect their iCloud data is to simply not use iCloud. However, Katalov told us he still uses Apple's iCloud as a backup service. "It is not exactly safe, but I am selecting between security and privacy," he said.

It's easy to argue that because a remote attacker needs an Apple user ID and password, the data is still out of reach to most malicious entities. However, obtaining Apple user IDs and passwords isn't impossible — aside from email phishing techniques, which are more effective than most would believe. Social engineering techniques are sadly common and also very effective.

A recent example is the spate of Apple ID data thefts in Norway. This past February, a significant number of teenage girls were targeted by boys who easily surmised the girls' user ID and password recovery information to gain access to their Apple accounts, download photos and the girls' data — which, sadly, ended up passed around and also sold online.

In his Hack In The Box presentation, Katalov told the audience that he was also surprised to discover that when a user shuts off location tracking services, the user's location is still stored for around 3-6 hours.

We wondered if this is what led Katalov to mention that next he will analyze Touch ID protocol and storage — as soon as iOS 7 is jailbroken, he told ZDNet. "Apple says it never sends the information, and it is never copied to local [storage]," he added, "but I am not so sure."

ZDNet asked why Katalov felt this way, when Apple specifically states that it does not transmit Touch ID information. Katalov's eyes glittered, and a boyish smile crept across his face. In his thick Russian accent he replied, "Trust no one."

ZDNet has contacted Apple for comment and will update this article if Apple responds.

Thursday, October 17, 2013

Columbia College Shred Event!

Please join Technology Services and New World Recycling for an opportunity to shred all your unwanted documents FREE OF CHARGE. Visit us Monday, October 28th from 1:00 to 4:00pm on Cougar Drive (behind the mail room) to shred your documents, get tips on identity theft prevention, and celebrate Halloween with Technology Services!

Monday, September 30, 2013

You Google Yourself, and That's Okay

By Peter Kafka

The Internet is great because it opens up new vistas, letting you learn all sorts of stuff about people and things in far-flung corners of the world.

And also, you can Google yourself.

Which lots of you do; 56 percent of Web users told Pew researchers last spring that they "self-search."

That's down slightly from 2009, but up from 22 percent in 2001, when maybe people were preoccupied watching John Woo/Clive Owen BMW ads.

But if you feel at all embarrassed about your preoccupation with yourself, this may make you feel better: Self-searchers tend to be younger, better-educated and more affluent than the general population.
Friday, September 27, 2013

Medical Info for Sale Online

You can find almost anything on the Internet these days. The News4 I-Team discovered with just a few clicks and a couple hundred dollars anyone can even buy private medical details online only you and your doctor should know.

"There are between one and two million Americans affected by medical identity theft each year," Lisa Schifferle, with the Federal Trade Commission, told the News4 I-Team. "It can happen in all sorts of ways. There can be insiders that are paid to steal information from hospitals and nursing homes."

D.C. has had its share of breaches. In 2012, more than 66,000 people were put at risk after someone stole a Howard University Hospital contractor's laptop. In 2011, the company which provides healthcare for the military, Tricare, lost tapes containing private information of almost five million people.

A Howard University Hospital spokesperson said there's no evidence that any private information on that stolen laptop was misused. After the incident, the hospital toughened up security procedures with encryption and more HIPAA retraining. Tricare said it could not comment on the case involving its lost tapes due to ongoing litigation.

So, where does the compromised information end up? According to the FTC, the information often goes overseas, sold for big bucks. "Some studies have indicated that on the black market, you can get more for medical information than you can for a social security number," Schifferle said.

Terry Martinez was shocked when the News4 I-Team showed up at his door with private information we found for sale online. "That's my social, date of birth, IP address. They got everything. My driver's license number. They even got the term life insurance," said Martinez as he looked through what we found.

When the News4 I-Team asked him if he has ever checked to see if his medical records had been compromised, he told us "No. I hardly ever even go to the doctor. Very seldom do I ever check that."

Martinez knew something was up, though, since he's been fighting for the past year to get his identity back after discovering someone tried to file his taxes and emptied his bank account. But Martinez had no idea some of his medical information was floating around on the Internet, too.

He's not alone. The News4 I-Team found private information for people all over the D.C. area, including physician contacts, insurance providers, whether people smoke and even the amounts of insulin doses administered each day.

The man who was selling the information agreed to talk via Skype from Costa Rica but would not show his face.

He said he got most of the current medical records from India, where call centers gather information by phishing over the phone. In those call centers, he said, "You're going to see people buying data, selling data, like it's candy at a store."

The seller also described how the operation worked when he, himself, was a telemarketer for an overseas company. He said callers would try to get missing private details from people over the phone. "They gave me a script that I had to read," he said. Part of the script read, "'So what is your name? What is the doctor's name?' When we didn't even have the doctor's name on it," he explained. "We were just saying that."

Those private details were then often sold to medical companies that targeted people with health conditions and charged insurance companies for services and supplies.

You can protect yourself. The FTC says everyone should check their credit report for unusual medical bills or charges. Ask your health insurance provider for a list of benefits in your name. And never provide medical information to a caller over the phone.

If you do find out you have been a victim, you should file a complaint with the FTC and police. Also, contact your medical providers.

http://www.nbcwashington.com/investigations/Medical-Info-for-Sale-Online-224954762.html
Thursday, September 12, 2013

Amazon 'wish list' is gateway to epic social engineering hack

By Chenda Ngak/CBS News

Comedian Erik Stolhanske didn't know what he was getting himself into when he let a cybersecurity expert at SecureState take a crack at hacking him. The "Super Troopers" actor gave the company the green light to access his Twitter account with nothing more than his name. What he found out was that his entire digital life could have been compromised using simple techniques.

SecureState profiling consultant Brandan Geise went on a mission to hack into Stolhanske's Twitter account, but instead was able to gain access to his Amazon, AOL, Apple and Dropbox accounts, as well his Web hosting account. 

A manipulation tactic called social engineering can give anyone smart enough to connect the dots a gateway into your digital domain. It doesn't require a single line of programming code.

"Pretty much anyone can do this," Geise told CBSNews.com.

Geise started by running a search of Stolhanske's name on Spokeo.com, a website that aggregates public information about people. Information found on Spokeo can include a home phone number, email addresses, all associated home addresses, family members, and occupation. It took two pieces of information from Spokeo to gain access to Stolhanske's Amazon.com account: an email and home address.

Amazon has a feature called wish lists that let members bookmark items they want to buy and save them in a list. Anyone can run a search for wish lists using either a name or an email address. That may be convenient when friends or relatives are wondering what you want for your birthday, but it can make you vulnerable. By trying all of the email addresses found on Spokeo, Geise was able to find Stolhanske's Amazon wish list, confirming that he also had a registered account.

The next step would be the key to making the rest of the dominoes drop.

Geise called Amazon customer service and asked to add a credit card using an account name, email address and billing address. When it came time to verify his identity, Geise told the Amazon representative that he forgot which home address he used for the account, and went down the list he obtained from Spokeo. A match was found, and he was able to add a credit card to the account.

After hanging up, he called back 30 minutes later saying he lost access to his account and backup email address. Geise was able to verify his identity by using the last four digits of the credit card he added in his previous call. He faced one last hurdle: Amazon required him to name an item that he recently purchased. Geise was able to bypass this requirement partially due to thorough research and a bit of luck.

During his initial research, Geise found a lot of personal information on Stolhanske just by going through his Twitter and Facebook posts.

"It definitely required a lot of recon work," Geise said. "But to find that kind of information, you don't have to dig that deep."

Geise knew from social media that Stolhanske was a fan of the HBO series "Game of Thrones." He told the Amazon customer representative that he rarely used the account, and that his wife may have purchased a "Game of Thrones" book or DVD. It was an educated guess that turned out to be correct.

He was in.

Geise was allowed to change the email address and reset the password to the account.

"Once I had access to Erik's account, there were quite a few credit cards on there. It didn't show the full credit card number, but showed the last four digits," Geise said.

He points out that most of the time when people are asked to verify an account, they are asked for the last four digits of the card and a billing address. Armed with that information, Geise went down the line and accessed the rest of Stolhanske's accounts -- starting with AOL.

Geise was able to gain access to Stolhanske's AOL account over the phone, by providing just his billing address and the last four digits of his credit card number.

Many people link accounts together, so breaching the right combination of accounts could lead to a jackpot for a cyber criminal. In Stolhanske's case, accessing the Amazon and AOL accounts opened the door for taking over his digital life. As it turns out, Stolhanske's AOL account was the email address used to reset his Apple account, which was also his main email address. After taking control of the Apple account, Geise was able to search Stolhanske's emails to find other accounts associated with the email address, and send requests to reset passwords.

If this all sounds familiar, it's because a similar case was reported last year, when a hacker gained access to Wired reporter Mat Honan's email, Twitter, Amazon and Apple accounts. Wired later reported that Amazon quietly closed the loophole that allowed a hacker to add a credit card to an account, but Geise says the only additional hurdle he faced was naming a recent purchase.

Amazon declined to comment on Geise's claims.

Geise says using two-factor authentication could stop the potential hacker in their tracks because it would also require access to personal devices, like a smartphone. But it would not make the social engineering hack impossible to accomplish. Apple, Twitter and Facebook have added the additional security measure in the last year.

Sometimes it could just be negligence of old accounts that is the weak link. In Stolhanske's case, it was the combination of being on social media, having old mailing addresses listed on his account and having a public Amazon wish list that caused a chain effect.

Geise suggests deleting old email accounts, adding complex passwords, using random email accounts for password recovery and making Amazon wish lists private.

Monday, September 9, 2013

Internet security is a growing concern

NEW YORK (NBC News)-Turns out, trying to erase all that stuff about yourself that you've put on the internet over the years, is even harder than what you were told, but at least it's taught you to be more cautious going forward.

In the early days of social media, there was no hesitation about what we shared with those we thought were only family and friends. But now we know others are watching.

"One in five people have had either their social media account or their email hijacked by a bad guy," said Bob Sullivan, author and online privacy expert. "So that means someone was able to impersonate them on Facebook or Twitter or send an email that looked like it was from them."

Privacy experts like Sullivan call what we've left behind on the internet "digital breadcrumbs," and a new survey from the Pew Research Center shows we're just now trying to trace them.

Sullivan said, "Eighty-six percent say that they've tried to at least do something to clean up those digital bread crumbs."

Pew's research also shows people have lowered expectations of privacy while online, and also lowered the personal info they're posting.

"People are taking steps to protect their privacy but they don't know quite what they are doing and most of them feel pretty bad about all the information that's out there and don't really believe that they can protect themselves right now," said Sullivan.

A discouraging note from the survey, for online retailers: people want to hide personal info from not only hackers, but advertisers.

http://www.wwlp.com/news/massachusetts/internet-security-a-growing-concern

Tuesday, September 3, 2013

Is Your Spouse your Biggest Online Security Risk?

If your partner asked for your Facebook password, would you give it to them? Chances are, you probably would. Better that than risk all the "what are you trying to hide from me" drama that would ensue, right?

Actually, an innocuous sharing of passwords--even with the person closest to you--could lead to major security breaches. With recent hacks on the New York Times and Washington Post Web Sites, you don't have to be in government or financial services to be at risk.

A third of organizations say employee negligence (a.k.a. the human factor) was to blame for security breaches, according to this study.
“Breaches related to spouses are a growing risk that people don’t realize,” says Hugh Thompson, senior vice president at global security firm Blue Coat. “The possibilities for attacks just increase with the more data you share with your partner.”

Here are some common ways your spouse could pose a security risk:

1.) You have different paranoia levels. People who work in security or finance are trained to be paranoid about which devices (and even which networks) they type passwords on. But that level of training is not automatically passed on to spouses. It’s surprisingly common for both partners to use the same passwords for work and personal use, says Thompson. This could give hackers access to your work passwords, if they can trick your spouse into revealing their password via a phishing attempt. Also, on shared accounts like DropBox and Google Docs, your password security is entirely dependent on your partner’s habits.

How do you counter this? “Just because you share some passwords with your spouse, you don’t have to share all passwords with them,” says Markus Jakobsson, Principal Scientist of Consumer Security at PayPal. The onus is on you to decide which passwords to share with your spouse, and ensure you have different (and difficult to guess) passwords for sensitive information.

2.) Password reset questions could give you away. Not only are some passwords easy to crack (“password” is still a common one), but password reset questions are increasingly easy to find out, according to Thompson. One reset question could be your spouse’s maiden name. “Someone could get a 30-day free trial on ancestry.com and find that out,” he says.

The risks posed by “meta passwords” or password resets through security questions are significant, according to PayPal’s Jakobsson. Take time to think over which security questions are easy to find out – the city you were born in, for example, vs. information most likely to be known only by you. Meta passwords are also rarely changed if a couple splits up. “People will generally change shared passwords if they break up, but they forget to change the security question,” he says. PayPal is trying to counter this by researching whether posing security questions based on preferences would be more effective. “We’re finding most spouses will know if you love or hate something, but will probably not know your subtle preferences, like if you prefer pepperoni on your pizza,” he says.

3.) The rise of BYOD – or Bring Your Own Device to work. As more people use their mobile phones and personal laptops at work, private information could easily be shared if those same devices are used at home. This is especially the case on weekends or vacation, where one device is used by the whole family. The risks are so great, yet so simple. For example, the picture you take on your iPhone of whiteboard notes from a meeting at the office could be synced to your partner’s iPad at home, in a matter of seconds. “The malware one person downloads by accident could affect their spouse’s company in a significant way,” Thompson adds.

The best way to avoid this is by not letting your spouse download apps or programs on your work devices, says PayPal’s Jakobsson. If a download is absolutely necessary, he suggests doing it on an iPad or Android device. “It’s not foolproof, but safer than downloading it on a laptop or desktop.”

4.) Your partner may not be your partner online. It’s becoming increasingly common for hackers to imitate spouses online – especially on instant messaging platforms. If your spouse has an online presence through social media, blogs etc., their impersonator could easily “sound like them” right down to phrases they frequently use. “Never type out your social security numbers, credit card details, prescription or medical details on an online chat, even if you think it’s your partner on the other side. Spend 5 minutes on the phone to relay this type of information,” Thompson says. “Also, be aware when using technology – where does it back up? How long does it store information for?” Many chat platforms back up the logs of your conversation on two devices – yours, as well as your spouse’s, for months. That’s twice the risk.

5.) Thanks to social media, your information is out there for all to see. Social media makes it a breeze for anyone to figure out who you’re dating or married to. “Your spouse’s security hygiene is just as important as your own,” says Thompson. Company information is becoming easier to decipher through a partner’s social media. “Say your friend updates their Facebook status that they’re in Bentonville, Arkansas and tags their husband or wife; it’s easy to figure out their partner was doing business with Walmart. Even if the company employee wouldn’t update their own status, their partner’s update could compromise confidential company developments.”

The disparity between how each person thinks about security is a growing threat. One partner could have a login password or remote wipe on their mobile phone, while the other doesn’t. Your spouse could be logging on to a shared computer – say, at a hotel – to access your joint bank accounts, while you wouldn’t even dream of using a shared desktop. When it comes to your personal and corporate security, it’s a team effort.

Wednesday, August 21, 2013

Missouri Credit Union customer information leaked on website

COLUMBIA, Mo--Missouri Credit Union is informing all of its customers about a security breach after personal information was made public on its website.

On Aug 5, MCU discovered a file containing customer information was posted on its website. That file contained a list of customer names, addresses, Social Security numbers, account numbers, and MCU teller/call-in passwords.

The credit union says there were ten visits to the file's location in the "short time" it was accessible. MCU does not know if anyone actually looked at the information.

"On behalf of myself and everyone at MCU, I apologize to all members affected by this incident," said president Hal James in a statement to ABC 17 News. "Please be assured that we are working to enhance our security measures to prevent something like this from happening in the future."

MCU began notifying all of its members on Aug 16 about the security issue. The company is arranging for AllClearID to protect the identity of each of its members for one year.

Any customer can contact MCU for additional information by calling 877-437-4006.

http://www.abc17news.com/news/missouri-credit-union-customer-information-leaked-on-website/-/18421100/21546504/-/pqlh8s/-/index.html

Tuesday, August 20, 2013

Lost flash drive compromises data for thousands of students

More than 20,000 students across 36 schools in the Boston Public School (BPS) system had their data compromised when the district's ID card vendor Plastic Card Systems lost a flash drive containing the information.
How many victims? 21,054 students.
What type of personal information? Names, schools, ages, grades, ID numbers, library card numbers and CharlieCard numbers (used on smartcards to pay for Massachusetts Bay Transportation Authority travel). ID photos for roughly 14,000 students also were included on the flash drive.
What happened?  Plastic Card Systems picked up the flash drive from a BPS location. The vendor reported later that day that the memory stick was missing.
What was the response? Plastic Card Systems reported the drive as missing on a Friday, and the drive did not turn up after being searched for throughout the weekend. BPS is changing the design of its student ID cards. In addition, it is invalidating the affected CharlieCard and library card numbers. Families of affected students received phone calls and were sent letters.
Details: Plastic Card Systems picked up the drive from a BPS location on Aug. 9 and lost it later that day. BPS high schools were affected, as well as some middle schools spanning grades 6 to 12. Elementary schools, K-8 schools and standalone middle schools were not affected. Students are expected to receive new ID badges on schedule at the beginning of the school year.
Quote: “It is important to emphasize the information on the drive is limited to what appears on ID badges – and this cannot be used to access student records,” said John McDonough, BPS interim superintendent.
“Plastic Card Systems deeply regrets the unfortunate accidental loss of the Boston Public Schools student data files, and we understand how families will be upset, as we are upset, by the situation,” said Plastic Card Systems President Don Axline. “We will make all efforts to help Boston Public Schools in addressing this situation and will assist in any way possible to quickly rectify the situation.”

Tuesday, August 6, 2013

High-tech toilet gets hacker warning; nothing is safe

A vulnerability in a toilet-control app leads to an unusual warning about potential bathroom hacking hijinks.
By: Amanda Kooser

Privacy has been big news lately after revelations of NSA activities hit hard. But apparently it's not just your phone calls and Internet activity you need to be concerned about. There could be hackers gunning for your toilet, too.

Security company Trustwave issued a warning about potential bathroom breaches of luxury Satis smart toilets from Lixil. The toilets can be controlled using an Android app, but the Bluetooth PIN is hard-coded to "0000" on every unit. Because the PIN is the same everywhere and cannot be changed by the owner, just knowing that number means the awesome power of the Satis could fall into evil hands. All a hacker would have to do is download the My Satis app, get in range, pair it to the toilet using the code, and flush away.
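To show why a single hard-coded pairing PIN is a design flaw rather than a mere configuration slip, here is a toy model of the device-side pairing decision. This is an added example, not Lixil's firmware, the My Satis app, or Trustwave's test code; it models only whether a device accepts a pairing request given the PIN a phone offers, contrasting the fixed "0000" described above with a per-unit random PIN plus a retry limit. The class and function names, the unit names, and the guess list are assumptions made for illustration.

```python
"""Toy model of Bluetooth PIN pairing: why a hard-coded "0000" is a flaw.

Added example; not Lixil's firmware, the My Satis app, or Trustwave's code.
It models the decision a device makes when a phone offers a pairing PIN and
contrasts the fixed PIN reported in the article with a per-unit random PIN
plus a retry limit. Names below are assumptions made for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Controller:
    """Device side of a legacy (pre-Secure-Simple-Pairing) PIN exchange."""
    name: str
    pin: str
    max_failures: Optional[int]      # None = never locks out (the "0000" design)
    failures: int = 0
    paired: List[str] = field(default_factory=list)

    def locked(self) -> bool:
        return self.max_failures is not None and self.failures >= self.max_failures

    def pair(self, client_id: str, offered_pin: str) -> bool:
        """Accept the pairing if the PIN matches and the unit is not locked."""
        if self.locked():
            return False
        # Constant-time compare so a timing side channel cannot leak digits.
        if hmac.compare_digest(offered_pin.encode(), self.pin.encode()):
            self.paired.append(client_id)
            return True
        self.failures += 1
        return False

    def reset(self) -> None:
        """Clear the lockout; meant to be triggered by a physical button on
        the unit, never over Bluetooth, so only someone present can do it."""
        self.failures = 0


def fixed_pin_controller(name: str) -> Controller:
    """Every unit ships with the same PIN and no retry limit (the weak design)."""
    return Controller(name, "0000", None)


def random_pin_controller(name: str, max_failures: int = 3,
                          pin: Optional[str] = None) -> Controller:
    """Each unit gets its own 6-digit PIN (printed on the unit or shown on its
    panel) and locks after a few bad attempts. `pin` may be supplied for
    reproducible tests; otherwise it is drawn from a CSPRNG."""
    if pin is None:
        pin = f"{secrets.randbelow(10 ** 6):06d}"
    return Controller(name, pin, max_failures)


def attack(ctrl: Controller, candidates: List[str]) -> Tuple[bool, int]:
    """Attacker in Bluetooth range offers candidate PINs in order.
    Returns (paired, attempts_made)."""
    attempts = 0
    for attempts, guess in enumerate(candidates, start=1):
        if ctrl.pair("attacker-phone", guess):
            return True, attempts
        if ctrl.locked():
            return False, attempts
    return False, attempts


# Constructed guess list: the published default first, then common PINs,
# then the start of an exhaustive 6-digit sweep.
GUESSES = ["0000", "1234", "1111"] + [f"{i:06d}" for i in range(200)]


def demo():
    weak = fixed_pin_controller("satis-unit-A")
    hardened = random_pin_controller("satis-unit-B", pin="482913")
    weak_result = attack(weak, GUESSES)          # first guess wins: (True, 1)
    hard_result = attack(hardened, GUESSES)      # locked after 3: (False, 3)
    # Lockout has a cost: the attacker's failures also block the real owner
    # until someone physically resets the unit.
    owner_before_reset = hardened.pair("owner-phone", "482913")
    hardened.reset()
    owner_after_reset = hardened.pair("owner-phone", "482913")
    return weak_result, hard_result, owner_before_reset, owner_after_reset


if __name__ == "__main__":
    print(demo())
```

The point the model makes: with the fixed design, one disclosure of the PIN (in the app, in a manual, or by reading the firmware) compromises every unit ever sold, and nothing the owner can do changes that. A per-unit random PIN with a retry limit turns the same attack into a guess against one million possibilities with three tries; the trade-off, shown in `demo`, is that lockout lets an attacker in range deny the owner pairing until a physical reset, which is why real designs pair the limit with a cooldown or a button on the device.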

The Android app lets toilet aficionados trigger activities such as flushing and playing music. If a malicious hacker got in Bluetooth range and took control of your toilet, all sorts of havoc could ensue. You might have to listen to the combined sounds of Justin Bieber and constant flushing while you're trying to do your business.

"Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user," Trustwave cautions. Trustwave made several attempts to contact Lixil for a response, but the company has not yet commented on the issue.

The bigger mystery here may be why someone would want a remote control to flush a toilet, but it could be handy for absent-minded toilet users or germaphobes who want to minimize contact with the porcelain throne. With a starting price of around $2,400, you will pay for the privilege.

The security issue is real, though it's hard not to snicker about it. Perhaps an app update will take care of this matter of national security. If you've already been impacted by this issue, then you can finally rest easy knowing your toilet isn't haunted. It's just been hacked.

http://news.cnet.com/8301-1009_3-57596704-83/high-tech-toilet-gets-hacker-warning-nothing-is-safe/