Eyes on the Big Boys now! PBS News Site Hacked!

Epsilon, Sony, Lockheed, PBS News, who is next?
The latest hack on the PBS News site is the best hack ever.

Tupac Shakur is alive!

Not.

Check off the main news website for the Public Broadcasting System, PBS NewsHour, as the latest victim of a hacking attempt that has interrupted the site’s main activity. Hackers from “LulzSec”  were able to break into the site and posted a fake story that said rapper Tupac Shakur was still alive.

This is (now) the third high-profile cyber attack in a little more than a month on important computer networks that are increasingly seeming vulnerable to cyber attacks. A cyber attack on Sony’s PlayStation Network (PSN) led to hackers stealing sensitive information from potentially more than 100 million PSN and Station.com users. Hackers were able to break into Sony’s network on April 19, forcing the company to bring it down and beef up security.

Defense contractor Lockheed Martin was also hit by a cyber attack last week, but the company said it successfully fended off the “tenacious and significant attack” and said no information was compromised. While sensitive information about 100 million consumers was at risk during the PSN attack, sensitive information about defense contracts and advanced technology could have been at risk during the attack on Lockheed Martin’s private network.

Hacker group “LulzSec” has apparently claimed responsibility for the attack, according to its Twitter feed. But it was quick to remind the general public that it was not a part of hacktivist group Anonymous — which regularly takes up political causes and sometimes commits hacks like this for amusement. Those within Anonymous — an amorphous and loosely associated group of hackers that are regulars on message boards like 4chan — typically use the term “lulz” to describe the amusement they get out of hacks like these.

“We aren’t Anonymous you unresolved cow-shart,” the group posted in its main Twitter feed.

And, for a little while according to PBS NewsHour, he was alive and well in New Zealand 15 years after he was reportedly killed. The news publication furiously denied the story was true with its Twitter account and has been tirelessly communicating with its audience to tell everyone that the story is fake. As a reminder, Tupac Shakur died from his wounds suffered in a drive-by shooting in 1996. The rapper was known for his lyrics that glamorized the life of a “player.”

A full transcript of LulzSec’s admission to the hack is pasted below, which makes reference to a PBS story called “WikiSecrets: The inside story of Bradley Manning, Julian Assange and the largest intelligence breach in U.S. history”.

“Greetings, Internets. We just finished watching WikiSecrets and were less than impressed. We decided to sail our Lulz Boat over to the PBS servers for further… perusing. As you should know by now, not even that fancy-ass fortress from the third… Pirates of the Caribbean movie (first one was better!) can withhold our barrage of chaos and lulz. Anyway, unnecessary sequels aside… wait, actually: second and third Matrix movies sucked too! Anyway, say hello to the insides of the PBS servers, folks. They best watch where they’re sailing next time.”

Editor's Note: Cross post from www.venturebeat.com

Other reference: PBS hacked in retribution for Fronline Wikileaks episode

STOP! - LOOK! - OBSERVE! Bad People Around

Sometimes we get too technical that once we protect ourselves from external threats we feel confident and safe already. And we become too trusting to the people within our organization. Well, stop, look around and observe vigilantly.

Just recall the most recent $10M incident in Bank of America, where an insider sold customer data to outsiders. Yeah, an insider did it!

A survey showed that 40% of IT staff admit that they could hold their employers hostage - even after they’ve left for other employment - by making it difficult or impossible for their bosses to access vital data by withholding or hiding encryption keys.

A third of the Venafi survey respondents said that their knowledge of and access to encryption keys and certificates, used for both system authentication and data protection, means they could bring the company to a grinding halt with minimal effort and little to stop them. This is due to lack of oversight and poor management of their organisation’s encryption keys.

They claim that even after they have left they still could cause havoc with their knowledge of the encryption keys, shared passwords and weak controls. 40% of respondents admitted that they would still have access to vital information and could manipulate it to their own ends—both to their company's financial and reputational detriment.

31% of respondents astonishingly said that they could still access organisational data because they could easily retain the encryption keys when they left and access the information remotely.

Finally, 24% of respondents to the survey admitted that their fear of losing encryption keys is what is deterring them from investing in encryption key and certificate solutions to protect digital assets and secure sensitive system communications.

The survey shows that 82% of companies now use digital certificates and encryption keys, however, 43% admit to being locked out from their own information - because people have left the organization or keys are lost - and 76% would use automation if they knew it existed.

These same companies are unaware of how to manage their keys and certificates, leaving them exposed to unplanned system outages, security risks and reduced access to critical data. 

Jeff Hudson, Venafi CEO, said: “It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it. They have found out the hard way—after being locked out from their own information—that they need an automated solution to manage the thousands of keys and certificates they have. Once the data's protected with encryption, the key becomes the data and the thing that must be managed and protected. Key Encryption is only half the solution. IT departments must track where the keys are and monitor and manage who has access to them. What this survey reveals is that organisations need to quickly come to terms with how crucial encryption keys are to safeguarding the entire enterprise as well as the heightened need for automated key and certificate management with access controls, separation of duties and improved polices. It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management. There are some great solutions on the market that can manage and automate these assets at a click of a switch.”

Get the complete survey information from here.


Editor's Note: Cross post from Help Net Security.