143 Million Affected in Hack of U.S. Credit Agency

A major American credit reporting agency entrusted to safeguard personal financial information said Thursday hackers looted its system in a colossal breach that could affect nearly half the US population as well as people in Britain and Canada.

Equifax said that a hack it learned about on July 29 had the potential to affect 143 million US customers, and involved some data for British and Canadian residents.

The Atlanta-based company disclosed the breach in a release that did not explain why it waited more than a month to warn those affected about a risk of identity theft. Continue reading

UPDATE 3: U.S. probes cyber attack on water system

As written in a book called “Red Dragon Rising: Communist China’s Military Threat to America” in 1999, so it has become…

Book passage:

TARGETING AMERICA: THE REVOLUTION IN MILITARY AFFAIRS

Information warfare and electronic warfare are of key importance, while fighting on the ground can only exploit the victory. Hence, China is more convinced [than ever] that as far as the PLA is concerned, a military revolution with information warfare as the core has reached the stage where efforts must be made to catch up with and overtake rivals.1 —General Liu Huaqing, vice chairman of the Central Military Commission, 1995 On Wednesday night, June 16, 1999, officials at a California sanitation plant decided to check its computers for Year 2000 (Y2K) compliance. They were testing a back-up electrical system when they received a frantic midnight call from a park ranger: Raw, untreated sewage was pouring out of a manhole cover and spilling into a park.

Later it was estimated that four million gallons of sewage had been released. A computer had mistakenly closed a gate that should have remained open to control the transfer of sewage. A programmer’s error fifteen years earlier seems to have been the culprit. It cost taxpayers about $100,000 to clean up the mess.2 This is just one of a number of unfortunate accidents that have occurred as businesses and governments test for Y2K compliance. But Y2K accidents are just that—accidents. Suppose, however, that a competent and motivated hostile force was able to manipulate modern computer systems. Such a force could conceivably do the following:
• Change the dose levels in prescription medicines at pharmaceutical plants so that thousands of people would be poisoned3

• Infiltrate the manufacturing process for baby food so that the standard components would be increased by 400 percent—to toxic levels4

• Taint the processed-food industry for restaurants, hotels, hospitals, and retirement homes

• Subtly change airport radar signals so that air traffic controllers would unknowingly put passenger planes on the same flight path

• Open the electronic gates and fences at a number of jails and prisons around the country simultaneously, overwhelming law enforcement officials5

• Stage a surprise attack on many of the automated gasoline refineries in the nation, causing enormous, out-of-control fires that would inundate emergency officials and lead to immediate gasoline rationing6

• Contaminate the city water systems, turn the valves backwards at the sewer systems, shut down the electric power grid, and overload the natural gas pipeline system

• Loot bank accounts, transferring all funds overseas7

• Attack individuals’ identities, eliminating their Social Security records, Veterans Department records, driver’s license numbers, bank accounts and credit card numbers, and so on8

All of these are examples of what is known as “information warfare,” or more specifically “offensive information warfare.” Is there something to this, or is it just the product of an overactive imagination? The concept of information warfare—and in particular, offensive information warfare—is perhaps America’s most highly guarded military secret today.9 Most experts in the field believe that the United States is currently the world’s information warfare leader.10But the interconnected nature of modern American society makes the United states “the most vulnerable country in the world” for this sort of warfare, according to the former director of the National Security Agency, our premier electronic warfare agency.“Every one of the examples above has either been tried successfully or will be within the capability of hostile forces in a short period of time, and every one is of deep concern to the American government.12The problem is real.More alarming, the Chinese People’s Liberation Army has the world’s largest information warfare program, after the United States.13
The article:

* Researcher cites report from Illinois State Police
* Says report shows computer was hacked from Russia
* Says water pump was damaged
* Motives of attacker unclear (Adds reaction from cyber security expert)

Nov 18 (Reuters) – Federal investigators are looking into a report that hackers managed to remotely shut down a utility’s water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.

The Nov. 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.

The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.

He said that the same group may have attacked other industrial targets or be planning strikes using credentials stolen from the same software maker.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.

“At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” he said, declining to elaborate further. An FBI spokesman in Illinois did not return phone calls seeking comment.

SCADA SECURITY

Cyber security experts said that the reported attack highlights the risk that attackers can break into what is known as Supervisory Control and Data Acquisition (SCADA) systems. They are highly specialized computer systems that control critical infrastructure — from water treatment facilities, chemicals plants and nuclear reactors to gas pipelines, dams and switches on train lines.

The issue of securing SCADA systems from cyber attacks made international headlines last year after the mysterious Stuxnet virus attacked a centrifuge at a uranium enrichment facility in Iran. Many experts say that was a major setback for Iran’s nuclear weapon’s program and attribute the attack to the United States and Israel.

In 2007, researchers at the U.S. government’s Idaho National Laboratories identified a vulnerability in the electric grid, demonstrating how much damage a cyber attack could inflict on a large diesel generator. (To see video that was leaked to CNN: here)

Lani Kass, who retired in September as senior policy adviser to the chairman of the U.S. Joint Chiefs of Staff, said the United States should take the possibility of a cyber attack seriously.
“The going in hypothesis is always that it’s just an incident or coincidence. And if every incident is seen in isolation, it’s hard — if not impossible — to discern a pattern or connect the dots,” Kass told Reuters.
“Failure to connect the dots led us to be surprised on 9/11,” she said, describing the Sept. 11, 2001 hijacking attacks as a prime example in which authorities dismissed indicators of an impending disaster and were caught unaware.

Representative Jim Lanvevin, a Democrat from Rhode Island, said that the report of the attack highlighted the need to pass legislation to improve cyber security of the U.S. critical infrastructure.

“The stakes are too high for us to fail, and our citizens will be the ones to suffer the consequences of our inaction,” he said in a statement.

Continue Reading Article: UPDATE 3-U.S. probes cyber attack on water system (Reuters)