Hackers Manipulate Water Treatment Operations, Invade Adele’s Privacy, and Plunder Diamonds on the High Seas
Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.
In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:
Hacktivists Mess with Chemicals in Water Treatment Plant
Talk about your doomsday scenario: Hackers infiltrated a water utility’s control system and changed the levels of chemicals used to treat tap water, according to Verizon Security Solutions.
Verizon describes the attack against the "Kemuri Water Company,” a pseudonym for a real firm in an unspecified country, in this month’s IT security breach report.
A "hacktivist" group with ties to Syria compromised Kemuri's computers after exploiting unpatched Web vulnerabilities in a payment portal connected to the public Internet.
The hack -- which involved SQL injection and phishing -- was made easier because login credentials for the operational control system were stored on the Web server. The same hack also resulted in the exposure of personal information of the utility’s 2.5 million customers.
USA Cycling Riders Warned About ID Theft
USA Cycling told members personal information associated with their online accounts might have been compromised and instructed them to change their passwords immediately.
"What we know of the incident is that a hacker gained access to at least some of our databases within the last two weeks," USA Cycling said. "We believe we have now secured all our systems and face no further data security risks. We are notifying you as soon as we were able to assess the situation and secure our systems."
In an FAQ, the organization said members' passwords were unencrypted:
"We were aware of this need, and have been exploring fixing that data security vulnerability for the last several months. But the legacy IT system we have been operating on for the past decade or more makes the transition very difficult and costly. And because we are embarking on a total overhaul of our IT systems, which will include moving to encrypted data storage within the next several months, we chose not to invest in our current system and then promptly replace it with a new system. In hindsight, we regret that decision as we should have encrypted data on our old system with absolute urgency. We are very sorry for this mistake."
Hackers Tip Off Pirates to Ship’s Precious Cargo and Coordinates
A major Middle Eastern shipping concern freaked out and called Verizon’s breach response team, when it looked like robbers had advance knowledge of what was on its ships.
It can take up to days to go through the tens of thousands of shipping containers on a major cargo vessel. These looters, however, were in and out in 90 minutes.
When crews emerged from the designated “safe rooms” where they hide during hijackings, they found that most of the cargo — cars and car parts — was untouched.
The pirates had tampered with the ones holding diamond jewelry. That meant the pirates likely had access to the ships’ manifests and bills of lading, documents that would provide the exact location of the most valuable and easy-to-move cargo on the ship.
“The obvious, immediate suspicion was that the pirates had someone on the inside," BuzzFeed reports. "But the company rechecked its employees’ backgrounds and came up short."
So, the company flagged down Verizon. The team discovered someone had installed a so-called Web shell, malicious software that enabled unauthorized users to browse, query and download files from the content management system. Hackers had visibility into info on just about everything the shipping company did.
What’s worse: The shipping company’s CMS included near-real-time GPS tracking of its vessels.
Whoever was stealing this data knew exactly where the ships would be, exactly what was on them and where. It didn’t get much easier to be a pirate.
Miscreant Publishes Hacked Photos of Adele's Son, Including a Baby Scan
Images of the singer's newborn swaddled in blankets and other family photos were circulated on Facebook.
A hacker is believed to have first accessed the images through her partner Simon Konecki’s email. One image shows the results of Adele’s 5-month scan, when prospective parents usually find out the child’s sex.
The Sun on Sunday alerted Adele’s management to the breach on March 18. The pictures were circulated on the social network among a privately run group of the singer’s “mega-fans.”
One of the members was so appalled by the privacy invasion, he also contacted her management. The whistleblower told the Sun, “I think it is disgusting that her so-called fans were sending them around and I thought it should be stopped.”
While Adele is known for lyrics detailing personal heartache, the record-breaking singer is very protective of her privacy.