Jun 20 2018

When you think of consequences of employees clicking on phishing emails, did you ever think about how an entire state government might wind up having their email domain blacklisted?  It happened to Oregon because oregon.gov was used to send out spam after an employee clicked on a phishing email.  Hillary Borrud reports:

Oregon’s state technology workers are scrambling to fix a problem that is preventing thousands of government employees from corresponding with members of the public via email.

Several private email providers have blacklisted the state email domain Oregon.gov after a state employee apparently clicked on a phishing email earlier this month that allowed a hacker to access the state’s computer system.

“The malicious link hijacked the state-owned PC and generated over eight million spam emails from an Oregon.gov email address,” state officials wrote in an email explaining the situation to employees on Friday.

Now, private citizens with certain email providers can’t receive emails from state employees.

Read more on OregonLive.

Jun 19 2018

Wow. Rachel Weiner reports that data in the Office of Personnel Management (OPM) hack may have shown up as part of a fraud scheme:

Four years after hackers stole personal information from over 22 million people through the Office of Personnel Management, a fraud scheme exploiting that data has come to light in southeast Virginia.

Two people have admitted in Newport News federal court that they used the stolen identities to take out fake loans through a federal credit union. The case appears to be the first involving OPM data to be publicly revealed by the Justice Department.

Read more on The Washington Post.

Update: So that headline may have been a bit optimistic. Looking through the court filings in Cross’s case, I don’t see any hard evidence that the data used in this fraud scheme came from the OPM hack. So far, the closest I’ve found is one sentence in the “Statement of Facts” used as part of the plea deal that says:

6. Investigators determined that many of the identity theft victims had been victims of the United States Office of Personnel Management data breach and resided in Colorado.

Not exactly super-compelling, is it? So maybe we do have some evidence of misuse of the data. Or maybe we don’t.

Jun 19 2018

There’s a follow-up to a case noted previously on this blog involving a serial DDoS attacker described by others as the internet’s most inept criminal.

From the U.S. Attorney’s Office, District of Arizona, today:

An Arizona man was sentenced yesterday in Phoenix, Ariz., for directing distributed denial of service (DDoS) attacks at the computer networks of the City of Madison, Wis., announced Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division and First Assistant U.S. Attorney Elizabeth A. Strange for the District of Arizona.

Randall Charles Tucker, aka “Bitcoin Baron,” 23, of Apache Junction, Ariz., was sentenced to serve 20 months in prison by U.S. District Judge Douglas L. Rayes of the District of Arizona. He was also ordered to pay restitution in the amount of over $69,300 to the victims of his computer attacks. Tucker had previously pleaded guilty to one count of intentional damage to a protected computer.

According to admissions made in connection with his plea, between March 9 and March 14, 2015, Tucker executed a series of DDoS attacks against various city websites, including Madison, Wis. A DDoS attack is a malicious attack where illegitimate network traffic is used to slow down or altogether crash a computer server, thereby denying service to legitimate users of the server.  In addition to disabling the City of Madison’s website, the attack crippled the city’s Internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit to a medical, fire, or other emergency. Tucker, referring to himself as the “Bitcoin Baron,” boasted about his attacks via social media.

This case was investigated by FBI’s Milwaukee and Phoenix Field Offices, and Arizona’s Department of Public Safety.  Assistant U.S. Attorney James R. Knapp of the District of Arizona and Trial Attorney Laura-Kate Bernstein of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case.  The U.S. Attorney’s Office for the Western District of Wisconsin also provided substantial assistance in this manner.

CASE NUMBER: CR-16-01065-PHX-DLR (BSB)

RELEASE NUMBER: 2018-081_Tucker

Jun 19 2018

Roxana Hegeman reports:

A civil rights group filed a federal lawsuit Tuesday against Kansas Secretary of State Kris Kobach challenging a multi-state voter registration database it claims exposed sensitive information including partial Social Security numbers from nearly a thousand state voters.

The complaint by the American Civil Liberties Union of Kansas alleges “reckless maintenance” of the Interstate Voter Registration Crosscheck Program, which compares voter registration lists among participating states to look for duplicates.

Read more from AP on WABI.

Jun 18 2018

There’s a huge update in a significant case noted last month on this blog. Adam Goldman reports:

Federal prosecutors have charged a former software engineer at the center of a huge C.I.A. breach with stealing classified information, theft of government property and lying to the F.B.I.

The engineer, Joshua A. Schulte, 29, of New York, had been the main suspect in one of the worst losses of classified documents in the spy agency’s history.

Read more on the New York Times.