Dec 12 2018

Catalin Cimpanu reports:

Ships suffer from the same types of cyber-security issues as other IT systems, a recent document released by the international shipping industry reveals.

The document is the third edition of the “Guidelines on Cyber Security onboard Ships,” an industry-approved guide put together by a conglomerate of 21 international shipping associations and industry groups.

While the document contains what you’d expect it to contain – rules and guidance for securing IT systems onboard vessels – it also comes with examples of what happens when proper procedure isn’t followed.

These examples are past cyber-security incidents that have happened on ships and in ports, and which had not surfaced in the public eye until now.

Read more on ZDNet, where Catalin provides some chilling examples from the report. The guideline can be accessed from here, here, here, or here.

Dec 04 2018

Alex Isenstadt and John Bresnahan report:

The House GOP campaign arm suffered a major hack during the 2018 election, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.

The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor.

Read more on Politico.

Nov 21 2018

Phil Heidenreich reports:

The Edmonton Humane Society issued an apology on Tuesday after it says the personal financial information of at least five participants in one of its programs was “accidentally posted on the organization’s corporate website for a short period of time.”

Nov 13 2018

Bob Diachenko of Hacken reports:

Kars4Kids is a charity that asks people to donate their cars, motorcycles, RVs, and real estate. They are best known for their nationwide advertising using their hypnotic theme song, in which a child and a Johnny Cash impersonator sing the phone number and invite people to donate their cars today.

On the 3rd of November, Bob Diachenko, Director of Cyber Risk Research at Hacken, found what appeared to be a publicly accessible MongoDB. Upon further investigation, the data seemed to contain the emails and personal data of 21,612 Kars4Kids donors/customers, as well as super administrator login and password details.

Read more on HackenProof. Zack Whittaker of TechCrunch also reports on the incident, which involved a hack as well as the leak.

But note the problems Bob had with making notification to the charity. It is the same frustrating situation that I have encountered – and reported on – numerous times. Bob writes:

On the 3rd of November, a notification email was sent to multiple email addresses with no reply, and the database remained open until the evening of November 5th. It took 3 hours by phone to reach someone, despite telling the volunteers who answer the phones that this was a serious issue and that we needed to speak with someone in the IT department or senior management. On one occasion the call was forwarded to someone in Israel who could not give me names, contacts, or emails of anyone who could secure the data, and who told me to call the same main number again.

We understand that it is a common practice to create a buffer zone between the public and senior managers or leadership. However, the most shocking thing was that an organization or company would not have a data breach or crisis action plan for when a report is made. During the notification process, we told anyone who would listen what happened, how important it is and that we must speak with someone to help secure this data urgently. The issue here is that every organization must understand the value of the information they store and collect. They must take every possible step to secure and protect that data. This includes training everyone to be on the same page and enact a data breach protocol for when the worst happens.

To my knowledge, the FTC has only taken enforcement action once for failure to have an incident response plan in place that enabled people to quickly report leaks or breaches. The FTC does not have authority under Section 5 to go after a not-for-profit, so who would do anything about this incident? Would a state attorney general’s office go after a charity that is oriented to helping kids? It might make for bad PR for the office.

Anyway, if anyone received a notification from Kars4Kids, please send a copy along. I’d like to see what they told those affected.

Nov 13 2018

Andrew Blake reports:

Marcel Lehel Lazar, a prolific computer hacker known as “Guccifer,” has been extradited to the United States to finish serving a prison sentence related to a cybercrime spree credited with exposing Hillary Clinton’s use of a personal email account while secretary of state, outlets in his native Romania reported Monday.

Romania’s Alba Iulia Court of Appeals said that Lazar has been sent to the U.S. at the request of Interpol to finish serving a prison sentence handed down in 2016, regional outlets including Digi 24 reported.

Read more on the Washington Times.