Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/

Personal data of former and current students in New York public schools is leaked after the hacking of a widely used online grading and attendance system
Mon, 28 Mar 2022 17:11:04 +0000
https://www.securitynewspaper.com/2022/03/28/personal-data-of-former-and-current-students-in-new-york-public-schools-is-leaked-after-the-hacking-of-a-widely-used-online-grading-and-attendance-system/

The New York Department of Education has confirmed that the personal information of up to 820,000 former and current students in the city’s public schools was exposed due to the cyberattack against an academic assistance firm contracted by some local governments in the U.S. According to the authorities, Illuminate Education, the affected firm, acted deceptively by assuring its clients that all the information they delivered was encrypted, when some of these records were stored without any encryption.

The incident, detected in January, also led to a disruption of grading and academic attendance systems, and resulted in the exposure of sensitive student information such as:

  • Full names
  • Dates of birth
  • Ethnicity and native languages
  • Identification numbers

At the moment it is unknown if each record exposed includes all the details mentioned. Soon after, it was confirmed that threat actors also managed to extract a database that includes information on students receiving special education, support for lunch at school, and other details.

Cybersecurity specialists believe that this could be the largest security breach affecting data of students ever detected, which makes it necessary for the operators of this data to reconsider their security measures, storage and access to the personal information of users. There are approximately 930,000 students in the New York public school system.

In this regard, the company only confirmed that hackers accessed the data of 15,000 students, although they mention that the investigation is still ongoing. Nathaniel Styer, a spokesman for the New York Department of Education, criticized Illuminate’s stance and accused the company of manipulating its cybersecurity protocols: “We are outraged that Illuminate has represented schools that legitimately demand critical safeguards in the industry.”

The spokesman added that the Department of Education asked the NYPD and the Federal Bureau of Investigation (FBI) to launch an investigation into the incident and the company’s practices, as this could represent a violation of privacy and data protection laws in force in the New York territory.

New York public transportation system is attacked by Chinese hackers
Wed, 02 Jun 2021 23:22:45 +0000
https://www.securitynewspaper.com/2021/06/02/new-york-public-transportation-system-is-attacked-by-chinese-hackers/

Cybersecurity experts report that the computer systems of the New York Metropolitan Transportation Authority (MTA) suffered a new cybersecurity incident possibly linked to the activity of Chinese hacking groups. The incident occurred in late April, though it wasn’t revealed until this week. While the Chinese government’s involvement in some security incidents is still considered speculation, in many cases investigations end up confirming these hypotheses.

Experts say that the threat actors managed to carry out the attack thanks to the exploitation of some vulnerabilities present in this massive communications network, responsible for managing the transport used by millions of people a day. Despite the severity of the incident, experts confirmed that users were not affected in any way.

The report also notes that the attack remained active after the initial engagement via a backdoor. In this regard, an MTA representative mentioned that digital forensic analysis did not reveal the presence of such a malicious implementation, in addition to confirming that cybercriminals did not access confidential information of users of the public transportation system.

The agency also maintains that other attack attempts targeting other government and law enforcement agencies were detected, although so far everything indicates that the hackers did not manage to access any of the other networks attacked. This does not mean that the cybersecurity of government agencies is invulnerable, as repeatedly over the past year threat actors have proven to master effective methods and tools for accessing public and private networks.

This isn’t the only recently detected security risk. Just a few hours ago, a specialized platform confirmed that a hacking group is exploiting a dangerous zero-day vulnerability in a WordPress plugin; the problem grows when considering that the compromised plugin is installed on almost 20 thousand websites. At the moment it has not been possible to release a security update, so users are advised to disable the vulnerable plugin until it is fixed.

Cybersecurity training will be compulsory for lawyers in some U.S. states
Fri, 04 Sep 2020 18:55:48 +0000
https://www.securitynewspaper.com/2020/09/04/cybersecurity-training-will-be-compulsory-for-lawyers-in-some-u-s-states/

Information security is no longer an issue where only experts need to stay updated. The New York State Bar Association (NYSBA) House of Delegates approved a proposal for attorneys in this region to complete cybersecurity training courses as part of the Continuing Legal Education (CLE) requirements they must meet.

This proposal originates after the Technology and Legal Profession Committee submitted a report on the cybersecurity risks that legal firms currently face.

Approval of this proposal could take place before October, which would be a good sign of New York lawyers’ commitment to the safety of legal service users. It should be remembered that legal firms that store confidential information of their customers and employees in electronic means must ensure adequate protection of this data, which involves the constant training of their IT staff, for compliance with the New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act.

Experts say cybersecurity threats to legal firms have increased considerably. In an investigation published in the New York Law Journal, the Committee notes that the number of computer security incidents affecting law firms has increased by 100% compared to 2018.

Security incidents could increase due to the pandemic, as multiple firms have turned to work from home, largely depending on remote communication platforms and making their employees more vulnerable to cyberattacks.

In addition to applying to law firms, the SHIELD Act also applies to any individual or company that owns or licenses computerized data from New York residents. To comply with the Act, companies and individuals must develop, implement and maintain reasonable security mechanisms to protect the safety of their users.

Legal professionals work continuously with sensitive and even confidential information, which is why the guild has begun to consider cybersecurity training as a way to protect private information from any incident that could compromise its integrity. In addition, under the New York Professional Conduct Rule, attorneys must make any reasonable effort to prevent inadvertent or unauthorized disclosure or use of, or unauthorized access to, the information they work with, so this proposal is, in practice, a new way to enforce state law.

New York has an electronic prison for hacking iPhones
Fri, 24 Jan 2020 00:17:29 +0000
https://www.securitynewspaper.com/2020/01/23/new-york-has-an-electronic-prison-for-hacking-iphones/

The controversy over the use of encryption in iOS and Android smart devices was recently rekindled. First, Apple and Google argue that encryption is the main tool for users’ data protection, while government agencies claim that implementing a way to access these devices would represent a major step forward in combating criminal activities.

With the release of the iOS 8 operating system, Apple began implementing encryption on all of its products to protect users, as they were too exposed to malicious hacking activity. An identical measure was implemented by Google soon after. Since then, something of a race has been under way between US government agents trying to obtain information from these devices and the developer companies, which have implemented increasingly stringent security measures.

The dispute between the US government and these companies is far from being over; meanwhile, law enforcement agencies have found a third way to bypass encryption on these devices without violating data protection legislation. Cyrus Vance Jr., Manhattan district attorney, and the city’s Cybercrime Unit created a kind of prison for a specific purpose: extracting information stored on some smart devices using brute force tactics before their owners delete this data, which could be useful in criminal investigations.

Cyrus Vance Jr., Manhattan District Attorney
SOURCE: Fast Company

The entrance to this “prison” resembles that of a bunker. This installation consists of a radio frequency isolation chamber protected behind two hermetically sealed steel doors. Connected to the walls of this chamber are dozens of Apple devices (iPad/iPhone), which were confiscated in connection with crimes currently under investigation.

Entrance to the laboratory facilities
SOURCE: Fast Company

All devices found in these facilities are connected to a set of computers with massive processing power, dedicated to generating random number sequences to try to decrypt the access codes to these confiscated devices. Researchers working here can even take advantage of other systems that aren’t used at night to create a local supercomputer network, according to a report by the business magazine Fast Company.

During the interview, Steve Moran, director of the High Technology Analysis Unit, showed as an example of the work done in this lab an iPhone on which more than 10k possible combinations have been tested: “This would have been enough to decrypt a four-digit password. However, Apple has been using six-digit access codes for the last five years, which requires a million possible combinations to be tested,” he said.

Steve Moran, Director of the High Technology Analysis Unit
SOURCE: Fast Company

In addition, data protection specialists point out that Apple restricts the number of times per minute an access code can be entered; this is where investigators of these possible crimes come in. “It is required to think about possible combinations. We need to know some facts: date of birth, wedding anniversary, birthday of wives or children, even the number of a favorite baseball player can be helpful in reducing the number of attempts needed to unlock the devices of the suspects,” adds Moran.

This is not the only variable that affects the operations of this lab, because in addition to the huge number of combinations to test, researchers must also prioritize some specific devices. To this end, Moran designed a workflow that evaluates the most urgent cases; there are currently more than 3,000 low-priority devices sheltered in these facilities.

Just another day of work in the lab
SOURCE: Fast Company

As already mentioned, Apple and Google’s main argument for encryption is data protection, a position entirely justified considering that these companies cover almost 99% of the global smartphone market.

While companies claim that no one, not even their internal staff, can access a device with encryption, prosecutor Vance believes it highly likely that Apple has some kind of secret backdoor. “Apple accesses our devices all the time: OS updates, SMS messages, external links, it’s all part of that invasive practice.” Despite these claims, shared by a considerable number of experts on the subject, the user privacy argument has prevailed over the demand for access to these files.

Privacy is at the heart of the latest iPhone marketing campaign
SOURCE: Apple

On the other hand, Vance considers that the request to remove encryption is not exaggerated or unfounded, as there are cases where information stored on smart devices recovered at crime scenes or raids has been instrumental in solving complex cases. An example is the arrest and conviction of Lamar Davenport for the murder of E’Dena Hines, granddaughter of actor Morgan Freeman. The prosecutor in charge of the case presented as evidence a video found on the defendant’s iPhone after months of investigation to access the device. “Not only that; thanks to the activity of this laboratory we have found useful information to prove the innocence of at least 16 suspects in various crimes,” he adds.

Vance’s anti-encryption campaign has not been limited to his local environment. The prosecutor has met on several occasions with members of Europol and Interpol, published articles in all kinds of magazines, and tried to establish contact with the representatives of the technology companies.

The International Institute of Cyber Security (IICS) points out that, before 2014, technology companies seemed to have no problem cooperating with law enforcement agencies, even noting that Apple’s collaboration was considered outstanding and effective. However, this cooperative work came to a breaking point after Edward Snowden’s revelations about the US National Security Agency’s espionage activity. While all of the tech companies mentioned by Snowden denied collaborating with the US government, Apple opted for a more vigorous demonstration of privacy engagement, launching the iOS 8 system, which included full encryption for the first time.

This laboratory is one of the main tools for the investigation of criminal cases in the city, as it has the most complex hardware resources available, in addition to specially developed software to apply brute force to these devices. However, with the emergence of new versions of mobile operating systems, the work of these researchers becomes increasingly complex. “At the beginning of this project, only 52% of the smartphones analyzed were locked, while the number of locked devices is currently 82%,” Moran says, so government agencies are also betting that legislation on mobile device encryption will streamline this work.

In 2020, a Y2K-like vulnerability affects parking meters and videogames
Mon, 13 Jan 2020 19:35:05 +0000
https://www.securitynewspaper.com/2020/01/13/in-2020-a-y2k-like-vulnerability-affects-parking-meters-and-videogames/

Before the start of the 21st century, computer system administrators around the world undertook a titanic, race-against-time effort to update millions of computers to prevent a computer bug known as Y2K, or the Millennium Bug. But what exactly was this flaw? Cybersecurity experts explain it below.

Since their inception in the 20th century, computers were programmed to store dates using only the last two digits of the year instead of all four digits. As the year 2000 approached, this method had to be changed; otherwise systems around the world would reset their dates to 1900, which was a matter of serious concern as more and more industries and public and private services depended on the use of computer networks.

To prevent the supposed catastrophe, developers had two options: rewrite the code to modify the four digits of the year, or release a temporary fix; in the end, the temporary correction was chosen, using a method known as “windowing”. According to today’s cybersecurity experts, this method allowed systems to identify 1900s as the 2000s; almost 90% of computer systems around the world were corrected using this method.

New decade, new bug

This programming error is not unique to the new millennium, as 2020 has only just begun and there are already a couple of reports on a similar flaw. The Department of Transportation (DOT) of New York, US, reported that the city’s parking meters were affected by a flaw that caused drivers’ credit and pre-paid cards to be rejected. “This is an issue related to a system ending date that was never updated,” the DOT said.

The city’s IT department began working immediately on the flaw, so a few days later the city’s more than 10,000 parking meters were working normally, cybersecurity specialists mentioned. The DOT tracked the incident through its Twitter account.

A similar bug affected the gamer community. Some users of the WWE 2K20 video game reported an error forcing a reset of the date to 2019 that was noticeable from the first minutes of January 1st, 2020. A few hours later, 2K, developers of this video game, announced the release of a fix for this flaw.

According to the International Institute of Cyber Security (IICS), these errors occurred during the transition from 2019 to 2020 because only temporary solutions were implemented twenty years ago, so these may not be the only cases of failures in the dates of computer systems.

A New York airport under ransomware virus attack
Fri, 10 Jan 2020 22:44:31 +0000
https://www.securitynewspaper.com/2020/01/10/a-new-york-airport-under-ransomware-virus-attack/

According to an ethical hacking firm, an airport in northern New York, along with its IT service provider, suffered a ransomware attack during the past holidays, specifically on Christmas Day.

On Thursday, Albany County Airport officials acknowledged the incident, indicating that the attack was detected after LogicalNet, the airport’s IT services contractor, revealed that its management services network had been compromised. Subsequently, the encryption malware managed to spread and reach the airport administration servers, including backup servers.

According to ethical hacking experts, ransomware managed to encrypt thousands of administrative files, such as spreadsheets with information about the budget of facilities, itineraries and personal information of both employees and users. However, the authorities state that the incident did not compromise the operations of the airport or the activities of the airlines providing services there.

The airport administration had an insurance policy against cybersecurity incidents, so the insurer authorized the payment of a ransom in Bitcoin to restore compromised systems. Although airport officials did not specify the ransom amount, they mentioned that it was under six figures. The payment was reportedly sent to the hackers on December 30; by early 2020 everything had returned to normal.

Philip Calderone, CEO of Albany Airport Authority, mentions that the airport contract with LogicalNet included the insurance policy in the event of an incident like this, which was very helpful in acting promptly. However, the airport executives decided to terminate the contract with this IT company; so far LogicalNet has not commented on this.

Although the incident has already been resolved and operations have returned to normal, ethical hacking experts mention that the investigation is still ongoing, so the FBI and the unit known as New York State Cyber Command will request the appearance of airport officials and the contracting company.

The International Institute of Cyber Security (IICS) was informed that the malware variant used in this attack is Sodinokibi, which had already been used in other similar incidents, such as that at the currency exchange company Travelex, which suffered an infection that forced the shutdown of its operations worldwide.

Once again Connecticut, New York and Florida schools are infected with ransomware
Thu, 12 Sep 2019 23:02:28 +0000
https://www.securitynewspaper.com/2019/09/12/once-again-connecticut-new-york-and-florida-schools-are-infected-with-ransomware/

The recent wave of ransomware attacks on school districts in various U.S. states does not stop and has claimed new casualties. Digital forensics specialists reported an incident at some schools in Wakulla County, in Florida, where the school district has already met with its insurance company to determine the most appropriate measure.

Robert Pearce, the school district’s superintendent, mentioned that they have been in contact with hackers since the incident was spotted. “After infection the attackers contacted us to inform us about the situation, as well as to set the amount of Bitcoin demanded as a ransom; there are other details that I cannot reveal now, as an investigation is underway,” the superintendent said.

The district’s digital forensics team concluded that hackers did not manage to access students’ personal information; however, the attack shut down some school systems and email servers. “At this moment it is not possible to access all our systems, but operations have not stopped completely,” Pearce added. This is the third recently reported ransomware incident in a school district in Florida.

Nonetheless, bad news is not limited to Florida. The Central School District in Groton, a small town in Connecticut, has disclosed a ransomware infection in its systems that occurred during the past week. During the incident, the records of nearly a thousand students were exposed; compromised personal data include students’ full names, email addresses, dates of birth and school identification numbers.

According to digital forensics specialists, the incident reportedly began in November 2018 due to unauthorized access to one of the school district’s storage systems, which stopped receiving support and updates nearly 4 years ago. On this occasion, it was the FBI that notified Groton school authorities of the incident.

People from the small town Wolcott have reportedly been hardest hit by this incident, as authorities are continuing to investigate the attack that completely shut down access to the district’s school systems. “Our school systems were attacked, a team of digital forensics experts is working to regain access to the systems,” said Thomas Dunn, Mayor of Wolcott.

Finally, last June 13 users detected that the ransomware had blocked access to multiple storage systems. The incident forced authorities to shut down all computer systems in the district for more than a week.

Experts from the International Institute of Cyber Security (IICS) recently reported multiple similar incidents affecting school districts in other U.S. territories, mainly in New York and Louisiana, where a state of information security emergency was even declared for the first time, which allowed local authorities to obtain the resources needed to begin their data recovery process.

In other cases, such as Riviera Beach in Florida, local authorities decided to agree on a payment with the attackers and regain access to their systems immediately, as they considered the recovery process to be both too costly and too slow.

A New York school is under a major ransomware attack
Wed, 04 Sep 2019 23:07:34 +0000
https://www.securitynewspaper.com/2019/09/04/a-new-york-school-is-under-a-major-ransomware-attack/

It seems that the start of the school year at a New York school should be re-scheduled. According to web application security specialists, an elementary school in Orange County has been the victim of a ransomware attack that prevents its normal operations.

“A cybersecurity threat has significantly impacted operations all around the school district, so the date of the school year beginning will be changed,” mentions an email from the Monroe-Woodbury School District sent to parents last Monday night. In addition, the school will hold an extraordinary meeting with Elsie Rodriguez, the school district’s Superintendent in the coming days.

“We are aware of the difficulties that this change at the beginning of the school year may cause to families whose children attend this school,” the message sent to parents mentioned. “The safety of our students is our top priority, so we consider it necessary to take a little more time to correct this incident,” she says.

The school district is collaborating with a web application security firm to restore compromised systems using daily information backups. “This is part of our regular cybersecurity incident care protocol,” Rodriguez said. Although not explicitly mentioned, it is presumed that the school district will not pay the ransom to hackers.

Although school districts are not common targets of cyberattacks, this is the fourth time that a school district in the U.S. tri-state area (made up of the states of New York, New Jersey and Pennsylvania) has been the victim of a ransomware attack over the past two months, so this has become a trend that worries the cybersecurity community.

According to web application security specialists from the International Institute of Cyber Security (IICS), a couple of weeks ago a serious encryption malware infection was detected in some school districts on Long Island and Mineola. A third ransomware attack was reported at Rockville Center; in that case, local authorities decided to pay the threat actors nearly $90k USD.

New York government paid $88k USD due to ransomware attack despite having firewall and antivirus solutions
Tue, 27 Aug 2019 19:06:06 +0000
https://www.securitynewspaper.com/2019/08/27/new-york-government-paid-88k-usd-due-to-ransomware-attack-despite-having-firewall-and-antivirus-solutions/

Despite the complex cybersecurity solutions currently available on the market, a system, network, or computer will never be 100% protected against security threats. Cybersecurity services experts report an incident in New York City that compromised the security of a school district despite having antivirus and firewall solutions.

It is an infection of the dangerous Ryuk ransomware, which has compromised the systems of the Rockville Center School District in New York; due to the infection, the local government had to pay almost $90k USD to hackers to regain access to the files encrypted by the malware.

The incident occurred on June 25, according to a report published by the specialized platform SC Media. Although the administrators implemented the best available security measures, the ransomware operators managed to complete the infection and eventually district security services personnel were forced to shut down all computers on the network to prevent the spread of the ransomware.

“We detected the encryption process at a relatively early stage, so our insurance company was able to arrange payment of less than what was initially intended by the attackers, so it only corresponds to the New York government a $10K USD payment of deductible,” school district officials said. SC Media’s report holds that the initial ransom amount was over $170k USD.

On their decision to pay the ransom, the authorities stated, “We exhausted all our efforts trying to regain access to the information on our own. However, after analyzing the consequences that the permanent loss of this data could generate, we decided to pay the ransom to keep up the district’s operations.”

According to cybersecurity services experts, the Rockville Center School District is not the only one that has been the victim of cyberattacks in recent times. Several reports indicate that a series of malicious campaigns have been deployed for at least the past six months against the entire New York Department of Education, which has sent safety warnings to all school districts in the state, trying to prevent future security incidents.  

While specialists strongly recommend not paying the ransoms demanded by hackers in these cases, it is increasingly common for affected companies to try to negotiate with the attackers; some cybersecurity insurance policies have even been updated to include coverage against ransomware attacks.

International Institute of Cyber Security (IICS) cybersecurity services specialists have reported similar incidents recently. Among the most prominent cases are ransomware infections in multiple cities and counties in the state of Florida and at least two school districts in northern Louisiana. In these cases, the affected organizations also decided to yield to the demands of the threat actors and pay the ransom to recover their information. It is worth remembering that paying is not advisable, as there is no guarantee that the attackers will keep their part of the deal and restore the compromised access once the ransom is paid.

New York power blackout; did Iran perform a counter cyberattack?
https://www.securitynewspaper.com/2019/07/15/new-york-power-blackout-did-iran-did-performed-a-counter-cyberattack/
Mon, 15 Jul 2019 23:13:52 +0000

Last Saturday night, a blackout in New York left the entire Manhattan area without electric power; interestingly, the incident occurred on the anniversary of the massive 1977 blackout that left the entire city without power, crippling traffic and all work, academic and domestic activities, network security specialists report.

Con Edison, one of the power providers in New York, said that the incident, which occurred Saturday at 16:47, was caused by a transformer failure, although the full details will not be known until the investigation is completed; electricity service was fully restored around midnight, local authorities said.

In addition to the failures in public lighting, the blackout caused the closure of four New York subway stations (Columbus Circle, Rockefeller Center, Hudson Yards and Fifth Avenue); according to network security experts, train operators had to manually operate some mechanisms to get passengers to the nearest station.

Due to the blackout, hundreds of people had to light their way home with their smartphone flashlights, while in large residential buildings people had to use the stairs, as the elevators did not work. In some parts of Manhattan, such as the neighborhood known as Hell’s Kitchen, residents had to assist the police in directing traffic.

Although neither the responsible authorities nor the companies involved have determined the exact cause of the incident, rumors were quick to emerge. According to network security specialists at the International Institute of Cyber Security (IICS), some believe there could be a link between this incident (and similar incidents) and the cyberwarfare that has begun between the U.S. government and Iran.

Recently, the Iranian authorities claimed to have dismantled a CIA-operated spy network, in an operation that concluded with multiple arrests of international spies conducting intelligence tasks in the Middle East. In addition, the disruptive power of government-sponsored hacker groups is well known: on previous occasions, hacking campaigns have been reported targeting other governments’ power grids, capable of massively disrupting energy supply using sophisticated malware variants. While there is still a long way to go before the investigations conclude, experts should not rule out any possibility.

New York City suffers massive ransomware attack against several government institutions
https://www.securitynewspaper.com/2019/04/02/new-york-city-suffers-massive-ransomware-attack-against-several-government-institutions/
Tue, 02 Apr 2019 21:53:21 +0000


Last weekend the New York government announced that the city suffered a ransomware attack that managed to compromise some government administrative systems, reported ethical hacking training specialists from the International Institute of Cyber Security (IICS).

The attack focused almost exclusively on the Albany area, the capital of New York, and affected the regular functioning of some of the city’s systems, some of which are still unable to operate normally. For now, people who wish to obtain copies of their birth certificates, marriages, licenses, among others, must wait for the affected systems to be restored or go to alternative locations in other cities.

“The City of Albany has become the most recent victim of a ransomware attack; we are conducting the relevant investigations to determine the full scope and impact of the incident,” said Kathy Sheehan, mayor of Albany. Sheehan clarified that the rest of the local systems and services are operating normally.

According to the ethical hacking training specialists, the initial scope of the ransomware attack is still unknown, although the authorities already have some indications of its magnitude.

Representatives of the Albany police officers’ union recently stated that they do not currently have access to some of the local police systems, such as scheduling systems, corporate email or any system that requires an Internet connection to operate. Some officers even claimed that the ransomware has affected the computer systems installed in patrol cars; police officers use these systems for incident records, monitoring, etc.

“Because of this situation, our ability to respond to incidents may be affected, as our work tools are not working at all,” the union representatives said.  “A police corporation’s computer systems should be harder to hack,” they concluded.

Ransomware campaign operators have shown a growing interest in compromising government systems, said the ethical hacking training specialists. Some specialists believe that the need to keep the government’s administrative systems online makes it more likely that the authorities will agree to pay the ransom demanded by the threat actors.

Two Iranian hackers were indicted by the U.S. Department of Justice (DOJ) for the ransomware attack campaign against some companies and institutions of the U.S. government and Canada last November. According to the DOJ, the damage caused by these attacks is estimated at over $30M USD.

Deadline to comply with cybersecurity legislation in New York
https://www.securitynewspaper.com/2018/09/07/deadline-to-comply-with-cybersecurity-legislation-in-new-york/
Fri, 07 Sep 2018 07:01:58 +0000


Following the adoption of strict regulations such as GDPR and CaCPA, New York takes vigorous action to demonstrate that cybersecurity is not optional

For ethical hacking specialists, 2018 has been marked by the approval of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CaCPA). Ethical hacking experts from the International Institute of Cyber Security consider that these regulations represent a significant change in the way the business community manages and protects consumer information.

Amid the implementation of these regulations, the approval of the cybersecurity regulations of the New York State Department of Financial Services (23 NYCRR 500) has gone unnoticed; the deadline to comply with them was September 4.

This is a set of regulations of the New York Department of Financial Services (DFS) that establishes new cybersecurity requirements in all financial institutions covered by this law. This law shall apply to all entities operating under license, registration or charter of the Department of Financial Services of New York, or otherwise governed by DFS.

While its counterparts GDPR and CaCPA refer to the duty to maintain safety practices and procedures equivalent to the risk of harm to consumers, the New York regulation explicitly demands a strong and unique application security program.

As marked in section 500.08: The cybersecurity program of each Covered Entity will include written procedures, guidelines and standards designed to ensure the use of safe development practices by the Covered Entity, as well as procedures to evaluate or test the security of in house and external applications used by the Covered Entity in its technological environment.

In other words, organizations have a duty to comply with an application security standard. By covering in-house applications as well as external developments, the law ensures that any software used by these organizations is analyzed; in addition, it specifies that continuous analyses should be implemented.

Organizations that employ fewer than 10 people, that have produced less than $5M USD in annual gross revenues in each of the last three years, or that have less than $10M USD in total assets at the end of the year are exempt from compliance with certain requirements of the regulation.

Ethical hacking specialists mention that an organization’s cybersecurity budget is usually spent on network protection, but application code vulnerabilities are the primary target of hackers. This can be seen in any known case of high-profile data theft, where the vulnerabilities lie in some unpatched software; that is one of the reasons why this law includes a specific section on application security.
