Hackers got into the New York Law Department’s secure files with just one password, Telecom News, ET Telecom


By Ashley Southall, Benjamin Weiser and Dana Rubinstein

New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, medical records and personal data for thousands of city employees.

But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network early this month was one worker’s pilfered email password, according to a city official briefed on the matter.

Officials have not said how the intruder obtained the worker’s credentials, nor have they determined the scope of the attack. But the hack was enabled by the Law Department’s failure to implement a basic safeguard, known as multifactor authentication, more than two years after the city began requiring it, according to four people with knowledge of the legal agency’s system and the incident.

The intrusion interrupted city lawyers, disrupted court proceedings and thrust some of the department’s legal affairs into disarray. And on Tuesday morning, in a conference call, Mayor Bill de Blasio admonished the heads of city agencies to shore up their cyberdefenses or face consequences in the event their agencies were hacked, according to three people who were on the call.

The mayor’s warning to the agency heads comes 10 days after the city’s Cyber Command, created by de Blasio in 2017 to defend the city’s computer networks, detected unusual activity on the Law Department’s computer system.

The next afternoon, June 6, city officials have said, they removed the department’s computers from the city’s larger network. Many remain disconnected.

De Blasio, in public appearances last week, said that the hack was under investigation by the New York City Police Department’s intelligence bureau and the FBI’s cyber task force. He said officials were not aware of a ransom demand being made or of any information being compromised.

Officials also said there was no evidence that the attack had damaged the city’s computer systems, though the investigation was still in an early stage. Investigators are still trying to determine the identity of the perpetrator and the motive.

“We’ve identified the…


The AN0M fake secure chat app may have been too clever for its own good • The Register

Comment In April 1943, Japanese admiral Isoroku Yamamoto was killed when US Army Air Forces fighters shot down the plane carrying him to Balalae Airfield in the Solomon Islands.

The attack was made possible by the US cracking Japanese codes and decrypting a message that revealed Yamamoto’s flight plan would take him just within range of America’s scarce long-range aircraft.

The chances of those aircraft happening upon Yamamoto were very small so US strategists worried Japanese analysts might conclude an attack was only possible had their codes been broken.

The US chose to kill Yamamoto, because he was felt to be so important to the war effort that losing access to decrypted intelligence was worth the risk. But on other occasions in World War II, troops were sent into harm’s way to protect intelligence sources.

Which brings me to last week’s news that Australian and US law enforcement agencies seeded a backdoored encrypted chat app named AN0M into the criminal underworld, then intercepted word of a great many crimes and swooped to arrest those responsible.

Late last week, FBI International Operations Division legal attaché for Australia Anthony Russo added another important piece of information: speaking to Australian newspapers he said one reason for discontinuing use of AN0M was that it produced too much intelligence.

“The volume [of content] was increasing at a scale and our ability to resource it and monitoring it really wasn’t scalable commensurate to the growth,” he reportedly said.

Russo said authorities therefore decided enough was enough, and revealed AN0M’s existence. We also noted that, in March, someone poking around in the software’s code spotted what looked like a backdoor and raised the alarm in a later-deleted blog post.

I’d been thinking about the Yamamoto story since news of AN0M’s existence was revealed….


Chinese Hackers Breached the New York Subway Computers Through Pulse Connect Secure Vulnerabilities

The Metropolitan Transportation Authority (MTA) disclosed that the New York subway system was attacked by hackers associated with the Chinese government. The Chinese hackers are believed to be part of threat actors involved in a global cyber espionage campaign against government agencies, critical infrastructure entities, and private organizations.

Chinese hackers used Pulse Connect Secure VPN to breach the New York subway system

The Chinese hackers exploited Pulse Connect Secure VPN zero-day vulnerabilities for which patches had not yet been released.

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had issued a joint alert on hackers targeting organizations via VPN vulnerabilities.

The joint alert recommended various mitigations to block Chinese hackers from exploiting Pulse Connect Secure VPN vulnerabilities. A day later, on April 21, the MTA applied those mitigations.

Additionally, CISA had said it assisted several federal agencies, critical infrastructure entities, and private organizations breached since March 31 via Ivanti’s Pulse Connect Secure. Transit officials believe the exploit was part of the wider breach identified by CISA.

Chinese hackers breached the New York subway twice in the second week of April before they were discovered on April 20.

The New York subway reported the attack to the federal authorities without publicly acknowledging the breach until the New York Times reported it.

Investigation into the New York subway breach

The transit agency involved FireEye’s Mandiant division and IBM to conduct a forensic audit. The investigation revealed that hackers accessed three out of 18 computer systems.

The investigation into the New York subway data breach found that the attack did not affect operational systems, with “no employee or customer information breached, no data loss and no changes to our vital systems.”

“Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain…


Five free steps to become a secure small biz

Late nights, early mornings, and working over weekends; familiar phrases for the small business owner, solo operator, and freelancer. So why should such a busy person cut into their limited time to improve their cyber security?

Because businesses across Australia are experiencing every day how a business email compromise or ransomware attack can unravel those countless hours in one fell swoop.

You cannot entirely outsource cyber security. The fundamental defences that spell the difference between a failed attack and a ruined business are the responsibility of everyone.

Fortunately, the tools and methods for achieving great cyber defence have never been easier. And you don’t need to spend a cent. Below are your greatest threats and the defences you can implement to knock them out.

Business email compromise

Small business owners often wait on invoices. Clear deadlines, gentle reminders, and terser emails are standard fare for getting paid. So they may not sweat it when funds fail to materialise after a client’s promise to pay. But business owners and now individual consumers are finding their payments funnelled into the bank accounts of cyber criminals.

These attacks, known as business email compromise (BEC), work in different ways but are typically centred on your email inbox.

How it works: The method of accessing inboxes varies, but a common starting point for criminals is to try to log in with stolen email-and-password combinations found in massive databases compiled from security breaches.

Logging in like this works when people reuse passwords across apps and services. A business owner who reuses the same password for their business email account and their indoor plant fancier’s forum is in peril should the forum be hacked and the password copied into an online database.

Cyber criminals could search the database for a business’ email address and, if they find a hit, use the corresponding password to try to log into the business’ email account.
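The reuse problem described above can be checked on your own side before a criminal does it for you. The following is an added example, not code from the article: it implements the k-anonymity scheme that Have I Been Pwned's Pwned Passwords range endpoint uses (the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally, so the password itself never leaves the machine), and layers a reuse check across a set of accounts on top of it. The breach corpus and the account list are constructed for the example; a real deployment would query the live range endpoint instead of the in-memory corpus.

```python
"""Breached-password and password-reuse audit using the k-anonymity range scheme.

Added example. The 'server' side is an in-memory corpus built from a
constructed list of leaked passwords so that the script runs offline; the
client side is exactly what a real client does against the range endpoint:
hash locally, send a 5-character prefix, match the suffix locally.
"""
import hashlib

# Constructed stand-in for a leaked-credential database. A real corpus
# holds hundreds of millions of SHA-1 hashes, not plaintext.
LEAKED_PASSWORDS = ["password", "123456", "Fern2021!", "letmein", "qwerty"]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(passwords):
    """Server-side index: 5-char hash prefix -> {35-char suffix: times seen}."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


CORPUS = build_corpus(LEAKED_PASSWORDS)


def range_lookup(corpus, prefix):
    """What the server answers for a prefix query: every suffix under it.

    The server never learns which suffix the client cares about.
    """
    return sorted(corpus.get(prefix.upper(), {}).items())


def is_breached(password, corpus):
    """Client side: only the 5-character prefix leaves the client."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, _count in range_lookup(corpus, prefix):
        if candidate_suffix == suffix:
            return True
    return False


def audit_accounts(accounts, corpus):
    """accounts: {service name: password}. Returns {service: [issues]}.

    Flags a password that is reused across services (the forum-plus-business-
    email case from the article) and one that appears in the breach corpus.
    Services with no issues are omitted from the result.
    """
    by_password = {}
    for service, pw in accounts.items():
        by_password.setdefault(pw, []).append(service)

    findings = {}
    for service, pw in accounts.items():
        issues = []
        others = sorted(s for s in by_password[pw] if s != service)
        if others:
            issues.append("reused with " + ", ".join(others))
        if is_breached(pw, corpus):
            issues.append("appears in breach corpus")
        if issues:
            findings[service] = issues
    return findings


if __name__ == "__main__":
    # Constructed account list for a small business owner.
    accounts = {
        "business-email": "Fern2021!",
        "plant-forum": "Fern2021!",
        "bank": "unique-long-passphrase-for-the-bank-9x",
    }
    for service, issues in audit_accounts(accounts, CORPUS).items():
        print(f"{service}: {'; '.join(issues)}")
```

The two checks fail independently: a reused password that is not (yet) in any breach dump is still one forum compromise away from the inbox, and a unique password that is in a dump has probably been reused somewhere the owner has forgotten. Either finding means that account should get a new password and, if the service offers it, multifactor authentication.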

Criminals engaged in BEC have a few options once inside an inbox. A common tactic is to manipulate invoices by setting various mail rules that can redirect incoming and outgoing emails that contain invoices to folders. Setting…
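Those mail rules leave a trace, and hunting for them is the cheapest detection a small business can run. The following is an added example, not code from the article: a scanner over mailbox audit records that flags inbox rules matching the BEC pattern described above (finance-related mail moved to a folder nobody reads, marked as read, forwarded or redirected outside the business, or deleted outright). The record shape follows the Microsoft 365 unified audit log's New-InboxRule / Set-InboxRule events in simplified form, and the audit lines, the business domain (example.com.au) and the external address are all constructed for the example.

```python
"""Flag inbox rules that hide or exfiltrate invoice-related mail.

Added example. Input is one JSON audit record per line. The record layout
(Operation, UserId, Parameters as a list of {Name, Value}) is a simplified
version of Microsoft 365 unified audit log rule events; values are treated
as strings because that is how the audit log carries them.
"""
import json

INTERNAL_DOMAINS = {"example.com.au"}  # assumed: the business's own mail domain
FINANCE_WORDS = ("invoice", "payment", "remittance", "bank", "account")
# Folders attackers use because owners never look in them.
HIDEAWAY_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                    "junk email", "archive", "conversation history"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _params(record):
    """Flatten the Parameters list into a {Name: Value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_recipients(value):
    """Addresses in a forward/redirect value that are outside the business."""
    out = []
    for addr in value.replace("[", "").replace("]", "").split(";"):
        addr = addr.strip()
        if addr.startswith("SMTP:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def classify_rule(record):
    """Return the list of reasons a rule looks like BEC tradecraft (empty if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    for key in FORWARD_KEYS:
        ext = _external_recipients(p.get(key, ""))
        if ext:
            reasons.append(f"{key} to external address(es): {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage set: matching mail is silently removed")
    conditions = " ".join(p.get(k, "") for k in CONDITION_KEYS).lower()
    finance_hit = any(word in conditions for word in FINANCE_WORDS)
    folder = p.get("MoveToFolder", "").lstrip("\\").lower()
    if finance_hit and folder in HIDEAWAY_FOLDERS:
        reasons.append(f"finance-related mail moved to '{p['MoveToFolder']}'")
    if finance_hit and p.get("MarkAsRead", "").lower() == "true":
        reasons.append("finance-related mail marked as read")
    return reasons


def scan(lines):
    """Scan JSON-lines audit records; return one finding per suspicious rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = classify_rule(record)
        if reasons:
            p = _params(record)
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "rule": p.get("Name") or p.get("Identity"),
                "reasons": reasons,
            })
    return findings


# Constructed audit lines: a login, a benign rule, and two rules of the kind
# a criminal sets once inside the inbox.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2021-06-14T02:11:09", "Operation": "UserLoggedIn",
     "UserId": "owner@example.com.au", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2021-06-14T02:13:40", "Operation": "New-InboxRule",
     "UserId": "owner@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Receipts"},
                    {"Name": "SubjectContainsWords", "Value": "receipt"},
                    {"Name": "MoveToFolder", "Value": "Receipts"}]},
    {"CreationTime": "2021-06-14T02:15:02", "Operation": "New-InboxRule",
     "UserId": "owner@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "invoice;payment;remittance"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "ForwardTo",
                     "Value": "accounts.receivable@example-mail.net"}]},
    {"CreationTime": "2021-06-14T02:16:30", "Operation": "Set-InboxRule",
     "UserId": "owner@example.com.au",
     "Parameters": [{"Name": "Identity", "Value": "Receipts"},
                    {"Name": "BodyContainsWords", "Value": "bank account details"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['user']} rule {f['rule']!r}: {'; '.join(f['reasons'])}")
```

The rule named "." in the sample is the tell: attackers pick names that are hard to spot in the rules list. Run this against an export of your audit log, and treat any Set-InboxRule that modifies a rule you did not create the same way as a new one.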