Monthly Archives: October 2016

The Russian national arrested earlier this month by Czech police has been charged in the United States for hacking into the systems of LinkedIn, Dropbox and Formspring.

Yevgeniy Aleksandrovich Nikulin, 29, of Moscow, Russia, was arrested by Czech authorities on October 5, but news of the arrest only came to light last week.

While initially some believed that the arrest was related to cyberattacks supposedly launched by the Russian government against political organizations in the United States, LinkedIn revealed that the law enforcement operation, carried out in cooperation with the FBI, was actually linked to the breach suffered by the social media company in 2012.

The U.S. Department of Justice announced on Friday that Nikulin had been charged by a federal grand jury in Oakland, California, with nine counts related to obtaining information from computers, causing damage to computers, trafficking in access devices, aggravated identity theft and conspiracy.

Authorities said Nikulin is believed to be behind not only the LinkedIn breach, but also the 2012 attacks on Dropbox and Formspring.

The Dropbox hack, carried out after an employee’s credentials were stolen, affected more than 68 million accounts, but the full extent of the incident only came to light recently. As for the social Q&A site Formspring, hackers leaked 420,000 hashed passwords back in 2012, which triggered a password reset on all user accounts.

According to the DoJ, LinkedIn and Formspring were also breached after hackers obtained employee credentials. Authorities said Nikulin conspired with others to sell the information stolen from Formspring.

Nikulin is currently in custody in the Czech Republic and the United States hopes to convince Czech authorities to approve his extradition. On the other hand, Moscow insists that the man be handed over to Russia.

Related: Moscow Confirms Ministry Website Attack After U.S. Hacker Claim

Related: 50 Hackers Using Lurk Banking Trojan Arrested in Russia

Related: US Jury Convicts Russian MP's Son for Hacking Scheme

SecurityWeek RSS Feed

ICS Cyber Security Conference

Admiral Michael Rogers, Director of the U.S. National Security Agency (NSA) and Commander, U.S. Cyber Command to Keynote SecurityWeek's 2016 ICS Cyber Security Conference on Oct. 25

Security professionals from various industries will gather next week at the 2016 edition of SecurityWeek’s ICS Cyber Security Conference, the longest-running event of its kind. The conference takes place on October 24-27 at the Georgia Tech Hotel & Conference Center in Atlanta, Georgia.

SecurityWeek is honored to host Admiral Michael S. Rogers, Director of the U.S. National Security Agency (NSA) and Commander, U.S. Cyber Command, as our keynote speaker.

The event kicks off on Monday with a series of open and advanced workshops focusing on operational technology (OT), critical infrastructure, SCADA systems, and management. Participants will have the opportunity to learn not only how an organization can be protected against attacks, but also how attackers think and operate when targeting control systems.

Following his keynote on Tuesday, Admiral Rogers will take part in a conversation and questions session with SecurityWeek's Mike Lennon and conference attendees.

On the same day, Yokogawa’s Jeff Melrose will detail drone attacks on industrial sites, and ICS cybersecurity expert Mille Gandelsman will disclose new vulnerabilities in popular SCADA systems.

In addition to an attack demo targeting a Schweitzer SEL-751A feeder protection relay, the day will feature several focused breakout sessions and a panel discussion on risk management and insurance implications.

The third day of the event includes presentations on PLC vulnerabilities, attacks against air-gapped systems, cyberattack readiness exercises, and management issues.

Also on Wednesday, ExxonMobil Chief Engineer Don Bartusiak will detail the company’s initiative to build a next-generation process control architecture. Breakout sessions will focus on risk management, incident response, safety and cybersecurity programs, emerging technologies, and the benefits of outside cybersecurity services in the automation industry.

On the last day of the ICS Cyber Security Conference, attendees will have the opportunity to learn about the implications of the Ukrainian energy hack on the U.S. grid, practical attacks on the oil and gas industries, and how technologies designed for video game development and engineering can be used to simulate cyberattacks and evaluate their impact.

Speakers will also detail the status of ICS in developing countries, the need for physical security, the implications associated with the use of cloud technologies in industrial environments, and the implementation of a publicly accessible database covering critical infrastructure incidents. 

Produced by SecurityWeek, the ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.


*Additional reporting by Ed Kovacs


For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.

SecurityWeek RSS Feed

AirLink cellular gateway devices by Sierra Wireless are being infected by the infamous Mirai malware.


Sierra Wireless AirLink models LS300, GX400, GX/ES440, GX/ES450, and RV50 are listed as vulnerable.

“The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” the company noted in a security advisory.

“Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets.”

ICS-CERT pointed out that the malware does not exploit a software or hardware vulnerability in the gateway devices.

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices,” they explained, and added that with the recent release of the Mirai source code on the Internet, more IoT botnets are likely to be created.

Sierra Wireless has advised administrators of these devices to reboot the gateway to eliminate the malware (it resides in memory, so it will be automatically deleted), then immediately change the ACEmanager password to a unique, strong (complex and long) one.

Other attack mitigation options, such as disabling remote access on the devices and IP whitelisting, have been noted.

Help Net Security

Honeypots provide the best way I know of to detect attackers or unauthorized snoopers inside or outside your organization.

For decades I've wondered why honeypots weren't taking off, but they finally seem to be reaching critical mass. I help a growing number of companies implement their first serious honeypots -- and the number of vendors offering honeypot products, such as Canary or KFSensor, continues to grow.


If you're considering a honeypot deployment, here are 10 decisions you'll have to make.

1. What's the intent?

Honeypots are typically used for two primary reasons: early warning or forensic analysis. I'm a huge proponent of early-warning honeypots, where you set up one or more fake systems that would immediately indicate maliciousness if even slightly probed.

Early-warning honeypots are great at catching hackers and malware that other systems have missed. Why? Because the honeypot systems are fake -- and any single connection attempt or probe (after filtering out the normal broadcasts and other legitimate traffic) means malicious action is afoot.

The other major reason companies deploy honeypots is to help analyze malware (especially zero days) or help determine the intent of hackers.

In general, early-warning honeypots are much easier to set up and maintain than forensic analysis honeypots. With an early-warning honeypot, when you detect a probe or connection attempt, the mere connection attempt gives you the information you need, and you can follow the probe back to its origination to begin your next defense.

Forensic analysis honeypots, which can capture and isolate the malware or hacker tools, are merely the beginning of a very comprehensive analysis chain. I tell my customers to plan on allocating several days to several weeks for each analysis performed using a honeypot.

2. What to honeypot?

What your honeypots mimic is usually driven by what you think can best detect hackers earliest or best protect your "crown jewel" assets. Most honeypots mimic application servers, database servers, web servers, and credential databases such as domain controllers.

You can deploy one honeypot that mimics every advertised port and service in your environment, or deploy several, with each one dedicated to mimicking a particular server type. Sometimes honeypots are used to mimic network devices, such as Cisco routers, wireless hubs, or security equipment. Whatever you think hackers or malware are most likely to attack is what your honeypots should emulate.

3. What interaction level?

Honeypots are classified as low, medium, or high interaction. Low-interaction honeypots only emulate listening UDP or TCP ports at their most basic level, which a port scanner might detect. But they don't allow full connections or logons. Low-interaction honeypots are great for providing early warnings of malicious behavior.

Medium-interaction honeypots offer a little bit more emulation, usually allowing a connection or logon attempt to appear successful. They may even contain basic file structures and content that could be used to fool an attacker. High-interaction honeypots usually offer complete or nearly complete copies of the servers they emulate. They're useful for forensic analysis because they often trick the hackers and malware into revealing more of their tricks.

4. Where should you place the honeypot?

In my opinion, most honeypots should be placed near the assets they are attempting to mimic. If you have a SQL server honeypot, place it in the same datacenter or IP address space where your real SQL servers live. Some honeypot enthusiasts like to place their honeypots in the DMZ, so they can receive an early warning if hackers or malware get loose in that security domain. If you have a global company, place your honeypots around the world. I even have customers who place honeypots that mimic the CEO's or other high-level C-level employees' laptops to detect if a hacker is trying to compromise those systems.

5. A real system or emulation software?

Most honeypots I deploy are fully running systems containing real operating systems -- usually old computers ready for retirement. Real systems are great for honeypots because attackers can't easily tell they're honeypots.

I also install a lot of honeypot emulation software; my longtime favorite is KFSensor. The good ones, like KFSensor, are almost "next, next, next" installs, and they often have built-in signature detection and monitoring. If you want low-risk, quick installs, and lots of features, honeypot emulation software can't be beat.

6. Open source or commercial?

There are dozens of honeypot software programs, but very few of them are supported or actively updated a year after their release. This is true for both commercial and open source software. If you find a honeypot product that's updated for longer than a year or so, you've found a gem.

Commercial products, whether new or old, are usually easier to install and use. Open source products, like Honeyd (one of the most popular programs) are usually much harder to install, but often far more configurable. Honeyd, for example, can emulate nearly 100 different operating systems and devices, down to the subversion level (Windows XP SP1 versus SP2 and so on), and it can be integrated with hundreds of other open source programs to add features.

7. Which honeypot product?

As you can tell, I'm partial to commercial products for their feature sets, ease of use, and support. In particular, I'm a fan of KFSensor. If you choose an open source product, Honeyd is great, but possibly overly complex for the first-time honeypot user. Several honeypot-related websites, such as, aggregate hundreds of honeypot articles and link to honeypot software sites.

8. Who should administer the honeypot?

Honeypots are not set-it-and-forget-it solutions -- quite the opposite. You need at least one person (if not more) to take ownership of the honeypot. That person must plan, install, configure, update, and monitor the honeypot. If you don't appoint at least one honeypot administrator, it will become neglected, useless, and at worst, a jumping-off spot for hackers.

9. How will you refresh the data?

If you deploy a high-interaction honeypot, it will need data and content to make it look real. A one-time copy of data from somewhere else isn't enough; you need to keep the content fresh.

Decide how often to update it and by what method. One of my favorite methods is to use a freely available copy program or the built-in copy commands to replicate nonprivate data from another server of a similar type -- and initiate the copy every day using a scheduled task or cron job. Sometimes I'll rename the data during the copy so that it appears more top secret than it really is.

10. Which monitoring and alerting tools should you use?

A honeypot isn't of any value unless you enable monitoring for malicious activity -- and set up alerts when threat events occur. Generally, you'll want to use whatever methods and tools your organization routinely uses for this. But be warned: Deciding what to monitor and alert on is often the most time-consuming part of any honeypot planning cycle.
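As an added example covering points 1, 3 and 10 above (it is not code from the column, nor from KFSensor or Honeyd), here is a minimal early-warning, low-interaction TCP honeypot: it accepts a connection on a port nothing legitimate should use, sends a constructed banner, drops the connection, and records the probe. Any source not on a small allowlist of your own scanners is an alert, emitted as one JSON line for whatever alerting pipeline you already use; the allowlist range is a hypothetical value.

```python
import ipaddress
import json
import socket
import threading
import time
from dataclasses import dataclass, asdict
from typing import Iterable, List

# Hypothetical: your own vulnerability scanners / monitoring hosts, whose probes
# are the "normal traffic" that must be filtered out before anything is an alert.
DEFAULT_ALLOWLIST = ("10.10.0.0/16",)


@dataclass
class HoneypotEvent:
    ts: float
    src_ip: str
    src_port: int
    dst_port: int
    severity: str  # "alert" for unknown sources, "ignore" for allowlisted ones


def classify(src_ip: str, allowlist: Iterable[str]) -> str:
    """Allowlisted sources are expected noise; every other touch is an alert."""
    addr = ipaddress.ip_address(src_ip)
    for cidr in allowlist:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return "ignore"
    return "alert"


class Honeypot:
    # Listens on one TCP port; port=0 lets the OS pick a free port (handy for tests).
    def __init__(self, port: int = 0, bind_ip: str = "127.0.0.1",
                 allowlist: Iterable[str] = DEFAULT_ALLOWLIST,
                 banner: bytes = b"SSH-2.0-OpenSSH_7.2\r\n"):
        self.allowlist = tuple(allowlist)
        self.banner = banner  # constructed banner so the port looks like a live service
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_ip, port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "Honeypot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=3)
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(self.banner)  # low interaction: banner, then drop
                except OSError:
                    pass
            ev = HoneypotEvent(time.time(), ip, sport, self.port,
                               classify(ip, self.allowlist))
            with self._lock:
                self.events.append(ev)
            if ev.severity == "alert":
                print(json.dumps(asdict(ev)))  # one JSON line per probe, for the SIEM

    def alerts(self) -> List[HoneypotEvent]:
        with self._lock:
            return [e for e in self.events if e.severity == "alert"]

    def wait_for_events(self, n: int, timeout: float = 3.0) -> bool:
        """Block until at least n probes have been recorded."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.02)
        return False


def probe(port: int, host: str = "127.0.0.1") -> bytes:
    """Behave like a scanner: connect, read the banner, disconnect."""
    with socket.create_connection((host, port), timeout=2) as s:
        return s.recv(64)
```

To run it for real, construct `Honeypot(port=2222, bind_ip="0.0.0.0").start()` on a box that has no SSH on that port and feed its stdout to your log collector; every line it prints is a host that had no business touching it.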

InfoWorld Security Adviser

This Tuesday’s update addresses 49 vulnerabilities within 10 security bulletins, five of which are rated critical, and four of them are zero-day flaws.

Following the start of the announced changes to the way patches are delivered on Patch Tuesday, which we covered in yesterday’s blog post, Microsoft has released the security bulletins for October 2016. Affected products include Edge, Internet Explorer, Office, Windows, Skype for Business, and of course Adobe Flash Player, and most of the critical updates are for remote code execution issues.

MS16-118 (KB 3192887) This is a cumulative security update for Internet Explorer fixing issues which could allow remote code execution if a user views a specially crafted webpage using IE9, 10 or 11, giving the attacker the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by correcting how Internet Explorer handles objects in memory and namespace boundaries.

MS16-119 (KB 3192890) This is a cumulative security update similar to the previous one, this time for the Edge browser, resolving remote code execution issues on Windows 10-based computers using Edge as the primary browser.

The patch modifies how Microsoft Edge and certain functions, like the Chakra JavaScript scripting engine, handle objects in memory, and restricts what information is returned to Microsoft Edge. It also changes the way Microsoft Browsers store credentials in memory and handle namespace boundaries, and corrects how Microsoft Edge Content Security Policy validates documents.

MS16-120 (KB 3192884) Yet another critical fix for remote code execution, but this time for the Microsoft Graphics Component, and it resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.

This update is rated critical for all supported Windows versions, Office 2007 and 2010, Lync/Skype for Business 2010, 2013 and 2016, .NET Framework and Silverlight, and it addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.

Since it affects Windows operating systems from Vista SP2 and Server 2008 SP2 through Windows 10, including Windows RT 8.1, and covers seven vulnerabilities with CVE identifiers, this patch should not be taken lightly. Also, this is the only zero-day vulnerability in this batch for which exploits had already been registered.

MS16-122 (KB 3195360) This vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. Of course, if the user is logged on with administrative user rights, an attacker could take control of the affected system.

This security update is rated Critical for Windows Vista, 7, 8.1, RT 8.1, and Windows 10, and it fixes the vulnerability by correcting how Microsoft Video Control handles objects in memory.

MS16-127 (KB 3194343) And, as usual, this Patch Tuesday brought another update for Adobe Flash Player. It updates the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge, on all supported editions of Windows 8.1, RT 8.1, 10, and on Windows Server 2012 and 2012 R2.

The patch covers a set of 13 CVE vulnerabilities, described in Adobe Security Bulletin APSB16-32, and there are several known workarounds and mitigation actions for these issues. Apart from blocking Adobe Flash Player completely, of course.

MS16-121 (KB 3194063) This update resolves an Office RTF remote code execution vulnerability which exists in Microsoft Office, when the Office software fails to properly handle RTF files. It affects Office 2007, 2010, 2013 (including the RT version), 2016, Office for Mac 2011 and 2016, and some other Office apps and services, such as SharePoint Server 2010 and 2013.

An attacker who would successfully exploit this memory corruption vulnerability could run arbitrary code as the current user, and the update fixes the issue by changing the way Microsoft Office apps handle RTF content.

MS16-123 (KB 3192892) This security update resolves several vulnerabilities in various editions of Microsoft Windows, from Vista to 10 and Servers 2008 and 2012, where the more severe ones could allow elevation of privilege of an attacker.

Microsoft has not identified any mitigating factors or workarounds for these five CVE vulnerabilities, and this security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-124 (KB 3193227) Like the previous one, this update fixes a vulnerability that allows attackers to perform unauthorized privilege elevation and gain access to registry information, and corrects it by changing how the kernel API restricts access to this information.

It applies to variants of Microsoft operating systems from Windows Vista SP2 to Windows 10, and addresses four known CVE vulnerabilities, all marked as important.

MS16-125 (KB 3193229) This security update is rated Important for all supported editions of Windows 10, and resolves a vulnerability which could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses this vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

MS16-126 (KB 3196067) The last update in today’s batch is marked as Moderate, and addresses an information disclosure vulnerability, when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploits this vulnerability could test for the presence of files on disk, but for an attack to be successful an attacker must persuade a user to open a malicious website.

The security update affects Windows Vista, 7, Server 2008 and 2008 R2, and is rated moderate on client and low on server operating systems. Also, note that you must install two updates to be protected from this vulnerability: this one, and the update in MS16-118.

You will find more details about all the updates listed above in the Security Bulletin Summary for October 2016.


GFI Blog

The 2016 Open Source Jobs Report released earlier this year by Dice and The Linux Foundation analyzed trends for open source careers and the motivations of professionals in the industry. Now, the data have been broken down to focus specifically on European open source professionals, and how they compare to their counterparts around the world.


This is the fifth year Dice and The Linux Foundation have partnered to produce the jobs report. The four previous years’ research focused exclusively on the job market for Linux professionals, but this year’s installment looks at the broader category of open source professionals. Overall trends between Europe and the world are generally similar, but show that open source careers may be even more in demand and rewarding in Europe than the rest of the world.

“Demand for open source talent is growing and companies struggle to find experienced professionals to fill open roles,” said Bob Melk, president of Dice. “Rising salaries for open source professionals indicate companies recognize the need to attract, recruit and retain qualified open source professionals on a global scale. Regardless of where they reside around the world, these professionals are motivated by the opportunity to work on interesting projects.”

European confidence is high

Europeans are more confident than their global counterparts in the open source job market. Of over one thousand European respondents, 60 percent believe it would be fairly or very easy to find a new position this year, as opposed to only 50 percent saying it would be easy globally.

In fact, 50 percent of Europeans reported receiving more than 10 calls from recruiters in the six months prior to the survey, while only 22 percent of respondents worldwide reported this level of engagement. While worldwide 27 percent of respondents received no calls at all from recruiters, only five percent of Europeans said the same.

The most in-demand skills

Application development skills are in high demand in Europe. Twenty-three percent of European open source professionals reported application development as the most in-demand skill in open source – higher than any other skill. Globally, only 11 percent identified application development as the most in-demand skill, second behind DevOps at 13 percent. DevOps was second among Europeans at 12 percent.

Retaining staff

Employers in Europe are offering more incentives to hold onto staff. Forty percent of European open source professionals report that in the past year they have received a raise, 27 percent report improved work-life balance, and 24 percent report more flexible schedules.

This compares to 31 percent globally reporting raises, and 20 percent globally reporting either a better work-life balance or more flexible work schedules. Overall, only 26 percent of Europeans stated their employer had offered them no new incentives this year, compared to 33 percent globally.

What differentiates open source jobs?

Open source professionals enjoy working on interesting projects more than anything. European open source professionals agreed with their global counterparts that the best thing about working in open source is the ability to work on interesting projects, at 34 percent (31 percent globally). However, while respondents around the world said the next best things were working with cutting-edge technology (18 percent) and collaboration with a global community (17 percent), European professionals selected job opportunities second at 17 percent, followed by both cutting-edge technologies and collaboration tied at 16 percent each. Five percent of European respondents said money and perks are the best part of their job, more than double the two percent who chose this response worldwide.

“European technology professionals, government organizations and corporations have long embraced open source,” said Jim Zemlin, executive director at The Linux Foundation. “The impressive levels of adoption of and respect for open source clearly have translated into more demand for qualified open source professionals, providing strong opportunities for developers, DevOps professionals and others.”

The findings of the annual Open Source Jobs Report are based on survey responses from more than 4,500 open source professionals worldwide, including 1,082 in Europe.

Help Net Security

Two teenagers suspected of being members of the Lizard Squad and PoodleCorp hacking groups were arrested last month by law enforcement authorities in the United States and the Netherlands.

Zachary Buchta, of Fallston, Maryland, and Bradley Jan Willem van Rooy, of Leiden, the Netherlands, have been charged with conspiracy to cause damage to protected computers, which carries a maximum sentence of ten years in prison.

The suspects, both aged 19, have been accused by U.S. authorities of operating a service that allowed users to launch distributed denial-of-service (DDoS) attacks. They are also suspected of trafficking payment card information stolen from thousands of individuals.

The Lizard Squad and PoodleCorp are best known for massive DDoS attacks that disrupted the servers of several gaming companies, including the PlayStation Network, Xbox Live, EA and Blizzard. The Lizard Squad is also known for hacking the websites of companies such as Lenovo, Malaysia Airlines and Cox.

According to the Department of Justice, Buchta used the online monikers [email protected],” “pein,” “xotehpoodle” and “lizard,” while van Rooy used the nicknames “Uchiha,” [email protected],” “dragon” and “fox.”

The FBI’s complaint also mentions two other individuals associated with Lizard Squad and PoodleCorp. They have not been named, but they use the online monikers “Chippyshell” and “AppleJ4ck.”

The complaint also shows that Buchta was linked by investigators to the @fbiarelosers account, which had discussed the DDoS attacks in private conversations with other members of LizardSquad, based on messages sent via Twitter. Records obtained by investigators from Twitter, AT&T and Sprint linked the Twitter account to a phone number associated with Buchta’s residence.

Records from Comcast showed that his IP often connected to an overseas VPN service that had been used to access the @fbiarelosers account and the websites operated by Lizard Squad and PoodleCorp. The FBI determined that Buchta’s Comcast account had accessed the @fbiarelosers account at the exact time when it had been used to discuss DDoS attacks.

Van Rooy, who is currently in custody in the Netherlands, did not even bother to hide his real IP address, which he used to access @UchihaLS and other Twitter accounts associated with the Lizard Squad. Subscriber records allowed law enforcement to link the IP to a residence in Leiden.

In private conversations with other Twitter users, @UchihaLS said he lived above a police station and claimed that even if they could trace him, they would simply “think it as a hoax.” These messages and a photograph shared by @UchihaLS linked van Rooy to the account.

Last year, police in the UK questioned at least two individuals suspected of being involved with the Lizard Squad, but so far there is no news of a conviction. A teen in Finland, also suspected of being a member of the group, was convicted last year on fraud and harassment charges, but he only received a suspended sentence.

Authorities in the UK also arrested six individuals accused of using the Lizard Squad’s LizardStresser DDoS service.

Related: UK Crime Agency Website Downed by Hackers as Revenge

SecurityWeek RSS Feed

Mac malware could piggy-back on your legitimate webcam sessions - yep, the ones you've initiated - to locally record you without detection, a leading security researcher warns.

Patrick Wardle, a former NSA staffer who heads up research at infosec biz Synack, outlined the vulnerability together with counter-measures he’s developed during a keynote presentation at the Virus Bulletin conference. Peeping Tom-style malware that abuses the video capabilities of an infected computer to record an unwitting user is a threat to both Windows and Mac users. Mac malware such as Eleanor, Crisis, Mokes and others all attempt to spy on Mac OS X users via their webcam.

Luckily, modern Macs contain a hardware-based LED indicator that can alert users when the camera is in use. And physically covering the built-in camera - a la Mark Zuckerberg - also provides a low-tech approach to locking out snoopers, with the downside that it also prevents legitimate use.

Wardle has uncovered a fresh dimension to the problem. After examining various "webcam-aware" OS X malware samples, Wardle identified a new "capability" that would permit this type of malware to stealthily monitor the system for legitimate user-initiated video sessions before surreptitiously piggybacking on these conversations in order to covertly record the user. Because there are no visible indications of this malicious activity (the LED light is already on), the malware can record both audio and video without fear of detection.

During his presentation, titled Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings, Wardle outlined the threat together with techniques geared towards detecting "secondary" processes that attempt to access an existing video session on OS X.

“I have not seen any malware using this technique at this time [but] this is something that would be trivial for malware to do, and there aren’t any tools to detect this capability,” Wardle explained, adding there “may be malware already (ab)using this technique that we just haven’t detected”.

Malware along the lines Wardle discussed would be able to record both sides of a conversation once it detects the webcam being used.

Wardle has released a free tool, OverSight, that he says can detect and identify any process that accesses the webcam before giving users the ability to either block or allow that process. All these notifications/alerts are logged, so a system admin (say on a corporate network) could also retroactively look through the logs to see what was using the webcam. ®


The Register - Security

An American who worked at the same intelligence contractor as NSA whistleblower Edward Snowden has been charged with the theft of classified documents.

Harold Martin, 51, of Glen Burnie, Maryland, was arrested in late August after the FBI raided his house and storage shed, allegedly finding a number of top secret documents he had taken home without permission.

It is believed the files included source code for exploiting software vulnerabilities to hijack systems used by Russia, China, Iran and North Korea.

"These documents were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues," US prosecutors said on Wednesday.

"The disclosure of the documents would reveal those sensitive sources, methods, and capabilities."

US Department of Justice lawyers said in an unsealed court document that Martin had been granted top secret security clearance through his work as a private contractor with the government. Specifically, Martin was employed by military contractor Booz Allen Hamilton when he was cuffed by the Feds – the same outfit Snowden worked for when he took off to Hong Kong with a clutch of super top-secret NSA files in 2013.

In a statement today, Booz Allen said it has fired Martin and offered its "total cooperation" to investigators. Curiously, Martin's home has been scrubbed from Google Street View.

We're told Martin took home with him printed and digital documents, at least six of which were designated as top secret by Uncle Sam. The DoJ noted that Martin cooperated with g-men when they turned up at his home to search it for the missing material.

While the DoJ is not providing details on the documents themselves, the filing notes that the dossiers contain intelligence gathered in 2014 and "were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues."

"The documents have been reviewed by an original classification authority of the government and, in each instance, the authority has determined that the documents are currently and properly classified at the TOP SECRET level, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security of the United States," the filing reads.

The filing does not disclose what Martin is said to have planned to do with the stolen documents – it is suggested he allegedly made an operational security blunder rather than seek to leak the contents of the blueprints. If convicted, he could face more than a decade behind bars.

The US government has hit Martin with charges of theft of government property, carrying a maximum of 10 years in prison, and unauthorized removal and retention of classified materials, which carries a maximum of one year in prison.

"Hal Martin loves his family and his country. There is no evidence that he intended to betray his country," lawyers for Martin said on Wednesday. ®


The Register - Security