Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security

Nigerian Man Charged in Hacking of Los Angeles County Emails (theguardian.com) 44

Posted by msmash from the mere-hacking dept.
A 'mere' 10.8% phishing success rate has forced Los Angeles County to notify approximately 756,000 individuals that their personal information may have been compromised. The attack occurred on May 13, 2016 when 1,000 County employees received phishing emails. 108 employees were successfully phished. A Nigerian national has been charged in connection with the hack. From a report on The Guardian: Many large organizations would welcome a 10% success rate in their internal anti-phishing training sessions, with 30% and above being common. The 2016 Verizon DBIR suggests that 30% of all phishing emails are opened. The high number of individuals affected from a relatively low number of successes in LA County demonstrates how dangerous phishing attacks can be. The nature of the potentially compromised information is also concerning. "That information may have included first and last names, dates of birth, Social Security numbers, driver's license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history, or medical record numbers," said the County of Los Angeles Chief Executive Office in a statement.
This discussion has been archived. No new comments can be posted.

Nigerian Man Charged in Hacking of Los Angeles County Emails More

Nigerian Man Charged in Hacking of Los Angeles County Emails

Comments Filter:

  • Must be Russian (Score:3, Funny)

    by Oswald McWeany ( 2428506 ) on Monday December 19, 2016 @02:48PM (#53515393)

    A Nigerian man caught hacking?

    He must be Russian.

    • I always considered the "Nigerian Prince" thing to be a complete joke; for the spammers can claim to be anybody from any country such that the Nigerian connection here sounds dodgy.

      What's next, the butler actually did it?

    • Which would explain, why Hillary Clinton [aim.org] got 4 million votes more in California, than Trump...

  • Prince? (Score:2, Funny)

    by Anonymous Coward

    I bet it was a Nigerian prince they caught.

  • So what about the county's responsibility. (Score:3)

    by Brigadier ( 12956 ) on Monday December 19, 2016 @02:58PM (#53515463)

    So big hurrah for LA Counties judicial system. I am frustrated however that no entity be it private corporate, or municipality has simply said protection of our information shall come first. This thought that let's just contract with (insert name provider, likely Microsoft) for an off the shelf solution which clearly isn't secure is absurd. Now I am also not saying some municipality pay a contractor to custom design a system, we know which way that will go (see link).

    DWP billing system errors add $245 million to uncollected debt
    http://www.latimes.com/local/c... [latimes.com]

    Am I the only one who thinks all 'secure' networks should be on a isolated protocol e.g. email be only text with no public network dependent information. user systems with no access to the internet, and no user level login on public devices including your phone.

    The price being paid for the convenience of looking up bread pudding recipes from your work station (or ranting on /. for that matter) is simply too high. Just a thought.

    • Re: (Score:1)

      by mmell ( 832646 )
      You're right - the county should ensure that its employees can make only the most minimal use of the web, and only for the specific purpose of performing their work related duties. Laptops should not be issued and their use prohibited, and the use of personal mobile equipment (including smart phones) should be absolutely banned. Also, all county employees should be required to obtain a Bachelor's degree in Information Processing within two years of being hired, regardless of their capacity within county g

    • My experience with similar orgs is that the executives want instant connectivity, even when at home or at "important" conferences (cough cough). The executives out-rank most IT security personnel, and thus if they want risky toys/access, they get risky toys/access.

      County government is very rank-sensitive. Logic is secondary to rank. Powerful idiots are dangerous.

    • Am I the only one who thinks all 'secure' networks should be on a isolated protocol e.g. email be only text with no public network dependent information. user systems with no access to the internet, and no user level login on public devices including your phone.

      That only moves the bar slightly. Information still needs to get in and out. If it's not done via the internet, then it'll be network shares, USB Flash drives, or similar, and that's where the malware will develop. The data it collects will eventu

      • On the contrary, my issue is with the client not the protocol. A good client will sterilize any links or downloads and present the information in text only format. File transfers will get handled similar to google approach (need to confirm) but the file is scanned server side then made available via a server link which cannot extend to the internet. Lastly user stations have no access to the internet, likewise any systems which phone home are identified immediately and shut down.

  • Anti-Phishing Training (Score:5, Interesting)

    by Anonymous Coward on Monday December 19, 2016 @03:12PM (#53515583)

    My company HR sent notice of required anti-phishing email training.

    - The email came from someone I never heard of.

    - It contained a link to an external website.

    - And the external website required we log in with our domain credentials.

    I ignored the notices for weeks until my boss came to my desk and made me do it. Just unbelievable.

    • At a previous employer, HR did some actual benefits mailing from a third party I'd never heard of... a domain with a wacky name like "12monkeys.com". (That wasn't the name, I don't think, but it was something like that.) I think the domain's whois was even privacy protected. I sounded the "We are being phished!" alarm with IT. HR was kind of put out, but my boss approved of my actions.

      • I had similar (and I think 12 monkeys *might* be right...)
        I added the domain to our blacklist within a minute of getting the e-mail. Chaos and hilarity ensued.

        I regret nothing.
        -nB

    • Re: (Score:2)

      by Tablizer ( 95088 )

      I had the opposite happen to me once.

      As the webmaster, I got a vague notice something like, "To whom it may concern, please remove item X from your commerce site. The site in question is not authorized to sell X. Contact us at [phone and email] immediately to resolve this!"

      I dismissed it as spam/phishing because it had no specifics. It was like a form-letter (generic template). It didn't mention or our site URL nor identify the page and date spotted.

      A few weeks later some angry lawyers called our org and co

    • Re: (Score:2)

      by PPH ( 736903 )

      Just wait until someone with a security clearance is contacted by an alleged outside contractor [slashdot.org] doing an "investigation". The f[censored]ing FBI can't even keep people from running around with fake badges, claiming to be agents.

    • My company HR sent notice of required anti-phishing email training.

      - The email came from someone I never heard of.

      - It contained a link to an external website.

      - And the external website required we log in with our domain credentials.

      I ignored the notices for weeks until my boss came to my desk and made me do it. Just unbelievable.

      Been there, done that. As you say, just unbelievable.

    • Re: (Score:2)

      by antdude ( 79039 )

      I see this with huge security companies too. Others and I facepalmed to mention this. :(

  • So the Nigerians have progressed from advanced fee fraud to phishing? Well,they must be getting better because it is usually clear to me when an email is sent that is not legitimate. The email is rife with spelling and grammar errors and even word misuse.

  • Set up a rule for external email? (Score:3)

    by bev_tech_rob ( 313485 ) on Monday December 19, 2016 @04:25PM (#53516085)

    Our company set up our mail system to insert this line into ANY incoming external email. Has helped us a LOT with reducing the impact of phishing emails...along with filtering known phishing domains......

    >>Attention: This email was sent from someone outside of [your company name here]. Always use caution when opening attachments or clicking links from unknown senders or when receiving unexpected emails.

    • Not a bad suggestion, thanks.

      We do phishing audits here 2-3 times a year. We always get a click through of between 7 - 25% no matter how much training we do.

      Of course, when we devise our tests, we try to be as sneaky as the bad guys are likely to be while still providing enough tells to make it identifiable as a phishing e-mail.

      Our most recent effort is in mitigation since we are probably never going to get to 0% click through.

      We have been using OpenDNS for a while to help with that. We utilize L7 rules to

  • As an LAC employee, I cannot believe the hit this has taken. I got the email and dumped it, Still, I'm waiting on the $10,000 inheritance check from the former deposed Nigerian prince. I only had to submit my credit card.
  • Prince

Slashdot Top Deals

So you think that money is the root of all evil. Have you ever asked what is the root of money? -- Ayn Rand

Close