Advanced Security Analytics

I recently attended the Business for Breakfast seminar, held in Geneva and co-hosted by Kudelski Security and RSA around the theme Advanced Security Analytics. In this blog post I am going to summarize the two talks that I particularly enjoyed, as the atmosphere lent itself to it: Business for Breakfast!

First of all, I want to describe the context, to better understand the interest of both companies in hosting this conference. On March 2, 2016, RSA, The Security Division of EMC, and Kudelski Security, the cybersecurity division of the Kudelski Group, announced that Kudelski Security is now a leading provider of RSA products and services. Through the agreement, RSA provides Kudelski Security with fully managed security and critical incident response services, leveraging RSA’s advanced, intelligence-driven Security Operations Center (SOC) capabilities to accelerate the detection, investigation, remediation, and management of security incidents and vulnerabilities, with the ability to build services around proven advanced security operations solutions including RSA Security Analytics, the RSA® Critical Incident Response Solution, the RSA® Security Operations Management solution, RSA ECAT software, and the RSA® Advanced Cyber Defense Practice.

To return to the seminar, the first presentation was given by Robert Griffin, Chief Security Architect at RSA. He explained how to move forward using advanced security operations such as intelligence-driven security, and how organizations can use it, including big data analysis, to embrace opportunity, improve security and reduce risk. Mr Griffin argued that RSA is about delivering a trusted world by applying RSA’s intelligence-driven strategy. The following slides help to understand how and why RSA came to this strategy.

  • Evolving IT infrastructure: we can’t keep applying traditional security defenses to the third-platform IT infrastructure.
  • The changing threat landscape: the new threats are increasingly strong and challenge traditional security defenses and technologies.
  • Intrusion Kill Chain: this model is a novel way to deal with intrusions by moving from the traditional reactive approach to a more proactive one, based on intelligence gathered through indicators observed throughout the phases. Normally the incident response process starts after the exploit phase, putting defenders at a disadvantage. With this method, defenders should be able to move their actions and analysis up the kill chain and interfere with the attacker’s actions.
  • Solution: Intelligence Driven Security. The challenge here is to manage risk by monitoring this cycle: Visibility, Analytics and Action. Continuous monitoring, correlating risk signals and indicators.
  • Benefit of this solution: with real-time intelligence, organizations can dynamically manage cyber threats.

The second part of the seminar was presented by Olivier Spielmann, Head of the Cyber Fusion Center at Kudelski Security. He demonstrated how Kudelski Security leveraged RSA analytics to build an advanced SOC and a multi-tenant security monitoring service.

src: Kudelski Security, RSA


KeRanger: First Ransomware to infect Mac Computers


If you are a Mac user like me who loves to download torrents via the Transmission software, then you will have received this warning message when opening Transmission!

KeRanger ?

KeRanger is a ransomware  that aims to encrypt the hard drive of the users and then ask them for money to decrypt it. If they do not pay, their data will be lost.

KeRanger emerged with the application Transmission, the most popular client for downloading torrents on Mac. Version 2.90 was infected with the ransomware, and some users have been affected without knowing it.

Users likely to be victims of KeRanger are those who downloaded version 2.90 of the Transmission software on the 4th or 5th of March.

Three days after infection is when KeRanger strikes and demands a ransom from the user, encrypting the files on the computer to bar access to them.

Once installed, KeRanger will search for approximately 300 different file types and encrypt any it finds. The malware will then display a ransom message, demanding that the victim pay 1 Bitcoin (approximately US$408). Payment is made using a website on the anonymous Tor network .

Apple announced that it is aware of the ransomware and has already revoked the legitimate developer certificate that allowed the installation of KeRanger on Mac.

How to know if you are infected?

Open a Terminal or use the Finder to search for the files /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf. If either is present, the Transmission application is infected and it is highly advisable to remove it.
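An added example, not from the original post nor from Apple or the Transmission project, that automates the check above: it looks for the General.rtf marker under both bundle locations named in the post and also reads the bundle version from Info.plist. Treating a 2.90 build without the marker as "suspect", and the make_sample_bundle helper that fakes a bundle for testing, are my own assumptions for the demo.

```python
import os
import plistlib
import tempfile
from typing import Dict, List, Optional

# Default bundle locations, taken from the two paths named in the post.
DEFAULT_APP_DIRS = (
    "/Applications/Transmission.app",
    "/Volumes/Transmission/Transmission.app",
)

# The Transmission build the post identifies as the trojanised one.
INFECTED_VERSION = "2.90"


def bundle_version(app_dir: str) -> Optional[str]:
    """Read CFBundleShortVersionString from the bundle's Info.plist, if any."""
    info = os.path.join(app_dir, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return None
    with open(info, "rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def check_transmission(app_dir: str) -> Dict[str, object]:
    """Report the two indicators from the post: the General.rtf marker and version 2.90."""
    marker = os.path.join(app_dir, "Contents", "Resources", "General.rtf")
    version = bundle_version(app_dir)
    return {
        "app": app_dir,
        "version": version,
        "marker_present": os.path.isfile(marker),
        "infected_build": version == INFECTED_VERSION,
    }


def verdict(report: Dict[str, object]) -> str:
    """'infected' if the marker exists; 'suspect' for a 2.90 build without it
    (assumption: a clean 2.90 exists, so the marker is the decisive sign); else 'clean'."""
    if report["marker_present"]:
        return "infected"
    if report["infected_build"]:
        return "suspect"
    return "clean"


def scan(app_dirs=DEFAULT_APP_DIRS) -> List[Dict[str, object]]:
    """Check every bundle path that actually exists on this machine."""
    return [check_transmission(d) for d in app_dirs if os.path.isdir(d)]


def make_sample_bundle(version: str, with_marker: bool) -> str:
    """Build a constructed, fake Transmission.app in a temp dir to exercise the check."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Transmission.app")
    os.makedirs(os.path.join(app, "Contents", "Resources"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    if with_marker:
        # Empty stand-in for the marker file; only its presence is checked.
        open(os.path.join(app, "Contents", "Resources", "General.rtf"), "w").close()
    return app


if __name__ == "__main__":
    # On a machine without Transmission, fall back to a constructed clean bundle.
    for r in scan() or [check_transmission(make_sample_bundle("2.84", False))]:
        print(f"{r['app']}: version {r['version']}, verdict {verdict(r)}")
```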

[Screenshots of my own Transmission installation]

These are the screenshots of my own Transmission. Since I use the Transmission 2.84 release, I am not infected. On infected computers the file General.rtf would be present between these blue lines!

Are you infected? Be sure to download version 2.92, which will remove the malware!


Cisco Champion 2016 !

 

 

You’ve probably seen this kind of tweet with the hashtag #CiscoChampion, where nominees showed their gratitude for having been elected Cisco Champion by Cisco.


Yeeaaah!!! For the second year I have been honored by Cisco to be a Cisco Champion in Security. Thank you once again, Cisco, for renewing your trust in me.

So what is a Cisco Champion?

Just be passionate about Cisco technology (and technology in general) and especially eager to share your knowledge through social networks such as Twitter, Cisco’s blog, or a blog like mine.

In addition to sharing their insights and expertise, Cisco Champions make a difference by:

  • Supporting their peers in social communities, forums, and networks
  • Sharing their relevant experiences and thoughts on Cisco blogs
  • Providing valuable feedback directly to Cisco
  • And more

Cisco Champions have a unique opportunity to contribute to and enhance the way people use the latest technologies. They also receive:

  • Recognition for their contributions
  • Invitations to exclusive events
  • Opportunities to directly communicate with Cisco employees

Benefits of being a Cisco Champion?

Benefits of the Cisco Champions program include, but are not limited to:

  • Exclusive meeting and event opportunities
  • Special access to certain technology groups and executives
  • Invitations to provide feedback to Cisco on various topics
  • Access to a private online community initiated by and for Cisco Champions
  • Sneak peeks
  • A digital Cisco Champion badge that can be used in email signatures, websites, and social networks during the membership years.

Last year I received this certificate, followed by some Cisco Champion stickers. We will probably receive the same this year …

My favorite is the badge that can be pinned to a jacket!!!

Beyond all these goodies, sharing knowledge, learning new technologies and receiving such recognition is the most important thing.

 

 

Src:  Cisco Blog 

Cyber Monday : Protection Against Online Breaches

Cyber Monday is the biggest online shopping day of the year. With Cyber Monday online shopping comes the threat of online security breaches. Unfortunately, there are more sophisticated threats that we should all beware of, as hackers have been gathering their strength and are ready to unleash their wrath. Does this mean that we are better off abstaining from all purchases? Well, with the bargains that can be found online, good luck with your efforts to do that! Here are some tips that can help you shop securely.

  • Try to use a secure payment method whenever possible. This includes Paypal, pre-paid limited use debit cards, and credit cards that are separate from your primary bank account. Using a debit card that is tied to your primary bank account is the least secure form of payment, as a security breach poses the greatest financial risk.
  • When you purchase something from a small independent business online, make sure that the checkout process is a “Secure Site”. Look for a yellow padlock in the browser bar as well as “HTTPS” at the beginning of the website address (as opposed to “HTTP” with no “S”; the “S” stands for “Secure”).
  • Make sure that your operating system and security software are up to date.
  • Don’t make online purchases while using public WiFi connections, such as restaurant or mall hotspots, because these networks are prime targets for identity thieves and hackers. Shop only from trusted wireless connections such as home and cellular networks.
  • Never send sensitive information such as passwords, bank account numbers, or credit card numbers through e-mail. This is not a secure way to send sensitive information and legitimate companies will ask you to use some form of secure site to transmit the necessary information.
  • When using an ATM, inspect the card reader before swiping to ensure that it isn’t fake. Lately, identity thieves have been planting card skimmers over ATM card slots in order to trick people into providing their PIN and magnetic strip information, and this technique is on the rise.
  • Watch cashiers for skimming, which is when your card is swiped once at the register and again through a hand-held scanner the size of a cigarette lighter. Most registers allow you to swipe your card yourself; if a cashier asks to swipe your card by hand and turns away or puts both hands out of your sight while holding your card, ask to see a manager.
  • Review your credit card and bank statements to ensure that there are no unusual or fraudulent transactions. If you identify any suspicious activity, contact the appropriate financial institution immediately to address any accounts that may have been compromised.

ISO 27000 Series

The title first chosen for this post was: What areas do ISO 27001 and 27002 cover?, corresponding to question 100 of our 300 infosec interview questions. But while working on this subject, I realized that I could say more about the ISO 27000 series, with more details on 27001 and 27002.

Also known as the ISMS Family of Standards, or ISO 27K for short, it is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); hence the joint name ISO/IEC 27000 Series. The ISO 27000 series of standard numbers has been specifically reserved by ISO for information security matters.

The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to the management systems for quality assurance (ISO 9000 series) and environmental protection (ISO 14000 series).

The series is populated by a range of individual standards and documents. A number of these have already been published, and others are scheduled for publication.

The following standards, already published, reflect the current known position of the major operational standards in the series.

  • ISO 27001: This is the specification for an information security management system (ISMS), which replaced the old BS7799-2 standard. The objective of the standard itself is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”. Regarding its adoption, this should be a strategic decision. Further, “The design and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization”.

    The 2005 version of the standard heavily employed the PDCA (Plan-Do-Check-Act) model to structure the processes, and reflected the principles set out in the OECD guidelines (see oecd.org). However, the latest, 2013 version places more emphasis on measuring and evaluating how well an organisation’s ISMS is performing. A section on outsourcing was also added with this release, and additional attention was paid to the organisational context of information security.

    The content sections of the standard are:

    • Context Of The Organization
    • Information Security Leadership
    • Planning An ISMS
    • Support
    • Operation
    • Performance Evaluation
    • Improvement
    • Annex A – List of controls and their objectives

  • ISO 27002: This is the 27000 series standard number for what was originally the ISO 17799 standard, itself formerly known as BS7799-1. The standard “established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization”. The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of “organizational security standards and effective security management practices and to help build confidence in inter-organizational activities”.

    The basis of the standard was originally a document published by the UK government, which became a standard ‘proper’ in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complementing the other.

    In 2013 the current version was published. ISO 27002:2013 contains 114 controls, as opposed to the 133 documented within the 2005 version. However for additional granularity, these are presented in fourteen sections, rather than the original eleven.

    Finally, it should be noted that over the years a number of industry-specific versions of ISO 27002 have been developed or are under development (for example: health sector, manufacturing, and so on).

    The content sections are:

    • Structure
    • Security Policy
    • Organization of Information Security
    • Human Resources Security
    • Asset Management
    • Access Control
    • Cryptography
    • Physical And Environmental Security
    • Operations security
    • Communications Security
    • Information Systems Acquisition, Development, Maintenance
    • Supplier Relationships
    • Information Security Incident management
    • Information Security Aspects of Business Continuity
    • Compliance

  • ISO 27003: This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (Information Security Management System).
  • ISO 27004: This standard covers information security management system measurement and metrics, including suggested ISO 27002-aligned controls.
  • ISO 27005: This is the methodology-independent ISO standard for information security risk management.
  • ISO 27006: This standard provides guidelines for the accreditation of organizations offering ISMS certification.

Other published standards in the series:

  • ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
  • ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • ISO/IEC 27014 — Information security governance.  Mahncke assessed this standard in the context of Australian e-health.
  • ISO/IEC TR 27015 — Information security management guidelines for financial services
  • ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
  • ISO/IEC 27032 — Guideline for cybersecurity
  • ISO/IEC 27033-1 — Network security – Part 1: Overview and concepts
  • ISO/IEC 27033-2 — Network security – Part 2: Guidelines for the design and implementation of network security
  • ISO/IEC 27033-3 — Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
  • ISO/IEC 27033-5 — Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
  • ISO/IEC 27034-1 — Application security – Part 1: Guideline for application security
  • ISO/IEC 27035 — Information security incident management
  • ISO/IEC 27036-3 — Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security
  • ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
  • ISO 27799 — Information security management in health using ISO/IEC 27002. The purpose of ISO 27799 is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

Scheduled for publication:

  • ISO/IEC 27017 — Information security management for cloud systems
  • ISO/IEC 27019 — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
  • ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (parts 1-3 are published already)
  • ISO/IEC 27036 — Guidelines for security in supplier relationships
  • ISO/IEC 27038 — Specification for redaction of digital documents
  • ISO/IEC 27039 — Intrusion detection and protection systems
  • ISO/IEC 27040 — Guideline on storage security
  • ISO/IEC 27041 — Assurance for digital evidence investigation methods
  • ISO/IEC 27042 — Analysis and interpretation of digital evidence
  • ISO/IEC 27043 — Digital evidence investigation principles and processes

src: http://www.27000.org

Question 93 : What’s the difference between stored and reflected XSS?

I have a question ...

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.

XSS attacks can generally be categorized into two categories: stored and reflected. There is a third, much less well known type of XSS attack called DOM Based XSS that is discussed separately here.

Stored XSS Attacks

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on “normal” pages returned to other users in the course of regular browsing, without proper HTML escaping.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type.[10] These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
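As an added illustration of the stored versus reflected distinction (example code written for this post, not from OWASP or the other quoted sources): a constructed in-memory comment board and search box, each rendered once without and once with HTML output encoding. The payload, the COMMENTS store and all helper names are constructed for the demo.

```python
import html
from typing import Dict, List

# Constructed stand-in for a tiny web application (not a real framework):
# comments are "stored" in a list that every visitor's page is rendered from,
# and a search box "reflects" the query back in the response.
COMMENTS: List[str] = []        # server-side storage shared by all users

# Constructed marker payload; any active markup in the output is the defect.
PAYLOAD = "<script>alert(1)</script>"


def post_comment(text: str) -> None:
    """Persist a comment exactly as submitted; storing raw input is fine,
    the flaw is emitting it unencoded later."""
    COMMENTS.append(text)


def render_comments(escape: bool) -> str:
    """Stored XSS path: every later visitor receives whatever is in COMMENTS."""
    encode = html.escape if escape else (lambda s: s)
    items = "".join(f"<li>{encode(c)}</li>" for c in COMMENTS)
    return f"<ul>{items}</ul>"


def render_search(query: str, escape: bool) -> str:
    """Reflected XSS path: only the request that carried `query` gets it back."""
    encode = html.escape if escape else (lambda s: s)
    return f"<p>No results for: {encode(query)}</p>"


def contains_script(page: str) -> bool:
    """Crude check: does the response carry a live <script> tag?"""
    return "<script>" in page


def run_scenarios() -> Dict[str, bool]:
    """Return, per render path, whether the payload survives as active markup."""
    COMMENTS.clear()
    post_comment(PAYLOAD)                       # attacker posts once
    return {
        # another user, later, loads the page carrying no attacker input of their own
        "stored_vulnerable": contains_script(render_comments(escape=False)),
        "stored_fixed": contains_script(render_comments(escape=True)),
        # victim follows a crafted link; the payload lives only in that request
        "reflected_vulnerable": contains_script(render_search(PAYLOAD, escape=False)),
        "reflected_fixed": contains_script(render_search(PAYLOAD, escape=True)),
        # an innocent visitor's own search is inert even on the vulnerable path
        "innocent_reflected": contains_script(render_search("laptops", escape=False)),
    }


if __name__ == "__main__":
    for name, leaked in run_scenarios().items():
        print(f"{name}: {'script executes' if leaked else 'inert text'}")
```

Note the asymmetry the text describes: the stored payload reaches every later visitor with no action on their part, while the reflected one reaches only the user whose request carried it.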

Question 37 : What is DNS hijacking and how does it work?

I have a question ...

DNS hijacking is a process in which an individual redirects queries to a domain name server (DNS). It may be accomplished through the use of malicious software or unauthorized modification of a server. Once the individual has control of the DNS, they can direct others who access it to a web page that looks the same, but contains extra content such as advertisements. They may also direct users to pages containing malware or a third-party search engine.

ISP hijacking

DNS hijacking is also done by some Internet service providers, such as Comcast, so that they can link users to their own search pages when they visit a web page that no longer exists. Many claim this is to improve the users’ experience; however, this can also be another great source of extra revenue, since they control the site and get paid for any advertisement clicks. Currently, there are no laws against an ISP doing this to its users.

How does DNS hijacking work?

As mentioned before, DNS is responsible for mapping user-friendly domain names to their corresponding IP addresses. The DNS server is owned and maintained by your Internet service provider (ISP) or by other private organizations. By default, your computer is configured to use the DNS server of the ISP. In some cases, your computer may even be using the DNS services of other reputed organizations such as Google. In this case, you are said to be safe and everything seems to work normally.

DNS Hijacking

But imagine a situation where a hacker or a malware program gains unauthorized access to your computer and changes the DNS settings, so that your computer now uses a rogue DNS server owned and maintained by the hacker. When this happens, the rogue DNS server may translate the domain names of desirable websites (such as banks, search engines, social networking sites, etc.) to the IP addresses of malicious websites. As a result, when you type the URL of a website in the address bar, you may be taken to a fake website instead of the one you intended. Sometimes this can put you in deep trouble!

Src: gohacking, Computer Hope 

Duqu 2.0 : Kaspersky Lab investigates hacker attack on its own network

Duqu is back. The Russian computer security company Kaspersky revealed that it had detected on its own internal networks a program similar to malware that appeared in 2011. This new worm, dubbed “Duqu 2.0“, is considered the “most advanced in its category” by the anti-virus vendor. While Kaspersky is careful not to identify a culprit, it believes that only a nation state is able to design this software, estimated at $50 million.

Attack’s discovery…

For Kaspersky, the people behind Duqu 2.0 were fully confident it would be impossible to have their clandestine activity exposed; however, Kaspersky did manage to detect it, with the alpha version of its Anti-APT solution, designed to tackle even the most sophisticated targeted attacks. The thinking behind the malware is a generation ahead of anything they had seen earlier: it uses a number of tricks that make it really difficult to detect and neutralize. Kaspersky’s customers have nothing to fear from a security point of view, because this attack caused no incident on Kaspersky products and services.

Purpose of Attack …

The attackers were interested in learning about Kaspersky’s technologies, particularly:

The bad guys also wanted to find out about Kaspersky’s ongoing investigations and learn about Kaspersky’s detection methods and analysis capabilities. Since Kaspersky is well known for successfully fighting sophisticated threats, they sought this information to try to stay under Kaspersky’s radar. According to Kaspersky, the attackers have now lost a very expensive, technologically advanced framework that they had been developing for years.

Who is behind the Attack ??? …

Kaspersky has found that the group behind Duqu 2.0 also spied on several prominent targets, including participants in the international negotiations on Iran’s nuclear program and in the 70th anniversary event of the liberation of Auschwitz. They are confident that the prevalence of this attack is much wider and has included more top-ranking targets from various countries. The advantage is that they will use this attack to improve their defensive technologies. Eugene Kaspersky confirmed that their malware databases have not been affected, and that the attackers had no access to Kaspersky customers’ data.

Kaspersky does not attribute attacks; they claim to be security experts and do not want to get involved in politics. However, they think that governments attacking IT security companies is simply outrageous: governments and companies are supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. If various murky groups, often government-linked, treat the Internet as a Wild West with no rules and run amok with impunity, it will put the sustainable global progress of information technologies at serious risk. Kaspersky once again calls on all responsible governments to come together and agree on such rules, and to fight against cybercrime and malware, not sponsor and promote it.

Several clues indicate the responsibility of Israel…

Although Israel denies its involvement, several indicators suggest that it was involved in the design of Duqu 2.0. First, the first version of Duqu, dating from 2011, is itself a derivative of Stuxnet. The latter was developed by the United States in cooperation with Israel to attack Iran’s nuclear program, in particular its centrifuges, to try to slow the efforts of Tehran, suspected of wanting to develop nuclear weapons.

In March, US officials claimed that Israel spied on talks between the P5+1 and Iran in 2014, according to the Wall Street Journal. Israel has denied spying on the negotiations on the Iranian nuclear issue. “International news about Israel’s involvement in this affair is baseless,” said Israel. Austria and Switzerland, for their part, had already started investigations before Kaspersky’s public revelations.


Why Duqu 2.0? It exploits three zero-day vulnerabilities …

Duqu is a sophisticated malware platform discovered by CrySyS Lab and investigated by Kaspersky Lab in 2011. Its main purpose was to act as a backdoor into the system and facilitate the theft of private information. In 2011 Duqu was detected in Hungary, Austria, Indonesia, the UK, Sudan and Iran. There are clues that Duqu was used to spy on the Iranian nuclear program and also to compromise Certificate Authorities in order to hijack digital certificates. These certificates were used to sign malicious files to evade security solutions.

Both discreet and versatile, it is composed of numerous modules, which enable it to collect a variety of information. It can, for example, operate the microphones in hotel lifts that have them. The worm exploits no fewer than three “zero-day” flaws: flaws that are unknown and unprotected, in this case in the Microsoft Windows operating system.

Scr : Kaspersky Lab

U.S. Blames China for Massive Hack Attack

Four million U.S. government workers were hit by a cyber breach. The information was revealed this Friday, June 5, by Washington. According to the cybersecurity experts advising the U.S. government, this vast cyber-attack against the federal government appears designed to build a vast database, in what could be preparation for future attacks by China against the U.S.

The breach was initially thought to have affected the Office of Personnel Management and the Department of Interior, but government officials said hackers hit nearly every federal government agency. An assessment continues, and it is possible millions more government employees may be affected. The stolen information included Social Security numbers and performance evaluations.

Historically …

The detection of this “cyber-intrusion” dates from April, but according to information obtained by the Washington Post from officials who requested anonymity, the operation would have been mounted in December, just when the personnel management office was putting new safety procedures in place.

Failure to update software behind federal data breach…

The cybersecurity experts added that some government agencies have not been following the government’s own best practices for cybersecurity, such as updating operating systems with the latest protections.

Security researchers have pointed to a cyber tool or family of malicious software called Derusbi that has been linked exclusively to Chinese actors.

Chinese Cyber espionage…

According to analysts and experts, other Chinese entities, including the military, may also be involved in the campaign. Chinese government hackers “are like a vacuum cleaner” in sucking up information electronically: “They’re becoming much more sophisticated in tying it all together. And they’re trying to harm us.”

China dismissed the allegation of hacking as “irresponsible and unscientific.” Chinese Foreign Ministry spokesman Hong Lei said Beijing wanted to cooperate with other nations to build a peaceful and secure cyberspace: “We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation.”

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority. But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

EINSTEIN Detection System…

Employees of the legislative and judicial branches and uniformed military personnel were not affected.

The federal personnel office learned of the data breach after it began to toughen its cybersecurity defense system. When it discovered malicious activity, authorities used a detection system called EINSTEIN to unearth the information breach in April, the Department of Homeland Security said. A month later, the federal agency learned that sensitive data had been compromised. The FBI is investigating what led to the breach.

src: cnn, washingtonpost