Over 500 million financial records hacked in the last year

I read an interesting article in USA Today recently.  The FBI says that over 500 million financial records have been hacked in the last 12 months (given that the Chase hack accounts for over 80 million records alone, this number in itself is not surprising).

Here are a few tidbits out of the article that should get your attention:

  • The FBI says that nearly 519 million financial records were stolen in the last 12 months
  • Joseph Demarest, Assistant director of the FBI’s cyber division says “You are going to be hacked … have a plan”
  • 35% came from website breaches, 22% from cyberespionage, 14% from point-of-sale systems and 9% from when you swiped your credit or debit card.
  • About 80% of the hacking victims in the business community didn’t even realize they’d been hacked until they were told by the government, vendors or customers.

Probably the most telling item on this list is that most companies did not figure out on their own that they had been hacked.  This is very different from having your car stolen.  When that happens, you go looking for your car and it is not where you left it.  You know you have a problem.  When a good hacker breaks into your business systems, nothing is missing and nothing is askew.  Unless you are proactive about looking, how would you know you have been had?

It’s scary, but doing nothing is not an option any more.  It is much harder to hit a moving target – so plan on moving.  Otherwise you are a sitting duck.


Mitch Tanenbaum

A Whole New Level Of Breach

With the Snapchat and Dropbox breaches this week, the attack surface just got raised a notch.

In case you are not familiar with these two breaches, I will describe at a high level what happened.

With Snapchat, users assume that their pictures will disappear quickly on the other end after they are opened.  However, if the other person violates the terms of service and adds an app like snapsaved to their phone, they can save that chat forever.  In this case, not only can that happen, but the app saves your chats to its web site and that website got hacked – along with a whole bunch of child porn (the demographic of users for Snapchat is 13 to 18 year olds and they seem to like to share naked selfies a lot).

The Dropbox breach is similar. The details are not all available yet, but it seems that, again, it was a helper app that was breached.  In this case, there was no violation of the terms of service, but millions of userids and passwords were apparently stolen.

The Dropbox case is a little different from the Snapchat case in that with Dropbox, you elected to install the helper app, so you cannot say that you did not know what was happening.  In the Snapchat case, you didn’t do anything to contribute to the breach and were likely unaware that the other person had that extra app installed.

What this means is that you, as a user of online services, have to vet not only the service that you want to use but also any related apps that you are using.  It also means that if there are other people sharing your information (like nekkid selfies in the case of Snapchat), you need to make sure that the other person is not doing something wrong.

Of course, in a sense, this is no different than what we have always had to do.  If you are sharing information with someone, you need to validate that the information will remain secure – to your level of comfort – on both ends.

In the situation where you are dealing with a regulated entity (like a bank or healthcare provider), you also have to keep the regulators happy.  They may start asking a new set of questions as a result of this breach.

In the case of the snapchat breach, you may just want to reconsider what you send to your friends.

Mitch Tanenbaum

Snapchat Breach – MAYBE!

Forbes and other media outlets are reporting that we may be seeing the next version of the celebrity nude picture breach (called the fappening) that leaked nude pictures of famous celebs such as Jennifer Lawrence and many others.

This breach, nicknamed THE SNAPPENING, apparently came from a third party SnapChat helper app and website which allows users to save supposedly destroyed SnapChat pictures.

THIS BREACH HAS NOT BEEN VERIFIED YET, SO STAY TUNED TO SEE IF IT REALLY HAPPENS.  Sources say it is supposed to come down on October 12th.

The challenge here is that YOU could do everything right and if the person you are SnapChatting with is using one of the helper apps and that app gets compromised then you are toast.  AND, you won’t know about it until copies of your pictures that were never intended to last more than 10 seconds are posted on the web.

If you don’t want it to become public, don’t do it.  Sorry.  There is no easy answer.

Mitch Tanenbaum

More breaches – KMart, Dairy Queen and MBIA

The breaches just keep happening.

The most recent breaches include KMart (the size of which is still being determined), Dairy Queen (395 stores) and MBIA.  The first two are, once again, from a Point of Sale (cash register) system.  The MBIA breach came from a misconfigured web server.

When will it end?  Not until people start taking security more seriously.  Stay tuned for the next breach.

Mitch Tanenbaum

Marriott Fined $600,000 by FCC For Messing With People’s Personal Wi-Fi Hotspots

According to an article on CNN.com and other places, the FCC has fined Marriott $600,000 for doing what I suspect other properties have been doing also but not (yet) caught at.

According to CNN, Marriott, for reasons unknown, decided that they should be allowed to kill visitors’ Wi-Fi hotspots that were not connected to the hotel network at all.

Some people speculate this is because they want to sell you their Wi-Fi access.  At the event in question, at a Marriott property in Nashville (Gaylord Opryland), the hotel was selling Wi-Fi access for $1,000 per device.  I assume this was at a convention center event.  Some admins speculate that they killed the personal Wi-Fi access points by masquerading as the user’s own device or access point and sending 802.11 deauthentication (DEAUTH) frames, which are unauthenticated management frames that tell a client to drop its connection.
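The speculated technique has a recognizable signature from the victim’s side: a burst of deauthentication frames that appear to come from one access point, aimed at several clients within a second or two, which is not how a normal disconnect looks. The following is an added example (not from this post, and not code from Marriott, the FCC or any Wi-Fi vendor) of the kind of check a wireless intrusion detection system runs. The management-frame records, field layout, window and threshold are all constructed assumptions for illustration.

```python
"""Flag bursts of 802.11 deauthentication frames per transmitter address.

Added example, not from the blog post. The frame records below are constructed
sample data: (timestamp in seconds, management subtype, transmitter MAC,
receiver MAC). A real monitor would fill this from a capture in monitor mode.
"""
from collections import defaultdict, deque

# Constructed sample capture. Transmitter ...:01 "sends" eight deauths to three
# different clients inside one second, which is the flood pattern. Transmitter
# ...:02 sends a single deauth, which is a normal disconnect.
SAMPLE_FRAMES = [
    (0.00, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),
    (0.10, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (0.20, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"),
    (0.30, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:03"),
    (0.40, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (0.50, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"),
    (0.60, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:03"),
    (0.70, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (0.80, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"),
    (1.00, "beacon", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff"),
    (5.00, "deauth", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:09"),
    (9.00, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),
]


def find_deauth_bursts(frames, window_s=1.0, threshold=5):
    """Return {transmitter: {"peak_count", "targets", "window_end"}} for every
    transmitter that emitted at least `threshold` deauth frames within any
    sliding window of `window_s` seconds. Threshold and window are assumed
    tuning values; a busy enterprise AP may need a higher threshold.
    """
    recent = defaultdict(deque)  # transmitter -> deque of (ts, receiver) in window
    alerts = {}
    for ts, subtype, tx, rx in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue  # only deauthentication frames count toward the burst
        q = recent[tx]
        q.append((ts, rx))
        # Drop entries older than the window; q is non-empty after the append.
        while ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            targets = {r for _, r in q}  # distinct clients hit in this window
            prev = alerts.get(tx)
            if prev is None or len(q) > prev["peak_count"]:
                alerts[tx] = {
                    "peak_count": len(q),
                    "targets": len(targets),
                    "window_end": ts,
                }
    return alerts


def describe_alerts(alerts):
    """Human-readable lines, one per flagged transmitter."""
    return [
        f"{tx}: {a['peak_count']} deauth frames to {a['targets']} client(s) "
        f"ending at t={a['window_end']:.2f}s"
        for tx, a in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in describe_alerts(find_deauth_bursts(SAMPLE_FRAMES)):
        print(line)
```

The single deauth from the second access point never trips the check, while the eight-frame burst does. A sensible response to an alert is logging the transmitter address, channel and time for the complaint, not retaliating on the air; the FCC action described in this post is exactly the remedy that kind of evidence supports.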

Marriott contends this is legal; the FCC has a different opinion.  Marriott said they were merely “protecting” their customers and that they will try to convince the FCC to change its rules.  They are required to file compliance plans every three months for three years, and this covers all Marriott properties anywhere in the US.

Mitch Tanenbaum