Minecraft Hacked – Decided It Was Better Not To Tell Anyone; 17 Also Breached

Motherboard is reporting that over 7 million user accounts belonging to the Minecraft community “Lifeboat” are for sale.

Security researcher Troy Hunt is loading the data into his web site “Have I Been Pwned?” so that people can check whether their data was in the hacked set.

Lifeboat runs servers for custom multiplayer editions of Minecraft Pocket Edition (for mobile users).

Motherboard reached out to several victims who said that they had not been notified by Lifeboat of the breach.

Lifeboat said that they had been aware of the breach for some time.

They said that when this happened in early January, they decided that the best thing for their players was to quietly force a password reset and not let the hackers know that they had a limited time to act.

I am not aware of any state data breach law or any clause in the FTC Act that says that if a company is breached and they “quietly force a password reset”, they do not have to let the victims know that their data was compromised.  I do not know if the FTC is now looking at this, but I would not advise clients to use this solution in the face of a breach.

To make matters worse, the users that Motherboard spoke to said that they had not received a password reset.

The good news, if there is any, is that the amount of information the company keeps on each user is small.  There is still a dark side, though.

Lifeboat used the MD5 hash algorithm to hash its passwords.  MD5 is a fast, general-purpose hash, and when it is used without a per-user salt, an attacker can hash a wordlist once and compare the results against every leaked hash at millions of guesses per second, so the hashes offer little protection for any password that is short, common, or reused.  If a password was reused on other sites, the user is at risk of compromise well beyond the data that was taken from Lifeboat.
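To show concretely why an unsalted MD5 password store is so weak, and what it should have looked like, here is an added example (not code from the original post, and not Lifeboat's code).  The wordlist, the "leaked" hashes and the usernames are constructed for the demonstration; the hardened scheme uses PBKDF2-HMAC-SHA256 with a random per-user salt from the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample wordlist standing in for a real cracking dictionary.
WORDLIST: List[str] = [
    "minecraft", "password", "letmein", "creeper123", "lifeboat2016", "hunter2",
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak scheme: same password -> same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against one hash: one cheap MD5 per candidate."""
    for candidate in wordlist:
        if hmac.compare_digest(md5_hex(candidate), target_hex):
            return candidate
    return None


def crack_many(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Crack a whole dump at once.  With no salt, the wordlist is hashed a single
    time and the resulting lookup table is reused against every user, which is
    why unsalted MD5 dumps fall so quickly (the rainbow/lookup-table attack)."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table.get(h) for user, h in leaked.items()}


# Hardened scheme: random per-user salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived-key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed "dump": three users, two of whom picked the same weak password.
    dump = {"alice": md5_hex("creeper123"), "bob": md5_hex("creeper123"),
            "carol": md5_hex("correct horse battery staple")}
    print(crack_many(dump, WORDLIST))   # alice and bob cracked, carol not
    rec = hash_password("creeper123")
    print(rec, verify_password("creeper123", rec), verify_password("creeper124", rec))
```

Two things the weak half of the example makes visible: identical passwords produce identical MD5 hashes, so one cracked hash exposes every user who chose that password, and the attacker's cost is one MD5 per wordlist entry for the whole dump rather than per user.  The hardened half makes each guess cost 200,000 PBKDF2 iterations and, because of the salt, has to be repeated for every user.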

When asked why they did not tell users, Lifeboat did not respond.

Just another reason not to reuse passwords.

While researching the Minecraft breach, I came across an article on an even bigger breach – the app 17, which is, apparently, popular in Asia.  The hackers claim to be selling 30 million identities.

Motherboard says that when the company raised Series A funding last year it said the app had been downloaded 6 million times, and the Google Play store lists it at between 500,000 and a million downloads, so there is a gap between those figures and the 30 million claimed, but the hacker’s number cannot be ruled out.

17 Media first said that it did not look like one of their data sets, but later said they were buying the data from the hacker.  Whether they could even buy exclusive rights is doubtful: according to the site where it was listed, the hacker had already sold it to other buyers.

So, these two breaches represent close to 40 million users.  The good news is that it doesn’t seem to contain any credit card data, but if the passwords are reused elsewhere, then all bets are off.

Information for Lifeboat came from Motherboard.

Information on the 17 app also came from Motherboard.

Wendy’s Sued Over Data Breach

As could be expected, the Wendy’s data breach saga continues.  A proposed class action lawsuit was filed by a credit union in Pittsburgh representing all banks who were affected by the breach.

As reported by Brian Krebs in March, credit unions said that they saw a rise in fraudulent credit card use greater than what they saw after the Target or Home Depot breaches.  One credit union said its losses were 5 to 10 times what it lost during the Target and Home Depot breaches.  That money has to be recovered somehow: through higher bank fees, higher fees to merchants that are passed on as higher prices, or lawsuits against the store that caused the expense.  As we saw in both the Home Depot and Target breaches, those lawsuits recover only a small portion of the costs.

Wendy’s has been pretty mum about the extent of this breach.  It is not clear why they have not disclosed the scope of the breach.  The lawsuit is providing a little bit of information.

The lawsuit claims that Wendy’s “refused to take steps to adequately protect its computer systems from intrusion”.  That is a pretty strong claim.

The lawsuit claims that the breach ran from Oct 22, 2015 to March 10, 2016, or about 5 months.

Wendy’s was notified by customers in January that they were seeing unusual activity on their credit cards after visiting Wendy’s locations.  In other words, Wendy’s didn’t discover the breach; its customers did, which is why it is important to review your credit card and bank statements regularly.  An even better solution is to have your bank send you a text message every time your credit or debit card is used.  Most banks offer this for free, and it means you know almost instantly when your card is used fraudulently.

Wendy’s did not acknowledge the fraud until February 9th, and then told customers not to worry because the banks would reimburse them for any fraud.  While that is true, it does not seem the most responsible way of dealing with the situation.  Most businesses agree to be responsible if consumers lose money, even though they know the banks will provide the first line of defense.

The lawsuit goes on to say that “Despite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data”.  Readers of this blog may remember that I reported earlier that the Wendy’s CFO said that it was cheaper to pay the fraud than to upgrade their point of sale system to accept chip based cards.  It is not clear if he still feels that way.

As a result of the breach, the lawsuit says, the banks have been forced to cancel and reissue cards, change or close accounts, notify customers that their cards have been compromised, investigate fraud claims, refund charges, increase monitoring and take other steps.

What is different in this case from, say, Target is that under the new credit card rules effective October 1, 2015 (the EMV liability shift), the merchant is now liable for these costs if the consumer presented a chip-based card and the store did not have a chip-capable reader.  As of the last report I saw, only about 50% of businesses had chip-capable readers, and Wendy’s was not among them.

The banks would likely want to make a showcase of Wendy’s to push retailers to adopt the chip-based technology.  So while the Wendy’s CFO was probably thinking of fraud as costing him the $5 cost of a burger, under the new rules it could cost him $100 or $200 per fraudulent transaction once all of the expenses described above are counted.  If there were only, say, a million fraudulent transactions, you can do the math.

The lawsuit goes on to say that Wendy’s, in a recent SEC filing, said that it was heavily dependent on its POS system and that any breach could impair its ability to operate efficiently.  The report was filed in January; whether they knew about the breach at that time is unclear.

The lawsuit also says that Wendy’s was not following 2007 FTC guidelines and similar state regulations designed to protect consumer data.  2007 was a long time ago, so it is going to be hard to defend themselves as to why they were not following those rules.

I suspect that Wendy’s will settle out of court given these claims.  The truth would likely be far uglier than paying the banks.  What is unclear is how much the banks will be asking for.  In past large breaches, the banks settled in the $10 million to $30 million range.  Since the banks are claiming that this breach is costing them far more than the Target or Home Depot breaches did, and considering the new credit card liability rules, it is not clear how much this will cost Wendy’s.

Wendy’s has also not said if they carried cyber liability insurance or if they did, how much coverage they had.  I will be amazed if it turns out that they did not have some coverage.

While the suit likely won’t be settled for years, we should see some more information in future Wendy’s SEC filings.

Information for this post came from Krebs On Security and the Courthouse News Service.

We Only Thought Blackberry Was Secure

Blackberry CEO John Chen said that tech companies must balance customer privacy with lawful government interests.  The translation of this is “we have given the Blackberry keys to a variety of governments”.  And we only THOUGHT that Blackberrys were secure.

One point that is important to understand is that for companies that have their own BES (Blackberry Enterprise Server), we do not think that Chen has those keys to give out.  But who knows – we didn’t think he was giving out other keys either.

The President has a Blackberry.  Did Chen give the key to the President’s Blackberry to China?  I hope not, but…  To alleviate those concerns, while the Feds are silent on the issue, we can assume that the Prez’s phone has “extra” security in it.

In the cases in question, it appears that Blackberry may have given the KEYS to these governments, not just select messages from select customers.

That means that those governments can eavesdrop on any message from any customer without any further intervention from Blackberry.  Blackberry can plead ignorance because, basically, they unlocked the door and left it ajar.

What this means, if true, is that Blackberry customers should not assume that their communications are secure.  As consumers, we do not know which countries Chen gave keys to.  Are those governments reading consumers’ messages because they think those consumers are terrorists?  Have committed a crime?  Or just disagree with the government?  Who knows?

For those people who have assumed that their Blackberry is more secure than, say, an Android or Apple phone, maybe they should rethink that decision.

Information for this post came from Infoworld.

British Surveillance No Different Than U.S.

While the U.S. has Snowden, The Brits have Privacy International.  As part of a lawsuit, Privacy International obtained formerly secret files regarding the extent of British surveillance.

The data the Brits are hoovering up includes private medical records, correspondence with your doctor or lawyer, financial data and other information.

And the government admits that the majority of the data collected is about people who are not suspected of a crime or a threat to national security.

It seems that the British rules regarding data collection are looser than the NSA’s rules.

The documents say that the data includes sensitive information like political and religious affiliation, sexual preferences and legally privileged information.

It even includes data on people who are dead – and therefore unlikely to be much of a threat to British security.

The documents do say that employees should not search for information on themselves or friends – unless their friends are suspects.  Public figures are also off limits.

One program called KARMA POLICE, the documents say, aims to create a web browsing profile of every person visible on the Internet.

To me, this seems more invasive than or at least equal to, what the NSA is doing.

So while the EU is complaining that the U.S.-negotiated Privacy Shield doesn’t rein in the NSA enough, maybe they ought to look at home first.

Just my two cents.

Information for this post came from The Intercept.

FISA Court Affirms FBI Does NOT Need A Warrant To Read Your EMail

The Foreign Intelligence Surveillance Court, or FISA Court, has affirmed that the Feds do not need a warrant to search your email.  Of course, if that email is end-to-end encrypted (real encryption under keys you control, not the transport encryption that a provider like Gmail applies and can itself undo), then while they may have the FISA court’s permission to look at it, they will have to figure out how to decrypt it first.

FISA Court Judge Thomas Hogan, in an opinion from last November that was recently declassified, said that Section 702 of FISA, as added by the FISA Amendments Act, allows the government to keep any emails from American citizens that it hoovers up as part of its mass data collection if the email is evidence of a crime.  Evidence of a crime is a pretty low bar.  After all, a lot of evidence would never convince a jury of anything.

This confirms a couple of things.

First, you should not say incriminating things in email.  To me, this falls into the “DUH!” category.

And second, Section 702 of the FISA Amendments Act allows the government to hoover up a lot of email and keep it and share it if they think it could be evidence of a crime.

The implication of this is that if you expect your email to be private, that would require extraordinary steps on your part to make sure that it is.

In that same opinion, the judge criticized the NSA for not destroying old surveillance data in spite of rules that require it to do so.

“Perhaps more disappointing than the NSA’s failure to purge this information for more than four years,” Judge Hogan wrote, “was the Government’s failure to convey to the Court explicitly during that time that the NSA was continuing to retain this information.”

Let me translate that to English.

Ye Olde Judge is pissed that the NSA lied to him when they certified that they were complying with the rules for Section 702,  when in fact, they were not compliant.  I am gathering that the judge is saying that this was not an oopsie.

The NSA replied to the ruling by issuing a statement through the office of Director of National Intelligence James Clapper that said “prior representations could have been clearer” – i.e., we lied and got caught at it.  My bad.  Sorry.

And some people are wondering why some citizens don’t trust the government.  Seems pretty clear why some people don’t trust the government.

Information for this post came from SC Magazine.

Hand Over Your Phone If You Are In An Accident!

In the “what could go wrong with this” department, New York lawmakers are considering a piece of legislation that would require drivers who are involved in an accident to submit their phone to roadside testing to determine if they were using their device prior to crashing the vehicle.  License, registration, proof of insurance and phone, please.

Refusing to turn over your phone would cause an immediate suspension of your license or, for out-of-state drivers, of your privilege to drive in New York.

While this bill has not been passed – or signed into law – the mind boggles as to how this could be abused and misused.

Here is the concept:  the cop would take your phone and plug it into a forensic analyzer like the ones police already use when they seize a phone at a crime scene.  Companies like Cellebrite, the Israeli/Japanese company that was originally thought to have unlocked the San Bernardino shooter’s phone, are already working on software to do this.

To attempt to get around the Fourth – and Fifth – Amendment issues, the software that Cellebrite is developing, supposedly, would not capture conversations, contacts, phone numbers and other stuff that, in theory, would require a warrant.  I *definitely* believe that.

This bill follows some intense lobbying from a group called Distracted Operators Risk Casualties (DORC).  Like MADD, the group was founded after a death: the son of its co-founder was killed by an allegedly distracted driver.

Assuming this bill makes it into law, I am sure it will be the source of many court cases, possibly up to and including those 8 folks in black robes in Washington.

If the phone is locked or encrypted, I gather, you will be required to unlock and thereby decrypt the data for the cops.

What the FBI could not get Apple to do, maybe the NYPD can get the owner to do.  Note that, it appears, it does not matter whether you are at fault.

While Cellebrite could, possibly, be honest in what data they are extracting, the FBI has already admitted that they have technology to snoop on your phone.  What is to stop a police officer from inserting that technology while “checking” your phone for distracted driving?  Or, in an admittedly even more far fetched case, causing an accident to happen in order to get their hands on your phone to insert that technology.

It is also unclear if the law applies to passenger’s phones.

On the other hand, having a burner phone handy could be a simple way around the problem.

A more subtle way around this is to use container technology like Samsung Knox or Google’s Android for Work, which keeps work data in a separately encrypted partition.  As long as that partition is not unlocked at the time, my guess is that the Cellebrite tech would not be able to read it – short of any bugs in the software that make it vulnerable.

One more thing to consider.  There is already a way to get this data that is a lot less invasive: ask the driver’s cell phone carrier for usage records.  This requires a warrant, which requires more work, but also protects people’s privacy.  Curiously, this is exactly what was done in the case of DORC’s co-founder’s son’s accident – and it did show that the phone was in use near the time of the accident.

Information for this post came from Ars Technica.