The Year Of The Voter List Breach

Early this year, we learned that a voter database of 191 million U.S. voters was found, unprotected, on the Internet.  The list contained name, address, political party, telephone and voting record (not who you voted for, but in which general elections and primaries).

For people who want to keep that information private, such as judges and prosecutors, the cat is now out of the bag.

Under U.S. law, that data is public and most states sell or give that data to politicians who use it to harass you.  Err, excuse me, call you at dinner time.

Now we have learned of a second voter database leak.  This time it covered about 56 million voters.  This list contained some other information that comes from the questions you choose to answer when they call you, merged with other public records.  The information exposed this time includes Christian values, bible study and gun ownership in 19 million of those profiles.

That is the result of you answering those questions when pollsters call you.  If you answer and talk to them, the data that you provide will get added to that generic database.  In addition, data from other public record sources can be merged.  I suppose the gun ownership question could come from gun licenses or maybe even background checks, but those records are not supposed to be public.

Now the same researcher, Chris Vickery of MacKeeper, said he has found a third voter database.

While the first two were stored on Amazon, this one is stored on Google.

And, I would not blame Amazon or Google for the breach.  These hosting providers give you tools to configure your security, but they are not responsible for how or if you use them.
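The tools the hosting providers give you are exactly the thing that goes unused in these cases: a bucket policy or ACL that grants read to everyone is all it takes for a database to be "unprotected on the Internet".  As an added example (not code from the original post or from any of the parties mentioned), here is an offline audit of the two places a public grant hides in AWS S3, the bucket policy and the bucket ACL.  The policy and ACL documents are constructed sample input in the shape the service returns; the account id, role name and bucket name are invented.  Google Cloud Storage has the same failure mode (a grant to allUsers), and the same kind of check applies there.

```python
import json

# Constructed sample bucket policy (not from the page): the first statement is
# scoped to an application role, the second accidentally opens the bucket to
# everyone on the Internet.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/voter-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::voter-data/*",
        },
        {
            "Sid": "AccidentallyPublic",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::voter-data", "arn:aws:s3:::voter-data/*"],
        },
    ],
})

# Constructed sample bucket ACL in the shape returned by get-bucket-acl:
# the owner has full control and the AllUsers group has been granted READ.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Predefined S3 groups whose presence in an ACL means "anyone" can use the grant.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True if the Principal element matches everyone (bare "*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json):
    """Return every Allow statement that grants to a public principal.

    A statement with a Condition block is reported too, but marked, because a
    condition such as aws:SourceIp may narrow it; a human should read those.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "has_condition": "Condition" in stmt,
        })
    return findings


def find_public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public ACL groups."""
    public = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            public.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return public


if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        print("public policy statement:", finding)
    for group, perm in find_public_acl_grants(SAMPLE_ACL):
        print("public ACL grant:", group, perm)
```

In practice you would feed this the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for every bucket in the account, and treat any finding as an incident rather than a to-do item, since the data may already have been copied.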

This latest database contains 154 million records.  Besides your name, address and Congressional district, this database contains estimated income, ethnic background, gender, party information, whether the person was likely to have children and other information.

One of the challenges for Chris is to try to figure out who owns the database so that he can contact them.  Amazon and Google are unlikely to tell him, for fear that they would get sued for giving that information out.  In this case there was a telltale sign, and Chris called the company that he thought might own it.  Turns out they did not, but they had a good idea of which of their customers might own it.

A few hours later, it was locked down.

Of course, we don’t know how many months it was available or who might have downloaded it before Chris discovered it.

The magnitude of these data breaches is breathtaking.  The 191 million record list includes the name of every registered voter in the U.S.  That means these other breaches are subsets of that data with the extra fields as a bonus for whoever finds it.

And likely, this is just the tip of the iceberg.  Stay tuned as the election season cranks up.

And maybe you should not tell people that you are a gun owner or do bible study, since these folks can’t seem to secure that data.

The world of big data.  It can mean big breaches.


Information for this post came from Daily Dot.

655,000 Healthcare Records Up For Sale

A hacker called thedarkoverlord is offering 3 unique medical databases for sale at prices ranging from 151 bitcoins to 607 bitcoins. Deep Dot Web got to look at images of the database, shown below.




One database has 48,000 records from a healthcare company in Missouri.

The second database has 210,000 records from a healthcare company in the midwest.

The last database contains 397,000 records from a healthcare company in Georgia.

The hacker claims that he exploited a remote access vulnerability to access the data and he also said that the data was not encrypted.

Here is the scary part – kind of a warning.  The hacker said that if an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee, take the offer.   There is a lot more to come.

There is no telling – yet – where this data came from or whether there is more to come.

This is just another indicator that health care data is a hot commodity, because unlike a credit card, you cannot just get a new one.

It will be interesting to see how many more databases this hacker has for sale.

Information for this post came from Deep Dot Web.

CFA Institute Says Don’t Become The Hacker’s Next Victim

The Infosec Institute says that malicious cyber activity cost the US between $24 billion and $120 billion and worldwide that number was $300 billion to $1 trillion (see here).  And that was in 2013!

For investment professionals (and other businesses as well), poor cyber security practices which lead to being hacked can cause a complete loss of client confidence – leading to a loss of clients.

That of course does not include fines and lawsuits.

Some investment pros ask, why would hackers go after me and why do I have to deal with cyber security?  The CFA Institute’s (Chartered Financial Analyst) answer?

Those were decent questions – 10 years ago.

Combine the huge amount of financial information that an investment professional keeps with the general lack of interest in cyber security that the CFA Institute says some investment professionals have, and you have a recipe for a cyber disaster.

So how do hackers complete their attack?  Here is the answer.

Step 1 – Reconnaissance

Check out social media posts, information about online purchases that you shared, and other public information.  Google yourself and see what shows up.  If you Google me, you will find articles I wrote 20 years ago.  The Internet never forgets.

Given this, a hacker will identify a mark, say a particular high net worth individual.  The hacker will figure out what company or companies the mark is working with, maybe find employees’ LinkedIn profiles.  Maybe find out who the managers are.  Once the hacker has zeroed in on the sucker, he moves on to step 2.

Step 2 – Infiltration

So now we know who the hacker is going to try to attack.  He knows what sites the target visits and maybe he knows that he visits social media at lunch.  He finds out what the target’s interests are – hobbies, charities, sports, etc.

Now he crafts a spear phishing email – called that because it only targets one person.  He buys some domains that look very much like the real domains of the organizations that the target is associated with.

He crafts an email that seems very believable to the target.  Maybe it is a confirmation for a meeting associated with his favorite charity and entices him to click on the link in the email.

At this point, it is all over but the crying.

Step 3 – Escalation

The link the target clicked on delivered a remote access trojan, or RAT.  Now the attacker has control of the target’s PC and can do anything the target can do.  Maybe even capture every keystroke the target types (such as passwords).  If the target is a local administrator, he can change the configuration of the computer.  If the target is a domain administrator, he can do even more, and if he is an enterprise administrator – well, you don’t want to ask.

He can now, for example, find every file of interest on the target’s PC and network shares and send them to Russia.  What do you think the odds are of arresting that hacker in Russia?

Step 4 – Exploitation

Maybe the hacker uses the information to obtain lines of credit and forge identities.  Maybe he sells the data for other people to use.

Maybe he asks for a ransom to get the data back.  Even if the ransom is paid, the attacker may not give back the data.  Ransomware attacks are up over 500% this year.  Because they work.  In fact, the attacker could share the data with the media.  Just for revenge.

This is a very real and relatively easy to execute scenario, and anyone who thinks they are immune from this is likely fooling himself or herself.

There are steps you can take to improve your odds.  Watch what you share on social media.  Don’t use work computers (or PHONES or TABLETS) for personal email and browsing.  Carefully examine what links you click on.  Get educated – hire experts if you need to.
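"Carefully examine what links you click on" is hard to do by eye when the attacker has bought a domain that looks very much like the real one (step 2 above).  As an added example, not code from the original post or from the CFA Institute, here is a small mail-gateway style check that classifies a sender domain or link host against the organisation’s own domains.  It catches three of the common tricks: the real name embedded inside some other domain, characters that look alike (rn for m, 0 for o), and one-letter typos.  The legitimate domains, the homoglyph table and the two-label approximation of a registrable domain are all assumptions of this example; a real deployment would use the public suffix list.

```python
from urllib.parse import urlsplit

# Domains the organisation and its clients legitimately use (constructed).
LEGIT_DOMAINS = {"examplecharity.org", "acme-advisors.com"}

# Substitutions that look alike in many fonts.  Applied before comparison so
# that "exarnple" and "example" collapse to the same string.  The "rn" rule
# runs first so it is not disturbed by the single-character rules.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    d = domain.lower().rstrip(".")
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def registrable(domain):
    """Last two labels of the name.  Simplification for this example: a real
    deployment consults the public suffix list so that e.g. example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance; small values mean a plausible typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, legit=LEGIT_DOMAINS, max_distance=2):
    """Return "trusted", "unknown", or a "lookalike:<reason>" label."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if reg in legit:
        return "trusted"
    # examplecharity.org.secure-login.net: the real name is only a prefix
    if any(real in d for real in legit):
        return "lookalike:embedded"
    norm_reg = normalize(reg)
    if any(norm_reg == normalize(real) for real in legit):
        return "lookalike:homoglyph"
    if any(levenshtein(norm_reg, normalize(real)) <= max_distance for real in legit):
        return "lookalike:typo"
    return "unknown"


def sender_domain(address):
    return address.rsplit("@", 1)[-1]


def link_host(url):
    return urlsplit(url).hostname or ""


if __name__ == "__main__":
    for sample in ["bob@mail.examplecharity.org", "events@exarnplecharity.org",
                   "alice@acme-advisor.com", "news@google.com"]:
        print(sample, "->", classify(sender_domain(sample)))
    print(classify(link_host("https://examplecharity.org.secure-login.net/meeting")))
```

Anything that comes back as a lookalike should be quarantined or at least visibly tagged before the user sees the "meeting confirmation"; the point is to take the decision away from a hurried reader at lunch time.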

This is not a simple problem and there are no simple solutions.  The only solution which is a sure failure is to pretend it is not a problem.

While this post is geared to investment professionals, it really applies to almost everyone.  I recommend you consider the advice.

Remember that if a hacker wants to target a particular high net worth individual, it may well be easier to get to them through their advisors.

Information for this post came from the CFA Institute.

FBI Doesn’t Need Warrant To Hack Your Computer, Court Says

Judge Henry Coke Morgan Jr of the District Court in the Eastern District of Virginia says that the FBI can hack your computer without a warrant.

Judge Morgan said that the defendant  “has no reasonable expectation of privacy in his computer”, in part because the FBI only collected limited information.

The defendant is involved in a child porn case, which does not make him a very likable defendant.

As part of the investigation, the FBI took over a site called Playpen. When they did that, they changed the site so that it downloaded malware onto the computers of any visitors so that they could get information from the user’s computer.

In this case, the FBI actually did get a warrant, but the judge said that they really didn’t need to, because users don’t have an expectation of privacy on the Internet.  According to the judge, the Fourth Amendment does not apply here.

The FBI doesn’t call it hacking, they call it a Network Investigation Technique or NIT, and they could, according to this judge, do that to you or me, without a warrant, suspicion or probable cause and without any judicial oversight.

Of course, whether the malware the FBI placed on some computer did other things – broke the computer, left it open to other hackers, or captured more data than the FBI is entitled to, apparently without a warrant – is less than clear.

Also remember that this malware that the FBI is deploying could be buggy.  How do you know whether the data collected by the malware is even accurate, or came from the computer that the FBI says it did?  After all, the FBI is not disclosing this malware.  There is another motion in this case to disclose this malware, which the judge, apparently, has not ruled on yet.  But you would need more than the malware; you would need the entire chain of custody process, from the user’s computer to the time it was used in court.  Otherwise, what we know is that some data was collected from some computer and stored, and some data, possibly different, was presented in court.  Not very compelling.
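The chain of custody argument above is concrete enough to show in code.  As an added illustration (not from the original post, the court record or the FBI’s tooling), here is the minimal bookkeeping a forensic collection needs if it is to prove that what is presented is what was collected: the evidence is hashed at acquisition, every custody event is written into a log where each entry commits to the previous one, and the presented bytes are checked against the recorded hash.  The evidence bytes, agent names and timestamps are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    """Hash of an entry's fields, excluding its own entry_hash, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only custody record: each entry carries the hash of the previous one."""

    def __init__(self, evidence, acquired_by, source, when):
        self.entries = []
        self.evidence_sha256 = sha256_hex(evidence)
        self._append({"event": "acquired", "by": acquired_by, "source": source,
                      "when": when, "evidence_sha256": self.evidence_sha256})

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(fields, seq=len(self.entries), prev_hash=prev)
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)

    def transfer(self, holder_from, holder_to, when):
        self._append({"event": "transfer", "from": holder_from, "to": holder_to, "when": when})


def verify_chain(entries):
    """True only if every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for seq, entry in enumerate(entries):
        if entry.get("seq") != seq or entry.get("prev_hash") != prev:
            return False
        if entry_digest(entry) != entry.get("entry_hash"):
            return False
        prev = entry["entry_hash"]
    return True


def verify_presented(entries, presented):
    """True if the log is intact and the presented bytes match what was acquired."""
    return verify_chain(entries) and sha256_hex(presented) == entries[0]["evidence_sha256"]


if __name__ == "__main__":
    evidence = b"constructed evidence bytes"          # constructed sample
    log = CustodyLog(evidence, "agent-a", "constructed-host", "2016-01-01T00:00:00Z")
    log.transfer("agent-a", "lab", "2016-01-02T00:00:00Z")
    print(json.dumps(log.entries, indent=2))
    print("intact:", verify_presented(log.entries, evidence))
    print("altered:", verify_presented(log.entries, evidence + b"!"))
```

Note what this does and does not prove: it lets a court detect substitution or alteration after acquisition, which is the gap the post points at, but it says nothing about whether the collection tool read the right data in the first place.  That part still requires the tool itself to be examined.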

It is likely that the judge had little understanding of what he was approving and after all, many people think that people who view child porn  should be locked up and the key thrown away, which is hard to argue with.  But the problem is that once the precedent is created, that logic can be used on any other case.  It is the proverbial slippery slope.

It is not clear whether this defendant has the money to appeal this decision.  Hopefully he will.

Information for this post came from Motherboard.

Psst! Want to Buy A Server? $6 Please

The Russian security firm Kaspersky Labs reported last week that they had found a dark web marketplace selling access to servers – possibly yours and mine – for as little as $6 and as much as $6,000.

The key benefit of these servers is that since they are not actually the hacker’s servers, if they are able to use them in a way that forwards their illegal business, it is going to be hard to trace things back to them.  Obviously, if they access that server (to administer it) from their Comcast Internet connection in their living room, the odds of them getting caught go up.  A lot!

The web site, xDedic, brokers access to these hacked servers.  As of last week, Kaspersky had a list of around 70,000 servers that were available.

This week, a hundred thousand servers got added to that list, making the pool around 170,000.

In the grand scheme of things 170,000 servers is not that many, but xDedic is just one web site.

Interestingly, after the first list was released, Brazil and China were the top two countries for available servers.  After this new list came out this week, the top two countries are the U.S. and the U.K.  In some way, that makes sense, because there are a lot more servers here and the quality of the servers (in terms of performance and capacity) is likely better.

These servers are likely some of the ones used to promote male enhancement drugs and other spam, as well as to deliver malware.

From a business standpoint, if the volume of malicious content being served up by these servers is sufficient, it will gain the attention of groups like the Electronic Crimes Task Force run by the U.S. Secret Service and you may get a knock on the door from the men in black.

While there is some discussion on the ‘net about whether the second list – the one that added the 100,000 additional servers – is legit, no one seems to be arguing whether the first list of 70,000 servers is legit. And at least some news sources are now saying that second list is, in fact, real.

And, as servers are sold in this forum, their IP addresses come off the list, so the 70,000 or 170,000 number may represent only servers that have not been sold yet.  How many servers churn through that web site in a month is unclear.

When hackers use these servers, it is their goal that you can still use it as well.  That gives them cover, so the smart ones will work real hard to make sure that they don’t interrupt your work.  This means that your server could be on the list and you would not even know it.  Not something that any reputable business wants to happen.  How many of these web sites there are selling hijacked access is also unknown.  Based on spam that I see, it is probably a large number.


Information for this post came from Computerworld.

Newsbites: GoToMyPC, Carbonite, DHS and CISA and the FBI

Carbonite: Carbonite sent out an email to all customers to reset their passwords.  They claim that they have not been hacked but that they are seeing a large number of attempts to log in by third parties.

They say that based on their security review, they have no evidence that they have been hacked.

If none of these attempts to get in was successful, then why force millions of people to change their password?  Likely, at least some of these attempts were successful.
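Both the xDedic story above ("your server could be on the list and you would not even know it") and the Carbonite one ("a large number of attempts to log in by third parties") come down to the same question: what does your authentication log say?  As an added example, not code from the original post or from either company, here is a detector that runs over sshd-style log lines and flags the two patterns involved: a successful login from a source address that has never been seen before, and a single address failing many times across many different accounts.  The log lines, the known-address list and the thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not from the page).  Addresses are from
# the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
Jun 20 02:14:01 web1 sshd[1023]: Accepted publickey for deploy from 198.51.100.4 port 51234 ssh2
Jun 20 02:15:10 web1 sshd[1031]: Failed password for invalid user admin from 203.0.113.50 port 40001 ssh2
Jun 20 02:15:11 web1 sshd[1032]: Failed password for root from 203.0.113.50 port 40002 ssh2
Jun 20 02:15:12 web1 sshd[1033]: Failed password for invalid user test from 203.0.113.50 port 40003 ssh2
Jun 20 02:15:13 web1 sshd[1034]: Failed password for invalid user oracle from 203.0.113.50 port 40004 ssh2
Jun 20 02:15:14 web1 sshd[1035]: Failed password for invalid user admin from 203.0.113.50 port 40005 ssh2
Jun 20 02:15:15 web1 sshd[1036]: Failed password for root from 203.0.113.50 port 40006 ssh2
Jun 20 02:40:02 web1 sshd[1101]: Failed password for deploy from 198.51.100.4 port 51300 ssh2
Jun 20 02:40:09 web1 sshd[1102]: Accepted password for deploy from 198.51.100.4 port 51301 ssh2
Jun 20 03:02:44 web1 sshd[1140]: Accepted password for deploy from 203.0.113.77 port 60012 ssh2
"""

# Addresses your administrators normally log in from (constructed allow-list).
KNOWN_SOURCE_IPS = {"198.51.100.4"}

LINE_RE = re.compile(
    r"(Accepted|Failed) (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_log(text):
    """Yield (result, user, source_ip) for every login attempt in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def new_source_logins(events, known_ips):
    """Successful logins from addresses not on the allow-list: the xDedic case."""
    return sorted({(user, ip) for result, user, ip in events
                   if result == "Accepted" and ip not in known_ips})


def credential_guessing_sources(events, min_failures=5, min_users=3):
    """Addresses with many failures spread over many accounts: the Carbonite case.

    The distinct-user threshold separates a guessing campaign from one
    legitimate user who mistyped a password a few times.
    """
    failures = defaultdict(list)
    for result, user, ip in events:
        if result == "Failed":
            failures[ip].append(user)
    return sorted(ip for ip, users in failures.items()
                  if len(users) >= min_failures and len(set(users)) >= min_users)


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print("logins from unknown sources:", new_source_logins(events, KNOWN_SOURCE_IPS))
    print("credential guessing sources:", credential_guessing_sources(events))
```

The first finding is the one a hijacked server shows, and it is also the one that a forced password reset does nothing about: if someone is already logged in from an address you do not recognise, the password is the least of the problem.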

Source: Carbonite web site.

GoToMyPC:  GoToMyPC, a division of Citrix that allows users to remotely access their PCs, is also forcing all of their users to change their passwords.

Apparently so many users decided to do this at the same time that Carbonite had effectively performed a denial of service attack on their own web site.

Citrix provided little additional information about the situation.

Source: BBC News.

Both of these events point to the fact that as hundreds of millions of passwords are compromised every year, users are being forced to up their game.  Some recommendations are:

  1. Use a password manager so that you don’t have to remember all those passwords.  Many of them, such as LastPass, will automatically log you in, making the password step easier.  While this is a security risk in itself, it is likely less of a risk than using simple passwords.
  2. DO NOT reuse passwords across important sites like online backups, banking, email and remote access.  Unique passwords combined with a password manager are not just a best practice, they are a survival tip.
  3. For any important web site, such as banking, Amazon and others, use two factor authentication.  I know it adds an extra step to the login process, but it makes stealing passwords much less useful.
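Recommendation 3 is worth seeing from the inside, because it explains why a stolen password becomes "much less useful": the second factor is a code derived from a secret that never leaves the user’s device and the server, and it changes every 30 seconds.  As an added example (not from the original post, and not any particular vendor’s implementation), here is the time-based one-time password scheme that authenticator apps use, RFC 4226 HOTP under RFC 6238 TOTP, together with the verification logic a server needs: a small tolerance for clock drift, refusal to accept a code that has already been used, and a constant-time comparison.  The reference secret is the one published in the RFCs; `new_secret` is the assumed helper for real enrolment.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Real deployments generate a random secret per user with new_secret().
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes=20):
    """Random shared secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, step=30, digits=6, window=1,
                last_used_counter=None):
    """Check a submitted code.  Returns the matching counter, or None.

    - accepts codes from +/- window steps so a slightly drifted clock still works;
    - refuses any counter <= last_used_counter, so a code that was phished or
      shoulder-surfed cannot be replayed once the real user has used it;
    - compares in constant time so timing does not leak digit matches.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_used_counter is not None and c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    import time
    secret = base64.b32decode(new_secret())
    code = totp(secret, time.time())
    print("current code:", code, "-> counter",
          verify_totp(secret, code, time.time()))
```

The server must persist the returned counter as `last_used_counter` for that user; without that step the scheme still stops an attacker who only has the password, but a code intercepted in the same 30-second window could be used twice.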

DHS and CISA:  DHS released the final rules for the data sharing rules of engagement that were part of the CISA bill that was sneaked into the Defense appropriations bill last year.  The bill created a voluntary system trying to encourage businesses to share threat data with the government.  The system has two automated tools, STIX or Structured Threat Information Exchange and TAXII or Trusted Automated eXchange of Indicator Information to scrub and categorize the data.  Out of the 30 million or so businesses in the United States, so far 30 are using it.  That would be .0001 percent.  I think it is going to need some more users to be effective.  To be fair, it is, pretty much, a new thing and around 70 more companies are planning to participate.
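To make the STIX part of that less abstract: STIX is a JSON format for describing threat information, and an indicator in it carries a pattern (for example an IP address or domain) plus metadata such as a validity window and a confidence score, which is what lets the receiving side "scrub and categorize" automatically.  As an added example (not code from the original post, from DHS or from the STIX project), here is a minimal producer and consumer in the STIX 2.1 object shape: one builds a bundle of indicators, the other turns it into a blocklist while discarding expired and low-confidence entries.  The feed contents, the fixed clock and the confidence threshold are constructed assumptions; the pattern parser handles only simple equality comparisons, not the full pattern language.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (constructed, not a real date).
NOW = datetime(2016, 6, 20, tzinfo=timezone.utc)
STIX_TS = "%Y-%m-%dT%H:%M:%S.%fZ"


def stix_ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern, name, created, confidence, valid_days=30):
    """Minimal STIX 2.1 Indicator object with a STIX pattern and a validity window."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": stix_ts(created),
        "modified": stix_ts(created),
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stix_ts(created),
        "valid_until": stix_ts(created + timedelta(days=valid_days)),
        "confidence": confidence,
    }


def make_bundle(objects):
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


# Matches the simple comparisons inside a pattern, e.g. ipv4-addr:value = '1.2.3.4'.
# Only equality on an unquoted property path is handled; a full STIX pattern
# grammar is out of scope for this example.
OBSERVABLE_RE = re.compile(r"([a-z0-9-]+):([a-z0-9_-]+)\s*=\s*'([^']*)'")


def extract_observables(pattern):
    """Return (object type, property path, value) triples found in a pattern."""
    return OBSERVABLE_RE.findall(pattern)


def consume_bundle(bundle_json, now, min_confidence=50):
    """Turn a bundle into a blocklist, dropping expired or low-confidence indicators."""
    blocklist = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        if "valid_until" in obj:
            until = datetime.strptime(obj["valid_until"], STIX_TS).replace(tzinfo=timezone.utc)
            if until <= now:
                continue
        for otype, _path, value in extract_observables(obj["pattern"]):
            blocklist.setdefault(otype, set()).add(value)
    return {otype: sorted(values) for otype, values in blocklist.items()}


# Constructed sample feed: one current, high-confidence indicator with two
# addresses, one low-confidence domain, and one indicator that has expired.
SAMPLE_BUNDLE = json.dumps(make_bundle([
    make_indicator("[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
                   "constructed C2 addresses", NOW - timedelta(days=2), 80),
    make_indicator("[domain-name:value = 'login-example.invalid']",
                   "constructed low-confidence phishing domain", NOW - timedelta(days=1), 20),
    make_indicator("[ipv4-addr:value = '203.0.113.9']",
                   "constructed stale scanner", NOW - timedelta(days=90), 90),
]))

if __name__ == "__main__":
    print(json.dumps(consume_bundle(SAMPLE_BUNDLE, NOW), indent=2))
```

TAXII is the transport that would deliver such a bundle over HTTPS; the filtering shown here is the part that stops a low-quality or stale feed from turning into a self-inflicted outage when it is loaded into a firewall.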

Source: IAPP.

FBI:  The FBI, by way of those super secret National Security Letters or NSLs, has been asking for the kitchen sink and leaving it up to companies to tell them no.  Big companies with lots of expert attorneys such as Microsoft, Google, Apple and Yahoo, have told them to have a nice day, but small tech companies don’t have an army of lawyers and likely have given the government whatever they asked for.

Michael German, of the Brennan Center said “there’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want.  And it’s all happening in secret.”

The FBI also keeps any data that it is illegal for them to ask for if uninformed companies give it to them.  The DoJ Inspector General said that at least one company turned over email messages including images, which is expressly prohibited in the statute.

Now they (the FBI) are going to have to pick a fight in Congress to get the law changed if they want to get more data from companies and Congress-critters are unlikely to approve that in an election year.

Source: IAPP