Why Do Hackers Break In To Porn Sites?

Hacking, just like all other Internet businesses, is morphing to survive. And to be very clear, hacking is a business.

Before people make funny jokes, no, hackers do NOT  hack into porn sites for the pictures.  They could use stolen credit cards if that was all they wanted.

The porn site Brazzers was hacked, apparently back in 2013, but the data is surfacing now.  The passwords are from a forum part of the site, but the main site and the forum shared userids and passwords, for convenience.

It is important to understand that the fact that the data is surfacing now does not mean that it hasn’t been used for the last three years by the hacker.  It could mean that the hacker got hacked or it could be that this is yet another way to monetize the data.

It is believed that the hacker(s) took advantage of fact that the site was running an old version of vBulletin, the software that users interacted with. There have been other breaches of vBulletin sites such as Grand Theft Auto.

The data taken included names, email addresses and passwords.  The passwords were not encrypted.

So let’s review what we know so far:

  1. The operator of the web site did not think it was important to patch the web site and run the most current version of the web site software to at least make it harder for hackers to break in.
  2. The Operator of the web site did not consider security to be important given that they did not encrypt the user’s passwords.

Ignoring, for the moment (I will get back to it) that this was a porn site, what thoughts come to mind?

The first thought is that this could be any web site that I visit.  How would I know if the web site owner used current software or not and how would I know whether they encrypt passwords?  I need to consider this as I provide data to any web site that I visit.

The second thought is that if the site stores passwords unencrypted (remember, this could be any site) and I reuse passwords between sites, there is nothing to stop the web site owner or a hacker from trying my unencrypted password on any other site to see if it works.  Kind of like testing a key in a lock.  If it works, then bingo.

This is yet one more reason not to reuse passwords.

One easy way to tell that the web site likely stores your password unencrypted is if they send you an email with your password in it after you register (yes, this happens to me regularly and with some seemingly mainstream web sites).  Since email is not secure, this also tells you that they are clueless about security.  The second way to tell is if, when you forget your password, they email your password to you.  Technically they could do both of these if they encrypted the password with a key that they have, but if they did this, it is not much more secure than storing it unencrypted.

Getting back to why hack a porn site, the obvious answer is to extort money from the members.

People, for some unknown reason, sometimes use their work email to register for these sites.  The blackmailer can threaten to tell your boss that you are active on a porn site.  He or she can also threaten to tell a spouse or publicly out you to get a ransom.  Even if the amount of the extortion is small by blackmail standards – $100 per user – that equates to $800 million if every user paid up (which of course, would not happen).  If 10 percent of the users paid, that would be $80 million.

Other possible people to out you to might include your church, your kids school, a public officials constituents and co-workers.

In this case, since this was a forum site, people would be discussing their thoughts about the performers and their activities and actions they might like the performers to do in the future.  This can get pretty warped, pretty fast.  Given the hacker has the userid and password, getting this data is not very hard.  And given the likely warped nature of the conversations, it ups both the likelihood of people paying and the price of silence.

Remember during the Sony hack where those emails surfaced that were not very appropriate.  People lost their jobs.  If an executive at a company was outed regarding his or her porn fantasies, that executive might also be unemployed.  That would definitely be worth more than $100 to bury.

A couple of lessons here –

  • Do not reuse passwords.  You have no clue how diligent the owner of the web site is.  You don’t know if the web site has been hacked and, in many cases, neither does the owner of the web site.
  • If you must participate in shady web sites (and I don’t just mean porn sites, I mean any site that you do not have a high degree of confidence in.  Facebook likely has decent security, but can you say the same about the last web site that you created a userid at – or worse yet, logged in to with your Facebook credentials), create a generic Gmail account (Bob47932@gmail.com) and a unique password so that it is much harder to tie it back to you.  Do not enter your real name and address and if it requires a credit card, use a disposable one available at the grocery store and do not register that card to you.

Information for this post came from BBC, Motherboard and Business Cybersecurity Law.


Three More Hotel Chain Credit Card Breaches

This is getting a bit crazy.  I am thinking about paying cash next time I stay at a hotel.

UPDATE:  The Hutton breach is tied to another breach from last week, HEI Hotels.  The Hutton is managed by HEI.  HEI also manages hotels for Intercontinental, which owns Kimpton.

Also, Noble, which owns Ocean Key, below, is now saying that 10 of its properties were breached, not just the Ocean Key, from Florida to Seattle.

First comes Ocean Key Resort and Spa.  One more time, the hotel did not know that they had been breached until the Secret Service came knocking on the CEO’s door and ruined his day.

They seem to have discovered it pretty quickly – which means, since Ocean Key didn’t know about the breach at all, that the hackers were actively using the cards that they stole.  The time window for the breach was April 26, 2016 to June 8, 2016 – about 6 weeks, but remember that short time window was likely due to the fact that the hackers were actively using the stolen cards and it became easier to figure out the common denominator.

In this breach they are saying that both restaurant and hotel credit card users are at risk – likely because of a common credit card system or lack of isolation between two systems.

The second hotel chain announcing that they have joined the club of hotels that have been breached is the Kimpton chain.  For them, about 50 properties were affected including properties from coast to coast.

Kimpton heard about the breach on July 15th – they did not say how – and started investigating.  The breach ran from February 16 to July 7, 2016, so this one ran longer than the first – about 5 months vs. 6 weeks, but neither of them take the prize; that is reserved for the last hotel in the trio.

Again, the breach affected both front desk and restaurant computers.  I am not sure why we are starting to see the front desk affected more of the time than we were seeing before.

In both of these cases, for many users, they do not have the name of the card owner in order to notify them, so they will not be notifying you.

This means that you are responsible for checking your payment card charges.  Depending on the type of card, you typically have up to 60 days to notify the bank of fraudulent charges by law.  If you notify them after that, it is up to the bank if they want to credit you or not.

The last entry into the club of breached hotels is, in my opinion, the winner.  It is the Hutton Hotel in Nashville.  Their breach also affected both the front desk and the restaurants, but the length of the breach is the breathtaking part.    The food and beverage breach ran from September 19, 2012 to April 16, 2015 or about 30 months.  The front desk breach ran from September 2012 to January 2015 but was reinfected between August 2015 and June 2016 or almost 40 months.

The Hutton breach was a little different in that the hackers were able, apparently, to capture the cardholder’s name as well as the card info;  that may allow them to notify cardholders.

Hutton also said that the breach affected everyone who used a card to reserve rooms or pay their room bill may be affected.

The common theme here is that point of sale systems appear to be way too soft a target for hackers to ignore.

This also means that if you run a POS system, that cyber breach insurance is probably a smart purchase, but make sure that the insurance covers events that started before you bought the insurance.  Given that the Hutton breach was active for almost 4 years, if they bought insurance three years ago, but it didn’t cover exists breaches, they would not get reimbursed.

It also means that you should be asking a lot of questions regarding how your vendor is protecting you and what liability they have if the system is breached.  If the answer is that they are not liable, I would start looking for another vendor.

Information for the Ocean Key breach came from Databreaches.net.

Information on the Kimpton Hotels breach came from Kimpton’s web site.

Information on the Hutton breach came from Softpedia.



Business Email Compromise – A Slightly Different Version

While this column is directed at lawyers, it applies equally well to anyone sending or receiving confidential communications via email and expecting those communications to actually be confidential.

We think of business email compromise  as one of those spear phishing emails that pretend to come from the boss telling you to wire money to China for a secret deal;  well here is a different version with a couple of twists and turns.

In this case, it was a lawyer’s email that was hacked AND the lawyer knew that someone was going after his email.  He had just prevailed in a case and the other side was due to pay $63,000 to his client, through him.

He sent opposing counsel the wiring instructions via email, even though he know that his email was under attack.  He had even discussed the attack with his client, but he did not tell the opposing counsel.

As you probably guessed, the hacker sent  another email to the other attorney with new wiring instructions which needless to say, did not send the money to the prevailing attorney’s client.

There are a number of twists to this settlement – weird ones – you can read the article below if you are interested, but one twist was that the prevailing side was supposed dismiss their case in two days, but the other side didn’t have to pay for 15 days, so fundamentally, the dismissal was not conditioned on the prevailing party getting their money.

Both sides went to court – one side to get the losing side to pay another $63k; the other side to get the prevailing side to dismiss their suit without getting paid.

The court said that the side that paid had behaved reasonably.  That side said that the replacement email even used the typical bad grammar that the prevailing attorney use.

Another interesting aspect of this case is that the prevailing counsel claimed that he had no obligation to tell the opposing counsel that his email had been hacked.  The court and counsel could not find any cases that said that counsel had an obligation to  inform the other side of the breach.

The court decided that, in the absence of law or precedent, common sense prevails (which is interesting in itself) and said that the losing side did not have to pay again and the prevailing side had to dismiss their suit.

For attorneys, it is important to understand what their obligations might be with regard to protecting email between themselves and their client.

The American Bar Association issued a formal opinion in 2011 titled “Duty to Protect the Confidentiality of E-mail Communication with One’s Client” .  ABA opinions don’t carry the force of law, but still I would think that if there was a problem, using an ABA formal ethics opinion might carry some weight either in court or in front of the ethics committee, should a client choose to go there.  The summary of the opinion is this:

“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may
gain access. In the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client lawyer communications via e-mail or other electronic means, using a business device or system under
circumstances where there is a significant risk that the communications will be read by the employer or another third party.”

It seems like you can break this opinion in half.  The first half says that if the attorney thinks there is significant risk of a third party intercepting emails between the client and attorney, the attorney must warn the client of the risk of using that email.

The second part is related to the first – if the client is an employee of a company and the company has the ability to monitor employee email or routinely does monitor employee emails – including ones to the employee’s attorney, that qualifies as a significant risk and the attorney should warn the client.  The opinion goes on to say that this is only one example of a situation where the emails may be intercepted.

The opinion is tied to ABA model ethics rule 1.6(a) which requires a lawyer to refrain from revealing information relating to his or her client.  Comment 16 to that rule says that a lawyer must act competently to safeguard the client’s information and Comment 17 to that rule says that a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.

Back in 1999 the ABA issued opinion 99-413 that said that lawyers could, in general, use email to communicate with clients without violating rule 1.6, but they need to make sure that it was okay with the client.

It is important to remember that the 1999 opinion is 17 years old – pre-Snowden, pre Sony email breach and pre- most of the modern day cyber breaches that we see every day.

This new opinion does not define the terms SUBSTANTIVE, SIGNIFICANT, REASONABLY, ORDINARILY or COMPETENT, which is certainly annoying.  It works both for and against the attorney.  An attorney could argue that they are competent, that the risk wasn’t significant or substantive, but just as easily, the client could argue the other side.

Given the large number of email breaches that we have seen in the last few years, it could certainly be claimed that it is REASONABLE that there is a SIGNIFICANT risk in the eyes of a COMPETENT attorney that email may be compromised and both model ethics clause 1.6 and opinion 11-459 are more recent than the 1999 opinion.  A client could certainly claim if the 1999 opinion was used as a defense, that while that opinion might have been valid in 1999, it likely isn’t today.

Until the legislatures, courts or ABA opine more definitively on the subject, it might be wise for attorneys – and other business professionals handling confidential information – to err on the side of caution and NOT use unencrypted email for confidential communications.

We recommend the use of Absio Dispatch; the low end version of which is free and the enterprise version of which is very reasonably priced.  (full disclosure:  I am one of the founders of Absio and have a stake in the company).


Information for this post came from The Lawyerist.

The ABA Formal Opinion 11-459 can be found here.

Yet Another Reason Why HTTPS is a FAIL!

Merchants want you to believe that HTTPS equals secure.  I keep saying that it doesn’t.  Here is another story for my side of the argument.

First, a little background.  If a web site want to support HTTPS (also known as SSL or TLS), they need to have a certificate.  The certificate is used as part of the process of generating an encryption key for each session.  The owner of the web site buys (or gets one for free) a certificate and depending on the type of certificate, the buyer has to prove, more or less, that they own the domain that they want a certificate for.

Why do they have to prove they own the domain?  Because if they didn’t have to prove they own it, anyone who wanted to could buy a certificate and install it and launch a bogus web site that pretends to be Facebook or Amazon or whoever.

Using the standard methods that certificates use, any certificate authority – and there are hundreds of them – can issue a certificate for your web site.  As long as that certificate authority is trusted by your browser, you will have no clue that the web site that you think is owned by Amazon or Google or whoever is not legit.  You will see the padlock and everything.

To make things worse, under these circumstances, an attacker can even create a bogus Google.Com or Amazon.Com, fool your browser into going to that site (using DNS spoofing or other techniques) and you now think you are at the real Google or Amazon.

Under the way things normally work with certificates, any certificate authority anywhere in the world can issue a certificate for your domain.

On some operating systems/browsers, you can disable which of the hundreds of certificate authorities you want to trust.  That doesn’t solve the problem of a hacker imitating your web site and someone believing it, but it does solve the problem of you trusting sites certified by authorities in say China.

Curiously, it is pretty easy to disable, say, a certificate authority in China on Android but it is literally impossible for you to do this on an iPhone.  This is because Apple’s philosophy is that Apple knows best.  For details on how to do this (it is  pretty geeky) on different environments, check the link below.

SO, now what is the new problem.  The problem is that a Chinese certificate authority, WoSign, had a bug in their software that allowed people to get a certificate for a domain, say Google, if they could show that they could control a sub-domain, say mitch.google.com.  A researcher tested this by using this bug to get a certificate for the popular web site GitHub and also for a Florida University.  When they explained the problem to WoSign, they did revoke the certificate to GitHub, but did not revoke the one to the university.  This is leading some people to speculate that they do not know what certificates they issued.

But remember that your browser trusts WoSign, so even though they are issuing bogus security certificates, your browser will trust them.  If  you are not using an iPhone, at least if you are motivated, you can decide that YOU are not going to trust WoSign, but I doubt very many people will go to that trouble.

Remember I said that WoSign revoked the bogus certificate to GitHub.  Well that is nice, but it turns out, for a variety of reasons, certificate revocation doesn’t actually work.  So while that GitHub certificate is revoked in theory, it may still work in practice.

While I don’t have a better answer for HTTPS, I can say with some confidence it is seriously broken.  There are some possibilities like DNSSEC+DANE or certificate pinning, but very few web sites, in the grand scheme of things, have the ability to do this.

Which is why I keep saying that SSL is broken.  We are giving people the delusion that things are secure, when they are not really very secure.

We really ought to do something about this before some hacker comes up with a really creative way to steal a lot of money.

Information for this post came from The Hacker News.

Information on how to remove the trust for certain certificate authorities can be found at CertSimple’s blog.