Breach Exposes 58 Million. Or is it 260 Million?

Once again an open source database, MongoDB, is at the center of a huge breach.  But it isn't Mongo's fault.  The database wasn't configured correctly.  Human error, one more time.
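The post does not say which setting was wrong at Modern.  The two settings that, together, turn a MongoDB server into a public download site are binding to every network interface and running without authorization (MongoDB versions before 3.6 bound to all interfaces by default, so an install that never touched the config was already exposed).  The following is an added example, my own code rather than anything from the post or from Modern: a constructed weak mongod.conf next to a hardened one, and a small checker that flags the weak one.  The file contents, the check and the function names are assumptions, not Modern's configuration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed mongod.conf fragments (examples, not Modern Business Solutions' config).
// Weak: listens on every interface with no access control, the failure mode
// behind open-MongoDB leaks.
const weakConf = `storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
`

// Hardened: loopback only and authorization required.
const hardenedConf = `storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
`

// lookup returns the value of a two-level "section:\n  key: value" entry in a
// YAML-style mongod.conf. It is deliberately minimal (no YAML library) and only
// handles the flat layout mongod ships by default.
func lookup(conf, section, key string) (string, bool) {
	inSection := false
	for _, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(raw, " ") { // unindented: a top-level section name
			inSection = line == section+":"
			continue
		}
		if !inSection {
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		if ok && k == key {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

// Findings lists the ways a config leaves the database open to anyone who can
// reach the port; an empty result means both checks passed.
func Findings(conf string) []string {
	var out []string
	bind, ok := lookup(conf, "net", "bindIp")
	if !ok {
		// Before MongoDB 3.6 an absent bindIp meant "all interfaces".
		out = append(out, "bindIp not set: pre-3.6 mongod listens on all interfaces")
	} else {
		for _, ip := range strings.Split(bind, ",") {
			ip = strings.TrimSpace(ip)
			if ip == "0.0.0.0" || ip == "::" {
				out = append(out, "bindIp "+ip+": listens on every interface")
			}
		}
	}
	if auth, ok := lookup(conf, "security", "authorization"); !ok || auth != "enabled" {
		out = append(out, "security.authorization not enabled: any client that connects can read every collection")
	}
	return out
}

func main() {
	for name, c := range map[string]string{"weak": weakConf, "hardened": hardenedConf} {
		fmt.Printf("%s: %v\n", name, Findings(c))
	}
}
```

Binding to loopback is the right default for a database that only its own application server talks to; if the application runs elsewhere, bind to that private interface and put a firewall rule in front of port 27017 as well, since authorization alone still lets the world hammer the login.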

OK, what are the details?  And is it almost 60 million or 260 million?

Modern Business Solutions apparently provides data storage services, although they have refused to comment on the breach.

The names, email addresses, birth dates, vehicle data and other information for at least 58 million subscribers were taken and posted.  The data was removed, reposted, removed again and reposted again.

After the researchers contacted Modern, the database was secured.

While the 58 million records were publicly posted, the hacker – or researcher – who originally posted a pointer to the leaked data said there was another table exposed that contained 258 million records.

Since the database has now been secured better, it is not possible to validate that this additional table was exposed.

Interestingly, the disclosure itself may have been an accident.  The Twitter user who revealed the leak – or breach – appears to have posted a public tweet instead of sending a private message.

How long was this data exposed?  We don’t know since Modern is not saying.  It could have been hours.  Or it could have been years.

How many people knew about it?  Again, not clear.

What fields were in the bigger table – the one with 260 million records?  Again, we don’t know.

Apparently, whoever’s database it is feels that this doesn’t qualify as a breach that is required to be disclosed.

So what do you do?  Unfortunately, all you can do is keep your antennae up.  Unless the folks at Modern decide that they really do have a breach that they have to disclose.

OR, some state or national law enforcement agency decides that they need to fess up.

Stay tuned.


Information for this post came from ARS Technica.


Spying on You For Fun, But Mostly For Profit

We often tell you about web sites that use your data and sometimes in ways that you don’t expect, but usually it is to sell it to advertisers.

However, apparently, AT&T has created a new revenue stream.

AT&T calls the program Project Hemisphere.

Hemisphere is a program which allows law enforcement to search AT&T call records – not because of a warrant – but for a fee.

Harris County, home of Houston, paid AT&T $77,000 in 2007 and $940,000 four years later.  Sounds a bit like a drug dealer.  Get the addict hooked and then jack up the price by a factor of ten.

There are roughly 3,000 counties in the U.S. plus several times that many cities, not to mention state governments.  If every one of them paid AT&T a million dollars a year – which of course they are not – that is a lot of money.

How much money?  We have no idea because AT&T isn’t telling.

Normally companies share data with law enforcement when they are legally compelled to.

In this case, AT&T has turned it into a product line and profit center.  And since law enforcement is buying a service from AT&T, they don’t have to worry about convincing a judge that there is probable cause in order to get a search warrant.  An administrative subpoena is just fine.

While AT&T would be required to comply with an administrative subpoena, they are not required to develop software to slice and dice the data and provide that information.

In case you were wondering whether AT&T thought this product offering was sleazy, they did.  AT&T required the government agencies to agree not to use the data in any judicial or even administrative proceeding unless there is no other available and admissible probative evidence.  In other words, if it got out that AT&T was analyzing and aggregating data and then selling it to the government, customers might leave.

In support of this service, AT&T has retained cell phone data back to 2008 – eight years.  By comparison, Verizon keeps its data for a year and Sprint keeps its for 18 months.

AT&T saves call data, text message data, Skype chat data, and other communications, in some cases back to 1987 – almost 30 years.

That seems like a bit more than what is “required”.

Now that this is out, people may start voting with their checkbooks.

Information for this post came from The Daily Beast.

Please Send Your Personal Information – Via Email

You would think after all the stories about data breaches that companies would not be asking you for your personal information via email.

As long as people will do it, companies will ask.  After all, it is easy and when easy fights with secure, easy almost always wins.

In the source article for this post (see below), companies were asking for copies of credit cards, passports and driver’s licenses via email.  Since the people they were asking worked for a security consulting firm, they said no, but that is a drop in the bucket compared to all the people who say yes.

Since email is (almost always) not encrypted end to end, and you have no control over what happens to it once it arrives, providing your sensitive personal information via email puts you at higher risk of identity theft.

You could type the email address incorrectly or the requester could provide the wrong address.  In addition, there may be many places along the route that email travels where it could be exposed.

Of course there could also be a rogue employee who decides to keep your information.

It is also likely that a company that engages in the questionable practice of asking for sensitive information via email engages in other poor cyber security practices.

It would also seem that storing that information in email likely breaks many state privacy laws that require that non-public personal information be encrypted in storage.

However, as long as people keep sending that information, companies will continue to ask for it.

Even financial services firms like mortgage companies and accountants may ask for your information via email.

Just don’t do it.  Tell them that you are not comfortable providing your information that way.  Ask them for a more secure method.  YOU are actually in control.

If enough people vote with their feet and their pocketbooks (like former Yahoo customers who are leaving due to the breach and other privacy issues), then companies will get the message.

Unless the FTC explains the issue to them first, of course.  They do frown on the practice, but they haven’t filed suit against anyone yet, as far as I am aware.

Information for this post came from Risk Based Security.

The Insecurity of Email

While everyone has heard about the DNC and DCCC hacks and the hack of the Hillary Clinton campaign emails, there was another recent email hack – at .

The attack was not to obtain credit cards, nor was it to steal customer lists or the sales forecast.

This time the hacker wanted to know what the board was up to.  Like most boards in the country, Salesforce’s board communicated via email.

In this case, the board member whose email was hacked was none other than Colin Powell.

What we do know was in those emails is a board presentation.  The presentation was about acquisition targets – LinkedIn (code name Burgundy), ServiceNow (code name Sonoma), Tableau (code name Tuscany) and Demandware (code name Champagne).  Salesforce bid on LinkedIn but lost to Microsoft.

Also in the presentation was a list of potential competitors: HP, IBM, Oracle, Apple, Facebook and others.

In this case, perhaps, the revelation of the board presentation wasn’t fatal to Salesforce, LinkedIn or Microsoft, but consider this.

What if the attacker used the information to play the market?  Or sold it to someone who would?  Unlike the attack against Dyn last week, if someone did that people could still get to Twitter, so the world would still be fine.

But someone could get rich.  They could sell that information many times and never trade on it personally.  That would make it much harder to trace back to the hacker.  The hacker might not even be in the U.S.

But ponder this.

What ELSE was in Colin Powell’s email?

Likely, his email was not limited to one board presentation.  Or even his board work for one company.

He is or was on the board of Revolution Health, the Council on Foreign Relations and, of course, Salesforce.

He probably also advises other companies on a wide variety of matters.

Likely all in the hands of a hacker.

Nowadays, people use email as a filing cabinet.  Powell’s email may go back years or possibly, even decades.

What other interesting stuff might be in there?

Because people value convenience over security, those years of email are all stored on some ISP’s server.  Get Powell’s password, log on from anywhere in the world and J.A.C.K.P.O.T.!

There are ways to make things much more secure, such as end-to-end email encryption.  Break into the ISP and what you get is ciphertext, because the key that unlocks the messages never left the recipient’s device.  Combine that with two-factor authentication and things are definitely harder for the hacker.  But not as convenient for you.
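To make the “gibberish” concrete, here is an added example of the shape of end-to-end email encryption, written for this post in Go’s standard library; it is my code, not anything Powell’s provider or any real mail system runs.  It is hybrid encryption: a fresh AES-256-GCM key per message, wrapped with RSA-OAEP to the recipient’s public key, so the provider stores only the envelope.  PGP and S/MIME differ in wire format and key management; the key size, the sample memo text and the function names are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything the mail provider stores for one message. None of
// it is readable without the recipient's private key.
type Envelope struct {
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, random per message
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// Seal is the sender's side: generate a fresh content key, encrypt the body
// with AES-GCM, then wrap the content key with the recipient's public key.
func Seal(recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open is the recipient's side. It needs the private key, which stays on the
// recipient's device, so a stolen mailbox password alone yields only the Envelope.
// GCM also verifies the tag, so a tampered message fails instead of decrypting to garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip models the scenario in the post: the recipient has a keypair, the
// sender seals a message to it, the provider stores the Envelope, and the
// recipient opens it. It returns what the provider held and what the recipient read.
func RoundTrip(body []byte) (*Envelope, []byte, error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	env, err := Seal(&recipient.PublicKey, body)
	if err != nil {
		return nil, nil, err
	}
	plain, err := Open(recipient, env)
	if err != nil {
		return nil, nil, err
	}
	return env, plain, nil
}

// OpensWithOtherKey reports whether an Envelope opens under a key it was not
// sealed to. It should always be false: OAEP unwrapping fails under the wrong key.
func OpensWithOtherKey(env *Envelope) bool {
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false
	}
	_, err = Open(other, env)
	return err == nil
}

func main() {
	// Constructed sample message; not the contents of any real board deck.
	memo := []byte("Board deck: candidate acquisition targets, code names only")
	env, plain, err := RoundTrip(memo)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stored %d ciphertext bytes; recipient read %q; other key opens it: %v\n",
		len(env.Ciphertext), plain, OpensWithOtherKey(env))
}
```

The inconvenience the post mentions lives in the parts this example skips: distributing and verifying recipients’ public keys, and keeping private keys on every device a person reads mail from without ever copying them to the provider.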

If you are in a position where you are a party to sensitive, confidential information, you should rethink the idea of traditional email as a communication vehicle.

But understand that things may be somewhat less convenient.

Security.  Convenience.  Be the next Colin Powell.  Your choice.

Information for this post came from The Street.

IoT Maker Says It Will Recall; China Says it Will Sue Journalists

Maybe a little good will come from the day the Internet died last week.  And maybe, also, a little bad.

To very briefly recap, attackers using Mirai – malware whose source code has since been posted publicly – attacked Dyn’s servers.  Dyn provides DNS services to the likes of Twitter, Amazon and hundreds of other companies.  The attack didn’t touch those companies’ own servers, but it stopped users from resolving their names and reaching them – effectively producing a complete outage.

Akamai and Flashpoint have said that infected IoT devices were a large part of the attack – because people don’t patch their refrigerators and don’t change the refrigerator’s default password.

In this case, the Chinese company XiongMai Technologies or XM makes circuit boards for DVRs and IP cameras for lots of other companies.  The default password, in some cases hard coded into the device and impossible for the user to change, is static and well known.  Hence the attack.

XM released a statement which, in part, read “XM have to admit that our products also suffered from hacker’s break-in and illegal use”.

XM said it would be issuing a recall on millions of devices, but XM doesn’t know who owns the devices that their circuit boards were put into.  In fact, in many cases, the company that sold the finished product has no clue who owns those products.

The result of this is that most of these products will never be replaced or fixed.

XM did say that it made two important changes late last year.  One is to turn off Telnet, the service this particular malware used to attack the devices, and the other is to make users change the default password when they first power up the devices.

99+% of the users who buy these devices have no clue what Telnet is, no clue how to figure out whether it is on or off for a particular device and no clue how to fix it – if that is even possible.  Nor do they know how to patch their DVR or cameras.

Which means that this problem isn’t going away any time soon.

Also remember that this attack used these devices and this technique.  Since there are billions of IoT devices, next month it will be a different device and a different technique.  This is kind of like a game of whack-a-mole.

In the meantime, the Chinese Ministry of Justice threatened journalists who reported on the story for issuing “false statements”.

Google translate, which apparently doesn’t deal with grammar well, reported their statement, in part, as “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

The good news, besides getting attention for the problem and getting at least one company to do a recall and issue patches, is that this apparently scared the poop out of the Department of Homeland Security.  While last week’s attack was on Twitter (and others), the next attack could be against the power grid, the DoD or maybe even something important.

The Department of Homeland Security has issued some contracts in the past year to companies working to thwart DDoS attacks and this event is likely to spur more contracts.

What we need to do is find a way to identify these tens of millions of infected systems and get them cleaned up or turned off.  THAT is not a simple task.

Then we need to get vendors to stop implementing the least possible security.  If product liability laws were extended to cover these types of events, or if the Consumer Product Safety Commission could issue mandatory recalls in cases like this, the cost of poor security would move back to the vendors, motivating them to do better.  Unfortunately, I don’t think either of these will happen any time soon.

Information for this post came from Krebs on Security.

Your Tweets Could Affect Your Insurance Rates

While the big data vs. insurance rates battle is in its infancy, that does not mean that insurers don’t have plans.  They do.

Some are already using data from consumers to affect rates.  Some insurers say that the data that consumers give them could lower rates and SOME insurers say that the data won’t be used to raise rates.  Since this is still in its infancy, don’t count on those statements for much.

Swiss Re, one of the biggest reinsurers (the insurance companies’ insurance company) just bought . is currently allowing consumers to aggregate data in their system .  That data will be shared with businesses to give consumers targeted ads and discounts.  At least for now.

Discovery’s Vitality program collects diet, exercise and other information.  Make the “right” choices and you might get a premium discount or cash back.  Make the wrong choices and…

Allstate’s Drivewise gives discounts to drivers who install a gizmo in their car that sends driving data to Allstate – if they drive “appropriately”.  That is only a short step from penalizing you if you drive like Mario Andretti.

They could also use people’s public social media posts to affect rates too.  Have a salad for dinner and get discount points.  Have a burger and beer and your rates go up.

Refuse to share data and maybe you can’t get insurance at any price.

There are very few laws in the United States that control what insurance companies can do with “public” data or even data that they buy from the likes of R.L. Polk (owned by IHS now), A.C. Nielsen and others, each of which have data on tens of millions of people.

Also remember that the Internet never forgets.  Even if you improve your behavior, that data is still there in those databases.  Articles that I wrote in the 1990s are available.

And with things like smart TVs and smart refrigerators, what you eat and what you watch might affect your ability to get insurance.  Or your rates.

This is complete conjecture at this point but I sure wouldn’t rule it out.

Information for this post came from Reuters.