Facebook Hack Compromises 50 Million

Ancient Chinese Proverb: May You Live In Interesting Times.

Well welcome to interesting times.

Today, Facebook said that the accounts of 50 million users were compromised.

The hackers compromised the security “tokens” that Facebook uses to authenticate users, not the passwords themselves.  A token is what the site hands your browser or app after you log in so you do not have to re-enter your password on every request; whoever holds a valid token is that user until it expires or is revoked.  Facebook revoked those users’ tokens to stop them from continuing to be used.

Later in the day Facebook said that they revoked another 40 million users’ tokens because they might have been compromised.

Finally, to put a cherry on top of things, Facebook admitted that any site that you log into with your Facebook ID may have been compromised too.

So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites.

Here is why this is interesting.

Hacks are old school. YAWN!

This is the first mega hack after the effective date of GDPR.  Sure, British Airways lost 380,000 credit cards, but this is 50-90 million users on Facebook alone.  We DO NOT KNOW if other sites that share logins were affected, but if they were, this could affect dozens to hundreds of companies and hundreds of millions of accounts.  All of them COULD be fined under GDPR.  If that happens, they will likely sue Facebook.  Of course Facebook’s license agreement with other sites like Tinder and Spotify probably says that they use the software at their own risk, but the courts MAY rule that this is negligence and not covered by that disclaimer, if such a disclaimer even exists.  Would companies like Spotify and AirBnB actually agree to terms like that?  Maybe.  That is why this is such an interesting day.  BTW, my token was apparently hacked, as my login was revoked.  So was Zuck’s.  Karma. 🙂

Remember that fines could go (but likely would not go) as high as 4% of Facebook’s global revenue.

Facebook is already talking to Helen Dixon.  Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands.  I would say, right now, her hands are full.

So what should you do?

Depends on your level of paranoia. 

First, I would change my Facebook password and the password on any other sites that use the same password.  Since we do not THINK that passwords were taken but rather tokens, this is a precaution.

Second, enable two-factor authentication.  Facebook’s two-factor process is really simple.  When you log in you get a pop up on your phone asking if it is you.  If you click yes, you are logged in.

Third – and this is the most painful one – those sites that you log into with your Facebook userid and password – create a local account.  I know.  It is a pain in the ….. but so is having multiple accounts compromised.  Even if they figure out in this case that didn’t happen, what about next time?  Security. Convenience.  Pick one and only one.

Information for this post came from Business Insider.


Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another app that has an undocumented hard coded password.  I have lost track of how many of them they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique – they are just being more honest about it.  Are all the other hardware vendors pure as the driven snow?  NOT LIKELY!

In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard coded ID (maybe used for testing) before the production code was released.

Recently Cisco has removed hard coded credentials from their Linux-based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3).   Source: ZDNet.
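The lesson for anyone shipping software is the one Cisco says it missed: check for leftover test accounts and baked-in credentials before the release leaves the building.  Here is an added example of the kind of pre-release scan that catches them (my own illustration, not Cisco’s tooling; real scanners such as gitleaks or trufflehog carry hundreds of patterns where this has four).  The file names, snippets and the “secrets” in them are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# A few of the common ways credentials end up baked into source or config.
# Assumption: this small pattern set is illustrative, not exhaustive.
PATTERNS = [
    ("assigned-password",
     re.compile(r"""(?i)(pass(word|wd)?|pwd|secret|api[_-]?key)\s*[:=]\s*["']([^"']{4,})["']""")),
    ("basic-auth-url",
     re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@""")),
    ("private-key",
     re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("shadow-hash",
     re.compile(r"^\s*[a-z_][a-z0-9_-]*:\$[156y]\$[^:\s]+", re.M)),
]

# Values that look like secrets but are template variables or obvious placeholders.
PLACEHOLDER = re.compile(r"(?i)^(\$\{.*\}|\{\{.*\}\}|<.*>|changeme|xxx+|\*+)$")


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, finding kind) for each suspected hard-coded credential."""
    findings = set()
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if kind == "assigned-password" and PLACEHOLDER.match(m.group(3)):
                continue  # indirection through the environment or a template, not a real secret
            lineno = text.count("\n", 0, m.start()) + 1
            findings.add((name, lineno, kind))
    return sorted(findings)


def scan_all(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of file name -> contents, as a CI step would over a checkout."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


# Constructed snippets standing in for a release tree; not from any vendor's code.
SAMPLES = {
    "app/settings.py": (
        "DEBUG = False\n"
        'DEFAULT_ADMIN_PASSWORD = "letmein2018"\n'        # the forgotten test account
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'        # fine: read at runtime
    ),
    "deploy/config.yml": (
        'db_url: "postgres://svc:Hunter2@db.internal/app"\n'   # credential inside a URL
        'api_key: "${API_KEY}"\n'                               # template placeholder, ignored
    ),
    "etc/shadow.snapshot": "root:$6$saltsalt$hashhashhash:17800:0:99999:7:::\n",
    "README.md": "Set `password` via the environment; never commit it.\n",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print("%s:%d  %s" % finding)
```

Wire `scan_all` into the build so a non-empty result fails the release, and keep the placeholder allow-list narrow; every pattern you exempt is a place a real secret can hide.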

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents attached to them that are infected.  When the gig worker opens the file to understand if he or she wants to bid on the gig, his or her computer is infected.  MAYBE the gig worker’s anti-virus software will catch it, but if the documents are crafted just slightly differently for each attack, signature-based AV software will be blind to them.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Lets compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850,000 records.

Private right of action up to $750 per user without showing damage.  Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for malicious non-compliance.  $7,500 (treble damages since the cover up was willful) x 2.85 million = $21.375 billion.

WORST CASE = A little over $22 BILLION.

BEST CASE (Maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOS 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the pair (new phone plus new software) has been hacked.

To be fair, Pangu Team, the group that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie .


Open Source – The New Attack Vector

There are people who think open source is the holy grail of software.  I am not one of them.  Apparently hackers agree with me.  So does the Department of Defense.  They have even coined a term – SCRM or Supply Chain Risk Management.

Bottom line, developers need to understand that there is a war out there and they are the target.  Sonatype, the open source tools and governance company, says that the use of vulnerable open source components is up by 120% over the last 12 months.

Sonatype estimates that there are 1.3 million – yes, million – vulnerabilities in open source software components that are not recorded in the National Vulnerability Database managed by NIST.

Sonatype estimates that the average enterprise downloads 170,000 source components a year of which possibly 1 out of 8 of those have some form of vulnerability.  Sometimes those vulnerabilities get exploited in as little as 3 days.

Developers are still downloading vulnerable versions of Apache Struts (as in Equifax breach).  About 80,000 times every month.

Downloads of a vulnerable version of the Spring Framework were around 85,000 a month last year;  this year they are still 72,000 a month.

To add insult to injury, hackers are starting to inject vulnerabilities directly into some open source packages.  Done cleverly, such a logic bomb might never be discovered.

Point is, still a HUGE problem.

So what do you need to do?

#1 – Admit that open source software is far from bug free – even hugely popular packages like Apache Struts.

#2 – Create a SCRM program.  The larger the open source software package is, the more difficult it is to make sure that it is safe.  

#3 – Consider using automated tools to detect vulnerabilities.  Some of the tools are free and others are very expensive, and all of them change the development process.  Some of them are built into the software tools that developers are already using.

#4 – Create a process for finding out about patch availability.  Unfortunately, except for the most popular open source packages, many are rarely or never patched, so you are pretty much on your own.

#5 – Treat open source packages just like code you develop when it comes to code reviews and testing.  The only difference is that you can’t influence the development process.
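Here is an added example of the simplest form of the automated check that #3 and #4 call for: a manifest of dependencies compared against a table of advisories, flagging the Struts and Spring builds the article says people are still downloading (my own illustration, not Sonatype’s product or anything from The Register).  The dependency list is constructed; the advisory table is copied by hand from the public CVE entries as best I recall them, and in practice you feed it from the NVD or a vendor feed rather than typing it in, so verify the ranges before relying on them.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Advisory table: artifact -> [(CVE id, [(first affected, last affected), ...])].
# Assumption: hand-entered for illustration; source it from the NVD in real use.
ADVISORIES = {
    "org.apache.struts:struts2-core": [
        ("CVE-2017-5638", [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]),   # the Equifax bug
        ("CVE-2018-11776", [("2.3", "2.3.34"), ("2.5", "2.5.16")]),
    ],
    "org.springframework:spring-messaging": [
        ("CVE-2018-1270", [("4.3", "4.3.14"), ("5.0", "5.0.4")]),
    ],
}


def parse_version(text: str) -> Version:
    """'2.5.10' -> (2, 5, 10); non-numeric tails such as '.RELEASE' or '-jre' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def in_range(v: Version, low: Version, high: Version) -> bool:
    """Inclusive comparison with missing components treated as zero, so 2.5 <= 2.5.0."""
    n = max(len(v), len(low), len(high))

    def pad(t: Version) -> Version:
        return t + (0,) * (n - len(t))

    return pad(low) <= pad(v) <= pad(high)


def check_dependencies(deps: List[str]) -> Dict[str, List[str]]:
    """deps are 'group:artifact:version' coordinates; returns coordinate -> CVE ids covering it."""
    report = {}
    for dep in deps:
        group, artifact, version = dep.split(":")
        v = parse_version(version)
        hits = [
            cve for cve, ranges in ADVISORIES.get("%s:%s" % (group, artifact), [])
            if any(in_range(v, parse_version(lo), parse_version(hi)) for lo, hi in ranges)
        ]
        if hits:
            report[dep] = hits
    return report


# Constructed manifest, the kind of thing a build tool resolves for a project.
MANIFEST = [
    "org.apache.struts:struts2-core:2.5.10",
    "org.apache.struts:struts2-core:2.5.17",
    "org.springframework:spring-messaging:4.3.14.RELEASE",
    "org.springframework:spring-messaging:5.0.5.RELEASE",
    "com.google.guava:guava:26.0-jre",
]

if __name__ == "__main__":
    for dep, cves in check_dependencies(MANIFEST).items():
        print(dep, "->", ", ".join(cves))
```

Run this in CI and fail the build on any hit; the hard part in practice is not the comparison but keeping the advisory table fresh, which is exactly the process #4 asks you to create.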

Information for this post came from The Register.


Credit Card Theft Continues to Rise

The hackers seem to be winning.

One solution I have advocated for over the last many years to reduce credit card fraud is a technique called credit card tokenization.  When a merchant accepts a credit card, that card information is immediately tokenized and that token is all that the merchant keeps.  If they need to rerun the credit card, say for a monthly recurring charge, they present that token to their payment processor and they get paid.  If hackers steal the tokens, it does them no good because those tokens can be locked down to that merchant or even to that server.
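To show why a tokenized merchant database is worthless to a thief, here is an added example of the scheme described above in miniature (my own illustration, not any processor’s or Newegg’s code).  The vault stands in for the payment processor, the merchant keeps only tokens, and a token presented by a different merchant is refused.  The merchant names are constructed and the card number is the standard 4111… test number, not a real card.

```python
import secrets
from typing import Dict, Optional, Tuple


def luhn_ok(pan: str) -> bool:
    """Luhn check so the vault rejects obviously malformed card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the payment processor's vault: the only place a PAN is stored."""

    def __init__(self) -> None:
        self._cards: Dict[str, Tuple[str, str]] = {}  # token -> (pan, merchant bound to it)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)   # random: carries no information about the PAN
        self._cards[token] = (pan, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> Optional[str]:
        """Return an authorization id, or None if the token is unknown or bound to another merchant."""
        entry = self._cards.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        pan, _ = entry
        # The PAN is used here, inside the vault, and never handed back to the merchant.
        return "auth_%s_%d" % (pan[-4:], amount_cents)


class Merchant:
    """Keeps only tokens; a dump of this database yields nothing chargeable elsewhere."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.id = merchant_id
        self.vault = vault
        self.customers: Dict[str, str] = {}   # customer -> token

    def save_card(self, customer: str, pan: str) -> None:
        self.customers[customer] = self.vault.tokenize(pan, self.id)

    def bill(self, customer: str, amount_cents: int) -> Optional[str]:
        return self.vault.charge(self.customers[customer], self.id, amount_cents)


def demo() -> dict:
    vault = TokenVault()
    shop = Merchant("shop-a", vault)          # constructed merchant ids
    other = Merchant("shop-b", vault)
    shop.save_card("alice", "4111111111111111")   # constructed test PAN
    stolen_token = shop.customers["alice"]         # what an attacker gets from shop-a's database
    return {
        "merchant_can_rebill": shop.bill("alice", 999) is not None,
        "token_reveals_pan": "4111111111111111" in stolen_token,
        "thief_at_other_merchant": vault.charge(stolen_token, other.id, 999) is not None,
    }
```

The caveat that matters for the rest of this post: tokenization protects what the merchant stores.  A skimmer running in the customer’s browser reads the card number before it ever reaches the vault, which is precisely the gap Magecart exploits.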

So the hackers innovate, even though the vast majority of merchants don’t tokenize.

They slip a tiny bit of code (15 lines) into a library that MANY merchants use and it watches for a credit card passing through.  They grab the card info before it is encrypted and before it is tokenized.

Since online transactions do not take advantage of chip technology (yet), this card information can be used in other online environments.

This week’s announcement is Newegg.com, a computer hardware and software seller.  The hackers ran wild from mid August to mid September.  The malware is called Magecart.

This is the same malware that attacked Ticketmaster and also British Airways.

Along with thousands of other sites.

So What do you do?

If you are a merchant, you have to deal with the lack of security on your web server, and in your build and deployment pipeline, that could allow a bad guy to install Magecart, since the skimmer is buried inside other software that you use as part of your development.  Eliminating this is part of what the DoD calls SCRM or Supply Chain Risk Management.  Not easy, but absolutely required.

If you buy things online, you can protect yourself by shopping locally.  🙂

Sure.  That is not gonna happen.

But there are a couple of things you can do.

Sign up for text alerts from your bank or credit card company so that you get notified EVERY time you card gets used.  In real time.  That way, at least, you can kill the card before even the first transaction clears.

Second, you can use one of the vendors that issue single-use credit card numbers.  The biggest issuer that does this that I am aware of is Capital One.  Their service, called ENO (one spelled backwards), includes a browser plugin that automatically issues disposable card numbers that are uniquely tied to a single merchant.  If the number is stolen, it can’t be used at a different merchant, and while that card number is tied to your actual card, the actual card number is never exposed, so if that one site is hacked, only that card number has to be replaced, not every one.  And, since they have a browser plugin, the process is pretty simple to use.

The last option I have is to use prepaid cards.  Most banks offer them.  Chase calls theirs Chase Liquid, for example.  Sometimes the bank charges a few bucks a month for the service, but often you can get them to waive that.  That card is tied to your online userid but the account does not draw from any other account.  If you, for example, leave $100 in that account, that is the max the bad guys will get and you will be reimbursed by the bank if the charge is unauthorized.  The challenge is that you have to manage having exactly the right amount of money in that account, so the Capital One strategy is a lot easier.

Information for this post came from The Hacker News.


Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your i-device with just 15 lines of code.  The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use.  Anything that renders HTML on iOS is affected.  That means anyone sending you a link on Facebook or Twitter, any webpage you visit that includes the code, or anyone sending you an email can trigger it.  TechCrunch tested the exploit on the most recent mobile software, iOS 11.4.1, and confirmed it crashes and restarts the phone.  Source:  Techcrunch

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC net neutrality policy said that California’s new bill replacing that repealed FCC policy is illegal.   Why?  Because, he says, that it is preempted by Federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk at a conservative think tank in Portland, Maine.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently, he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you if you use their service or use a service that has paid them a lot of money, but does charge you to use a service who has not written them a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source:  Motherboard

Another Day, Another Crypto Currency Exchange Hacked

Japanese crypto currency exchange Zaif was hacked to the tune of $60 Million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange;  the rest owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that they will compensate users who lost $40 million or so and have sold the majority of the company for 5 billion yen (roughly the amount of money not owned by them that was stolen).

Assuming that deal actually closes, they figure out how the attack happened and fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the mean time, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious logins per month between January and April and over 8 billion malicious logins during May and June at sites that they front end.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48 hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source:  Help Net Security.
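The tell for credential stuffing in a login log is not failed logins per account, which ordinary users produce all day, but one source trying many different accounts in a short window with almost all of them failing.  Here is an added example of that detection over a handful of log lines (my own illustration, not Akamai’s product; the log format, addresses and user names are constructed for the demo).  The successes inside a flagged burst are the accounts whose reused passwords just got confirmed, and those are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict

# Constructed sample lines in the shape of an auth-server log; not real bank or Akamai data.
SAMPLE_LOG = """\
2018-09-20T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2018-09-20T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2018-09-20T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2018-09-20T10:00:02Z ip=203.0.113.7 user=dave result=SUCCESS
2018-09-20T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2018-09-20T10:00:03Z ip=203.0.113.7 user=frank result=FAIL
2018-09-20T10:00:04Z ip=203.0.113.7 user=grace result=FAIL
2018-09-20T10:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2018-09-20T10:00:05Z ip=203.0.113.7 user=ivan result=FAIL
2018-09-20T10:00:05Z ip=203.0.113.7 user=judy result=FAIL
2018-09-20T10:01:00Z ip=198.51.100.9 user=alice result=FAIL
2018-09-20T10:01:20Z ip=198.51.100.9 user=alice result=FAIL
2018-09-20T10:01:45Z ip=198.51.100.9 user=alice result=SUCCESS
2018-09-20T11:30:00Z ip=192.0.2.44 user=mallory result=SUCCESS
"""

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def detect_stuffing(log: str, window: timedelta = timedelta(minutes=5),
                    min_users: int = 8, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that try many distinct usernames in one window, mostly failing.

    A user fat-fingering a password hits one account from one IP; a stuffing bot
    sprays one leaked password per account, so distinct usernames per IP is the tell.
    """
    events = defaultdict(list)  # ip -> [(time, user, success)]
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate lines in another format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["ip"]].append((ts, m["user"], m["result"] == "SUCCESS"))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    # successes inside the burst: reused passwords that just got confirmed
                    "compromised": sorted(u for _, u, ok in span if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately conservative for a demo; on a real bank’s traffic you would tune `min_users` and the window per endpoint, and the same logic applied per /24 or per ASN catches the attacker who rotates through a proxy pool rather than a single address.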


So What Are You Gonna Do – Sue Them?

A security researcher has found, he thinks, years worth of customer data available on Craigslist.  Not exactly the dark web.

The servers were from bankrupt computer store chain NCIX.  The seller had, supposedly, hundreds of servers that were in storage.  The storage company owner was selling the servers after NCIX did not pay their storage bill.

Add to that hundreds of hard drives.

None of this data was encrypted.

Also note that this story wasn’t verified, but we hear stories like this all the time, so even if this one isn’t true, the problem is still real.

This particular seller, according to the story, wasn’t necessarily a complete crook, but he was willing to get money any way he could.  What if you had a sophisticated crook?  Although we do see this stuff on Craigslist all the time – no doubt sold by clueless people.

In theory people should remove data or wipe encryption keys, but we hear story after story like this.

In the case of this bankrupt retailer who is no longer in business, well, it would probably be hard to prove who did what and even harder to sue them.

For responsible businesses —

You should make sure that there is no data still accessible before you dispose of your computers.  And phones.  And tablets.  And COPIERS (BIG, BIG problem).

Alternatively, remove the hard drives and destroy them. While (assuming you are in a place where this is legal) taking them out back and  putting a few .30-06 rounds into them is fun (and will make them pretty difficult to extract data from unless you are the CIA), many paper recyclers like Iron Mountain will literally shred them for $5 in volume.  That is fun to watch.  I have done it many times.

Many companies will give used hardware to their employees.  This is a particular case to make sure there is no data left, because your employees will likely know the people whose data might be on those devices.

All this requires is a little care and business process.

Information for this post came from ZDNet.
