Category Archives: Best Practices

Hacker Selling Almost a Billion Hacked User Records

A Pakistani hacker who last week put up 600 million hacked accounts for sale has added another hundred-million-plus records to the pile.

The first batch included 617 million records from 16 hacked sites —

  • Dubsmash – 162 million accounts
  • My FitnessPal – 151 million accounts
  • MyHeritage – 92 million
  • ShareThis – 41 million
  • HauteLook – 28 million
  • Animoto – 25 million
  • EyeEm – 22 million
  • 8Fit – 20 million
  • WhitePages – 18 million
  • Fotolog – 16 million
  • 500px – 15 million
  • Armor Games – 11 million
  • Bookmate – 8 million
  • CoffeeMeetsBagel – 6 million
  • Artsy – 1 million
  • DataCamp – 700 thousand

Several of these sites have admitted they were hacked; none has denied it.

The 600 million record package is selling for about $20,000.

The new batch of 127 million records includes

  • Houzz – 57 million
  • YouNow – 40 million
  • Ixigo – 18 million
  • Stronghold Kingdom – 5 million
  • Roll20.net – 4 million
  • Ge.tt – 1.83 million
  • Petflow and vBulletin forum – 1.5 million
  • Coinmama – 420 thousand

Only Houzz on this second list has confirmed that they were hacked.

So what does this mean for you?

First off, if you are using the same password on multiple sites, you should stop that practice right away.  It is just too dangerous.

Second, if you are not using two-factor authentication, you just need to suck it up and get over it.

The days of passwords alone as a reasonable login authentication means are over and will likely never return.

And, obviously, if you have accounts, even little used accounts, on any of these sites, change your passwords there immediately.  IF YOU USED THE PASSWORD ON ANY OF THESE SITES ELSEWHERE, YOU HAVE TO CHANGE THOSE PASSWORDS TOO.

And, if you are a web site operator and you are storing passwords, consider your security.  If you have not had an expert try to hack your site recently (as in, say, the last 6 months), you probably need to do that.

The brand damage to these sites will be big.

Information for this post came from The Hacker News.


Security News Bites for the Week Ending February 15, 2019

Anybody Know What 5G Cellular Means?

5G is the next generation of cellular, promising blindingly fast service and web page loads in the blink of an eye.

Unfortunately, it doesn’t really exist yet.  Yes, a few carriers have set up a few cell sites in a few cities, but there are basically NO phones that are 5G capable at this time.  Apple should launch one in 2020.

5G will also require a LOT more cell sites that don’t exist and that most people don’t want in their backyard.

What this means in reality is that 5G won’t be a factor for years and in many places – low density areas – it may never come due to the expense.  And definitely not until you buy a new phone.

But that hasn’t stopped AT&T from adding a 5G “e” to some of their phones.  AT&T is doing preemptive marketing hoping that people won’t understand that they are not getting 5G service and not getting a 5G capable phone.  But, by that time, they will be locked in.

AT&T says the “E” means evolution, whatever that means.  Other people say the “E” means eventually – just not with that phone or that cell site.

Here’s what Verizon said about it:

5Ge. It’s pretend, it’s fake, it’s the kind of BS that gives marketers, communicators, businesses and the wireless industry a black eye. So let’s have some fun. Some people call it “Faux Five G”. There’s “5G Eventually”. What’s your name for @ATT false marketing?

So Sprint is suing AT&T.  AT&T says that people won’t be confused.  Sprint did a survey in which 17% of the people said that they already had this non-existent 5G service.  Stay tuned.  Source: PC Mag.


Discarded Smart Lightbulbs May Be a Security Hole

Smart lightbulbs are smart because they are network connected and since most people are not going to plug a network cable into that bulb, they talk over WiFi.

Researchers took a LIFX smart bulb apart and took the circuit board out of it.  When they analyzed the board they found the WiFi password – not encrypted.

Next, all of the security settings for the processor were found to be disabled.

Finally, the company’s RSA private encryption key and root certificate are also accessible.

Given that this takes a bit of work to reverse engineer, it is not likely a hacker is going to do it just for one WiFi password, but getting hold of the company’s private encryption key – which would allow them to sign malicious code and have it downloaded wherever they want – that would be worthwhile.

Maybe they should call it a dumb lightbulb.  Source: Limited Results web site.


If You Live in the UK, be Careful Where You Click 

The UK signed into law (what they call Royal Assent) the Counter Terrorism and Border Security law this week.  This law makes it a crime to VIEW information “likely to be useful to a person committing or preparing an act of terrorism”.

One click.  Penalty is up to 15 years in prison.

Seems like a bit of over-reaction to me.  The UK’s special rapporteur on privacy said the law was “pushing a bit too much towards the thought crime”.  1984, we are here.  Source: The UK Register.


FTC in Negotiations with Facebook over Multi-Billion Dollar Fine

Sources have confirmed that the FTC and Facebook are negotiating over a multi-billion dollar fine over Facebook’s privacy practices.  The details have not been released and it could ultimately wind up in court if the two sides cannot agree.  If it does, get your popcorn out because it could be a humdinger.  The FTC’s investigation has been going on for about a year.  Source: Washington Post.


Gov Testing Smartphones as a Replacement for CAC Access Cards

The DoD is testing whether your smartphone can identify you as well as their current Common Access Card to get into DoD buildings and computer systems.

Your smartphone knows how you walk, how you talk, how you type.  You get the idea, but there is more.

With software on the phone, they are going to know exactly where you are at every moment of the day, where you spend your free time (maybe you have someone on the side), what web sites you visit, what bars you visit and how long you stay there.

It may work, but it may be a little bit too 1984 for me.

Using constant monitoring of the user’s behavior—including how they walk, carry the device, type and navigate on it and even how they commute to work and spend their free time—the system will automatically and continuously verify the user’s identity, enabling them to seamlessly work on secure networks without having to plug in a card each time. Source: Nextgov.


Are You Trusting Your Web App to Backup Your Data?

Many of us use Internet services – Dropbox for file sharing, Google for collaboration, Mint for finances and many others.  Some of us – individuals and businesses – have data spread far and wide over the web.  So wide that in many cases we really don’t know where our data lives or how it is protected.

This week many people learned the hard way that that doesn’t always turn out the way you want it to.

Email provider VFEmail announced that they had a catastrophic event that wiped out all of their users’ emails and all of their backups.  The first signs of the attack came on February 11th.

The founder of VFEmail says that 18 years of customer data are likely gone and will never be recovered.

Some emails that were stored on a backup in the Netherlands may be recoverable, but how many and when – that is unknown.  Most of the users’ info was stored in the U.S. and that, they say, is all history.

VFEmail had multiple servers in multiple data centers with multiple authentication methods and they were all wiped by an attacker.

At this time they have not provided any reason for the attack, but clearly the attacker wanted to do some real damage.

But this is a word of warning to any person or business who assumes that their service provider is going to protect them.

Number 1 – Read your contract.  Does it say that your provider provides any guarantee regarding your data?  It would be very unusual if any of your providers offer any guarantees at all.

Number 2 – Find out what measures each of your providers takes to protect your data.

Number 3 – How much trouble would you be in if you lost ALL of your data from one or more of these providers?  For example, all of your email.  Forever.  Or all of your pictures.  Or all of your finances.

Number 4 – For those services for which your data is important – for which losing some or all of the data would be a “problem” – create an alternate backup.  Or two.

The bottom line is that ultimately, you or your company are responsible for your data, unless you have a written agreement with your provider that says that they are legally liable, which is almost unheard of.  Even then, that is only as good as the damages available.  Many times in contracts your claim is limited to the amount of money you paid.  Pay $100 a month for a year and the most you can collect is $1,200.  Does that cover the loss of your data?

You, and only you, need to figure out what is required to protect your data. 

Our recommendation is at least one set of offline, disconnected backups.  After all, it is hard to hack a backup that is powered down and stored in a safe or a vault.

Also remember, backups are not like fine wine – they don’t age well.  Backup early, backup often.
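Backups that are offline, current and intact are three separate properties, and you only find out which ones you have by checking. The script below is an added example of my own, not VFEmail’s or Krebs’s, and not a tool from the original post: it writes a SHA-256 manifest next to a backup set, then verifies that every listed file is still present and unmodified and that the set is not older than a chosen limit. The backup files, timestamps and 7-day limit are constructed for the demo.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, created: float = None) -> dict:
    """Record a digest for every file in the backup set plus when the set was made.

    Keep a copy of the manifest somewhere other than the backup media; a corrupted
    manifest cannot vouch for anything."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    manifest = {"created": time.time() if created is None else created, "files": files}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, max_age_days: float = 7, now: float = None) -> list:
    """Return a list of problems; an empty list means complete, intact and fresh."""
    problems = []
    manifest_path = backup_dir / MANIFEST
    if not manifest_path.exists():
        return ["no manifest: cannot prove what this backup should contain"]
    manifest = json.loads(manifest_path.read_text())
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupted: {rel}")
    now = time.time() if now is None else now
    age_days = (now - manifest["created"]) / 86400
    if age_days > max_age_days:
        problems.append(f"stale: backup is {age_days:.1f} days old (limit {max_age_days})")
    return problems


def demo() -> dict:
    """Build a constructed backup set in a temp dir and exercise each failure mode."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bdir = Path(tmp)
        (bdir / "mail").mkdir()
        (bdir / "mail" / "inbox.mbox").write_text("From alice@example.test\nconstructed message\n")
        (bdir / "photos.tar").write_bytes(b"\x00" * 1024)
        made_at = 1_600_000_000  # constructed timestamp for the backup run
        write_manifest(bdir, created=made_at)
        results["fresh"] = verify_backup(bdir, now=made_at + 86400)
        results["stale"] = verify_backup(bdir, now=made_at + 30 * 86400)
        (bdir / "mail" / "inbox.mbox").write_text("bit rot or tampering\n")
        results["corrupted"] = verify_backup(bdir, now=made_at + 86400)
        (bdir / "photos.tar").unlink()
        results["missing"] = verify_backup(bdir, now=made_at + 86400)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "OK")
```

Run the verification against the powered-down copy when you rotate it, not against the live system that produced it; the point is to learn that a backup is unusable before you need it rather than after.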

Information for this post came from Brian Krebs.


Are You Prepared to Handle the Digital Assets of Your Loved Ones After They Are Gone?

No one has made it out of this life alive.  That I am aware of.

Sometimes, while it is not comfortable, we know when a loved one is about to pass and sometimes we are able to prepare for it.

In other cases, you don’t know  it is going to happen and are completely unprepared.

In my case, I have some personal experience with this.  My brother was hit and killed by a car driven by a mass murderer fleeing from the police and I had to deal with this lack of preparation in spades.  My brother was a young guy (62) and he had not prepared for his untimely demise.

Assuming that you have to deal with this horrible situation of closing out the digital life of a loved one, here is some information.

CREDIT CARDS

Collect all of the credit cards that you can find.  Depending on how close the loved one is, you may or may not know what cards exist.  You may have to check the mail for a month or three to see if there are credit card statements.  If there is no balance on the account you may not hear from the credit card company until the card is about to expire.  Once you have the cards, call the bank and cancel them.  You will have to prove who you are, most likely, provide a death certificate and evidence that you are the administrator of the deceased’s estate.  At that point you will be able to find out about balances and close the accounts.

MAIL

Mail can be a challenge. If you lose access to the mail, you will lose a lot of information.  Did the deceased have a post office box, either at the US Post Office or a private box service?  The Post Office will NOT send you a bill.  They will just cancel the box for non-payment.  Make sure that you keep paying that bill and checking that box.  If the deceased lived in another city you may need to forward the mail.  The Post Office will only do that for a limited time.  If the deceased had a spouse and someone is going to continue at the address, that makes things easier, but if not, you only have, at most, a year and that is not as long a period of time as you might think.

ONLINE ACCOUNTS

Technically, this may be against the law, but if the deceased had online accounts and you know or guess the password or can successfully do a password reset (if you have access to the deceased’s phone and email), then you can impersonate that person.  More than likely most online providers won’t know or care that the person passed away.  BUT, beware, if they do find out they may lock the account with no advance warning.  Get in quickly, get what you need and get out.

PAYPAL

Paypal, like most online providers, has a process.  If you can log on then you can withdraw whatever funds are there, payable to the estate.  If you can’t log in, you will have to provide them with documentation – a will, letters testamentary or something similar, etc.  Consider that a significant pain, especially if the estate did not need to be probated otherwise.

FACEBOOK

Facebook has a process where someone can designate a legacy contact in which case you can tell Facebook how to handle the account, but they will not give you the ability to log on. You can only freeze the account or delete it.  I assume you will have to prove the person has passed away.  If there is no legacy designation then you will have to provide paperwork.

INSTAGRAM

Instagram has a process similar to Facebook.

TWITTER

Twitter has a privacy form to report a death.  You have to provide the appropriate paperwork and then you can get the account deleted.

GOOGLE

Like the above, they have a form and a process in order to make sure that you are doing things legally, but you can get data or close the account.

MICROSOFT

Microsoft says that the deceased’s account will be deleted after a year of inactivity.  Of course, that doesn’t give you access to any data.

The best way to handle this is to record your passwords and store them securely.  Some password manager software has an “on death” feature that allows you to gain access to the person’s password vault upon proving the person is deceased and you have been designated as the guardian of the passwords.

Check out the source article below for a few web site links.

PAPERLESS BILLING

I assume that companies will eventually contact you about past due bills if they plan to get paid, but I have seen some circumstances where they want to add late fees and legal fees for past due accounts.  To the degree that you can, figure out what bills might be due and reach out to the companies involved.

THE LAW

Delaware has passed comprehensive legislation forcing online providers to do the right thing.  In some cases, Delaware residents were denied access to a spouse’s email due to privacy policies – that will no longer cut it in Delaware.  Check your state for specific laws.

Bottom line, plan if you can, but that is not always possible.  If not, it can be done, but it will definitely take some work.

Planning definitely makes things easier.

Information for this post came from Entrepreneur magazine.


Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.
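To make concrete what an authenticator app actually does, and why it does not depend on the phone network the way a text message does, here is an added example of my own (not code from the original post, Google, or any authenticator vendor) of RFC 6238 time-based one-time passwords in Python: the phone-side code generation and the server-side check with a small clock-drift window and a constant-time comparison. The secret and timestamps in the test are the RFC’s published vectors; new_shared_secret() is a hypothetical enrollment helper, not an API from any product.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    return hotp(secret, int(for_time) // step, digits, digest)


def new_shared_secret() -> str:
    """Hypothetical enrollment helper: a fresh 160-bit secret, base32-encoded as apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def decode_shared_secret(secret_b32: str) -> bytes:
    """Turn the base32 string stored at enrollment back into raw key bytes."""
    return base64.b32decode(secret_b32, casefold=True)


def verify_totp(secret: bytes, submitted: str, now=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side for
    clock drift; compares in constant time so response timing leaks nothing about
    how many digits matched. Reject anything that is not exactly `digits` digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(time.time() if now is None else now) // step
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + drift, digits), submitted)
    return ok


if __name__ == "__main__":
    b32 = new_shared_secret()
    key = decode_shared_secret(b32)
    code = totp(key, time.time())
    print("enrolled secret:", b32)
    print("current code:", code, "verifies:", verify_totp(key, code))
```

Two things the snippet does not do, and a real deployment must: remember the last counter value each user successfully used so a captured code cannot be replayed within the window, and rate-limit failed attempts, since a six-digit code is guessable if the server lets an attacker try indefinitely.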


Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever, $10 million, for security lapses, including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.


Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup of the key to over $140 million?).  Seems hard to swallow.

The researchers, after looking at the blockchain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and suggest that perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.


Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole.  Source: ZDNet.


Online Casino Leaves Data on 100+ Million Bets Unprotected

Security researcher Justin Paine found a public Elasticsearch database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc. as well as bet information such as winnings amount.  When ZDNet reached out to the companies involved – there seem to be multiple companies with some common ownership, based in Cyprus and operating under a Curacao gaming license – they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but not making any statement about their clients’ data.  Source: ZDNet.


Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, Whatsapp and third party data into the user’s Facebook profile without explicit user permission and having the user check a box that says, something like, “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly, disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC.

GoDaddy Users Beware

GoDaddy has an interesting feature.  If a hacker creates a FREE GoDaddy account, they can create – and have created – a whole bushel of mischief.

If you have a free account, you can use GoDaddy’s managed DNS service for free for a limited amount of time.

Only problem is that GoDaddy didn’t validate that you owned the domain that you wanted to add to your free account.

Once you own DNS for that domain you can send mail, read mail and act as a man in the middle attacker of the domain’s web site.

Since the account was free, the hacker didn’t actually own the domains in question and the IP addresses associated with the attack were not in the U.S., good luck finding the culprit.

This attack method apparently also works at other registrars.

Since the domains in question were dormant, nobody noticed or cared that they had been taken over for a month – long enough to send out tens of millions of spam emails.  Two recent campaigns, one threatening to expose pictures of you watching porn if you didn’t send them money and the other saying that there was a bomb in your building and it would go off if you didn’t pay up, used these hijacked domains.

Thousands of domains were compromised.  Soon after the story of the attack method was published GoDaddy said that they put a fix in place.

They also said that they fixed 4,000 hijacked domains.

The only problem is that there are many thousands of more domains that they didn’t detect or fix.

GoDaddy says that they have now fixed more domains but are also looking for other similar attack vectors that may not have been closed.

GoDaddy now says that they believe that it is not possible to hijack domains any more using this specific method.  Other methods – not so sure.  Existing domains compromised?  You’re on your own.

Some researchers think that some of GoDaddy’s DNS servers have been compromised, but GoDaddy says that it’s not the case.

One of the attacks using this scheme distributed the GandCrab ransomware.  One company, A.S. Price Mechanical, a small metal fabricator in South Carolina, was hit with the ransomware.  The ransom was initially $2,000 but went to $4,000 while they decided what to do.

Charlene Price, co-owner of the company, said “it’s not fair or right and this is unjust.”  “We have accepted the fact, for now, that we are just locked out of our company’s information.  We know nothing about this type of issue other than we have to pay it or just start again.”

While she is absolutely correct, the crooks don’t really care.  The fact that she is not knowledgeable about protecting her valuable company information is also not of concern to attackers.

So what do you need to be doing?

First of all, if you don’t have offline backups – ones that cannot be infected – you need to create them now and keep them current.  I keep mine in a bank vault.  The good news is that it is not a smart vault and the vault does not have an internet connection so it will be pretty hard to encrypt those backups.

Second, beef up employee training.  The A.S. Price attack happened when an employee clicked on a malicious link.

Third, add robust anti-malware protections.  There are lots of them out there.  It does cost money, but so does losing access to your data.  In the A.S. Price case it is $4,000 (not including the cost/value of losing access to the data).  While it is a lot of money, what if they had asked for $100,000 instead?  It has happened.  And the hackers have been paid.

Next, have a strong, tested incident response program.  A few months before the Sony attack, the same group attacked some of Sheldon Adelson’s casinos (the Sands in Las Vegas).  Because Adelson’s IT team had a tested incident response program and even more importantly, they were empowered to act without a committee’s approval, they minimized the damage so much that you didn’t even hear about the attack.  Visualize this.  Geeks with pocket protectors running through the casino’s floor unplugging live, operational, computers so they didn’t get infected.  Unplugging the entire Sands empire from the Internet.  WITHOUT A SINGLE MEETING.  That is training, trust and empowerment.  And it worked!

Finally, implement the processes that Homeland Security recommended in Emergency Directive 19-01.
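The first thing that directive asks for is an audit of your DNS records against what you expect them to be, and that is also how the dormant domains in this story would have been caught: nobody was comparing what the world saw for those names against what the registrar account said. The script below is an added example of my own, not GoDaddy’s tooling and not code from the directive or from Krebs’s post. It takes a baseline of expected NS and MX records (what your registrar account shows) and a set of observed records in the one-record-per-line form a lookup script might collect, and reports every record that is unexpected or missing. All domain and name-server names are constructed placeholders.

```python
from collections import defaultdict

# Constructed baseline: the name servers and mail exchangers each of our domains is
# supposed to use, copied from the registrar account. Nothing here is real infrastructure.
BASELINE = {
    "shop.example": {
        "NS": {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
        "MX": {"mail.shop.example."},
    },
    "old-brand.example": {  # dormant: parked, and should have no mail service at all
        "NS": {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
        "MX": set(),
    },
    "blog.example": {
        "NS": {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
        "MX": {"mail.shop.example."},
    },
}

# Constructed observations, "<domain> <type> <value>" per line. The dormant domain now
# answers with name servers and a mail exchanger that are not ours.
OBSERVED = """\
shop.example NS ns1.registrar-dns.example.
shop.example NS ns2.registrar-dns.example.
shop.example MX mail.shop.example.
old-brand.example NS ns-a.some-free-dns.example.
old-brand.example NS ns-b.some-free-dns.example.
old-brand.example MX relay.some-free-dns.example.
blog.example NS ns1.registrar-dns.example.
blog.example NS ns2.registrar-dns.example.
"""


def parse_observations(text: str) -> dict:
    """Group observed records as observed[domain][type] -> set of values (case-folded)."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip blank or malformed lines rather than guess
            continue
        domain, rtype, value = parts
        seen[domain.lower()][rtype.upper()].add(value.lower())
    return seen


def find_drift(baseline: dict, observed: dict) -> list:
    """One finding per record that is present but unexpected, or expected but absent.

    'NS unexpected' on a domain you did not touch is the signature of a delegation
    you no longer control; 'MX unexpected' on a dormant domain means someone is
    receiving or sending mail in your name."""
    findings = []
    for domain in sorted(baseline):
        expected = baseline[domain]
        got = observed.get(domain, {})
        for rtype in sorted(expected):
            want = {v.lower() for v in expected[rtype]}
            have = got.get(rtype, set())
            for v in sorted(have - want):
                findings.append(f"{domain} {rtype} unexpected {v}")
            for v in sorted(want - have):
                findings.append(f"{domain} {rtype} missing {v}")
    return findings


def audit() -> list:
    """Run the drift check over the constructed data."""
    return find_drift(BASELINE, parse_observations(OBSERVED))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Feed it real output from your resolver of choice and run it on a schedule; a domain you have forgotten about is exactly the one nobody will otherwise look at for a month.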

Information for this post came from Brian Krebs.
