Category Archives: Breach

Security News for the Week Ending November 29, 2019

The Problem with Big Data is, Well, That it is Big

On October 16th researchers revealed that they had found an exposed database with 4 billion records covering 1.2 billion people.  The first data set contained information on 1.5 billion unique people (note that these numbers do not exactly match), including work phone numbers and mobile phone numbers.  The second contained hundreds of millions of profiles scraped from LinkedIn.  The data appears to be linked to the “data enrichment” firms People Data Labs and Oxy.io, but both firms say that the server does not belong to them.  They did not say that the data did not originate from them, so the server most likely belongs to one of their customers.  The good news is that the databases do not contain passwords or credit card numbers, but there is still a lot of data there.  “Data enrichment” is an expression for “we aggregate data from a bunch of sources and put it all together, so if all YOU have, for example, is a person’s email address, we can tell you how much they make, how many kids they have and the roads they travel on to work”.  Source: Computer Weekly.

California DMV Made > $50 Million Last Year Selling Your Data

First the law requires you to provide all kinds of information to the DMV.  Then the DMV sells that information to anyone whose check clears, and it does not need to ask your permission.  In theory the law restricts who they can sell your data to, but there are a lot of exceptions.  One example was a private investigator who bought the information and gave it to his stalker client, who killed the person.  Another is data brokers like LexisNexis.  Maybe the law should be changed, but in the meantime the DMV loves the cash.  Source: Vice

Another Public Leakware Attack

As I said in my November 19, 2019 post titled “Argh – They Have a Name for it Now – Leakware”, leakware is becoming more popular.  Now we have a case involving the security and building facilities firm Allied Universal ($7 billion in revenue, 200,000 employees).  Allied was breached and the hackers want money.  To make a point, they leaked 700 megabytes of data.  They say they have 4 GB+ more and will give it to WikiLeaks if they are not paid.  They posted the sample data to Bleeping Computer’s forum, which took it down, and also to a Russian crime forum, which was not so supportive.  The hackers initially wanted $2 million.  Now they want $4 million; Allied offered $50k.  A bit of a gap.  Allied says it takes security seriously but did not say what it plans to do to protect the stolen data.  If these hackers are Russian, there really isn’t much Allied can do other than negotiate.  They have brought in security experts after the breach.  While it is useful to close the barn door once the horses are gone and the barn has burned to the ground, that probably won’t make much difference to the customers whose data was compromised.  Stay tuned for lawsuits.  Assuming this trend continues, we need different defenses for ransomware: good backups get you running again, but they do nothing about data that has already been copied out and is about to be published.  Source: Bleeping Computer

That Thanksgiving e-Card – Yup, Its Malware

With the holiday season starting, the purveyors of malware are in the holiday spirit too.  They are sending out millions of MALICIOUS, INFECTED e-greeting cards.

Open the card and you, too, will be infected.  In one campaign the payload is the Emotet trojan, which steals passwords.

Open that card and all of your passwords will be sent to Russia or China or some other friendly place.

When I get one of these cards, I send the person who sent it a note thanking them, but telling them that, in an unfortunate sign of the times, it is too risky to open it.

Then I hit the delete key.  Source: Bleeping Computer


Security News for the Week Ending October 25, 2019

Database Leaked 179 GB of Personal Data of military personnel, officials and hotel customers.

I wish this was a new story.  Autoclerk, a Best Western service that manages reservations, revenue, loyalty programs, payment processing and other functions for the hotel chain, left an Elasticsearch database exposed on the internet.

Hundreds of thousands of guest reservations were exposed including names, home addresses, dates of birth, travel dates and other information.

The reason government and military personnel are affected is that a government contractor that handles travel reservations was caught up in the breach.  Source: ZDNet.

San Bernardino Schools Hit By Ransomware

A message on the school district’s web site says not to worry, all of your data is secure (it’s just that all of it has been encrypted by a hacker).  Phones are working but email is not.  Schools in Flagstaff closed for several days last month while officials got things under control after a ransomware attack there.  Source: ABC

Russia Using “False Flags” to Confuse Security Experts

Researchers are still dissecting the attack on the 2018 Winter Olympics in South Korea.  Russia inserted false signals and other misdirection to make people think the attack came from China or North Korea.  This does point out that if you are willing to spend millions of dollars, you likely can figure out quite a bit about a cyber attacker.  The story is so complex that journalist Andy Greenberg, who followed it, wrote a book, Sandworm, which will be available on Amazon on November 5, 2019.  Source: WaPo

Amazon’s Web Services DDoSed for 10 Hours This Week

For about 10 hours earlier this week parts of Amazon Web Services were effectively offline.  Amazon’s DNS service, Route 53, was being hammered by a DDoS attack.  That meant that Amazon backend services such as S3 may have failed for websites and apps that tried to resolve and talk to those services.  The outage started around 0900 East Coast time, so it affected users throughout the work day on Tuesday, October 22, 2019.  For developers and businesses this is just one more reminder that nothing is bulletproof if the bullet is large enough.  Even though Amazon has an amazing amount of bandwidth and infrastructure, it can be taken down.

Other services that were affected included RDS (database), Simple Queue Service, CloudFront, Elastic Compute Cloud and Elastic Load Balancing.  Amazon did offer some ways to mitigate the damage if it happens again; see the source below.  As a business you need to decide how much cost and effort you are willing to expend to mitigate rare occurrences like this.  Source: The Register.

Comcast is Lobbying Against Browsers Encrypting DNS Requests

Here is a big surprise.  As the browser vendors (Chrome and Firefox) add the ability to encrypt your DNS requests so that people cannot spy on them, one of the biggest spies, Comcast, is lobbying against it.  They say that since Google would be able to see the data, that puts too much power in Google’s hands.  Ignore for the moment that Firefox is not using Google as its DNS provider, and also that Google is offering Chrome users at least four different encrypted DNS providers.  Let’s also consider that encrypted DNS is not even turned on by default.  The much bigger issue is that Comcast will no longer be able to see your DNS requests and therefore will not be able to sell your web site visit data.  But of course, we would not expect them to be honest about why.  Source: Motherboard.


Details of Equifax Breach Coming Out

After the FTC reached a settlement with Equifax over the 2017 breach of the data of close to 150 million people, a settlement that turned out to be mostly smoke and mirrors, some of the lawsuits are now moving forward and showing how bad things were at Equifax.

  1. Equifax used a default user ID of admin and password of admin to protect some of your data.
  2. Equifax failed to use multifactor authentication.
  3. It failed to adequately monitor its networks and systems.
  4. Because of the ineffective logging, hackers were able to roam around the Equifax network undetected for 75 days.

After first promising $125 to all affected users, they decided that since the FTC had allowed them to limit the cash payouts in the supposedly $700 million settlement to only $31 million, that was only enough money to pay about 248,000 of the 150 million people affected.  Now they are saying, well, you can get credit monitoring instead of cash (which you are already getting from any of the other breaches you have been affected by, so it is really giving you something that is worthless).

Maybe the class action will actually extract some cash out of them – to be seen.

In the meantime, companies need to make sure they are taking cyber hygiene seriously, because even if this payout is a joke (mostly because of the way the law is written in terms of what the FTC is allowed to do), Equifax has racked up over a billion dollars in costs resulting from this attack.  Source: SC Magazine.


Security News for the Week Ending October 18, 2019

Less Than Half of Mississippi State Agencies Even Have a Cybersecurity Policy

In Mississippi’s first ever state cybersecurity audit, the state auditor reported dismal results.  54 state agencies did not respond to the audit.  38% of those responding did not encrypt sensitive data.  22 agencies had not conducted a third-party security risk assessment.  11 did not even have a cybersecurity policy.  Overall, over half of the respondents (remember, 54 agencies did not even respond) were less than 75% compliant with state law.  State agency heads know that, unlike you or me, they are not going to get hauled into court for breaking the law, and if they get fined, it isn’t their money.  I wonder how typical this is in other states.  Source: Govtech

Karma Wins

Dark web website BriansClub (named after former WaPo journalist turned security author, columnist and speaker Brian Krebs, but which has no relation to him) was hacked.

BriansClub is in the business of selling stolen credit cards, and apparently they do very well, thank you.  In the first 8 months of this year the site sold about 9 million stolen credit cards, netting the site’s operator $126 million (in 8 months).  If we assume an average loss to the card issuer of $500 per card, that represents a loss of roughly $4.5 billion.

But now hackers hacked the hacker and stole 26 million credit cards from them.  Needless to say, BriansClub can’t ask the cops for help.

Remember that this is only ONE site on the dark web, so you can kind of get an idea of the massiveness of online fraud.

Krebs shared this data with the fraud teams in the credit card industry, so hopefully they can shut off these cards and make life a little better for the victims.

Source: Brian Krebs

Hotel [NON] Security

Kevin Mitnick, Chief Hacking Officer of the security training company KnowBe4, posted a video on YouTube about the security, or more accurately the lack of security, of hotel room safes.  I always assumed they had backdoors, because people are pretty likely to forget whatever combination they set.

The problem is that the backdoor combination is frequently still the factory default of all zeros; from the hotel’s point of view, why bother to change it?  See the video on YouTube.

One Of President Trump’s Websites Was Leaking Donor Information and Open to Attack

One of the President’s campaign web sites left a debugging tool enabled, which allowed an attacker to hijack the site’s email server and intercept, read or send emails from that domain.  Trump’s website is one of hundreds that have left the tool enabled.

The researcher who discovered it worked very hard, much harder than he should have had to, to get the Trump campaign to fix the bug.  How long the data on the site was exposed is unknown.  Source: Threatpost.

Samsung Issues Alert for Fingerprint Reader Fail

Apparently Samsung is in trouble because if you put a silicone gel screen protector on the front of your Galaxy S10, anyone’s fingerprint will unlock the phone.

Samsung’s response was that you should only use official Samsung accessories.  FAIL!!!  Early Samsung-branded screen protectors had a hole cut over the fingerprint sensor to avoid this problem.  Why fix the problem if you can die-cut the screen protector for a whole lot less?

Samsung is working on a fix, but this is another example of convenience over security.  Fingerprint and facial scan readers on (relatively) inexpensive consumer devices are low security.  In fact, biometrics should never be used to authenticate you, only to identify you.  Source: Ars

Vendor. Cyber. Risk. Management!

I don’t know how to say this any more clearly, but vendors represent a huge risk to every organization.

Lion Air, the Indonesian parent of Malindo Air and the other subsidiaries that were breached, confirmed the breach last week.

Why did they confirm it?  Perhaps they were being good corporate citizens.  An alternative explanation is that the Russian security firm Kaspersky (which the United States banned from federal systems, probably for good reason) outed them and warned customers in Malaysia and Thailand.

The breach compromised 46 million people’s data.

Lion Air cheerfully said that no credit cards, which are easily replaced, were compromised.

What was compromised is passport information (which is difficult and expensive to replace), birth dates (which I have been told are very hard to replace), names, home addresses (I guess you could move) and other personal information.  But no credit cards, so relax.

Oh, yeah, the data was left in an unprotected Amazon S3 bucket.  NOT AMAZON’S FAULT!

This is just one of many vendor-induced breaches.  In June, UpGuard reported that a terabyte of backup data belonging to Ford, Netflix and TD Bank was found unprotected in several Amazon S3 buckets.

Companies need to create and implement a comprehensive vendor cyber risk management program.  This differs from a traditional vendor risk management program, which worries about whether a vendor has insurance and is licensed; a vendor cyber risk management program also considers how the data entrusted to the vendor is being protected, whether by the vendor, by your company or by both.  Many cloud providers, including Amazon, have what they call a “shared responsibility model”, meaning that both parties are responsible: Amazon secures the underlying infrastructure, but whether a bucket is readable by the whole internet is your configuration and your problem.  Amazon provides the tools and the documentation, but you must use them.  And frequently test.  And test again.
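What “use the tools and frequently test” looks like for the specific failure in this story, an S3 bucket readable by anyone, is a check you can run against a bucket’s policy and ACL before a stranger runs it for you.  The following is an added example written for this post, not code from the original page or from Amazon.  It applies a simplified form of the rule AWS documents for a “public” bucket (an Allow statement with a wildcard principal and no narrowing condition, or an ACL grant to the AllUsers or AuthenticatedUsers groups); the bucket name, VPC endpoint ID, account ID and ACL grants in it are constructed sample data, not any real company’s configuration.

```python
"""Offline check for S3 bucket policies and ACLs that grant public access.

Added example, not code from the original post or from Amazon. It applies a
simplified version of the rule AWS documents for a "public" bucket: an Allow
statement whose Principal is "*" (or {"AWS": "*"}) and whose Condition does
not narrow the caller is public; so is any ACL grant to the AllUsers or
AuthenticatedUsers groups. All sample data below is constructed.
"""

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Condition keys that bind a wildcard principal to something narrower than the
# whole internet. Assumption: an illustrative subset, not AWS's complete list.
NARROWING_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_narrows(condition):
    """True if some non-negated operator restricts one of the narrowing keys."""
    for operator, keys in (condition or {}).items():
        if "not" in operator.lower():
            continue  # StringNotEquals / NotIpAddress widen access, they do not narrow it
        if any(key.lower() in NARROWING_KEYS for key in keys):
            return True
    return False


def public_policy_findings(policy):
    """Return the Sids (or positions) of statements that grant public access."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _condition_narrows(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def public_acl_findings(grants):
    """Return "Group:PERMISSION" for every grant to a public ACL group."""
    return [
        f"{grant['Grantee']['URI'].rsplit('/', 1)[-1]}:{grant['Permission']}"
        for grant in grants
        if grant.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS
    ]


# Constructed sample bucket policy (bucket, VPC endpoint and account are made up).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # The "unprotected bucket" pattern: anyone on the internet can read every object.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        # Wildcard principal, but only through one VPC endpoint: not public.
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        # Excludes one IP range and admits everyone else: still public.
        {"Sid": "EveryoneButOneRange", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-backups",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        # Explicit account principal: never public.
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}

# Constructed sample ACL grants in the shape boto3's get_bucket_acl() returns.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("public policy statements:", public_policy_findings(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_findings(SAMPLE_ACL_GRANTS))
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string, so `json.loads` it first) and the `Grants` list from `aws s3api get-bucket-acl`.  The check is deliberately conservative about negated operators: a `NotIpAddress` condition excludes one range and admits everyone else, which is why the third sample statement is still reported as public.  AWS’s own public-access evaluation and the S3 Block Public Access setting remain the authoritative answer; this is the kind of quick, repeatable test a vendor risk review can ask for evidence of.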

Costs, fines and lawsuits as a result of this breach will no doubt cost Lion Air many millions of dollars.

One more consideration if you are wondering if you need a vendor cyber risk management program.

Colorado law (for those of you based here or with customers here) requires you to ensure that vendors are protecting your data before you share it with them, so by not having a vendor cyber risk management program you are breaking the law.

Source: ZDNet / Dark Reading.

Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10.  For users of Cisco 4000 Series ISRs, ASR 1000 Series Aggregation Services Routers, Cloud Services Router 1000V and Integrated Services Virtual Routers, an unauthenticated attacker can gain full control just by sending a malicious HTTP request.  So yet another reminder that patching your network gear is critical.  For Cisco, that means having to buy their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseboard Management Controller (BMC) on Supermicro motherboards that allows an attacker, without authorization, to reach the BMC and mount a virtual USB device, wreaking all kinds of havoc as you might imagine: stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private, no difference; that is why BMC interfaces belong on an isolated management network and never on the internet.  Part of the problem is that almost no one knows whose motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero-days are now worth more than iPhone exploits.  Why?  Because, says exploit broker Zerodium, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up an information-free notice last year saying that some user information had been hacked (it turns out it was 36 million accounts, even though they didn’t say so) but that no financial information was taken, so they didn’t feel too bad about it, most people said: another day, another breach.

The 36 million accounts were for sale for $750, which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords cracked (the stored hashes reversed to plaintext), likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows, but if you have a Poshmark account you should definitely change that password, and if you used the same password elsewhere, change it there too.  Source: Bleeping Computer.

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer; Intel calls its feature SGX.  Researchers claim to have created an attack that exploits Intel’s and AMD’s assumption that only non-malicious code would run inside an enclave, so that malware running there is shielded from the operating system and security tools just as the enclave was meant to shield legitimate code.  If this all proves out, it represents a real threat and reiterates that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.
