Category Archives: Breach

Hacker Selling Almost a Billion Hacked User Records

A Pakistani hacker who last week put up 600 million hacked accounts has added another hundred million records plus to the pie.

The first batch included 617 million records from 16 hacked sites —

  • Dubsmash – 162 million accounts
  • My FitnessPal – 151 million accounts
  • MyHeritage – 92 million
  • ShareThis – 41 million
  • HauteLook – 28 million
  • Animoto – 25 million
  • EyeEm – 22 million
  • 8Fit – 20 million
  • WhitePages – 18 million
  • Fotolog – 16 million
  • 500px – 15 million
  • Armor Games – 11 million
  • Bookmate – 8 million
  • CoffeeMeetsBagel – 6 million
  • Artsy – 1 million
  • DataCamp – 700 thousand

Several of these sites have admitted they were hacked;  none has denied it.

The 600 million record package is selling for about $20,000.

The new batch of 127 million records includes

  • Houzz – 57 million
  • YouNow – 40 million
  • Ixigo – 18 million
  • Stronghold Kingdom – 5 million
  • Roll20.net – 4 milion
  • Ge.tt – 1.83 million
  • Petflow and Bbulletin forum – 1.5 million
  • Coinmama – 420 thousand

Only Houzz on this second has has confirmed they were hacked.

So what does this mean for you?

First of, if you are using the same password on multiple sites, you should stop that practice right away.  It is just too dangerous.

Second, if you are not using two factor authentication, you just need to suck it up and get over it.

The days of passwords alone as a reasonable login authentication means are over and will likely never return.

And, obviously, if you have accounts, even little used accounts, on any of these sites, change your passwords there immediately.  IF YOU USED THE PASSWORD ON ANY OF THESE SITES ELSEWHERE, YOU HAVE TO CHANGE THOSE PASSWORDS TOO.

And, if you are a web site operator and you are storing passwords, consider your security.  If you have not had an expert try to hack your site recently (as in, say, the last 6 months), you probably need to do that.

The brand damage to these sites will be big.

Information for this post came from The Hacker News.

 

 

Facebooktwitterredditlinkedinmailby feather

The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case,  Apple and Google lawsuits) decided that the did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.

 

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out of band patch for an Internet Explorer zero day bug that affects IE 9, 10 and 11 on Windows 7,8,10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.

 

Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared it to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.

 

Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  Like OPM, like Anthem, much of the Marriott data – like when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise), all ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).

 

Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was  detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  When he asked if he was under arrest and needed a lawyer and was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained,

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.

 

Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.

Facebooktwitterredditlinkedinmailby feather

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, who’s software they were using.

The former employee accessed (but didn’t appear to do anything evil with the data) the data twice, two months apart.

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, to fine someone for not having a BAA with a company like Google indicates that they definitely want people to obey the process, without regard to there being significant risk (on the part of Google).  After all, Google probably has as good a security as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.

 

 

Facebooktwitterredditlinkedinmailby feather

News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.

 

Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.

 

Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today is it Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elastic Search, made it exposed to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on in quickly.  We are not talking brain surgery folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.

 

Yet Another Elastic Search Exposure – Belonging to UNKNOWN

Maybe this is elastic search week.  Another group of researchers found a data trove of elastic search data, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposed to be defined later.  Source: Hackenproof.

 

Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim,  based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.

 

Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

Once way they kept is quiet is by not telling Speaker Paul Ryan,  Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fall out.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.

 

Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes another Adobe Flash zero-day (unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.

Facebooktwitterredditlinkedinmailby feather

What Do December Breach Announcements Point Out

First it was Marriott.  The breach of Marriott’s Starwood division systems exposed data on 500 million clients and triggered multiple lawsuits and investigations.

That breach was four years in the making and across two different management teams – first at Starwood and then at Marriott.

Undetected.

This week 1-800-Flowers announced that it too was breached.  The Canadian division’s web site was breached.  In 2014.  They detected the breach in September 2018, four years into it.

Undetected.

How do hackers remain inside the systems of large companies for four years?

Were the hackers targeting Marriott or 1-800-Flowers?  Probably not, but once they got in they probably thought they went to hacker heaven.

If hackers can do that to large companies, what about small companies?

Bottom line is that smart hackers want to stay in your system for as long as possible to maximize the “value”.

If you are stealing only credit cards, you can’t wait too long because credit cards expire.  In the Marriott case, which is now linked to hackers working for the Chinese, they stole a lot of other useful information for identity theft that has a much longer shelf life.

Also, it seems to be taking Marriott a long time to figure out what was taken.  I am not clear that they even really know now.

Big companies already know that they are target of attackers, but so are small companies.

As companies increase the use of cloud based systems, detecting the attacks could be harder. 

Are you asking your cloud providers – all of them – who is responsible for detecting breaches?  I bet for many providers, they will say it is you.  And who responds to them?

Are you ready to respond to an incident.  Including figuring out what you are going to say on social media and how you are going to respond to social media chatter.  Sometimes that chatter can get pretty brutal.

Companies need to prepare for and test how they are going to respond.

Small companies say it won’t happen to them, but, while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority, by numbers, of breaches happen to companies with a few employees up to a couple of hundred employees.

Both of these breaches were outed when the companies reported the breaches to authorities, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.

Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.

Information for this post came from Threat Post.

Facebooktwitterredditlinkedinmailby feather