Category Archives: Breach

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
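The flaw the statement describes is a classic broken-access-control bug: a membership record is end-dated, but the authorization check never looks at the end date. The following is an added example, not code from IES or the Departments, that models that failure beside the two fixes the statement implies (restricting to current members, and the head-of-household-only rule IES actually adopted) and adds an audit function for finding stale grants. Every case, person ID and date except the November 24, 2020 discovery date is constructed.

```python
"""Added example (not from the Illinois statement above): a benefits-case
access check with the failure mode the Departments describe, beside two
corrected checks and a stale-grant audit. All names, IDs and dates other
than the November 24, 2020 discovery date are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Membership:
    person_id: str
    added_on: date
    removed_on: Optional[date] = None  # None means still on the case

    def active_on(self, day: date) -> bool:
        """True if this person was on the case on the given day."""
        return self.added_on <= day and (self.removed_on is None or day < self.removed_on)


@dataclass
class Case:
    case_id: str
    head_of_household: str
    memberships: List[Membership] = field(default_factory=list)


def can_view_vulnerable(person_id: str, case: Case) -> bool:
    """The bug as described: anyone who was EVER on the case may view it,
    because the removal date is never consulted."""
    return any(m.person_id == person_id for m in case.memberships)


def can_view_current_members(person_id: str, case: Case, today: date) -> bool:
    """Fix 1: grant access only to people who are on the case today."""
    return any(m.person_id == person_id and m.active_on(today) for m in case.memberships)


def can_view_head_only(person_id: str, case: Case) -> bool:
    """Fix 2: the rule the Departments say IES switched to on January 8, 2021,
    i.e. only the head of household may see the case."""
    return person_id == case.head_of_household


def stale_grants(case: Case, today: date) -> List[str]:
    """Audit helper: people the vulnerable check admits who are no longer on
    the case. On a real system this would run over every case."""
    return sorted(
        m.person_id for m in case.memberships
        if can_view_vulnerable(m.person_id, case) and not m.active_on(today)
    )


# Constructed sample case: Bea moved out in 2019 but her membership row remains.
SAMPLE_CASE = Case(
    case_id="C-1001",
    head_of_household="P-ALICE",
    memberships=[
        Membership("P-ALICE", date(2018, 1, 15)),
        Membership("P-BEA", date(2018, 1, 15), removed_on=date(2019, 6, 1)),
        Membership("P-CARL", date(2020, 2, 1)),
    ],
)
TODAY = date(2020, 11, 24)  # the date the State says it discovered the issue

if __name__ == "__main__":
    for person in ("P-ALICE", "P-BEA", "P-CARL", "P-STRANGER"):
        print(person,
              "ever-member:", can_view_vulnerable(person, SAMPLE_CASE),
              "current:", can_view_current_members(person, SAMPLE_CASE, TODAY),
              "head-only:", can_view_head_only(person, SAMPLE_CASE))
    print("stale grants:", stale_grants(SAMPLE_CASE, TODAY))
```

Run against the constructed case, the vulnerable check still admits Bea, the current-members check does not, and the head-only rule admits only Alice. The audit function is the piece a practitioner would want: it answers the question the notification dodges, namely how many removed members still had access and for how long.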

Tesco Launches First Checkout-Free Store in London

Following Amazon's lead, Tesco is letting customers walk out of a London store without stopping at a checkout. This is done with a large number of cameras and sensors. My guess is that they are willing to take some losses in the short term to find the weak spots and learn how people will try to game the system, but this is surveillance to the max. It requires that you have their app, and they automatically charge the credit card you have on file. Me, I'm okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn't ask for suggestions; they probably would have gotten a bunch that referred to body parts other than faces. This is similar to what Google did with Alphabet back in 2015. Facebook as a company has lots of brands, and it probably no longer makes sense for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would require certain companies to report breaches, and some attacks, within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This would probably cover anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret if possible, but if a bill passes and companies can be fined or executives can go to jail, they will probably disclose. The disclosure would probably be to the government and not to the public. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware, and that in at least one case the malware had been lurking inside for about a month before it launched the attack. The attackers go after the outdated software and poorly configured hardware of these systems, and it is not a hard attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Coming Clean After A Hack

A hacker claims to have breached the Argentinian government’s network and stolen ID card details for every person in the country. The data is now being sold on the underground.

The agency that holds the data, RENAPER or Registro Nacional de las Personas, is translated as the National Registry of Persons.

The agency is tasked with creating national ID cards for citizens and the data behind the ID cards is used by most other agencies to validate a citizen’s request for services.

But here is where things get messy.

The hacker posted ID card photos and personal details for 44 celebrities on Twitter – including that of the President.

The hacker also published an ad on a well-known hacking board offering to look up the details of ANY Argentinian.

Three days later the government concocted a story that says they discovered a VPN account was used to query the RENAPER database for 19 photos at the exact same time as they were published on Twitter.

Sounds convenient to me. But if the hacker posted 44 names and the VPN user queried 19 names, where did the rest of the data come from? And at the exact moment? Shouldn't there be some delay between stealing the data and using it? At least a little delay. They went out of their way to say at the EXACT moment.

When the media contacted the hacker after the government published their likely made up story, the hacker offered to look up the national ID number of any citizen of the reporter’s choosing.

The hacker says that he will continue to sell the data to interested buyers and that he is probably going to publish the data of 1 to 2 million citizens (out of 45 million) in a couple of days.

The hacker didn't deny that the VPN leak was real; it is a possible point of data extraction.

I can’t guarantee that the government is lying and the hacker is telling the truth, but sure seems that way.

If the hacker has all of the data needed to make fake ID cards for every citizen, that is kind of a problem for the government.

It is also a problem for citizens if their card is used to commit a crime.

BUT, it is also an interesting defense – it wasn’t me, it could have been anyone since the data is for sale on the underground web.

The government may be trying to figure out what to do. Reissuing 45 million ID cards quickly, and SECURELY, is going to be a challenge. What do they do in the meantime? Are they still trying to figure out whether the data was stolen?

This is a challenge for everyone who gets hacked – government or otherwise.

I think you have to tell the truth. The truth will come out in the end and if you are caught fibbing, you look worse than if you just fessed up in the first place.

For Argentina – a big mess. For everyone else – an opportunity to figure out your data breach crisis communications strategy. Credit: The Record

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others, like a memory leak in File Explorer that can only be recovered from by rebooting, are more of a problem. I recommend waiting a month or two for other users to surface more bugs. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An Unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people's phones is managed by the National Health Service (NHS). The app displays a barcode that airport security uses to check a passenger's vaccine status. No proof of vaccination or negative Covid test and you can't get on the plane. Which is great until the app's backend database crashes, as it did today, for about four hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 pound fee. Oh, yeah, and she would need to take, and pay for, a rapid Covid test for another 119 pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode and you can screenshot the barcode, but those only help if you generated them while the app was still working. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) has done some trawling through the Bitcoin blockchain. Anyone who thinks bitcoin is anonymous does not understand how it works: every transaction is public, so once an address is tied to a name, everything it touches can be followed. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the sanctions list, the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably still a good thing to do, because a lot of crooks are sloppy, and those are the ones this might catch. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is something of a last resort for people who can't get another registrar to manage their domain, although it also hosts many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because, they say, they are neutral in the battle. As a result of the hack, a lot of data that people would have liked to keep private became public, and as a result of that, people are being fired and businesses are losing customers. One person whose information was disclosed continued the conspiracy theory tactic and said that the data was easily falsifiable (by whom, Epik or the hackers, and why?), that he was possibly the victim of extortion, and that the newspaper that reported the information was "fake news". Possible, but that is not likely to help the people who get outed. Credit: The Washington Post

What Happens When Hackers Steal ALL of the Code to your System

Just ask Twitch. The livestreaming service for video gamers, esports, music and other content fell to hackers.

It was acquired by Amazon in 2014 for almost a billion dollars.

Hackers broke in and stole 125 gigabytes of data. This includes all of the source code to the platform, transaction data, user IDs, passwords and other information.

It appears that the passwords were NOT encrypted.

The data has already been posted in multiple places in the hacker underground.

It is not impressive that a company like Amazon would let a subsidiary store personal information this way, but apparently it did.

Among the data stolen was the source code to a gaming platform designed to compete with Steam and information about how much (and who) the highest paid content creators were being paid.

Worse yet, the hacker, who may have had a vendetta against Twitch, said this 125 gigabytes of data was part 1.

How many parts are there? What is going to happen next?

One obvious problem for Twitch is that now that all of their source code is public, hackers will be combing through it for vulnerabilities, and given what we know so far, there are vulnerabilities.

If you are a Twitch user, you should immediately change your password and enable MFA.

Credit: Threatpost

Twitch said: “We can confirm a breach has taken place,” and “Our teams are working with urgency to understand the extent of this.”

I bet they are :).

Google searches for how to delete Twitch were up 800%. Kind of like locking the barn after the animals got out.

Users of Twitch, the world’s biggest video game streaming site, staged a virtual walkout last month to voice outrage over barrages of racist, sexist and homophobic abuse on the platform.

The phenomenon of “hate raids” — torrents of abuse — has made the platform increasingly unpleasant for many Twitch streamers who are not white or straight.

Twitch says that they are working on fixing that. Oh, and they are suing some of their customers for organizing the hate raids.

Credit: Security Week

One source is reporting that the following items were among what was stolen:

  • Entirety of Twitch, with its Git commit history going all the way back to early beginnings
  • Payouts for the top Twitch creators
  • Every property that Twitch owns, including IGDB and CurseForge
  • Mobile, desktop, and video game console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • Every other property owned by Amazon Game Studios
  • Twitch internal security tools

We are seeing conflicting reports from different sources about user IDs and passwords. They may or may not have been stolen; the conflicts may be due to which piece of the data each source saw.

One poster on 4Chan says the leak was done to foster more competition in the online video streaming space because Twitch is a “toxic cesspool”. While competitors won’t use Twitch’s code directly, they certainly might check it out for ideas.

Credit: Cybernews

Some sources said the hackers got in via a misconfigured server, but I would suggest the problem goes deeper than that. Much deeper. How confident are you that hackers could not steal all of your crown jewels?

Company That Routes Billions of Text Messages Says it’s been Hacked for Years

Syniverse is a company that almost no one has heard of. They act as an interconnection between more than 300 mobile carriers, including 95 of the top 100.

They are the reason you can send a text message to your friend who is not on the same phone carrier as you are.

It also lets you use your phone when you are somewhere your carrier has no service, known as roaming. That is done using SS7, a horribly insecure protocol developed decades ago with no security built in.

In a filing with the SEC, the company admitted that hackers have been in their network since 2016, possibly on and off. Given that they have access to your text messages, call records, location data and other information, that is a huge privacy nightmare.

One former employee said that since the world has not stopped spinning, clearly it is not a problem. Washington, on the other hand, says this is an espionage goldmine.

If the hack was state sponsored, the attackers would not “use” your data in the traditional sense. They would use it to build a profile and possibly to phish you. If, for example, this is a Russian or Chinese operation, there is no telling what they planned to do with it.

If someone is having an affair or swapping nude pictures or other sensitive topics, it could also be used to blackmail people.

Not to fear, however: Syniverse said that as soon as they discovered the breach, after five years, they implemented their security incident response plan.

I bet that regulators from around the world are investigating.

Syniverse is trying to go public using a SPAC merger and that is how this came out. They said that the hackers did not try to disrupt operations or ransom them, so all is good, right? If this was state sponsored, you would not expect them to do either of these things. In fairness, they know they are going to get sued, so they are trying to put the best spin on this that they can.

None of their customers were willing to comment for the article. Credit: Motherboard-Vice

What is the Back Story on China’s Hack of Microsoft Exchange Servers?

One possible answer is that they wanted to steal your email, impersonate you and use your email accounts to send spam and malware. This is certainly possible, but there is another, more sinister possibility.

What if – China was looking for mountains of data to train its AI systems?

The attacks gave them tens of billions of messages, calendar information and other files.

That translates to trillions of bits of information.

This is what some government officials and security experts are saying.

And, of course, this is in addition to all the data that they have already stolen.

This includes, for example, entire security clearance files from the OPM breach, medical records from the Anthem breach, travel information from the Marriott breach and financial information from the Equifax breach.

William Evanina, former director of the National Counterintelligence and Security Center, says that the Chinese have more data on the average citizen than we do.

Sounds a bit scary to me. Credit: The Register