Category Archives: Breach

Google Plus Breached Last March – Will Shut Down in 10 Months

You have to admire the gall of some marketing departments.

Today, Google announced that it was shutting down the consumer version of Google Plus after a breach of 500,000 users' information.  SIX MONTHS AGO.

They said they shut it down because user engagement was low – I guess that means that no one was actually using it and that 90 percent of the sessions lasted less than FIVE SECONDS.

Of course, up until today, Google Plus was wonderful.

Now that they have to deal with a breach – including, likely, an investigation under GDPR (joining Facebook), by the FTC and likely by Congress, they say that it wasn't important to them.

The good news is that the information that was breached was less sensitive – name, email, gender, occupation and age.

Still, it is hard to spin this in a positive light.

In an effort to do so, they also announced that they are implementing some new, more granular privacy controls to control what developers can do with your data.

They are also limiting what apps can do once you give them access to your GMail.

Oh, yeah, the reason that they didn't tell you before now was fear of government regulation and of being compared to Cambridge Analytica.  Google said that it couldn't tell exactly which users were affected and didn't find evidence of misuse.  I am sure that all of this will sit well with regulators and Congress.

As these data platforms get bigger, it is going to be a challenge to deal with any breach.

I can’t see how hiding this for more than 6 months is going to work out well for Google, but stay tuned.

For those few users that logged into it for five seconds – you are going to have to find a new platform.

Information for this post came from CNBC, The Verge and CNBC again.


Credit Card Theft Continues to Rise

The hackers seem to be winning.

One solution I have advocated for over the last many years to reduce credit card fraud is a technique called credit card tokenization.  When a merchant accepts a credit card, that card information is immediately tokenized and that token is all that the merchant keeps.  If they need to rerun the credit card, say for a monthly recurring charge, they present that token to their payment processor and they get paid.  If hackers steal the tokens, it does them no good because those tokens can be locked down to that merchant or even to that server.
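As an added illustration of the tokenization scheme described above (example code, not from the post or any real payment processor), here is a minimal token vault in Python: the merchant keeps only a random token, and the vault refuses to charge that token for any merchant or server other than the one it was issued to.  The `TokenVault` class, the `shop-a`/`web-01` identifiers and the 4111… test card number are all constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical token vault (example code, not from the post or any real processor).
# The vault keeps the card number (PAN); the merchant only ever stores the token.

def luhn_valid(pan: str) -> bool:
    """Luhn check, so the vault never stores a mistyped card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class TokenRecord:
    pan: str
    merchant_id: str
    server_id: Optional[str]                # optional: also bind the token to one server

class TokenVault:
    def __init__(self) -> None:
        self._records: dict = {}

    def tokenize(self, pan: str, merchant_id: str, server_id: Optional[str] = None) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid card number")
        # The token is random and carries no card data; the binding lives vault-side.
        token = "tok_" + secrets.token_hex(16)
        self._records[token] = TokenRecord(pan, merchant_id, server_id)
        return token

    def charge(self, token: str, merchant_id: str, server_id: str, amount_cents: int) -> dict:
        """Recurring charge: the merchant presents the token, never the PAN."""
        rec = self._records.get(token)
        if rec is None:
            return {"ok": False, "reason": "unknown token"}
        if rec.merchant_id != merchant_id:
            return {"ok": False, "reason": "token not issued to this merchant"}
        if rec.server_id is not None and rec.server_id != server_id:
            return {"ok": False, "reason": "token not issued to this server"}
        # A real vault would now forward rec.pan to the card network; here we only mask it.
        return {"ok": True, "amount_cents": amount_cents, "last4": rec.pan[-4:]}

def demo() -> dict:
    """Constructed scenario: a legitimate rebill, then the stolen token tried elsewhere."""
    vault = TokenVault()
    token = vault.tokenize("4111111111111111", "shop-a", server_id="web-01")  # test PAN
    return {
        "rebill": vault.charge(token, "shop-a", "web-01", 999),
        "stolen_other_merchant": vault.charge(token, "shop-b", "web-01", 999),
        "stolen_other_server": vault.charge(token, "shop-a", "web-02", 999),
    }

if __name__ == "__main__":
    print(demo())
```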

So the hackers innovate, even though the vast majority of merchants don’t tokenize.

They slip a tiny bit of code (15 lines) into a library that MANY merchants use and it watches for a credit card passing through.  They grab the card info before it is encrypted and before it is tokenized.

Since online transactions do not take advantage of chip technology (yet), this card information can be used in other online environments.

This week’s announcement is NewEgg.Com, a computer hardware and software seller.  The hackers ran wild from mid August to mid September.  The malware is called MageCart.

This is the same malware that attacked Ticketmaster and also British Airways.

Along with thousands of other sites.

So What do you do?

If you are a merchant, you have to deal with the lack of security on your web server that could allow a bad guy to install MageCart.  Since this is buried inside other software that you use as part of your development, eliminating it is part of what the DoD calls SCRM, or Supply Chain Risk Management.  Not easy, but absolutely required.
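As an added example of the kind of supply-chain check just described (not code from the post or any merchant's site), here is a Python audit a merchant could run in a deploy pipeline: it pins a Subresource Integrity hash for each third-party script a checkout page loads and reports any script that no longer matches its pin or has no pin at all, so a library that has quietly grown an extra few lines fails the build.  The `cdn.example.test` URLs and both script bodies are constructed.

```python
import base64
import hashlib
import re

# Hypothetical audit helper (example code, not from the post or any vendor).
# A deploy pipeline pins the hash of every third-party script and fails if a
# fetched copy no longer matches: a library that has grown an unexpected
# addition fails the check even though its filename is unchanged.

SCRIPT_TAG_RE = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"[^>]*>', re.IGNORECASE)
INTEGRITY_RE = re.compile(r'\bintegrity="([^"]+)"', re.IGNORECASE)

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value in the form '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def audit_scripts(html: str, fetched: dict) -> dict:
    """Verdict per script src: 'ok', 'TAMPERED', 'NO_INTEGRITY' or 'MISSING'."""
    verdicts = {}
    for tag in SCRIPT_TAG_RE.finditer(html):
        src = tag.group(1)
        pinned = INTEGRITY_RE.search(tag.group(0))
        body = fetched.get(src)
        if body is None:
            verdicts[src] = "MISSING"           # could not fetch: block the deploy
        elif pinned is None:
            verdicts[src] = "NO_INTEGRITY"      # loaded without a pin: anything goes
        else:
            algo = pinned.group(1).split("-", 1)[0]
            verdicts[src] = "ok" if sri_hash(body, algo) == pinned.group(1) else "TAMPERED"
    return verdicts

# Constructed inputs: a clean library, the same library with an unexpected
# addition, and a checkout page that pins the clean hash.
CLEAN_LIB = b"window.Checkout = { pay: function (form) { /* send to gateway */ } };\n"
ALTERED_LIB = CLEAN_LIB + b"/* unexpected addition that the hash pin will catch */\n"

CHECKOUT_PAGE = (
    '<script src="https://cdn.example.test/checkout.js" '
    f'integrity="{sri_hash(CLEAN_LIB)}" crossorigin="anonymous"></script>\n'
    '<script src="https://cdn.example.test/analytics.js"></script>\n'
)

def demo() -> dict:
    """Audit the page as if analytics.js were fetched intact and checkout.js altered."""
    fetched = {
        "https://cdn.example.test/checkout.js": ALTERED_LIB,
        "https://cdn.example.test/analytics.js": b"console.log('hello');\n",
    }
    return audit_scripts(CHECKOUT_PAGE, fetched)

if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{verdict:13} {src}")
```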

If you buy things online, you can protect yourself by shopping locally.  🙂

Sure.  That is not gonna happen.

But there are a couple of things you can do.

Sign up for text alerts from your bank or credit card company so that you get notified EVERY time your card gets used.  In real time.  That way, at least, you can kill the card before even the first transaction clears.

Second, you can use one of the vendors that issue single-use credit card numbers.  The biggest issuer that does this that I am aware of is Capital One.  Their service, called ENO (one spelled backwards), includes a browser plugin that automatically issues disposable card numbers that are uniquely tied to a single merchant.  If the number is stolen, it can't be used at a different merchant.  While that card number is tied to your actual card, the actual card number is never exposed, so if that one site is hacked, only that card number has to be replaced, not every one.  And, since they have a browser plugin, the process is pretty simple to use.

The last option I have is to use prepaid cards.  Most banks offer them.  Chase calls theirs Chase Liquid, for example.  Sometimes the bank charges a few bucks a month for the service, but often you can get them to waive that.  That card is tied to your online userid but the account does not draw from any other account.  If you, for example, leave $100 in that account, that is the max the bad guys will get and you will be reimbursed by the bank if the charge is unauthorized.  The challenge is that you have to manage having exactly the right amount of money in that account, so the Capital One strategy is a lot easier.

Information for this post came from The Hacker News.


NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the Wannacry ransomware attack last year.  That virus, which took many organizations back to the stone age of computing (i.e., a pencil and paper), infected and took down organizations like the UK's National Health Service, parts of FedEx, Hitachi, Honda and hundreds if not thousands of other organizations, many unknown.  It was enabled by a gift written by the NSA called ETERNAL BLUE.  Eternal Blue was designed to be a gift given to our enemies, but it managed to get out in the wild and be used by the bad guys to infect hundreds of thousands of computers in at least 150 countries and cost companies billions of dollars to fix.

If it weren’t for Eternal Blue, this attack would not have worked.  Funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called Eternal Blue is still giving.  There are still at least a million computers that are not patched and hackers are using Eternal Blue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered, when the same old attacks as last year still work?

Right now, today, the attackers are using this attack to mine crypto currency on the infected computers.  However, if that stops being profitable ENOUGH, well then, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple thing is that there are Windows patches available to be installed.  Also, you can disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.

But, since people aren’t really diligent about patches and especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.  

Just think about that for a minute.

Information for this post came from ZDNet.


Security News Bites for the Week Ending September 14, 2018

How, Exactly, Would the Government Keep a Crypto Backdoor Secret?

The Five Eyes (US, Canada, Australia, New Zealand and Great Britain) countries issued a statement last week saying that if software makers did not voluntarily give them a back door into encrypted apps they may pursue forcing them to do that by law.  Australia and the UK already have bills or laws in place trying to mandate that (Source: Silicon Republic).

First, parental control/spyware app Family Orbit stored their private access key in a way that hackers were able to access 281 gigabytes of spied-on photos in over 3,000 Amazon storage buckets.  This means that tens of millions of photos taken by kids and of kids are now on the loose.  All because parents wanted to keep tabs on what their kids were doing.  Now the hackers can keep tabs on their kids too (Source: Hackread).  Family Orbit shut down all services until they can fix the problem, but that won't help recover the 281 gigabytes of data already stolen.

And, for the second time in three years, spyware maker mSpy leaked the data from a million customers including passwords, call logs, text messages, contacts, notes and location data, among other information (Source: Brian Krebs).

So here, in one week, two companies whose very existence is threatened by these leaks were hacked.  Somehow, hundreds of backdoors on major apps will be kept secret by the government.

Sure.  I believe that.  Not.

This is also a word of advice to parents who either are using spyware on their kids or are thinking about it.  The odds of that data getting hacked is higher than you might like.  Would it be a problem for you or your kids if all of their pictures, texts, contacts and passwords were made public?  Consider that before you give all of that data to ANY third party.

Popular Mac App Store App Has Been Sending User Data to China for Years

In a situation that you very rarely hear about, researchers have discovered that the 4th most popular paid app in the Mac app store, Adware Doctor, has been sending user browsing history to China for years.  Apparently, when you click on CLEAN, they take a very liberal view of the request, zip up your browsing history and send it to China.  They are able to do this based on the permissions that the user gives it, which are reasonable permissions for an app of this kind.  In other words, they abused the trust that users gave them.

This was reported to Apple a month ago and Apple did nothing about it, but within hours of the news hitting the media, Apple yanked this very popular app from the store.  That, of course, does not protect anyone who has already downloaded it, but at least it will stop new people from becoming victims.

The power of the media!  Source: Motherboard.

ISPs Try Hail Mary in Bid to Derail California’s Net Neutrality Bill

The California legislature is on a roll.  First the California Consumer Privacy Act (AB 375) – now law, then the Security of Connected Devices Act (SB 327) – on the Governor's desk, and now The Internet Neutrality Act (SB 822), which would implement many of the requirements of the now repealed FCC Net Neutrality policy.  ISPs such as Frontier have asked employees to contact the governor and tell him to veto the bill.  This was after AT&T bribed, err, technically "lobbied" an Assembly committee to gut the bill.  The industry then targeted robocalls at seniors saying the bill would cause their cell phone bill to go up by $30 a month and their data to slow down (neither is true).  It is still on Governor Brown's desk.  (Source: Motherboard).

Facebook is in the middle of an Apple-esque Fight Over Encryption with the Feds

While this case is under seal, a few details have surfaced.  In this case the feds are asking Facebook to comply with the Wiretap Act, a law passed in the 1960s, long before the Internet, which requires a phone company to tap a phone conversation after receiving a warrant.

In this case, is Facebook Messenger even a phone call as defined in the Act?  Facebook, apparently, says that they do not have the means to do it; that they do not have the keys.  Can the government force Facebook to rewrite its code to provide the keys to the government on request?  Even if they do, the conversations themselves do not go through Facebook's network, so they could not capture the actual traffic, even if they wanted to.  The NSA could do that, but that is between the NSA and the FBI, not Facebook.

Can they force Facebook to completely rearchitect their system, at Facebook’s cost, to comply?  Even if they do, how long would that take?  What would be the operational impact to Facebook?

Since this is all under seal, we don’t really know and may, possibly, never know.

At this point it is not at all clear what will happen.  It is possible that the court will hold Facebook in contempt, at which point, I assume, Facebook will appeal, possibly all the way up to the Supreme Court.

Think San Bernardino all over again.  Source: The Verge.


Equifax Hack – The Prequel

While we all know about the Equifax breach last year that compromised the data of almost 150 million people and businesses, until today we did not know about the Equifax hack two years earlier.

In the earlier hack, former employees – actually Chinese spies – stole thousands of pages of documents including plans for new products, human resource files, manuals and other information.

Equifax went to the FBI and even the CIA, but did not publicly admit the problem.

That is because there is no law that requires them to disclose the theft of intellectual property although investors may disagree and sue them now that they know.

Equifax later found out that the Chinese had asked 8 companies to help them build a national credit reporting system.

I am sure that is just a coincidence.

So what do you as a business owner need to do?

The first thing is to understand that the theft of intellectual property dwarfs credit card theft and the best we can do is guess at the magnitude because most of it is not reported.

While hackers can break into your company, it is much easier for employees to walk the data out the front door.  That problem is so bad that defense contractors and financial firms are required by law to have insider threat programs.  Understand what a competitor inside the US or internationally might be interested in.

Implement employee training programs to make sure that employees do not contribute to the problem.

While the insider attack is one part of the problem, the outsider problem is just as big.  To protect against this, you need to implement a full cyber security program – hardening servers, patches, access controls, firewall rules, etc.

This needs to be part of a formal, documented program.

The most important thing to understand is that it doesn’t always happen to “the other guy”.  Most attacks are attacks of opportunity and small and medium businesses are disproportionately affected – likely because they do not have the sophisticated IT controls and staff that big companies have.

You have two choices – 

Prepare now.

React when an event happens.

I can tell you from experience, preparation is way better.

Information for this post came from Slashdot.


Security News Bites for the Week Ending Sep 7, 2018

China Using Fake Linkedin Profiles to Recruit Americans as Spies

US intelligence officials are warning LinkedIn users that China is being "super aggressive" at recruiting Americans with access to government and commercial secrets.

The Chinese are creating fake LinkedIn profiles, friending people and trolling to see if they would be valuable if flipped or conned out of information.  The Brits and Germans are seeing similar activity.

Intelligence officials are asking LinkedIn to be more aggressive at terminating offending accounts.  Twitter has recently cancelled 70 million accounts.

LinkedIn users should be on alert.  Source: The Hill.

Firefox Ups the Advertising War in Version 63

Many web sites that we visit have dozens of trackers on them.  For example, the Wall Street Journal, has 46 of them on its homepage alone (see below).

All of these trackers increase page download time and since each one of these tracker websites needs to be individually contacted and fed information to track us, it increases the time to load a page and the amount of data that we use.  While individually, the numbers may be small, if you look at, say, 100 pages in a day and every one of them calls 46 trackers (many don’t), that would be like visiting 4,700 web pages a day, just to read 100.

Firefox, which is owned by the non-profit Mozilla Foundation, doesn't care much about offending advertisers, unlike Chrome (Google) and Internet Explorer/Edge (Microsoft).

For years now browsers have supported a user-specified DO NOT TRACK flag and web sites have, pretty much uniformly, ignored the flag and tracked us anyway.

Come version 63 of Firefox, a new feature will be tested, and in version 65 it will become the default.

The feature will block trackers by default.  Users will be able to turn the feature off and also unblock one site at a time.

uBlock and uBlock Origin are among the products out there that do similar things, although advertisers can, I think, pay them to get on their “not blocked” list.  The difference here is that it is built in, TURNED ON BY DEFAULT – you do not need to buy or install anything.

The ad war just ratcheted up a bit.  Source: The Register.

Google Buys Offline Transaction Data from Mastercard

Bloomberg says that Google signed an agreement with Mastercard (and likely other credit card companies) that gives them some access to offline purchases.  Both Google and Mastercard say that they don't know what items you bought, only where, when and how much you spent.  They are using this data to give advertisers confidence that their online ads are working, based on showing you an ad and then you going and spending money in the advertiser's store.  They also are buying loyalty card data with a different program and that could provide much more detailed data including exactly what you bought.  Both companies are being tight lipped about exactly how the program works, so we don't know precisely what data Mastercard is sharing or how many millions Google paid to get that data.  Source: Tech Crunch.

Tenfold Increase in Security Breach (Reporting) Since GDPR

British law firm Fieldfisher is reporting that prior to GDPR they were dealing with around 3 breach cases a month and post GDPR they are dealing with one case every day.

This is likely not due to hackers upping their game, but rather to companies that would previously have swept a breach under the rug now reporting it, fearing that 20 million Euro sword aimed at their head if they don't report and get outed.  That outing could come from an employee who disagrees with the idea of keeping a breach secret.

The breaches that Fieldfisher is seeing are both small, technical breaches and larger breaches similar to the British Airways breach this week that compromised 300,000+ credit cards. Source: Computing.

Data on 130 Million Chinese Hotel Guests for Sale on Dark Web

Data on guests of the Chinese hotel chain Huazhu (3800 hotels) is available on the dark web for around $50k (8 bitcoin).  The data – 240 million records – includes everything from name, address, phone and email to passports, identity cards and bank account information.  Make sure you have a good Internet connection if you buy it – the data is about 140 gigabytes in size.  While the Chinese are trying to shut down all forms of cryptocurrency since they can't control it, that doesn't stop foreigners from buying the data.  Source: Next Web.
