Tag Archives: breach

Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM), and it is the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Exposed were thousands of clients' sensitive data files: insurance policy documents, health and medical data, Social Security and Medicare cards, blank checks (for payment information) and financial data.

Andrew Lech admitted to the faux pas and quickly fixed it.

But not to worry; their web site says that the service is secure and uses the latest encryption technology. Unfortunately, in this case, it didn't require a password. Of course, that statement is mostly meaningless, although it MAY be possible to use it in court. Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach? If you said AgentRun, you are very likely wrong. The terms of service say:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the client's use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
  • damage associated with corruption of, deletion of or failure to store any Client’s Content
  • damage associated with any changes or alterations which the Service Provider may make to the Service
  • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
  • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
  • damage associated with any temporary or permanent interruption in the provision of the Service
And, to add insult to injury, it also says:
n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Client's Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your client’s) data.

You should have a vendor cyber risk management program. My guess is that AgentRun's cyber security program may be lacking. I don't know for sure, but look at the evidence: this problem happens weekly.

Amazon has created a whole bucket of tools for you to use to help protect yourself from self-inflicted mortal wounds like this. Check out Jeff Barr's post from last year. Jeff is AWS's chief evangelist. The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon's features include default encryption, automatic permission checks and detailed inventory reports, among other security features.

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions. After all, your head will be on the chopping block if your third party provider – or you – suffers a breach. Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO). We don't mind asking those embarrassing questions.


WWE Leak Exposes Three Million Users

It is interesting to see what data companies collect on us.  Unfortunately, that usually happens when the company suffers a breach.

WWE joined the crowd of businesses that can’t quite remember to protect data that they make publicly accessible on the Internet.  One more time, the data was stored at Amazon.

In this case it is data on three million WWE fans.

And not just the usual name, address and email.

This data included birthdate and children’s age ranges and genders.  It included large amounts of social media data such as fan posts.

Another, smaller database of European fan data was also left exposed, but that did not include as wide a variety of data elements.  Maybe that is due to stricter European privacy laws.

After the researcher who discovered the unprotected databases told WWE about them, they removed the data from the Internet very quickly.

WWE is investigating how the breach happened.  They did not say how long the data sat unprotected in the Amazon cloud.

Among the data collected and exposed was each fan’s ethnicity.  Not sure why any fan would provide that data to a wrestling web site, but ……

It is interesting the number of Amazon related breaches we have seen recently.  I actually don’t think that there are more “breaches”, but rather researchers have figured out that Amazon is fertile hunting ground and so they have begun looking there more actively.

The real question is whether these breaches are just the tip of the iceberg or whether, for the most part, sensitive data stored in the cloud is protected.  I am not sure that we will ever know.

This is, however, another reminder to very carefully check the permissions on systems and services exposed to the cloud. This includes everything hosted at third party service providers such as Amazon.
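The permission check that both the AgentRun post above and this one recommend can be done offline against a bucket's configuration. The following script is an added example (not from the original posts, from AWS, or from either company): it takes the JSON structures the S3 API returns for a bucket's ACL, bucket policy and default-encryption configuration and flags grants to the public groups, policy statements whose Principal is anyone, and the absence of a default encryption rule. The bucket name, the IAM role ARN, the account id and every record in it are constructed samples.

```python
"""Offline audit of S3 bucket configuration for public access and missing default
encryption.  Added example; the sample inputs below are constructed."""
import json

# Grantee URIs that make an ACL grant world-readable (AllUsers) or readable by
# any AWS account holder (AuthenticatedUsers), which is effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs an ACL hands to the public groups."""
    findings = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True when a policy statement's Principal matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return Allow statements that grant actions to anyone.

    A statement with a Condition block is reported as 'conditional' because the
    condition (a source-VPC restriction, say) may narrow the grant; a human still
    has to read it.  Statements without one are reported as 'unconditional'.
    """
    findings = []
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append((kind, sorted(actions)))
    return findings


def default_encryption_enabled(encryption):
    """True when a ServerSideEncryptionConfiguration applies SSE to new objects."""
    for rule in (encryption or {}).get("Rules", []):
        if rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm"):
            return True
    return False


def audit_bucket(name, acl, policy, encryption):
    """Collect human-readable findings for one bucket (empty list = nothing found)."""
    findings = []
    for group, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    for kind, actions in public_policy_statements(policy):
        findings.append(f"{name}: policy {kind} Allow of {','.join(actions)} to anyone")
    if not default_encryption_enabled(encryption):
        findings.append(f"{name}: default encryption not configured")
    return findings


# Constructed sample data in the shape of the API responses (not real buckets).
LEAKY = {
    "name": "crm-customer-docs",
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::crm-customer-docs/*"},
    ]},
    "encryption": None,
}

HARDENED = {
    "name": "crm-customer-docs",
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    ]},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/crm-app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::crm-customer-docs/*"},
    ]},
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}

if __name__ == "__main__":
    for bucket in (LEAKY, HARDENED):
        print(json.dumps(audit_bucket(**bucket), indent=2))
```

To run it against live buckets, feed `audit_bucket` the parsed output of the boto3 calls `get_bucket_acl`, `get_bucket_policy` (whose `Policy` field is a JSON string that needs `json.loads`) and `get_bucket_encryption` (use the `ServerSideEncryptionConfiguration` field); a bucket with no policy or no encryption configuration raises an error on those calls, and passing `None` for it makes the script report no public policy and no default encryption respectively.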

Outsourcing your IT infrastructure to a cloud provider does not take you off the hook – either legally or from a business reputation damage viewpoint. WWE fans don't care that they outsourced their data storage to Amazon. Don't care at all.

It is important to note that none of these Amazon data leaks are in any way the fault of Amazon. Amazon has not been – that we know of – hacked.

In fact, none of these breaches even involved stolen credentials.

They were all caused by human error.

Information for this post came from Forbes.


The Insider Threat – At The NSA!

[Photo: NSA, Fort Meade. From Flickr; courtesy Fort Meade public affairs office]

Some of you probably remember Edward Snowden (just kidding!). Snowden was a Booz Allen Hamilton employee, on contract to the NSA. Well, now there is another Snowden at Booz.

Booz has annual revenue in excess of $5 billion and has contracts all over the federal government.

Earlier this month, the feds arrested Harold Thomas Martin III, another Booz employee assigned to the NSA, and charged him with theft of government property and unauthorized removal and retention of classified materials. Remember that package of cyber exploits that hit the dark web a couple of months ago that was thought to be an NSA toolkit lost in the wild? Well, the feds are saying that was the work of Martin.

If that was all, it would be an interesting story, but not news worthy.

As the story unfolds, the feds are now saying that they have found 50,000,000,000,000 bytes of stolen data in his house and car, most of it out in the open (although I am not sure that makes much of a difference under the circumstances). If you are not sure how to read a number with that many zeros, it is 50,000 gigabytes or 50 terabytes.

The 50,000 gigabyte number, the court filings say, is a conservative number, so it is likely more.

If we were talking about Netflix standard definition movies to compare with, streaming 24 hours a day, 7 days a week, that much data represents watching Netflix, non-stop for almost 6 years.  If the movies were HD, it only represents 2-3 years of 24×7 watching.

Martin, who lives in Glen Burnie, MD, near NSA HQ, has apparently been taking this data since 1996.  That makes it one of the longest running undetected cases of espionage ever.

Unlike Snowden however, it appears, so far, that he didn’t have a goal to release this data or sell it to the Ruskies, but rather, he was hoarding it.  AT LEAST, THAT IS WHAT THEY ARE SAYING NOW.

For the NSA, this is another huge black eye.

For Booz Allen Hamilton, it (hopefully) makes government customers leery of their ability to protect classified customer information. First Snowden and now Martin.

For average citizens, it should make them skeptical of the government’s claims that information that is shared with them can realistically be protected.  Certainly it should call into question the government’s ability – or for that matter anyone’s ability – to keep millions of encryption keys secret.

This is the downside of the digital world.  If he had to carry those 50,000 gigabytes of data out in paper, it would represent 25 billion pages of text – definitely harder to steal and even harder to store.

It also points to the insider threat problem at most companies – who are likely not as secure as the NSA.

This is likely not the end of this story.  All I can say is holy cow!

Information for this post came from The Washington Post and USA Today.


The Point of Sale (POS) Breaches Continue

So far this week (and it is only Monday), we have two POS breaches in the news.

HEI Hotels and Resorts, which manages almost 60 hotels for Starwood, Hilton, Marriott and other chains announced that 20 of their locations, covering all of their brands, had suffered breaches.

While they have not said how many cards may have been compromised, they have said that the data that was compromised included name, account number, expiration date and verification code.

HEI said that they thought that the data was accessed in real time because they do not store the data. They also said that they were unable to contact people whose cards were likely breached since they do not collect or maintain enough information to do this. This raises some important points.

These statements would seem to indicate that they outsource the processing of payments.  If so, that points to the fact that even if you outsource credit card processing, you are still the one who has to face the music in case of a breach.

It also indicates that they are likely not using chip-based credit card readers, because if they were, the data would not exist in an unencrypted state except inside the card reader itself, which does not appear to be where the breach occurred. One more time where a chip-based solution might have stopped a breach in its tracks.

The breach lasted a long time – from March 2015 to June 2016 – about 15 months.  It is not clear why the malware was not detected for so long.

In the second breach of the week, Oracle acknowledged a breach affecting their Micros POS software.

Apparently, the breach is large enough that VISA issued an alert to merchants, which they usually don’t do.

Visa said that hackers broke in to hundreds of servers at Oracle and had “completely compromised” Oracle’s support portal.

Micros, according to Oracle, is installed at over 300,000 locations, including 200,000 food and beverage locations, 100,000 retail locations and 30,000 hotels.

With millions of cards used at these locations per week, this could be a major breach.

Oracle is being very tight lipped about this breach – whether that is because they do not understand the scope of the breach and don’t want to make incorrect statements or because Larry Ellison knows he is about to be hit with multiple lawsuits, is unclear.

Oracle told customers to change their passwords and to change any passwords used by Oracle staff to access their systems and not much else.  That would suggest that hackers, in hacking the Oracle servers, got credentials that would allow them to access their customers’ systems.

Some of Oracle’s customers are saying that by not sharing information, Oracle is making it harder for them to clean up Oracle’s mess – all fodder for the inevitable lawsuits.

Brian Krebs is also saying that it is possible that Oracle was breached by more than one Eastern European (read this as Russian) crime group, or at least that more than one is dividing the spoils. If, in fact, there are 300,000 plus locations hacked and people will eventually change passwords, the hackers have to work fast in order to install other back doors and extract data.

It appears that the customer network and Oracle’s internal network were on the same network segment, but that network was split.  Somehow, sources say, that facilitated the breach.  They do not say how.

And here is the killer.

In mid July, Oracle told employees in the hospitality division that they had to wipe their computers WITHOUT BACKING ANYTHING UP.  The computers were then reimaged with a clean operating system.

This means that employees lost implementation plans and schedules and software that was going to be deployed.  The source said that this has cost Oracle billions of dollars – however that seems like a lot of money.  Still, I am sure that did cost Oracle a bunch.

Oracle did not tell employees that the reason that they had to wipe their computers was because the company had been breached.

I am sure that more details will emerge, even if Oracle does not want them to.

What this does point out is that companies need to have an active and aggressive vendor risk management program. In both of these cases, the problem stemmed from vendors. The restaurants, bars, hotels and retail stores were counting on their vendors to protect them. It is possible that there are clauses in the customers' contracts with Oracle in which Oracle agrees to indemnify and reimburse the stores and restaurants for all costs associated with the breach, but knowing Oracle, it probably says that they aren't responsible for anything. We shall see how this turns out in court – but that is years from now.

In both of these examples, these businesses are going to have very unhappy customers and not because they did something wrong, but rather because one of their vendors did something wrong.

Vendor risk management programs are effective at reducing risk associated with outsourcing.  If you don’t have a program, you should create one now.  If you do have one, you should review it for completeness.

Information on the HEI Hotels breach came from CSO Online.

Information on the Oracle breach came from Krebs on Security.


Home Depot Still Dealing With The After Effects Of The Breach

In late 2014 Home Depot announced that hackers compromised their security and stole 50 million credit cards and another 50 million loyalty cards.  18 months later, there are still three class action lawsuits pending.  One is close to settling.  In a recent 10-K filing with the SEC, Home Depot said that they had spent over $150 million on the breach, net of what their insurance paid, which is reputed to be another $90-$100 million.

While I do not have any personal knowledge of the breach, industry reports suggest that their cyber hygiene was sub-standard, an issue that could affect the outcome of the three class actions still in play.

Some people say that the breach was not so bad. They measure that by the stock price, and that has held up. Part of that may be that Home Depot did a better job of communicating, but it may be that investors know that the business will eventually recover. If you assume that they spent $161 million so far and there are still lawsuits to settle, they could easily spend a quarter of a billion dollars – or more – before this is over. That, I suggest, is bad. It is money that would have otherwise flowed to shareholders or been reinvested in the business. Now it will go to lawyers and plaintiffs.

The first lawsuit to be filed was by consumers and it is the least painful.  Since the banks make consumers whole, for the most part, the value of the damage is small. Currently, there is a preliminary settlement for this suit, which, if approved, would cost Home Depot another $20 million plus a requirement to enhance security – whatever that costs.

The second suit is from the banks.   They say they spent $150 million reissuing cards.  Fraud is on top of that.  Home Depot’s lawyers say that the banks don’t have standing to sue.  We shall see.  Home Depot’s story is that they don’t have a contract with YOUR bank – the one that reissued your card, only their bank.  This has been tried before without success, but you can’t blame a guy for trying.  Stay tuned.  This COULD cost Home Depot a lot of money, depending.

The third lawsuit is from the shareholders, who filed a derivative lawsuit against the company and 12 board members directly. This is the one that could hurt. So far, it has been next to impossible to succeed at suing boards and directors, but this is no ordinary breach, so stay tuned. The suit says that the company and the board breached their fiduciary duty by failing to make sure that the company took reasonable steps to protect consumers' information. What is unclear is what the damage is. If the stock price didn't take a hit, were they damaged? Of course, the company will spend $150-$250-$350 million dealing with the breach. Maybe the company would be much better off if the executives could focus for 3 or 4 years on running the company rather than fending off lawsuits. IF this suit prevails, it could open up the floodgates for similar shareholder lawsuits.

We do need to remember that the $161 million expense is pretax, so depending on their tax rate, it will be less.  Of course, that means that you and I get to pay again for Home Depot’s mismanagement – the first time in bank fees that the banks use to cover the breach cost and the second time in tax savings because breach costs are tax deductible.

All companies should be watching for the outcome of this case and checking out their cyber breach preparedness.  For small companies, suits like this are often fatal.

Information for this post came from JDSupra.


Minecraft Hacked – Decided It Was Better Not To Tell Anyone; 17 Also Breached

Motherboard is reporting that over 7 million user accounts belonging to the Minecraft community “Lifeboat” are for sale.

Security researcher Troy Hunt is loading the data onto his web site "Have I Been Pwned?" so that people can check whether their data was in the hacked set.

Lifeboat runs servers for custom multiplayer editions of Minecraft Pocket Edition (for mobile users).

Motherboard reached out to several victims who said that they had not been notified by Lifeboat of the breach.

Lifeboat said that they had been aware of the breach for some time.

They said that when this happened in early January, they decided that the best thing for their players was to quietly force a password reset and not let the hackers know that they had a limited time to act.

I am not aware of any state data breach law or any clause in the FTC Act that says that if a company is breached and they “quietly force a password reset”, they do not have to let the victims know that their data was compromised.  I do not know if the FTC is now looking at this, but I would not advise clients to use this solution in the face of a breach.

To make matters worse, the users that Motherboard spoke to said that they had not received a password reset.

The good news, if there is any, is that the amount of information that the company keeps on users is low, but there is a dark side, still.

Lifeboat used the MD5 hash algorithm to hash their passwords. MD5 is fast and is considered very weak for password storage, so that hash does not offer much protection. If the password was reused on other sites, then the user could be at risk of additional compromise beyond the data that was taken from Lifeboat.

When asked why they did not tell users, Lifeboat did not respond.

Just another reason not to reuse passwords.
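To make concrete what the unsalted MD5 storage described above costs its users, here is an added Python example (not Lifeboat's code; the user table in it is constructed). It puts the legacy scheme beside a salted PBKDF2-HMAC-SHA256 record, shows that identical passwords produce identical MD5 digests across accounts (so one recovered password exposes every account sharing that digest, and password reuse between accounts is visible at a glance), and migrates a legacy account to the salted scheme at its next successful login, which is the usual way to retire MD5 without forcing a disruptive reset.

```python
"""Unsalted MD5 password storage beside a salted, slow scheme, with
rehash-on-login migration.  Added example; user records are constructed."""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (OWASP guidance at the time of writing is
# 600,000 iterations); raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password):
    """Unsalted MD5, the scheme the post says Lifeboat used.

    It is deterministic (same password -> same digest for every user) and fast
    enough that precomputed tables of common passwords defeat it outright.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Salted, slow hash stored as 'pbkdf2$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password, record):
    """Constant-time check of a password against a pbkdf2 record."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("not a pbkdf2 record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_digest_groups(store):
    """Map each stored value that more than one user shares to those users.

    Against an unsalted MD5 table this exposes every account that shares a
    password with another account; against salted records it finds nothing,
    because the per-user salt makes equal passwords hash differently.
    """
    by_digest = {}
    for user, stored in store.items():
        by_digest.setdefault(stored, []).append(user)
    return {digest: users for digest, users in by_digest.items() if len(users) > 1}


def login_and_upgrade(user, password, store):
    """Verify a login and, if the account still holds a legacy MD5 digest,
    rewrite it as a salted pbkdf2 record.  Returns True on success."""
    stored = store[user]
    if stored.startswith("pbkdf2$"):
        return verify_record(password, stored)
    if hmac.compare_digest(legacy_md5(password), stored):
        store[user] = make_record(password)  # migrate while the plaintext is in hand
        return True
    return False


# Constructed user table in the legacy format (not real Lifeboat records).
LEGACY_STORE = {
    "alice": legacy_md5("password"),
    "bob": legacy_md5("correct horse battery staple"),
    "carol": legacy_md5("password"),
}

if __name__ == "__main__":
    print("accounts sharing an MD5 digest:", shared_digest_groups(LEGACY_STORE))
    store = dict(LEGACY_STORE)
    print("alice login:", login_and_upgrade("alice", "password", store))
    print("alice record now:", store["alice"][:40] + "...")
    salted = {u: make_record("password") for u in ("alice", "carol")}
    print("accounts sharing a salted record:", shared_digest_groups(salted))
```

The migration path in `login_and_upgrade` is why a site can retire MD5 without the quiet mass reset the post describes: each account is rehashed the first time its owner logs in, and accounts that never log in again can be expired or reset on a schedule.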

While researching the Minecraft breach, I came across an article on an even bigger breach – the app 17, which is, apparently, popular in Asia.  The hackers claim to be selling 30 million identities.

Motherboard says that when the company raised Series A funding last year, they said the app had been downloaded 6 million times, and the Google Play store says it has been downloaded between 500,000 and a million times, so the numbers do not line up, but the hacker's figure could still be accurate.

17 Media first said that it didn’t look like a data set of theirs, but later said they were buying the data from the hacker.  Whether they could even buy exclusive rights at all is unknown, but the hacker had already sold it to other people according to the site where it was for sale.

So, these two breaches represent close to 40 million users.  The good news is that it doesn’t seem to contain any credit card data, but if the passwords are reused elsewhere, then all bets are off.

Information for Lifeboat came from Motherboard.

Information on the app 17 also came from Motherboard.
