Tag Archives: verizon

Verizon Loses Control of Customer Information

Different sources are reporting different numbers, but the personal information on between 6 million and 14 million Verizon Wireless customers has been exposed.

Verizon Store by Mike Mozart-Flickr-Creative Commons Commercial License

The information includes name, address, phone number, general information on calls made to customer service and, in some cases, the user’s security PIN.

The details of this are going to sound all too familiar.

  1. The data was stored in the Amazon cloud
  2. The data was not password protected
  3. The data was not encrypted
  4. The data was not stored there by Verizon, but rather a third party business partner.

The partner, Nice Systems of Israel, said that the data was exposed as a result of a configuration error.  I am reasonably confident that this is true, but that doesn’t seem to make any difference, really.

Like the recent discovery of the large Republican voter data leak, this leak was also discovered by Upguard; specifically researcher Chris Vickery.

Unlike some of the other leaks which got taken down immediately, it took Verizon 9 days to lock up this data.

Verizon is claiming that no data was “stolen”, but Vickery says that due to the nature of this Amazon S3 service, there is no way that Verizon could know that.  While both sides have a vested interest in this fight, I would tend to side with Upguard in this case.

This seems like a broken record to me –

What do you need to be doing –

#1 – You’ve got to set up a third party cyber risk management program.  Verizon is going to take the heat in this case, but it is is NICE’s screw up.  The third party risk management program is designed to make sure that vendors have security controls in place.

Verizon is taking the heat because the customers have the relationship with Verizon, not NICE.  In fact, until today, most customers have never heard of NICE.  This is Verizon’s problem and they have to own it.  So far, all I have heard is a bit of spin – not to worry; nothing to see – keep moving.  That does not inspire confidence.

#2 – Amazon. Amazon. Amazon.  While this is definitely not Amazon’s fault, at this point, every company that uses any cloud services – or allows their business partners to use cloud services – needs to be checking cloud permissions very carefully.  With great power comes great responsibility.

#3 – Have an incident response plan in place.  By Verizon saying that there was nothing to worry about without any explanation isn’t very comforting.  They need to work on the bedside manner (or in this case, their cloudside manner).  You have to give people a better story than don’t worry.

Why did it take Verizon 9 days to lock down this data.  Sounds like their incident response program needs some work.

While this could have happened to anyone – and has happened to several companies just in the last month, given all the occurrences that we have seen recently, companies need to step up their game or they will get skewered in the court of public opinion.

Information for this post came from Slashgear.


The Target Breach Story – How Did They Let This Out?

Krebs On Security has extensive reporting of an investigation by Verizon conducted starting a few days after the Target breach was announced.

Target has refused to confirm or deny the report .

One thing to consider.  We do not know how Brian (Krebs) got the report, so all we can do is speculate.

This report, in my opinion, is a wonderful tool for the banks and consumers who are suing Target.  It shows all the things that Target was not doing or was doing wrong.  This report makes it so much easier to show Target was not treating cyber security consistent with even reasonable industry practices, never mind best industry practices.

What Target should have done is have their outside counsel manage the engagement of Verizon so that this report could have been shielded by attorney-client privilege.

It is certainly possible that they did that, but then, how did the report get out to a reporter?  Part of engaging the attorneys to manage this is to control the distribution of the final work product.

Any way you look at it, in my opinion, letting this report out of their control is yet another FAIL! by Target.  

While Target spokesperson Molly Snyder said that Target believes that sharing information will make everyone stronger – thereby basically validating that the report is real – it doesn’t make sense to release this kind of detail while there are so many lawsuits pending.

You can go to Brian’s web site (see link below) for the long gory details, but here is the short version:

  • Once the Verizon hacking team was inside Target’s core network, there was nothing stopping them from communicating directly with the cash registers – violating every principal of segmentation known to IT.  They should never have been able to do that.
  • Target had guessable passwords on Microsoft SQL servers and weak passwords for system accounts.
  • Target had a password policy, but it was not being followed. Verizon found clear text password files for system accounts on several servers.
  • Verizon was able to create domain administrator accounts and dump all of the password hashes.
  • Within one week, the consultants were able to crack 472,000 (86%) of the passwords.
  • Patches to systems and services were not applied consistently.
  • Verizon said that Target, who was using Tenable’s vulnerability scanning system, had a comprehensive scanning program in place but was not acting on the vulnerabilities discovered.

There is more in the report, but you get the idea.

If you are a security person, the report is a fascinating indictment of Target and a roadmap of what not to do.

If you are a CEO, the leak of a report like this falls into the worst nightmare category.

Information for this post came from KrebsOnSecurity.

Verizon Customers Can Now Opt Out Of Supercookies

I have written before about Verizon (and AT&T) supercookies (see here and here, among others).

Briefly, supercookies are tracking devices that Verizon adds to your web traffic from your phone after the traffic leaves your phone but before it reaches the intended web site.

Verizon uses this traffic to figure out what sites you visit and paint a complete picture of you (you visit REI and Starbucks and Bank Of America) to sell to advertisers.  Advertisers themselves figured out that they could use this data if they have multiple brands to track customers and see what kind of cross marketing they could do.  In addition, since you log in to one of these sites, they now know your name (and everything else about you) on all of these sites.  Advertisers were particularly interested in this because pesky consumers sometimes have the nerve to delete tracking cookies or block them completely.  Even privacy enhanced browsers fail at protecting you from these supercookies.

When AT&T got caught doing this, they immediately said “my bad”, made up some excuse that they were testing this and stopped doing it.

Verizon, on the other hand, said advertisers would never use the data that way and we never sell your data – just your usage patterns – and generally resisted the fact that they got caught with their hand in the cookie jar.

In addition, several senators have asked the FCC to investigate.

Well finally, they have come up with a mechanism for you to opt out of this tracking.  What is not clear is whether they stop adding a UIDH tracking header to your traffic or merely stop selling your data.  In either case, you can at least opt out to some degree.

To opt out, you can go to the privacy options on your personal Verizon web page (here) or call their customer service at 866-211-0874.

PCI Compliance

Dark Reading reported on Verizon’s PCI compliance assessment and I think the numbers are interesting, but not terribly unexpected (see article).  The actual report, all 84 pages, is available here.

Most of the time (maybe always), when a business has an assessment done by a third party assessor, that company will do an interim assessment first.  The purpose of the interim assessment is to find as many weaknesses as they can so that the business can fix them before the final assessment.  That way the final assessment falsely inflates the level of compliance.  As a result, Verizon looked at the interim assessments instead of the final ones.

Verizon said that last year, about 20 percent of the companies were fully compliant at the interim assessment.  That means, of course, that 80 percent of the businesses that have a contractual requirement to be PCI compliant were not compliant.

The good news in that, if there is any, is that the 20 percent number is an improvement.  That number was 11% in 2013 and 7.5% in 2012.  That means that between 2012 and 2014, the number of businesses that managed to comply with the terms of the contract that they signed with their banks for at least one year increased by almost a factor of 3.   If you are a glass half full kind of person, that is good news.  If you are not, that means that before, more than 90% of the businesses were out of compliance and now only 80% are out of compliance.

Verizon also said that only 28% of the businesses they assessed managed to stay compliant from one review to the next.  That means that more than two thirds of the businesses could not remain within the terms of their contracts for even one year.

That kind of explains why we see all the data breaches in the news.  I think that is not likely to change unless banks start enforcing the terms of the contracts.  Banks don’t want to do that because they are afraid you will take your business somewhere else.

This difference – between a point in time validation and compliance, may, in fact, be the key point in the lawsuits against Home Depot.  Home Depot has admitted that they “may not” have been in compliance at the time of the breach.

PCI compliance is a pretty low bar – even if you are compliant, it does not mean that the bad guys won’t get in.  But it is fair to say that if you can’t even maintain that level of security between reviews, that other, more complex security measures are even less likely to be in place and effective.

One strategy – actually the one that many businesses prefer – is to hope that the hackers don’t come visit you.  With only around 3,000+  breaches reported last year out of millions of businesses, that seems like a good bet.

The problem is that only breaches that violate the law (like the theft of non public personal information or health care information) are required to be reported.  And, while I can’t prove it, I bet that many of those go unreported.

Also, companies will only report breaches that they know about.  For example, Lowes had a breach that they announced last May (2014) when the attackers had been inside their system since July 2013.  If they were asked in say, January, 2014 if they had been breached, they would have answered NO.  They would have been wrong, but that is what they would have said.

Finally, theft of intellectual property is often not reported.  After all, the police will likely not be able to catch the thieves and as long as it is not publicly visible, the news won’t pick it up.  An example of this is the F-35 Joint Strike Fighter that Lockheed is building at the cost of hundreds of billions of dollars.

Mashable reported that documents leaked by Edward Snowden and published in Der Spiegel show that the NSA was aware that the Chinese had stolen terabytes of documents on the F-35.  That data was used to help China create the J-20 and J-31 stealth fighters.

The report that Snowden leaked was classified Top Secret.  In part they do that because once the “cat is out of the bag” they don’t what the Chinese to know that we know.  The other reason is that after spending $300 billion on the F-35, they don’t want to admit that the Chinese were able to steal the plans and build their version for a whole lot less.

How the F-35 story applies to regular businesses is that if they have intellectual property breaches, they typically mark it with their version of Top Secret, if they even know they were hacked and it isn’t reported.  This also includes stuff like sealed bids.  If your competitor hacks you and finds out what you are going to bid and under bids you, how do you prove that.  You just lose the work.

Bottom line is that businesses are not doing very well at security and it makes the job of the bad guys a whole lot easier.




Verizon Customers Hit With Bogus Phone Orders

A Denver TV station is reporting that they have received over 70 reports of Verizon customers who have been targeted by hackers who have masqueraded as them and ordered new iPhones shipped to out of state addresses.

Verizon claims that they have not been breached and that could be true.  It could be as simple as people guessing these customer’s passwords or resetting the passwords and then ordering phones.

For the customers, it is a very time consuming task to undo the damage and some of the customers reported that their phone plans were changed and they are having problems getting their plans restored to the old plans because they were grandfathered in.

If you are a Verizon customer, I recommend you watch your account for unauthorized changes.


Verizon Has A New Friend – The U.S. Senate

Well, maybe not a friend that you want to have, but they will likely get to visit the nation’s Capitol.

Verizon has gotten way more press than it would like by inserting super-cookies into it’s customers web traffic to allow folks like the marketing giant Turn to build dossiers on Verizon customers and then sell that information to advertisers in a thousandth of a second to the highest bidder.

Senators Bill Nelson of Florida, Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have asked the FTC to investigate whether Verizon’s use of super cookies violate FTC privacy rules.  These senators wrote Verizon a short note last week asking them a few questions, which Verizon said it would respond to.

The Senators want to know if legislation is required (I assume to regulate or outlaw this activity).

Advertisers are probably really, really mad at Verizon right now.

If Verizon had just done what AT&T did last year when they got caught doing this, the ad industry would not be getting all this unwanted attention.

When AT&T got caught doing this last year, they said it was just an experiment (yeah, right!), my bad, and we will stop doing this now.

Verizon, on the other hand said that no one would ever user our super cookies to track what users were doing.  Even though Turn, who was doing that exact thing, was a vendor to Verzion (must have been a different department).

Turn said that just because people were deleting their cookies didn’t mean that they did not want to be tracked.

If Verizon has just been a little smarter and taken the AT&T route and said sorry, this would all have gone away.

And six months later they could have re-contextualized the program and started it back up.

From my point of view, I am glad they were not being very smart.