Category Archives: Data Breach

SingHealth, largest healthcare group in Singapore, suffered a massive data breach

SingHealth, the largest healthcare group in Singapore, suffered a massive data breach that exposed 1.5 Million patient records.

The largest healthcare group in Singapore, SingHealth, has suffered a massive data breach that exposed personal information of 1.5 million patients who visited the clinics of the company between May 2015 and July 2018. Stolen records include patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.

SingHealth has 42 clinical specialties, a network of 2 Hospitals, 5 National Specialty Centres, 9 Polyclinics, and Bright Vision Community Hospital.

According to a data breach notification released by Singapore’s Ministry of Health (MOH), hackers stole personal information along with ‘information on the outpatient dispensed medicines’ of about 160,000 patients. Data belonging to Singapore’s Prime Minister Lee Hsien Loong and of other ministers have been exposed in the security breach.

“About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e. no records were amended or deleted.” reads the data breach notification.

“On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity,” 

SingHealth Singapore hack

According to Singapore’s authorities, the hackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s data.

MOH explained that the data breach is the result of a targeted attack, local media speculate the involvement of a nation-state actor in the cyber attack.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS)[1] confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.” reads the press release.

Commenting on the cyber attack through a Facebook post published today,

Singapore’s Prime Minister declared the attackers are “extremely skilled and determined” and they have “huge resources” to conduct such cyber attacks repeatedly, a attacker’s profile that match with an APT group.

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” Singapore PM said. “My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”  wrote Singapore’s Prime Minister.

“Those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying. Government systems come under attack thousands of times a day. Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected.”

The good news for Singapore citizens is that no medical records were accessed by hackers.

All affected patients will be contacted by the healthcare institution over the next five days.

Pierluigi Paganini

(Security Affairs – SingHealth, data breach)

The post SingHealth, largest healthcare group in Singapore, suffered a massive data breach appeared first on Security Affairs.

Singapore’s Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen

Singapore's largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018. SingHealth is the largest healthcare group in Singapore with 2 tertiary hospitals, 5 national specialty , and eight polyclinics. According to an advisory released by

Multiple Incidents of Medical Healthcare Breaches Over the Last Week

While medical data breaches are climbing in general, last week, we witnessed a huge jump between July 11, 2018 and

Multiple Incidents of Medical Healthcare Breaches Over the Last Week on Latest Hacking News.

Data of 1.5 Million People Breached in Singapore’s ‘Worst’ Digital Attack

A data breach that’s being described as Singapore’s “worst” digital attack on record exposed the personal information of an estimated 1.5 million people. On 20 July, multiple ministries Singapore’s government held a press conference on what they believe was a state-sponsored attack. They didn’t reveal whom they felt was responsible for targeting SingHealth, the island […]… Read More

The post Data of 1.5 Million People Breached in Singapore’s ‘Worst’ Digital Attack appeared first on The State of Security.

Thousands of Mega account credentials leaked online, it is credential stuffing

Thousands of account credentials associated with the popular file storage service Mega have been published online,

The former NSA hacker Patrick Wardle, co-founder at Digita Security, discovered in June a text file containing over 15,500 usernames, passwords, and files names.

The presence of the files suggests that the threat actors that collected them also accessed to each account and listed its content.

Wardle discovered the file after it was uploaded to the VirusTotal service some months earlier by a user purportedly in Vietnam.

Wardle passed the data to ZDNet that verified the huge trove of data belongs to the Mega service.

ZDNet contacted many users that confirmed the authenticity of the content of the file.

The data appears to date back to 2013, when Kim Dotcom launched the service.

Mega

ZDNet asked the popular expert Troy Hunt, who runs the data breach notification site Have I Been Pwned, to analyze the files.

Hunt believes the hackers collected the credentials from other data breaches (credential stuffing).

98 percent of the addresses in the file had already been included in a previous data breach and listed in the Hunt’ service.

“Some 87 percent of the accounts in the Mega file were found in a massive collection of 2,844 data breaches that he uploaded to the service in February, said Hunt.” read the post published by ZDNet.

“Of those we contacted, five said that they had used the same password on different sites.”

Mega chairman Stephen Hall also confirmed the file is the result of credential stuffing.

Experts noticed the Mega service doesn’t implement two-factor authentication -making it easy for attackers to access an account once it will obtain the credentials from other breaches.

Mega logs the IP address of each user who accesses to an account and some users confirmed to have noticed suspicious logins accessing their account from countries in Eastern Europe, Russia, and South America since the file was uploaded.

“One of the accounts in the file contained file listings for what appeared to describe child abuse content. Given the nature of the account’s content, ZDNet informed the authorities.” continues ZDNet.

The illegal content was uploaded years earlier, suggesting that the account owner has store excluding any recent third-party involvement.

“Mega has zero tolerance for child sexual abuse materials,” said Hall. “Any reports result in links being deactivated immediately, the user’s account closed and the details provided to the authorities.”

“Mega can’t act as censor by examining content as it is encrypted at the user’s device before being transferred to Mega,” he said. “As well as it being technically impossible, it is also practically infeasible for Mega and other major cloud storage providers, with 100s of files being uploaded each second.”

Pierluigi Paganini

(Security Affairs – Mega, credential stuffing)

The post Thousands of Mega account credentials leaked online, it is credential stuffing appeared first on Security Affairs.

Algonquin College Data Breach Exposed Details Of More Than 111,000 Individuals

Recently, we have reported how various firms exposed their customer’s data online due to vulnerabilities. One such recent example is

Algonquin College Data Breach Exposed Details Of More Than 111,000 Individuals on Latest Hacking News.

Inside look at lifecycle of stolen credentials and extent of data breach damage

Shape Security released its Credential Spill Report, shedding light on the extent to which the consumer banking, retail, airline and hospitality industries are impacted by credential stuffing attacks and account takeover. The report analyzes attacks that took place in 2017 and reveals 2.3 billion account credentials were compromised as a result of 51 independent credential spill incidents. Credential stuffing collectively costs U.S. businesses over $5 billion a year. When usernames and passwords are exposed, or … More

The post Inside look at lifecycle of stolen credentials and extent of data breach damage appeared first on Help Net Security.

CarePartners Data Breach Update: Hackers Hold The Data To Ransom

Last month, CarePartners announced it faced a data breach. However at the time it did not explain any details about

CarePartners Data Breach Update: Hackers Hold The Data To Ransom on Latest Hacking News.

Security Affairs: Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online

A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.

The company offers for sale voter records for a price of 3¢/record, the same data that left exposed online.

Querying the system for the term “voters” he found the AWS bucket used by RoboCent.

The bucked discovered by the expert contained 2,584 files, exposed voters’ data includes:

  • Full Name, suffix, prefix
  • Phone numbers (cell and landlines)
  • Address with house, street, city, state, zip, precinct
  • Political affiliation provided by state, or inferred based on voting trends/history
  • Age and birth year
  • Gender
  • Jurisdiction breakdown based on district, zip code, precinct, county, state
  • Demographics based on ethnicity, language, education

RoboCent exposed data

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company that quickly secured the bucket, below the message sent by a developer of the company that solved the issue.

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of unsecured Amazon S3 buckets exposed online, in June 2017 DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.

In December 2017, Diachenko discovered another an exposed MongoDB database containing voter registration data for more than 19 million California residents.

Pierluigi Paganini

(Security Affairs – RoboCent , Amazon AWS)

The post Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online appeared first on Security Affairs.



Security Affairs

Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online

A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.

The company offers for sale voter records for a price of 3¢/record, the same data that left exposed online.

Querying the system for the term “voters” he found the AWS bucket used by RoboCent.

The bucked discovered by the expert contained 2,584 files, exposed voters’ data includes:

  • Full Name, suffix, prefix
  • Phone numbers (cell and landlines)
  • Address with house, street, city, state, zip, precinct
  • Political affiliation provided by state, or inferred based on voting trends/history
  • Age and birth year
  • Gender
  • Jurisdiction breakdown based on district, zip code, precinct, county, state
  • Demographics based on ethnicity, language, education

RoboCent exposed data

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company that quickly secured the bucket, below the message sent by a developer of the company that solved the issue.

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of unsecured Amazon S3 buckets exposed online, in June 2017 DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.

In December 2017, Diachenko discovered another an exposed MongoDB database containing voter registration data for more than 19 million California residents.

Pierluigi Paganini

(Security Affairs – RoboCent , Amazon AWS)

The post Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online appeared first on Security Affairs.

Recent Attack Suggests Ransomware Is Alive and Well in Healthcare

A U.S. hospital disclosed that it suffered a ransomware attack, the latest in a spate of such incidents befalling the industry in recent years. Despite the fact that ransomware has declined in most other industries, these continued attacks highlight the need for healthcare organizations to boost their defenses and adopt strategies to proactively fight against this persistent threat.

Another Hospital, Another Data Breach

The hospital announced that it became aware of a crypto-malware attack on the morning of July 9. The incident affected the organization’s internal communications systems and access to its electronic health record (EHR).

Soon after discovering the malware, the hospital quickly initiated its incident response protocol, and IT professionals worked with law enforcement and forensics experts to investigate the incident. The security team also evaluated the hospital’s digital defense capabilities and decided to divert ambulance patients suffering from trauma or stroke to other institutions.

Although the investigators did not discover any evidence of the attack compromising patient data, they did opt to temporarily shut down the system as a precaution.

Ransomware Rates Remain High in Healthcare

According to Recorded Future, ransomware campaigns began declining in 2017, driven largely by the disappearance of many exploit kits (EKs) on the cybercrime market. At the same time, the remaining EKs made a tactical shift toward distributing crypto-mining malware. Unfortunately for hospitals, the decline in overall ransomware attacks does not apply to the healthcare sector.

Healthcare companies are still prime targets for ransomware because they invest relatively little in IT security. In addition, hospitals are often more willing to pay ransoms due to the criticality of their IT systems and EHRs. As John Halamka, chief information officer (CIO) at Boston’s Beth Israel Deaconess Medical Center, noted in Fierce Healthcare, some of these systems are not up to date, which makes them susceptible to vulnerability-driven attacks.

“Each time a patch is introduced, the act of changing a mission-critical system impacts reliability and functionality,” Halamka explained. “Some mission-critical systems were created years ago and never migrated to modern platforms.”

According to ZDNet, many hospitals have recently paid ransoms of tens of thousands of dollars to regain access to their data. Threat actors view these incidents as evidence that ransomware is still an effective and lucrative tactic to use against healthcare organizations.

How Can Hospitals Protect Their Data?

To protect healthcare data from threat actors looking to hold it for ransom, hospitals should double down on patch management to ensure that all networks, endpoints, applications, databases and medical devices are up to date. They should also implement network segmentation to limit attackers’ lateral movement and regularly back up data so that operations can resume quickly in the event of a breach.

As always, the best defense against threats such as ransomware is continuous training and education throughout the organization. By ensuring that everyone from rank-and-file employees to top leadership can recognize signs of a ransomware attack and act accordingly, these users can serve as the first line of defense against this persistent threat.

The post Recent Attack Suggests Ransomware Is Alive and Well in Healthcare appeared first on Security Intelligence.

US Biggest Blood Testing Laboratories LabCorp suffered a security breach

Hackers have breached the network at LabCorp, one of the largest diagnostic blood testing laboratories in the US, millions of Americans potentially at risk.

The biggest blood testing laboratories network in the US, LabCorp has suffered a security breach. The company announced the incident on Monday, the security breach occurred over the weekend.

The hackers breached into the LabCorp Diagnostic systems, but the company says there’s no indication that attackers compromised also the systems used by its drug development business Covance.

“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said, in its statement.

LabCorp did not share further details about the security breach, in response to the incident the company shut down part of its infrastructure.

“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity,” the firm said in 8-K filed with the Securities and Exchange Comission.

“This temporarily affected test processing and customer access to test results over the weekend. Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed today, and we anticipate that additional systems and functions will be restored through the next several days,” 

Biggest Blood Testing Laboratories LabCorp

Mike Thomas, a technologist at LabCorp, works with patient samples at the company’s location in Burlington. JULIE KNIGHT – Source www.bizjournals.com

The company is currently testing operations that have been resumed, other suctions will be fully restored in the next days, meantime some customers may face brief delays.

“We anticipate that additional systems and functions will be restored throughout the next several days,” it added. “Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process.”

The hack might have severe consequences for millions of Americans due to the potential extent of the breached networks that connects thousands of hospitals and testing facility offices worldwide.

Pierluigi Paganini

(Security Affairs – LabCorp, Data breach)

The post US Biggest Blood Testing Laboratories LabCorp suffered a security breach appeared first on Security Affairs.

Telefonica Data Breach Exposed Millions Of Consumer Records Online

While some hackers have their work cut out for them looking for their possible victims, some companies provide them with

Telefonica Data Breach Exposed Millions Of Consumer Records Online on Latest Hacking News.

LabCorp System Hacked For Possible Data Breach Of Millions Of Records

Once again, a medical company has suffered a cyber attack with suspicions for a possible data breach. This time, it

LabCorp System Hacked For Possible Data Breach Of Millions Of Records on Latest Hacking News.

A week in security (July 9 – July 15)

Last week, we talked about domestic abuse fuelled by IoT, doing threat intel programs right, blocking ICO fraud, and man-in-the-middle attacks. We also explained why we block shady ad blockers and provided tips to online shoppers for Prime Day.

Other news:

Stay safe, everyone!

The post A week in security (July 9 – July 15) appeared first on Malwarebytes Labs.

Are security professionals moving fast enough?

Anthony O’Mara, from Malwarebytes, explains to Information Age why security professionals need to move much faster to beat cyber criminals. With the increase in threats the cybersecurity industry faces, alongside

The post Are security professionals moving fast enough? appeared first on The Cyber Security Place.

The Most Common Hack Is Also the Most Successful. Here’s How to Fight It

Despite what movies might show, most hacks don’t involve frantic typing or brute-force attacks. In fact, Verizon’s “2017 Data Breach Investigations” report revealed that 90 percent of successful hacks aren’t

The post The Most Common Hack Is Also the Most Successful. Here’s How to Fight It appeared first on The Cyber Security Place.

Timehop provides additional details on the recent security breach

Timehop has recently announced to have suffered a data breach that affected 21 million user accounts. The company now shares additional details about the incident.

Timehop service aims to help people in finding new ways to connect with each other by analyzing past activities, earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.

The security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. The tokens have been quickly revoked and currently don’t work.

Wednesday the company provided an update on the incident adding that further info was exposed, including dates of birth, genders, and country codes.

timehop

Earlier reports of “up to 21 million emails” were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records” reads the update provided by the company.

Type of Personal Data Combination # of Breached Records # of Breached GDPR Records
Name, email, phone, DOB 3.3 million 174,000
Name, email address, phone 3.4 million 181,000
Name, email address, DOB 13.6 million 2.2 million
Name, phone number, DOB 3.6 million 189,000
Name and email address 18.6 million 2.9 million
Name and phone number 3.7 million 198,000
Name and DOB 14.8 million 2.5 million
Name total 20.4 million 3.8 million
DOB total 15.5 million 2.6 million
Email addresses total 18.6 million 2.9 million
Gender designation total 9.2 million 2.6 million
Phone numbers total 4.9 million 243,000

The company provided a detailed analysis of exposed info, specifically for the affected PII records in compliance with the introduced GDPR.

According to the company, hackers first breached into its systems on December 19, 2017, using an employee’s credentials for the company’s cloud computing environment.

The attackers accessed the systems through an IP address in the Netherlands.

In a first phase, the hacker conducted a reconnaissance, at the time the compromised environment had not stored any personal information. In early April, the company moved personal information to the compromised database and the attackers found it only on June 22.

On July 4, the hacker exfiltrated the data and changed its password. The activity was noticed by the company in nearly 24 hours.

“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”

Pierluigi Paganini

(Security Affairs – Timehophacking)

The post Timehop provides additional details on the recent security breach appeared first on Security Affairs.

Military documents about MQ-9 Reaper drone leaked on dark web

Hackers have put up for sale on the dark web sensitive military documents, some associated with the U.S. military’s MQ-9 Reaper drone aircraft, one of its most lethal and technologically advanced drones, security research firm Recorded Future recently discovered. The firms’ Insikt Group on June 1 observed a bad actor trying to sell...

Read the whole entry... »

Related Stories

Average cost of a data breach exceeds $3.8 million, claims report

Data breaches are getting more expensive. That’s one of the findings of a new global study by the Ponemon Institute that examines the financial impact of a corporate data breach. So what is the actual cost of a data breach? Well, obviously it varies depending on the nature of the organisation that has lost control […]… Read More

The post Average cost of a data breach exceeds $3.8 million, claims report appeared first on The State of Security.

Smashing Security #086: Elon Musk submarine scams and 2FA bypass

Smashing Security #086: Elon Musk submarine scams and 2FA bypass

Crypto scamming Thai cave scoundrels! $25 million to make anti-fake news videos! TimeHop data breach! Phone number port out scams!

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by B J Mendelson.

Employees suffering high levels of ‘cyber stress’ in the workplace

A Kaspersky Lab study revealed that news of data breaches and pressures to manage multiple online accounts are causing German employees increased levels of stress. Click here to view original

The post Employees suffering high levels of ‘cyber stress’ in the workplace appeared first on The Cyber Security Place.

Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT

Businesses run on risk: They take a chance, place their bets in the marketplace and often reap great rewards. But when thinking about the cost of a data breach, you may wonder about the price for your company and what, exactly, is at stake.

Here’s one way to think about it: You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD). And as in the case of the flu, it’s crucial to act quickly and seek a cure for a speedy recovery. Since data breaches cost money, it’s best to take a cost-based approach to gain an accurate perspective of the problem at hand.

Sponsored by IBM Security and independently conducted by my team at the Ponemon Institute, the 13th-annual Cost of Data Breach Study includes two new factors in its analysis that influence data-breach costs: deployment of artificial intelligence (AI) and the extensive use of Internet of Things (IoT) devices.

The analysis also includes the cost of a so-called mega breach — an incident resulting in the loss of 1 million records or more — and the financial consequences of customers losing trust in your organization.

Download the complete 2018 Cost of a Data Breach Study from Ponemon Institute

The Global Cost of a Data Breach Is Up in 2018

In this year’s study, the average cost of a data breach per compromised record was $148, and it took organizations 196 days, on average, to detect a breach. Overall, we found that the total cost, per-capita cost and average size of a data breach (by number of records lost or stolen) have all increased year over year.

The average cost of a data breach increased from 2017 to 2018

Locations that experienced the most expensive data breaches include the U.S., where notification costs are nearly five times the global average, and the Middle East, which suffered the highest proportion of malicious or criminal attacks — the most expensive type of breach to identify and address. Data breaches are less expensive in Brazil and India, where detection, escalation and notification costs rank the lowest.

While the cost of a breach increased for organizations in 13 countries compared to the five-year average, it decreased in Brazil and Japan, according to this year’s report.

Based on industry and location, our data breach calculator can determine how much a security incident might cost an organization.

The Bigger the Breach, the Higher the Cost

This year’s report found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

This graph shows the average total cost by size of the data breach for the past 3 years

But what about those massive breaches that grab national headlines? The study revealed that a mega breach (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grows. A breach involving 50 million records, for example, would result in a total cost of $350.44 million.

How Can Companies Reduce Data Breach Costs?

Among the 477 companies examined for the study, the mean time to identify a breach is still substantial (197 days), while the mean time to contain a breach is 69 days.

The good news: There are strategies to help businesses lower the potential cost of a data breach. For the fourth year running, the study found a correlation between how quickly an organization identifies and contains a breach and the total cost.

Preparation and vigilance pays: The study found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148. Similarly, extensive use of encryption can cut the cost by $13 per capita.

Customer Trust Impacts the Total Cost of a Breach

Organizations around the world lost customers due to data breaches in the past year. However, businesses that worked to improve customer trust reduced the number of lost customers — thereby reducing the cost of a breach. When they deployed a senior-level leader, such as a chief privacy officer (CPO) or chief information security officer (CISO), to direct customer trust initiatives, businesses lost fewer customers and, again, minimized the financial consequences of a breach.

Additionally, organizations that offered data-breach victims identity protection kept more customers than those that did not. Companies that lost less than 1 percent of existing customers incurred an average total cost of $2.8 million — while companies that experienced a churn rate of greater than 4 percent lost $6 million on average.

Examining the Effects of AI and IoT Adoption

For the first time, this year’s study examined the effects of organizations adopting AI as part of their security automation strategy and the extensive use of IoT devices. AI security platforms save companies money — an average of $8 per compromised record — and use machine learning, analytics and orchestration to help human responders identify and contain breaches. However, only 15 percent of companies surveyed said they had fully deployed AI. Meanwhile, businesses that use IoT devices extensively pay $5 more per compromised record on average.

To get the full rundown of the potential costs associated with a data breach — and learn what you can do to help protect your business — download the 2018 Cost of Data Breach Study: Global Overview, and take a look at our accompanying infographic.

You can also use our data breach calculator to explore the industry, location and cost factors if you experience a security incident.

Download the complete 2018 Cost of a Data Breach Study from Ponemon Institute

Examine the cost of a data breach in 2018 with this data breach calculator

The post Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT appeared first on Security Intelligence.

Macy’s, Bloomingdales Alert Online Customers of Data Breach

Macy’s is notifying customers of a data breach involving unauthorized access to their payment card data and personal information. In a notice sent to affected customers, Macy’s said it first detected suspicious login activity from certain Macys.com accounts on June 11, 2018. “Based on our investigation, we believe that an unauthorized third-party – from approximately […]… Read More

The post Macy’s, Bloomingdales Alert Online Customers of Data Breach appeared first on The State of Security.

Popular Social Media App Timehop Hit With Huge Data Breach

The Fourth of July is characterized by barbeques, fireworks, and patriotism – and now cyberattacks! Just this past Independence Day, the popular social media app Timehop was hacked – as cybercriminals set their sights on the company’s servers, rather than enjoying hot dogs and sparklers. The attack affects a whopping 21 million Timehop users and has put their personal information at risk of being compromised.

The key ingredient for this attack: multi-factor authentication. Or, lack thereof. Hackers were able to access the company’s cloud servers on July 4th because Timehop had not turned on multi-factor authentication. “The breach occurred because an access credential to our cloud computing environment was compromised,” the company said. Once they obtained the credential to access the servers, the crooks managed to remain inside the system for approximately two hours.

In a company blog post, Timehop stated that the security breach compromised the names and emails of these 21 million users, which is essentially its entire user base. And 4.7 million of those affected users had a phone number that was attached to their account breached in the attack as well. Fortunately, Timehop says that no financial data was compromised in the attack, and all access to social media platforms was deactivated immediately by Timehop, which actually logged all users out of their accounts.

This breach joins the Exactis and Adidas breaches that have occurred in the past week, leaving millions of consumers out there concerned for their personal security. So, what next steps should Timehop users take to ensure they secure their personal information? Start by following these tips:

  • Change up your passwords. With this personal data already in hand, it’s likely cybercriminals are going to take a guess at your password and attempt to get inside your Timehop account. Therefore, make sure you change up your password to Timehop and any other accounts that use the same one.
  • Use two-factor authentication. If this breach has made anything clear, it’s that we cannot rely on passwords that use single-factor authentication to protect our accounts. Learn a lesson from Timehop and always enable two-factor authentication when given the option.
  • Invest in an identity theft monitoring and recovery solution. With the increase in data breaches, people everywhere are facing the possibility of identity theft. That’s precisely why they should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Popular Social Media App Timehop Hit With Huge Data Breach appeared first on McAfee Blogs.

Data on 21 million users compromised in Timehop hack

Data collected by smartphone app Timehop on its entire customer base of 21 million users was compromised following a security incident, the company confirmed on its website on July 4.

According to their statements, the breach was detected within two hours and 19 minutes, while the attack was still in progress, and only some user data was compromised, including names, emails, a few phone numbers and access keys that linked user social profiles to Timehop.

What led to the breach was a vulnerable cloud computing environment with an account that lacked two-factor-authentication.

“The breach occurred because an access credential to our cloud computing environment was compromised,” reads the statement. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

The company assures account holders that no messages, financial data, photos or social media posts were compromised in the breach.

“To reiterate: none of your ‘memories’ – the social media posts & photos that Timehop stores – were accessed,” Timehop said. “We have no evidence that any accounts were accessed without authorization.”

Access keys were deactivated and users logged out of their accounts as a preventative measure. The company is collaborating with law enforcement and security experts to reduce impact. Also, they assure users that none of their credit card or financial data has been stored on their servers, nor location data, IP addresses or copies of their profiles and content.

Timehop is a memento collector, it mines user photos and posts from social networks and from Dropbox and resurfaces them online.

DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Besides Timehop, another data breach was discovered last week that affects users of one of the largest web hosting companies in Germany, DomainFactory, owned by GoDaddy. The breach initially happened back in last January this year and just emerged last Tuesday when an unknown attacker himself posted a breach note on the DomainFactory support forum. It turns out that the attacker breached

Timehop Confirms Data Breach Affected 21 Million Users

Timehop confirmed that a data breach affected certain pieces of personal information belonging to 21 million of its users. According to a statement posted on its website, the service that distributes social media memories to its members detected a network intrusion in the afternoon of 4 July. Timehop learned that those responsible for the incident […]… Read More

The post Timehop Confirms Data Breach Affected 21 Million Users appeared first on The State of Security.

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

And the hacks just keep on coming. Timehop social media app has been hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users. Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find—what you were doing on

Survey identifies three types of consumer attitudes to data privacy

Leveraging customer data is the lifeblood of today’s digital economy, but regulations like the EU’s GDPR threaten to make it difficult to mine this precious “ore.” Businesses still have a few options at their disposal, if they are to continue to sell their services – and stay competitive.

A poll of 11,474 consumers commissioned by market intelligence consortium DMA has revealed that 51% are more than happy to hand over their personal data to businesses that can offer a clear benefit in exchange.

The report – Global data privacy: What the consumer really thinks – places these 51% into a category called “data pragmatists,” a group described as those who exchange their data as long as there’s a clear benefit.

Another important demographic is the “data unconcerned” (26%), described by the surveyors as those who do not mind how and why their data is used. The remaining 23% are the so-called “data fundamentalists,” or those who never share their data for any reason.

Countries with the most data pragmatists include Spain (59%), USA (58%) and Singapore (57%), while data fundamentalists are mostly found in Australia (27%), The Netherlands (26%), and Germany (26%). However, these countries also house a sizeable proportion of data-unconcerned folk (Netherlands 35%, Germany 34%, Argentina 29%).

“We are in a new era of data privacy,” said Chris Combemale, Group CEO of DMA. “Questions have been raised about whether major data breaches and increased talk about the value of our personal data is impacting consumer anxiety over how their information is used. In fact, our research shows that even though consumers are more aware than ever and have concerns about their online privacy, the majority will continue to share their personal information if they trust the organisation and gain something in return.”

Respondents further revealed that they place great importance on transparency (86%), simple terms and conditions that they can properly interpret and understand (84%), and flexible privacy policies (82%).

On a global level, 83% of consumers would like more control over their data, and 49% named “trust” as the most important factor when deciding whether to hand over their data to an organization.

“Globally, the majority of consumers are pragmatists – willing to share their data so long as there is a benefit. Trading data is a common desire amongst consumers and data as a commodity will become more important for companies in the years to come,” reads the report. “However, ensuring that your organization is transparent, with its customers in how data is used and stored, together with putting them in control of their own data, is key to building trust with consumers and making them comfortable with data sharing. This can build a solid platform for the future of data economy, bringing benefit to consumers and businesses alike.”

Wisconsin County Reveals Phishing Attack Most Likely to Blame for Data Breach

A county in Wisconsin revealed that a phishing attack was most likely to blame for a data breach of some service recipients’ personal information. On 22 June, Manitowoc County posted a statement about the incident to its website. County officials wrote that they first learned of the attack on 24 April. Upon discovery of the […]… Read More

The post Wisconsin County Reveals Phishing Attack Most Likely to Blame for Data Breach appeared first on The State of Security.

Irish Retailer Reveals It Was Affected by International Data Breach

An Irish retailer revealed that an international data breach might have exposed some of its customers’ personal information. On 4 July, Harvey Norman Ireland sent out a letter to customers informing them of the incident. Its correspondence didn’t disclose the number of customers potentially affected by the breach. But it did identify the types of […]… Read More

The post Irish Retailer Reveals It Was Affected by International Data Breach appeared first on The State of Security.

Smashing Security #085: Doctor Who, Facebook patents, and Bob’s Burgers

Smashing Security #085: Doctor Who, Facebook patents, and Bob's Burgers

Doctor Who’s TARDIS has sprung a data leak, Facebook’s creepy patents are unmasked, and an app to keep women safe on dates has surprising origins.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Cyber Security Roundup for June 2018

Dixons Carphone said hackers attempted to compromise 5.9 million payment cards and accessed 1.2 million personal data records. The company, which was heavily criticised for poor security and fined £400,000 by the ICO in January after been hacked in 2015, said in a statement the hackers had attempted to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. The statement confirmed 1.2 million personal records had been accessed by the attackers. No details were disclosed explaining how hackers were able to access such large quantities of personal data, just a typical cover statement of "the investigation is still ongoing".  It is likely this incident occurred before the GDPR law kicked in at the end of May, so the company could be spared the new more significant financial penalties and sanctions the GDPR gives the ICO, but it is certainly worth watching the ICO response to a repeat offender which had already received a record ICO fine this year. The ICO (statement) and the NCSC (statement) both have released statements about this breach.

Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by security weakness in a customer support app, hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered (to impacted customers) a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data, likely to be a malware-based attack. However, there are questions on whether Ticketmaster disclosed and responded to the data breach quick enough, after digital banking company Monzo, claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. The company noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK's National Cyber Security Centre said it was monitoring the situation.

TSB customers were targetted by fraudsters after major issues with their online banking systems was reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown, all were said to be fully reimbursed by the bank.
The Information Commissioner's Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company's 2014 breach, which is a pre-GDPR fine. Hackers were able to exfiltrate 191 server backup files from the internal Yahoo network. These backups held the personal details of 8.2 million Yahoo users, including names, email addresses, telephone numbers, dates of birth, hashed password and other security data. The breach only came to light as the company was being acquired by Verizon.

Facebook woes continue, this time a bug changed the default sharing setting of 14 million Facebook users to "public" between 18th and 22nd May.  Users who may have been affected were said to have been notified on the site’s newsfeed.

Chinese Hackers were reported as stealing secret US Navy missile plans. It was reported that Chinese Ministry of State Security hackers broke into the systems of a contractor working at the US Naval Undersea Warfare Center, lifting a massive 614GB of secret information, which included the plans for a supersonic anti-ship missile launched from a submarine. The hacks occurred in January and February this year according to a report in the Washington Post.

Elon Musk (Telsa CEO) claimed an insider sabotaged code and stole confidential company information.  According to CNBC, in an email to staff, Elon wrote I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties". Telsa has filed a lawsuit accusing a disgruntled former employee of hacking into the systems and passing confidential data to third parties. In the lawsuit, it said the stolen information included photographs and video of the firm's manufacturing systems, and the business had suffered "significant and continuing damages" as a result of the misconduct.

Elsewhere in the world, FastBooking had 124,000 customer account stolen after hackers took advantage of a web application vulnerability to install malware and exfiltrate data. Atlanta Police Dashcam footage was hit by Ransomware.  And US company HealthEquity had 23,000 customer data stolen after a staff member fell for a phishing email.

IoT Security
The Wi-Fi Alliance announced WPA3, the next generation of wireless security, which is more IoT device friendly, user-friendly, and more secure than WPA2, which recently had a security weakness reported (see Krack vulnerability). BSI announced they are developing a new standard for IoT devices and Apps called ISO 23485. A Swann Home Security camera system sent a private video to the wrong user, this was said to have been caused by a factory error.  For Guidance on IoT Security see my guidance, Combating IoT Cyber Threats.

As always, a busy month for security patching, Microsoft released 50 patches, 11 of which were rated as Critical. Adobe released their monthly fix for Flash Player and a critical patch for a zero-day bug being actively exploited. Cisco released patches to address 34 vulnerabilities, 5 critical, and a critical patch for their Access Control System. Mozilla issued a critical patch for the Firefox web browser.

NEWS

US Homeland Security’s ICE demands Twitter release data on cryptic Flash Gordon account

Flash Gordon (@s7nsins), a mysterious Twitter user based in New Zealand, announced in a tweet that the US Department of Homeland Security’ Immigration and Customs Enforcement (ICE) sent Twitter an export enforcement subpoena in April to disclose the real identity of the person behind the account.

ICE demanded private information such as name, address, phone number, credit cards linked to the account, IP address history, complaints filed against the account and any other information that might lead to identifying Flash Gordon. Private messages and similar content were not requested, as a court order is necessary.

Following its guidelines and policies, Twitter informed the user of the legal request. Flash Gordon received legal assistance from the Electronic Frontier Foundation and the subpoena was unsuccessfully challenged on June 20.

The reasons behind the demand were not explained, but ICE could be interested in uncovering the person’s identity because the account has regularly released information about data breaches and leaked information found on unencrypted servers.

In the past, Flash Gordon reported finding an inventory of nearly 1 million patient records stolen from HealthNow Records, a medical telemarketing company based in Florida. The database was located on an Amazon Web Services server via Shodan and included sensitive personal and health information of senior patients with diabetes, including Social Security Numbers, health insurance data and names.

Flash Gordon recently revealed another leak, this time related to the cache of law enforcement data by ALERRT, a company that trains police and civilians to respond against shooters. The leaked cache revealed which police units in Texas lacked resources to react to active shooter situations.

The Exactis Data Breach: What Consumers Need to Know

There are data breaches, and then there are data breaches. For example, who could forget the Equifax data breach, which compromised the personal information of over half of the citizens of the United States? And now, a breach of similar magnitude has emerged, as a security researcher has discovered that marketing firm Exactis’ database was sitting on a publicly accessible server. Specifically, there were two versions of the database exposed online, each with around 340 million records—roughly two-thirds on consumers and the rest on businesses.

So how did Exactis have this much data in the first place? The Florida-based marketing firm collects and trades consumer data in order to refine the accuracy of targeted ads. Which is precisely what makes this breach so crucial, as the information exposed is highly personal. The leaked data includes people’s phone numbers, home and email addresses, interests, and the number, age, and gender of their children. As of now, credit card information and Social Security numbers don’t appear to have been leaked.

The behavioral data involved in this leak, alongside the personal information, makes this breach particularly concerning because of how this information can be used by cybercriminals to improve the success of socially engineered attacks. For instance, crooks can use such personal information in phishing attacks over email or social media. Now, cybercriminals can enact highly personalized attacks against consumers, who will already be faced with potentially fraudulent activity against their names.

Therefore, it’s important consumers immediately take action to protect their personal security and identity. To do just that, follow these tips:

  • Keep an eye out for sketchy emails and messages. Cybercriminals can leverage this stolen information for phishing emails and social engineering scams. So, if you see something sketchy or from an unknown source in your email inbox or a social media message, be sure to avoid clicking on any links provided. Better to just delete the email or message entirely.
  • Set up an alert. Though this data breach does not compromise financial data, this personal data can still be used to obtain access to financial accounts. Therefore, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft solution. With this breach, almost every American adult could be facing the possibility of identity theft. That’s precisely why they should leverage an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.


{
"metadata": {
"id": "0314018a-527d-44cc-a71d-995cd761cd4a",
"version": "1.0",
"ep": "ta",
"lang": "en-us",
"original-url": "https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/exactis-data-breach/",
"author": "Gary Davis",
"author-page": "https://securingtomorrow.mcafee.com/author/gary-davis/",
"category": "Consumer Threat Notices",
"draft": "false",
"authordetail": "Gary Davis is Chief Consumer Security Evangelist. Through a consumer lens, he partners with internal teams to drive strategic alignment of products with the needs of the security space. Gary also provides security education to businesses and consumers by distilling complex security topics into actionable advice. Follow Gary Davis on Twitter at @garyjdavis",
"tinyimage": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/06/img_1604537239013014.jpg",
"feedimageurl": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/06/img_1604537239013014.jpg",
"pubDate": "Thurs 28 June 2018 12:35:48 +0000"
}
}

The post The Exactis Data Breach: What Consumers Need to Know appeared first on McAfee Blogs.

Hitherto unknown marketing firm exposed hundreds of millions of Americans’ data

Hitherto unknown marketing firm exposed hundreds of millions of Americans' data

The detailed personal information of 230 million consumers and 110 million business contacts – including phone numbers, addresses, dates of birth, estimated income, number of children, age and gender of children - has been left exposed for anyone on the internet to grab.

Read more in my article on the Tripwire State of Security blog.

Ticketmaster breached for months, personal data stolen by hackers

Ticketmaster has warned customers that their personal information may have been compromised, after malicious code was discovered running on its website.

Up to 40,000 UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 are thought to be affected. In addition, international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018 may also be at risk.

Personal information compromised includes names, addresses, email addresses, telephone numbers, payment details and login details.

Which is all bad news of course, but how did the breach happen in the first place?

It appears that the malware was introduced to Ticketmaster’s site via a piece of external third-party code from Inbenta, a technology company that provides online chatbot and support ticketing services for websites.

As soon as Ticketmaster recognised the issue it disabled Inbenta’s code across all of its websites.

In a statement, Inbenta said that the source of the data breach was a “single piece of Javascript code” that had been customised specifically for Ticketmaster’s purposes. The code, Inbenta says, it is not in use on any other company’s websites.

Inbenta says it has now resolved the vulnerability, but not before attempting to pass some of the blame onto Ticketmaster for using its risky code on a payment page:

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

Although it’s obviously trying to pass the buck, Inbenta certainly has a point. Embedding third-party Javascript onto an online payments page introduces risks. After all, if the third-party code gets compromised there is a danger that online criminals could use it to secretly steal payment card information.

Ticketmaster says that it has emailed all customers who it believes are affected by the security incident, and is offering 12 months’ free identity monitoring for those who have been impacted.

Potential victims are also advised to keep a close eye on their bank account transactions for signs of suspicious activity.

But aside from the financial risks, Ticketmaster customers would also be wise to look out for phishing scams, where an attacker might exploit the situation by sending out bogus emails purporting to come from the company.

Curiously, digital bank Monzo claims that it warned TicketMaster that data had been compromised three months ago, in early April. In a blog post, the firm says that it met with members of Ticketmaster’s security team on 12 April, and were told that an internal investigation would take place.

“Over the course of Thursday 19th April and Friday 20th April, we sent out six thousand replacement cards to customers who had used their Monzo cards at Ticketmaster. We let them know that we were replacing their cards through their Monzo app, but didn’t name Ticketmaster as the reason at the time.”

“Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

And yet Ticketmaster’s official statements say that it only discovered it had a serious security issue on June 23rd.

Summer Refresh: Take Time to Relax but Not on Password Security

With summer comes permission to relax a little more, sun a little more, and fun a little more. But, as Newton’s Third Law reminds us, for every action, there is an equal and opposite reaction. Apply that principle to online safety and it might read like this: Each time you relax your family’s digital security a little, there’s a hacker nearby who will step up his or her schemes accordingly.

If your summer routine includes more traveling, online gaming, or time for social connecting, your first line of digital defense is strong, unhackable passwords.

Now is a great time to pump up those passwords to make sure your summer playlist streams seamlessly and summer goes off without a hitch. (Note: If you feel confident in your password strength, type your email address into the site ;– Have I been pwned? to see if your passwords have been compromised).

5 Tips to Pump Up Your Password Strength

  1. Think strength. It’s never too late to put serious thought into creating strong passwords. Begin today. Visualize your password as a superhero. Because of their strength, superheroes like Hulk, Thor, or Optimus Prime can handily protect the world. Strip them of their strength, and each warrior becomes an average Joe vulnerable to the elements of evil. Strength is inherent to password power. Infuse your password with superhero strength by including numbers, lowercase and uppercase letters, and symbols. The more complex your password is, the more difficult it will be for a crook to crack (it’s okay to add a personal touch to your password). A few examples of a secure password might be: myDogisCr@yCr@y!!, Ilov3Gummi3B3ars!! or $oundOfMu$ic_1965.
  2. Get a password manager. If you are driving yourself crazy trying to wrangle a million passwords, a password manager will do the remembering for you. A powerful password manager will:  Generate random passwords that are difficult to guess, require Multi-Factor Authentication (MFA), auto-save and securely enter your passwords on frequented sites.
  3. Use unique passwords and MFA. If taken seriously, these two extra steps could save you a million headaches. 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if you are hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication ). MFA confirms a user’s identityonly after presenting two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.
  4. Pay attention and take action. It might be summer, but if you snooze, you will lose — privacy in this case. Be sure to pay attention to the news and know if a data breach affects your family. According to the Identity Theft Resource Center® (ITRC), the number of U.S. data breach incidents in2017 hit a new record high, rising a drastic 44.7 percent over 2016. Popular sites such as Facebook, Netflix, and Twitter have experienced breaches might easily have affected you or a member of your family.
  5. Connect carefully. So you’ve done everything you can to create strong passwords and that’s awesome! What you can’t control is how others protect your account data, which often includes passwords. Make sure that websites, platforms, and companies that have access to your sensitive information take security seriously and have privacy and security plans in place. Google the company before you establish an account to see if it has had a data breach.

What are the potential consequences of a weak password? A determined hacker can track a person’s online activity, identify and hack weak passwords then use those weak passwords to access banking information, credit card numbers, and personal data used to steal a person’s identity. Remember: Just as you go to work each morning to put food on the table for your family, a hacker has similar goals. So, work with equal diligence to protect what’s yours.

toni page birdsong

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Summer Refresh: Take Time to Relax but Not on Password Security appeared first on McAfee Blogs.

Med Associates breach leaves 270,000 patient records at risk

Med Associates has suffered a data breach that may have directed patient names and insurance information into the wrong hands. Hackers could use the data for medical fraud, the company said.

On its About page, Med Associates Inc. describes itself as a manufacturer, software developer, and supplier of products for behavioral psychology, pharmacology, neuroscience, and related fields of research.

On March 22, the company’s staff noticed “unusual activity” at an employee’s workstation, so Med Associates began investigating with its IT vendor and a third-party forensics firm.

“It was determined that the unauthorized party accessed the workstation and through that, may have had access to certain personal and protected information,” reads the press release.

The group said they found no evidence that any patient information was specifically accessed or used in any way, but if an attacker did obtain any information through the privileges assigned to that terminal, it would include patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes and insurance information (including insurance ID Number). Med Associates acknowledges that a bad actor could use this data for fraud.

Times Union, a New York-based publication, reports impacted patients number 270,000.

The company has since implemented higher security standards and has increased staff training on data privacy and security. While the group doesn’t say it was human error that led to the breach, the wording certainly implies it.

To appease any angry customers, Med Associates is providing access to a year of credit monitoring and identity restoration services at no cost to patients. It has also sent out a notice telling all patients what they can do to protect against identity theft and fraud.

The Med Associates case is only the last in a string of data breaches targeting the healthcare industry – a very lucrative vertical for hackers seeking revenue through fraud or blackmail.

Recently, Missouri-based Black River Medical Center released a breach notice telling patients their personal data might have been compromised in a phishing scam that tricked one of its employees into handing over login credentials. It wouldn’t be completely out of the question for the same hacker, or group of hackers, to have committed both attacks.

Black River Medical Center employee falls for phishing scam; breach ensues

Black River Medical Center has issued a notice informing customers that the healthcare provider has learned of a data security lapse that may have resulted in the exposure of some patients’ personal information.

An affiliate of Saint Francis Healthcare System, Black River is a community-owned, not-for-profit hospital in Missouri, US. On April 23, the hospital discovered that a staffer fell for a phishing scam and had his / her email account compromised. From there, the attacker could use those credentials to access sensitive patient information.

“The investigation determined that an unknown, unauthorized third party gained access to the employee’s email account and could have viewed or accessed the information contained therein, which included patients’ names, addresses and phone numbers, and in certain instances, limited treatment information,” the notice reads.

Black River says the attacker fortunately did not get social security numbers or any financial or billing information. It also says there is no direct evidence that patient information was actually accessed or viewed. However, the worst case scenario must always be taken into consideration in situations like these.

“At this time, there is no evidence that the unauthorized party actually accessed or viewed any patient information in the email account, and Black River is not aware of any misuse of patient information,” the hospital says. “The privacy and protection of patient information is a top priority for Black River Medical Center, which regrets any inconvenience or concern this incident may cause.”

Notification letters mailed to patients on June 13 are said to include additional information about the incident, as well as a number customers can use to call the healthcare unit with any questions.

Extortionists demand millions from Liberty; threaten to release ‘sensitive data’ of ‘top clients’

Ransomware and extortion aren’t going away in 2018. A group of hackers has threatened financial services provider Liberty with the leak of “top client” data if they refuse to pay a ransom.

Parent company Liberty Holdings posted a notice on Saturday regretfully announcing it had been subjected to “unauthorized access to its IT infrastructure.”

“An external party claims to have seized data from us, has alerted us to potential vulnerabilities in our systems and has requested compensation for this,” the firm said.

Liberty says it took immediate steps to contain the situation and that it is actively investigating, adding that it will “endeavour to keep all stakeholders fully informed as appropriate.”

The notice reveals Liberty refused to pay the extortionists, and has called upon law enforcement authorities to get to the bottom of the situation.

“We are at an advance stage of investigating the extent of the data breach, which at this stage seems to be largely emails and attachments. At this point there is no evidence that any customer has suffered any financial loss,” the notice says.

Liberty promises to inform any customer that may have been impacted, if such evidence is eventually uncovered.

A report in the Sunday Times says the hackers were sitting on “sensitive data” about “top clients” and were threatening to release it if Liberty doesn’t pay the extortion money. According to the report, the hackers demanded millions from Liberty.

Building Zero Trust networks with Microsoft 365

The traditional perimeter-based network defense is obsolete. Perimeter-based networks operate on the assumption that all systems within a network can be trusted. However, todays increasingly mobile workforce, the migration towards public cloud services, and the adoption of Bring Your Own Device (BYOD) model make perimeter security controls irrelevant. Networks that fail to evolve from traditional defenses are vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand foothold across the entire network.

Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources. A general Zero Trust network model (Figure 1) typically comprises the following:

  • Identity provider to keep track of users and user-related information
  • Device directory to maintain a list of devices that have access to corporate resources, along with their corresponding device information (e.g., type of device, integrity etc.)
  • Policy evaluation service to determine if a user or device conforms to the policy set forth by security admins
  • Access proxy that utilizes the above signals to grant or deny access to an organizational resource

Figure 1. Basic components of a general Zero Trust network model

Gating access to resources using dynamic trust decisions allows an enterprise to enable access to certain assets from any device while restricting access to high-value assets on enterprise-managed and compliant devices. In targeted and data breach attacks, attackers can compromise a single device within an organization, and then use the “hopping” method to move laterally across the network using stolen credentials. A solution based on Zero Trust network, configured with the right policies around user and device trust, can help prevent stolen network credentials from being used to gain access to a network.

Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the assume breach mindset, but this approach should not be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace using technologies that empower employees to be productive anytime, anywhere, any which way.

Zero Trust networking based on Azure AD conditional access

Today, employees access their organization’s resources from anywhere using a variety of devices and apps. Access control policies that focus only on who can access a resource is not sufficient. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

Microsoft has a story and strategy around Zero Trust networking. Azure Active Directory conditional access is the foundational building block of how customers can implement a Zero Trust network approach. Conditional access and Azure Active Directory Identity Protection make dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine (1) attested runtime signals about the security state of a Windows device and (2) the trustworthiness of the user session and identity to arrive at the strongest possible security posture.

Conditional access provides a set of policies that can be configured to control the circumstances in which users can access corporate resources. Considerations for access include user role, group membership, device health and compliance, mobile applications, location, and sign-in risk. These considerations are used to decide whether to (1) allow access, (2) deny access, or (3) control access with additional authentication challenges (e.g., multi-factor authentication), Terms of Use, or access restrictions. Conditional access works robustly with any application configured for access with Azure Active Directory.

Figure 2. Microsofts high-level approach to realizing Zero Trust networks using conditional access.

To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is an endpoint protection platform (EPP) and endpoint detection response (EDR) technology that provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. It combines built-in behavioral sensors, machine learning, and security analytics to continuously monitor the state of devices and take remedial actions if necessary. One of the unique ways Windows Defender ATP mitigates breaches is by automatically isolating compromised machines and users from further cloud resource access.

For example, attackers use the Pass-the-Hash (PtH) and the Pass the ticket for Kerberos techniques to directly extract hashed user credentials from a compromised device. The hashed credentials can then be used to make lateral movement, allowing attackers to leapfrog from one system to another, or even escalate privileges. While Windows Defender Credential Guard prevents these attacks by protecting NTLM hashes and domain credentials, security admins still want to know that such an attack occurred.

Windows Defender ATP exposes attacks like these and generates a risk level for compromised devices. In the context of conditional access, Windows Defender ATP assigns a machine risk level, which is later used to determine whether the client device should get a token required to access corporate resources. Windows Defender ATP uses a broad range of security capabilities and signals, including:

Windows Defender System Guard runtime attestation

Windows Defender System Guard protects and maintains the integrity of a system as it boots up and continues running. In the assume breach mentality, its important for security admins to have the ability to remotely attest the security state of a device. With the Windows 10 April 2018 Update, Windows Defender System Guard runtime attestation contributes to establishing device integrity. It makes hardware-rooted boot-time and runtime assertions about the health of the device. These measurements are consumed by Windows Defender ATP and contribute to the machine risk level assigned to the device.

The single most important goal of Windows Defender System Guard is to validate that the system integrity has not been violated. This hardware-backed high-integrity trusted framework enables customers to request a signed report that can attest (within guarantees specified by the security promises) that no tampering of the devices security state has taken place. Windows Defender ATP customers can view the security state of all their devices using the Windows Defender ATP portal, allowing detection and remediation of any security violation.

Windows Defender System Guard runtime attestation leverages the hardware-rooted security technologies in virtualization-based security (VBS) to detect attacks. On virtual secure mode-enabled devices, Windows Defender System Guard runtime attestation runs in an isolated environment, making it resistant to even a kernel-level adversary.

Windows Defender System Guard runtime attestation continually asserts system security posture at runtime. These assertions are directed at capturing violations of Windows security promises, such as disabling process protection.

Azure Active Directory

Azure Active Directory is a cloud identity and access management solution that businesses use to manage access to applications and protect user identities both in the cloud and on-premises. In addition to its directory and identity management capabilities, as an access control engine Azure AD delivers:

  • Single sign-on experience: Every user has a single identity to access resources across the enterprise to ensure higher productivity. Users can use the same work or school account for single sign-on to cloud services and on-premises web applications. Multi-factor authentication helps provide an additional level of validation of the user.
  • Automatic provisioning of application access: Users access to applications can be automatically provisioned or de-provisioned based on their group memberships, geo-location, and employment status.

As an access management engine, Azure AD makes a well-informed decision about granting access to organizational resources using information about:

  • Group and user permissions
  • App being accessed
  • Device used to sign in (e.g., device compliance info from Intune)
  • Operating system of the device being used to sign in
  • Location or IP ranges of sign-in
  • Client app used to sign in
  • Time of sign-in
  • Sign-in risk, which represents the probability that a given sign-in isnt authorized by the identity owner (calculated by Azure AD Identity Protections multiple machine learning or heuristic detections)
  • User risk, which represents the probability that a bad actor has compromised a given user (calculated by Azure AD Identity Protections advanced machine learning that leverages numerous internal and external sources for label data to continually improve)
  • More factors that we will continually add to this list

Conditional access policies are evaluated in real-time and enforced when a user attempts to access any Azure AD-connected application, for example, SaaS apps, custom apps running in the cloud, or on-premises web apps. When suspicious activity is discovered, Azure AD helps take remediation actions, such as block high-risk users, reset user passwords if credentials are compromised, enforce Terms of Use, and others.

The decision to grant access to a corporate application is given to client devices in the form of an access token. This decision is centered around compliance with the Azure AD conditional access policy. If a request meets the requirements, a token is granted to a client. The policy may require that the request provides limited access (e.g., no download allowed) or even be passed through Microsoft Cloud App Security for in-session monitoring.

Microsoft Intune

Microsoft Intune is used to manage mobile devices, PCs, and applications in an organization. Microsoft Intune and Azure have management and visibility of assets and data valuable to the organization, and have the capability to automatically infer trust requirements based on constructs such as Azure Information Protection, Asset Tagging, or Microsoft Cloud App Security.

Microsoft Intune is responsible for the enrollment, registration, and management of client devices. It supports a wide array of device types: mobile devices (Android and iOS), laptops (Windows and macOS), and employees BYOD devices. Intune combines the machine risk level provided by Windows Defender ATP with other compliance signals to determine the compliance status (isCompliant) of the device. Azure AD leverages this compliance status to block or allow access to corporate resources. Conditional access policies can be configured in Intune in two ways:

  • App-based: Only managed applications can access corporate resources
  • Device-based: Only managed and compliant devices can access corporate resources

More on how to configure risk-based conditional access compliance check in Intune.

Conditional access at work

The value of conditional access can be best demonstrated with an example. (Note: The names used in this section are fictitious, but the example illustrates how conditional access can protect corporate data and resources in different scenarios.)

SurelyMoney is one of the most prestigious financial institutions in the world, helping over a million customers carry out their business transactions seamlessly. The company uses Microsoft 365 E5 suite, and their security enterprise admins have enforced conditional access.

An attacker seeks to steal information about the companys customers and the details of their business transactions. The attacker sends seemingly innocuous e-mails with malware attachments to employees. One employee unwittingly opens the attachment on a corporate device, compromising the device. The attacker can now harvest the employees user credentials and try to access a corporate application.

Windows Defender ATP, which continuously monitors the state of the device, detects the breach and flags the device as compromised. This device information is relayed to Azure AD and Intune, which then denies the access to the application from that device. The compromised device and user credentials are blocked from further access to corporate resources. Once the device is auto-remediated by Windows Defender ATP, access is re-granted for the user on the remediated device.

This illustrates how conditional access and Windows Defender ATP work together to help prevent the lateral movement of malware, provide attack isolation, and ensure protection of corporate resources.

Azure AD applications such as Office 365, Exchange Online, SPO, and others

The executives at SurelyMoney store a lot of high-value confidential documents in Microsoft SharePoint, an Office 365 application. Using a compromised device, the attacker tries to steal these documents. However, conditional access tight coupling with O365 applications prevents this from taking place.

Office 365 applications like Microsoft Word, Microsoft PowerPoint, and Microsoft Excel allow an organizations employees to collaborate and get work done. Different users can have different permissions, depending on the sensitivity or nature of their work, the group they belong to, and other factors. Conditional access facilitates access management in these applications as they are deeply integrated with the conditional access evaluation. Through conditional access, security admins can implement custom policies, enabling the applications to grant partial or full access to requested resources.

Figure 3. Zero Trust network model for Azure AD applications

Line of business applications

SurelyMoney has a custom transaction-tracking application connected to Azure AD. This application keeps records of all transactions carried out by customers. The attacker tries to gain access to this application using the harvested user credentials. However, conditional access prevents this breach from happening.

Every organization has mission-critical and business-specific applications that are tied directly to the success and efficiency of employees. These typically include custom applications related to e-commerce systems, knowledge tracking systems, document management systems, etc. Azure AD will not grant an access token for these applications if they fail to meet the required compliance and risk policy, relying on a binary decision on whether access to resources should be granted or denied.

Figure 4. Zero Trust network model expanded for line of business apps

On-premises web applications

Employees today want to be productive anywhere, any time, and from any device. They want to work on their own devices, whether they be tablets, phones, or laptops. And they expect to be able to access their corporate on-premises applications. Azure AD Application Proxy allows remote access to external applications as a service, enabling conditional access from managed or unmanaged devices.

SurelyMoney has built their own version of a code-signing application, which is a legacy tenant application. It turns out that the user of the compromised device belongs to the code-signing team. The requests to the on-premises legacy application are routed through the Azure AD Application Proxy. The attacker tries to make use of the compromised user credentials to access this application, but conditional access foils this attempt.

Without conditional access, the attacker would be able to create any malicious application he wants, code-sign it, and deploy it through Intune. These apps would then be pushed to every device enrolled in Intune, and the hacker would be able to gain an unprecedented amount of sensitive information. Attacks like these have been observed before, and it is in an enterprises best interests to prevent this from happening.

Figure 5. Zero Trust network model for on-premises web applications

Continuous innovation

At present, conditional access works seamlessly with web applications. Zero Trust, in the strictest sense, requires all network requests to flow through the access control proxy and for all evaluations to be based on the device and user trust model. These network requests can include various legacy communication protocols and access methods like FTP, RDP, SMB, and others.

By leveraging device and user trust claims to gate access to organizational resources, conditional access provides comprehensive but flexible policies that secure corporate data while ensuring user productivity. We will continue to innovate to protect the modern workplace, where user productivity continues to expand beyond the perimeters of the corporate network.

 

 

Sumesh Kumar, Ashwin Baliga, Himanshu Soni, Jairo Cadena
Enterprise & Security

Cybercriminals Steal the Show! 26 Million Ticketfly Customers’ Data Compromised in Massive Breach

When we find out our favorite artist is coming to town, we immediately head to the web to snatch up a ticket to their show. This where ticket distribution services, such as Ticketmaster and TicketFly, become handy, as they allow us to easily input our information to claim a spot for the show. But as of this week, users of the latter company are unfortunately now dealing with that very information being compromised by a massive data breach. In fact, Troy Hunt, founder of “Have I Been Pwned,” discovered that a hacker posted several Ticketfly database files to a public server online.

This attack first began with an unnamed hacker informing Ticketfly of a security vulnerability and demanding a ransom of one bitcoin to reveal the flaw and help fix it. This threat was met with no response. Following which, the hacker then defaced the site, prompting the company to take it offline, and stole piles of Ticketfly customer data in the process.

In addition to a whopping 26 million email addresses, this stolen data includes users’ names, phone numbers, home and billing addresses. As of now, no financial information has been published publicly by the hacker, but he or she has threatened to post more data if they are not paid their ransom.

So, with this personal information out in the open and potentially more still to come, what can these Ticketfly customers do to ensure they protected their data? Start by following these tips:

  • Keep an eye out for sketchy emails. One way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Set up an alert. Though this hacker has not published financial data, that doesn’t mean he or she may not still have it on hand. Therefore, if you’re a Ticketfly user, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft solution. With this breach, Ticketfly users may be faced with the possibility of identity theft. That’s precisely why they should leverage an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Cybercriminals Steal the Show! 26 Million Ticketfly Customers’ Data Compromised in Massive Breach appeared first on McAfee Blogs.

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potential hefty financial penalties for breaching its requirements is firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all have received in recent weeks, on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant as obtaining "explicit consent" from the data subject. So there is a long way to go for many organisations before they become truly GDPR compliant state based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming in force, was the release of new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.

Always make sure your Broadband Router\Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches, otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced with month, after a DNS flaw in over 800,000 Draytek Routers has allowed hackers to take them over, malware called VPNFilter has infected 500,000 routers, and serious vulnerabilities has been reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. As quite frankly any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert twitter account crossed the 10,000 follower threshold Twitter advised 300 million users to reset their passwords after internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of using a hashed value for the password, as per best practice. I always strongly recommend Twitter users to take advantage and use the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS Attacks at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks
Some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Insider Threat at Coca-Cola Compromises 8,000 Employees’ Information

Cybercrime is often seen as a battle of good versus evil – a hacker tries to infiltrate a system while cyber defenders work hard to fend them off. Sometimes, data breaches are the work of these cybercriminals, and other times they’re caused by an actual employee of the affected company – something we like to call an insider threat. Just this past week, popular soft drink producer Coca-Cola announced that they were facing exactly that: an insider threat in the form of a former employee found carrying a personal hard drive of worker data.

So far, we know that this employee uploaded the data of their fellow coworkers onto an external hard drive, which they took with them when departing the company. According to a company representative, “the type of stolen and exposed data varies per employee.” And though there are no more known specifics around the data, we do know that this theft impacts 8,000 individual Coca-Cola employees.

As of now, Coca-Cola says it’s been working with law enforcement to dig into the details of this insider threat, but in the interim, these employees need to start taking proactive steps to protect their personal information. In order to do just that, follow these basic security tips:

  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Freeze your credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.`
  • Consider an identity theft protection solution. With their personal information floating around, these employees could be faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.


{
"metadata": {
"id": "85576554-caea-4ff0-b59a-9fa580469932",
"version": "1.0",
"ep": "ta",
"lang": "en-us",
"original-url": "https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/insider-threat-at-coca-cola-compromises-information/",
"author": "Gary Davis",
"author-page": "https://securingtomorrow.mcafee.com/author/gary-davis/",
"category": "Consumer Threat Notices",
"draft": "false",
"authordetail": "Gary Davis is Chief Consumer Security Evangelist. Through a consumer lens, he partners with internal teams to drive strategic alignment of products with the needs of the security space. Gary also provides security education to businesses and consumers by distilling complex security topics into actionable advice. Follow Gary Davis on Twitter at @garyjdavis",
"tinyimage": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/06/img_400X300.jpg",
"feedimageurl": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/06/img_400X300.jpg",
"pubDate": "Thur, 31 May 2018 12:35:48 +0000"
}
}

The post Insider Threat at Coca-Cola Compromises 8,000 Employees’ Information appeared first on McAfee Blogs.

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help 
Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organizations outside of Europe that handle the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizen's personal data or allow EU citizens sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3  provides practical application development techniques that can alleviate an application's privacy risk.

Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botch upgraded to their online banking system, which meant the Spanished owned bank had to shut down their online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than million customer accounts following a breach by hackers, US Sun Trust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklist China's state-owned firm ZTE, warning UK telecom providers usage of ZTE's equipment could pose a national security risk. Interestingly BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russian of large-scale cyber-campaigns, aimed at compromising vast numbers of the Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware i.e. Zeus, TrickBot, Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.  

A concerning report by the EEF said UK manufacturer IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers already had been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens to the door cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy

A huge part of modern-day customer service is the chat functionality, which allows customers to converse easily with representatives of the organization in order to find a solution to their problem. This chat functionality is often a service offered by a third-party provider. And just last week, one of these service providers, [24]7.ai, reported that an unspecified cyberattack affected online payment data collected by a “small number of our client companies.” A few of these companies include Delta Airlines, Sears, Kmart, and Best Buy.

The breach was the result of an unspecified malware attack on the service’s chat tool, which occurred between Sept. 26 and Oct. 12, 2017. The malware permitted cybercriminals to obtain unauthorized access to customer data, including payment card numbers, CVV numbers, and expiration dates, in addition to customers’ names and addresses.

Delta Airlines, Sears, Kmart, and Best Buy all have not yet determined how many customers have been impacted so far. But it is believed to be totaling up to hundreds of thousands. So, for those who have been affected – what are the next steps? Start by following these security tips here:

  • Place a Fraud Alert. If you know your data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account. Then, make sure you correct your credit report by filing a dispute with each of the three credit bureaus.
  • Freeze Your Credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy appeared first on McAfee Blogs.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations, government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, which 157,000 customer details were stolen. And the company were told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers were exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they were soft targets for cybercriminals, experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There has been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang the ran the Carbanak and Cobalt bank target malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

MyFitnessPal, Panera Bread, Saks Fifth Avenue: What to Know About the Recent Data Breaches

This blog has been updated as of 4/4.

Practically everything has become digitized in 2018. We’ve developed thousands of health apps and gadgets to help monitor our fitness, implemented online ordering services for restaurants, the list goes on. And just this past week – two of these very innovations have been breached for customer data, as well as two traditional brick-and-mortar sites. MyFitnessPal, Panera Bread, and Saks Fifth Avenue and Lord & Taylor have all been faced with data breaches, which have compromised millions of customers.

Let’s start with MyFitnessPal. Just last week, it was revealed that 150 million accounts for the health app and site were breached. As of now, few details have emerged about how the attack happened or what the intention was behind it. While the breach did not compromise financial data, large troves of other personal information were affected. The impacted information included usernames, email addresses, and hashed passwords.

MyFitnessPal, which is a subsidiary of Under Armour, has notified affected customers of the breach (see below), and Under Armour has released an official statement making the public aware of the attack as well.

Then there’s Panera Bread. The popular food chain actually leaked customer data on their website in plain text. This data includes names, email addresses, home addresses, birth dates and final four credit card digits. It’s not clear whether anyone malicious actually accessed any of this data yet, which was supplied by customers who had made online accounts for food delivery and other services. What’s more – a security researcher first flagged this error to Panera Bread eight months ago, which did not acknowledge it until just now. And though the initial number of impacted users was said to be fewer than 10,000 customers, security reporter Brian Krebs estimates that as many as 37 million Panera members may have been caught up in the breach.

Finally there’s Saks Fifth Avenue and Lord & Taylor. A group of cybercriminals has obtained more than five million credit and debit card numbers from customers of the two high-end clothing stores. It appears this data was stolen using software that was implanted into the cash register systems at brick-and-mortar stores and siphoned card numbers.

So, for the millions of affected MyFitnessPal, Panera Bread, and Saks and Lord & Taylor customers, the question is – what next? There are a few security steps these users should take immediately. Start by following these pointers below:

  • Change your password immediately. If you are a MyFitnessPal or Panera Bread customer, you should first and foremost change the password to your account. Then, you should also change your password for any other account on which you used the same or similar information used for your MyFitnessPal or Panera Bread account.
  • Stay vigilant. Another way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

 

The post MyFitnessPal, Panera Bread, Saks Fifth Avenue: What to Know About the Recent Data Breaches appeared first on McAfee Blogs.

Don’t Get Duped: How to Spot 2018’s Top Tax Scams

It’s the most vulnerable time of the year. Tax time is when cyber criminals pull out their best scams and manage to swindle consumers — smart consumers — out of millions of dollars.

According to the Internal Revenue Service (IRS), crooks are getting creative and putting new twists on old scams using email, phishing and malware, threatening phone calls, and various forms of identity theft to gain access to your hard earned tax refund.

While some of these scams are harder to spot than others, almost all of them can be avoided by understanding the covert routes crooks take to access your family’s data and financial accounts.

According to the IRS, the con games around tax time regularly change. Here are just a few of the recent scams to be aware of:

Erroneous refunds

According to the IRS, schemes are getting more sophisticated. By stealing client data from legitimate tax professionals or buying social security numbers on the black market, a criminal can file a fraudulent tax return. Once the IRS deposits the tax refund into the taxpayer’s account, crooks then use various tactics (phone or email requests) to reclaim the refund from the taxpayer. Multiple versions of this sophisticated scam continue to evolve. If you see suspicious funds in your account or receive a refund check you know is not yours, alert your tax preparer, your bank, and the IRS. To return erroneous refunds, take these steps outlined by the IRS.

Phone scams

If someone calls you claiming to be from the IRS demanding a past due payment in the form of a wire transfer or money order, hang up. Imposters have been known to get aggressive and will even threaten to deport, arrest, or revoke your license if you do not pay the alleged outstanding tax bill.

In a similar scam, thieves call potential victims posing as IRS representatives and tell potential victims that two certified letters were previously sent and returned as undeliverable. The callers then threaten to arrest if a payment the victim does not immediately pay through a prepaid debit card. The scammer also tells the victim that the purchase of the card is linked to the Electronic Federal Tax Payment System (EFTPS) system.

Note: The IRS will never initiate an official tax dispute via phone. If you receive such a call, hang up and report the call to the IRS at 1-800-829-1040.

Robo calls

Baiting you with fear, scammers may also leave urgent “callback” requests through prerecorded phone robot or robo calls, or through a phishing email. Bogus IRS robo often politely ask taxpayers to verify their identity over the phone. These robo calls will even alter caller ID numbers to make it look as if the IRS or another official agency is calling.

Phishing schemes

Be on the lookout for emails with links to websites that ask for your personal information. According to the IRS, thieves now send very authentic-looking messages from credible-looking addresses. These emails coax victims into sharing sensitive information or contain links that contain malware that collects data.

To protect yourself stay alert and be wary of any emails from financial groups or government agencies Don’t share any information online, via email, phone or by text. Don’t click on random links sent to you via email. Once that information is shared anywhere, a crook can steal your identity and use it in different scams.

Human resource/data breaches

In one particular scam crooks target human resource departments. In this scenario, a thief sends an email from a fake organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.  This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES). 

Using the collected data criminals then attempt to file fraudulent tax returns to claim refunds. Or, they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and Social Security Numbers to commit other identity theft related crimes. While you can’t personally avoid this scam, be sure to inquire about your firm’s security practices and try to file your tax return early every year to beat any potentially false filing. Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

As a reminder, the IRS will never:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

If you are the victim identity, theft be sure to take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS to phishing@irs.gov (and then delete the emails).

This post is part II of our series on keeping your family safe during tax time. To read more about helping your teen file his or her first tax return, here’s Part I.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Don’t Get Duped: How to Spot 2018’s Top Tax Scams appeared first on McAfee Blogs.

Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected

We all love a good getaway, and as we look ahead to spring and summer, most of us are already planning our next vacation. To do that, we’ll tap one of the many online travel agencies out there to help us organize our plans. Only now, some travel-goers may have to stop trip planning so they can start planning for credit monitoring, as one of the most popular travel agencies, Orbitz.com, was hit with a data breach that may have exposed as many as 880,000 payment cards.

The online travel agency reported two separate data disclosures, as an attacker may have accessed customers’ personal information shared on Orbitz.com and a handful of associated websites between Jan. 1, 2016 between Dec. 22, 2016.

What’s more – in addition to the payment cards, hackers may have also stolen customers’ full name, date of birth, phone number, email address, physical and/or billing address and gender information. Now, with all this personal information potentially out in the open, it’s important affected customers start thinking about protecting their personal identities. To do just that, follow these tips:

  • Regularly review your online account info. Things like regularly reviewing transactions online and making sure account contact info hasn’t changed are good for keeping tabs on anyone trying to hijack your account.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With this breach and others before it, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected appeared first on McAfee Blogs.

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison, after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleased guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas had happened in September 2015th after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway found Gonzalez in possession of 15 counterfeit Chase ATM cards and $3,000 in cash. (See case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in his 53 page appeal that he files March 24, 2011 from his prison cell in Milan, Michigan.

At one point, he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and he couldn't afford to pay it.  According to his appeal, he claims Ward told him to "Go do your thing, just don't get caught" and that Agent Ward later asked him if he had "handled it." Because of this, Gonzalez (who again, according to his own sentencing memo, likely has Asperger's) claims he believed that he had permission to hack, as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payments Systems and stole around 130 million credit and debit cards.  He was also charged with hacking 7-Eleven (August 2007), Hannaford Brothers (November 2007) where he stole 4.2 million credit and debit cards. Two additional data breaches against "Company A" and "Company B" were also listed as victims.  In Gonzalez's indictment, it refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia."  Another co-conspirator "PT" was later identified as Patrick Toey, a resident of Virginia Beach, VA.  (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "Cash out trip" working for Albert Gonzalez in 2003. Toey describes being a high school drop out who smoked marijuana and drank heavily who was "put on a bus to New York" by his mother to do the cash out run because she needed rent money.  Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey.  Another point of Gonzalez's appeal was to say that Maksik was tortured by Turkish police, and that without said torture, he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested.  Gonzalez claims that he suffered from an inadequate defense, because his lawyer should have objected to the evidence "obtained under torture."  These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and proved that Gonzalez was part of the Dave & Buster's data breach

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions" and asserting that his criminal behavior "was consistent with description of the Asperger's discorder" and that he exhibited characteristics of "Internet addiction."  Two weeks later, after fighting that the court could not conduct their own psychological exam, Gonzalez signed a guilty plea, agreeing that the prosecutor would try to limit his sentence to 17 years. He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050) scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but due to criminals still at large, the indictment was not unsealed until December 18, 2013. HACKER 1 was Drinkman.  HACKER 2 was Alexandr Kalinin, who was also indicted with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:
VictimDateDamages
NASDAQMay 2007  loss of control
7-ELEVEN August 2007
Carrefour October 2007 2 million cards
JCPenneyOctober 2007
HannafordNovember 2007 4.2 million cards
Wet SealJanuary 2008
CommideaNovember 2008 30 million cards
Dexia Bank BelgiumFeb'08-Feb'09
Jet BlueJan'08 to Feb '11
Dow Jones2009
EuroNetJul '10 to Oct '11  2 million cards
Visa JordanFeb-Mar '11  800,000 cards
Global Payments SystemsJan '11 to Mar '12
Diners Club SingaporeJun '11
IngenicardMar '12 to Dec '12

During the time of these attacks, Dimitry Smilianets was also leading the video game world.  His team, The Moscow 5, were the "Intel Extreme Masters" champions in the first League of Legends championship, also placing in the CounterStrike category.   Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole.  Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

 How did these databreaches work?


Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack like this:

But my friend Daniel Clemens had explained these same phases to me when he was teaching me the basics of Penetration Testing years before when he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scan for Internet-facing SQL servers
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses, they caused a set of additional tools to be downloaded from the Internet
3. Internal Recon - these tools included a Password Dumper, Password Cracker, Port Scanner,  and tools for bulk exporting data
4. Expand (Dan calls this "Creating a Stronghold")  - usually this consisted with monitoring the network until they found a Domain Admin userid and password.  (for example, in the Heartland Payments attack, the VERITAS userid was found to have the password "BACKUP" which unlocked every server on the network!
5. Dominate - Gonzalez' crew would then schedule an SQL script to run a nightly dump their card data
6. Exfiltrate - data sent to remote servers via an outbound FTP.

In Rolling Stone, Gonzalez claims he compromised more than 250 networks
In the Rolling Stone article, "Sex, Drugs, and the Biggest Cybercrime of All Time" , Steven Watt, who was charged in Massachusetts for providing attack tools to Gonzalez in October 2008.  Watt's tools were used in breaches, including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax.  As part of his sentencing, Watt was ordered to repay $171.5 Million dollars.

Almost all of those databreaches followed the same model ... scan, SQL Inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data. 

How did the TARGET Data breach happen, by the way?  Target is still listed as being "Unsolved" ...   but let's review.  An SQL injection led to downloaded tools, (including NetCat, PSExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner (for finding database servers), and Microsoft's OSQL and BCP (Bulk Copy)), a Domain Admin password was found (in Target's case, a BMC server monitoring tool running the default password), the POS Malware was installed, and data exfiltration begun. 

Sound familiar???

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators? or are they in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.

Cyber Security Roundup for December 2017

UK supermarket giant Morrisons, lost a landmark data breach court case in December after a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost it could open up the possibility of further class action lawsuits cases by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages after personal data losses by companies through the courts as well. After May 2018, the GDPR grants individuals the right sue companies for damages following personal data breaches. So we can expect 'ambulance chasers' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches, it well could become the new "P.P.I. industry"

Any businesses or individuals using Kaspersky should be aware the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping their free offering of Kaspersky anti-virus products to its customers. 2017 saw Cyber Security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devasting WannaCry attacks earlier in the year, personally, I blame poor patch management and hackers, not the North Korea cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims of Mr.Green accessed porn on his Parliment computer. This was activity was reported by a retired Police officer, which was said to be a breach of the data protection act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by ICO to MPs on password sharing. 

The fact illicit websites were not blocked by Parliament systems is one concerning lack security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to be understanding the risk and setting laws to protect UK citizens from cyber attacks and data breaches. Its another "slap palm on head" after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrencies values, which has placed cryptocurrency brokers and user crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in the cyber-attacks. I think we can expect further cryptocurrencies attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new, however, the German Intelligence Agency (BfV) said it had spotted China were using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, Hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patches releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stays ahead of enterprising cybercriminals, the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw Open Web Application Security Project (OWASP) finally released an updated version to its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for October 2017

State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800 strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership are using cyber warfare to up the political ante with their ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the stealing US War Plans from South Korea, and for a spear phishing campaign against the US Power Grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft of Australian F-35 fighter jet, in what is described as an 'extensive' Cyberattack. The finger was pointed at Iran for the recent Parliamentary Emails cyber attacks in the UK, meanwhile, EU governments venting their cyber concern, warning that Cyber Attacks can be an Act of War.

Stephen Hawking caused controversy in both the science and tech industry last year when he said Artificial Intelligence could be a serious threat to human existence, could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the Captcha Security Check system. Personally, I believe both AI and Quantum Computing will pose significant new threats to cybersecurity space in the next decade.

A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing, even though Equifax technical staff were specifically warned about a critical Apache Struts (web server) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of vulnerability to steal the Equifax data on mass. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed all 3 Billion of its user accounts had in fact been breached, in what is truly an astonishing mammoth sized hack, biggest in all history, so far. Elsewhere on the commercial hacking front, Pizza Hut's website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million its users from as far back as 2007.

It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and the Ukraine at the moment. BadRabbit is the latest network self-propagating malware, like NotPeyta and WannaCry, to use the NSA EternalRomance hacking tool. A massive new IoT botnet was discovered, its continued growth is fuelled by malware said to be more sophisticated than previous IoT botnet king, Mirai. Russian based threat actor group APT28 is said to be targeting the exploitation of a recently patched Adobe vulnerability (CVE-2017-11292), in using malicious Microsoft Word attachment, so ensure you keep on top of your system patching and always be careful when opening email attachments. 

Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:
  • The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
  • Led UK response to WannaCry
  • Advice website with up to 100,000 visitors per month
  • Three-day Cyber UK Conference in Liverpool
  • 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
  • Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
  • 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
  • Worked with 50 countries, including signing Nato's MoU
NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax’s negligence in not applying security updates to servers. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK Equifax faces investigations and the prospect of significant fines by both the Financial Conduct Authority and the Information Commissioner's Office over the loss of UK customer financial and personal data respectively.

Hackers stole a quarter of a million Deloitte client emails, follow the breach Deloitte was criticised by security professional for not adopting two-factor authentication to protect the email data which they hosted in Microsoft’s Azure cloud service.

September was an extremely busy month for security updates, with major patches releases by Microsoft, Adobe, Apache, Cisco and Apple to fix an array of serious security vulnerabilities including BlueBorne, a Bluetooth bug which exposes billions of devices to man-in-the-middle attacks.

UK government suppliers using Kaspersky to secure their servers and endpoints may well be feeling a bit nervous about the security software after Kaspersky was banned by US Government agencies. The US Senate accused the 20-year-old Russian based security company as being a pawn of the Kremlin and posing a national risk to security. Given the US and UK intelligence agency close ties, there are real fears it could lead to a similar ban in the UK as well. A UK ban could, in theory, be quickly extended to UK government suppliers through the Cyber Essentials scheme, given the Cyber Essentials accreditation is required at all UK government suppliers.

While on the subject of the Russia, the English FA has increased its cybersecurity posture ahead of next year's World Cup, likely due to concerns about the Russian Bears hacking group. The hacking group has already targeted a number of sports agencies in recent months, including hacking and releasing football player's world cup doping reports last month. 

In the last couple of weeks, I was Interviewed for Science of Security, and I updated my IBM Developer Works article on Combating IoT Cyber Threats.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 5 of 5.

Q. What keeps you up at night in the context of the cyber environment that the world finds itself in?
The growing dependence and integration of connected computers within our daily lives, means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life integrated emerging technologies, from driverless cars and countless new home IoT devices. I fear it will only be a matter time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning, this cyber attack directly caused the closure of accidental and energy departments and the cancellation of operations. The future threats posed artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye as these technologies continue to progress.

Science of CyberSecurity: Reasons Behind Most Security Breaches

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 2 of 5.

Q. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
Simply put insecure IT systems and people are behind every breach, insecure IT systems are arguably caused by people as well, whether it is poor system management, lack of security design, insecure coding techniques, and or inadequate support, it all boils down to someone not doing security right. For many years seasoned security experts have advocated that people are the weakest link in security, even hackers say ‘amateurs hack systems, professionals hack people’, yet many organisations still focus most of their resources and funds heavily on securing IT systems over providing staff with sustained security awareness. Maybe this is a result of an IT security sales industry over hyping the effectiveness of technical security solutions. I think most organisations can do more to address this balance, starting with better understanding the awareness level and risk posed by their employees. For instance, the security awareness of staff can be measured by using a fake phishing campaign to detect how many staff would click on a link within a suspicious email. While analysing the root causes of past cyber security incidents is a highly valuable barometer in understanding the risk posed by staff, all can be used as inputs into the cyber risk assessment process.

When the Press Aids the Enemy

Let's start with this- Freedom of the press is a critical part of any free society, and more importantly, a democratically governed society.

But that being said, I can't help but think there are times when the actions of the media aid the enemy. This is a touchy subject so I'll keep it concise and just make a few points that stick in my mind.

First, it's pretty hard to argue that the media looks for ever-more sensational headlines, truth be damned, to get clicks and drive traffic to their publication. Whether it's digital or actual ink-on-paper sensationalism sells, there's no arguing with that.

What troubles me is that like in the war on terrorism, the enemy succeeds in their mission when the media creates hysteria and fear. This much should be clear. The media tend to feed into this pretty regularly and we see this in some of the most sensational headlines from stories that should told in fact, not fantasy.


So when I came across this article on Buzzfeed called "The Messy Media Ethics Behind the Sony Hacks" it suddenly hit me - the media may very well be playing perfectly into the enemy's hands. The "Guardians of Peace" (GOP) in their quest to ruin Sony Pictures Entertainment have stolen an unfathomable amount of information. As Steve Ragan who has repeatedly written on about this and many other breaches tweeted that's 200Gb or 287,000 documents. That's mind-blowing.

This cache of data has proven to be yet-unreleased movies, marketing presentations, email exchanges between executives and attorneys, financial plans, employees' medical records and so much more. The GOP have made it clear their aim is to "punish" Sony Pictures Entertainment - and while we don't really have an insight as to the true motivations here, I think it's clear that releasing all this data is meant to severely negatively impact the business.

What has followed in the days since the announcement of the hack is a never-ending stream of "news" articles that I struggle to understand. There were articles like this one providing commentary and analysis on internal marketing department presentations. There were articles analyzing the internal and privileged (as far as I know, but I'm not a lawyer) communications between corporate legal counsel and Sony Pictures executives. There were articles talking about the release of SPE employee medical records. The hit-parade goes on and on... and I'm not linking over to any more of the trash because it embarrasses me.

Clearly, clearly, the mainstream media (and hell even the not-so-mainstream) have long lost their ethics. Some would claim that it's the "freedom of the press" that allows them to re-publish and discuss sensitive, internal documents. Others argue that since it's already in the public domain (available on BitTorrent) then it's fair game. Note: This was discussed during the Snowden release - and it was clear that classified information released to the public domain does not suddenly lose its classified status. I'm fairly certain this easily applies to the not-national-security type of assets as well. To be honest, this argument makes me question the intellectual integrity of some of the people who make it.

Anyway, back to my point. If the GOP wanted to destroy Sony Pictures Entertainment then hacking in and releasing secret information and intellectual property was only half the battle. The second half, unfortunately, is being picked up and executed by the media, bloggers, and talking heads putting out "analysis" on all this data. Publishing links to the hacked data, analyzing its contents, and looking for further embarrassing and ugly things to publish- the media should be ashamed of itself.

The hack alone wasn't going to damage SPEs image to where it has fallen now - the media is clearly complicity in this and it's a shame. I'm not an attorney so I question whether publishing and discussing confidential communications between an attorney and executive is ethical. Forget that, is it even legal? Journalists and bloggers continue to hide behind the "freedom of the press", and some folks even to blasting me for daring to question the absolute rights of the press. Except - the freedom of the press isn't absolute, as far as I know.

But whether it's legal, clearly there are ethical problems here. If you're in the media and you're poring over the confidential email communications stolen from Sony Pictures Entertainment systems, I emphasize stolen, and you're commenting on this - to what end? Arguing that the media is releasing this information because (a) it's already in the public domain and (b) it's "for the public good" is ludicrous.

Remember - while you're reveling in someone else's misery that you too may be a coincidental victim one day. Then it'll be your turn to have your private information released and analyzed and attacked as part of the next breach. Your recourse? None... Glass houses, journalists. Glass houses.

The Other Side of Breach Hysteria

In a world where everyone is trying to sell you something, security is certainly no exception. But separating the hype from the truth can easily turn into a full time job if you're not careful.

With all the recent retail data breaches, it would appear as though the sky is falling in large chunks right on top of us. Every big-name retailer, and even some of the smaller ones, are being hacked and their precious card data is bring whisked away to be sold to miscreants and criminals.

Now enter the sales and marketing pitches. After every breach it would seem our mailboxes fill up with subject lines such as-
"Learn how not to be the next , read how our latest gizmo will keep you secure!"
I don't know about you, but the snake-oil pitch is starting to get old. While it's clear that the average buyer is getting the message about data breaches and hackers - I believe there are two other aspects of this which aren't talked about enough.

First there is the notion of "breach fatigue". If you read the news headlines you would have thought that everyone's bank accounts would be empty by now, and everyone in the United States would have been the victim of identity theft by now. But they haven't. Or they haven't been impacted directly. This leads to the Chicken Little problem.

You see, many security professionals cried that security incidents did not receive enough attention. Then the media took notice, and sensationalized the heck out of incidents to an almost rock-star fervor. The issue here is that I believe people are starting to grow weary of the "Oh no! Hackers are going to steal everything I have!" talk. Every incident is the biggest there has ever been. Every incident is hackers pillaging and stealing countless credit card records and identities. The average person doesn't quite know what to make of this, so they have no choice but to mentally assume the worst. Then - over time - the worst never comes. Sure, some get impacted directly but there is this thing called zero fraud liability (in the case of card fraud) that means they are impacted - but barely enough to notice because their banks make it alright. More on this in a minute.

We as humans have a shocking ability to develop a tolerance to almost anything. Data breach hysteria is no exception. I've now seen and heard people around televisions (at airports, for example, where I happen to be rather frequently) say things like "Oh well, more hackers, I keep hearing about these hackers and it never seems to make a difference." Make no mistake, this is bad.

You see, the other side of the awareness hill, which we are rapidly approaching, is apathy. This is the kind of apathy that is difficult to recover from because we push through the first wave of apathy into awareness, and then hysteria, which leads to a much stronger version of apathy where we will be stuck - I believe. So there we are, stuck.

If I'm honest, I'm sick and tired of all the hype surrounding data breaches. They happen every day of every week, and yet we keep acting like we're shocked that Retailer X, or Company Y was breached. Why are we still even shocked? Many are starting to lose the ability to become shocked - even though the numbers of records breached and scale of the intrusions is reaching absurd proportions.

Second point I'd like to make is around the notion of individual impact. Many people simply say that "this still doesn't impact me" because of a wonderful thing like zero fraud liability. Those 3 words have single-handedly destroyed the common person's ability to care about their credit card being stolen. After you've had your card cloned, or stolen online and had charges show up - you panic. Once you realize your bank has been kind enough to put the funds back, or roll-back the fraudulent charges you realize you have a safety net. Now these horrible, terrible, catastrophic breaches aren't so horrible, terrible and catastrophic. Now they're the bank's problem.

Every time someone has a case of credit card fraud the bank covers under zero fraud liability (and let's face it, most cards and banks have this today) - their level of apathy for these mega-breaches grows. I believe this is true. I also believe there is little we can do about it. Actually, I'm not sure if there is anything that needs to be done about it. Maybe things are just the way they're going to be.

There is a great phrase someone once used that I'm going to paraphrase and borrow here - things are as bad as the free market will support. If I may adapt this to security - the security of your organization is as good (or bad) as your business and your customers will support.

Think about that.