thewayne: (Default)
Apparently. In March they brought in the company that is investigating the May-July breach. These seem to be the same intruders.

From Slashdot:
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)
Posted by BeauHD on Monday September 18, 2017 @05:20PM from the earlier-than-expected dept.
Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report:

Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.


https://it.slashdot.org/story/17/09/18/230234/equifax-suffered-a-hack-almost-five-months-earlier-than-the-date-it-disclosed

The Bloomberg original story has auto-start videos.
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
thewayne: (Default)
and apparently did not have an IT background. Her LinkedIn profile has been deleted, and apparently an effort is being made to purge her from the internet. It won't be entirely successful, but it'll slow information retrieval down. The article mentions that she spent 14 years in industry (we don't know in what industry), which means she could have picked up a fair amount of IT knowledge, but not as much as if she'd studied IT, gotten a degree, and earned a CISSP cert.

http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

https://it.slashdot.org/story/17/09/16/0244211/equifax-cso-retires-known-bug-was-left-unpatched-for-nearly-five-months


Also, scammers are calling people at random, claiming to be Equifax, wanting to verify your information. Obviously Equifax has better things to do right now than call you. Just hang up, don't give them your name or the time of day.

https://arstechnica.com/tech-policy/2017/09/ftc-opens-equifax-investigation-says-beware-of-equifax-calling-scams/


ETA: Apparently the Internet Archive Wayback Machine never cached her LinkedIn page, more's the pity. It says it has a page from September 9, but nothing is retrieved when you click on it.
thewayne: (Default)
It is indeed a doozy, perhaps the largest data privacy leak in history. Equifax has been collecting information on people for decades, and they do it without our express permission. But at the same time, they are used for credit scores and to generate bank decisions for our getting loans and such. Yet I never signed a contract with Equifax allowing them to collect information on me.

And they have, through zero fault of my own, personally screwed me over.

A couple of years ago my wife and I decided to shop car insurance. Our current insurer was doing some corporate shenanigans that we didn't care for, and it should have been possible to shave some bucks off our premiums, and it never hurts to shop. I called the car club AAA, we ran through my information, and they told me that they couldn't take me because I had three accidents on my record. I'm accident-free. Equifax had taken three accidents OF MY FATHER, whose name is Andrew Donald, and put them on my record, where my name is Donald Wayne. We lived at the same address some years back, but I was living in New Mexico at the time of the accidents and have never owned a Buick. As it happens, we were born in the same month, but not on the day and clearly not in the same year. No two digits in our birth date or year are the same. There's no reason to conflate us and put the accidents on to my record, except for pure sloppy processes.

So I have a pretty poor opinion of these credit bureaus.

What happened to Equifax is pretty simple. They built their consumer-facing web application on an open source software package called Apache Struts. Like virtually all software packages, bugs are found and patches are issued. A particularly big problem with Struts (the file-upload parsing bug, CVE-2017-5638, which lets an attacker run commands on the web server with a single crafted HTTP request) was patched in early March. Equifax's own timeline puts the intruders in its systems from mid-May through the end of July, approximately 2.5 months, with the patch available the whole time. Thus it is perfectly reasonable for Equifax to blame open source software for its breach. [sarcasm off] Struts is a server-side framework for Java web applications, and the fixed version does nothing until every application that bundles the old library is rebuilt and redeployed, which at a company like Equifax means literally hundreds of programs. Doing that is a tremendous PITA, but it MUST be done, otherwise shit like this happens. Apparently some management at Equifax didn't like to pay overtime, and now they have to cope with a tremendous amount of shit.
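The practical first step in that redeploy job is finding every copy of the library, because a patched framework on one server says nothing about the WAR file on the next one. The script below is an added example (mine, not Equifax's code and not part of the Apache project): it walks a deployment directory, pulls the version out of every struts2-core jar it finds, including jars packed inside .war/.ear archives where they usually hide, and reports the ones still inside the affected range from the Apache S2-045 advisory (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The sample directory tree it builds is constructed for the demo.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges from the Apache advisory for the March 2017 bug (S2-045, CVE-2017-5638),
# stored as half-open [lower, upper) tuples so versions compare as tuples of ints.
AFFECTED = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1)"""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def find_struts_jars(root):
    """Yield (location, version) for every struts2-core jar under root, looking
    both at loose jars and inside .war/.ear archives."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            match = JAR_RE.search(name)
            if match:
                yield path, match.group(1)
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        inner = JAR_RE.search(os.path.basename(member))
                        if inner:
                            yield f"{path}!{member}", inner.group(1)


def vulnerable_jars(root):
    """Sorted list of (location, version) still in the affected range."""
    return sorted((loc, ver) for loc, ver in find_struts_jars(root) if is_affected(ver))


def build_sample_tree(root=None):
    """Constructed sample deployment (not real data): one patched app, one loose
    old jar, and one WAR that bundles an old jar inside WEB-INF/lib."""
    root = Path(root or tempfile.mkdtemp())
    (root / "app1" / "WEB-INF" / "lib").mkdir(parents=True)
    (root / "app1" / "WEB-INF" / "lib" / "struts2-core-2.5.10.1.jar").write_bytes(b"")
    (root / "app2" / "lib").mkdir(parents=True)
    (root / "app2" / "lib" / "struts2-core-2.3.30.jar").write_bytes(b"")
    with zipfile.ZipFile(root / "app3.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.8.jar", b"")
        war.writestr("WEB-INF/lib/commons-lang3-3.5.jar", b"")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for loc, ver in vulnerable_jars(root):
        print(f"VULNERABLE {ver}: {loc}")
```

Run it against the real deployment root (for example the Tomcat webapps directory) instead of the sample tree; the point of also opening WAR files is that a "we updated the framework" claim usually means the shared copy, while each application ships its own in WEB-INF/lib.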

In some late-breaking news from this afternoon, Equifax's Chief Information Officer and Chief Security Officer are both "retiring", proving that for once, shit started at the top. In "there is occasionally some justice, or perhaps there will be" news, the Federal Trade Commission is investigating the breach. It will be interesting to find out what they learn, assuming they ever issue a report. I wonder if Congress will hold public hearings. The breach is being compared by some news agencies to Enron. According to the Reuters story, "Shares of Equifax fell 2.4 percent on Thursday and trading volume hit a record high. The shares have lost 32 percent since the company disclosed the hack on Sept. 7.

Senate Democratic leader Chuck Schumer compared Equifax to Enron, the U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud."


But you see, this is not just a problem for people in the USA. Equifax holds information on people in Canada and Mexico, and Argentina, and possibly other Latin American countries. And the BBC is reporting that 400,000 UK residents had information compromised in the theft, but their exposure was minimal and should not lead to identity theft. Well, we'll see about that! In Argentina, apparently an Equifax employee portal used the highly [in]secure account/password combination of admin/admin.

This is one of my favorite stories, and it may be behind a paywall since it's from the Wall Street Journal. Here's the Slashdot summary:

Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

The title of the story is "Equifax Lobbied for Easier Regulation Before Data Breach", it's by Michael Rapoport and AnnaMaria Andriotis. If you do a little searching, you might be able to find a copy.

Now, the breach itself is extremely bad. If you were compromised, and there's a very good chance that you were, then the information that was stolen includes your full name, Social Security number, birth date, current and previous addresses, and in some cases driver's license numbers. Information about you that never changes. Information about you that you use to apply for credit cards, loans, mortgages, JOBS. The best thing you can do is to approach all four credit bureaus (Equifax, Experian, TransUnion, and the smaller Innovis) and put a FREEZE, not monitoring, but a FREEZE, on your credit. That means no lender can pull your credit report, and so no new account can be opened in your name, until you temporarily lift the freeze with the PIN the bureau gives you. Monitoring only tells you after someone has already opened an account; a freeze stops it in the first place. It's about the best that you can do. Brian Krebs has an excellent post that he has to pull out a few times every year to discuss this. Definitely worth a read. Me? I'm unemployed. Banks would have to be idiots to issue credit under my information, still, I plan on freezing my accounts.

But that's not the worst.

For reasons unknown, Equifax had credit card numbers for roughly 209,000 U.S. consumers, from transactions dating back to last November, sitting on their servers, apparently unencrypted. PCI DSS only allows card numbers to be stored at all if they are rendered unreadable (encrypted, truncated, or tokenized), so that's a massive compliance failure on top of everything else.

And who knows, there may be more yet to come.

I won't bother providing links to the stories about surrendering your right to sue if you signed up for their monitoring service; that clause has been rescinded. There were at least two class-action lawsuits in development, along with a couple of state Attorneys General beginning investigations.

One more thing to mention: an op-ed piece by Bruce Schneier, a very well-known and respected expert on cryptography and privacy. He has some facts wrong, I think he wasn't as well-versed on the scope of the breach as perhaps he should have been when he wrote it. But at the beginning of the piece he talks about how the public are not customers of Equifax, we are what is being sold, and we have no say in the matter. And there are THOUSANDS of data brokers out there; we can't come close to naming all of them.

Equifax's feet will be in the fire for some time, I imagine.
thewayne: (Default)
Wednesday night I got an email from a friend whom I used to work with. She'd gone to a doctor that afternoon and their office was in a kind of chaos: the office had been hit by at least two different kinds of ransomware attacks. She wanted to know if I could help.

That night I did some research on the particular attacks, found out they were variants of the same core and both got in by brute-forcing weak Windows RDP (Remote Desktop Protocol) passwords. RDP is Microsoft's remote desktop service (TCP port 3389) that techs use to manage servers, and it is also one of the most heavily scanned and password-guessed services on the internet. It should NEVER be left open to the internet! Put it behind a VPN or restrict it on the firewall to known addresses, turn on Network Level Authentication, and set an account lockout policy so a guessing bot locks itself out. If it absolutely must be reachable from outside, then every account allowed to log in needs a VERY secure, i.e. LONG and random, password.

Obviously it did not.
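What the clinic had no way of seeing was the guessing itself, which shows up in the Windows Security log long before the encryption starts. The script below is an added example (mine, not the clinic's setup or any vendor's product) of the detection I'd want on a server with RDP exposed. It reads logon events in a simplified one-line-per-event format I made up for the demo (the real source would be Security log events 4625 failed / 4624 succeeded, logon type 10 = RemoteInteractive, exported with Get-WinEvent or forwarded to a SIEM), counts failures per source address in a sliding window, and separately flags the case that matters most: a source that crossed the threshold and then logged in.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events (not the real EVTX/XML layout):
# timestamp, event ID, logon type, target account, source address.
# 4625 = failed logon, 4624 = successful logon, type=10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2017-10-11T02:14:05 4625 type=10 user=administrator src=203.0.113.7
2017-10-11T02:14:06 4625 type=10 user=administrator src=203.0.113.7
2017-10-11T02:14:08 4625 type=10 user=admin src=203.0.113.7
2017-10-11T02:14:09 4625 type=10 user=sqlservice src=203.0.113.7
2017-10-11T02:14:11 4625 type=10 user=backup src=203.0.113.7
2017-10-11T02:14:15 4625 type=10 user=administrator src=203.0.113.7
2017-10-11T02:14:20 4624 type=10 user=administrator src=203.0.113.7
2017-10-11T08:02:10 4625 type=10 user=drsmith src=192.168.1.23
2017-10-11T08:02:40 4624 type=10 user=drsmith src=192.168.1.23
2017-10-11T09:30:00 4625 type=2 user=frontdesk src=-
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, user, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(event_id),
            "type": int(logon_type.split("=", 1)[1]),
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source address once it reaches `threshold` RDP logon failures inside a
    sliding `window`; report a later success from a flagged source on its own line."""
    recent = defaultdict(deque)      # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        q = recent[ev["src"]]
        if ev["id"] == 4625:
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], ev["time"]))
        elif ev["id"] == 4624 and ev["src"] in flagged:
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

Two caveats for running this for real: with Network Level Authentication turned on, a failed RDP password is usually recorded as logon type 3 (network) rather than 10, so widen the type filter to match your configuration; and a source that cycles through many different usernames with one or two attempts each (a password spray) never trips a per-account lockout, which is exactly why the counting here is per source address rather than per account.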

A friend of the doctor's is their main IT guy, but he's not local, and he's decent but not top drawer. This problem apparently was discovered before Wednesday, and their guy (let's call him Bob) was making a new server for them with the latest version of Windows Server and SQL Server. The software that their clinic uses is mainly based on SQL Server, and here's the really sucky part: it was running Windows Server 2008 R2 and SQL Server 2008. And plugged straight into a router to the internet. No hardware firewall, just the vendor-provided router.

*facepalm*

I didn't bother checking to see the patch level on their Windows Server 2008, it was kind of pointless. I did note that their SQL Server 2008 was well below the final patches that were released for it, not that it mattered as all of its databases had been encrypted.

The new router, though consumer grade, is fully patched. The new server is fully patched. A new Cisco firewall is on order. That's the best that we can do right now.

I was there Thursday from 11am to 8pm, then worked at home from 10pm to midnight copying, compressing (7zip), and uploading a big analytics file to a forensics company who sent us a utility to try and figure out what happened. Friday I only put in five hours, finishing up an inventory of all of the computers (which they didn't have) to figure out what should be tossed and what could be upgraded to get them all up to Windows 10 Pro and writing up some reports.

One woman complained to us that her computer was really slow. And it was. It was absolutely horribly slow! I was afraid that it had something nasty running under the covers, then I opened up Control Panel and did some poking around and found that it was a Pentium 4 with 2 gig of memory running Windows 10. The Performance Index, Satisfaction Index, whatever index, was 1.0. So we ordered her a new computer.

I always had a three-step plan when it came to buying computers to make them last longer and save money. When a new OS came out and the original started slowing down: add memory. That usually sped things up. Next OS comes out: install a better video card. Next OS comes out: buy a new computer. All of their computers are running at least 4 gig of memory, odds are they're all running a motherboard-based video card. I'm hoping we might be able to do memory upgrades and install some video cards and upgrade some of these for about $100-150 instead of tossing them. We shall see. I'll do some more inventory work next week now that we have a better idea as to what's out there.

This weekend I'm writing up a report more detailed than the single-page invoice that just had bullet points as to what I did. I'm also burning a DVD with bootable malware/virus inspection software that'll look deeper into the OS than something like Symantec can do, and since you're booting from read-only media, it'll look for boot kits that are otherwise invisible. I'll get to inspect all of the workstations! That'll make everyone oh so very happy to have their computer denied to them for however long it takes.

The tragic thing is that their backups weren't running properly because they had a terrible internet connection that couldn't handle the transfer. The software did a nightly backup to their vendor, but it had been failing. And they weren't doing anything locally, so they didn't really have a fall-back point to recover from. Their practice software vendor was able to restore from an earlier backup, but I don't know how successful that was in terms of how old and was there any corruption in it. I'll be finding that out Monday. This gets their patient information back, which is critical. And their insurance information is also processed online, so that should be safe. But anything stored locally may be lost.

And the horrible thing about that is the way the database is configured! I'm a database guy, I've been working with SQL Server for 25 years, since the first Microsoft version came out running on Lan Man/OS2. And the vendor has a VERY bad configuration. And I won't improve it unless they say it's OK. We're going to set up local backups, I've stressed upon the office manager the importance of rotating backup media and having a fire-proof safe in-house for storing said media. So eventually they'll be in a much better place.

The big question is whether or not they have to notify all their patients. I don't think this represents a HIPAA information spill. These ransomware encryptions are fully automated attacks by bots, I've never heard of data being exfiltrated and used for further extortion, that's a much more targeted attack. I'm going to have to tell the doctor who owns the practice to talk to his attorney and discuss this point because that's far outside of my ability to give him a recommendation.
thewayne: (Default)
Anyone who doesn't expect Trump facilities to get hit more in coming years raise your hand. Bueller? Anyone? It's been documented that Trump's facilities have lousy IT practices and terrible WiFi security, but hotels are particularly problematic. American hotels seem to be stuck with magnetic-stripe swiping rather than EMV chip readers. The chip greatly increases security because it signs each transaction with a one-time cryptogram, so whatever malware captures at the terminal can't be replayed or turned into a working counterfeit card. Until they upgrade, we'll be seeing hotel breaches regularly.

https://krebsonsecurity.com/2017/07/trump-hotels-hit-by-3rd-card-breach-in-2-years/
thewayne: (Default)
I'd never heard of, nor I think seen, a Buckle store, though theoretically they have locations at two malls that I occasionally visit. Anyway, same old story: malware in POS terminals, unknown number of cards have information compromised. Terminals were hacked for about six months, from late October last year to mid April '17.

It is important to note two things. All Buckle Stores have EMV readers: they can read the electronic chips in most, BUT NOT ALL, cards. Not all banks have adopted chips in cards. But worse yet, not all EMV readers HAVE THE READER TURNED ON! For example, the Walmart store in my area does not: you still have to swipe your card, which means that my card is vulnerable to compromise.

The reason for this is that vendors got greedy: they convinced merchants that they MUST upgrade their card readers to EMV compatibility! So the merchants did. But the vendors didn't tell them that actually enabling the chip reader takes a separate software upgrade, plus certification of that software with the merchant's payment processor, so many merchants never finished the second bit and their new chip readers still just swipe.

These hacks target magnetic stripe information because that data is really easy to copy onto new blank cards, which are then used in physical stores, where a counterfeit swipe looks like any other swipe. The card number and expiration date alone are also enough for online purchases. The fraudsters make their money by making big-dollar online purchases, like iPhones and Xboxes, having them shipped to money mules (those "make big dollars working from home" ads) who reship them overseas or return them to physical stores, convert the money to money orders while taking a percentage, then wire the money overseas. The mules are committing a felony by doing so, and every year many of them go to prison while the overseas contacts just vanish.

KMart was AGAIN recently compromised, which made me pause for some reflection. On the negative side, we get my wife's meds there every few weeks. But on the positive side, they implemented EMV, and we always use that, so our info was probably secure. And probably on the mega-negative side, the store is closing, so lots of jobs are going to be lost locally.

When stores have implemented EMV, and your card has an EMV chip, you usually cannot swipe it. So that's good.

So take a look at your wallet. Do any, and I mean ANY, of your cards not have chips? If they do not, complain to the issuing institution. The USA is the last country in the G20 to NOT REQUIRE EMV chips. And we have to put up with shitty hackers like this CONSTANTLY compromising our information. Banks really need to step up. Every time this happens it costs the banks money to reissue cards. And that means increased fees for bank customers.

https://krebsonsecurity.com/2017/06/credit-card-breach-at-buckle-stores/
thewayne: (Default)
Back in March, Brian Krebs posted an article titled Why I Always Tug On The ATM. It boils down to there being a limited number of ways that your credit card information can be stolen:

1. Financial institution is hacked
2. Malware is implanted on a merchant's network, possibly on point of sale (POS) card scanners
3. Hardware is covertly installed on or in POS card scanners

You can't do anything about #1. The first time my banking information was compromised was about seven years ago. I was at my parents' house in Phoenix, heading to Las Vegas to a convention, when I saw a charge on my checking account for $80ish at a truck stop in North Carolina, a state where I hadn't been in five years. Turns out that a check processing company in Albuquerque had been hacked and they managed to create a bank card from that info. That hack never hit the news.

#2 is the classic Target hack, though that was an extreme example where the criminals managed complete subversion of their cash register system. They could have done what North Korea did to Sony over the release of The Interview. Arby's, Wendy's, CiCi's, you name it. And you can't do anything about this, either.

#3 is something that you can attempt a bit of defense with.

Skimming comes in two flavors, an overlay or an insert. The overlays are easy. The criminals somehow manufacture a flimsy plastic module containing electronics, generally a card reader for capturing card information, a camera for capturing PINs, and a Bluetooth radio for transmitting the info. The whole thing can be quickly slipped over a card reader at a cashier station. It's a two or three man job: distract the cashier, obscure the overhead security camera, slip the shell over the reader. The shell is precisely made for specific models of card readers and will only fit on those models. There are a few 'tells' that help identify an overlay. The colors will be slightly off. It will feel like thin plastic. The graphics won't look quite right. The dimensions will be slightly off. If you pay attention to the card terminals that you use, you might notice these.

But the best way to notice is to tug. Give the terminal a squeeze and a pull. It should feel solid and it should be solidly anchored to the pedestal that it's secured to.

Gas stations are a slightly different problem. These will sometimes have overlays, so a visual inspection and a tug test is good, but they also may have internal skimmers. These are tiny circuit boards that are actually slipped in to the card slot that read the inserted card and store the info. They don't collect as much information as an overlay, but it's still enough to cause you problems with card theft, and it's not easy to spot these.

Gas stations have taken some defensive measures. You'll notice there are security tape seals where the panels open on the pumps to show they haven't been tampered with, but let's face it, it wouldn't be hard to make fakes of those. But they've also improved the design of the pump faces to try and make it harder for skimmers to be installed, ATM makers have also tried defensive design with varying success.
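What an overlay, an insert skimmer, or the POS malware in the Buckle and Kmart posts above is all collecting is the same thing: the two data tracks on the magnetic stripe. The parser below is an added example (mine, not anything from Krebs or from a terminal vendor) that shows what that data looks like and why it's so valuable. It finds Track 1 and Track 2 records (the ISO/IEC 7813 layouts) in an arbitrary buffer, runs the Luhn check to weed out random digit runs, decodes the expiration and service code, and reads the first service-code digit to tell whether the card carries a chip at all. The same two regular expressions are what a DLP or IDS rule uses to catch track data leaving a store network, which is the defensive use. The sample buffer is constructed and uses a well-known test card number.

```python
import re

# Track 1 (alphanumeric, starts %B) and Track 2 (numeric, starts ;) layouts per ISO/IEC 7813.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# First digit of the three-digit service code: 2 and 6 mean "integrated circuit card present".
CHIP_FIRST_DIGITS = {"2", "6"}


def luhn_ok(pan):
    """Mod-10 check digit test used on card numbers; cuts false positives on random digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the first six (issuer) and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_tracks(blob):
    """Return masked summaries of every Luhn-valid track record found in `blob`."""
    found = []
    for m in TRACK1_RE.finditer(blob):
        pan, name, yy, mm, svc, _disc = m.groups()
        if luhn_ok(pan):
            found.append({"track": 1, "pan": mask(pan), "name": name.strip(),
                          "expires": f"20{yy}-{mm}", "service_code": svc,
                          "chip_card": svc[0] in CHIP_FIRST_DIGITS})
    for m in TRACK2_RE.finditer(blob):
        pan, yy, mm, svc, _disc = m.groups()
        if luhn_ok(pan):
            found.append({"track": 2, "pan": mask(pan), "name": None,
                          "expires": f"20{yy}-{mm}", "service_code": svc,
                          "chip_card": svc[0] in CHIP_FIRST_DIGITS})
    return found


# Constructed sample: the 4111... test number (passes Luhn) on both tracks, plus a
# look-alike record whose number fails Luhn and is therefore ignored.
SAMPLE_BUFFER = (
    "...garbage...%B4111111111111111^DOE/JANE^2512201000000000000?..."
    ";4111111111111111=25122010000000000?...;1234567890123456=2512101?..."
)

if __name__ == "__main__":
    for rec in parse_tracks(SAMPLE_BUFFER):
        print(rec)
```

Note what a skimmer gets versus what it doesn't: everything needed to encode a counterfeit stripe is there, and the service code even tells the crook whether the real card is a chip card, but nothing on the stripe gets them a chip transaction.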

Brian Krebs' suggestion is that the best defense is to never use a debit card at a terminal that you don't have absolute confidence in; use a credit card instead. With a credit card, a fraudulent charge is the bank's money while the dispute is sorted out, and federal law caps your liability at $50 (which issuers usually waive). With a debit card the money comes straight out of your checking account, and your legal protection under Regulation E shrinks the longer it takes you to notice: $50 if you report within two business days, up to $500 within 60 days, and potentially unlimited after that. Your bank may voluntarily limit your liability beyond that, but it is not REQUIRED to by law. So you can trust your bank if you like, but you need to know that they don't have to back you.

Another way to defend yourself, if you have a fairly recent smartphone with Near Field Communications (NFC) and your merchant supports it, is to use Apple Pay or Google Pay. Microsoft tried to set up a wallet system, but it never gained traction and has been relegated to the dustbin of history. BE WARNED: these payment systems take a little getting used to! I set up Apple Pay last week: I've used it four times, I've been successful ONCE. I know how I failed the first time, and I suspect how I failed the other two times, so I think I have it figured out, but still, be prepared for a learning curve.

Apple has an exhaustive explanation of how their system works, and it is really elegant. Even if the POS terminal has malware installed, if you use Apple Pay the criminals get nothing usable. The phone never sends your card number at all: when you add a card, the card network issues a substitute number (Apple calls it the Device Account Number; the industry term is a payment token) that is stored in the phone's Secure Element, and each payment is signed with a one-time cryptogram tied to that transaction. The merchant forwards the token, the cryptogram, and the amount to your bank, which maps the token back to your real card, checks the cryptogram, and approves it. Anyone capturing that message at the terminal has a number that only works from your phone and a cryptogram that can't be reused, so your real card information is never exposed.

I'm sure Google's system works in a similar fashion, but the info that I easily found didn't go in to nearly as much detail as what I found with a casual search for Apple's system.
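To make the tokenization idea concrete, here is an added example (mine; it is a simplified model, not Apple's or the card networks' actual EMV cryptogram algorithm, which uses network-issued symmetric keys and a different MAC construction). The issuer side provisions a device with a substitute number and a key; the device signs each payment with an HMAC over the token, amount, merchant and a transaction counter; the issuer checks the counter and the HMAC before mapping the token back to the real card. The test-range card number and merchant IDs are constructed.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, token, amount, merchant, atc):
    """One-time proof for one payment: HMAC over everything the issuer will check."""
    data = f"{token}|{amount}|{merchant}|{atc}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Issuer-side service: maps device tokens back to real PANs and verifies cryptograms."""

    def __init__(self):
        self.tokens = {}          # token -> {"pan": ..., "key": ..., "last_atc": ...}

    def provision(self, pan):
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self.tokens[token] = {"pan": pan, "key": key, "last_atc": 0}
        return token, key

    def authorize(self, message):
        rec = self.tokens.get(message["token"])
        if rec is None:
            return "declined: unknown token"
        if message["atc"] <= rec["last_atc"]:      # counter must move forward: no replays
            return "declined: replayed cryptogram"
        expected = cryptogram(rec["key"], message["token"], message["amount"],
                              message["merchant"], message["atc"])
        if not hmac.compare_digest(expected, message["cryptogram"]):
            return "declined: bad cryptogram"
        rec["last_atc"] = message["atc"]
        return f"approved: PAN ending {rec['pan'][-4:]} charged {message['amount']}"


class Device:
    """The phone: holds token + key in its secure element and a transaction counter (ATC)."""

    def __init__(self, token, key):
        self.token, self.key, self.atc = token, key, 0

    def pay(self, amount, merchant):
        self.atc += 1
        return {"token": self.token, "amount": amount, "merchant": merchant, "atc": self.atc,
                "cryptogram": cryptogram(self.key, self.token, amount, merchant, self.atc)}


def demo():
    """Honest purchase, then the two things POS malware could try with a captured message."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision("4111111111111111")          # constructed test-range PAN
    phone = Device(token, key)

    msg = phone.pay("42.17", "MERCHANT-0001")
    results = [tsp.authorize(msg)]                           # the real purchase
    results.append(tsp.authorize(msg))                       # replay the captured message
    tampered = dict(msg, atc=msg["atc"] + 1, amount="999.00")
    results.append(tsp.authorize(tampered))                  # bump the counter, change the amount
    results.append(tsp.authorize(phone.pay("3.50", "MERCHANT-0002")))   # next honest payment
    return results, msg


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The message the merchant (and any malware on the terminal) sees contains the token and a cryptogram, never the PAN; replaying it fails on the counter, and editing it fails on the HMAC.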

And I have to tell you, the Apple method for registering a card was amazingly cool: take a picture of your credit card. I was sitting in my partially demolished computer area, in somewhat poor lighting, and it said to take a picture of your card. So I pulled out my personal debit card, and it read it perfectly. Done. Pulled out the debit card in my name for my wife's checking account. For some reason, within about a month of receiving it the gold paint on the letters is completely gone. There was no strong side lighting to provide contrast for the lettering, yet my iPhone 6S had no trouble reading the card! I was VERY impressed. The third card that I registered was my credit card, and that one also registered fine, except it got the expiration date wrong, and that was easy to correct.

You can also manually enter the card information.

You can also use Apple Wallet for concert tickets! I used them for Jethro Tull, which was convenient because I forgot to take the printouts. It looked to me like 75% of the people in line were using smart phones for their tickets.

iPhone 6 series and later, which includes the SE, have NFC. Apple Pay requires a passcode to be set on the phone, and then authorizes each payment with Touch ID (or the passcode) rather than making you unlock the whole phone. Androids running version 4.4 of the OS or later support NFC payments, provided the phone has the NFC hardware. I saw that sometimes Android updates can cause headaches for Wallet users.

Anyway, that's enough blathering. The best defense, of course, is to always pay in cash. But that brings up two problems: carrying large sums of cash, and do you get the cash from the bank, which may involve lots of inconvenience, or do you trust the ATM to not have been compromised?

It seems to be never-ending.

https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/
thewayne: (Default)
First, Kmart has once again found malware in their store point of sale systems. This is not a first for Kmart, and apparently does not affect online sales or their stores of their partner, Sears. Kmart is my wife's pharmacy, so I expect we'll be getting new cards from our bank in a month or two, which will mean Amazon resets and all the joy that entails.

https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/


The OneLogin breach is bad. OneLogin is a single sign-on / identity provider: employees log into it once and it logs them into everyone they do business with online, and it also stores credentials and secure notes for those services. Krebs reports the intruders got the ability to decrypt that stored data, so with this one violation every online account behind it is potentially compromised. Bad news. Very bad news for a lot of people and companies.

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/


Now, when it comes to knowing whether or not an online identity has been compromised, it's not easy to know. We use email addresses as logins to numerous web sites, but what gets compromised when a site gets hacked? The valuable information is the login identity and password. Passwords are usually stored hashed (a one-way transformation; the site checks your password by hashing it again and comparing) rather than encrypted, but sometimes they're stored as plain text. And a lot of people use the same password on lots of sites. Thus, a password that was used on Site A might work on Site B.

Even if the passwords are hashed, sometimes the site doesn't use what is known as a salt. In that case a precomputed table (a rainbow table is one compact form of it) can be run against the hash list: the attacker hashes a huge dictionary of known words, random words, words in Klingon, phrases from Shakespeare, etc. once, and then cracking any number of accounts is just a lookup. If one of those precomputed hashes matches a hash in the dump, they now know that password and can try that email address against an Amazon account or bank or whatever.

Salting a password is adding a random value, different for every user, to the password before hashing it, and storing the salt alongside the hash. The salt isn't secret; its job is to make the precomputed table useless, because the hash of MyPassword with one salt and the hash of MyPassword with another salt are completely different values, so every guess has to be re-hashed per user, and two users with the same password no longer share a hash. (Appending a fixed value like '123' to everyone's password is not a salt; the attacker just builds one new table.) A good site also uses a deliberately slow hash such as bcrypt, scrypt, or Argon2 so each guess costs real time. And if you use the password MyPassword, DON'T. It's a ridiculously easy password to crack. But I'm not going to talk about strong passwords right now.
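The following is an added example (mine, not code from any of the breached sites) that runs both halves of that argument on a constructed dump: unsalted SHA-256 hashes fall to one table lookup, and two users with the same password are obviously twins; with a per-user random salt and a slow hash (PBKDF2 from the standard library here, standing in for bcrypt/scrypt/Argon2) the same two users get different hashes and the attacker has to re-hash every guess for every user. The weak password still falls, just far more slowly, which is the honest lesson.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "MyPassword", "letmein", "tlhIngan", "tobeornottobe"]


def unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stolen_hashes, wordlist):
    """Build the table once, then one dictionary lookup per account, however many accounts."""
    table = {unsalted(w): w for w in wordlist}
    return {user: table.get(h) for user, h in stolen_hashes.items()}


ITERATIONS = 100_000        # work factor; raise it as hardware gets faster


def store_salted(password):
    salt = os.urandom(16)   # random per user, stored beside the hash, not a secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(stolen, wordlist):
    """No shared table possible: each guess is re-hashed per user with that user's salt."""
    return {user: next((w for w in wordlist if verify_salted(w, stored)), None)
            for user, stored in stolen.items()}


def demo():
    dump_unsalted = {"alice": unsalted("MyPassword"), "bob": unsalted("MyPassword"),
                     "carol": unsalted("correct horse battery staple")}
    dump_salted = {"alice": store_salted("MyPassword"), "bob": store_salted("MyPassword")}
    return {
        "same_password_same_hash": dump_unsalted["alice"] == dump_unsalted["bob"],
        "same_password_same_salted": dump_salted["alice"] == dump_salted["bob"],
        "unsalted_cracked": crack_unsalted(dump_unsalted, WORDLIST),
        "salted_cracked": crack_salted(dump_salted, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```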

When a web site is compromised, such as OneLogin, frequently the accounts will appear on a web site as a 'dump file'. There are characteristics that let security analysts trace back a dump file to know that File X was taken from Site Y. And there's a web site that will tell you if your email address has ever appeared in a dump - https://haveibeenpwned.com/.

The operator of Have I Been Pwned (Troy Hunt) took it upon himself to collect dumps and load them into a cloud database hosted on Microsoft Azure. He doesn't store any passwords, just an email address and which dumps that address has appeared in. You go to the web site, enter your email address, and you'll learn where your address may have been compromised. It's not a bad idea to check occasionally.

Myself, I have two primary email addresses. My main one has been compromised a number of times, and I don't really care because it's used mainly for email. My more sensitive account has only been compromised once, and that was an Adobe hack. My PayPal email account has never been found in a dump, which is nice. But what I found interesting was that my main email address has been found in lists that, as the site puts it, were "broadly circulated and used for 'credential stuffing', that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password." I'm not concerned because I never reuse passwords on systems where I have credit cards tied. I do reuse passwords on low-value systems OCCASIONALLY, like some message boards that I don't often revisit, but that's slowly coming to an end.

Anyway, you might want to check out this site, it's interesting.

https://haveibeenpwned.com/
thewayne: (Default)
They got hit. HARD. Indications were that crooks were accessing W-2 information and filing fraudulent tax returns between April 17, 2016 and March 29, 2017 -- all but a full year. The records were protected by a four-digit PIN, which is pretty trivial to get past, and then by knowledge-based questions, which sadly, most people answer truthfully and are thus fairly easy to Google. Where did you attend high school? What was your first car? What is your mother's maiden name? My answers would be Atlantis, Ferrari, and Ozymandius. I then log the answers in an encrypted note program on my iPhone called mSecure; I'm certain there are similar programs for the Android ecosystem. Each site gets different answers as the moment strikes me.

https://krebsonsecurity.com/2017/05/fraudsters-exploited-lax-security-at-equifaxs-talx-payroll-division/
thewayne: (Default)
According to the web site, "True Health is a privately held health services company specializing in “comprehensive testing for early detection of chronic diseases,” according to the company’s Web site." They had a VERY serious flaw in the way their web site let you display your information: your account was identified by an incrementing number in the URL, and while viewing your own results you could change that number in the browser's address bar and view someone else's. The server trusted the ID in the request and never checked that the record belonged to the logged-in user, which is the textbook insecure direct object reference.

Can you spell HIPAA violation?  I knew you could.

I can't believe someone would allow crap like this to continue in this day and age.  I remember a certain credit card company, it might have been Citi, had the exact same flaw upwards of a decade ago.  Completely inexcusable.  And looking at the account number of the person who tipped Brian Krebs to the problem, they have perhaps two million customers.  Not good.

The flaw has been (supposedly) fixed, they're now in the phase of trying to figure out how many people's information may have been accessed and doing notification.

https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/
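The True Health flaw above is the textbook insecure direct object reference: the account number in the URL is the only thing the server consults, so changing it shows you someone else's record. Here is an added example (constructed sample data, not True Health's or Krebs's code) showing that lookup beside the fixed version, which checks that the user from the server-side session owns the record, plus an opaque handle that removes the guessable sequence and the "we have about two million customers" leak. The names `RECORDS`, `view_record`, `issue_opaque_id` and `enumerate_as` are all invented for the example.

```python
"""IDOR demo: a sequential account number used as the only key to a record,
beside the hardened lookup that checks ownership.  Added example with
constructed data; nothing here is True Health's code."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Record:
    owner: str   # username permitted to read this record
    body: str    # constructed stand-in for the medical data


# Constructed sample table keyed by an incrementing account number.
RECORDS: Dict[int, Record] = {
    1001: Record("alice", "alice: cholesterol panel"),
    1002: Record("bob", "bob: A1C result"),
    1003: Record("carol", "carol: lipid profile"),
}


def view_record_vulnerable(session_user: str, account_no: int) -> Optional[str]:
    """The flawed pattern: the request parameter is the only input, so any
    logged-in user can walk 1001, 1002, 1003 ... and read every record."""
    rec = RECORDS.get(account_no)
    return rec.body if rec else None


def view_record(session_user: str, account_no: int) -> Optional[str]:
    """Hardened lookup: resolve the object, then compare the requester (taken
    from the server-side session, never from the request) against its owner.
    A missing record and a foreign record look identical to the caller, so the
    endpoint does not confirm which account numbers exist."""
    rec = RECORDS.get(account_no)
    if rec is None or rec.owner != session_user:
        return None
    return rec.body


# Second layer: an opaque, random handle instead of the guessable sequence.
# This does not replace the ownership check; it only stops enumeration and
# stops the id itself from revealing roughly how many customers there are.
OPAQUE_IDS: Dict[str, int] = {}


def issue_opaque_id(account_no: int) -> str:
    handle = secrets.token_urlsafe(16)
    OPAQUE_IDS[handle] = account_no
    return handle


def view_record_by_handle(session_user: str, handle: str) -> Optional[str]:
    account_no = OPAQUE_IDS.get(handle)
    if account_no is None:
        return None
    return view_record(session_user, account_no)


def enumerate_as(session_user: str,
                 lookup: Callable[[str, int], Optional[str]],
                 id_range: Iterable[int]) -> int:
    """How many records can one user read by simply walking the id space?"""
    return sum(1 for n in id_range if lookup(session_user, n) is not None)


if __name__ == "__main__":
    print("vulnerable:", enumerate_as("bob", view_record_vulnerable, range(1000, 1010)))
    print("hardened:  ", enumerate_as("bob", view_record, range(1000, 1010)))
```

The `enumerate_as` helper is the check a reviewer would run against such an endpoint: a single ordinary user walking a range of ids should be able to read exactly their own records and nothing else.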

thewayne: (Default)
First off, the southern-located fast food chain, Shoney's was hit.  The thieves were able to load malware in to their point of sale systems.  The breach appears to have existed from December '16 to early March.  On April 16 the company Best American Hospitality issued a statement saying that they were the source of the breach, they manage a number of locations that are corporate-owned.  That article points to a press release that lists 37 locations in South Carolina, Tennessee, Louisiana, Georgia, Alabama, Missouri, Virginia, Missouri, Florida, and Arkansas that were hacked, but it doesn't discuss how many cards were compromised.  The list (PDF) shows the earliest date that they know the location was compromised.  Personally I'm curious HOW the location was compromised: physical overlay of the POS card reader, BIOS hack, remote network infiltration, what.  At least they're offering free credit monitoring, which is the absolute least that they can do.


This next one is a biggie.  Sabre Corp's hospitality unit was hacked.  They provide reservation services for 32 THOUSAND properties.  Currently no information has been released as to how long the breach existed or how many cards may have been compromised.  If you do a lot of corporate travel, your employer might want to know about this.

“The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a brief statement that Sabre sent to affected properties today. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”

Sabre’s software, data, mobile and distribution solutions are used by hundreds of airlines and thousands of hotel properties to manage critical operations, including passenger and guest reservations, revenue management, flight, network and crew management. Sabre also operates a leading global travel marketplace, which processes more than $110 billion of estimated travel spend annually by connecting travel buyers and suppliers.

Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted.

thewayne: (Cyranose)
I've kind of stopped posting about these as it's just so damn depressing and never ending, but ADP is different. They handle payroll for SO MANY companies across the USA that it needs to be mentioned.

The method was depressingly simple. ADP had a web portal for its clients, which makes sense. But if a company had not registered on said portal, they were vulnerable: fraudsters were able to siphon confidential info from a variety of sources, create an account for said ADP customer, and all of the client's payroll information was instantly available. And Robert's your mother's brother.

http://krebsonsecurity.com/2016/05/fraudsters-steal-tax-salary-data-from-adp/


In other hacking news, there's a free web site called Have I Been Pwned that I've mentioned before. I mention it because there was a similar for-profit business called Pwnedlist that did largely the same thing. They just closed their business because they got pwned: their business model was that clients would pay subscriptions and be notified if their data ever appeared in a dump. Well, they got notified, because Pwnedlist got hacked through a major bad programming vulnerability that gave anyone who wanted it admin access to accounts that didn't belong to them.

By contrast, Have I Been Pwned only stores the compromised email address and what site's hack it was taken from. Nothing of value. And in the case of sensitive dumps, like Ashley Madison users, you have to register at the site to find out if your email was contained in that dump.

For an interesting read, you should take a look at HIBP's Twitter feed. He describes new dumps received as the number of accounts compromised and the number of emails that are ALREADY IN THE SYSTEM. I've been fortunate: I have three active email accounts, the two used regularly for email were both compromised in the Adobe hack, which is no big deal as those accounts didn't have credit card information attached and they were passwords not used elsewhere. My other email account of any importance is only used for Paypal, and it has not been compromised.
thewayne: (Cyranose)
I'm waiting for the rest of the gaggle of clowns to come out with "He wants to secure our borders and he can't secure his credit cards?!" Not that one has anything to do with the other, but it might make for some amusing soundbites.

If for whatever reason you used a credit card at a Trump hotel between May '14 and June '15, you might have been compromised.

http://krebsonsecurity.com/2015/10/trump-hotel-collection-confirms-card-breach/
thewayne: (Cyranose)
This web site is interesting for two reasons.

First, it is operated by a security researcher who downloads all of the major web site dumps that he can get his hands on and extracts email addresses and aggregates them here. You can enter your email address and it will tell you if your email appears in any dump that he's been able to get his hands on, including Ashley Madison.

Two of my regular email addresses have been compromised, both thanks to Adobe. I was happy to see that my PayPal email address has not been compromised. And you can register your email address with him and he'll tell you if it appears in a future dump.

Second, it's a Microsoft SQL Server Azure project and he blogs about how well Azure is working as a platform for him. Interesting if you're into super geeky stuff.

https://haveibeenpwned.com/

Not to dwell on the Ashley Madison hack, but there are some interesting facets since their entire email server was compromised and published. First, there was email traffic that AM HACKED another online dating site! They pulled all of their subscribers and plugged them in to AM! So even if you didn't register with AM, it's possible that your email address appears there! It'll be interesting to see if the Feds investigate this off-shoot.

There was news that a man, on a spur of the moment thing, looked for his address in the AM dump. And he found it. He immediately went to his wife and said 'I did not do this!' His wife accepted what he said. They dug further and found that someone with a similar name (Smithe instead of Smith, like that) had registered. They had a vaguely similar description but vastly different physical builds. The man who was wronged is going after the other guy to get a certified statement saying that he created the AM account impersonating the first guy. It'll be interesting to see how it plays out.

AM is not the first adult dating site to be compromised, Adult Friend Finder was also hacked a couple of years ago. One thing that was found in both hacks is that an overwhelming majority, like 95%, of the accounts are men. And an overwhelming majority of accounts for women are fronts for people in the company, just to bring the numbers up.

I personally don't know anyone who's used these adult sites for a hook-up, but I did meet my wife on a (now defunct) dating site, so they do have a chance of working.


There are companies preying on people who registered at AM, and as shown above, they might not have registered there in the first place. There are reports of blackmail, people being solicited for class-action lawsuits, etc. So basically the vultures are circling. But the part that I find the most ridiculous is that people registered using GOVERNMENT AND MILITARY EMAIL ADDRESSES! One of the concerns of security clearance background checks is that you have not done things that could make you vulnerable to blackmail by a foreign power. GUESS WHAT. I have a feeling a lot of security clearances are going to be revoked in a few months, and a definite chance of people losing jobs over this. There have already been two reported suicides of people who were uncovered in the dump, but I don't know if they've established a positive link between being exposed and the suicide. It might just be a coincidence.
thewayne: (Cyranose)
Twice in one year. Every store, over a quarter million cards compromised.

The thieves got in through a Citrix portal used by employees on the road.

"...The attackers somehow had login credentials of a district manager," Curlovic said. "This guy was not exactly security savvy. When we got his laptop back in, we saw that it had his username and password taped to the front of it."

ETA: why did a district manager have wide access to the company network? Managers should have access to financial databases. Even IT people should have controls to prevent a single password compromise from betraying the whole network. When I was at the police department in the '90s, we had two computers: one was used for administrative work and had no email or internet access, the other was our normal working computer. (there were no virtual machines back then) If I ever become a manager, I'm going to implement the same thing: your admin work will be done through a VM and won't have email access.

I think this manager who had his username and password taped to the front of the computer is fully deserving of a major demotion or outright firing. That is one of the most boneheaded moves that I've ever heard of.

http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/
thewayne: (Cyranose)
Well, probably not North Korea per se, I doubt they have the expertise but they could have hired a hacker army.

Here's the premise. Little Kim's mad at a movie coming out on 12/25 called The Interview, a Seth Rogen movie, where two guys run a popular TV talk show and score an interview with the leader of North Korea. And are then recruited by the CIA to assassinate said leader.

For some reason this made some people unhappy.

Regardless of who did it, the attackers got deep into Sony Pictures corporate network, pulling out all sorts of employee information, including health care info, salary info, etc. and posted it all online. Researchers have confirmed that the data looks real by referencing people in the files with LinkedIn job descriptions. More than enough to do some pretty serious identity theft. And they dumped it all online. Apparently the hack was so bad that Sony IT advised everyone to turn off WiFi on all devices and don't use any corporate computers.

At least this time it wasn't Sony Online.

http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data/
thewayne: (Cyranose)
This goes back to the Vietnamese criminal, who pleaded guilty when suckered on to U.S. territory and arrested, who had full access to credit and personal information of somewhere on the order of 200 million people and was selling them, making an estimated $1.9 million on it. The company was subsequently bought out by Experian, but he continued to have access for two months after that happened.

At least two states are investigating Experian. This makes me very happy.

The fault really lies in the original company that was bought out by Experian, and I'm sure it takes some time to conduct a full audit when you buy a company. It's possible that they shut the guy down as soon as they detected him, I'd like to think that. But considering how these data aggregators work with zero oversight and how they've managed to conflate my dad's traffic accidents with my records because we have one name in common, I'm not holding my breath that they're lily-white.

krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/
thewayne: (Default)
*sigh*

I would say that I'm sorry for Sony, but I'm not. They've pulled so much crap over the years, things like their music CDs installing rootkits on people's computers to stop piracy, that they get no sympathy from me.

Most recently, they got hacked. The PlayStation Network went down in flames. Sony Online Entertainment was taken offline. Something on the order of 200,000 user accounts were compromised, including a lot of credit cards. People almost immediately started getting strange phone calls from telemarketers who obviously had some of that credit card info.

Sony allegedly fixes their problems and starts bringing their networks back online. It's then discovered that one of their servers (or a server farm, I'm not sure) in Asia is a malware host. They're not allowed to bring up PSN in Japan because of security concerns. It comes out that the re-done and tightened PSN network account passwords can still be reset by using the email and birthdate, said information was compromised in the first round.

Here's the latest: "As Sony struggles to restore the Playstation Network we receive news today of another breach, this time at Sony Ericsson in Canada. 'Sony Corp. spokesman Atsuo Omagari said Wednesday that names, email and encrypted passwords may have been stolen from the Sony Ericsson Canada website, but no credit card information was taken.' Another group managed to penetrate Sony Entertainment Japan yesterday as well. I almost feel bad for them."

http://it.slashdot.org/story/11/05/25/1337215/Sony-Suffers-Yet-More-Security-Breaches

That's it for me. There's no point in writing anything about Sony. They've become a laughingstock when it comes to network defense, and they're a major international corporation. They made little or no effort to keep their public-facing servers patched for known vulnerabilities even when they were made aware of such problems. They obviously rushed out patches to get the PSN network back online and blew it. It's understandable that they'd want to get it back online ASAP because they're losing a lot of money every minute that it's down, but as serious as this breach is, they owed it to their customers to get it right. And they didn't.

I know I'll continue to see movies made by Sony and maybe occasionally buy music from Sony. But I'm never going to use one of their services or buy any hardware from them again.

I'm also not going to write about their getting hacked again. It's just not worth it. If you use their monthly services and they have your credit card number(s) and you continue using their services, it's your lookout.
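Two of the failures described in these posts have the same shape: the PSN reset that accepted an email address plus birthdate as proof you own the account, and (further up the page) the ADP portal that let anyone who had gathered enough facts about an unregistered client "claim" that client's account. In both cases the proof is something an attacker can look up. The added example below (mine, not code from Sony, ADP or Krebs) shows the replacement: a random, single-use, time-limited token that the site sends to the contact details already on record, with only a hash of the token kept server-side so a database leak does not hand out live tokens. `RecoveryTokens`, `weak_reset_allowed` and the fake clock are all invented names for the example.

```python
"""Possession-based recovery / account-claim tokens versus knowledge-based
checks.  Added example with constructed data; not the code of any company
named in the posts."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60   # tokens die after fifteen minutes


def _token_digest(token: str) -> str:
    # Store a digest, not the token, so a dump of this table is useless.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RecoveryTokens:
    """One pending token per account.  `now` is injectable so the expiry
    path can be exercised without waiting."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, dict] = {}   # account_id -> {digest, expires}

    def issue(self, account_id: str) -> str:
        """Create a token and return it so the caller can deliver it out of
        band to the email/phone/postal address ALREADY on file.  Returning it
        here stands in for that delivery step; it is never shown in the
        browser that asked for it."""
        token = secrets.token_urlsafe(32)
        self._pending[account_id] = {
            "digest": _token_digest(token),
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, account_id: str, token: str) -> bool:
        """True exactly once, and only before expiry."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[account_id]
            return False
        ok = hmac.compare_digest(entry["digest"], _token_digest(token))
        if ok:
            del self._pending[account_id]   # single use
        return ok


def weak_reset_allowed(account: dict, email: str, birthdate: str) -> bool:
    """The pattern the post describes, kept only for contrast: two facts that
    were themselves in the breach dump are accepted as proof of ownership."""
    return account["email"] == email and account["birthdate"] == birthdate
```

The same `issue`/`redeem` pair covers the ADP case: a first-time portal registration is allowed only after a token mailed to the client's address of record comes back, so knowing the company's public details is not enough to create its account.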
thewayne: (Default)
Sony Online Entertainment, the home of MMO games such as the recently launched DC Universe, was also compromised and has been shut down. This is after the PSN network was compromised and Sony assured SOE users that their system was safe.

Sony will offer one month of free play plus one day for every day the network is down.

The estimate is that almost 13,000 credit cards and banking information was compromised out of 25,000 accounts.

http://www.wired.com/gamelife/2011/05/sony-online-entertainment-hack/

http://www.joystiq.com/2011/05/02/sony-hit-with-second-attack-loses-12-700-credit-card-nu/

The official Sony Online announcement: http://www.soe.com/securityupdate/pressrelease.vm

http://yro.slashdot.org/story/11/05/03/0439203/Sony-Breach-Gets-Worse-246-Million-Compromised-Accounts-At-SOE


I believe this takes the number of compromised accounts to over 90,000.

[EDIT] Just read a comment on Slashdot. Guy played EverQuest, dropped it in 2001. Just got a letter from Sony saying that his personal information was compromised. Wow.
thewayne: (Default)
Sony PSN has been down for over a week now. Unknown parties compromised their system and broke into their billing and authentication database(s), stealing 77 million accounts and credit card information. In a monumental act of stupidity, Sony stored all passwords as plaintext, they were not hashed, with or without a salt value. The bad thing about this is that so many people use the same password for multiple online accounts, and since their email address was also compromised, those people could be compromised all over the interweb.

The only good thing about this is that Sony did not store the CVN on the back of the card with the card data, so it was not compromised. This makes it much harder to make charges on the stolen cards and greatly reduces their value.

This also affects Sony's Qriocity network, whatever that is. Apparently PSN and Qriocity are operated and managed by an outside marketing company, not that it absolves Sony of any responsibility.

http://cyberinsecure.com/sony-playstation-network-breached-77-million-users-private-data-stolen/

http://yro.slashdot.org/story/11/04/27/142238/77-Million-Accounts-Stolen-From-Playstation-Network


One thing that I find interesting is that the credit card industry has standards that businesses must follow to secure credit card data. (Remember the TJ Maxx hack?) If you're a small merchant and all you have is machines to process in-person credit card purchases, it's no big deal. But if you store credit card data for repeat purchases, i.e. monthly network access, you are expected to have pretty good security. Clearly Sony is in gross noncompliance with these directives. I've read them, it takes a very skilled and serious staff to implement, maintain, and audit them.


Here's an article on Wired theorizing about who might have committed the hack. There are some very interesting comments, possibly indicating that some of the information may already have been sold to telemarketers and scammers.

http://www.wired.com/threatlevel/2011/04/playstation_hack/


The lawsuits have already begun, and it's guaranteed that they'll seek class action status. And as Sony and the network provider were so grossly negligent, it's going to hurt Sony as they so deserve.

http://tech.slashdot.org/story/11/04/27/2122241/Sony-Sued-For-PlayStation-Network-Data-Breach
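On the plaintext-password point: the thing a site is supposed to store is a salted, slow hash from which the password cannot be read back, so a dump of the user table does not hand out credentials that work everywhere else the person reused them. The added example below (mine, not Sony's code) does that with PBKDF2-HMAC-SHA256 from the Python standard library; the storage format, `ITERATIONS` and the function names are choices made for the example. The per-user random salt is what makes two people with the same password get different stored values, and the iteration count is what makes guessing from a leaked table slow.

```python
"""Salted, iterated password hashing versus the plaintext storage the post
describes.  Added example using only the standard library; not Sony's code."""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # raise over time as hardware speeds up
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$digest.
    A fresh random salt per password means identical passwords do not
    produce identical rows, and rainbow tables are useless."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time.  Any malformed or foreign verifier simply fails."""
    try:
        algorithm, iterations_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a verifier was made with weaker parameters than current
    policy; call after a successful login and re-hash with the live password."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def store_plaintext(password: str) -> str:
    """What the post says Sony did: the stored value IS the password, so a
    table dump gives the attacker every credential directly."""
    return password


if __name__ == "__main__":
    row = hash_password("correct horse battery")
    print(row)
    print("login ok:", verify_password("correct horse battery", row))
    print("login bad:", verify_password("wrong", row))
```

Note that `verify_password` reads the iteration count out of the stored row rather than from the constant, which is what lets `needs_rehash` upgrade old rows gradually instead of forcing a site-wide reset.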

Page generated Sep. 24th, 2017 11:01 pm
Powered by Dreamwidth Studios