thewayne: (Default)
In October, the gene testing company got hacked. The information on 7,000,000 customers was compromised. From the article, the information compromised includes: "photos, full names, geographical location, information related to ancestry trees, and even names of related family members. The company said that no genetic material or DNA records were exposed. Days after that attack, the hackers put up profiles of hundreds of thousands of Ashkenazi Jews and Chinese people for sale on the internet."

Of course, lawsuits started popping up immediately. Back to the article: "multiple class action claims" have already been [filed] against the company in both federal and state court in California and state court in Illinois, as well as in Canadian courts." No surprise there.

Here's the surprise.

23andMe sent out an update to its terms of service to all customers. Okay, that's not new, companies do it all the time and usually we ignore them. These were a bit different. Just a wee bit.

First off, unless you notified them in writing within 30 days, you automatically agreed to them.

Second, by agreeing to them, you relinquished your right to participate in class action claims.

GEE, ISN'T THAT SPECIAL?! Company gets hacked, then screws over their customers to try to prevent them from suing the company. Pretty clever. One law professor said that the change in the user agreement would not be enough to prevent claims, but the article did not go into any detail of the reasoning behind the statement. Perhaps some ex post facto going on there?

Myself, while I have had genetic testing performed, it was purely in a medical context and theoretically my genes have never been shared with companies like this. They are far too liberal with sharing their information and with letting law enforcement stroll through their data.

https://www.engadget.com/23andme-frantically-changed-its-terms-of-service-to-prevent-hacked-customers-from-suing-152434306.html
thewayne: (Default)
This works against both Android and iPhone devices. However, Apple went to facial recognition a few generations ago, so you've got a much older iPhone if you're still using a finger print reader.

The attack is not quick and straightforward. It requires the attacker to have physical control of the device and can take hours to execute. But it is quite clever!

The phone is partially disassembled and a chip is mounted onto the system board. A memory card with a database of fingerprint data is part of this attack system. The basics of the attack are quite simple: while you and I may not have identical fingerprints as far as a fingerprint expert is concerned, they might be similar. This attack exploits a vulnerability in the system and "...manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted."

Meaning that if your fingerprint is similar to mine, and yours is in this fingerprint database, through this system your fingerprint might unlock my phone!

Now, one thing the manufacturers did to prevent multiple attempts at unlocking phones was to code in a hard limit as to how many unlock attempts that you get. This system TRIPLES that limit!

Pretty darn clever.

Now here's the killer: the parts to make this are about $15.

And the database of fingerprints? Biometric database breaches. Not difficult to obtain.

https://arstechnica.com/information-technology/2023/05/hackers-can-brute-force-fingerprint-authentication-of-android-devices/

https://it.slashdot.org/story/23/05/24/0435205/brute-force-test-attack-bypasses-android-biometric-defense
thewayne: (Default)
Live in Texas? Have a driver's license? Think the information is held securely?

BWAHAHAHAHA!

A contractor for the state motor vehicle department, Vertafore, said "the data was exposed between March and August and affected licenses issued before February 2019.

Exposed data included driver’s license numbers, addresses, dates of birth and vehicle registration history, according to the company. The group said that no Social Security numbers or financial account information were compromised.

The breach happened after three files were accessed by an unauthorized user after the files were “inadvertently stored in an unsecured external storage service,” Vertafore said in its statement."


"An unsecured external storage service" means they probably put it in an Amazon Cloud or something similar and didn't secure it properly. Because security is hard!

THEN DON'T PUT IT SOMEWHERE THAT YOU DON'T KNOW HOW TO EFFING SECURE PROPERLY!

Oh, but they're going to pay for data monitoring and "identity restoration services", whatever the heck that is. Thoughts and prayers, people, thoughts and prayers.

https://thehill.com/policy/cybersecurity/525923-data-breach-of-software-vendor-exposes-almost-28-million-texas-drivers

https://news.slashdot.org/story/20/11/15/0638241/data-breach-exposes-27-million-texas-drivers-license-records


This next one is a doozy, and definitely involves a misconfigured Amazon storage bucket. Now, Amazon is not to blame: they're selling you a service, YOU are responsible for securing it. It's like people not changing the combination on their briefcase or luggage.

Anyway, there's this company that works with major, MAJOR, online hotel/travel reservation systems, like Expedia. Specifically Expedia and others. And 10 MILLION FILES were exposed. Not records of people or reservations. FILES. As in collections of records. So we don't know how many people are affected. August 2020 - by itself! - contained 180,000 records. During the COVID slower travel period!

The company in question, Prestige, is in a whole heap o' trouble, because credit card data was leaked, but also because they fall under the European GDPR regulations. It's quite possible that they're going to be fined out of existence. And because they did not secure their credit card information, they could be stripped of their ability to process credit cards, which would nullify their cashflow. Once they were notified about this exposure, they contacted Amazon and the naked storage bucket was immediately secured.

Here's what was exposed: "The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more.

The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more."


Have you made an online booking since 2013? Your data may have been in there. I know I'm a likely unwilling participant.

Here's some ways that the information could be used against us: "Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail and extort them."

https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/

https://it.slashdot.org/story/20/11/15/0422207/credit-card-numbers-for-millions-of-hotel-guests-exposed-by-misconfigured-cloud-database
thewayne: (Default)
What I really hate is the inconvenience for you and me. We have to worry - 'Hey, I ate at that place six months ago!' We have to compulsively check our accounts, we have to decide whether or not to do the credit monitoring (major PITB, especially if your credit history is damaged with incorrect information like mine), we have to go through the hassle of getting our cards cancelled and not being usable until replacements arrive.

The banks really don't care as long as the cash flows. THREE MILLION CREDIT CARDS. One of the security companies brought in to investigate and mitigate the situation said "I never thought in 2005 (or maybe he said 2015) that in 2020 I'd still be seeing magnetic stripe compromises."

But hey - we're the USA! WE'RE NUMBER ONE! In stolen credit cards.

There was nothing preventing these machines from being replaced when we had a booming economy, except MasterCard and Visa didn't push for it. Because? The gasoline retail industry didn't want to have to pay to upgrade all of those gas pumps.

THREE MILLION CREDIT CARDS.

I don't bother to post about a lot of credit card thefts because it just happens so damn often. It's only when there's several million cards or someone outrageously famous that gets clobbered. And now MC/V won't push for replacement terminals - or just fund it themselves - because the economy is going to be in the toilet for several more years to come and merchants won't be able to afford it. Which means there will be more of these thefts in the next 5-10 years.


I've had my banking information compromised precisely ONCE. And it wasn't by one of these credit card thefts. It was 10-11 years ago, I was in Phoenix for a couple of days before going to Las Vegas for a convention, I was checking my bank balance and found a charge for a gas station in one of the Carolinas for $85. I hadn't been there in something like 5 years, it was definitely hinky. Called the bank, they confirmed it was fraud and turned off my debit card.

But it wasn't a card or card processor that got hacked. It was a check processing facility that somehow got ahold of my account information. I have no idea how that happened.

My wife and I have had numerous card replacements, but have never had a dime misplaced. Several friends have been victimized, one lost money from the Target hack before it became public!

It's just so bloody frustrating. It could have been put to an end years ago, but Visa and Mastercard didn't do it. And it's just going to go on and on and on.


Oh, speaking of data breaches: you heard Barnes and Noble got clobbered, didn't you? Someone got in and made off with a bunch of info. "But no customer credit card information was stolen." Yeah, we'll see if that statement rings true in another month or so.


Sorry, I'm just in a bit of a pissy mood. Multiple government administrations have not made the industry fix things. The industry hasn't fixed things. So nothing gets fixed. And it will continue this way while the rest of the world looks on in wonder at yet another weird thing that Americans do.
thewayne: (Default)
Mainly in California and Arizona. Dickey's is a franchised operation, and as franchisees can choose their point of sale operation, it is most likely that a downstream credit card operator was compromised.

From the article, one of the consultants brought in said "The financial institutions we've been working with have already seen a significant amount of fraud related to these cards," and "data indicated some 156 Dickey's locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona. Gemini puts the exposure window between July 2019 and August 2020."

Apparently, with the emphasis on hardening systems against ransomware, people have been neglecting converting over to chip payment, and card swiping is notorious for being vulnerable to card theft.

https://krebsonsecurity.com/2020/10/breach-at-dickeys-bbq-smokes-3m-cards/
thewayne: (Default)
Early ransomware attacks were simple extortion. You open an infected email attachment, and it either contained the malware or downloaded the malware and it exploited your network and encrypted the network and demanded a ransom to get your data back.

Then the attackers got more sophisticated and hands-on involved.

The malware loaded a bunch of zero-day exploits, that is, attacks that were unknown or unpatched by operating system vendors, and thus undefended. This allowed the attackers full access to networks for an extended period of time. So they found valuable data, exfiltrated it to their HQ, THEN encrypted the servers that they had control over and demanded a ransom.

And part of the ransom demand was that you pay us to get your data back or you might not only face loss of your information, but you might also face us posting your data online or selling it to competitors.

The normal defense against ransomware has been good procedures for backups and recovery, and we used to think that was good enough. We could get our systems back: reformat, install a new copy of the operating system, patch, reload the data. Time consuming, but it's actually faster than decrypting files because encryption/decryption is a very time-consuming process.

But the criminals are now posting internal corporate documents on public web servers, saying Company X didn't pay, they rebuilt their infrastructure without giving us a dime so here's their information.

This is obviously going to have potentially serious GDPR consequences in Europe, we'll see how it plays out over here, especially if no customer notification took place and if credit card information was involved.

https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
thewayne: (Default)
This is interesting. Their stores didn't get breached, but their peripheral services did: gas pumps, restaurants, drive-up coffee shops.

35 states, 5.3 million credit cards. The breach was announced on the 14th and the investigation is in early phases, but the store is confident that the check-out lanes and pharmacy terminals were not compromised.

This is what pisses me off about cavalier attitudes when I'm told "just swipe your card". I DON'T WANT TO SWIPE MY CARD! THAT'S WHERE MY CARD INFO GETS STOLEN! I'm just about ready to tell businesses that if I can't use the chip reader, I'm not buying anything and turning around and walking.

https://krebsonsecurity.com/2019/08/breach-at-hy-vee-supermarket-chain-tied-to-sale-of-5m-stolen-credit-debit-cards/
thewayne: (Default)
The article doesn't explain if the app was developed by internal 7-11 IT or they hired an app maker to do it (I'm guessing internal development), but it contained an extremely bad flaw. Here's an excerpt from the article explaining it.

"...in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to their email address, instead of the legitimate account owner.

A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, like most of these hacks involve.

Furthermore, if the user didn't enter their date of birth, the app would use a default of January 1, 2019, making some attacks even easier..."

Wow. Obviously it's not hard to get ahold of this information if you know where to look, and organized hackers know where to find this information. I wonder, though, how they identified "This person has the app, that person doesn't". Maybe they had sniffers on the store networks looking for identifying information (I wouldn't count on good encryption in the app if they were this stupid about the reset) and then launched the attack against customers.
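To make the two defects in that quoted description concrete, here is an added example (not 7-Eleven's code, and the account data, phone numbers and mail outbox are constructed for illustration): a minimal password-reset handler that reproduces the flaw beside a hardened version that only ever delivers the link to the address on file and refuses to match on a default birthdate.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class Account:
    email: str
    phone: str
    birthdate: Optional[date]   # None when the user skipped the field at sign-up


# Constructed sample accounts (hypothetical users, not real data).
ACCOUNTS: Dict[str, Account] = {
    "victim@example.com": Account("victim@example.com", "+81-90-0000-0001", None),
    "alice@example.com":  Account("alice@example.com",  "+81-90-0000-0002", date(1985, 4, 12)),
}

# Constructed outbox standing in for the mail service: (recipient, reset token).
OUTBOX: List[Tuple[str, str]] = []

# The fallback the flawed app used when no birthdate had been stored.
DEFAULT_DOB = date(2019, 1, 1)


def _parse_dob(value: Optional[str]) -> Optional[date]:
    """Parse an ISO date from the request; anything malformed counts as no match."""
    try:
        return date.fromisoformat(value)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return None


def reset_vulnerable(req: dict) -> Optional[str]:
    """Models the flawed flow. Returns the address the link was sent to, or None.

    Two defects: (1) a missing birthdate is treated as 2019-01-01, so the
    'secret' becomes guessable; (2) an optional 'reset_to' field overrides the
    recipient, so the link is delivered to an address the requester names."""
    acct = ACCOUNTS.get(req.get("email", ""))
    if acct is None:
        return None
    known_dob = acct.birthdate or DEFAULT_DOB
    if req.get("phone") != acct.phone or _parse_dob(req.get("birthdate")) != known_dob:
        return None
    recipient = req.get("reset_to") or acct.email   # attacker-controllable
    OUTBOX.append((recipient, secrets.token_urlsafe(16)))
    return recipient


GENERIC_REPLY = "If an account matches, a reset link has been sent to its registered address."


def reset_hardened(req: dict) -> str:
    """Same inputs, safe behaviour: the link goes only to the address on file,
    an account with no stored birthdate cannot be matched on a default value,
    any extra recipient field is ignored, and the reply is identical in every
    case so the endpoint does not confirm which addresses have an account."""
    acct = ACCOUNTS.get(req.get("email", ""))
    if (acct is not None
            and acct.birthdate is not None
            and req.get("phone") == acct.phone
            and _parse_dob(req.get("birthdate")) == acct.birthdate):
        OUTBOX.append((acct.email, secrets.token_urlsafe(16)))
    return GENERIC_REPLY
```

A real deployment would also rate-limit the endpoint and expire the token, which the example leaves out to keep the two defects in view.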

I'm guessing 7-11 didn't have a tiger team test the app for vulnerabilities. There is some good news: 7-11 is going to pay back all the lost funds, so people won't be out money. Complaints started rolling in the day the app launched, and 7-11 shut the app down on the 3rd. In another article, some fraudulent transactions were traced to China, but it's hard to say if they were the source of the overall fraud. Two Chinese nationals were arrested trying to purchase smokes with someone else's account, unknown if they were connected with the fraud.

Myself, I have credit card info encoded in two apps: Amazon and Apple, both of which I think are trustworthy. Otherwise all shopping is done through my web browser, PayPal, or face-to-face. Amazon was entered in their web site through a browser and not directly in their app: you sign in to the app, and now it's tied to my fingerprint. Slightly more complicated and I believe more layers of encryption in Apple Pay. So I'm (hopefully justified?) more confident that my accounts can't be compromised. Regardless, there ain't much money in my account!

https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/
thewayne: (Default)
I don't post about these anymore because it's so flamin' common and so little is being done to prevent it. Company is breached, credit monitoring is offered, most banks cover their customer losses, wait until the next company is breached.

I only post this because I've eaten there a few times and really like the place. I had my 50th birthday party there in Phoenix with family and friends, we had a really good time.

Anyway, it was a point of sale breach between May 23, 2018 and March 18, 2019 and according to a company press release, the hack was found in "67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles."

https://krebsonsecurity.com/2019/03/a-month-after-2-million-customer-cards-sold-online-buca-di-beppo-parent-admits-breach/
thewayne: (Default)
This time it's only a mere 500 million people whose information was compromised. The breach was detected in September and goes back to 2014! Apparently Starwood found their POS register system was compromised back then, and now it turns out it was a lot more than their registers! The criminals got into their database, pulled information out of it, then encrypted it on Starwood's servers before exfiltrating it! Starwood had software in place called data-loss prevention tools, but since the stolen info was encrypted, the tools did not detect it.

VERY clever.

If Starwood had encrypted their entire database, they might have had a better chance of defending themselves, but there's all sorts of risks and problems involved when you do full database encryption.

Krebs quotes a Marriott statement released this morning: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

Marriott added that customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.


I don't think the thieves would have worked on this for 4+ years without having gotten the keys and being able to decrypt the card information.

The article goes on to say:
Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorized access to the separate Starwood network.

Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program.

...

The breach announced today is just the latest in a long string of intrusions involving credit card data stolen from major hotel chains over the past four years — with many chains experiencing multiple breaches. In October 2017, Hyatt Hotels suffered its second card breach in as many years. In July 2017, the Trump Hotel Collection was hit by its third card breach in two years.


https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
thewayne: (Default)
I'm not going to bother linking to an article about the CEO "retiring" with a $90,000,000 plan, it's just not worth it.

Bloomberg has a good breakdown of the structure of the hack. Basically, after the Struts exploit became known and some (essentially) script kiddies gained a toehold into Equifax's network, they handed their penetration off to a skilled team of pros. The pros then did quite a serious number, including installing custom backdoors that ignored the Struts problem and bypassed the firewalls; they then started breaking apart databases. They had so much information that they had to prioritize which databases were more valuable, then they had to break them down into smaller chunks for exfiltration to avoid tripping monitoring software that watches for just this sort of thing.

Definite experts.

Which points to possibly nation state actors. A lot of people want to point to the Chinese because one of the tools is called China Chopper because it has a Chinese language interface, but it's used by hackers around the world, so that's hardly conclusive. But the thing that really points to nation actors: none of the information on the 143 million people that was stolen, including credit cards, has surfaced on any underground forums that sell stolen information.

Personally, my money for the country most likely to be responsible is Russia or North Korea. We know that Russia has the talent for something like this, and after the DPRK tore apart Sony for The Interview, and the fact that their cyber people were trained by the Chinese, they also have the skill.

Equifax suspected someone was in their system. Their contractor, Mandiant, sent a team over. For whatever reason, Equifax thinks that Mandiant didn't send over their best people. Squabbling ensued for an extended period of time, during which apparently nothing was done to stop the hackers or their theft. This amounts to criminal stupidity as far as I'm concerned. Disagree all you want, but GET THE EFFING JOB DONE and resolve the fight later! JOB ONE IS TO STOP THE BAD GUYS!

The original Bloomberg article:
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

The Slashdot article that led me to the Bloomberg article, complete with some interesting comments:
https://news.slashdot.org/story/17/09/30/207200/squabble-with-contractor-delayed-equifaxs-response-to-data-breach
thewayne: (Default)
Sonic has 3,600 locations in 45 states, and this breach looks big, as in millions of cards. No information as to dates, just that a huge number of cards began appearing on the criminal forums where they're sold, and after some test purchases were made verifying that they had all made recent purchases at Sonic, Sonic was approached and it was confirmed that they had been breached.

Krebs goes on to report that according to Visa, as of March of this year, 58% of Visa cards issued had chips, but only 44% of merchants had chip readers.

https://krebsonsecurity.com/2017/09/breach-at-sonic-drive-in-may-have-impacted-millions-of-credit-debit-cards/
thewayne: (Default)
Apparently. In March they brought in the company that is investigating the May-July breach. These seem to be the same intruders.

From Slashdot:
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)
Posted by BeauHD on Monday September 18, 2017 @05:20PM from the earlier-than-expected dept.
Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report:

Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.


https://it.slashdot.org/story/17/09/18/230234/equifax-suffered-a-hack-almost-five-months-earlier-than-the-date-it-disclosed

The Bloomberg original story has auto-start videos.
https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
thewayne: (Default)
and apparently did not have an IT background. Her LinkedIn profile has been deleted, and apparently an effort is being made to purge her from the internet. It won't be entirely successful, but it'll slow information retrieval down. The article mentions that she spent 14 years in industry, we don't know in what industry, which means she could have picked up a fair amount of IT knowledge, but not as much as if she'd studied IT and gotten a degree and a CISSP cert.

http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

https://it.slashdot.org/story/17/09/16/0244211/equifax-cso-retires-known-bug-was-left-unpatched-for-nearly-five-months


Also, scammers are calling people at random, claiming to be Equifax, wanting to verify your information. Obviously Equifax has better things to do right now than call you. Just hang up, don't give them your name or the time of day.

https://arstechnica.com/tech-policy/2017/09/ftc-opens-equifax-investigation-says-beware-of-equifax-calling-scams/


ETA: Apparently the Internet Archive Wayback Machine never cached her LinkedIn page, more's the pity. It says it has a page from September 9, but nothing is retrieved when you click on it.
thewayne: (Default)
It is indeed a doozy, perhaps the largest data privacy leak in history. Equifax has been collecting information on people for decades, and they do it without our express permission. But at the same time, they are used for credit scores and to generate bank decisions for our getting loans and such. Yet I never signed a contract with Equifax allowing them to collect information on me.

And they have, through zero fault of my own, personally screwed me over.

A couple of years ago my wife and I decided to shop car insurance. Our current insurer was doing some corporate shenanigans that we didn't care for, and it should have been possible to shave some bucks off our premiums, and it never hurts to shop. I called the car club AAA, we ran through my information, and they told me that they couldn't take me because I had three accidents on my record. I'm accident-free. Equifax had taken three accidents OF MY FATHER, whose name is Andrew Donald, and put them on my record, where my name is Donald Wayne. We lived at the same address some years back, but I was living in New Mexico at the time of the accidents and have never owned a Buick. As it happens, we were born in the same month, but not on the day and clearly not in the same year. No two digits in our birth date or year are the same. There's no reason to conflate us and put the accidents onto my record, except for pure sloppy processes.

So I have a pretty poor opinion of these credit bureaus.

What happened to Equifax is pretty simple. They built their data framework on an open source software package called Apache Struts. Like virtually all software packages, bugs are found and patches are issued. A particularly big problem with Struts was first patched in March, but the intruders were in Equifax's system from mid-March through July - approx 2.5 months. Thus it is perfectly reasonable for Equifax to blame open source software for its breach. [sarcasm off] Struts is a framework for Java programs to run either on servers or web browsers, and after updating the framework you have to recompile literally hundreds of programs, and doing that would be a tremendous PITA, but it MUST be done, otherwise shit like this happens. Apparently some management at Equifax didn't like to pay overtime, and now they have to cope with a tremendous amount of shit.

In some late-breaking news from this afternoon, Equifax's Chief Information Officer and Chief Security Officer are both "retiring", proving that for once, shit started at the top. In "there is occasionally some justice, or perhaps there will be" news, the Federal Trade Commission is investigating the breach. It will be interesting to find out what they learn, assuming they ever issue a report. I wonder if Congress will hold public hearings. The breach is being compared by some news agencies to Enron. According to the Reuters story, "Shares of Equifax fell 2.4 percent on Thursday and trading volume hit a record high. The shares have lost 32 percent since the company disclosed the hack on Sept. 7.

Senate Democratic leader Chuck Schumer compared Equifax to Enron, the U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud."


But you see, this is not just a problem for people in the USA. Equifax holds information for people in Canada and Mexico. And Argentina, and possibly other Latin American countries. And the BBC is reporting that 400,000 UKians have information that was compromised in the theft, but their information exposure was minimal and should not lead to identity theft. Well, we'll see about that! In Argentina, apparently Equifax's software used the highly-[in]secure account/password combination of admin/admin.

This is one of my favorite stories, and it may be behind a paywall since it's from the Wall Street Journal. Here's the Slashdot summary:

Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

The title of the story is "Equifax Lobbied for Easier Regulation Before Data Breach", by Michael Rapoport and AnnaMaria Andriotis. If you do a little searching, you might be able to find a copy.

Now, the breach itself is extremely bad. If you were compromised, and there's a very good chance that you were, then the information that was stolen includes: your full name, social security number, previous addresses, list of jobs, all sorts of amazing things. Information about you that never changes. Information about you that you use to apply for credit cards, loans, mortgages, JOBS. The best thing you can do is to approach all four credit bureaus and put a FREEZE (not monitoring, a FREEZE) on your credit. That means that no credit can be taken out in your name without postal correspondence going back and forth with your house. No credit reports can be pulled. It's about the best that you can do. Brian Krebs has an excellent post that he has to pull out a few times every year to discuss this. Definitely worth a read. Me? I'm unemployed. Banks would have to be idiots to issue credit under my information; still, I plan on freezing my accounts.

But that's not the worst.

For reasons unknown, Equifax had credit card transaction information, 200,000 transactions' worth dating back to last November, sitting on their servers, apparently unencrypted. Massive violation of PCI compliance rules.

And who knows, there may be more yet to come.

I won't bother providing links to the stories about your surrendering your right to sue if you signed up for their monitoring service; that's been rescinded. There were at least two class-action lawsuits in development, along with a couple of state Attorneys General beginning investigations.

One more thing to mention: an op-ed piece by Bruce Schneier, a very well-known and respected expert on encryption and privacy. He has some facts wrong; I think he wasn't as well-versed on the scope of the breach as perhaps he should have been when he wrote it. But at the beginning of the piece he talks about how the public are not customers of Equifax, we are what is being sold, and we have no say in the matter. And there are THOUSANDS of data brokers out there, and we can't come close to naming all of them.

Equifax's feet will be in the fire for some time, I imagine.
thewayne: (Default)
Wednesday night I got an email from a friend whom I used to work with. She'd gone to a doctor that afternoon and their office was in a kind of chaos: the office had been hit by at least two different kinds of ransomware attacks. She wanted to know if I could help.

That night I did some research on the particular attacks, found out they were variants of the same core and both were based on exploiting weak Windows RDP (Remote Desktop Protocol) passwords. RDP is a back door to a server that techs use for management. It should NEVER be left open! There are other, more secure, ways to manage servers. If it must be left open, then it should have a VERY secure, i.e. LONG and complicated, password on it.

Obviously it did not.
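An added detection example (mine, not the author's or the clinic's tooling): given Windows Security events 4625 (failed logon) and 4624 (successful logon) exported as one-line records, flag a source address that racks up RDP failures (logon type 10) in a short window, and note whether that address then logged in successfully. The record format, timestamps and IP addresses are constructed for illustration.

```python
"""Flag RDP password-guessing bursts in exported Windows Security log events.

Added illustration, not the author's tooling. Assumes events were exported to
one-line key=value records as shown; the lines, users and addresses below
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Timestamps are invented.
SAMPLE_LOG = """\
2017-03-14T02:11:05 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2017-03-14T02:11:06 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5
2017-03-14T02:11:07 EventID=4625 LogonType=10 TargetUser=Administrator IpAddress=203.0.113.5
2017-03-14T02:11:09 EventID=4625 LogonType=10 TargetUser=sqladmin IpAddress=203.0.113.5
2017-03-14T02:11:10 EventID=4625 LogonType=10 TargetUser=clinic IpAddress=203.0.113.5
2017-03-14T02:11:12 EventID=4624 LogonType=10 TargetUser=clinic IpAddress=203.0.113.5
2017-03-14T09:02:44 EventID=4625 LogonType=10 TargetUser=drsmith IpAddress=198.51.100.7
2017-03-14T09:03:01 EventID=4624 LogonType=10 TargetUser=drsmith IpAddress=198.51.100.7
2017-03-14T09:10:00 EventID=4625 LogonType=2 TargetUser=frontdesk IpAddress=-
"""


def parse_events(text):
    """Turn one-line records into dicts holding a datetime plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP with >= threshold RDP failures inside `window`.

    Each alert records whether that IP later succeeded over RDP; a success right
    after a burst is the case to treat as a probable compromise, not noise.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.get("LogonType") != "10":
            continue  # only remote-desktop logons matter here
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append(ev["time"])
        elif ev["EventID"] == "4624":
            successes[ev["IpAddress"]].append((ev["time"], ev["TargetUser"]))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        # sliding window: does any run of `threshold` failures fit inside `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                later_ok = [u for t, u in successes.get(ip, []) if t >= burst_end]
                alerts.append({"ip": ip, "failures": len(times),
                               "success_after_burst": later_ok[0] if later_ok else None})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

A single failed logon followed by a success (the 198.51.100.7 lines) is a user mistyping a password and is not reported; the threshold and window are the knobs to tune for a real log volume.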

A friend of the doctor's is their main IT guy, but he's not local, and he's decent but not top drawer. This problem apparently was discovered before Wednesday, and their guy (let's call him Bob) was making a new server for them with the latest version of Windows Server and SQL Server. The software that their clinic uses is mainly based in SQL Server, and here's the really sucky part: it was running Windows Server 2008 R2 and SQL Server 2008. And plugged straight into a router to the internet. No hardware firewall, vendor-provided router.

*facepalm*

I didn't bother checking to see the patch level on their Windows Server 2008, it was kind of pointless. I did note that their SQL Server 2008 was well below the final patches that were released for it, not that it mattered as all of its databases had been encrypted.

The new router, though consumer grade, is fully patched. The new server is fully patched. A new Cisco firewall is on order. That's the best that we can do right now.

I was there Thursday from 11am to 8pm, then worked at home from 10pm to midnight copying, compressing (7zip), and uploading a big analytics file to a forensics company who sent us a utility to try and figure out what happened. Friday I only put in five hours, finishing up an inventory of all of the computers (which they didn't have) to figure out what should be tossed and what could be upgraded to get them all up to Windows 10 Pro and writing up some reports.

One woman complained to us that her computer was really slow. And it was. It was absolutely horribly slow! I was afraid that it had something nasty running under the covers, then I opened up Control Panel and did some poking around and found that it was a Pentium 4 with 2 gig of memory running Windows 10. The Performance Index, Satisfaction Index, whatever index, was 1.0. So we ordered her a new computer.

I always had a three-step plan when it came to buying computers to make them last longer and save money. When a new OS came out and the original started slowing down: add memory. That usually sped things up. Next OS comes out: install a better video card. Next OS comes out: buy a new computer. All of their computers are running at least 4 gig of memory, odds are they're all running a motherboard-based video card. I'm hoping we might be able to do memory upgrades and install some video cards and upgrade some of these for about $100-150 instead of tossing them. We shall see. I'll do some more inventory work next week now that we have a better idea as to what's out there.

This weekend I'm writing up a report more detailed than the single-page invoice that just had bullet points as to what I did. I'm also burning a DVD with bootable malware/virus inspection software that'll look deeper into the OS than something like Symantec can do, and since you're booting from read-only media, it'll look for boot kits that are otherwise invisible. I'll get to inspect all of the workstations! That'll make everyone oh so very happy to have their computer denied to them for however long it takes.

The tragic thing is that their backups weren't running properly because they had a terrible internet connection that couldn't handle the transfer. The software did a nightly backup to their vendor, but it had been failing. And they weren't doing anything locally, so they didn't really have a fall-back point to recover from. Their practice software vendor was able to restore from an earlier backup, but I don't know how successful that was in terms of how old it was and whether there was any corruption in it. I'll be finding that out Monday. This gets their patient information back, which is critical. And their insurance information is also processed online, so that should be safe. But anything stored locally may be lost.

And the horrible thing about that is the way the database is configured! I'm a database guy, I've been working with SQL Server for 25 years, since the first Microsoft version came out running on LAN Man/OS/2. And the vendor has a VERY bad configuration. And I won't improve it unless they say it's OK. We're going to set up local backups, and I've stressed to the office manager the importance of rotating backup media and having a fire-proof safe in-house for storing said media. So eventually they'll be in a much better place.

The big question is whether or not they have to notify all their patients. I don't think this represents a HIPAA information spill. These ransomware encryptions are fully automated attacks by bots, I've never heard of data being exfiltrated and used for further extortion, that's a much more targeted attack. I'm going to have to tell the doctor who owns the practice to talk to his attorney and discuss this point because that's far outside of my ability to give him a recommendation.
thewayne: (Default)
Anyone who doesn't expect Trump facilities to NOT get hit more in coming years raise your hand. Bueller? Anyone? It's been documented that Trump's facilities have lousy IT practices and terrible WiFi security, but hotels are particularly problematic. American hotels seem to be stuck with using card swiping technology rather than EMV chip readers, which greatly increase security through strong encryption. Until they upgrade, we'll be seeing hotel breaches regularly.

https://krebsonsecurity.com/2017/07/trump-hotels-hit-by-3rd-card-breach-in-2-years/
thewayne: (Default)
I'd never heard of, nor I think seen, a Buckle Store, though theoretically they have locations at two malls that I occasionally visit. Anyway, same old story: malware in POS terminals, unknown number of cards have information compromised. Terminals were hacked for about six months, from late October last year to mid-April '17.

It is important to note two things. All Buckle Stores have EMV readers: they can read the electronic chips in most, BUT NOT ALL, cards. Not all banks have adopted chips in cards. But worse yet, not all EMV readers HAVE THE READER TURNED ON! For example, the Walmart store in my area does not: you still have to swipe your card, which means that my card is vulnerable to compromise.

The reason for this is vendors got greedy: they convinced merchants that they MUST upgrade their card readers to EMV compatibility! So the merchants did. But the vendors didn't tell them that to enable the EMV reader was an additional software upgrade, so many merchants didn't do the second bit.

These hacks target magnetic stripe information because that info is really easy to clone and copy onto new blank cards, then use those cards for online purchases. The fraudsters make their money by making big-dollar-value online purchases, like iPhones and Xboxes, having them shipped to money mules (those "make big dollars working from home" ads) who return them to physical stores, convert the money to money orders while taking a percentage, then wire the money overseas. The mules are committing a felony by doing so, and every year many of them go to prison while the overseas contacts just vanish.

KMart was AGAIN recently compromised, which made me pause for some reflection. On the negative side, we get my wife's meds there every few weeks. But on the positive side, they implemented EMV, and we always use that, so our info was probably secure. And probably on the mega-negative side, the store is closing, so lots of jobs are going to be lost locally.

When stores have implemented EMV, and your card has an EMV chip, you usually cannot swipe it. So that's good.

So take a look at your wallet. Do any, and I mean ANY, of your cards not have chips? If they do not, complain to the issuing institution. The USA is the last country in the G20 to NOT REQUIRE EMV chips. And we have to put up with shitty hackers like this CONSTANTLY compromising our information. Banks really need to step up. Every time this happens it costs the banks money to reissue cards. And that means increased fees for bank customers.

https://krebsonsecurity.com/2017/06/credit-card-breach-at-buckle-stores/
thewayne: (Default)
Back in March, Brian Krebs posted an article titled Why I Always Tug On The ATM. It boils down to there being a limited number of ways that your credit card information can be stolen:

1. Financial institution is hacked
2. Malware is implanted on a merchant's network, possibly on point of sale (POS) card scanners
3. Hardware is covertly installed on or in POS card scanners

You can't do anything about #1. The first time my banking information was compromised was about seven years ago. I was at my parents' house in Phoenix, heading to Las Vegas to a convention, when I saw a charge on my checking account for $80ish at a truck stop in North Carolina, a state where I hadn't been in five years. Turns out that a check processing company in Albuquerque had been hacked and they managed to create a bank card from that info. That hack never hit the news.

#2 is the classic Target hack, though that was an extreme example where the criminals managed complete subversion of their cash register system. They could have done what North Korea did to Sony over the release of The Interview. Arby's, Wendy's, CiCi's, you name it. And you can't do anything about this, either.

#3 is something that you can attempt a bit of defense with.

Skimming comes in two flavors, an overlay or an insert. The overlays are easy. The criminals somehow manufacture a flimsy plastic module containing electronics, generally a card reader for capturing card information, a camera for capturing PINs, and a Bluetooth radio for transmitting the info. The whole thing can be quickly slipped over a card reader at a cashier station. It's a two- or three-man job: distract the cashier, obscure the overhead security camera, slip the shell over the reader. The shell is precisely made for specific models of card readers and will only fit on those models. There are a few 'tells' that help identify an overlay. The colors will be slightly off. It will feel like thin plastic. The graphics won't look quite right. The dimensions will be slightly off. If you pay attention to the card terminals that you use, you might notice these.

But the best way to notice is to tug. Give the terminal a squeeze and a pull. It should feel solid and it should be solidly anchored to the pedestal that it's secured to.

Gas stations are a slightly different problem. These will sometimes have overlays, so a visual inspection and a tug test is good, but they also may have internal skimmers. These are tiny circuit boards that are actually slipped into the card slot, where they read the inserted card and store the info. They don't collect as much information as an overlay, but it's still enough to cause you problems with card theft, and it's not easy to spot these.

Gas stations have taken some defensive measures. You'll notice there are security tape seals where the panels open on the pumps to show they haven't been tampered with, but let's face it, it wouldn't be hard to make fakes of those. But they've also improved the design of the pump faces to try and make it harder for skimmers to be installed; ATM makers have also tried defensive design with varying success.

Brian Krebs' suggestion is that the best defense is to never use a debit card at a terminal that you don't have absolute confidence in, only use a credit card. The reason for this is that credit cards have legal limits for fraud protection, debit cards do not. Your bank may limit your liability if your debit card is compromised, but they are not REQUIRED to by law. So you can trust your bank if you like, but you need to know that they don't have to back you.

Another way to defend yourself, if you have a fairly recent smartphone with Near Field Communications (NFC) and your merchant supports it, is to use Apple Pay or Google Pay. Microsoft tried to set up a wallet system, but it never gained traction and has been relegated to the dustbin of history. BE WARNED: these payment systems take a little getting used to! I set up Apple Pay last week: I've used it four times, I've been successful ONCE. I know how I failed the first time, and I suspect how I failed the other two times, so I think I have it figured out, but still, be prepared for a learning curve.

Apple has an exhaustive explanation of how their system works, and it is really elegant. From what I understand, even if the POS terminal has malware installed, if you use Apple Pay the criminals will get nothing usable. The information is not just encrypted, it's done with a one-way encryption that cannot be reversed after it's transmitted, so no card information can be recovered by an intercepting criminal. The merchant identifier and transaction amount are appended, the packet is sent to your financial org, which authorizes it, and the bill is paid. Your information is never exposed.

I'm sure Google's system works in a similar fashion, but the info that I easily found didn't go into nearly as much detail as what I found with a casual search for Apple's system.

And I have to tell you, the Apple method for registering a card was amazingly cool: take a picture of your credit card. I was sitting in my partially demolished computer area, in somewhat poor lighting, and it said to take a picture of your card. So I pulled out my personal debit card, and it read it perfectly. Done. Pulled out the debit card in my name for my wife's checking account. For some reason, within about a month of receiving it the gold paint on the letters is completely gone. There was no strong side lighting to provide contrast for the lettering, yet my iPhone 6S had no trouble reading the card! I was VERY impressed. The third card that I registered was my credit card, and that one also registered fine, except it got the expiration date wrong, and that was easy to correct.

You can also manually enter the card information.

You can also use Apple Wallet for concert tickets! I used them for Jethro Tull, which was convenient because I forgot to take the printouts. It looked to me like 75% of the people in line were using smart phones for their tickets.

iPhone 6 series and later, which includes the SE, have NFC. Apple Wallet can be configured to use a fingerprint to authorize rather than the phone's password, regardless of whether you use a password to unlock the phone. Androids that run version 4.4 of the OS or later should have NFC. I saw that sometimes Android updates can cause headaches for Wallet users.

Anyway, that's enough blathering. The best defense, of course, is to always pay in cash. But that brings up two problems: carrying large sums of cash, and do you get the cash from the bank, which may involve lots of inconvenience, or do you trust the ATM to not have been compromised?

It seems to be never-ending.

https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/
thewayne: (Default)
First, Kmart has once again found malware in their store point of sale systems. This is not a first for Kmart, and apparently does not affect online sales or their stores of their partner, Sears. Kmart is my wife's pharmacy, so I expect we'll be getting new cards from our bank in a month or two, which will mean Amazon resets and all the joy that entails.

https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/


The OneLogin breach is bad. This is a password vault company where you can store logins and passwords for everybody that you do business with online, so with this one violation everyone that you have an online account with is potentially compromised. Bad news. Very bad news for a lot of people and companies.

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/


Now, when it comes to knowing whether or not an online identity has been compromised, it's not easy to know. We use email addresses as logins to numerous web sites, but what gets compromised when a site gets hacked? The valuable information is the login identity and password information. While password information is frequently encrypted, sometimes it's not and it's stored as plain text. And a lot of people commonly use the same password on lots of sites. Thus, a password that was used on Site A might work on Site B.

Even if the password is encrypted, sometimes they don't use what is known as a salt value. In this case, something called a Rainbow Table can be run against the encrypted password list to try and decode passwords. A rainbow table is a list of dictionaries of known words, random words, words in Klingon, phrases from Shakespeare, etc. that are commonly used in passwords. If one of these words matches against an encrypted password, they now know what that password was and can try that matching email address against an Amazon account or bank or whatever.

Salting a password is adding a hidden value to it. For example, if I append the value '123' to your password, the encrypted value is much harder to match against a rainbow table, because the encrypted values of MyPassword and MyPassword123 are different. And if you use the password MyPassword, DON'T. It's a ridiculously easy password to hack. But I'm not going to talk about strong passwords right now.
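An added example, not from the post, of what the salt buys you: a small precomputed table of common passwords matches an unsalted hash immediately but not a salted one, and a per-user random salt goes further than the post's fixed '123' suffix. Usernames, passwords and the "dump" are constructed; SHA-256 stands in for whatever hash a site actually uses.

```python
"""What a salt buys you: a precomputed table matches unsalted hashes, not salted ones.

Added illustration, not from the post. Usernames, passwords and the "dump"
are constructed; SHA-256 stands in for whatever hash a site actually uses.
"""
import hashlib
import os

# Stand-in for the wordlists the post describes: common passwords hashed
# once, ahead of time, so any leaked unsalted hash can be found by lookup.
COMMON_WORDS = ["password", "MyPassword", "letmein", "qwerty", "123456"]
LOOKUP_TABLE = {hashlib.sha256(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def hash_unsalted(password):
    """How a careless site stores a password: same input, same output, every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Per-user random salt, stored next to the digest so it can be checked later.
    (Production code would also use a slow KDF such as hashlib.pbkdf2_hmac.)"""
    if salt is None:
        salt = os.urandom(16).hex()
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()


def verify_salted(password, salt, stored_digest):
    return hash_salted(password, salt)[1] == stored_digest


def crack_with_table(digests):
    """Return {digest: plaintext} for every digest the table already knows."""
    return {d: LOOKUP_TABLE[d] for d in digests if d in LOOKUP_TABLE}


# Constructed "dump": the same reused password stored two different ways.
SITE_A_UNSALTED = {"alice@example.com": hash_unsalted("MyPassword")}
SITE_B_SALTED = {"alice@example.com": hash_salted("MyPassword")}


def demo():
    unsalted = SITE_A_UNSALTED["alice@example.com"]
    salt, digest = SITE_B_SALTED["alice@example.com"]
    # The post's fixed suffix ('123') also defeats a table built without it,
    # but one leaked suffix lets the table be rebuilt once for every user;
    # a random per-user salt forces a fresh table per account.
    fixed_suffix = hash_unsalted("MyPassword" + "123")
    return {
        "unsalted_cracked": crack_with_table([unsalted]).get(unsalted),
        "salted_cracked": crack_with_table([digest]).get(digest),
        "fixed_suffix_cracked": crack_with_table([fixed_suffix]).get(fixed_suffix),
        "salted_verifies": verify_salted("MyPassword", salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```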

When a web site is compromised, such as OneLogin, frequently the accounts will appear on a web site as a 'dump file'. There are characteristics that let security analysts trace back a dump file to know that File X was taken from Site Y. And there's a web site that will tell you if your email address has ever appeared in a dump - https://haveibeenpwned.com/.

The operator of Have I Been Pwned took it upon himself to collect dumps and suck them into a cloud-based edition of SQL Server. He doesn't store any passwords, just an email address and information on what dump that address has appeared in. You go to the web site, enter your email address, and you'll learn where your address may have been compromised. It's not a bad idea to check occasionally.

Myself, I have two primary email addresses. My main one has been compromised a number of times, and I don't really care because it's used mainly for email. My more sensitive account has only been compromised once, and that was an Adobe hack. My Paypal email account has never been found in a dump, which is nice. But what I found interesting was that my main email address has been found in lists that "was broadly circulated and used for 'credential stuffing', that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password." I'm not concerned because I never reuse passwords on systems where I have credit cards tied. I do reuse passwords on low-value systems OCCASIONALLY, like some message boards that I don't often revisit, but that's slowly coming to an end.

Anyway, you might want to check out this site, it's interesting.

https://haveibeenpwned.com/

Page generated Apr. 23rd, 2025 03:23 pm
Powered by Dreamwidth Studios