Tag Archives: Breach

Ashley Madison site breached

If you are keeping up with the news you have probably already heard about the breach of the adult site known as Ashley Madison.   Here is a link to one of the articles about it: http://money.cnn.com/2015/07/20/technology/ashley-madison-hack/index.html. Like the breach at Adult Friend Finder (http://money.cnn.com/2015/05/22/technology/adult-friendfinder-hacked/) a few months ago, this type of incident is a little different than the usual breach.   This breach is less about identity information (although at the root has a lot to do with it), financial information, or even health information.   The focus of this type of site/service is on secrecy and discreetness.   It is about sharing sensitive information about an individual’s private life.

As we become more content with the Internet and the freedoms it provides us, we often start to overlook the reality that it creates.  Some people think what they do on a computer isn’t real, rather, more of a game.   That the effects are not real.   We have this notion that everything we do is anonymous, leading us to take more risks than we might have otherwise.  Take a moment and think about some things you might have said or done online that you most likely wouldn’t have done in person.  Think about how quickly that can snowball out of control.  

The breach at Ashley Madison should serve as a reminder that what we do may not be as anonymous as we thought.   That the effects of our actions may turn out to have some real life consequences.   Is it possible someone was just curious and meant no harm signing up on the site?  Maybe they got in a fight with their spouse, had a bad day at work, were just bored.   Of course those may not be acceptable excuses for joining a site that promotes adultery, but it could be something that small that led to the initial curiosity.  There are also people just looking for another relationship.  Anyone who has their name released as being a member has the same potential consequences.  You may be publicly criticized, sorry.. that is what society does now.  Your job or career could be effected. Your relationship with your significant other and/or children can be effected.  The list goes on.

We are all still learning the effects our online actions have on us over time. Our parents didn’t have nearly as much technology so many of us are learning on our own. We need to understand that, just like business, we assume a level of risk when acting online.  There is no 100% secure systems.  It doesn’t matter if we are talking online banking, adult sites, social media, or password managers.  There is always some level of risk.  We must learn to calculate that risk and determine if it is worth it.  We are often quick to blindly accept the risk for the quick reward.  Share your contacts for some coins in a game.  Post atrocious comments for a chance to feel like you stood for something.  

Is there a risk to joining an adult site like this?  Of course there is.  For many, that risk is acceptable for their own personal reasons.  Some members may had not really considered the risks, while others may have given great thought to joining.  Either way, the risk is there.   The big question in this situation is regarding what that risk now means to the individuals involved.

The media hypes this up to be devastating.  However if we look back at Adult Friend Finder, after a few days, you stopped hearing much about it.  This doesn’t mean that there were no consequences suffered by users effected by that breach, but it did quiet down a lot.  Maybe it was because of the personal nature that people didn’t want to put it out for everyone to see.  That makes it difficult to judge the real effect that this breach will have.

It will be interesting to see what types of effects this has going forward.  In the meantime, we should ensure that we are thinking about the risks. Be safe everyone.

Adult FriendFinder Hack: ID Theft is NOT the Only Game in Town

Leave a reply

When a breach occurs that shares our personal information we immediately think about identity theft and credit card fraud. More recently we are seeing more health information compromised as well, but the Adult FriendFinder breach changes that focus. The hack still revolves around personal information, but with the exception of the username/password, it does not include social security numbers or credit card numbers. Rather, this breach is focused on a persons sexual preferences or desires.

According to the story at CNN and other news sources, username and passwords were retrieved. As with any breach like this, it is recommended to change your passwords on other sites if you are reusing them, and definitely change the password for this site. While that can be devastating if your username/password combo work on other sites, especially financial sites, we are seeing a different concern arise here.

There are a lot of different data privacy or data breach notification laws that have been passed throughout the country. Originally the focus was on identity data, then moved to health data. Even more recently, Illinois is trying to include marketing data as well. In this situation, we have sexual preference data. This isn’t used to steal a persons identity or charge up their credit card accounts. This type of data is used for extortion or reputational harm. In our overly judgmental society, this type of data can destroy your livelihood.

It has already been shown that victims of the breach can be identified and that there are bad guys that are already using this data to start attacking them. How could they attack? The easiest way is by using identified social media accounts to send spear phishing attacks about the situation to them. A user clicks on the link in the email attack and is presented with a malicious file that gives the attacker control over their machine. This is probably the most likely attack because it is easy and efficient.

The second option is to extort those victims. Tell them that you have this information and if you don’t pay a large sum of money, that information will go public. Of course that information pretty much is public, and the organization of that may be more costly to the bad guys making this less attractive.

In either case, they are playing off of the victim’s fears of this information being leaked. Unlike a credit card number or a password, you can’t just change this information once it is made public. You can attempt a cover story of “that isn’t me” or “I just made that up” but recovering becomes a nightmare.

Even worse, besides not using the site, there is nothing you could do to prevent this hack. While they haven’t given details of how the site was hacked, it appears as though it was from the server, and not a user’s computer. Of course, there is a chance that this could be wrong, but if not, a user of the site has very little control over this happening. We rely on a site to protect this type of data because when they don’t, it can create a nightmare for the users of the site.

If you think you were a victim of this breach, be on the look out for phishing emails. Emails that claim to be about this breach asking you to go to a site to change your credentials, or input other information. Go to the site directly and change your password. If extortion occurs I would recommend reaching out to the local authorities for assistance on what to do.

What Happens When All SSNs are Breached

Visit any news site or social media outlet and you are bound to see news of some new company getting breached. It is a lot of what we talk about these days. Whether it is passwords, credit card information, health information or social security numbers, if it is breached it is headline news. With the exception of those trying to scam the system and get a quick payday, it is getting to the point where most people outside of the information security industry just write it off and don’t give it much thought.

There is a difference between social security numbers or health information that distinguish them from passwords or credit card numbers. They are much harder to replace. Taking a quick look at passwords we can see that it is easy to change them. If my password gets breached, I create a new one. It is usually a simple process that takes very little time. This is especially true if using different passwords for different sites. Credit cards are also fairly simple to replace and come with zero liability. If my card gets breached and there are fraudulent charges I just report them and they are removed. The bank sends me a new credit card and if I am doing regular monitoring of my statements the biggest hassle is changing the credit card that is stored on the different sites.

With social security numbers it is much more difficult to replace them. While they were not meant to be used as identifiers in all of these systems, they unfortunately are. Countless numbers of sites store your social security number increasing the risk to it. Getting a new number can be very difficult, not just the process of getting the new number but also updating everyplace that has it.

What happens if all of the social security numbers get breached? With under 400 million people in the united states how long will it take with all of these breaches for all numbers to have been breached? I know, we could just create all of the numbers that fit the format of xxx-xx-xxxx, but I am talking number with other identifying information. If all of the numbers get breached, what do we do next? Is it still worth spending so much money trying to protect them in our systems? We can’t get people to encrypt them now, will they continue to do it when they are all in the public domain? Do we finally start moving to a new identifier, albeit probably too late? Maybe it is just a money ticket for identity monitoring and credit monitoring companies. Will the duty to protect this information be removed when it is public domain? As we have seen with other breaches, once something is in public domain, no matter how it got there, it is fair game. It raises an interesting situation when a finite set of data is at risk. Do you know what your company is doing to protect this type of information? Better yet, as a consumer, do you have any concern about your SSN being stolen? Chances are very good it is already out there somewhere.

When Breaches Get Personal

Leave a reply

Unless you have been living under a rock, you have probably heard about the breach of privacy against some celebrities who had some indecent images stolen. It is easy to get caught up in the hoopla that surrounds this latest intrusion due to the racy images that were stolen, but there is a bigger question around all of this. Lets pull away those top layers and see what the deal is.

The story goes that images were taken with mobile devices, and that device then synced the data to some form of cloud storage. You have seen cloud storage before right? DropBox, Sync, Box, ICloud, etc. There are a lot of services that allow storing your data into “The Cloud”. Some of this is just for backup purposes, others help sync data across multiple devices.

Lets start by talking about this mysterious cloud. If you saw the recent movie “Sex Tape” you may have heard it mentioned. You might be shocked that the only thing about the cloud that actually resembles a cloud is its representative image on a network diagram. There are lots of definitions and everyone will tell you something different when describing the cloud. The key point is that these services have servers running in multiple data centers and when you send your data to them it gets stored on those servers. You don’t know where the data actually is, and in most cases it doesn’t matter. It is, in this scenario, an offsite storage mechanism.

Many of these services make it easy to sync files between devices. Wait, you really don’t have more than one device? It is becoming much more common for people to have a phone, tablet, computer, etc. Wouldn’t it be great if when you created a file (photo, document, etc) that it was available on all your devices? The cloud services help with that. Some programs, like the IOS photos feature will automatically sync your pictures to all your devices.

Whether people are aware of how this works, or the implications is hard to really determine. I think most people really don’t think about the mechanism by which the photo made it from their phone to their tablet. They just care that it got there, not thinking about a copy being stored somewhere else. Just like in law, ignorance is no excuse for not knowing what is going on with your devices and services.

As we have seen in the past few years, breaches are an every day occurrence. Usually we see them at big businesses or retailers. These cloud services are also targets due to the types of data they store. Sure, in the most recent case it was nude photos, but think of some of the other stuff that you store from your device. There is a lot of potential for sensitive information being stored.

Do you stop using cloud services because of an incident? Personally, I keep on trucking as usual. I use ICloud, DropBox, and other cloud services all the time. Understand, there is a risk to using any of these services, although I wonder if that risk of the service getting compromised is less than or greater than your own personal device getting compromised. Like everything we do dealing with life, you have to be aware and take responsibility for what you do. Hey, if you want to take nude photos, that is your business. If those images get compromised, and if on an electronic device there is a chance of that, then you determine how to handle the situation. This goes for any data you store, not just photos.

There is so much finger pointing and blame game going around the internet about the recent nude photo breaches. It is the celebrities fault, it is the hackers fault, it is the cloud service provider’s fault. I don’t see how any blame is put on people that take pictures and use a service. We were all given a choice and that doesn’t give anyone else the right to exploit it. Depending on how the accounts were compromised, maybe user, maybe provider. If the provider did something completely negligent, then I can see some problem there. But lets not let any of that detract from the true malicious user here; the attacker that broke in and stole the information. There are going to be people that do this all the time and we are seeing more of it everyday. Lets be clear, there is no way to remove the blame from the attacker in any of these scenarios.

As users, we need to stay focused on doing the right security practices. Strong pass phrases, less password reuse across sites, don’t click stuff you shouldn’t, stay away from shady sites, and think about what you are doing. Don’t get caught up in the hype of news headlines, but rather take in the details and determine what the real issue is. All of the talk about nude photos is not the issue. Data stolen by an attacker is the issue. Be safe and enjoy the internet.

Breaches Happen: Call to Action

Leave a reply

I loaded up Twitter this morning and was bombarded with even more reports of companies getting breached. Latest on the radar include the likes of JPMorgan Chase and some Dairy Queen locations. I won’t even attempt to guess at the number of breaches that have occurred already this year, but at what point to companies sit down and decide to look at their own network and systems?

I am not talking about reaching out to a company to perform a penetration test, or even a risk audit. I am thinking about looking at your actual systems for any signs of compromise like what we are seeing in all of these breaches. Lets just assume that everyone is breached, what would you as a company do? You have an incidence response plan right? Disaster recovery is in place? If any of those above don’t sound familiar, you are already late to the game.

If you are a retailer or have any type of POS system, take a moment and check your systems. There is known malware that may just be sitting on there without your knowledge. You have to go looking for this, rather than just waiting on the Feds to let you know that you have a problem.

If you are a franchise, I recommend you look at your policies for franchisee’s regarding security. Do you have a way to check how they are doing in regards to security? While a breach may occur at an individual location, it is YOUR brand name that will be pasted all over the news. It is debatable whether or not any news is good news, so I don’t recommend taunting that bear.

As an industry we try to put so much effort into defending our systems, which will always be needed. However, we also have to focus on the ability to determine if something has successfully gotten through those defenses. Ordering another Penetration Test will just try to help identify where the gaps are, it will most likely not identify that someone has already exploited it.

I know, I know, we are short on cyber security professionals and we just don’t have the man power. That is excuse for not properly utilizing the resources that you have. You don’t have to be a cyber security professional to understand networking and computer systems. To monitor network traffic looking for anomalies. Network admins and analysts should know what normal traffic looks like and what a normal installation looks like. Changes in that information should spark some interest. We can’t just wait for the network to tell us… we have to start thinking about going and searching for these differences.

We also need to get better at sharing the details of what happened in one breach so the rest of the industry can learn from it. If you are hit by some unknown malware, what are the signs and signatures of it? How did you identify it so the rest of us can go look? We have so many “researchers” testing sites for things like XSS and SQL Injection, lets get some of them researching how the malware can be identified and creating tools to help sniff it out to eradicate it before it effects millions of sites? Crowd sourcing is working great to find things like XSS, why not use it to help snuff bugs quickly.

We need to start digging deep into how we approach security and come up with better ways to protect systems. We need to focus on the ability to identify breaches more quickly. We need to analyze those breaches to get tools available to quickly block the attack methods. Lets start working together to make a difference.

1.2 Billion Passwords… Password Best Practices Again

There is a lot of talk about the recent discovery of what appears to be about 1.2 billion username and passwords stolen. I haven’t seen the list, so I can’t confirm that, but let’s assume it is accurate. Is this something we should be panicking about?

The first question is how many unique people does this actually effect? The chances that it effects 1.2 billion people seems pretty. I haven’t seen any statistics generated but we have to assume that those people that are connected to the internet have more than one user account. The breach says the credentials were pilfered from more than 450,000 sites. Of course that information is not being released, and we don’t need it to protect ourselves.

Practice Good Password Practices

With all the recent breach coverage we can’t help but to continue preaching good password practices. You may ask if it really matters with all the breaches that occur, or what control you really have. It is not like these passwords are stolen from you, the application that stores them is usually the culprit.

As those that create and rely on passwords, we do want to help take care of them as best we can. I can’t control what the developer is doing to protect the password on their end, so I have to assume the worst and do the best I can on my end. At some point, I think we will start to see people actually stop using applications that are not proactively protecting our data, but to do that we need applications that are transparent and show us they are doing things right to gain our business.

Choosing Strong Passwords
We should start off by choosing strong passwords. Unfortunately, a lot of critical applications still don’t support strong enough passwords, but if you can, try to have at least 15 characters in the password. When it comes to password strength it is the length that has the greatest effect. Remember, it is rare that someone is trying to guess Your password, rather they are running software tools to crack large swaths of passwords. I prefer to use pass phrases or sentences to create my password. This makes it easier to remember and more difficult to crack.

Changing Passwords Regularly
Changing your password to critical systems regularly can help avoid your password from being stolen by malicious users. Many corporate systems require password changes every 45-90 days for end users. You should follow that guideline too for personal applications, especially the ones that focus on financial artifacts (such as your bank accounts). Lets hope that a company that has been breached and lost passwords isn’t losing them day after day. We hope it was a one or two time thing. By changing our passwords regularly it increases the chance that the breached data is no longer valid by the time it gets used.

Don’t Reuse Passwords
It is recommended to not use the same password on multiple sites. I understand that this is a pain point because it is difficult to remember that many passwords. Try a password manager, a piece of software to store all your passwords securely, to help solve that problem. The issue with re-using passwords is that many sites allow you to use the same username, or just your email address as the user name. Once your data has been stolen from one application, an attacker may try that password on another site where you use those same credentials. This also includes not using similar passwords. Using passwords like Summer2014 and Fall2014 are not a good idea because if these are identified, it is simple to figure out the pattern and guess the next password in line. This is critical if you do change your password regularly, and an older password got breached.

2 Factor Authentication
If a site offers 2-factor authentication, enable it. Two factor authentication means that the site will prompt you for your username and password and then a secondary piece of information. For example, my bank will send me a token via email that I have to enter. This token is different every time I log in. Many sites are starting to support tools like Google Authenticator, which is an app that runs on your mobile device and provides that 2nd piece of authentication. If you are using sites that do not support 2 factor authentication, write to them and request it. Remember, they are storing your data, you want it protected.

Validate the Hype

When news like this breaks, we often have a tendency to really overreact thinking that it is the end of the world. Credentials got stolen, we are not disputing that, but lets step back and think about what that means. Keep in mind that in this announcement, applications or companies were not named. At this point, it is possible the credentials are for meaningless sites that are not that big of a deal. Due to the nature of the accounts being used to send spam I am guessing many are probably email accounts, but that is just a guess. What has happened in the past can’t really be changed. We change our passwords, we monitor our accounts (like we should be anyway) and we continue reaping the benefits that these applications provide us.

Stay safe, and keep your eyes open.

Ebay Password Breach

Ebay announced today that the had usernames, encrypted passwords, phone numbers, email address, physical address and date of birth stolen during a recent breach.  The key here is encrypted passwords, which hopefully means strong security.  That is just an assumption though.  It is not uncommon by any stretch to see a large company suffering from a breach that includes user credentials.  We often overlook the idea that credentials are actually very valuable.  We spend so much time focusing on social security numbers, credit card numbers, and HIPAA data that we forget about the basics.   Those keys that protect the rest of all of that data.

Ebay believes that no other data (financial, etc) was accessed during the breach.  This is the good news.   The bad news is we now need to change our passwords again.  Look on the bright side, if we used fingerprints as our access we would only change our password a few thousand times before we had to start using toes.  There are a lot of different passwords we can come up with.  I know it is obvious, but if you haven’t stopped reading this post to go change your Ebay password, stop for a moment and go do that.

Managing our passwords can be difficult and we may often feel helpless as the end user because not only do we not have any control of how a company or service stores our passwords, we don’t have any insight into how they do it.  Previously people have mentioned advertising on the site how the password is protected.  It is an interesting idea.  The question is: does it make you more or less of a target?   There are a lot of factors that go into that determination.

If you advertise that you use bcrypt with 10,000 iterations, is good or bad?   Will the bad guys just turn around looking for that easier score or will they accept that challenge.  Now advertise that you are just storing passwords using MD5 with no salt.   The difference between the two is like seeing a wireless network with and without a password.  Of course, the problem we also have is whether or not the description provided would mean anything to the average user.  My mom, even my wife, wouldn’t have any idea what MD5 or bcrypt meant or which one may be more secure.  It is server side, so do users care?   I am not really sure.    I don’t think advertising the details would really help the problem, maybe just satisfy those techies that want to debate over whether the company was following best practices.

Spread the word when you see that a site has been breached.  Let your friends and co-workers know so they too can take the appropriate steps to protect them selves.  We can’t fix a companies vulnerabilities, but we can all respond accordingly to calm the wave of destruction.

Target Breach: Monitor Your Financial Transactions

Leave a reply

On December 18, 2013 news broke that Target had suffered a security breach and in upwards of 40 million credit cards may have been impacted between Nov. 27 and Dec. 15. This information included the customer name, credit or debit card number, the card’s expiration date and the CVV code. This incident does not affect purchases made online and does not include every purchaser during that time frame. Here is a link to the notice from Target to its customers (https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca)

Many people want answers as to “how” this happened. While it is important for Target to get to the root cause of this problem, the “how” doesn’t change the mindset of how the consumer can protect himself.

Inevitably, the information that was accessed will end up in the under ground markets for sale to criminals. The biggest action you (the consumer) can do is monitor your credit card statements on a regular basis. If you notice fraudulent transactions appear then contact your financial institution immediately to take the proper steps to get it taken care of. Time is of the essence when reporting those fraudulent charges.

Often times the credit card transactions are not large purchases, but just small amounts. The criminals will charge a very small amount just to test to see if the credit card or debit card is working. Once they have confirmed this, they will then move forward with using this for a larger purchase.

Target is not the first company to suffer unauthorized access to customer information and it certainly will not be the last. While this incident has been widely publicized, it is no different than any of the other breaches that occur. Consumers should always practice the one key step of constantly monitoring their financial statements. This is the best way to protect yourself from becoming a victim.