Tag Archives: data breach

Adult FriendFinder Hack: ID Theft is NOT the Only Game in Town

When a breach occurs that shares our personal information we immediately think about identity theft and credit card fraud. More recently we are seeing more health information compromised as well, but the Adult FriendFinder breach changes that focus. The hack still revolves around personal information, but with the exception of the username/password, it does not include social security numbers or credit card numbers. Rather, this breach is focused on a persons sexual preferences or desires.

According to the story at CNN and other news sources, username and passwords were retrieved. As with any breach like this, it is recommended to change your passwords on other sites if you are reusing them, and definitely change the password for this site. While that can be devastating if your username/password combo work on other sites, especially financial sites, we are seeing a different concern arise here.

There are a lot of different data privacy or data breach notification laws that have been passed throughout the country. Originally the focus was on identity data, then moved to health data. Even more recently, Illinois is trying to include marketing data as well. In this situation, we have sexual preference data. This isn’t used to steal a persons identity or charge up their credit card accounts. This type of data is used for extortion or reputational harm. In our overly judgmental society, this type of data can destroy your livelihood.

It has already been shown that victims of the breach can be identified and that there are bad guys that are already using this data to start attacking them. How could they attack? The easiest way is by using identified social media accounts to send spear phishing attacks about the situation to them. A user clicks on the link in the email attack and is presented with a malicious file that gives the attacker control over their machine. This is probably the most likely attack because it is easy and efficient.

The second option is to extort those victims. Tell them that you have this information and if you don’t pay a large sum of money, that information will go public. Of course that information pretty much is public, and the organization of that may be more costly to the bad guys making this less attractive.

In either case, they are playing off of the victim’s fears of this information being leaked. Unlike a credit card number or a password, you can’t just change this information once it is made public. You can attempt a cover story of “that isn’t me” or “I just made that up” but recovering becomes a nightmare.

Even worse, besides not using the site, there is nothing you could do to prevent this hack. While they haven’t given details of how the site was hacked, it appears as though it was from the server, and not a user’s computer. Of course, there is a chance that this could be wrong, but if not, a user of the site has very little control over this happening. We rely on a site to protect this type of data because when they don’t, it can create a nightmare for the users of the site.

If you think you were a victim of this breach, be on the look out for phishing emails. Emails that claim to be about this breach asking you to go to a site to change your credentials, or input other information. Go to the site directly and change your password. If extortion occurs I would recommend reaching out to the local authorities for assistance on what to do.

When Breaches Get Personal

Unless you have been living under a rock, you have probably heard about the breach of privacy against some celebrities who had some indecent images stolen. It is easy to get caught up in the hoopla that surrounds this latest intrusion due to the racy images that were stolen, but there is a bigger question around all of this. Lets pull away those top layers and see what the deal is.

The story goes that images were taken with mobile devices, and that device then synced the data to some form of cloud storage. You have seen cloud storage before right? DropBox, Sync, Box, ICloud, etc. There are a lot of services that allow storing your data into “The Cloud”. Some of this is just for backup purposes, others help sync data across multiple devices.

Lets start by talking about this mysterious cloud. If you saw the recent movie “Sex Tape” you may have heard it mentioned. You might be shocked that the only thing about the cloud that actually resembles a cloud is its representative image on a network diagram. There are lots of definitions and everyone will tell you something different when describing the cloud. The key point is that these services have servers running in multiple data centers and when you send your data to them it gets stored on those servers. You don’t know where the data actually is, and in most cases it doesn’t matter. It is, in this scenario, an offsite storage mechanism.

Many of these services make it easy to sync files between devices. Wait, you really don’t have more than one device? It is becoming much more common for people to have a phone, tablet, computer, etc. Wouldn’t it be great if when you created a file (photo, document, etc) that it was available on all your devices? The cloud services help with that. Some programs, like the IOS photos feature will automatically sync your pictures to all your devices.

Whether people are aware of how this works, or the implications is hard to really determine. I think most people really don’t think about the mechanism by which the photo made it from their phone to their tablet. They just care that it got there, not thinking about a copy being stored somewhere else. Just like in law, ignorance is no excuse for not knowing what is going on with your devices and services.

As we have seen in the past few years, breaches are an every day occurrence. Usually we see them at big businesses or retailers. These cloud services are also targets due to the types of data they store. Sure, in the most recent case it was nude photos, but think of some of the other stuff that you store from your device. There is a lot of potential for sensitive information being stored.

Do you stop using cloud services because of an incident? Personally, I keep on trucking as usual. I use ICloud, DropBox, and other cloud services all the time. Understand, there is a risk to using any of these services, although I wonder if that risk of the service getting compromised is less than or greater than your own personal device getting compromised. Like everything we do dealing with life, you have to be aware and take responsibility for what you do. Hey, if you want to take nude photos, that is your business. If those images get compromised, and if on an electronic device there is a chance of that, then you determine how to handle the situation. This goes for any data you store, not just photos.

There is so much finger pointing and blame game going around the internet about the recent nude photo breaches. It is the celebrities fault, it is the hackers fault, it is the cloud service provider’s fault. I don’t see how any blame is put on people that take pictures and use a service. We were all given a choice and that doesn’t give anyone else the right to exploit it. Depending on how the accounts were compromised, maybe user, maybe provider. If the provider did something completely negligent, then I can see some problem there. But lets not let any of that detract from the true malicious user here; the attacker that broke in and stole the information. There are going to be people that do this all the time and we are seeing more of it everyday. Lets be clear, there is no way to remove the blame from the attacker in any of these scenarios.

As users, we need to stay focused on doing the right security practices. Strong pass phrases, less password reuse across sites, don’t click stuff you shouldn’t, stay away from shady sites, and think about what you are doing. Don’t get caught up in the hype of news headlines, but rather take in the details and determine what the real issue is. All of the talk about nude photos is not the issue. Data stolen by an attacker is the issue. Be safe and enjoy the internet.

Ebay Password Breach

Ebay announced today that the had usernames, encrypted passwords, phone numbers, email address, physical address and date of birth stolen during a recent breach.  The key here is encrypted passwords, which hopefully means strong security.  That is just an assumption though.  It is not uncommon by any stretch to see a large company suffering from a breach that includes user credentials.  We often overlook the idea that credentials are actually very valuable.  We spend so much time focusing on social security numbers, credit card numbers, and HIPAA data that we forget about the basics.   Those keys that protect the rest of all of that data.

Ebay believes that no other data (financial, etc) was accessed during the breach.  This is the good news.   The bad news is we now need to change our passwords again.  Look on the bright side, if we used fingerprints as our access we would only change our password a few thousand times before we had to start using toes.  There are a lot of different passwords we can come up with.  I know it is obvious, but if you haven’t stopped reading this post to go change your Ebay password, stop for a moment and go do that.

Managing our passwords can be difficult and we may often feel helpless as the end user because not only do we not have any control of how a company or service stores our passwords, we don’t have any insight into how they do it.  Previously people have mentioned advertising on the site how the password is protected.  It is an interesting idea.  The question is: does it make you more or less of a target?   There are a lot of factors that go into that determination.

If you advertise that you use bcrypt with 10,000 iterations, is good or bad?   Will the bad guys just turn around looking for that easier score or will they accept that challenge.  Now advertise that you are just storing passwords using MD5 with no salt.   The difference between the two is like seeing a wireless network with and without a password.  Of course, the problem we also have is whether or not the description provided would mean anything to the average user.  My mom, even my wife, wouldn’t have any idea what MD5 or bcrypt meant or which one may be more secure.  It is server side, so do users care?   I am not really sure.    I don’t think advertising the details would really help the problem, maybe just satisfy those techies that want to debate over whether the company was following best practices.

Spread the word when you see that a site has been breached.  Let your friends and co-workers know so they too can take the appropriate steps to protect them selves.  We can’t fix a companies vulnerabilities, but we can all respond accordingly to calm the wave of destruction.