In The News: Data Breach

Loading...

Thursday, 2 July 2015

Lessons Learned: June 2015 Data Breaches

data breach, OPM, IRS, Zomato, Japan Pension Service, Houston Astros, LastPass, Kaspersky
Governments, restaurants, cybersecurity firms and even baseball teams made the cyberattack headlines this past June. The 10 data breaches below are recent examples of what to do (take any and all security precautions), what not to do (open phishy email attachments or recycle passwords) and just how bad a breach can be (OPM). Know of a data breach we missed? Add it in the comments below.
  • Employees that opened a phishing email attachment at the Japan Pension Service unleashed a virus that claimed the personal data of 1.25 million people. The pension IDs and names of all were stolen; the addresses and birth dates of some were also compromised. 
  • Anand Prakash hacked into Indian-based restaurant search engine Zomato, accessing personal data such as private Instagram photos, to prove it could be done. Zomato fixed the glitch upon learning about it from Prakash, preventing any (known) wrongdoing.
  • Internal Revenue Commissioner John Koskinen of the United States Internal Revenue Service testified in response to hackers accessing the tax information of 104,000 Americans. He shared that the breach was largely attributed to a lack of multifactor authentication, systems updates and security upgrades—all of which had been suggested prior to the attack.
  • The (most likely) Chinese breach of the Office of Personnel Management has already been labeled one of the worst in United States history. The personnel files and background check information of up to 18 million current and former federal government employees and contractors were compromised, revealing a nearly endless supply of personal information: social security numbers, addresses, arrest and financial records, mental illness history, drug and alcohol use and more. If you’re hoping for a silver lining, here it is: the US has finally committed to using https encryption by default for all federal websites by the end of 2016.
  • Hackers used malware to steal credit card information over a 4 month period from customers at Manhattan’s Eataly. Breaches on small retailers have become a common occurrence, as the security tends to be relatively easy to penetrate, and sometimes serve as a test ground before hacking larger entities. Point of sale breaches have increasingly become an issue in North America, where chip technology has yet to catch up with the rest of the world.
  • Kaspersky Lab, the cybersecurity powerhouse, was breached by hackers in an attempt to learn how to infiltrate systems more surreptitiously. The attack showed that even Kaspersky is penetrable, but also that the company has action steps for such an event. A detailed report addressed user concerns: “Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.” 
  • Personal details in UK-based Brabantia’s customer database were compromised; the company assured customers that financial data such as banking and credit card numbers were stored by an external company and, therefore, safe.
  • User information of password service LastPass was compromised, if not breached, in a much-needed reminder that proper precautions prevent major debacles. In the words of LastPass: Our security and processes worked as designed, and customer data was, and is, protected.”  
  •  Missing Link Networks Inc., a credit card processor and point-of-sale vendor most closely associated with California wineries revealed that customer names, credit and debit card numbers, billing addresses and dates of birth were compromised for all transactions processed in April 2015. The breach motivated Missing Link Networks to move to a token system to avoid storing credit card numbers in the future. 
  • Major League Baseball’s Houston Astros were breached by the St. Louis Cardinals; compromised is private internal database information regarding trades, statistics and scouting reports. The key to the success of this unsophisticated breach? General Manager Jeff Luhnow and other Cardinals-turned-Astros used the same password in both offices.

Tuesday, 30 June 2015

New Social Media Platform Dubbed “The People’s Site” by Anonymous

This article was originally published by theAntiMedia.org on June 18, 2015.

ClaireBernish 
(ANTIMEDIA) Facebook may have finally met its match. By directly targeting the social media behemoth’s lack of messaging encryption, infamously opaque algorithms, and government and advertiser accessibility, Minds.com has earned the attention of privacy advocates, activists, and frustrated Facebook users—and has even garnered active support from Anonymous. By employing many similar features found on Facebook and other social media giants, Minds gives its users a familiar platform without the numerous privacy concerns plaguing the long-established sites.

Users will find the typical status updates, comments, and link-sharing as other social media, but Minds takes the government’s eyes out of the equation by encrypting private messages and using open-source code that any programmer can check. The platform uses a “reward’ system based on points to earn “views” for posts, so the more active you are, the more the network will promote your posts—-without hindrance from advertisers and profit models.

“For every mobile vote, comment, remind, swipe & upload you earn points which can be exchanged for views on posts of your choice. It’s a new web paradigm that gives everyone a voice,” explains the website.

Minds.com founder Bill Ottman told Business Insider, “Our stance is the users deserve the control of social media in every sense.”

As an answer Facebook’s enigmatic algorithm that has contentiously manipulated users’ newsfeeds for years—essentially strangling organic post reach, even for wildly popular pages—Minds has vowed its formula for boosting posts will be transparent and available. Instead of using inexplicable formulas that rely on Orwellian features like how much time a user lurks on a post, the new platform logically bases its system on user interaction.

These features have been so appealing, the site had 60 million visitors before the official launch on Monday—the majority of whom listed an interest in “alternative media” as their primary reason to be there. In fact, the Facebook page Anonymous Art of Revolution—with a following of over one million users—boosted the Minds website when it announced a hackathon. According to the post:

Anonymous is initiating a call to hackers, designers, creators and programmers to unite worldwide. Let us collaborate on the code of Minds.com and build a top site that is truly of the people, by the people and for the people.”

There have been many attempts to build alternatives to Facebook, but Minds.com—with its heavy emphasis on privacy and transparency—appears to be the most promising yet.

Facebook, theAntiMedia.org, Anonymous, digital privacy, minds.com, encryption, social media
[Image: theAntiMedia.org]

Thursday, 25 June 2015

Google Policy Change Limits Revenge Porn; Legislation Still Needed


Revenge porn, nonconsensual pornography, Google, privacy, John Oliver, Last Week Tonight, Cyber Civil Rights Initiative
Google, an entity that believes strongly in the right to know, has found a worthwhile exception to its rule.

Google joined a growing movement last week with the announcement that it would remove revenge porn from Google Search results. The search engine giant follows Reddit, Twitter and Facebook in asserting that revenge porn is an egregious privacy violation, not an expression of free speech.

Google made its rationale explicit: “Our philosophy has always been that Search should reflect the whole web. But revenge porn images are intensely personal and emotionally damaging, and serve only to degrade the victims—predominantly women. So going forward, we’ll honor requests from people to remove nude or sexually explicit images shared without their consent from Google Search results. This is a narrow and limited policy, similar to how we treat removal requests for other highly sensitive personal information, such as bank account numbers and signatures, that may surface in our search results.”

Although a removal from Google Search results will not remove images themselves from the internet, the top search engine’s actions carry significant weight. Within days of the announcement, revenge porn—the conversation topic—found itself all over the internet.

Comedian John Oliver used his Sunday night segment of Last Week Tonight to dispel commonly held myths about revenge porn. The term itself is a misnomer, as it frequently has nothing to do with retribution: the term encapsulates hackers exploiting strangers’ photos for pleasure or profit as well as ex-lovers divulging private photos for payback. For this reason, ‘nonconsensual pornography’ is used as a more accurate term.

Additionally, United States federal laws do not exist to protect against revenge pornography, leaving victims with little in terms of self-defense. Oliver referenced the fact that victims who want to remove their images must first copyright the exploited photos—allow the federal government to closely scrutinize the very pornographic photos they are attempting to remove from circulation—as proof that the law is not on their side. 

Protective federal legislation is much needed and the argument that it will lead to wholesale government censorship of the internet is simply unacceptable. Oliver quipped, “I’m well aware that asking law enforcement to police speech is a dicey proposition. No one wants them patrolling message boards looking for violent language.” Google described its own policy regarding revenge porn as ‘narrow and limited;’ future legislation should be viewed in the same light.

Mary Ann Franks, Legislative and Tech Policy Director of the Cyber Civil Rights Initiative, further reinforced the importance of the Intimate Privacy Protection Act via the Huffington Post. Franks has worked closely with Reps. Jackie Speier (D-CA) and Gregory Meeks (D-NY) to draft the Intimate Privacy Protection Act, which is expected to be introduced in Congress shortly. The bill draws from child pornography legislation and targets photos that are sexually explicit, taken in private and shared without written consent of the subject.

In Franks’ words, “Laws protecting privacy have a long and important history in this country. Privacy is essential to freedom of expression and speech, as well as being fundamental to a democratic society committed to equality and personal autonomy. This is as true for sexual privacy as it is for financial or medical privacy, and a federal bill recognizing this is long overdue.”

National momentum is growing in favor of victim privacy regarding nonconsensual pornography. Google’s onboarding has thrust revenge porn into the limelight, hopefully at the right time to build the support needed to move the Intimate Privacy Protection Act forward.

Wednesday, 24 June 2015

2014 Samsung Vulnerability Still A Threat

Samsung vulnerability VPN insecure Wi-Fi Galaxy NowSecure SwiftKey
[Image: Maurizio Pesce]
Samsung users, beware.

As many as 600 million Samsung phones, including Galaxy S5 and S6, are currently at risk of being hacked. A vulnerability due to the pre-installed SwiftKey keyboard enables an outsider to listen to conversations; explore contacts, text messages and photos; install unwanted apps; change settings; and access GPS, camera and microphone.

Cybersecurity company NowSecure alerted Samsung to the vulnerability in November of 2014, beginning four months of negotiations between the two entities: NowSecure wanted to publicize the issue as soon as possible to protect consumers while Samsung hoped to keep quiet until able to offer a solution. The companies finally reached agreement in March, when Samsung was able to send a fix to wireless carriers, and a decision was reached to go public in June.

In the last three months, carriers’ attempts to patch phones via user downloads have yielded questionable results. According to the WallStreet Journal, NowSecure researchers found the security flaw in new Samsung Galaxy S6s earlier this month, prompting NowSecure CEO Andrew Hoog to state that “there are many, many phones that will never get updated. And that’s why we have to raise this visibility.”

Such is the furtive world of cybersecurity politics. If you don’t talk about it, it doesn’t get fixed; if you talk about it before you fix it, you could make it worse.

So far, going public has motivated Samsung to directly address the glitch. On June 18, Samsung’s blog reported that the company would provide security policy updates in “a few days.” Samsung additionally provided instructions for users to enable their phones to automatically accept all security policy updates, a reminder that ultimately, the success of these updates remains in the hands of users.

To counter NowSecure’s fears, Samsung acknowledged that as of June 16, no users had reported compromised security on their phones and expressed that “the likelihood of making a successful attack, exploiting this vulnerability is low,” largely because it would require a hacker to be on the same unprotected network as a user while the latter is downloading a specific update.

Regardless, if there were a perfect time to take advantage of the Samsung weakness, that time is now. Between Samsung’s blog describing the conditions under which to exploit the vulnerability and NowSecure’s blog providing a step-by-step breakdown of how the glitch was found, hackers currently have a wealth of suggestions at their fingertips.

In the meantime, the most reliable solution—short of abandoning your Samsung phone—is to protect yourself from insecure public Wi-Fi. We couldn’t agree more.

Thursday, 18 June 2015

Unpatched Vulnerability Compromises Chinese Security

China internet hacking VPN JSNOP
[Image: Marc Oh!]
VPNs and Tor, a network that protects anonymity by routing traffic through a series of servers, are considered two of the most trusted methods of digital privacy protection. Regardless, recent findings reveal that hackers in China successfully bypassed the security provided by these services.

Hackers—believed to be the Chinese government—carried out a “watering hole attack” against visitors to websites trafficked by Chinese journalists and Uighurs, a Muslim ethnic minority: they planted code in websites that would in turn plant itself in visitors’ web browsers. Tor and VPN users suffered the same casualties as other internet users. As long as visitors were also logged into Baidu, Taobao or one of China’s 13 other major web services, hackers gained access to their names, addresses, sex, birth dates, email addresses, phone numbers and internet cookies. 

This situation, however, could have easily been avoided. At fault is JSNOP, an unpatched vulnerability in China’s most popular web services, or more accurately, the powers that have allowed JSNOP to continue. JSNOP was made public in 2013—when it was previously used to target Uighur websites—but to this day has not been fixed. It is hard to imagine a reason to keep JSNOP in place unless pressure existed to keep it there.

The New York Times quoted AlienVault security researcher Jaime Blasco’s response to JSNOP’s continued existence: “The equivalent would be if law enforcement was able to exploit a serious vulnerability in Facebook to deanonymize users of Tor and VPNs in the United States. You would assume Facebook would fix that pretty fast.”

This latest hack shows the extent to which the Great Firewall of China plays by its own rules. Most hackers are motivated by money, but as Blasco pointed out, “There’s no financial gain from targeting these sites.” Instead, China targets citizens daring to embrace their rights to freedom of expression and religion. These are the very people that VPNs were designed for, yet no amount of technology has proven to withstand a complex, targeted attack from this government.

VPN and Tor users outside of China are likely happy to be so. However, if we are willing to accept that the JSNOP vulnerability is just a backdoor by another name, the dividing line between China and its neighbors begins to blur. Governments in the United States and the United Kingdom continue to push for backdoor access to encrypted technology; let the latest Chinese hack serve as a reminder of just how dangerous such access could be.