Microsoft Drops Groove Music Pass Sending Customers To Spotify

Groove Music has had a short, troubled life.

It started out as Zune Music, but Microsoft bought it in 2012, promptly rebranding it as Xbox Music before changing its name again to Groove. Now, the company has decided to get out of the music business altogether, and is sending all of its paying customers over to Spotify.

The idea behind Groove Music was a pretty solid one. When Windows 10 was rolled out, it included a new music player called Groove, and the music service was to tie into this new platform, allowing users to play locally stored music files or subscribe to a streaming service, switching between the two seamlessly.

Groove Music Pass was the name given to the subscription service that allowed users to stream music via desktops, mobile devices and gaming consoles.

Although no detailed explanation was given, it seems clear that the service didn’t turn out to be the financial boon that Microsoft first imagined it to be. So, as part of the company’s next Patch Tuesday rollout, all Groove Music Pass customers will receive a notification and instructions on how to move their music collection over to Spotify.

Note, however, that the Groove music player itself lives on, and you’ll still be able to use it to play locally stored music files.

The bottom line is that if you’re a Groove Music Pass user, this may actually be good news. Spotify is an excellent service with a broader catalog than Microsoft’s service offered. They’ve been in the business longer and are obviously committed to remaining one of the industry’s top players, so the opportunity to switch, while it does carry some initial overhead and annoyance, is almost certain to be well worth it in the long run.

New WiFi Issue Could Affect Millions Of Users And Devices

Security researchers have found a new critical security flaw dubbed “Krack” (Key Reinstallation Attacks) that affects literally every WiFi router and smartphone in use today. The reason? The security flaw resides in the WiFi standard itself, rather than in a third-party product.

In addition to being vast in scope and scale, Krack is a particularly nasty, versatile flaw, allowing hackers to intercept credit card numbers, passwords, photos and a whole host of sensitive personal information.

It works like this: A hacker finds a vulnerable WPA2 network, and then makes an exact copy of it, including impersonating the MAC address. This clone then serves as a “man in the middle” allowing the hacker who controls it to intercept everything passing through it.

WPA2 encryption requires a unique key to encrypt each block of plain text, but because Krack attacks make a copy that’s indistinguishable from the original, they’re able to use the same encryption key.

As bad as that is, it gets worse for Android and Linux users. Thanks to a bug in the WPA2 standard, these devices don’t force the client to demand a unique encryption key with each use. Instead, they allow the key to be “zeroed out,” literally creating an encryption key containing all zeroes, which interferes with a key part of the handshake process.
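The article’s point that the clone ends up reusing the same encryption key is really a point about keystream reuse: a stream cipher is only safe while every packet gets a fresh keystream, and a reinstalled key restarts the packet counter that keeps the per-packet nonce unique. The following added example (not code from the article, from the Krack researchers, or from any WiFi implementation) models that with a toy counter-mode keystream built from SHA-256. All keys, nonces and packet contents are constructed sample data, and the cipher is a stand-in, not WPA2’s real AES-CCMP; the property demonstrated does not depend on the cipher.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter), truncated.
    A stand-in for a real per-packet keystream (assumption: not WPA2's own cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input; enough for the comparison below.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def observer_learns(c1: bytes, c2: bytes) -> bytes:
    """A passive observer can always compute c1 XOR c2. If both packets were
    encrypted under the same keystream, it cancels out and this equals p1 XOR p2."""
    return xor_bytes(c1, c2)


def keystream_reuse_leaks(reuse_nonce: bool) -> bool:
    """Returns True when c1 XOR c2 equals p1 XOR p2, i.e. when the relationship
    between the two plaintexts leaks. Key and packets are constructed sample data."""
    key = hashlib.sha256(b"constructed session key").digest()
    p1 = b"POST /login user=alice&pw=hunter2"
    p2 = b"GET /news/today.html HTTP/1.1 Host=a"
    nonce1 = (1).to_bytes(16, "big")  # packet number 1
    # A reinstalled key resets the packet counter, so the next packet reuses nonce 1.
    nonce2 = nonce1 if reuse_nonce else (2).to_bytes(16, "big")
    c1, c2 = encrypt(key, nonce1, p1), encrypt(key, nonce2, p2)
    return observer_learns(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    print("fresh nonce per packet, leak:", keystream_reuse_leaks(False))   # False
    print("nonce reset by reinstall, leak:", keystream_reuse_leaks(True))  # True
```

With fresh nonces the observer’s XOR is just noise; with a repeated nonce it is exactly the XOR of the two plaintexts, which is why the reinstallation, not the clone itself, is the dangerous part. The all-zero-key case the article mentions is worse still: a keystream derived from a known key depends on nothing secret, so `decrypt(bytes(32), nonce, ciphertext)` works for anyone on the channel.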

In addition to that, hackers can deploy specialized scripts that can cause the connection to bypass HTTPS, which leaves passwords and other normally protected data exposed.

If there’s a silver lining, it is that the attack can’t be used to target routers directly, but honestly, that’s not much of a silver lining, because the potential damage this new vector could cause is virtually without limit.

Unfortunately, until a patch is released, there’s not much you can do, short of turning off WiFi altogether. This may work for smartphone users, but it is simply impractical for routers.

There’s some good news, though. The fix should be relatively easy to implement, although no ETA has been given at this point.

ATMs Continue To Be Huge Target For Hackers

Hackers are the new bank robbers in a very literal sense. Increasingly, hackers have taken to infiltrating bank networks specifically for the purpose of infecting ATMs attached to their network with malicious code that makes stealing from them a snap.

Once the malware has been installed on a target machine, a lower-level member of the hacker’s organization can simply walk up and activate the code via a pre-defined numeric sequence, causing it to spit out money.

All the low-level hacker has to do is pocket it, take it back to HQ, and divide the spoils.

It gets even better from the hacker’s point of view, though. The same malware that can be triggered to launch the “Cash Out” style attack described above can also collect debit card information from anyone who uses the machine, enabling them to double dip, stealing not just from the bank, but also from a growing collection of its customers.

Considering the extreme risks involved with “Old School” bank robbing, this is a pretty attractive option, and it’s not at all hard to see why hackers have been increasingly drawn to it.

Thus far, attacks like these have been seen in the Far East, but haven’t yet made their way to Europe or America in any significant way. Given their level of success, however, it’s just a matter of time before we start seeing similar attacks here.

So far, the largest attack of this type occurred in Taiwan, in July 2016, when a group of hackers orchestrated a highly coordinated attack that struck 41 different ATMs and saw the group make off with a hefty $2.7 million in cash.

Again, this is small potatoes compared to some other, more mainstream attacks. Take the malware Carbanak, for instance, which has been tied to bank thefts totaling more than $1 billion in a combination of fraudulent wire transfers and ATM attacks. Even so, the trend is a growing one, and it’s all but inevitable that we’ll start seeing such attacks in the US, probably sooner rather than later.

Equifax Announces Another 2+ Million Were Affected By Breach

Equifax’s problems just keep getting worse.

Not long ago, the company suffered a major data breach that ultimately resulted in the CEO stepping down and a painful congressional grilling. Initial estimates placed the number of impacted users at some 143 million, but as the investigation has continued, it turns out that the numbers are even higher than initially feared. Based on the forensic team’s final report, as many as 145.5 million users were impacted.

In our modern society, there are many who would argue that your credit score is as important as, if not more important than, your Social Security number. To arrive at your score, the “Big Three” credit reporting agencies necessarily have to collect a large amount of sensitive information about people, so when they suffer a breach, it’s bad, and in Equifax’s case, it just keeps getting worse.

Based on the latest information, the compromised data included names, social security numbers, birthdays, and addresses. If that wasn’t bad enough, some 200,000 customers saw their credit card information exposed, along with an unknown number of electronic documents containing PII.

Most of the impacted customers live in the United States, but approximately 80,000 were Canadians.

To put these numbers in full context, Equifax maintains files on more than 800 million people around the world, along with more than 90 million businesses, so the breach, while catastrophic in size, wasn’t nearly as bad as it could have been.

That’s small consolation to the millions who have been impacted, but it’s important to understand that as bad as the breach was, it was quite far from the worst case scenario.

In the aftermath of the breach, the company has come under fire by the US Government, which has charged that the company actually stands to profit from it by selling a credit monitoring service after giving impacted consumers one year free.

In light of the recent congressional hearings on the matter, the future of that program is unclear, but this breach, and its root cause (an unpatched Apache Struts 2 vulnerability) serves to underscore how easy it is for even big multinational companies to fall victim to a determined hacker.

Update: WiFi Security Issue That Could Impact Most Routers, Smartphones

Recently, we wrote an urgent article about a serious security flaw in the current WiFi standard that could impact almost every wireless router and smartphone on the planet.

Dubbed the “Krack Attack,” this flaw allows a hacker to make a carbon copy of your WPA2-encrypted network, spoof its MAC address, change the WiFi channel and reroute all network traffic through the clone that they control.

This, of course, allows them to spy on all network traffic and execute a wide range of “man in the middle” attacks against any traffic passing through, which opens the door to tremendous damage.

Microsoft has been quick to respond to the latest threat and has already released a patch which addresses the issue for Windows-based PCs. If you’re running Windows 8 and above and automatically getting security updates, then you should already have the patch, and you are protected.

That’s good news, given how large a footprint Windows has, but sadly, it does not completely solve the problem.

That’s because Android and Linux-based systems are even more at risk. In those cases, a second flaw makes the problem worse. They do not demand a unique encryption key, which makes it easier, by far, for hackers deploying the Krack Attack to abuse devices running those operating systems.

There’s been no word on an ETA for a Linux fix, but Google has announced that an update planned for release on November 6 will resolve the issue on that front. For Apple’s part, the company reports that the flaw has been addressed in beta versions of macOS, iOS, tvOS, and watchOS. They are anticipating rolling out live versions of these fixes later this month, although a specific release date has not been announced at this point.

All that to say, regardless of which platform you’re using, hang tight. Help is on the way, and kudos to Microsoft for being the first tech giant out the gate with a solution.

Whole Foods Reports Credit Card Breach

It seems that hardly a week goes by that we don’t hear about another high-profile data breach. This time in the hot seat, we find Amazon-owned Whole Foods. Specifically, we find Whole Foods Market locations. The company is reporting that hackers were able to gain unauthorized access to credit card information at an undisclosed number of its stores in the US, the UK and Canada.

So far, the company has not released details relating to which stores were impacted, only that POS terminals were targeted, and that some customer credit and debit card data was compromised, though a company spokesperson did stress that the breach did not allow the hackers to access purchase information.

Whole Foods has called in an outside firm to help it investigate the breach, is working with law enforcement agencies and has posted a brief notice on its website.

The company encourages anyone who has shopped at Whole Foods Market to monitor their credit card statements closely to make sure there’s been no unauthorized activity.

As corporate responses go, Whole Foods’ has been less than perfect. So far, the company has not released any details about the exact number of stores impacted, where they were, and how many customers have been affected.

Further, to this point, there’s no indication that the company has made any attempt to reach out to the impacted customers and notify them, or offer them any form of free credit monitoring or related services. Although, to be fair, the situation is still unfolding and the company may take these actions at some point down the road.

The situation is still quite fluid, and if and as additional information becomes available, we’ll have more to say about this. For the time being, the important takeaway is that if you’ve shopped at Whole Foods Market, keep a close watch on your credit or debit card. It may have been compromised.

Even Minimal Exposure Can Result In Huge Fines

Data security is no laughing matter, and even small exposures can lead to hefty fines, no matter the size of your company.

Last year, the federal government sent shockwaves through the industry when they began an aggressive campaign of investigating and punishing companies for HIPAA infractions, logging more than a dozen high profile settlements.

While it’s true that this particular case did not involve a HIPAA violation, it has much in common with the hefty fines the federal government has been levying as of late for even small HIPAA infractions. This particular incident revolved around a spreadsheet which contained personal data on 660 ACA enrollees in the state of Vermont.

The spreadsheet was on a remote server managed by Samanage USA, a small North Carolina-based IT support service, and was improperly secured, allowing for unauthorized access to it.

As it happened, one of the people on the spreadsheet was doing a Google search of her own name and came across the entry in a search result. When she saw it, she immediately notified the state’s Attorney General, which prompted a formal investigation.

The search result was traced back to Amazon Web Services (AWS), and then to Samanage. An Amazon engineer emailed Samanage to inform them that it had PII improperly secured and publicly accessible, and asked them to remove it.

Samanage began an investigation of their own, found the problem and promptly corrected it, but failed to inform their client company, WEX Health about the breach.

Ultimately, this is what got Samanage in trouble. According to the settlement, the $264,000 fine was levied specifically for not notifying the proper authorities that the breach had occurred, which, under Vermont state law, included WEX Health.

The reason that this was not seen as a HIPAA breach was that Samanage was a subcontractor for the information services provider to a health plan offered through the ACA’s marketplace. As such, they were designated as a non-covered entity where HIPAA privacy, security and breach notification rules were concerned.

Imagine how much bigger the fine would have been if they had been in violation. A sobering thought indeed.

New Malware Can Infect Computers, Even With Windows Defender

Researchers at the security firm CyberArk have discovered a new attack vector they’ve dubbed “Illusion Gap.” While it’s somewhat tricky for a hacker to implement, when it works, it can be devastatingly effective, completely bypassing Windows Defender, which is security software that comes pre-loaded on all Windows-based computers.

To successfully execute the attack, the hacker relies on a combination of social engineering tricks and the use of a rogue SMB server. Thanks to the way Windows Defender scans files stored on an SMB share, if an attacker can convince a user to execute a poisoned file hosted on a malicious server, then Windows Defender can be bypassed completely.

This is actually not as difficult as it may first appear. Often, simply presenting the user with a shortcut to the poisoned file is sufficient, and the moment that a user double clicks the shortcut, the damage is done.

Windows Defender does try, because before the file is executed, it requests a copy for scanning purposes, but the hackers can simply substitute a clean copy of the file to hand off to Windows Defender, tricking it into thinking that there’s no problem. That done, the poisoned file executes and can inject whatever code the hacker likes into the target system.
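What the article describes is a time-of-check/time-of-use gap: the scanner reads its own copy of the file, the executing component reads the file again, and nothing ties the two reads together. The added example below (not CyberArk’s research code and not anything from Microsoft) models that gap with a constructed Python object that answers differently on its first and later reads, and sets the fragile scan-then-reread pattern beside the robust fetch-once pattern. The signature string and file contents are constructed, and `ChangingSource` is a hypothetical stand-in with no SMB involved.

```python
import hashlib

SIGNATURE = b"MALICIOUS-MARKER"  # constructed stand-in for a scanner signature


class ChangingSource:
    """Constructed stand-in for a file source whose answer depends on who asks:
    returns `first` to the first reader and `later` to every reader after that."""

    def __init__(self, first: bytes, later: bytes):
        self.first, self.later, self.reads = first, later, 0

    def read(self) -> bytes:
        self.reads += 1
        return self.first if self.reads == 1 else self.later


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scanner_says_clean(data: bytes) -> bool:
    """Toy signature check standing in for a real scanning engine."""
    return SIGNATURE not in data


def scan_then_reread(source: ChangingSource):
    """Fragile pattern: the scanner fetches its own copy, then the executing
    component fetches the file again. What was scanned and what runs can differ."""
    if not scanner_says_clean(source.read()):
        return ("blocked", None)
    executed = source.read()  # second read: may not be the bytes just scanned
    return ("ran", digest(executed))


def fetch_once(source: ChangingSource):
    """Robust pattern: fetch once, scan those bytes, execute those same bytes."""
    data = source.read()
    if not scanner_says_clean(data):
        return ("blocked", None)
    return ("ran", digest(data))


if __name__ == "__main__":
    clean, bad = b"harmless program", b"stub " + SIGNATURE
    print("scan-then-reread executed bad copy:",
          scan_then_reread(ChangingSource(clean, bad))[1] == digest(bad))   # True
    print("fetch-once executed scanned copy:",
          fetch_once(ChangingSource(clean, bad))[1] == digest(clean))       # True
```

The defensive takeaway for anyone building a scan-before-execute pipeline is the second function: the bytes that are scanned must be the bytes that execute, which in practice means copying a remote file to local storage first and scanning and running that local copy. The article’s own advice, to be careful with files and shortcuts that point at SMB shares, follows from the same observation.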

Unfortunately, Microsoft does not view this as a security issue at all. CyberArk contacted Microsoft when they discovered the flaw, and received the following as a response from the company:

“Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.”

All that is to say, where Illusion Gap is concerned, you’re on your own, at least for the time being. Be very careful when you click on any file hosted on an SMB server, or any shortcuts to them.

Hackers Infiltrate Deloitte Accounting Firm

Deloitte is not exactly a household name. In fact, unless you use the company’s services, you may not have ever heard of them, even though they’re one of the largest accounting firms in the world.

The company has the distinction of having been named the best cybersecurity consultant company in the world in 2012, and yet, even with that distinction, the company fell victim to a hacking attack that saw their core systems breached.

Company officials became aware of the breach in March, but took great pains to keep their investigation, and details into the matter a closely guarded secret as they monitored the activity of the hackers and worked quietly to solve the problem.

That investigation revealed that the hackers were able to gain access to the company’s data via an email server, all because the admin whose account was compromised had failed to use two-factor authentication, meaning all the hackers had to do to gain access was to acquire a single password. They did so, and the rest is, as they say, history.

Over the span of months that the hacker was active, he was able to gain access to a broad spectrum of information relating to a number of the company’s larger clients, including user names, passwords, IP addresses, health information and architectural diagrams.

So far, six of Deloitte’s clients have been informed of the breach and the potential impact to them. In one of the few public statements made about the matter, a company spokesman reported the following:

• A comprehensive security review has been performed and completed, utilizing assets both inside the company and from third party vendors
• All impacted clients and the appropriate government officials have been contacted
• No disruption to any client’s business has occurred as a result of the breach

As you can see, then, the company has opted for a tight-lipped approach when it comes to releasing details about the breach. This may well work in their specific case, but it is probably not a model to base your own company’s response on in the aftermath of a successful hacking attack.

Several Security Issues Found In Solutions That Use DNSmasq

Open source tools offer a lot of compelling advantages, with one of the biggest and most important being that they tend to have relatively fewer bugs and security flaws. The reason is that they’re open source initiatives, and anyone can dig into the source code and tweak it to make it better.

Unfortunately, there are exceptions to every rule, a fact that was brought into painful focus recently by a group of Google security researchers who found not one, not two, but a total of seven critical security flaws in an open source program called dnsmasq.

dnsmasq comes pre-installed on some Linux machines (Ubuntu and Debian) and is frequently used on home routers, smartphones and a variety of “smart” devices. Worldwide, there are approximately 1.1 million active installations.

Per the research team: “We discovered seven distinct issues over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of DNSMasq, Simon Kelley, to produce appropriate patches and mitigate the issue.”

Since all of the issues have been patched, Google has released the proof-of-concept exploit code for each of the bugs they found. Of them, three would have allowed an attacker to execute code remotely, and three others would have made it possible to commandeer a device so it could be used in a denial of service attack.

If you use dnsmasq, be sure you update your software to version 2.78 or later so that you’re using a version which contains the bug fixes. For Google’s part, they issued an update on Sept. 5, 2017 that fixes the issue on any Android device running the software.
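A quick way to act on the “2.78 or later” advice on a Linux host is to read the banner that `dnsmasq --version` prints and compare it numerically. The script below is an added example, not part of the article or of the dnsmasq project; the sample banner strings in its docstring and test are constructed, and the banner format assumed is the `Dnsmasq version X.Y  Copyright (c) ... Simon Kelley` first line the real binary prints.

```python
import re
import subprocess

FIXED_IN = (2, 78)  # version the article cites as containing the fixes

_BANNER_RE = re.compile(r"[Dd]nsmasq version (\d+)\.(\d+)")


def parse_version(banner: str):
    """Extract (major, minor) from the first line of `dnsmasq --version`,
    e.g. 'Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley'
    (constructed sample). Returns None if no version is present."""
    m = _BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_fixed(banner: str) -> bool:
    """Tuple comparison: a string or float comparison would misorder a
    hypothetical 2.100 below 2.78, so integer components are compared instead."""
    v = parse_version(banner)
    return v is not None and v >= FIXED_IN


def local_banner() -> str:
    """Banner of the locally installed binary, or '' if dnsmasq is not on PATH."""
    try:
        proc = subprocess.run(["dnsmasq", "--version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    banner = local_banner()
    if not banner:
        print("dnsmasq not found on PATH")
    else:
        print(banner.splitlines()[0])
        print("at or above %d.%d: %s" % (*FIXED_IN, is_fixed(banner)))
```

One caveat for packaged systems: distributions such as Debian and Ubuntu often backport security fixes without changing the upstream version number, so a host can be fixed while still reporting a version below 2.78. On such systems the package changelog or the distribution’s security advisory is the authoritative check, and this script errs toward a false “not fixed” rather than a false “fixed.”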