Coca Cola Breach Proves Employees May Be Significant Threat

Coca-Cola is the latest company to fall victim to a data breach.  Unlike some of the others that have recently made headlines, however, this one was conducted from within.

In September 2017, an employee at one of the company’s subsidiaries stole an external hard drive containing personal data belonging to more than 8,000 company employees.  Law enforcement officials notified the company when the drive was confiscated, but urged them not to make a public announcement regarding the incident until their investigation had been concluded.

Coca-Cola complied with this request, which is why we're only hearing about it now.  Once the company got the green light from law enforcement, it notified all impacted personnel via a letter, which included:

“Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee.  We do not have any information to suggest that the misappropriated information was used to commit identity theft.”

As is becoming standard practice in the aftermath of such incidents, the company also announced that it would offer one free year of identity monitoring to the people impacted by the breach.

This latest announcement drives home one of the main points of a recently published survey, "The Global State of Information Security Survey 2018," which concluded that insider threats are among businesses' top security concerns.

This breach is significantly smaller in both scope and scale than some of the others we've seen so far this year.  Even so, the company is taking a hit, both to the trust of its employees and, at least in part, to its stock price.  As of now, the stock is down nearly 4 percent over the last three months.  Stock movements have many causes, but an insider walking out with a drive full of employee data is not the kind of news that helps.

Facebook Users Should Assume Their Public Profile Has Been Scraped

First it was 50 million.  Then 87 million.  Now, it's 2.2 billion, or pretty much every user on Facebook.  That's how many people should assume that their public profile information has been scraped.

The conversation began when it came to light that Cambridge Analytica (a political consulting firm) had obtained profile data on tens of millions of Facebook users through a third-party quiz app, and used it to support the Trump campaign in the 2016 presidential election.

As Facebook's own investigation continued, however, it became clear that the quiz app wasn't the only way data was being harvested.  Facebook's "search by phone number or email address" feature had been abused at scale, and before Facebook disabled it, more than two billion users could have had their public profile information scraped.

Essentially, Facebook was used to paint a more complete picture of users to build a profile which could be sold on the Dark Web.

Starting with phone numbers or email addresses obtained from earlier breaches, attackers wrote automated routines that fed this information into Facebook's search function, one entry at a time, linking each number or address to the name, photo and location of a specific person.  Having a more complete profile in hand made the data that much more valuable on the Dark Web, where it is currently being resold.
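The abuse described above has a recognisable signature on the server side: one client submitting many different lookup keys in a short time.  The following is an added example (not code from Facebook or from the original post) of the detection logic a service operator could run over its own search logs.  The log format, field names and thresholds are assumptions made for the example, and the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format): timestamp, client IP, and
# the search endpoint with the lookup key the client submitted.  Phone numbers
# are used as keys here; email addresses would be handled the same way.
SAMPLE_LOG = """\
2018-04-04T10:00:01Z 203.0.113.7 /search?phone=+15555550101
2018-04-04T10:00:02Z 203.0.113.7 /search?phone=+15555550102
2018-04-04T10:00:02Z 198.51.100.3 /search?phone=+15555550199
2018-04-04T10:00:03Z 203.0.113.7 /search?phone=+15555550103
2018-04-04T10:00:04Z 203.0.113.7 /search?phone=+15555550104
2018-04-04T10:00:05Z 203.0.113.7 /search?phone=+15555550105
2018-04-04T10:00:06Z 203.0.113.7 /search?phone=+15555550106
2018-04-04T10:02:00Z 198.51.100.3 /search?phone=+15555550199
2018-04-04T10:05:00Z 203.0.113.7 /search?phone=+15555550107
"""

LINE_RE = re.compile(r"^(\S+) (\S+) /search\?(?:phone|email)=(\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, lookup_key) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def find_enumerators(log_text, max_distinct=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak_distinct_keys} for clients that looked up more
    than `max_distinct` *different* keys inside any sliding window of `window`.

    Counting distinct keys rather than raw requests is the point: a real user
    retrying the same number is not enumeration, while a client walking
    through a list of numbers it already holds is.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, key = parsed
            events[ip].append((ts, key))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within `window` of the
            # current event, then count distinct keys inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({k for _, k in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct lookups within one minute")
```

In the constructed sample, `203.0.113.7` submits six different numbers in six seconds and is flagged, while `198.51.100.3`, which looks up the same number twice, is not.  In production the threshold would be tuned against real baseline traffic, and the response would be rate limiting or a challenge rather than a bare log line.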

At 2.2 billion impacted users, this is almost certain to be the year's largest data exposure, even though what was scraped was information users had already set to public.  In fact, this one is likely to hold the record for quite some time.

Facebook’s CEO, Mark Zuckerberg issued an apology to the company’s massive user base.

Mike Schroepfer, the company’s Chief Technology Officer, had this to say:

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them.  This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name.  However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery…we believe most people on Facebook could have had their public profile scraped in this way.”

Microsoft Helping With Ransomware In Office 365

Microsoft recently made small but significant changes to its Office 365 subscription service and to OneDrive, which are often used in tandem.  The goal is to make it easier for users whose files have been encrypted by ransomware (or otherwise corrupted) to recover them.

The most significant of the changes is a new "Files Restore" function that Office 365 users will see in OneDrive.  If you've saved your Office 365 files to OneDrive, you'll be able to roll the whole drive back to any point within the last thirty days.  In the event that your files are encrypted, accidentally deleted or otherwise corrupted, getting them back is as simple as picking the time before the damage occurred and restoring.

That’s a huge win for Office 365 and OneDrive users, but there’s more.

The additional changes include:

  • A mobile alert sent to the phone number you select, which will inform you if your files may have been encrypted or otherwise tampered with
  • Support for message encryption in Outlook.com, including the web version of the mail app (Microsoft describes this as end-to-end encryption, but the keys are managed by Microsoft's service rather than by the two parties, so it is not end-to-end in the strict sense)
  • Office now scans all links embedded in PowerPoint, Excel and Word documents to check if they point to malicious content on the web
  • All file attachments and links embedded in emails are now scanned for known phishing threats and viruses
  • Outlook.com now gives users the ability to prevent email recipients from forwarding your emails
  • The ability to password protect OneDrive shared links

That last one is also significant, and is a feature that OneDrive's user base has been clamoring for, for quite some time.  OneDrive has made it incredibly easy to share files via a link-based system, but unfortunately, never offered users a way to protect those links from anyone who happened to obtain them.  That, thankfully, has now changed.

Individually, all these changes are quite good, but taken together, they represent a significant step in the right direction.  Kudos to Microsoft for taking the threat of ransomware so seriously, and adding specific features to help protect their users.

Passwords May Be Dead Soon If Microsoft Gets Its Way 

Karanbir Singh (a program manager at Microsoft) is on a mission:

Kill the password.

As he said in a recent blog post:

“Nobody likes passwords.  They are inconvenient, insecure, and expensive.  In fact, we dislike them so much that we’ve been busy at work trying to create a world without them–a world without passwords.”

The company's stated goal is to make it possible for an end user to never have to bother with a password on a day-to-day basis, and instead authenticate with credentials that are far harder for attackers to steal, phish or crack than a password is.

To accomplish this goal, the company is looking at a number of options, including biometrics and multi-factor authentication schemes.

Singh notes that this isn’t just blue-sky thinking, either.  Already, more than 47 million users and more than five thousand businesses are utilizing “Windows Hello for Business.”  Another solution currently in use is the Microsoft Authenticator app, which allows users to access their Microsoft accounts via their smartphones.

Additionally, as part of the Windows 10 update issued in April 2018, any user signing in with a Microsoft account or an Azure Active Directory account can set up and sign in to a Windows 10 in S mode PC without ever entering a password, via the Authenticator app and Windows Hello.

The company is also taking advantage of the newly ratified Fast Identity Online (FIDO2) security protocol, and is in the process of updating Windows Hello to enable secure authentication across a wider range of scenarios.  For example:  The company is currently working on a proof of concept for shared PCs that will allow users to log on via FIDO2 security keys, which will allow employees to carry their credentials with them.

They envision a scenario in which any user can simply walk up to any device the organization controls and authenticate without ever having to enter their username or password. This would be especially useful for analysts, help desk personnel, and anyone working in the medical profession.

Obviously no firm timeframes have been given, but as mentioned, some of these technologies are already in use and will be refined in the months ahead.

No Spectre Fix For Certain Intel Processors

The bad news just doesn't seem to stop where Intel and the Spectre vulnerability are concerned.  The latest bit of news comes directly from Intel, as the company admits that it's just not going to address the Spectre vulnerability in some of its older hardware. This means that nine families of chips and more than 230 processor models (mostly manufactured between 2007 and 2011) will never receive the microcode update.  The microcode is what the Spectre variant 2 mitigations depend on; variant 1 and Meltdown are handled in software by operating system patches, so it is variant 2 that these chips remain exposed to.

The company has stopped Spectre mitigation development on the following families of chips:

  • Bloomfield
  • Clarksfield
  • Gulftown
  • Harpertown Xeon
  • Jasper Forest
  • Penryn
  • SoFIA 3GR
  • Wolfdale
  • Yorkfield

A company spokesman had this to say about the recent announcement:

“We’ve now completed the release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google.  However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”

It's unfortunate, but not entirely unexpected.  If you have any older Intel equipment still in service at your company, have your IT group check the processor family. If it's one of the above, it's well worth marking those systems high priorities for upgrades, and limiting their use until you can.  (One caveat: on Linux, the kernel's retpoline mitigation for variant 2 does not depend on new microcode, so those systems can still be protected; Windows, at the time of writing, relies on the microcode-based mitigation for these chips.)
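Matching model numbers against the family list by hand is error-prone.  On Linux kernels from 4.15 onward, the kernel reports its own verdict per issue under `/sys/devices/system/cpu/vulnerabilities/`, which is the check to automate.  The script below is an added example for this article (not Intel's tooling or anything from the original post); the directory layout and the "Mitigation:" / "Not affected" / "Vulnerable" wording are the kernel's, and the path is parameterised so the logic can be exercised without a real sysfs.

```python
import os

# Kernel 4.15+ exposes one file per issue here (spectre_v1, spectre_v2,
# meltdown, ...); each holds a single line such as
# "Mitigation: Full generic retpoline", "Not affected" or "Vulnerable".
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def read_vulnerability_status(sysfs_dir=SYSFS_VULN_DIR):
    """Return {issue_name: status_line} for every entry in the directory.

    Returns an empty dict on kernels too old to expose the directory (or on a
    non-Linux host), so the caller can distinguish 'unknown' from 'clean'.
    """
    status = {}
    if not os.path.isdir(sysfs_dir):
        return status
    for name in sorted(os.listdir(sysfs_dir)):
        try:
            with open(os.path.join(sysfs_dir, name)) as f:
                status[name] = f.read().strip()
        except OSError:
            continue  # unreadable entry; skip rather than guess
    return status


def unmitigated(status):
    """Names of issues whose status is neither mitigated nor 'Not affected'.

    Anything else ("Vulnerable", "Unknown", or a wording we don't recognise)
    is treated as needing attention; an unknown state is not a safe state.
    """
    return sorted(
        name for name, line in status.items()
        if not (line.startswith("Mitigation:") or line.startswith("Not affected"))
    )


def needs_attention(sysfs_dir=SYSFS_VULN_DIR):
    """True if any issue is unmitigated, False if all are handled, None if the
    kernel gave no information at all."""
    status = read_vulnerability_status(sysfs_dir)
    if not status:
        return None
    return bool(unmitigated(status))


if __name__ == "__main__":
    for name, line in read_vulnerability_status().items():
        print(f"{name:24} {line}")
    print("needs attention:", needs_attention())
```

A host with one of the abandoned chip families will typically show `spectre_v2` as `Vulnerable` on a kernel built without retpoline support, and a `Mitigation:` line once retpoline is in use.  Treat a `None` result as a finding too: a kernel that cannot report its mitigation state is old enough to need attention itself.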

Spectre is a devastating flaw, and it’s just not worth the risk to leave exposed systems connected to your network and in service. This is especially true now that it’s official that no help is coming for certain older systems.

Even worse, AMD chips, which are not affected by Meltdown (though they are by Spectre), have since been found to have their own critical security flaws.  While not as bad or as pervasive as the two Intel is facing, they will nonetheless require the company to issue its own firmware updates, which it is currently scrambling to do.

The long and the short of it is that there really are no safe harbors anymore.

Latest iPhone Update Syncs Messages Across All Devices

If you use Apple products, you may have noticed an annoying "feature".  If you're texting someone in the Messages app on your phone and then move to your Mac and open Messages there, the conversation you were having on your phone may not be present, or may be missing recent messages.  The two devices are messaging islands that can't reliably stay in sync, so you can't start a conversation on one device and then pick it up later on another.

True, Apple fans have found workarounds for the issue, but these are far less than perfect.

There's good news, though.  As of the latest iPhone update (Messages in iCloud, introduced with iOS 11.4), your phone will now synchronize your messages across all Apple devices you own.  One caveat for the security-minded: Apple states the synced messages are end-to-end encrypted, but if iCloud Backup is also enabled, a copy of the key protecting them is included in the backup, so the protection is only as strong as your iCloud account.

It’s a small thing, but you’d be amazed at how often it matters.  Back in the “good ol’ days” most people just had one computer they used for everything.  We no longer live in that world.  Today, there are more active smartphones than there are people living on the planet, and the smartphone is just one of the many computing devices we use.

The advent of cloud-based technologies made accessing data across multiple devices possible, allowing you to work seamlessly on the same project with whatever device you have in hand at the moment. However, some things (like messaging) have been impossible, or at least highly inconvenient to access across multiple devices. That is, until now.

Granted, this improvement won’t change the world, but it will serve to make your world more seamless, convenient, and efficient. That makes it worth talking about.

In a lot of ways, the upgrade is like tabbed browsing.  Until you start using it, you cannot fully appreciate just how awesome it is. By the time you realize how great it is, you’re hooked and can’t imagine messaging any other way.  Kudos to Apple for an excellent enhancement!

Panera Bread Customer Accounts Exposed To Threats

Panera Bread is the latest to find itself in hot water.  Recently, security researcher Dylan Houlihan discovered that the company had failed to encrypt (or otherwise protect) a file containing usernames, email addresses, physical addresses, phone numbers and loyalty account numbers for a staggering thirty-seven million of its customers.

The file was stored as plain text, and accessible to anyone who bothered to go looking for it. The good news is that no one appears to have absconded with the data, so even if you're a Panera customer, the odds are that you're not at immediate risk. The bad news is that Panera's handling of the incident to this point has been dreadful, to say the least.

First, the company was slow to even acknowledge that there was a problem, and when they did, they attempted to downplay the number of users the oversight impacted.  Second (the truly disturbing part of the ongoing story), even when the company did acknowledge the scope and scale of the incident, they left the plain text file on the website. It was completely unsecured until the security professional (Houlihan) contacted them a second time.

To date, their most detailed response has been that the investigation into the matter is ongoing.

There's a harsh lesson here for any business owner.  This is a textbook example of how not to respond to an incident like this.  There are so many different things Panera could have done to make this a non-issue. The first would have been to immediately take the file down or secure it. Next, to promptly notify all the customers on the list (just in case the file had been downloaded by hackers). Lastly, to issue a detailed action plan assuring customers that the company was taking steps to make sure something like this would not happen in the future.  Sadly, exactly none of that has happened.

Microsoft Surpasses Google In Latest Valuation

Microsoft's stock price is surging, putting the company's total valuation at $753 billion. This makes it the third most valuable company on the planet, behind Apple ($923 billion) and Amazon ($782 billion), and leaves Google in fourth place, valued at $739 billion.

Google first overtook Microsoft in 2012, and since that time, the two companies have traded places repeatedly. So Microsoft's current 3rd place position is expected to be relatively short-lived.

It’s worth noting, however, that since Satya Nadella took over for Steve Ballmer, Microsoft’s stock price has more than doubled, the company has moved decisively into some new areas, and has been dramatically refocused.

Some of those changes include:

  • A big emphasis on cloud-based technologies
  • A heavy emphasis on artificial intelligence
  • Big investments in quantum computing
  • Equally large investments in mixed-reality headsets
  • An emphasis on cross-platform technologies

Even more significantly, the company has veered away from two areas that had long been Microsoft staples.  The company has abandoned efforts to develop a Windows-based smartphone, and has moved away from the strategy of putting Windows at the center of everything Microsoft.

Although Google is likely to regain its #3 market cap position in the near future, Microsoft has some important strategic advantages over both Google and Apple that will serve it well in the long run.  The most significant of these is the fact that it has a much more diverse revenue stream.

Google gets some 90 percent of its income from advertising, and Apple gets some 60 percent of its income from the venerable iPhone. Microsoft, based on the most recent quarterly report, generates roughly 35 percent of its revenue from the segment that includes Surface and gaming, another 30 percent from its cloud-based services, and a similar share from Office and the company's various productivity tools.

Be Careful, Searches May Provide False Download Links

If you’re downloading software from the web, be careful.  Take the extra step of verifying that you’re on the developer’s website, because the hackers have a new trick up their sleeve.  It’s actually a deceptively simple one.

Hackers are buying ads on Google and Bing’s search engines, with the links in their ads pointing to malicious sites they control.

This is an almost shockingly simple technique, and broadly speaking, it works like this:

Searches are keyword-based.

Anyone can bid for advertising space on the major search engines.  The higher you bid on any given search term, the more often your ad gets displayed.

Ads are displayed above the organic search results.  Bid high enough on a high-traffic keyword, and your ad gets seen by lots of people before they ever reach a legitimate result.

The danger, of course, is that people tend to trust search engine results to take them where they want to go. Often, users won’t pay much attention to the site URL they’re being directed to.  Hackers take advantage of that fact, putting poisoned sites literally right under the noses of unsuspecting users.

Recently, researchers discovered that if you search the term "Chrome download" on Bing, the ad that most commonly gets displayed doesn't take you to Google's download page. It takes you to a poisoned site that offers malware disguised as Chrome, and a high percentage of users are clicking the link and downloading without checking where they are.

This kind of campaign is possible because hackers are making tons of money elsewhere, stealing personal information and reselling it.  They’ve got money to spend, and are spending it to further extend their reach.

The lesson here is simple: even on a popular search engine, pay close attention to where the links on the results page actually lead, and verify the domain before you download.  Failing to do so can have expensive consequences.
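"Check the domain" sounds simple, but the naive way of doing it is exactly what these campaigns exploit: a vendor name appearing somewhere in the link is not the same as the link pointing at the vendor.  The example below is added for this article (it is not code from the original post, Google or any search engine) and contrasts a substring check with proper URL parsing plus an exact host match, followed by a hash check on the downloaded bytes.  The allow-list of official hosts is an assumption made for the example; a real deployment would maintain its own.

```python
import hashlib
from urllib.parse import urlparse

# Hypothetical allow-list for this example: the exact hosts a vendor publishes
# its downloads from.  A real list is maintained from the vendor's own docs.
OFFICIAL_DOWNLOAD_HOSTS = {
    "www.google.com": "Google Chrome",
    "dl.google.com": "Google Chrome",
}


def naive_is_official(url):
    """The check a hurried script (or a hurried human) tends to make: does the
    vendor's name appear anywhere in the link?  Lookalike hosts pass it."""
    return "google.com" in url


def is_official_download(url):
    """Parse the URL, require HTTPS, and compare the host exactly.

    Substring checks are fooled by hosts like 'google.com.evil.example', by a
    vendor name buried in the path or query string, and by the userinfo trick
    'https://www.google.com@evil.example/'.  Exact host matching on the parsed
    hostname is not.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in OFFICIAL_DOWNLOAD_HOSTS


def sha256_matches(data, expected_hex):
    """Second line of defence: compare the downloaded bytes to the hash the
    vendor publishes, so a tampered file is caught even on the right host."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    # Constructed URLs: the first is genuine, the rest are lookalikes.
    for url in (
        "https://www.google.com/chrome/",
        "https://google.com.evil.example/chrome",
        "https://evil.example/?ref=google.com",
        "https://www.google.com@evil.example/chrome",
    ):
        print(f"{url:48} naive={naive_is_official(url)!s:5} strict={is_official_download(url)}")
```

Every lookalike in the constructed list passes the naive check and fails the strict one.  The hash check is only as good as the channel you got the expected hash from, which is why it belongs alongside the host check, not instead of it.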

T-Mobile Site Leaked Data On Millions Of Customers

Security researcher Ryan Stevenson recently found a big problem on T-Mobile's website, as reported by ZDNet: an unprotected API.  As a result of the flaw, the account information of untold millions of T-Mobile customers was left exposed and completely unprotected.  Literally anyone who found the endpoint could query a wide range of customer information with no password required; all it took was a customer's phone number.

This includes, but is not limited to:

  • Customer name
  • Phone number
  • Mailing address
  • Account number
  • The status of the account (current, past due, suspended, etc.)

In an unknown number of cases, tax IDs and PINs were also exposed.
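The root cause described above is an endpoint that returns a customer record for any phone number without checking who is asking.  The following is an added example for this article (not T-Mobile's code, and not from the original post) showing that failure mode next to the hardened form: the request must carry a valid session, the session's owner must be the account being looked up, and sensitive fields such as the PIN never leave the server.  The in-memory account and session stores are constructed for the example.

```python
# Constructed in-memory account store for this example (no real customer data).
ACCOUNTS = {
    "100200300": {"name": "A. Customer", "phone": "+15555550101",
                  "status": "current", "pin": "4321"},
    "100200301": {"name": "B. Customer", "phone": "+15555550102",
                  "status": "past due", "pin": "8765"},
}

# Hypothetical session store: session token -> account the session belongs to.
SESSIONS = {"tok-alice": "100200300", "tok-bob": "100200301"}

# Fields a customer may see about their own account.  The PIN is never returned.
PUBLIC_FIELDS = ("name", "phone", "status")


def lookup_account_unprotected(phone):
    """The failure mode described above: anyone who knows a phone number gets
    the full record back, PIN included, with no credential checked at all."""
    for account_id, rec in ACCOUNTS.items():
        if rec["phone"] == phone:
            return dict(rec, account_id=account_id)
    return None


def lookup_account(phone, session_token):
    """Hardened form.  Returns (http_status, body).

    1. Authentication: the session token must map to a known account.
    2. Authorization: the session's owner must be the account whose phone
       number is being queried; a valid session does not grant access to
       other customers' records.
    3. Minimisation: only PUBLIC_FIELDS are returned, so even a bug in the
       authorization check cannot leak the PIN.
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    rec = ACCOUNTS.get(owner)
    if rec is None or rec["phone"] != phone:
        # 404 rather than 403, so the endpoint does not confirm whether the
        # phone number belongs to some other customer (no enumeration oracle).
        return 404, None
    return 200, {k: rec[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("unprotected:", lookup_account_unprotected("+15555550102"))
    print("own account:", lookup_account("+15555550101", "tok-alice"))
    print("other account:", lookup_account("+15555550102", "tok-alice"))
    print("no session:", lookup_account("+15555550102", None))
```

The unprotected function is, in effect, the API as the page describes it: the phone number alone is the key.  In the hardened version the phone number is only a parameter; the session decides whose data may be returned, and the response shape is fixed so that adding a field to the record later cannot silently expose it.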

T-Mobile has a bug bounty program and pays a bounty to anyone who discovers a flaw that impacts the company.  Stevenson received a $1,000 reward for discovering the issue, and subsequent research revealed that the flaw had been present on the company’s website since October, 2017 or prior.

T-Mobile’s handling of the incident has been less than stellar so far.  Although they have acknowledged the existence of the issue and have already moved to correct it, the company has issued no information relating to how many customer records were exposed.

There is no evidence that any of the exposed records were inappropriately accessed. Typically, when an incident like this occurs, the company in question provides details relating to the scope and scale of the incident, informs all potentially impacted customers and usually provides a year of free credit and identity monitoring.  So far, none of that has occurred.

While it’s certainly possible that the company may take these steps in the future, we were both surprised and disappointed that they had not already done so, especially given the fact that this was essentially a self-inflicted wound.  Here’s hoping that in the days ahead, they do something to earn back the lost trust.