Top Subject People Fall Victim To Is – Data Breach Notification

For hackers around the world, success breeds more success, it seems.

A company called KnowBe4 has released a report entitled “Top Ten Global Phishing Email Subject Lines For Q3 2017.” To prepare it, they analyzed email subject lines from simulated phishing tests to determine what the most effective approach was.

Their findings were that “Official Data Breach Notification” was the hands-down winner, generating far more click-throughs than any other.

Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer had this to say about the report:

“Phishing attacks are responsible for more than 90% of successful cyber-attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats.

We see urgency and fear of a breach as the drivers. We have over 1400 templates and a concentration of themes so we know what is highly effective. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders, and their clients to prevent phishing schemes.”

Wise words, and the first step on the path to prevention is knowing what triggers are the most effective, which makes the KnowBe4 report especially valuable to data security teams, regardless of what business your company is in.

The irony, however, is inescapable.

The reason that “Official Data Breach Notification” is such a devastatingly effective phishing headline is simply that the hackers have been devastatingly effective. Barely a day goes by that we are not greeted by some grim headline and a news story recounting the woes of yet another company suffering from yet another massive breach resulting in hundreds of thousands, millions, or more consumer data files stolen.

They are, in a very real sense, leveraging the power of their own success to become even more successful, and that’s sadly not likely to change anytime soon.

New Facebook Messenger App For Kids Raises Privacy Questions

On the surface, the new Facebook For Kids messenger app looks like a solid win that should put the minds of parents all over the world at ease.

The company conducted extensive interviews and assembled a blue-ribbon panel of experts to help it craft the new tool, aimed at children ages 6-12. The app itself is user-friendly and filled with bright, cheerful primary colors that appeal to kids, but there are problems, or, at the very least, valid concerns.

For one thing, Facebook has made no mention of how it plans to monetize its new app, other than to say that it won’t contain any advertising. It’s not difficult to imagine some possibilities, however, and none of them are good.

For another, the company essentially used scare tactics to get parents to sign their kids up for the service, saying essentially that kids are going to chat online anyway, and if they don’t use Facebook’s new offering, they are at greater risk of talking to a child predator.

Then, there’s the issue that Facebook requires the child’s full name, and behind the scenes, the app is busily mapping out the child’s social network – who his parents are, the friends of both the children and their parents and so on.

According to the company, it has no plans to turn children’s accounts into full-fledged Facebook profiles, but given the amount of data being collected, it’s not hard to imagine them offering a one-click export function that would turn these accounts into regular Facebook accounts on the day the child turns 13.

What’s most disheartening of all is the fact that the company could have chosen another, far less intrusive route. Rather than requiring the child’s full name and the establishment of a familial relationship, the app could have been nested directly under the parent’s account, with a nickname or even a colorful symbol used to denote the child. This approach would have been far less data intensive and far less intrusive.

How well the new app will be received remains to be seen, much like the long-term consequences of its launch.

Latest Store With Payment Breach Is Forever 21

Unfortunately, another high-profile data breach has surfaced. The latest company to fall victim is US-based fashion retailer Forever 21, operating more than 800 stores in 57 countries.

The company became aware of the breach when they were notified of “unauthorized access to data from payment cards that were used at certain Forever 21 store locations.”

The investigation into the incident is ongoing, and we don’t have full details yet, but here’s what we know so far:

• Although the company had attempted to bolster security by implementing a token- and encryption-based system designed to protect transaction data on its point-of-sale (POS) system, an implementation issue at some store locations left POS equipment vulnerable, and these were the devices the hackers gained access to.

• Anyone who shopped at a Forever 21 location between March and October 2017 may have been impacted.

At this point, three significant pieces of information are missing. We do not yet know exactly which stores were impacted, nor how many of Forever 21’s customers may have seen their credit card information exposed, or what level of access the hackers may have had to the transaction data. We also don’t yet know if the group responsible got any personally identifiable information from the affected terminals.

The company’s official announcement regarding the breach included the following statement:

“Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist. We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter.”

If you’ve shopped at any Forever 21 location during the timeframe mentioned above, be aware that your payment data may have been compromised. For now, the best thing you can do is monitor your credit card statements closely for any unusual activity and report it immediately if you find it.

Data On 123 Million US Households Leaked Online

Security researchers at UpGuard recently made a terrifying discovery: an Amazon S3 storage bucket, left open to the public, containing several databases belonging to a data analytics provider called Alteryx.

While the server contained a variety of databases, the two that are of biggest concern belonged to Alteryx’s business partners, Experian and the US Census Bureau.

Of these, far and away the most damaging database was the one belonging to Experian. As a credit reporting agency, Experian has access to just about everything that relates to your personal finances. In addition to your address, they’ve got details on how many credit cards you have, what your average balances on each one are, what your credit limit is, the state of your mortgage and more. All of that information was sitting on a completely unprotected server that literally anyone could access.

The scope and scale of the database is almost beyond comprehension: it contains more than 3.5 billion financial details on more than 123 million US households. That’s almost every household in the country.

It’s not much of a silver lining, but the database did not contain any names. Having said that, since address information was present, linking an address with the name of the current occupant is a trivial task for any hacker.

At this point, it’s unclear if anyone other than the UpGuard researchers downloaded the databases, but ultimately, it doesn’t matter. The simple fact that so much information on so many American households was left unguarded means that virtually every person in the country is now at risk of identity theft.

At the root, this is a problem of standards. Contractors like Alteryx simply do not adhere to the same security standards as the company or agency charged with the responsibility of safeguarding the data in the first place (Experian and the US Census Bureau, in this case). Given that, it was only a matter of time before a mishap of this scale occurred.

At this point, there’s really nothing you can do but be mindful that your personal information may have been compromised, and stay vigilant.
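The exposure described above comes down to a storage bucket whose access policy allowed anonymous reads. The following is an added example, not part of the original article and not code from UpGuard, Alteryx or Experian: it scans an S3 bucket policy document for statements that grant read access to the anonymous principal. The policy JSON, the bucket name, the account ID and the VPC endpoint ID are all constructed for illustration.

```python
import json

# Constructed sample bucket policy for illustration; not a real Alteryx, Experian
# or Census Bureau configuration. Statement 1 is the classic mistake (anyone may
# read every object), statement 2 is a properly scoped grant to one IAM role, and
# statement 3 is anonymous but limited by a condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-analytics-bucket/*"},
        {"Sid": "PartnerRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/partner-etl"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-analytics-bucket",
                      "arn:aws:s3:::example-analytics-bucket/*"]},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example-analytics-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ]
})

# Actions that let a caller read object contents or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket",
                "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the statement applies to everyone, unauthenticated callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_read_grants(policy_json):
    """Return (Sid, severity) for every Allow statement that grants read access
    to an anonymous principal. 'public-read' means no Condition narrows it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "<no sid>")
        severity = "conditional-anonymous" if stmt.get("Condition") else "public-read"
        findings.append((sid, severity))
    return findings


if __name__ == "__main__":
    for sid, severity in find_public_read_grants(SAMPLE_POLICY):
        print(f"{severity}: statement {sid}")
```

In practice the policy document would come from `aws s3api get-bucket-policy`, and a complete review also covers the bucket and object ACLs and the account-level Block Public Access setting, which the bucket policy alone does not show. The scanner ignores `NotPrincipal` and `NotAction` forms, so a statement written with those needs a manual look.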

Uber Paid To Hide Massive Data Breach From Public

It has recently come to light that Uber was hacked in 2016 in a massive breach that exposed the personal information of more than 57 million Uber users and drivers. A wide range of data was stolen. Where users were concerned, names, email addresses and phone numbers were compromised.

As bad as that is, the problem was even worse for more than 600,000 of the company’s drivers who had their driver’s license numbers hacked, too.

Standard protocol is that when a breach like this occurs, the company will engage law enforcement officials as appropriate, hire a third-party security firm to help with the forensic investigation and notify their consumers.

Unfortunately, that’s not the path Uber chose to take. Instead, they paid the hackers $100,000 in exchange for keeping quiet about the hack and deleting the stolen data.

The company kept the incident under wraps for more than a year, but eventually, word of the attack leaked out, and the fallout has been catastrophic. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.

In a formal statement, Khosrowshahi had this to say:

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

As is common in the aftermath of events like these, Uber is offering its impacted customers a free year’s worth of credit monitoring services and will likely force password changes for its app users. More than a year too late, but it’s something.

File this away under how not to handle a data breach.

Researchers Find Malware Targeting Industrial Systems

In the malware ecosystem, few strains are more terrifying than those that target industrial control systems. Think Stuxnet, Industroyer and IronGate. Recently, security researchers from FireEye have identified a new threat in this class of malware. Alternatively called “Triton” or “TRISIS,” this new code targets Triconex Safety Instrumented Systems (SIS) controllers, which are manufactured by Schneider Electric. These control systems are found in a wide range of industrial equipment. They are, in effect, the gears that keep the machine of modern industry moving.

So far, there’s suggestive evidence that at least one state-sponsored attack has been carried out using the new strain of malware, although neither the identity of the target of the attack, nor the organization responsible for it have been disclosed. All we know for sure is that the attack was launched against an industrial concern in the Middle East.

The new threat’s code base uses the TriStation protocol, a proprietary protocol used by Triconex SIS products. There is no public documentation for the protocol, which suggests that the hackers who developed the malware must have reverse engineered it.

A spokesman for FireEye had this to say about the code in general and the recent attack:

“The attacker gained remote access to an SIS engineering workstation and deployed the Triton attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.

The attacker deployed Triton shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available.”

The real danger of software like this is that it can reprogram control systems to ignore equipment that begins operating beyond its normal parameters, which can lead to physical damage to critical infrastructure.

If deployed against a power station, for instance, it could result in widespread blackouts. If deployed against a nuclear installation, it could send the reactor into a meltdown.

Threats like these are becoming more common by the day, and with hundreds of millions of controllers deployed around the world, it’s just a matter of time before the hackers succeed at hitting close to home.

2017 List Of Most Used Passwords Released

SplashData has released their latest annual report on the most commonly used passwords. Unfortunately, the more things change, the more they stay the same.

By now, everyone knows that hacking attempts and high-profile data breaches are on the rise. Everyone has heard, on more than one occasion, how important it is not to use the same password across multiple web properties, to enable two-factor authentication if and where it is offered, and to use passwords that contain a combination of letters, numbers and symbols in order to make them more difficult to crack.

Although these are things that everyone knows, the wisdom embedded in the advice above often goes unheeded. According to the data collected by aggregating passwords leaked in data breaches over the past year, the most commonly used password for 2017 is “123456,” followed closely by the ubiquitous “password.” These are unchanged from last year.

The rest of the top 25 list contains a mix of the old and the new, including:

  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
  • welcome
  • monkey
  • login
  • abc123
  • starwars
  • 123123
  • dragon
  • passw0rd
  • master
  • hello
  • freedom
  • whatever
  • qazwsx
  • and trustno1

If you make use of any of these passwords, we urge you to change them immediately. As important as data security is and as much as is at stake, you’re putting yourself, your friends and your coworkers at grave risk by using such easily cracked passwords.
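The practical counterpart to this advice is a check at account creation or password change that rejects the list above and its trivial variants. The following is an added example, not code from SplashData or from the original article: it embeds the 25 entries quoted above and refuses any password that matches one of them after lowercasing, stripping leading and trailing digits and symbols, or undoing common letter-for-number substitutions. The minimum length, the substitution table and the normalisation rules are this example's own choices, not part of the SplashData report.

```python
import re

# The SplashData 2017 top-25 list quoted above, lowercased (the entries are the
# literal strings; capitalised spellings in the article are formatting).
WORST_PASSWORDS_2017 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon", "passw0rd",
    "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
]
MIN_LENGTH = 8  # minimum for user-chosen passwords in NIST SP 800-63B

# Common substitutions people use to dress up a dictionary word (example's own table).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Return the set of 'shapes' a password reduces to: lowercased, with
    leading/trailing digits and symbols stripped, and with leet substitutions
    undone. Any of them matching the blocklist means the password is a trivial
    variant of a known-bad one."""
    base = password.strip().lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    forms = {base, core, base.translate(LEET_MAP), core.translate(LEET_MAP)}
    return {f for f in forms if f}


def check_password(password, blocklist=frozenset(WORST_PASSWORDS_2017)):
    """Return (accepted, reason); reason is None when the password is accepted."""
    for form in normalise(password):
        if form in blocklist:
            return False, f"too close to commonly used password '{form}'"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, None


if __name__ == "__main__":
    for candidate in ["Qwerty", "Monkey1!", "P@ssw0rd123", "short7",
                      "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate))
```

A real deployment would swap the 25-entry list for a much larger breach-derived corpus, but the normalisation is what matters: without it, "Monkey1!" sails past a naive exact-match check while offering almost no extra resistance to guessing.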

SplashData’s CEO Morgan Slain had this to say on the topic:

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use. Hackers are using common terms from pop culture and sports to break into accounts online because they know how many people are using those easy-to-remember words.”

A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

• Not much information was stolen during the hack because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you use your Imgur password on other systems, you could be at additional risk.

• At the time of the breach, Imgur was hashing passwords with SHA-256, which is fairly robust and impractical for most hackers to crack due to the amount of computational power required.

• In 2015, the company switched to an even more secure algorithm, bcrypt, so if the company is breached again in the future, it’ll be even harder for the hackers to glean anything useful from any data stolen.

All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.
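To show what the SHA-256 to bcrypt migration buys, here is an added example, not Imgur's code and not from the original article. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) stands in for it; the two properties being demonstrated, a per-user salt and a tunable cost per guess, are the same ones bcrypt provides. The iteration count and the sample passwords are this example's own choices.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow scheme (example's own value; tune to your hardware).
ITERATIONS = 200_000


def fast_hash(password):
    """Unsalted SHA-256: one hash per password, identical for every user who
    picked the same password, and computable in microseconds."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """Salted, iterated hash in a self-describing string: algo$iters$salt$digest.
    PBKDF2 stands in for bcrypt here (see lead-in)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_slow(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def guesses_per_second(hash_fn, samples=20):
    """Rough single-core throughput of a hashing function on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Two users who picked the same password. Unsalted SHA-256 stores identical
    # rows, so one precomputed table covers both; the salted scheme does not.
    print("same SHA-256 row:", fast_hash("123456") == fast_hash("123456"))
    print("same PBKDF2 row: ", slow_hash("123456") == slow_hash("123456"))
    print(f"SHA-256: ~{guesses_per_second(fast_hash):,.0f} guesses/s")
    print(f"PBKDF2:  ~{guesses_per_second(slow_hash):,.0f} guesses/s")
```

The throughput gap printed at the end is the whole point of the migration: the attacker's cost per guess against a leaked table rises from a hash that any CPU computes millions of times a second to one that costs a deliberate, adjustable fraction of a second, and the salt means that cost is paid separately for every user.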

Older iPhones Are Being Purposefully Throttled, According To Apple

Not long ago, observant Reddit users noted and began discussing a curious phenomenon. It appeared that older iPhones were unexpectedly slowing down, and no one could name the reason why.

It caught the attention of a number of security researchers who delved more deeply into the issue, including a man named John Poole, who confirmed the Reddit claims. His tests confirmed that on iPhone 6s and 7s, Apple made tweaks to iOS versions 10.2.1 through 11.2.0.

These changes are designed to throttle the phone’s performance when the battery degrades beyond a certain point. While the company itself has subsequently confirmed the findings, they didn’t offer much in the way of a detailed explanation other than to say:

“Our goal is to deliver the best experience for customers, which includes overall performance and prolonging the life of their devices. Lithium-ion batteries become less capable of supplying peak current demands when in cold conditions, have a low battery charge or as they age over time, which can result in the device unexpectedly shutting down to protect its electronic components.

Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions. We’ve now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future.”

If you have an older iPhone, you may find yourself in disagreement that throttling its performance optimizes your user experience, and admittedly, it isn’t an optimal solution. On the other hand, having your phone power down unexpectedly when the battery life still reads 40 percent can be worse than annoying.

The only way around it is to replace your battery, which will not trigger the throttle built into the OS.

Virus Spread Through Facebook Messenger Mines For Cryptocurrency

Facebook scams are fairly common occurrences, owing to the sheer size of the platform’s user base. It’s no surprise that there’s a new one making the rounds that you should be aware of.

This latest threat was discovered by researchers at Trend Micro, and makes use of Facebook Messenger. If you get a message containing an embedded video file saved as a zip (the file name usually appears as “video_xxxx.zip”), don’t click on it, even if it’s from someone you know.

This file is a modified form of a legitimate piece of software called “XMRig”, an open source project that allows users to mine the cryptocurrency called Monero.

When the user clicks on this poisoned version, it will direct them to a website controlled by the hackers, in addition to quietly installing the corrupted software in the background. Once installed, the hackers put the infected PC’s processor to work for them, creating a distributed network of hash power to solve advanced cryptographic puzzles and generate new Monero “coins” for themselves.

The hackers have gone to some lengths to mask their true intentions. The site appears to be a video streaming service, and users who click on the embedded file will actually see a video playing. Of course, the website is also part of the C&C structure.

There are several intriguing things to note about this new threat:

  • It only affects people who use the Google Chrome web browser
  • It only affects PCs and laptops. Smartphones are not impacted in any way
  • The miner software is actually controlled via the C&C server, meaning that the hackers can upgrade their malware, adding new functionality in the blink of an eye

So far, the virus has been spreading mostly in Southeast Asia, but has also begun appearing in Ukraine and Venezuela. Given the global nature of Facebook’s user base, this is wholly unsurprising, so be on the lookout for it. Don’t click embedded files in Messenger, even if you think you know the sender.