The #DataInsecurity Digest | Issue 22

Issue 22 | June 8, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: In this era of #DataInsecurity, it is perhaps not a surprise that SEC Chair Mary Jo White recently described cybersecurity as the greatest threat to our finance system. White’s comments are especially prescient given the record-setting mega-breach at Myspace, which reportedly resulted in 360 million account credentials being put up for sale on the dark web. Another big breach this week occurred at the popular dating site Badoo, resulting in 127 million passwords being compromised. To make matters worse, mega-breaches are apparently causing breach “aftershocks,” as hackers take advantage of reused passwords to break into other sites. For example, significant numbers of TeamViewer and Dropbox accounts were hacked using compromised login information from previous breaches. Both Mark Zuckerberg’s and Katy Perry’s Twitter accounts were briefly hacked, most likely with previously breached passwords.

And now, on to the clips!

—————– 

SEC: Cybersecurity is the biggest risk to the financial system. U.S. Securities and Exchange Commission (SEC) Chair Mary Jo White described the finance industry as unprepared for the great risks it faces. White recently told @reuters that the SEC has “found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced.” White also stated that, “What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks.” (Source: Reuters)

Hacker Peace strikes again: 360 million Myspace records for sale on the dark web. Remember that Myspace account you tended to religiously back in 2006? If you never got around to deleting it (or even if you did), your old account’s credentials could be coming back to bite you. Peace, the same hacker that sold 167 million LinkedIn records on the web last week, is behind possibly the largest password and username breach in history. Users who created their Myspace accounts prior to the website’s 2013 relaunch are believed to have had their usernames, passwords, and email addresses compromised. Writes @lorenzofb, “The passwords were originally ‘hashed’ with the SHA1 algorithm, which is known to be weak and easy to crack. … LeakedSource’s operator told me they expect to crack 98 or 99 percent of them by the end of the month.” In response to the breach, Myspace has invalidated all user passwords that have been affected. Affected users will be required to authenticate their account and change their password upon logging in. (Source: Motherboard and Myspace)
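The clip above notes that the Myspace passwords were stored as bare SHA1 digests. The following added example (written for this digest, not code from Myspace, LeakedSource, or Motherboard) shows why that matters: with no per-user salt, one precomputed table of digests for a small list of common passwords matches every user who chose one of them, and two users with the same password get the same digest. The second half shows the mitigation a site should use instead, a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python’s standard library here; bcrypt or scrypt are equally appropriate), where equal passwords produce different stored values and a precomputed table is useless. The user list and candidate passwords are constructed sample data.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample accounts; two users chose the same weak password.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}

# Constructed list of common passwords a cracker would try first.
COMMON_PASSWORDS = ["123456", "password123", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Legacy scheme from the clip: a bare SHA1 of the password, no salt, one round."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Digest -> password for a candidate list. Computed once, it works against
    every account in every unsalted SHA1 dump, which is why this scheme falls fast."""
    return {sha1_unsalted(c): c for c in candidates}


def recover_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Return the accounts whose stored digest appears in the precomputed table."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash. Output format is '<scheme>$<iterations>$<salt hex>$<dk hex>'
    so the parameters travel with the stored value and can be raised later."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Run both schemes over the sample accounts and report what a cracker
    recovers from each. Returns a dict so the results can be inspected or tested."""
    legacy = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = recover_unsalted(legacy, table)

    modern = {u: pbkdf2_hash(p) for u, p in SAMPLE_USERS.items()}
    # The same table is useless here: stored values never equal a bare digest.
    recovered_modern = recover_unsalted(modern, table)

    return {
        "legacy_same_digest_for_same_password": legacy["alice"] == legacy["bob"],
        "legacy_recovered": recovered,
        "modern_same_value_for_same_password": modern["alice"] == modern["bob"],
        "modern_recovered": recovered_modern,
        "modern_verifies": all(pbkdf2_verify(p, modern[u]) for u, p in SAMPLE_USERS.items()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the legacy scheme giving up both accounts that share a common password with a single table lookup per account, while the salted scheme yields no matches and still verifies correct passwords. The 200,000 iteration count is a placeholder chosen for this example; a production deployment tunes it to its hardware.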

Check out Fraud.org for official info on the Myspace breach. When big breaches make news, phishing attacks that seek to capitalize on public fear about the breach are never far behind. These phishing attacks often take the form of fake data breach notification emails. To help fight back, NCL’s Fraud.org is offering a new “Latest Breaches” resource about specific breaches, including links to official info, when available, from the breached entities. Check it out here.

Badoo hacked? 127 million dating site accounts may be compromised. @Josephfcox reports that many sources are claiming that Badoo, a popular British dating site with 300 million users, has had 127 million users’ info – including email addresses, dates of birth, and passwords – compromised. Details of the breach are still murky. Badoo has denied that such a breach took place, stating that “Badoo has not been hacked and our user records/accounts are secure. We monitor our security constantly, and take extreme measures to protect our user base. We were made aware of an alleged data breach, which upon a thorough investigation into our system, we can confirm did not take place.” However, writes @Josephfcox, “[U]sers can’t rely on waiting for a hack to go public, or for a company to acknowledge it. With that in mind, users should be thinking proactively, and taking steps to protect all their online accounts, even if one site they use does happen to be breached. One way of doing that is with a password manager, which generates strong, unique passwords and stores them either locally or online.” (Source: Motherboard)

Grindr hack reveals users’ exact locations. Three researchers at @KyotoU_News have found a way to determine a user’s exact location in the popular gay social networking app, Grindr, even when the privacy setting that hides a user’s location is turned on. The researchers warned that their technique could be replicated on similar dating apps such as Hornet, Jack’d, and Tinder. Notes @a_greenberg, “Grindr and Jack’d both fail to encrypt data that reveals the user is running the app by name, leaving that sensitive data open to any snoop on the same Wi-Fi network. Grindr, according to their paper, fails to even encrypt the photos it transmits to and from phones.” One researcher, Nguyen Phong Hoang, cited the possible safety ramifications such a leak could have in the LGBTQ community, stating that, “In Islamic countries or in Russia, it can be very serious that their information is leaked like that.” (Source: Wired)

EU data protection chief advocates for “right to encrypt.” @wirelesswench reports on European Data Protection Supervisor Giovanni Buttarelli’s recent condemnation of backdoors and his call for stronger cybersecurity infrastructure: “‘Backdoors are not the solution to cybersecurity; they would be a new and dangerous part of the problem,’ said Buttarelli. ‘What we need instead is to reinforce the global infrastructure, not to weaken it, to ensure that not only citizens but governments also are secure against attacks. … A trojan horse or built-in vulnerability in all smartphones, tablets and PCs would allow collection and retention of personal information on a much greater scale than ever before. It would set a precedent for the emerging Internet of Things where a whole range of everyday devices and objects will be connected.’” (Source: Infosecurity)

On a related note…Apple doubles down on encryption fight. In the wake of Apple’s high-profile clash with the FBI over encryption, the tech giant appears to be doubling down on its encryption stance with its recent rehire of renowned encryption expert Jon Callas. Apple would not comment on what role Callas would play at the organization, but if his previous projects at Apple are any indication (he designed Apple’s encryption systems), it will most likely be to strengthen Apple’s defenses against backdoors. (Source: Reuters)

Twelve percent of Bank CEOs are not sure whether they have been hacked. In the midst of news about the epic $81 million Bank of Bangladesh cyber heist and the call by world finance leaders for financial entities to beef up their cybersecurity, a new and disturbing @KPMG survey found that 12 percent of banking CEOs were not sure if they were hacked in the last two years. Perhaps more disturbing, the survey also found that, “The lack of awareness only grows when compared to the next level of executives. Approximately 47 percent of banking executive vice presidents and managing directors reported that they didn’t know if their bank had been hacked, and 72 percent of senior vice presidents and directors stated that they didn’t know.” (Source: PR Newswire)

Majority of Americans would choose improved security over better Internet speed. In light of the numerous record-setting breaches, the findings of a @SecureAuth survey are perhaps not that surprising. It is, however, concerning that the same survey found that 15 percent of Americans have given out their Social Security numbers over public Wi-Fi, suggesting that more educational efforts are needed. (Source: Secure Auth)

Dropbox: The breach that never was. Earlier this week, reports surfaced that Dropbox, the Internet file sharing/storage service, was the latest victim of a breach. This, however, turned out not to be the case; reports now suggest that the incident was the result of hackers using stolen Tumblr passwords (Tumblr was the subject of an earlier breach) to gain access to Dropbox accounts. @briankrebs took this opportunity to remind us that, in the era of mega-breaches, aftershocks may occur as hackers use breached information to gain access to other sites, and that “re-using passwords across multiple sites that may hold personal information about you is an extremely bad idea. If you’re guilty of this apparently common practice, please change that.” (Source: KrebsonSecurity)

TeamViewer “hacked,” not “breached.” This week, reports surfaced that TeamViewer, the service that allows IT workers and consumers to control their computers from remote locations, was hacked, as several users reported having their computers taken over and their PayPal and bank accounts drained. In an interview with @dangoodin001, TeamViewer denied that a breach of its own systems occurred: “The vast majority of the cases that we see have to do with there being a lot of data breaches lately, and whenever we’re pointed to potential TeamViewer account abuses, we check internally to determine what we can see. And in virtually every case we see that the passwords and account credentials have been used elsewhere.” (Source: Ars Technica)

More LinkedIn fallout: Zuckerberg’s Twitter and Pinterest accounts hacked. The hacker “OurMine Team” briefly took over Facebook chief Mark Zuckerberg’s dormant accounts, apparently using information garnered from the LinkedIn password dump. The password, “dadada,” lacked the security features one would expect from the co-founder of Facebook. (Source: Ars Technica)

Katy Perry’s Twitter gets hacked, used to troll Taylor Swift. Pop star @katyperry, owner of the largest following on Twitter, was hacked last week. The hacker appeared anxious to mend the famous rift between @taylorswift13 and Katy Perry by tweeting “Miss u baby @TaylorSwift13,” before launching into a diatribe of ethnic and homophobic slurs. It may be a safe bet that in the future, Perry will turn on multi-factor authentication for her social media accounts. (Source: Telegraph and NBCNews)

Thousands of NFL player medical records stolen. A laptop containing the unencrypted medical records of thousands of NFL players and combine participants – 13 years’ worth – was recently stolen from an NFL employee. @barryap1 predicted that this breach will most likely open the NFL up to long and costly litigation, which the U.S. Department of Health and Human Services has vigorously pursued (particularly when data was stored on an unencrypted laptop) in the past. (Source: Deadspin)

Upcoming events

June 15 – FTC Start with Security – Chicago – Chicago, IL
The FTC’s fourth “Start With Security” event will take place on Wednesday, June 15, 2016, in Chicago, Illinois, and will be co-sponsored by Northwestern Pritzker School of Law. During this one-day event, the FTC will bring together experts who will provide businesses with practical tips and strategies for implementing effective data security.

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016, in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published June 8, 2016