Information Technology & Security

Goodbye Sensitive Info?

Posted: 2/25/2017

Please check out this article from Gizmodo about the shady actions of our new Federal Communications Commission leadership: FCC Picks Worst Day Possible to Block Rules Protecting Personal Info

“Until today, March 2 marked the date that internet service providers would be required to adopt “reasonable” measures to protect sensitive customer info like browsing histories, location data and Social Security numbers. Thanks to the Federal Communications Commission’s new leadership, however, that deadline will now be extended indefinitely, and we have no idea if or when those rules will be enacted.”

#Privacy, #FCC, #Pai, #PersonalData

 


Another Internet Security Disaster: Cloudbleed

Posted: 2/24/2017

Maybe you missed the news, but a new vulnerability has been discovered and it is a huge deal.  The flaw was first discovered by Google’s Project Zero vulnerability researcher Tavis Ormandy on February 17, but could have been leaking data since as long ago as September 22. The vulnerability has been identified as Cloudbleed.

Basically, a bug in the Internet infrastructure company Cloudflare’s code has led to an unknown amount of data (passwords, personal information, messages, cookies, and more) being exposed. According to Wired.com, what happened is that under certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.

The good news is that Cloudflare acted quickly to address the bug.  They pushed a preliminary fix less than an hour after discovering the issue, and within seven hours permanently patched the flaw across all of its systems around the world.  While this is good news, the damage has already been done.

#Cloudbleed, #Vulnerability, #Dataloss

 


Using Surveillance to Make Life Easier?

Posted: 2/23/2017

Are you willing to give up your right to privacy in exchange for convenience?  Is there a line that you are not willing to allow the government or even private companies to cross?  Your privacy is constantly invaded in some form or fashion every day.  Data is collected on you whether you know it or not, whether you give your permission or not.

Here are just a few instances of how surveillance and data collection are currently being implemented without your knowledge:

New York – New recognition technology is counting every single pedestrian in New York.  Check out this video about how traffic cameras and algorithms are revealing amazing data about millions of pedestrians in New York City: http://www.cnn.com/videos/tech/2014/05/25/cot-nyc-surveillance.cnn/video/playlists/city-of-tomorrow/ 
Do you have concerns about the data that is being collected without your permission?  Who is collecting the data?  How is the data being protected?  Is the data being sold, and if so, to whom and for what purpose?

LAPD – The LAPD (and other jurisdictions) is using license plate readers and data mining technology with CIA roots (Palantir).   Check out this video about how license plate readers are gathering data and the issues surrounding it: http://www.cnn.com/videos/tech/2014/05/25/cot-la-license-plates.cnn/video/playlists/city-of-tomorrow/
Does the fact that data is being collected on you whether you know it or not, whether you are a criminal or not, concern you?

Baltimore – Baltimore’s “Secret Cameras” record every move from the sky: https://www.bloomberg.com/features/2016-baltimore-secret-surveillance/
Since the beginning of 2016, the Baltimore Police Department has been using a small Cessna airplane equipped with a sophisticated array of cameras to circle Baltimore. The plane’s wide-angle cameras capture an area of roughly 30 square miles and continuously transmit real-time images to analysts on the ground. The footage from the plane is instantly archived and stored on massive hard drives, allowing analysts to review it weeks later if necessary to investigate all sorts of crimes, from property thefts to shootings. The Cessna sometimes flies above the city for as many as 10 hours a day, and the public has no idea it is there.

Featured in Bloomberg Businessweek, Aug. 29-Sept. 4, 2016.

 


Credit Card Theft/Skimmers

Posted: 2/21/17

Are you aware of the many ways hackers are stealing your data on a daily basis?  Here are just a few common examples:

  1. Fast Food Restaurants (employee stealing credit card information/skimming).
  2. Gas Pump Skimmers (internal & external) [Gas pump skimmer videos]
  3. Store POS (Point of sale) skimmers [Skimmer on store POS machine]
  4. Store POS (Point of sale) malware [such as the Target store breach]

Check out this Nightline | ABC News report about some of these: ABC Nightline Skimmer Report

Please take this information seriously and protect yourself going forward. Pay attention to what happens after you hand over your credit card. Walk to the cashier’s window or go inside when stopping to get gas. Credit card information is stolen all day, every day. Don’t be the next victim.


Microsoft Windows Privacy Concerns

Posted: 2/7/2017

Did you know that Microsoft is spying on you and monitoring what you do on your PC?

Did you know that even if you are smart enough to turn off the settings that allow Microsoft to spy on you, Microsoft turns them back on when you download updates?

Check out these two links to start protecting yourself and your privacy:

  1. Stop Windows 10 Spying – Privacy & Security Matter 
  2. Windows 10 is Spying on You Even When you Turn Privacy Settings to Off!

Don’t say that I didn’t warn you… #privacy

 



Google Maps

Posted: Jan 14, 2017

I’m sitting in my office, finishing up for the day and all of a sudden I get an alert on my phone…What was that!?

My phone proceeded to let me know that if I left then and there, it would take me 33 minutes to get to my house…wait, what the hell is going on here?

First of all, how does it know what time I leave work?
How does it know where I’m going?
How does it know how long it will take to get there??

I am completely freaked out.  Anyone who knows me will tell you that my level of paranoia is high already (take a CISSP or an Ethical Hacking course or pick up some books on hacking and you will be too) and now my phone has magically turned into Miss Cleo on me?  We can’t have this.

It turns out that having Google Maps combined with having Location Services enabled allows the Google app to anonymously send real-time data back to Google.

Google uses the information collected from every person who has this app and this service enabled to calculate the number of cars on the road, how fast they are moving, where the traffic is, etc. The more people with the app, the more accurate the data.

They also incorporate data from the Waze app (which Google purchased for $1 Billion in 2013) to paint a more complete picture of the traffic in the area that you are in.  They use the data and create a history of traffic patterns as well to predict future traffic at specific times.

Personally, I am uncomfortable with having my movements monitored and recorded especially without my knowledge or consent (although I likely consented by using the app without reading anything).

So what is the solution? Opt out by simply turning off Location Services.


Again??

Posted: Jan 14, 2017

Recently it seems like data breaches are occurring so often that we are becoming desensitized to the news.

In 2016 you may have noticed a few high profile data breach stories appear on the news.  Companies like LinkedIn, Snapchat, and Yahoo! (twice) were some of the most high profile stories, but there were many more.

Here are a few that you may have missed:

FACC

January 25, 2016: FACC, an Austrian-based aerospace parts manufacturer (with clients like Airbus and Boeing), announced they fell victim to hackers in January 2016. The criminals, however, seemed to ignore the company’s data and intellectual property, opting to instead steal approximately €50 million — which is equivalent to about $54.5 million U.S. dollars. FACC says that while they are investigating the extent of the damage and how it happened, their normal operations have not been affected.

University of Central Florida

February 8, 2016: At the beginning of February 2016, the University of Central Florida announced a data breach that affected approximately 63,000 current and former students, faculty, and staff. The breach was discovered in January, but before making the incident public, the university reported it to law enforcement and conducted an internal investigation. Unknown cyber criminals compromised the university’s computer system and stole a variety of information including Social Security numbers, first and last names, and student/employee ID numbers.

U.S. Department of Justice

February 9, 2016: Hackers angry about U.S. relations with Israel tried to call attention to their cause in February 2016 by breaching the U.S. Department of Justice’s database. CNN reported the hackers released data on 10,000 Department of Homeland Security employees one day, and then released data on 20,000 FBI employees the next day. Information stolen included names, titles, phone numbers, and e-mail addresses; the Department of Justice does not believe that any sensitive information, like Social Security numbers, was obtained. Tweeting from the account @DotGovs, the hackers said it took one week for the Department of Justice to realize that their systems had been compromised.

Internal Revenue Service

February 29, 2016: The Internal Revenue Service (IRS) announced that the data breach they uncovered in May 2015 was much larger than initially believed. In May, the IRS said over 100,000 American taxpayers had their personal information compromised when the agency’s “Get Transcript” system was hacked. However, in February 2016, those numbers have been increased to over 700,000. The IRS thinks a sophisticated Russia-based criminal operation is responsible for the data breach and that identities were stolen to file fraudulent tax returns in the future.

UC Berkeley

February 29, 2016: The financial data of more than 80,000 University of California, Berkeley students, alumni, employees, and school officials was compromised around December 2015 and announced to the public in February 2016. The school says that although it was clear their system was hacked, it does not appear that any information was stolen. Those who may have been affected were notified and encouraged to keep an eye on their personal information.

Snapchat

March 3, 2016: 700 current and former Snapchat employees had their personal information stolen when hackers used a phishing scam to trick an employee into e-mailing them the private data. Posing as Snapchat chief executive Evan Spiegel, the attackers simply requested — and received — sensitive employee information including names, Social Security numbers, and wage/payroll data. It is presently unclear who is responsible for the attack or how they may use the information they stole.

21st Century Oncology

March 10, 2016: 21st Century Oncology, a Fort Myers-based company offering cancer care services, revealed in a statement on their website that 2.2 million patients may have had personal information stolen when the company’s system was breached in October 2015. The breach was discovered in November 2015, but the FBI discouraged the company from making a public announcement until March, as the investigation was ongoing. Though there is no evidence that the data has been used in any way, hackers did have access to patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.

Premier Healthcare

March 10, 2016: A data breach was reported by Premier Healthcare, a multispecialty provider healthcare group, after a laptop computer was stolen from the billing department of their Bloomington, Indiana headquarters. The laptop was protected by a password, but it was not encrypted and contained sensitive data pertaining to more than 200,000 patients. Most victims affected had their names, dates of birth, and other basic information compromised, but Premier Healthcare says that 1,769 individuals may have had their Social Security numbers or financial information taken as well.

Verizon Enterprise Solutions

March 25, 2016: Verizon Enterprise Solutions, a division of Verizon known for providing IT services and data breach assistance to businesses and government agencies around the world, was hit by hackers who stole the information of about 1.5 million customers. The data was found for sale in an underground cybercrime forum by cybersecurity journalist Brian Krebs. Verizon acknowledged the breach, saying that they’ve found the security flaw, and are working to contact affected customers.

Systema Software

March 28, 2016: A data breach at California-based Systema Software was not the result of hackers, but an internal error during a system upgrade in which data storage was set up improperly and made publicly available on the Internet. Chris Vickery, a white-hat hacker, found the information online and reported it to the proper authorities — by that point, customer information had been exposed for 75 days. Affected customers include the Kansas State Self Insurance Fund, the CSAC Express Insurance Authority, American All-Risk Loss Administrators/Risico, Millers Mutual Group, Crosswalk Claims Management, and Salt Lake County. Currently, it is not believed that any of the personal information has been used illegally.

Tidewater Community College

March 28, 2016: Current and former employees of Tidewater Community College (TCC) in Norfolk, Virginia had their personal information stolen in a tax season phishing scam. An employee in the school’s finance department received a request from a fake TCC e-mail address asking for all employee W-2 information. The individual, not realizing the e-mail was fake, responded with sensitive information including names, earnings, and Social Security numbers. TCC’s spokesperson has said that at least 16 TCC employees have reported false tax returns filed under their Social Security numbers.

MedStar Health Inc.

March 30, 2016: The FBI is investigating a computer virus that paralyzed MedStar Health-operated hospitals in Maryland and Washington. Officials are trying to determine whether the virus was ransomware, which holds a company’s systems “hostage” until a specific dollar amount is paid. It is not immediately clear whether any patient information was stolen, but with the popularity of medical identity theft among hackers, it is certainly possible that personal data was compromised.

Philippine Commission on Elections

April 11, 2016: A breach of the database for the Philippine Commission on Elections (COMELEC) prompted Infosecurity Magazine to say it “could rank as the worst government data breach anywhere.” It is believed that the personal information of every single voter in the Philippines — approximately 55 million people — was compromised on March 27, 2016 by Anonymous; LulzSec Pilipinas published the database online a few days later and those private details are now available online for anyone to steal and engage in all different types of identity theft. Anonymous’ actions were allegedly an effort to push COMELEC to turn on security features in the vote counting machines before the national elections on May 9.

Multiple Major E-mail Providers

May 5, 2016: Milwaukee-based Hold Security discovered more than 270 million e-mail usernames and passwords being given away for free in the Russian criminal underground. It is unknown how all of the accounts were stolen, but Hold counted about 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts, and 24 million Gmail addresses. There were also hundreds of thousands of German and Chinese email providers, along with username/password combinations that seem to belong to employees of major banking, manufacturing, and retail companies.

Wendy’s

May 11, 2016: In January 2016, Wendy’s began investigating a potential data breach after receiving reports of unusual activity involving payment cards at some of their restaurant locations. The details of that investigation became public in May, as the fast food chain revealed that less than 5 percent of its restaurants were affected. The company believes that malware infiltrated one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015. Security expert Brian Krebs said many bank and credit unions “have been grumbling about the extent and duration of the breach” and that it seems some breached Wendy’s locations were still leaking customer card data as late as the end of March 2016 into early April.

June 16, 2016 Update: In June 2016, Wendy’s announced that their data breach was worse than they originally thought. The company did not provide much additional information — only that “additional malicious cyber activity has recently been discovered in some franchise-operated restaurants.” They said that they disabled the newly discovered malware, but that “the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.” Wendy’s is continuing to work with security experts and federal law enforcement who are investigating the breach. Customers with questions can call 888-846-9467 or email PaymentCardUpdate@wendys.com

LinkedIn

May 17, 2016: A 2012 data breach came back to haunt LinkedIn when 117 million email and password combinations stolen by hackers four years ago popped up online. At the time the breach occurred, members who had been affected were told to reset their passwords. That information then became publicly available in May 2016. LinkedIn acted quickly to invalidate passwords of all LinkedIn accounts that were created prior to the 2012 breach and had not undergone a reset since the breach. It is not clear who stole the information or published it online, but LinkedIn is actively working with law enforcement officials.

Newkirk Products

August 12, 2016: In August 2016, Newkirk Products, a service provider that issues healthcare ID cards, announced a data breach that may have affected up to 3.3 million people. Unknown hackers were able to gain access to a server that contained sensitive member information, including names, mailing addresses, dates of birth, and details about health insurance plans. At this time, it does not appear that any of the stolen information has been used maliciously.

Oracle

August 12, 2016: The company that owns the MICROS point-of-sale system, used in more than 330,000 cash registers around the world, became the victim of a data breach, which was announced to the public in August of 2016. At the time the breach was uncovered by security expert Brian Krebs, it was unclear as to the size and scope; Krebs did say that a large Russian cybercrime group was likely to blame and that they had placed malware on company computers and on the MICROS customer support portal to steal usernames and passwords. Many experts also believe the hackers were probably able to plant malware in the MICROS point-of-sale systems and that they could be responsible for major data breaches at retailers around the country.

Dropbox

September 2, 2016: The popular file-hosting service was forced to confront a data breach from four years ago that affected more users than originally believed. In 2012, Dropbox helped a small amount of users secure their accounts after some usernames were stolen. At the end of August 2016, however, it was revealed that more than 68 million Dropbox users had their usernames and passwords compromised in that initial breach. It does not look like the accounts have been illegally accessed at this time, and all Dropbox users who have not reset their passwords since 2012 have been prompted by the company to do so.

Yahoo!

September 22, 2016: In what may be the most expansive data breach of all time, Yahoo announced that a hacker had stolen information from a minimum of 500 million accounts in late 2014. The thief, believed to be working on behalf of a foreign government, stole e-mail addresses, passwords, full user names, dates of birth, telephone numbers, and in some cases, security questions and answers. At the time of the breach announcement, Yahoo was still working with law enforcement and the FBI on an investigation.

Weebly

October 20, 2016: Over 43 million Weebly users were notified about a data breach that happened in February, but was just discovered in October. Stolen data included usernames, passwords, e-mail addresses, and IP information, but Weebly does not believe any type of financial information was stolen because it does not store full credit card numbers on its servers. Hackers were not able to log directly into customer websites because passwords were protected by bcrypt hashing.

National Payment Corporation of India

October 20, 2016: The National Payment Corporation of India (NPCI) was notified by international banks, primarily in the U.S. and China, that some of its customers’ debit cards were being used illegally. Experts believe the breach began with a malware attack that originated at an ATM. The NPCI said that 32 lakh debit cards across 19 Indian banks were compromised, but customers were contacted to change the debit card PINs and customers they couldn’t reach had their cards canceled and were issued new ones.

Cisco

November 3, 2016: An incorrect security setting on the mobile version of Cisco’s “Professional Careers” website created a privacy hole that exposed the personal information of job-seekers. Discovered by an independent researcher, the security vulnerability made sensitive data available between August and September 2015, and again from July to August 2016. That data included names, addresses, e-mails, phone numbers, usernames, passwords, answers to security questions, resumes, cover letters, and voluntary information such as gender, race, veteran status, and disability.

At this time, there is no evidence that any other parties accessed the job-seekers’ information, other than the independent researcher. Cisco did say, however, that “there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.” Those steps include alerting all Cisco job-seekers to the breach, requiring all users to reset their passwords, and offering to put 90-day fraud alerts on accounts for interested users.

AdultFriendFinder.com

November 13, 2016: AdultFriendFinder, an X-rated website, was targeted by hackers for the second time in two years. This time, though, the amount of accounts compromised was immense — approximately 412 million users had personal information stolen and published in online criminal marketplaces. The breached data included e-mail addresses, passwords, VIP member status, browser info, last IP address to log in, and purchases. LeakedSource is responsible for finding and reporting the breach to the public; AdultFriendFinder has only admitted to finding a vulnerability and has not confirmed the attack yet.

San Francisco Municipal Transportation Agency

November 25, 2016: San Francisco’s public railway system, known as Muni, was infected with malware over the Thanksgiving weekend; this resulted in locked kiosks and computers and two days of free rides for passengers until the system went back online on Sunday, November 27. Fortune reached out to the hackers, who said the attack was not targeted — it was an automated attack, also known as a “spray and pray.” In this type of attack, an automated system sends links to malware out to many prospective victims; an IT admin at the transportation agency allegedly clicked on the link and unknowingly downloaded the malware files.

The hackers claim to have 30GB of stolen data, which includes the personal information of employees and riders. They want the agency to fix its vulnerable systems and pay a ransom of 100 Bitcoins, or about $73,000 — if their demands aren’t met, they say they will release all of the personal information. The agency’s systems are back online, but as of now, it does not appear that they have paid the hackers.

Yahoo

December 14, 2016: Less than three months after announcing a 2014 data breach that affected 500 million users, Yahoo did it again — and even bigger than before. In December, the company discovered another breach from 2013 that may have compromised the personal information of one billion Yahoo accounts, making it the largest data breach in history. At the time of the breach announcement, Yahoo did not have much additional information to share with the public, as it was still unclear who was responsible, how they got into the system, and what they stole.

Source: Identity Force

It is imperative that you stay vigilant, and not only protect yourself against the constant threat of hackers, but pay attention to what is happening and the trends in Cybersecurity.  It is easy to become a victim when you aren’t paying attention to what’s happening around you.

Everyone is at risk.  We are using technology to make our lives more and more convenient, but we are also making the jobs of those who wish to do us harm easier as well.

 

 

 

 

© The Contrarian, 2013-2017. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to The Contrarian with appropriate and specific direction to the original content.