
Breach Alert! Yahoo user data stolen

As evidence of why users should not reuse the same usernames and passwords across sites, it appears that credentials collected from recent breaches elsewhere were used to break into user email accounts at Yahoo on a large scale.  Yahoo recognized the attack and has taken steps to reset passwords.  Their Security Update was posted on Tumblr today.

According to Yahoo they are taking steps to protect users:

  • We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
  • We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
  • We have implemented additional measures to block attacks against Yahoo’s systems.
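The pattern described above, reused credentials from another site's breach being replayed against many accounts at once, is visible in login logs if you look for it. Here is an added example (not code from the original post or from Yahoo) that flags a source trying many distinct accounts in a short window with a low but non-zero success rate, and lists the accounts that need the password reset and second sign-in verification Yahoo describes. The log lines are constructed, and the window, minimum-account and success-rate thresholds are assumptions to tune for your own traffic.

```python
"""Spot credential stuffing in login logs.

Added example; this is not code from the original post or from Yahoo.
The log lines are constructed for illustration, and the thresholds
(window, minimum distinct accounts, success-rate ceiling) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.5 walks a list of leaked username/password pairs (two still work);
# 198.51.100.7 is one person mistyping their own password.
SAMPLE_LOG = """\
2014-01-30T10:00:01 203.0.113.5 alice FAIL
2014-01-30T10:00:02 203.0.113.5 bob FAIL
2014-01-30T10:00:02 203.0.113.5 carol OK
2014-01-30T10:00:03 203.0.113.5 dave FAIL
2014-01-30T10:00:03 203.0.113.5 erin FAIL
2014-01-30T10:00:04 203.0.113.5 frank OK
2014-01-30T10:00:04 203.0.113.5 grace FAIL
2014-01-30T10:00:05 203.0.113.5 heidi FAIL
2014-01-30T10:00:05 203.0.113.5 ivan FAIL
2014-01-30T10:00:06 203.0.113.5 judy FAIL
2014-01-30T10:00:06 203.0.113.5 mallory FAIL
2014-01-30T10:00:07 203.0.113.5 oscar FAIL
2014-01-30T10:01:00 198.51.100.7 alice FAIL
2014-01-30T10:01:10 198.51.100.7 alice FAIL
2014-01-30T10:01:30 198.51.100.7 alice OK
"""


def parse_log(text):
    """Turn the raw lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=10, max_success_rate=0.5):
    """Return {ip: stats} for sources that tried many distinct accounts within `window`.

    A user who forgot a password produces a few failures on ONE account.
    Credential stuffing produces ONE source trying MANY accounts once each,
    with a low but non-zero success rate (the reused passwords that still work).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) < min_users:
                continue
            hits = sorted({u for _, u, ok in in_window if ok})
            rate = len(hits) / len(in_window)
            if rate <= max_success_rate and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users), "attempts": len(in_window),
                        "success_rate": rate, "compromised": hits}
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Accounts that succeeded from a flagged source: reset these and require a second factor."""
    return sorted({u for stats in flagged.values() for u in stats["compromised"]})


if __name__ == "__main__":
    result = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, stats in result.items():
        print(ip, stats)
    print("reset:", accounts_to_reset(result))
```

Blocking the source IP alone is not enough: the accounts that logged in successfully are the ones the attacker now holds, so those are the ones to reset and step up to second sign-in verification.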

Scammers take advantage of Target Breach victims

Can you recognize a phishing email?  Target recently sent out an email to those affected by the data breach with information about the breach and steps to take if your information was involved.  That email can be viewed on Target’s website.


Scammers are also taking advantage of the situation and sending their own Target breach notification emails.  Can you spot the differences between a real and a fake email?

Honestly, I am surprised that Target sent their email the way they did.  One of the first ways to identify a suspicious email is whether or not you recognize the sender.  The legitimate Target email came From: Target.com (TargetNews@target.bfi0.com).  This immediately raises a red flag for me because I don’t know the domain bfi0.com.  Putting a trusted brand in the display name, or in front of an unfamiliar domain, is a standard scammer tactic: the user trusts the Target part and ignores the rest.  Sending from bfi0.com was an oversight on Target’s part that undermines the trust of its customers, and I would not have trusted this email if I had received it.  I dug a little more, and a WHOIS lookup shows that bfi0.com is registered to Epsilon Data Management, which runs email marketing campaigns.  Only then did I know this was the real Target email.

The biggest items to notice in the real email are that it does not ask you to click on anything except the Target.com website, and it does not ask you for any information.

Scammers will try and make you feel compelled to click on links and divulge personal information.

If you have already received one of the fake emails, delete it immediately.  If you clicked on anything, make sure your antivirus is up to date, and it would be a good idea to change the passwords on your online accounts.

If you divulged personal information in response to the scam email, contact your bank and/or credit card company immediately and ask them to watch for fraudulent activity.

Finally, Target is offering free credit monitoring to anyone affected by their breach, and I recommend signing up for it immediately.  You can see the details on Target’s website.

As a general rule, if you don’t recognize the sender, don’t trust the email.
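The checks above (is the sender domain one you know, does every link go to the brand's own site, does the message ask for information) can be written down and run against a message. The following is an added example, not code from the original post or from Target. Both messages are constructed: the first reproduces the real mailing's From line, the second is an invented scam. KNOWN_SENDER_DOMAINS is an assumed allowlist you would maintain yourself; it includes the marketing vendor's domain only because the WHOIS lookup in the post established who owns it.

```python
"""Triage a breach-notification email the way the post does by hand.

Added example; not code from the original post or from Target. The two
messages are constructed. KNOWN_SENDER_DOMAINS is an assumed allowlist
(add a third-party mailer's domain only after WHOIS confirms its owner).
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "target"
KNOWN_SENDER_DOMAINS = {"target.com", "target.bfi0.com"}  # assumption: your own verified list
# A real notification should not ask about any of these; scam emails usually do.
CREDENTIAL_WORDS = ("password", "social security", "account number", "verify your", "card number", "pin")

# Constructed: mirrors the From line of the real mailing the post discusses.
REAL = """\
From: Target.com <TargetNews@target.bfi0.com>
To: guest@example.com
Subject: Important Notice from Target
Content-Type: text/html; charset="utf-8"

<html><body><p>Information about the recent data breach and the steps
you can take is posted at <a href="https://www.target.com/">Target.com</a>.</p>
</body></html>
"""

# Constructed: an invented scam; the domain is reserved for documentation.
FAKE = """\
From: Target Customer Care <security@target-breach-help.example>
To: guest@example.com
Subject: Action Required
Content-Type: text/html; charset="utf-8"

<html><body><p>Your card may have been compromised in the Target breach.
<a href="http://target-breach-help.example/verify">Verify your account</a>
now by confirming your card number and password.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return a list of red flags; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Do you recognize the sender?  Brand in the display name, unknown domain behind it.
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"sender domain {domain} is not a known {BRAND} domain")
        if BRAND in name.lower():
            findings.append("display name borrows the brand but the address does not")

    # 2. Does every link go to the brand's own site?
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if BRAND not in host.split("."):
            findings.append(f"link '{text}' points at {host}, not a {BRAND} site")

    # 3. Does it ask you for information?
    lowered = body.lower()
    for phrase in CREDENTIAL_WORDS:
        if re.search(r"\b" + re.escape(phrase) + r"\b", lowered):
            findings.append(f"asks about '{phrase}'")
    return findings


if __name__ == "__main__":
    print("real:", triage(REAL))
    print("fake:", triage(FAKE))
```

The domain check is deliberately exact-match on an allowlist rather than "contains the brand name": a scammer's target-breach-help.example contains the word just as well as the real domain does.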



Top 25 Passwords from 2013: 123456 reigns supreme

2013 crowned a new #1 password, based on passwords collected from data breaches.  The top password for 2012 was ‘password’, but in 2013 ‘123456’ reigns supreme.

SplashData, a security firm, releases an annual list of the most common passwords found in breach dumps.  This year, because of the size of the Adobe breach, several Adobe-related passwords made the list.  The number in parentheses is the change in rank from the 2012 list.

  1. 123456 (+1)
  2. password (-1)
  3. 12345678 (0)
  4. qwerty (+1)
  5. abc123 (-1)
  6. 123456789
  7. 111111 (+2)
  8. 1234567 (+5)
  9. iloveyou (+2)
  10. adobe123
  11. 123123 (+5)
  12. admin
  13. 1234567890
  14. letmein (-7)
  15. photoshop
  16. 1234
  17. monkey (-11)
  18. shadow
  19. sunshine (-5)
  20. 12345
  21. password1 (+4)
  22. princess
  23. azerty
  24. trustno1 (-12)
  25. 000000

So what can you glean from this?  First, if your password is in this list, change it immediately; it is literally one of the first passwords an attacker will try if you are targeted.  Second, it shows why users should not put the name of the application they are logging into in their passwords (‘adobe123’, ‘photoshop’), nor use easy-to-remember letter and number sequences.

Securit360 recommends using a password manager to store complex and unique passwords in as many situations as you can.  Where you can’t use a password manager, we recommend passphrases made up of letters, numbers and symbols.  The longer the passphrase the better, preferably 10 or more characters.  If you have to choose between long or complex, choose long.  Don’t use common words or phrases; don’t be predictable.  Don’t share passwords among accounts; find a way to make a unique password for each account.  Don’t use real information in your security questions, and if you do, use a phrase rather than a single word.  Turn on two-factor authentication if it is available.
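Most of that advice can be enforced at the point where a password is set. Below is an added example, not code from the original post or from SplashData, that rejects anything matching the top-25 list above (including the obvious disguises an attacker's wordlist also tries: capitalisation, a trailing digit or symbol, leet substitutions), anything containing the application's own name, and anything short that is also simple. The 10-character minimum, the 16-character "long passphrase" cutoff and the leet substitution table are assumptions chosen to match the post's "prefer long over complex" rule.

```python
"""Reject passwords that an attacker will try first.

Added example; not code from the original post or from SplashData. The
blocklist is the post's top-25 list. The normalisation rules, the
10-character minimum and the 16-character long-passphrase cutoff are
assumptions that turn the post's advice into a check you can run.
"""
import re

TOP_25 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789", "111111",
    "1234567", "iloveyou", "adobe123", "123123", "admin", "1234567890", "letmein",
    "photoshop", "1234", "monkey", "shadow", "sunshine", "12345", "password1",
    "princess", "azerty", "trustno1", "000000",
}

# De-leet table (assumed): "P@ssw0rd" -> "password".
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def variants(pw):
    """Forms a cracker's rules would also produce: lowercase, trailing digits/symbols stripped, de-leeted."""
    forms = {pw.lower(), re.sub(r"[\d\W_]+$", "", pw.lower())}
    forms |= {f.translate(LEET) for f in forms}
    return forms


def check_password(pw, service="", min_len=10, long_passphrase=16):
    """Return the reasons to reject `pw`; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if variants(pw) & TOP_25:
        problems.append("matches a top-25 breached password (after stripping digits/leet)")
    if service and service.lower() in pw.lower():
        problems.append(f"contains the service name '{service}'")
    if len(pw) < long_passphrase:
        # Long beats complex: only passwords below the cutoff must mix character classes.
        classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
        if classes < 3:
            problems.append(f"shorter than {long_passphrase} characters and uses fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    for candidate, svc in (("123456", ""), ("P@ssw0rd!", ""),
                           ("Photoshop2014!", "photoshop"), ("correct horse battery staple", "")):
        print(repr(candidate), "->", check_password(candidate, service=svc) or "ok")
```

Note that "P@ssw0rd!" satisfies every character-class rule and still fails, because after stripping the trailing symbol and undoing the substitutions it is just "password"; complexity rules on their own do not catch it, the blocklist does.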



Microsoft January Security Bulletin

Today Microsoft released four security bulletins.  All four have a maximum severity rating of Important.

Source: https://technet.microsoft.com/en-us/security/bulletin/ms14-jan


Target Data Breach Timeline

Updated: As originally reported by the WSJ, and sourced here from Business Insider, Target had warning last spring about a new emerging threat against POS systems.  Internal analysts requested additional scrutiny.

Updated: According to an article posted on Krebsonsecurity “the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.”

The recent retail breaches show that compliance is not enough.  Cyber security needs to be an organization-wide initiative:

Initial Target Data Breach

Breach: Target, sometime between Thanksgiving and December 15th, 2013.  Estimated 40 million records.

Discovered: Sometime around mid December 2013.

Reported: Target confirms breach of 40 million records on December 19th, 2013.

Notes: Wed, December 18th, data from the theft had already flooded underground markets.

Neiman Marcus Confirms Breach

Breach: Scope unknown.  UPDATED: included credit and debit cards dating back to July 2013.  UPDATED: approximately 1.1 million credit and debit cards affected.

Discovered: Sometime around mid December 2013.  UPDATED: The breach was not confirmed until January 1st, 2014.

Reported: Jan 10th, 2014, Neiman Marcus reports breach.

Second Target Data Breach

Breach: On Jan 10th, 2014, Target confirms a second theft from the same breach, which included names, email addresses and phone numbers of up to 70 million additional records.  This occurred sometime between Thanksgiving and December 15th, 2013.  Estimated 70 million records, for a total of 110 million records.

Discovered: Two to five weeks after the initial breach.

Reported: Over a month after the initial breach.

Jan 12th, 2014: Reuters reports that more well-known retailers have been breached.

Source: http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112

UPDATE: The malware known as KAPTOXA has been reported to be involved in the Target breach and is suspected to be involved in the Neiman Marcus breach.  The article linked here is from iSight Partners, a global cyber intelligence firm that works with the U.S. Secret Service and the Department of Homeland Security.  They claim that the malware has probably infected a large number of POS terminals throughout the retail industry.  We still don’t know which other retail companies were breached around the same time as Target, but it is reasonable to assume they are all linked somehow.

Retailers are extremely vulnerable during the holiday season simply due to the high customer volume.  They try to get as many customers in and out as possible during peak times, and they neither want, nor have the ability, to inconvenience their consumers with any increased scrutiny.  In these recent attacks the attackers had access to customer data for several weeks: the breaches weren’t discovered until at least 3 weeks after they started, and they weren’t reported until about a month later.  Additionally, even after the breaches were discovered, not all of the information was available, so the initial scope was incomplete.  It took Target over a month to understand the full scope of their breach, which is now one of the largest breaches on record, surpassing the TJX breach by over 60 million records.

This raises the question: is compliance enough?  Retailers such as Target are required to be PCI-DSS compliant to handle credit cards, but does that mean the organization is secure?  Security is a top-down, cultural and organizational mindset.  If security doesn’t start from the top, with funding and initiative, and filter down into scrutiny and diligence, then security holes will exist, and there will never be a completely secure organization.  People make mistakes, systems will be compromised, and ultimately data will be breached.  The question is: how quickly can an organization recognize and respond to the breach?


Target Breach now affects 110 million users

Joshua Carter, public relations manager at Target, said, “This theft is not a new breach; these are two distinct thefts as part of the same breach and this development was uncovered in the course of the ongoing investigation. The 70 million guests impacted by this new development are separate from the 40 million number that was previously shared.”

This goes to show how easily a data breach can get out of hand.  Not only has it taken months for all of the information to come out, the breadth of the breach continues to grow.  The Verizon Data Breach Investigations Report says that it typically takes attackers seconds to hours to compromise a target, while it can take organizations months to find out, let alone deal with the issue.  Can your business recognize a breach if it happened?

We offer managed security services that help your organization correlate events and configure alarms to detect anomalies in normal behavior.

Source: http://www.scmagazine.com/separate-info-on-70m-stolen-in-target-breach/article/328827/



LinkedIn Profiles: Ripe for phishing recon

The author notes that LinkedIn has “…more than 259 million members—many who are highly paid professionals in technology, finance, and medical industries—LinkedIn holds a wealth of personal data that can prove highly valuable to people conducting phishing attacks, identity theft, and similar scams.”

Many times there are legitimate business reasons to post identifiable information such as an email address or phone number on LinkedIn.  Is it necessary to add things like date of birth or home address?  Users must keep in mind the type of information they make available and what it could be used for.

Additionally, do you ‘know’ each of your contacts?  How many times do you get a connection request from someone you don’t really know, but accept because it feels like it could be beneficial to connect?  A previous post references a targeted phishing attack through LinkedIn.  These situations continue to emphasize the need for users to be aware of what information they make available, regardless of the perceived trust of the system in use.

Source: http://arstechnica.com/security/2014/01/hackers-use-amazon-cloud-to-scrape-mass-number-of-linkedin-member-profiles/

Categories
Research|Computer & Network Security>Vulnerabilities

OWASP Top 10 For Developers

Troy Hunt wrote a great series on the OWASP Top 10 for developers.  The series is a few years old, but it is still completely relevant, since the OWASP Top 10 has changed little in that time.

OWASP Top 10 for .NET developers series

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Hackers announce ransomware toolkit

Two hackers, going by ‘gyx’ and ‘Porphyry’, have released what they are calling Prison Locker, a toolkit for building your own customized ransomware.  They are apparently selling it for as little as $100.  This is not good news for users who have yet to protect their systems.  Because the toolkit can be delivered through many different channels and customized in many different ways, it makes this malware much more dangerous.

Read more: http://thehackernews.com/2014/01/power-locker-ransomware-upcoming_3.html