Yahoo Archives - L2 Cyber Security Solutions Ltd.

Data Breaches Everywhere

Liam — Wed, 05 Dec 2018 16:30:02 +0000

It’s beginning to look a lot like Christmas … has come early for the evil doers. There just seems to be a relentless tale of data breach after data breach in recent weeks and it has been really bad in the last week. It really does look there’s data breaches everywhere you look. The worry about this, is that people may just think that this is the new normal and put up with it.

Updated 05/12/18: To include the Dell, potential breach.

Last Wednesday, Dell announced a potential cybersecurity incident. This was followed on Friday when it was revealed that Marriott International Hotels had a massive 500m records stolen. These were all forgotten by Monday for most normal people and then later on Monday Quora, an online question and answer forum had 100m records stolen. A couple of weeks ago, Amazon notified an unknown number of customers that their name and e-mail address were exposed. Earlier in the month, VisionDirect in the UK had lost payment card data for an undisclosed number of customers.

That’s just 5 companies that you probably have heard of. I covered the NUI Galway breach separately a couple of weeks ago. There were lots more breached last month. I’ll give a synopsis on each one of the five and then discuss what can happen.

Quora have some questions to answer

So Quora had ~100m records accessed by persons unknown. They detected the issue on Friday 30th November and on Monday 3rd December they endeavoured to contain the issue. They logged out the impacted individuals and forced them to reset their passwords when they log back in. What was taken by the bad guys?

Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
Public content and actions, e.g. questions, answers, comments, upvotes
Non-public content and actions, e.g. answer requests, downvotes, direct messages

They claim not many subscribers used the direct messages features, so really the most important items lost here was the account information.

Marriott reserve second place in the data breach tables

I actually missed this story on Friday the 30th November, as I had promised a customer a security assessment report by the end of the week. So I stayed off social media for the day, while I completed it. There were a LOT of tweets to get through that night! ? This is currently the second biggest data breach in history after Yahoo!’s almost impossible to match record breaking 3 billion accounts breach as revealed in October 2017. So what did Marriott lose? The contents of the Starwood guest reservation database, going back as far as 2014, containing:

For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.
For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

Some of the data lost is genuinely concerning. Particularly the payment card information.

Bad guys try to ding dong Dell

This may or may not have been a breach. Dell haven’t given away too much information. Their security measures detected unauthorised activity that was …

… attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords.

Dell couldn’t say at this point whether these details were actually extracted from their systems by the bad guys. But even if they were unsuccessful in taking data, this just demonstrates that even massive companies like Dell can be broken into. Massive companies like … ⬇⬇⬇

Prime example of poor communication from Amazon

The Amazon data breach on 21st November doesn’t seem too bad. All that might have been compromised was name and e-mail address. However their notification to affected customers was pretty poor.

A lot of security professionals have said that this looks very “scammy”. While I would tend to agree as it’s very light on any details, there’s no suggestion that the recipient should take some urgent action. If that had been the case, I would fully agree.

Is there short-sighted security in place at VisionDirect?

Back on the 19th November, VisionDirect in the UK issued a statement about a data breach. The breach affected customers who updated their details or placed orders between the 3rd November and 8th November. What data was accessed by the evil doers?

The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

In fairness to them, they were very specific about the timeframe when the website was compromised. “Between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November 2018.” This was repeated ad nauseam.

What can happen when there are data breaches everywhere?

A common feature of all the above breaches are names and email addresses. While you might not think these are worth anything, 50,000 valid email addresses can be sold for up to $50 on criminal exchanges on the “dark web”. I hate that term by the way. It’s so “hackery”. Anyway, your email address has a small, but material value.

Payment card data is the next thing that is of immediate value, particularly where the bad guys have the CVV/3 digit security number. These can be immediately put to work purchasing vouchers which are then immediately spent. The card numbers are also valuable on their own and sell for up to $60 each. While Marriott had the credit card numbers encrypted, they were not sure if the required information to decrypt them again was also exposed. So I would assume that it was.

Passwords are the next concern. Quora had “hashed” passwords which is good. These are hard (but not impossible) to crack. They also forced a password reset on affected subscribers, so that’s another mitigation. With VisionDirect, the password was totally compromised. This is because it was captured when a user was signing on to the site. They forced password changes on people who were impacted. However, if the password is used on ANY other account, particularly email, banking and social media, then you must change them all.

The rest of the data that was breached is still incredibly useful to the criminals. In particular from the Marriott breach. They have reservation details, probably into the future. So they know the future likely movements of people. They have loyalty card information, which, along with other data points, can be used to compromise a person’s Starwood’s Preferred Guest account and re-direct the rewards elsewhere.

The amount of data leaked, over such a long time at Marriott is pretty bad. This can be merged with lots of other data breaches and the evil doers can build quite a profile on each individual. I’ve discussed before how breached data from multiple sources can be put to evil use.

Data breaches everywhere indeed.

How can we help?

As the saying goes, preparation is half the battle. If you’ve not prepared to handle a data breach, it will be a much bigger struggle. We can help you prepare, both for a breach and handling the aftermath.

If you want to discuss further, please call on 087-436-2675 or send an e-mail to info@L2CyberSecurity.com and somebody will get in touch. We will make it straightforward and easy for you to be ready for an incident.

Lets be careful out there.

#SecuritySimplified

#GDPR #SimpleGDPR

The post Data Breaches Everywhere appeared first on L2 Cyber Security Solutions Ltd..

Review of my 2017 predictions.

Liam — Thu, 28 Dec 2017 15:02:53 +0000

I don’t see many people who make predictions for the coming year actually come back to review what they predicted. I’m not one of those though, so here is my review. I’ve included the original text below in blue, but the full article for my 2017 predictions is here.

1. Ransomware levels will plateau, but constantly change

This might be an easy one to get right. Ransomware is already embedded in over 90%+ of all phishing e-mails, so there’s hardly any further room to keep growing. We’ve already started to see the way it is changing though. As was reported earlier this month, you could get your files unlocked if you infected two friends with this Ransomware rather than paying money over to the hackers.

I haven’t seen the stats yet, but I suspect Ransomware is still as big a problem as it was 12 months ago. And as noted, the evil doers have started using new methods to get money out of people by hijacking the victims computer processing power to mine crypto-currencies (i.e. create new currency for them). We also had the scary prospect of Ransomware worms thanks to WannaCry and Petya/NotPetya. So I’m going to say I got this one right.

2. Smart Device Botnets will target the big service providers

We’ve seen record breaking botnets created this year by poorly designed and poorly secured smart devices (also referred to as IoT, e.g.- internet connected cameras, digital video records, internet routers, etc.). I suspect the evil doers are building a massive army, much bigger than anything we have seen to date. I believe that they will then carry out a coordinated attack on one of the big service providers (e.g.- Google, Amazon or Microsoft). The attack won’t be fully successful, but will have caused sufficient disruption to make smart device security a focus for all manufacturers of such devices, as insecure devices will be banned from accessing the web.

This was a miss. While attacks did take place, there was nothing on the scale that we saw in 2016.

3. There will be an even bigger data leak than 2016’s revelation of the Yahoo! world record leak

Yahoo! has really had a bad year, setting a world record, having already had an even bigger world record. I believe bigger leaks have already happened and will be revealed next year. I reckon the bad guys are already combing through the data, cracking passwords and will then create tools that will take the IDs and passwords they have and try these against other services (e-mail, social media, etc.) to generate a list of compromised accounts, which are extremely valuable on the dark net.

I got this one right. It was Yahoo! that did it again, with over 3 billion records breached.

4. Russia will be accused of interfering in elections occurring across Europe

Russia has shown form this year, interfering with the US Presidential Election. With elections happening in the bigger European Countries (Germany, France and The Netherlands) in 2017, I would not be very surprised to discover that the Russian state hackers tried to influence the results of these.

While the German and Dutch elections were not outwardly (at least) subject to the same issues as affected the US elections, there was an incident during the French elections which looks likely to be an attempt to influence the voters. A dump of campaign documents including emails and accounting records for Emmanuel Macron’s campaign was released just before a moratorium on communications came into effect. So I’ll take a partial on this one.

5. More Irish people will be protecting themselves from Cyber Threats

I’ll be a bit selfish with this one as I will be the one helping these people to protect themselves. People knowing how to stay safe on-line will be the least likely to be affected by a Cyber Threat.

While I did protect more Irish people in 2017 by educating them, it wasn’t as many as I would have liked. So, again I will take a partial on this one. A little something called the GDPR became more important to people so, in conjunction with Molly O’Neill, we created training and awareness programmes for businesses.

Results for my 2017 predictions

2 correct, 2 partials and 1 incorrect. Not too bad. I may give this another go for 2018.

The post Review of my 2017 predictions. appeared first on L2 Cyber Security Solutions Ltd..

Malicious e-mail from Yahoo! breach.

Liam — Tue, 10 Oct 2017 14:46:57 +0000

I’ve received the first malicious e-mail as a result of a compromised Yahoo! e-mail account. I’ve warned the individual and hopefully he still has control of the account and can secure it again.It’s a typical “phishing” e-mail, which attempts to get you to carry out some action (e.g.- open an attachment or click on a link) and this will then lead to some attempt to compromise your computer. Google’s spam filters picked it up, so I was nice and safe. It is quite likely that this e-mail account was compromised as a result of the Yahoo! data breach back in 2013. Yahoo! have admitted that details of every single e-mail account they had, was leaked to evil doers.

These details included weakly protected passwords, so it is likely that the bad guys have accessed this individual’s account and downloaded his contacts. Here is the malicious e-mail in question, I’ve redacted the name portion of the e-mail address to protect the individual:

So the Subject of the e-mail is “Statement from <compromised e-mail address>”.
The individual’s e-mail address is buried in the “From” address in the e-mail.
Also the last line of the e-mail is the name part of the e-mail address.
However this malicious e-mail did not actually come from that person’s Yahoo! account, but rather that “rimports.hostpilot.com” domain that Google picked up on. This e-mail originated in the Philippines.

The use of the address is all an attempt to make it look like this e-mail is from somebody you know and perhaps trust and you may therefore be inclined to click on the link, as in this case. I’ve also redacted a part of the link in case any of my curious readers attempt to go to that address. I don’t want you to compromise yourselves. ?

Even without Google’s spam filters, I would have been suspicious of this e-mail, as I had only ever exchanged 2 e-mails with him 3 years ago. So I would have abided by Commandment 5, I was not expecting that e-mail from that individual, so I certainly wouldn’t have clicked on the link.

So please watch out for any unusual e-mails that come to you from people with Yahoo e-mail addresses.

Let’s be careful out there.

The post Malicious e-mail from Yahoo! breach. appeared first on L2 Cyber Security Solutions Ltd..

Yahoo breach – Round 3 … Billion! ?

Liam — Wed, 04 Oct 2017 09:31:58 +0000

If you had a Yahoo!, BT or Sky e-mail account (also AT&T, Frontier.com and Rogers) back in 2013, well you are definitely part of the latest and greatest Yahoo breach.It’s a record that will be hard to beat, but they have now confirmed that all 3 BILLION Yahoo! based customers had their account information stolen. They are all being contacted now with information on the compromise.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.

That’s an absolute world record number of accounts to have been compromised. Only Google or Microsoft would have more e-mail accounts than Yahoo!

As I’d indicated at the time of the first Yahoo breach notice, they also provide e-mail services to a number of other internet service providers such as BT and Sky in Ireland and the UK. These accounts will have been compromised too. I provided a number of helpful tips in my second Yahoo! post when they went and set the previous world record for accounts breached, I’ll include them again here for you.

Two-factor authentication:

This will absolutely improve your on-line account protection by a huge amount. Particularly if you use an authenticator app like Google Authenticator. There is even an entire commandment dedicated to it, because it is that good!

Use unique passwords on every site:

Yes, we know it’s difficult to do this, but this is where the bad guys win. If you haven’t received the excellent training available from L2 Cyber Security Solutions, then use a Password manager.

Check auto-forwarding settings:

If the evil doers have compromised your e-mail account, they may have done this in a very sneaky fashion by logging on once, and setting your account to automatically forward all received e-mail to them. This is a particularly stealthy way for them to spy on you. Go to your account settings now and check if there is any forwarding of mail going on.

Don’t save welcome e-mails or password resets:

When you sign-up to services or accounts, you provide your e-mail address and that service or account sends you a “are you the person who just signed up to us” type e-mail, followed by a “welcome to our service” type e-mail. You might also have forgotten your password for such accounts and requested a password reset which they helpfully send to you in an e-mail.

Well you really should delete all such e-mails after you have read them, because these will lead the evil doers to these accounts, where they will do another password reset and then compromise that account too. If they don’t know what services you subscribe to, they can’t do anything to them.

Lets be careful out there.

The post Yahoo breach – Round 3 … Billion! ? appeared first on L2 Cyber Security Solutions Ltd..

Data Breach Handling – 3 recent examples.

Liam — Tue, 25 Jul 2017 11:08:50 +0000

You might remember that last year, Yahoo! were shown to have suffered a data breach not once, but twice which led to the personal data associated with ~1.5 billion accounts being stolen by evil doers. This was a pretty massive story at the time and it was widely reported.

Data breaches occur on a frighteningly regular basis, which may not necessarily make it into the mainstream press and is simply discussed among cyber security and data privacy types, but with the impending EU General Data Protection Regulation (GDPR) coming into force in May 2018, all organisations will need to be aware that they will be bound by the breach reporting aspects of the GDPR, specifically Articles 33 and 34.

So in this post I take a look at 3 data breaches that have been reported on this month, which occurred to some well known organisations.

The AA Shop data breach:

First up is the Automobile Association (AA) in the UK. They were notified back in April that backup copies of their customer databases were publicly available on a cloud service, which they took down fairly promptly. However they did nothing more at that time. They were subsequently notified that details of over 100,000 user accounts from their on-line Accessories Shop had been exposed, which they did acknowledge, blamed a third party service provider, but claimed that no sensitive data or credit card information had been leaked as a result.

However security researchers begged to differ and provided evidence of partial payment card information being exposed as well. By 7th of July the AA had to make a grovelling apology and properly set out their position. Interestingly this apology does not show up on Google searches, but is buried in their website. ?

The Information Commissioners Office (ICO) in the UK have now become involved in the matter and, while I can’t pre-judge the outcome, I would expect the AA to get some sanction for such awful handling of such a serious matter. If the GDPR were in force, the financial penalty for this handling would likely be much more significant, because they would be in breach of Articles 33 and 34.

Bupa’s rogue staff member causes a data breach:

Next was Bupa, the health insurance provider in the UK (and formerly of the Irish Market). An employee of their international health insurance division Bupa Global had made a copy of personal data belonging to 108,000 insurance policy holders and removed this copy from their offices. In their notification to their customers, Bupa states:

The information does not include any financial or medical data, and relates to a portion of customers with international health insurance. …

We are contacting those policy holders who are affected to apologise and advise them as we believe the information has been made available to other parties. The data includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.

On discovery of the breach, they immediately dismissed the employee, then at some point notified the ICO, the Financial Conduct Authority and the Police. They also state they’re tightening up procedures. Their website gives a full, clear outline of what happened, what steps customers can take to protect themselves, an e-mail and dedicated phone line for more advice. This even shows up on a Google search. ?

Bupa handled this incident extremely well and were upfront and honest about what happened. From a GDPR perspective, the only area of concern is the timeframe for them to notify the ICO? This is not clear from my research. It seems that Bupa became aware of the incident in or around the 23rd of June, but customers were not notified about it until the 12th of July. It’s possible they did notify the ICO in good time, but when the GDPR rolls into town, they will need to have done so within 72 hours of discovery, in a case such as this. This is definitely an example of how a data breach should be handled … kudos to Bupa. ?

The Swedish Government’s data breach:

You read that right – a Government has had a data breach and this one is significant, deeply embarrassing and potentially life-threatening ?. The Swedish Government is desperately trying to keep this under wraps, but it’s such an omnishambles they can’t even do that right. Expect to hear more on this in due course, here is some initial reportage.

The background to this is that back in 2015, the Swedish Government’s transport agency outsourced the managing of it’s databases and networks to IBM, who placed all of this in the “cloud”. These databases contain the details of every vehicle in the country, including those of:

Private citizens
Police
Military
Special Forces*
Individuals in Witness protection/relocation programmes*

*This is the reason I said that this breach was potentially life-threatening – their identities must be kept secret.

The non-secret parts of these databases are considered public information and are regularly provided to marketing companies who subscribe to receive the lists.

So what happened was that somebody in IBM sent an e-mail with a copy of the entire database (secret and not-secret) to the marketers. This was a huge mistake on it’s own. What they should have done next , was e-mail a copy of the database with the not-secret information in it and instruct the recipients to destroy/wipe the previous e-mail (perhaps throw in a threat of national security, etc.) But what they actually did was much, much, much more dangerous.

An IBM agent sent an open, clear text (i.e. not encrypted) e-mail, which could potentially be intercepted, to the marketers pointing out and identifying the secret records and asking the marketers themselves to remove them from the database. ? THIS is why this has got to be the most embarrassing and dangerous data breach imaginable at this time.

Other databases that were outsourced include ones that contain the weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields) and another which stores the type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a great deal about the structure of military support units.

The very fact that these databases were outsourced to IBM, who stored them in data centres in Eastern Europe (Czech Republic and Serbia) without any apparent security controls, means that Swedish military secrets have been exposed to foreign entities. This is simply intolerable.

If this happened after May 2018 when GDPR is in place, I’m not sure what would happen to the transport agency, but IBM, as a data processor, would certainly be likely to be severely sanctioned by being hit with a big financial penalty. They could also be exposed to being sued by individuals for distress, as a result of their secret identity being revealed. It simply boggles the mind how awful a service they provided here.

Conclusion:

Give data breaches some consideration in your organisation before the GDPR comes into effect. Come up with a plan to handle them in keeping with Articles 33 and 34 and be sure to test that the plan works for you. You don’t want to be like The AA or worse, like the Swedish Government/IBM.

You can find out more about the GDPR here and if you want to contact us to learn how we can help you then simply send an e-mail to info@L2CyberSecurity.com or call us on +353-87-436-2675.

The post Data Breach Handling – 3 recent examples. appeared first on L2 Cyber Security Solutions Ltd..

Yahoo! tries for new world record and wins … but it already had the world record!

Liam — Tue, 20 Dec 2016 23:42:45 +0000

You all heard the headlines during the year about the massive Yahoo! hack, where in late 2014, hackers had stolen the names, addresses, mobile telephone numbers, dates of birth, security questions and passwords of 500+ million accounts. This was a new world record for the amount of user accounts stolen on the internet.

Well bless their cotton socks, Yahoo! had actually already done even better and they didn’t even realise it. In 2013 over 1 billion accounts had the same type of information stolen, including poorly protected passwords. Yahoo! had no idea that this had happened. It wasn’t until somebody provided the authorities with details that they had come across on the web. The authorities brought this to Yahoo! in October/November, which was when they were still thrashing around after the the September revelations about the 500m accounts, and I can just imagine their response…

Seriously though, this went further than just a huge amount of normal e-mail addresses. It would seem that 150,000 US Government and Military accounts may be at risk as they used Yahoo! mail accounts as backup e-mail addresses.

This is simply beyond embarrassing for Yahoo! and I wonder how much Verizon will knock off the purchase price after this doozey.

Enough with the Yahoo! bashing … What can you do to help protect yourself:

Two-factor authentication:

Use unique passwords on every site:

Check auto-forwarding settings:

Don’t save welcome e-mails or password resets:

I’m a BT or Sky e-mail subscriber. I’m not at risk from Yahoo:

Ahhhh … No you’re not. As mentioned in our earlier post, BT and Sky (and many others) used Yahoo! as their back-end e-mail provider. If you had a BT or Sky account back in 2013, then these may be at risk. Refer to the steps above and secure your account now.

Conclusion:

Yahoo! have some serious, serious questions to answer. but you need to protect yourself, So take the above steps at the very least.

Brian Krebs has an excellent Q&A about this mess available here. It’s worth a read.

If you need advice, you can call us on 087-436-2675 or e-mail us on info@L2CyberSecurity.com … and of course:

The post Yahoo! tries for new world record and wins … but it already had the world record! appeared first on L2 Cyber Security Solutions Ltd..

Here is a worrying aspect of the Yahoo breach.

Liam — Fri, 23 Sep 2016 16:48:06 +0000

Everyone has heard about the personal information related to 500 million Yahoo accounts being stolen from Yahoo in 2014. There’s lots of helpful tips out there (and some here too), but some people may not realise that they have a Yahoo account.

Yahoo provides e-mail services to some big internet service providers (ISPs), over in the US AT&T, Rogers and Frontier.com. Over on this side of the Atlantic Sky and BT are large ISPs operating in Ireland and the UK. Their e-mail services are powered by Yahoo.

There are reports that Sky and BT are contacting their customers, so that at least should hopefully highlight to those people that, yes, you do have a Yahoo account too, it’s just by a different name.

Helpful tip #1

A large amount of the Yahoo accounts will no doubt be dormant and no longer in use by their owners. I certainly had a Yahoo account quite some time ago, but I never associated it with myself (shock/horror – I lied on the Internet ?) or with any other account. The bad guys are welcome to it, as I know it can’t connect to me.

However if you used the same user name on a Yahoo account (dormant or not) on some other accounts (GMail, Facebook, LinkedIn, Microsoft, etc.) then the Yahoo account details could be tried by the evil doers against these other services.

Of course, you will have used the same password on them all, so that’ll make their life so much easier to ruin yours. ?

So the first tip is to change your Yahoo account password now. You should also change this password on all of the other online accounts that you use it on. However this time you might take the sensible decision and give every account a unique password. You can learn how to do this easily at the Internet Safety Training which L2 Cyber Security Solutions deliver. However if you struggle to come up with the means to do this, then you should invest in a Password Manager. This can do the hard work for you.

Helpful tip #2

On any on-line service that you use, if it has a means to implement, what is called, Two Factor Authentication, then turn it on NOW! I cannot stress how much this improves your security position just by turning this feature on.

I go into in more detail here, but briefly, if you are using Facebook or Dropbox (to name but two, there are dozens that subscribe to this method) you can download the Google Authenticator App onto your smart phone (available on Android and Apple). Then inside in the account security settings of your on-line service, activate the Two Factor Authentication, telling it you use Google Authenticator. It will put up a QR code on screen, which you show to the App and it will then start generating a 6 digit code that changes every 30 seconds.

So now what happens is that if you (or some evil doer) tries to sign on to your account from a different device or location, even if they have your password they will also now need the 6 digit code that is showing up on your Google Authenticator App. Without it, they get nowhere.

If the on-line service does not support Google Authenticator, then they might send you a text message instead. This is not quite as secure as the App, but it is better than nothing.

Helpful tip #3

It wasn’t just user name and passwords that were stolen, but details like date-of-birth, mobile phone number and answers to security questions.

Details like date-of-birth and mobile number are kinda hard to change, but the security questions are another concern. If you have some other on-line accounts that use the same security questions, now would be a good time to go and change these.

A much simpler solution would be to implement Two Factor Authentication, as outlined above.

Conclusion

The internet is a wonderful but dangerous place and there are a lot of bad guys who are making a lot of money from your accounts. So …

The post Here is a worrying aspect of the Yahoo breach. appeared first on L2 Cyber Security Solutions Ltd..