Security Central: The NSA Is Hacked*:
- The NSA was compromised by the shady hacker group who calls themselves the Shadow Brokers.
- The breach leaked the agency's most sensitive, highest-valued security data and cyber-weapons and flooded the dark web with the information.
- This is not the first time this has happened – in 2013 Edward Snowden blew the lid on a bevy of secret, highly classified information from the NSA.
- Another breach happened 15 months ago when the NSA’s internal hacking group, known as Tailored Access Operations (TAO), was compromised.
- The damage from Shadow Brokers is vastly different from that caused by Snowden; it did not expose illegal surveillance, but it made the NSA’s own hacking tools completely worthless – at least to them.
- The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.
- This raises truly existential questions for contemporary firms, which now find themselves in the crosshairs of the very weapons meant to protect them.
- We may have reached a turning point, in which traditional security methods are no longer enough to prevent cyberattacks.
*Source: Channel Futures, November 17, 2017
ID Card Security: Spain Is Facing Chaos Over Chip Crypto Flaws*:
- Security researchers discovered last month that secure hardware made by Germany's Infineon Technologies was not so secure.
- There are a lot of smartcards and other devices out there with Infineon's chips in them, and the 'ROCA' flaw in Infineon's key-pair generation algorithm made it possible for someone to discover a target's private key just by knowing what their public key was.
- There are around 60 million identity smartcards in Spain, though Spaniards were only using theirs in 0.02 percent of public-service engagements when surveyed a few years back.
- Exploitation of the flaw could allow attackers to revert or invalidate contracts that people have signed.
- The cost of an individual attack has rapidly decreased – the assumption used to be that an attack cost between $20,000 and $40,000, but now it's "realistically $2,000".
- Each card has a chip that contains two certificates, one for identification and one for electronically signing things.
- The authorities have stopped letting people sign things with the card at the self-service terminals found at many police stations.
- There is no indication of when the affected cards will be updated.
*Source: ZD Net, November 17, 2017
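ROCA keys can be recognised from the public key alone, which is how a card issuer or certificate authority finds affected certificates before revoking them. As an added example that is not from the article or from Infineon, the published fingerprint test from the ROCA disclosure (Nemec et al., 2017) is shown below in Python; the prime list and generator are those of the public detector, and the test values are constructed integers, not real card certificates.

```python
# Added example: the ROCA fingerprint test. Moduli produced by the affected
# Infineon RSALib have residues modulo small primes that all lie in the
# multiplicative subgroup generated by 65537; a random RSA modulus satisfies
# this with negligible probability. The fingerprint is computed here rather
# than hard-coded, and the test values are constructed, not real keys.

from typing import Dict, Optional, Set

# Small primes used by the published detector (up to 167).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the exponent RSALib uses when building its candidate primes


def subgroup(p: int, g: int = GENERATOR) -> Set[int]:
    """Return {g^k mod p : k >= 0}, the subgroup of Z_p* generated by g."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen


# Precompute the allowed residues once; this is the "fingerprint".
FINGERPRINT: Dict[int, Set[int]] = {p: subgroup(p) for p in SMALL_PRIMES}


def is_roca_fingerprinted(n: int) -> bool:
    """True if every residue n mod p_i lies in the subgroup generated by 65537.

    A vulnerable RSALib modulus n = p*q has p = k*M + (65537^a mod M) with M a
    primorial, so n mod p_i = 65537^(a+b) mod p_i for every small prime p_i.
    """
    return all(n % p in FINGERPRINT[p] for p in SMALL_PRIMES)


def fingerprint_failure_prime(n: int) -> Optional[int]:
    """Return the first small prime whose residue breaks the fingerprint, or None."""
    for p in SMALL_PRIMES:
        if n % p not in FINGERPRINT[p]:
            return p
    return None


# Constructed test values (not real keys): a power of 65537 matches the
# fingerprint by construction, while 65537^5 + 1 is divisible by 3, so it fails.
STRUCTURED_N = GENERATOR ** 5
UNSTRUCTURED_N = GENERATOR ** 5 + 1

if __name__ == "__main__":
    print("structured:", is_roca_fingerprinted(STRUCTURED_N))      # True
    print("unstructured:", is_roca_fingerprinted(UNSTRUCTURED_N))  # False
```

On a real deployment the modulus would be read from the card certificate's RSA public key and every positive hit treated as a key to revoke and reissue.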
Medical College of Wisconsin Hit By Data Security Breach*:
- The Medical College of Wisconsin has notified thousands of patients that their confidential information may have been compromised – the information includes addresses, bank accounts, and Social Security numbers.
- The Medical College has disclosed that 9,500 of its patients are now victims of a targeted attack that happened sometime in late July.
- An unauthorized third party accessed employee email accounts, which contained private patient information.
- Medical College officials said that the Social Security numbers of fewer than 50 patients and the bank account information of one person were also compromised.
- Credit monitoring assistance and identity theft services are available to patients whose Social Security numbers were accessed.
- Impacted patients with further questions can call a toll-free number, 844-666-7416.
*Source: MSN, November 22, 2017
Aadhaar May Add Security Layer With Dummy Numbers*:
- The leadership of the Unique Identification Authority of India (UIDAI) is exploring the possibility of introducing dummy numbers that would add an extra layer of security for every Aadhaar cardholder.
- Such a framework would require an individual to share dummy or pseudo numbers (and not the real Aadhaar number) with government agencies, private utilities and banks.
- Besides the cardholder, the original Aadhaar number would be known only to UIDAI.
- Two senior industry sources reported that the concept has been discussed at senior levels in UIDAI but is yet to be finalised.
- The creation of dummy numbers and the frequency at which they can be generated and used would depend on the design architecture of the system.
- The primary job of Aadhaar is authentication: confirming that the right person is using the services.
- There are no details available on UIDAI’s final stand on such a proposal – whether and in what form it could be brought in.
- The idea may be useful from the point of data security, but one has to think how convenient the use of dummy numbers would be for various kinds of users.
- The UIDAI currently finds itself in a situation where the provisions of the law under which it was established have been challenged in the country's highest court of law.
*Source: The Economic Times, November 20, 2017
Uber Paid Hackers to Delete Stolen Data on 57 Million People*:
- Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year.
- Compromised data from the October 2016 attack included names, email addresses, and phone numbers of 50 million Uber riders around the world; the personal information of about 7 million drivers, including some US driver’s license numbers, was accessed as well.
- Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken, but instead the company paid hackers to delete the data and keep the breach quiet.
- Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers, and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
- From there, the hackers discovered an archive of rider and driver information and later emailed Uber asking for money.
- A patchwork of state and federal laws requires companies to alert people and government agencies when sensitive data breaches occur, and Uber said it was obligated to report the hack of driver's license information but failed to do so.
- U.S. authorities have opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes and theft of a competitor's intellectual property.
- The new CEO said his goal is to change Uber’s ways, and learn from past mistakes.
- Finally, the company plans to release a statement to customers saying it has seen "no evidence of fraud or misuse tied to the incident," and will provide drivers whose licenses were compromised with free credit monitoring and identity theft protection.
*Source: Bloomberg, November 21, 2017
UK Shoppers Lost £16m to Fraud Last Christmas*:
- The City of London police has warned UK consumers to stay vigilant this Christmas after new stats revealed they lost a staggering £16m during the busy shopping period last year.
- That figure represents a 45% increase on 2015 and the police force wants to avoid a repeat this year.
- It claimed 15,423 shoppers were hit in 2016, with online auction fraud accounting for the vast majority (65%) of cases.
- Fraudsters typically offer high-value goods such as mobile phones, clothing and accessories, and footwear.
- Men aged 20-29 were the group most likely to be taken in online – they accounted for 13% of all cases reported to Action Fraud last Christmas.
- UK shoppers are predicted to spend £10bn during the Black Friday period alone, with ThreatMetrix warning retailers to expect upwards of 50 million fraud attempts this week.
- Security experts have also warned of a glut of fake Black Friday themed apps spoofing the branding of top retailers.
*Source: Info Security, November 24, 2017
Fraudulent Black Friday Apps Spread Malware*:
- Security researchers discovered more than 32,000 fraudulent Black Friday apps in the wild, many of which use the branding of the top five U.S. online retailers to spread malware and steal customer credentials.
- One finding was that about 1 in 25 Black Friday apps available in global app stores are malicious.
- In 2016, 154 million consumers did their Black Friday shopping online, spending $5.27 billion, which represented a 17.7 percent increase year over year.
- Mobile revenue alone totaled $1.2 billion, representing a growth rate of 33 percent year over year.
- The Google Play store hosted the largest number of fraudulent apps, while Apple’s App Store contained 85 legitimate apps that had been infected with malware despite rigorous security testing.
- RiskIQ advised users to avoid downloading applications that request questionable permissions to access data such as contact lists, text messages, administrative features, stored passwords and credit card information.
- Users should also be wary of app developers who use free email services such as Gmail.
- The most obvious and important takeaway from the report is that consumers must be particularly proactive about their online security during the bustling holiday season.
*Source: Security Intelligence, November 20, 2017
Mozilla to Build Have I Been Pwned Function Into Firefox*:
- Mozilla has announced an integration of the breach alerting service Have I Been Pwned to alert users about data breaches through the Firefox UI and offer educational information.
- According to updates from Mozilla and GitHub, this will offer users a notification when they visit a site known to have recently been breached, and offer a way for interested users to learn about and opt in to a service that notifies them when they may be affected by breaches in the future.
- With regard to privacy concerns, Mozilla developers said the open questions are who the custodian of the data would be, how to avoid sending data to HIBP, and whether useful functionality can be offered to users who opt out of subscribing their email address.
- While the project is still in its infancy, the idea is to offer as much utility as possible while respecting the user's privacy.
*Source: Info Security, November 24, 2017