YAHOO! Data Breaches

YAHOO! today confirmed that the personal details of ‘up to 500 million users’ may have been stolen, back in 2014, in a data breach that Yahoo believes was initiated by a “state-sponsored actor”. That’s a stunning data breach, potentially compromising one in fifteen people worldwide. Rumours of the breach started back in August when a hacker called ‘Peace’ claimed to be selling data from 200 million Yahoo clients. At that time Yahoo dismissed the claims, saying that the data probably related to a 2012 data breach when a mere 400,000 of its user accounts were compromised. In 2012 Yahoo said “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” The timing of the announcement of this breach couldn’t be worse for Yahoo!, as they negotiate the sale of their core business to Verizon for $4.8 billion. Nordic cybersecurity expert Per Thorsheim – who broke the news of the 2012 LinkedIn data breach – described the latest Yahoo! data breach as “massive”, adding “It will cause ripples online for years to come.” Perhaps more telling are the comments from U.S. Senator Richard Blumenthal, who is calling for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.” Senator Blumenthal said in a statement “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Yahoo! were at pains to point out that no payment card data was compromised...

Read the small print!

Anybody with an interest in the internet or blogging will be aware of WordPress; it’s now estimated that over 26% of websites use the WordPress ‘engine’. The underlying content management system (based on a MySQL database) is free and relatively simple to deploy, and some unexpectedly large corporate websites run on the WordPress platform. Indeed this website runs on WordPress, albeit using a proprietary ‘theme’. Another advantage of the WordPress platform is the number of plugins that have been, and continue to be, developed to enhance the publishing or reading experience. Best estimates suggest that there are over 30,000 plugins available, many of them free. And sometimes, free can prove costly. As Robert A. Heinlein famously wrote (in ‘The Moon is a Harsh Mistress’ in 1966) “There ain’t no such thing as a free lunch.” – often acronymised as ‘TANSTAAFL’. Which brings us to reading the small print. Recently the WordPress security firm ‘Wordfence’ – who offer both free and premium WordPress security plugins – reported some dubious code in a popular plugin; they’d been called in to investigate a ‘hacked’ WordPress site that was displaying links to payday loan companies. The plugin in question had been installed on over 70,000 WordPress sites. In common with many similar plugins, the T&Cs used text from the standard GNU public licence, but hidden at the bottom of the text was “By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.” Now while, as Wordfence suggest, ‘no sane webmaster would sign up to that’,...

O2 Data for Sale?

Now here’s an interesting data breach; it’s perhaps indicative of changing approaches by hackers. As companies thankfully become more savvy about protecting data, so hackers are having to become more creative. They augment stolen data by accessing more publicly available data sources – such as social media – to create more robust data sets that they can sell on to the criminal fraternity on the ‘dark net’. We reported here earlier in July that fraudsters are harvesting details from social media accounts to create fraudulent duplicate identities; a technique known as ‘credential stuffing’. The BBC claimed on the Victoria Derbyshire programme on July 26th that “O2 customer data is being sold by criminals on the dark net” (here). However, O2 deny that they’ve suffered a data breach. The initial credentials are likely to have been stolen in a data breach back in November 2013 from the gaming website Xsplit, and the hackers have subsequently ‘stuffed’ those credentials with information sourced elsewhere. Those new ‘stuffed’ credentials would then be tried against various online services. The BBC reported that some victims have had accounts hacked on multiple sites – such as Gumtree and eBay. The message for consumers is a familiar one: don’t use the same password for multiple accounts – tempting though it might be – as hackers will try any passwords they acquire against any and every online service. And the message for businesses is equally familiar: you have a responsibility to your customers if you store their personal or payment data. Compliance3 can help businesses meet their personal and payment data obligations, get in touch and see how we...
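The post above describes the mechanics of credential stuffing from the attacker’s side: credentials leaked from one site are replayed against many others, and a few succeed because people reuse passwords. From the service’s side the same activity leaves a recognisable fingerprint in the login log: one source trying many different accounts, mostly failing. The script below is an added example, not code from Compliance3 or from any of the companies named in the post; the log format, the sample log lines and the thresholds are all constructed assumptions for illustration. It flags sources that match that fingerprint and lists the accounts that accepted a password from them, which are the accounts a business would want to force a reset on and notify.

```python
# Added example (not from the original post): detect the credential-stuffing
# pattern in web-application login logs and list the accounts it reached.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data, one line per login attempt:
#   timestamp  client-IP  username  outcome
# IP addresses are from the documentation ranges, not real clients.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z 203.0.113.7 alice@example.net FAIL
2016-07-26T10:00:02Z 203.0.113.7 bob@example.net FAIL
2016-07-26T10:00:02Z 203.0.113.7 carol@example.net OK
2016-07-26T10:00:03Z 203.0.113.7 dave@example.net FAIL
2016-07-26T10:00:03Z 203.0.113.7 erin@example.net FAIL
2016-07-26T10:00:04Z 203.0.113.7 frank@example.net FAIL
2016-07-26T10:00:04Z 203.0.113.7 grace@example.net OK
2016-07-26T10:00:05Z 203.0.113.7 heidi@example.net FAIL
2016-07-26T10:05:00Z 198.51.100.9 alice@example.net FAIL
2016-07-26T10:05:10Z 198.51.100.9 alice@example.net FAIL
2016-07-26T10:05:30Z 198.51.100.9 alice@example.net OK
2016-07-26T10:06:00Z 192.0.2.44 ivan@example.net OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts that logged in OK


def parse_log(text):
    """Yield (ip, user, ok) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, ip, user, outcome = parts
        yield ip, user, outcome == "OK"


def aggregate(text):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted accounts that succeeded} for suspicious sources.

    Thresholds are illustrative assumptions; tune them to your own traffic.
    The distinct-user test is what separates stuffing from a single user
    fumbling their own password: 198.51.100.9 above retries one account and
    is therefore not flagged.
    """
    flagged = {}
    for ip, s in aggregate(text).items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = sorted(s.compromised)
    return flagged


def accounts_to_reset(text, **thresholds):
    """Accounts that accepted a password from a flagged source."""
    hit = set()
    for users in find_stuffing_sources(text, **thresholds).values():
        hit.update(users)
    return sorted(hit)


if __name__ == "__main__":
    for ip, users in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; successful logins: {users}")
    print("force password reset for:", accounts_to_reset(SAMPLE_LOG))
```

On the sample data the detector flags 203.0.113.7 (eight distinct accounts, six failures) and reports that carol and grace accepted a password from it; those two accounts are the ones worth resetting and notifying, even though from their owners’ point of view the login looked perfectly normal. A real deployment would feed this from the web server or identity-provider log rather than a string, and would pair it with rate limiting and a check of new passwords against known-breached lists so the reused passwords the post warns about are rejected at signup.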

Another breach of very personal data

We read constantly of data breaches and of sensitive data being made available for sale on the ‘dark web’ – indeed, as I reported here in February, sometimes not even on the dark web. While we at Compliance3 tend to concentrate on the security of, and potential threats to, card data, the recent report from CIFAS suggested that any personal data can be used by criminals in creating identity theft profiles. For example, we learned recently that the online dating site ‘Muslim Match’ has been breached and some 150,000 log-ins have been made available for sale online, along with nearly 800,000 potentially very private messages between users. The data, which has been confirmed as genuine, includes Skype handles. And, given the sensitivity of some of the breached data, along with potential religious and cultural taboos, the risk of hacked users receiving blackmail threats is potentially higher than for other similar compromises at more ‘western’ sites like Ashley Madison, Match.com or Plenty of Fish. That said, the Daily Mail reported back in August 2015 (here) that some leaked Ashley Madison clients had been driven to commit suicide. And, once again, the breach at Muslim Match doesn’t look to have been too sophisticated, possibly a relatively simple SQL injection. One user of the site told the website Motherboard “I feel disappointed, but the site didn’t seem to be secure in the first place. They never used https.” At the time of writing, the Muslim Match site is down, showing a message “We have been made aware of an alleged security breach and are reviewing our systems as we work to remedy the situation...

There’s a cyber arms race and criminals are winning

Further to my post about identity theft the other day (here), the National Crime Agency this week published their 2016 Cyber Crime Assessment, and it makes sobering reading. The NCA reports that there were 2.46 million “cyber incidents” last year, including 700,000 frauds, with the biggest threat coming from “a few hundred” criminals. Furthermore, “Data breaches are the most common cyber crimes committed against businesses and the NCA estimates that cyber crime costs the UK economy billions of pounds per year.” and “Under-reporting continues to obscure the full impact of cyber crime in the UK.” A study conducted by PWC in 2015 suggested that ‘90% of large companies and 74% of small companies had experienced some kind of breach in the previous 12 months, and most had experienced more than one – the average was four’. When you add these statistics to our own most recent consumer research – available here – which found that 97% of people alter their behaviour as a result of a data breach and 30% of those respondents stated that they wouldn’t do business with the company again – there’s a clear message. And unfortunately that message is that businesses will be hacked, and data breaches will continue to take place – despite the best efforts of the NCA, and the UK government promising to spend £1.9bn on cyber defences over the next five years. Surely the safest path for any business – to quote Stephen Orfei of the PCI Standards Council – is to “take risk off the table”. If you’re not storing card or sensitive data then, even if your organisation is breached,...