Compromises in 2015 affecting an unknown number
Compromises in 2015 affecting 10,000 or more
Compromises in 2015 affecting less than 10,000
01/02/2015 Chic-Fil-A
a business other than retail at 5200 Buffington Road Atlanta, Georgia
1/2/2015 Chick-fil-A released a statement on January 2nd confirming that it is investigating a possible data breach at its restaurants first reported to the company on 12/19/2014. Chick-fil-A has more than 1,850 locations as stand-alone restaurants and mall locations.
http://www.eweek.com/security/chick-fil-a-may-be-the-latest-retail-data-breach-victim.html#sthash.JLp7Xcee.dpuf
01/02/2015 LaJolla Group
a retail business in California
On 12/3/2014 LJG learned of potential access to a website checkout page. The breach was confirmed on 12/29/2014. Scope: Exposed information included name, address, telephone number, email address, charge card number, CVV2 data, and expiration date.
https://oag.ca.gov/system/files/CA%20Exhibit%20A%20revised_0.pdf?
01/05/2015 Art of Tea
a retail business in California
A cyber attack was discovered about 12/3/2014 and later confirmed that payment card information from web site purchases from 10/16/2014 through 11/28/2014were compromised.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Art%20of%20Tea%20SBN%20to%20Consumer.pdf
01/06/2015 Cridex, ZeuS, now Dridex
The attacks, largely against users in the United Kingdom, are leveraging macros in Microsoft Office documents to infect users. The Dridex banking malware is being used in a malicious spam campaign that is generating 15,000 emails a day, according to security firm Trustwave. The attacks, largely against users in the United Kingdom, are leveraging macros in Microsoft Office documents to infect users.
The way the attack works is that a user receives an infected Office document that includes a macro that triggers a download of the Dridex banking malware. Dridex steals user banking information and attempts to generate fraudulent financial transactions. [ more… for the 15,000 email each day see this. highlighting ours -ed ]
10/13/2015 Update on Dridex
Some more good news on Cops vs Crooks – Dridex, a banking scheme that works via macros in Microsoft Office (think weaponized Word documents) has had its botnet taken down and its alleged operator taken into custody. Department of Justice announcement. Is that the end of Dridex? Probably not. Dridex was farmed out (either sold or leased) to other crooks. Taking down the one command and control facility only affects those activities that use that facility. There are others. The alleged operator is believed to be one of several. More at the source: Sophos.
Don’t open Microsoft Office documents from people you don’t know. Make sure your system is set up to ASK for permission to execute macros. Do NOT give approval for macro execution for documents you might suspect. Security is in YOUR hands.
01/06/2015 NVIDIA Corporation
a business other than retail at 2701 San Tomas Expressway Santa Clara, California
Hackers compromised their network and stole an unknown or undisclosed number of employee usernames and passwords. (source)
01/07/2015 Lokai
a business other than retail at 170 Varick Street, 12th Floor New York, New York
Hackers accessed the web site host July 18, 2014 to October 28, 2014 and installed a program that was designed to record customer information. Scale: unknown or not disclosed. Scope: Exposed information included name, address, payment card information, expiration dates, verification codes, user names and passwords. Question? Call 1-800-981-7571 M-F 9am to 9pm Eastern Time.
01/07/2015 Fast Forward Academy
a retail business in Florida
12/2/2014 FFA was notified that an unauthorized person attempted access to with customer information including names, addresses, payment account numbers, and/or email addresses. There was no evidence the access attempt was successful.
https://oag.ca.gov/system/files/Notification%20Letter%20Fast%20Forward%20Academy_0.pdf?
01/07/2015 American Airlines
a retail business in Texas
Unauthorized access to AAdvantage account exposed name, email address, phone number, postal address, birth date, the last 4 digits of charge card, its expiration date, the last 4 digits of your passport, as well as information about the points, millage and other program information.
https://oag.ca.gov/system/files/CA%20AG_Customer%20Letter%20-%20C2014070234_0.pdf?
01/08/2015 Libbey Inc.
a retail business in Ohio
A spreadsheet containing name, address and Social Security numbers was improperly sent to two distributors in December 2014.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Libbey%20Inc%20Letter%20to%20Consumer%20Security%20Breach.pdf
01/09/2015 Inland Empire Health Plan/Children’s Eyewear Sight
a healthcare provider or servicer at 11940 Foothill Boulevard Rancho Cucamonga, California
A desktop computer was stolen in October 2014 from Children’s Eyewear Sight. The theft was discovered in November 2014. Exposed customer information included name, birth date, gender, address, contact phone number, email, Inland Empire Health Plan Member ID number, appointment dates, purchase dates, and doctor names. The crook was caught and the data recovered, but it isn’t known if the data was copied. (source)
http://oag.ca.gov/ecrime/databreach/reports/sb24-47991
01/14/2015 One Stop Parking
a retail business in Florence, Kentucky
A patch to Joomla from September 2014 had not been applied because it interfered with some site functionality. That patch fixed a vulnerability that hackers exploited in December 2014. The hackers obtained charge card information, but the scope and scale are not yet disclosed.
http://krebsonsecurity.com/2015/01/park-n-fly-onestopparking-confirm-breaches/
01/14/2015 Park ‘N Fly
a retail business in Atlanta, Georgia
Company confirmed a breach of its web site which exposed charge card information. Scale: remains undisclosed. Scope: Potentially exposed data include name, billing address, card number, expiration date, CVV, email address, telephone numbers and web site password. numbers.”
http://krebsonsecurity.com/2015/01/park-n-fly-onestopparking-confirm-breaches/
01/15/2015 Oppenheimer Funds
a Financial or Insurance Services firm in Denver, Colorado
A representative of brokerage firm mistakenly released information about Oppenheimer clients. How many were affected was not disclosed. Scope: Exposed information included name, address, Social Security number and Oppenheimer Fund account numbers. Oppenheimer is offing credit protection from Equifax 1/888-766-0008 or call Oppenheimer 1-800-225-5677 M-F 8am to 8am Eastern time.
http://oag.ca.gov/ecrime/databreach/reports/sb24-48071
01/16/2015 Grill Parts
a retail business in Santa Rosa, California
A data breach exposed information for consumers who used their web site between January 2014 and October 2014. Scope: Compromised information included full name, address, charge account number, expiration date and security codes. The company is providing a year of Kroll identity theft protection at no cost. kroll.idMonitoringService.com Contact GrillParts.Com for a membership ID if you may have been compromised.
http://oag.ca.gov/ecrime/databreach/reports/sb24-48107
01/21/2015 Sunglo Home Health Services
a healthcare provider or servicer in Harlingen, Texas
A company laptop computer was stolen from a company facility. Scope: Exposed information included patient information Social Security numbers and personal health information. Scale: unknown or not disclosed.
[ http://www.krgv.com/news/local-news/Computer-with-Patients-Personal-Information-Stolen/30850638 ]
01/22/2015 Starwood
a business other than retail worldwide
Members of the Starwood Preferred Guest (SPG) programs apparently use the same userid/password combination for multiple purposes. A special purpose hacker tool was unleashed that allowed easy confirmation that credentials compromised from breaches function for SPG’s StarPoints. If successful, hackers could transfer StarPoints to another account and then take gift cards to sell or use. Starwood includes Sheraton, Westin, and other hotel brands (source)
01/29/2015 Riverside County Regional Medical Center
a healthcare provider or servicer at 26520 Cactus Avenue Moreno Valley, California
An employee laptop was stolen. Scope: Exposed information included patient information including name, phone number, address, date of birth, Social Security number, medical record number, physicians, diagnosis, treatments received, and other medical information on patients of the Opthalmology and Dermatology clinics. Experian ProtectMyID 1-866-313-7993
http://oag.ca.gov/ecrime/databreach/reports/sb24-48266
01/30/2015 CICS Employment Services, Inc
a business other than retail at 2941 U.S. 101 Lincoln City, Oregon
Unauthorized user(s) gaining access to employment application information including name, address, date of birth and Social Security number. AllClearID call 1-855-865-4453. The company 1-888-593-5379.
http://oag.ca.gov/ecrime/databreach/reports/sb24-48292
02/02/2015 Book2Park
a retail business on the Internet
This is an online reservation service for airport parking. The company name is Hospautology, LLC (possibly in Leesburg, VA 20177) Security researcher Brian Krebs found a batch of cards on an underground web site. Banks had acquired a few of these cards and found that all of the cards had been issued to consumers who recently used the parking reservation service of Book2Park.com. The company was unaware of any breach.
http://krebsonsecurity.com/2015/02/target-hackers-hit-third-parking-service/
01/12/2015 Value Pet Supply
a retail business in Tennessee
About 11/25/2015 a cyber attack allowed the installation of malware that exposed personal information entered into their website.
https://oag.ca.gov/system/files/Sample%20Breach%20Letter_0.pdf?
01/12/2015 Law Offices of David A. Krausz, P.C.
a retail business in California
A laptop computer was stolen that contained the name, Social Security number, and birth date for clients.
https://oag.ca.gov/system/files/Security%20Breach%20Notice_0.pdf?
01/13/2015 Alin Machining Company
a retail business in Illinois
An independent contractor have have compromised employee information between 11/7/2015 and 12.4.2014. Scope: Exposed information included name, address, Social Security number and bank account number,
http://doj.nh.gov/consumer/security-breaches/documents/alin-machining-company-inc-dba-power-plant-services-20150112.pdf
01/15/2015 American Express
a retail business in Alabama
An unnamed merchant detected unauthorized access to their web site which exposed account number, name, expiration date and more.
https://oag.ca.gov/system/files/CA%20AG_Customer%20Letter%20-%20C2014070234_0.pdf?
01/15/2015 Six Red Marbles, LLC
a retail business in Massachusetts
SRM provided 1099 tax information to a third party who placed that information on an unprotected FTP site since September 2014. That information included names, address, birth dates, and Social Security numbers.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Six%20Red%20Marbles%20Security%20Breach%20Notice%20to%20Consumer.pdf
01/16/2015 Metropolitan State University
an educational institution in Minnesota
The university learned of a breach that might expose personal information of faculty, staff and students. The compromised server is not believed to contain financial or charge card information, buy several databases included Social Security numbers for employees.
01/16/2015 Visteon Corporation
a retail business in Michigan
Fidelity Investments is Visteon’s record keeper for the Supplemental Executive Retirement Plan. On 12/1/2014 Fidelity accidentally sent information ti another client firm.
http://doj.nh.gov/consumer/security-breaches/documents/fidelity-20150116.pdf
01/17/2015 Wingstop
a retail business in Texas
Point of Sale systems may have been compromised at four locations which could have exposed payment card information.
01/20/2015 California State University – Dominguez Hills
an educational institution in California
At least several hundred email addresses and passwords in plain text were placed on an unsecured section of the internet.
http://datalossdb.org/incidents/14886-747-student-email-addresses-and-clear-text-passwords-dumped-on-the-internet
01/21/2015 Rentrak Corporation
a retail business in Oregon
9/12/2014 a password protected laptop computer was stolen from the car of a human resources employee. In violation of several company policies the laptop contained name, address, Social Security number, title and salary information. This was reported because ONE of those employees was a resident of Maryland. Otherwise …
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 American Athletic Conference (AAC)– Blue Zebra
a retail business in Rhode Island
On 10/22/2014 the AAC was informed that two unauthorized third parties used stolen credentials to access the websites the AAC uses to manage officiating basketball games. Exposed information for officials and others included name, address, telephone number, date of birth, Social Security number, email address and information on assignments.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 Harvard Pilgrim Health Care
a healthcare provider or servicer in Massachusetts
A laptop was stolen from an employee’s home on 12/10/2014. Although company policy is for all laptops to have encryptions software, this laptop didn’t have operational encryption due to complications during attempted installation. HPHC evaluated all their 2,000+ computers and found almost 40 in the same condition. All were updated to include the encryption software and server-based automatic detection was created to test for the existance of operating encryption.
http://doj.nh.gov/consumer/security-breaches/documents/harvard-pilgrim-health-care-20150121.pdf
01/21/2015 University of Oregon
an educational institution in Oregon
A “significant” number of archived records containing confidential information about faculty, staff and students were unlawfully released. The information is believed NOT to contain Social Security Numbers or financial information.
http://media.oregonlive.com/education_impact/other/an%20email.pdf
01/21/2015 Azusa Pacific University
an educational institution in California
A password-protected (but un-encrypted) laptop computer containing name and Social Security numbers was stolen from an employee’s locked vehicle on 11/17/2014. Special software was activated which remotely deleted all the data when the computer was activated and connected to the internet. Confirmation was received on 11/21/2014 that the data was deleted. 2 Maryland residents were affected (and how many others were exposed?)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 Allied-Barton Security Services, LLC
a retail business in Pennsylvania
On 11/20/2014 attorneys for AB notified the Maryland AG that one employee who was authorized to receive personal information for job applicants forwarded that information to another employee who was not. Scope: Possibly exposed information included name, address and driver’s license number. Approximately 25 residents of Maryland were affected. (and how many others??)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 PineBridge Investments / Benefit Express Services
A bank, credit union or mortgage firm in Illinois
BES provides administration of benefits for PineBridge. On 9/4/2014 BES discovered it had inadvertantly forwarded a data file with PineBridge employee and former employee information to another BES client. Scope: exposed information may have included name, address, date of birth, Social Security number and other information. The URL indicates that 3 residents of Maryland were affected and notified on 10/25/2014, almost two months later. ITRI indicates 379 were affected. (How many in Maryland? How many others?)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 Polish Falcons of America
a retail business in Pennsylvania
The Falcons are a non-profit fraternal benefit organization. On the weekend of 6/14/2014 crooks stole several office computers containing personal information on members and non-members including Social Security numbers and some charge cards. 1 Maryland resident was notified 8/6/2014. (how many others were exposed???)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 Alexandria VA Fire Department / ADP
State or Local Government in Virginia
ADP is a payroll processing company whose employee improperly obtained information and used it to file false tax returns as early as October 2012. 88 Maryland residents were affected. (and how many others???)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 Columbia Southern University
an educational institution in Alabama
9/18/2014 an employee accidentally attached the wrong document to an email to 14 people. That documents exposed personal information for at least 59 residents of Maryland. (and how many others???)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/21/2015 Asset Marketing Services
a retail business in Minnesota
Between 9/18/2014 and 10/2/2014 the website GovMint.Com was hacked which resulted in unauthorized access to personal information of persons completing the ordering process. 30 Maryland residents were affected (How many others?)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Worldwide Insurance
a retail business in Arizona
10/9/2014 There was unauthorized access to Experian customers including name, address, Social Security number, birthday and account number
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Pulte Mortgage
A mortgage firm in Colorado
An employee encrypted laptop was stolen but the password may have been with the computer. Compromised information may have included names, addresses, phone, email, Social Security numbers or financial account numbers.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 c3controls
a retail business in Pennsylvania
10/9/2014 a potential breach was identified which may have compromised payment card information information provided via their website.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Primerica
a retail business in Georgia
About 10/12/2014 a password-protected laptop belonging to a contractor of Primerica was stolen. Some of the insurance documents may not have been encrypted. The Maryland AG notification cited 4 Maryland residents were affected, but how many others was not disclosed.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 TREMEC
a retail business in Michigan
A company issued computer and personal belongings were stolen from an employee’s vehicle. There may have been sensitive information on that computer, but no details were provided. No disclosure was made if the computer drive was encrypted or the computer was password protected.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Nationstar Mortgage
A mortgage firm in Texas
8/5/2014 an employee forwarded an email containing the name, address and mortgage loan number to an outside company.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Wyndham Vacation Resorts
a retail business in Florida
Between 8/15/2014 and 9/22/2014 a Wyndham employee had improperly used payment card information.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Sinclair Institute / Townsend Enterprise
a retail business in North Carolina
Townsend supports a web site for Sinclair. Weak administrator credentials allowed user name and passwords to be compromised along with charge card information including card number, expiration date, and security code.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Booking.Com
a retail business in Connecticut
The company learned on 9/2/2014 that an external party compromised customer information including name, billing address, and charge card details during 6/2/2014 and 9/15/2014.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/22/2015 Metropolitan Life Insurance
a retail business in New York
(The disclosure on the Maryland disclosure is a model form containing no information on what happened, how many were affected, or even the name of the person making the submission.)
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 Corday Productions
a retail business in California
Corday maintains personal information on behalf of Sony Pictures Entertainment. A cyber attack compromised personal information of Corday employees, contractors, and employees of contractors who were providing services to Corday.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 Aarow Equipment & Services
a retail business in Maryland
A company laptop was stolen from a vehicle. The laptop contained personal information including name, birthday, Social Security number, and Driver’s License number.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 Conference USA
a retail business in Texas
There was unauthorized access to men’s college basketball officials.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 Cultivan Ventures
a retail business in Indiana
A compromised email account was used to transmit information including names, addresses, birthdates, Social Security numbers, driver’s license number, passport numbers, account numbers, and financial positions.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 Fairway Independent Mortgage Corporation
A mortgage firm in Wisconsin
Email accounts were improperly accessed exposing name, Social Security information and financial information of Maryland residents.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 Citibank, N. A.
A bank in New York
A number of mailing labels had Social Security numbers in plain view.
http://doj.nh.gov/consumer/security-breaches/documents/citi-20150120.pdf
01/23/2015 Dutch Bros. Coffee
a retail business in Oregon
A breach of a website was discovered 12/6/2014. That breach exposed payment card information for some customers.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 M&T Bank
A bank in New York
A vehicle break-in exposed name, address, telephone number, Social Security number and account numbers for an unknown, or undisclosed, number of bank customers.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/23/2015 API Group, Inc.
a retail business in Minnesota
11/17/2014 the home office sent an email to the administrator of the employee benefit programs at each location. Some forwarded that email to employees without remiving the attachment which listed personal information including name, birthdate, Social Security number, and some benefit information.
[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]
01/24/2015 University of Chicago – Biological Sciences Division
an educational institution in Illinois
A URL was subjected to a SQL exploit and exposed payroll, employee identification and other information.
http://www.databreaches.net/u-chicago-hacked-by-teamcarbonic-claim/
01/26/2015 Greers Professional Fabricare
a retail business in Vermont
Their server was breached exposing payment card information for customers between 4/1/2014 and 1/16/2015.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Greers%20SBN%20to%20Consumer.pdf
01/27/2015 Citibank, N. A.
A bank in New York
Apparently a Sioux Falls, SD employee improperly accessed information relating to one New Hampshire resident. Why “Unknown” was reported to ITRC is unknown.
http://doj.nh.gov/consumer/security-breaches/documents/citibank-20150127.pdf
01/28/2015 Dartmouth-Hitchcock Medical Center
a healthcare provider or servicer in New Hampshire
On 11/23/2014 D-H discovered a phishing incident generated unauthorized activity in the Employee Self Service Direct Deposit Payroll System.
http://doj.nh.gov/consumer/security-breaches/documents/dartmouth-hitchcock-20150210.pdf
01/29/2015 Operon Resource Management
a retail business in Massachusetts
A vehicle was stolen while employee records in paper form were contained therein. Information included applications, contact information, resumes, W4 forms containing Social Security numbers, and voided checks showing account numbers to be used for direct deposit
http://doj.nh.gov/consumer/security-breaches/documents/operon-20150121.pdf
01/29/2015 Otsuka America, inc.
a retail business in California
A backup tape in transit was stolen. Otsuka America, Inc. is the US holding company of Otsuka Pharmaceutical Co., Ltd., Japan.
http://doj.nh.gov/consumer/security-breaches/documents/otsuka-america-20150129.pdf
02/02/2015 Liberty Tax Service
a retail business at 27214 Base Line Highland, California
Computers, tax returns and other documents were stolen from this preparer exposing name, address, Social Security number and other information.
http://www.sbsun.com/general-news/20150201/fraud-risk-for-clients-of-highland-tax-business-after-documents-stolen
02/05/2015 Intuit (Turbo Tax)
a Financial or Insurance Services firm in California
There was unauthorized access in late January 2015 which may have exposed tax returns and all the personal information contained therein. More on 2/17/2015 from KOS (source) More on 2/22/2015 from KOS Did Intuit profit from processing knowingly fraudulent returns? (source) Update 3/5/2015 Some of what Intuit did wrong from KOS (source)
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Intuit%20SBN%20to%20Consumer.pdf
02/06/2015 Blue Sky Casino
a retail business in Indiana
On 1/19/2015 the French Lick Resort learned that malware had been installed on some card readers used by guests, visitors and employees.
http://doj.nh.gov/consumer/security-breaches/documents/french-lick-resort-20150131.pdf
02/06/2015 Ameriprise Financial Services, Inc.
a Financial or Insurance Services firm in Minnesota
A burglary forced open file cabinets exposing financial documents which can include name, birthdate, medical information, driver’s license, Social Security number, and account numbers.
http://doj.nh.gov/consumer/security-breaches/documents/ameriprise-financial-services-20150206.pdf
02/07/2015 Mesa del Sol Golf Club
a retail business in Arizona
Charge card numbers generated at least 40 known improper transactions between 1/12 and 1/28/2015 all from outside Yuma County, location of the club.
http://www.yumasun.com/news/credit-card-data-stolen-from-golf-facility/article_936ff6b0-af51-11e4-aca0-2fbd5e8f35f0.html
02/08/2015 Shorter University
an educational institution in Georgia
In September 2014 student files were stolen which may have been used to generate fraudulent tax returns. Exposed information included names, Social Security numbers, dates of birth and medical information.
http://www.northwestgeorgianews.com/rome/news/local/shorter-students-claim-to-be-victims-of-identity-theft/article_fb4bbcde-af50-11e4-a64c-bf47e7ccd6e1.html
02/09/2015 Jefferson National Parks Association
a retail business in St. Louis, Missouri
Malware was found on point-of-sale devices at Levee Mercantile shop and the Museum Store at the Gateway Arch. The malware may have been installed as early as November 2013 when those POS were in service at the Old Courthouse and U.S. Grant National Historic Site. How many charge cards were compromised are not known. The Parks Association did not discover the malware themselves. On 12/27/2014 they were notified by federal authorities.
http://www.scmagazine.com/pos-malware-threatens-payment-cards-used-at-gateway-arch-shops/article/397201/
02/09/2015 White Lodging (Marriott)
a retail business in Indiana
See (source) for details. This is the second time in a year that White Lodging has been compromised.
02/11/2015 BigFishGames.Com
a retail business in Washington
Malware was installed on their website which intercepted customer payment information for those who entered new payment information between 12/24/2015 and 1/8/2015. Scope: Exposed information included name, address, payment card number, expiration date, and CVV2 code. See the link for protection offer.
https://oag.ca.gov/system/files/BFG%20-%20MULTI-STATE%20NOTIFICATION%20LETTER_Proof_1.pdf?
02/11/2015 Kaplan University
an educational institution in Iowa
On 6/24/2014 Kaplan was alerted to an information theft exposing the personal information of students including the full name and Social Security number.
02/12/2015 Partners Health Care System
a healthcare provider or servicer in Massachusetts
11/25/2014 it was discovered than some users of the system had revealed their access credentials in response to a phishing email.
http://doj.nh.gov/consumer/security-breaches/documents/partners-healthcare-system-20150212.pdf
02/13/2015 State of Franklin Healthcare Associates
a healthcare provider or servicer in Tennessee
A security breach at a third party payroll processor exposed personal information which has already been used to file fraudulent tax returns.
http://www.scmagazine.com/tennessee-healthcare-group-notifies-employees-of-payroll-breach/article/398240/
02/16/2015 Philadelphia Common Pleas Court
State or Local Government in Pennsylvania
Court documents with personal information were found strewn on the ground. What: The courts don’t shred because of the daily volume of material disposed. The material are picked up by the Sanitation Department which should destroy them off-site. Apparently “during the tipping process some of the recycling materials got trapped in a wheel well of one of our recycling trucks and became dislodged as the truck left the plant.” Scope: Exposed information included Social Security numbers, signatures and perhaps more.
http://www.databreaches.net/pa-hundreds-of-court-documents-found-scattered-in-philadelphia/
02/17/2015 trueEX
a retail business in New York
The email box of a single employee had been improperkly accessed exposing name, Social Security number and 2013 compensation.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/trueEX%20SBN%20to%20Consumer.pdf
02/18/2015 Office of Catherine Steinborn DDS
a healthcare provider or servicer in California
A burglary on 1/5/2015 netted the crooks a server containing patient information.
02/21/2015 Lime Crime
a retail business in California
A vegan makeup company was hacked exposing customer information.
http://jezebel.com/lime-crimes-website-is-hacked-customer-information-sto-1686744501
02/21/2015 Bulk Reef Supply
a retail business in Minnesota
The web site server was hacked to expose information from users between 6/30/2014 to 1/30/2105
http://www.databreaches.net/bulk-reef-supply-web-site-compromised-between-july-2014-january-2015/
02/23/2015 Percheron LLC
a retail business in Texas
On 1/15/2015 an unknown person stole a computer hard drive containing tax forms some of which contained personally identifiable information. Scope: Including name, seocial security number, address and telephone number. The hard drive was not password protected and the data was not encrypted.
02/24/2015 Urban Institute
Charitable Organization in Washington, D. C.,
Thr Urban Institutes’s National Center for Charitable Statistics (NCCS) had unauthorized access to Form 990 on line and the e-Postcard systems for non-profit organizations. Scope: Compromised information included email addresses, usernames, passwords, the first and last names of users, telephone numbers, IP addresses and the names and addresses of non-profit organizations.
02/24/2015 AAAA TV
a retail business in Colorado
Hundreds of paper documents containing personal information, bank account records, and charge card information was found in a dumpster behind the store.
http://www.databreaches.net/watch-dumpster-confrontation-fox31-investigator-finds-customers-personal-info/
02/26/2015 Suburban Lung Associates
a healthcare provider or servicer in Illinois
A dumpster diver found medicate records and CBS Chicago started an investigation
02/27/2015 Socorro Independent School District
an educational institution in Taxas
A student attempted to install malware on hundreds of computers with the intent of identity theft. Only 16 were found to have the malware. The student was arrested.
02/27/2015 Ziprick & Cramer LLP
a retail business in California
Around 1/25/2015 Cryptolocker ransomware infected a workstation which then allowed the infection of an in-house server. The data appears to be locked up and not necessarily exported.
02/28/2015 Benecard
a healthcare provider or servicer in New Jersey
A prescription benefit company apparently failed to notify employees and customers of a recent data breach. Employees sayd that fraudulant tax returns were filed as a result of the breach and have filed a class action suit on 2/28/2015.
03/01/2015 Medical College of Wisconsin
an educational institution in Wisconsin
A document and a laptop with information on patients were stolen from a doctors car exposing about 400 patients.
03/02/2015 Pioneer Bank
A bank in New Jersey
An employee laptop was stolen 2/26/2015 and contained customer names, Social Security numbers, addresses, and charge account numbers.
03/02/2015 Natural Grocers
a retail business at 12612 West Alameda Parkway Lakewood, Colorado
Natural Grocers announced a possible breach of its customers payment cards . A pattern of fraud on customer credit and debit cards was found suggesting that hackers accessed registers among its 93 stores in 15 states. The attack was just prior to the 2014 Christmas season by exploiting a weaknesses in database servers. Once established within the network the crooks were able to plant malware on point-of-sale systems. Store locations:SRS-http://www.naturalgrocers.com/store-locations”>source)
http://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-breach/
03/03/2015 Toys “R” Us
a retail business at One Geoffrey Way Wayne, New Jersey
Between January 28th and January 30th, 2015, the company discovered a number of “illegal login attempts made to its Rewards “R” Us accounts.” The company said: “Out of an abundance of caution, we are therefore treating your account password as compromised and taking appropriate steps to address the situation.”
http://www.welivesecurity.com/2015/03/03/toys-r-us-resets-account-passwords-counter-stolen-reward-points/
03/04/2015 Mandarin Oriental Hotel Group
a business other than retail at 250 West 57th Street, Suite 1917 New York, New York
The Mandarin Oriental hotel chain announced that their point-of-sale systems were hacked and infected with malware that stole customer credit card data. The exact number of locations hacked was not disclosed, but is limited to hotels in the U.S and Europe.
http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/
March 2015
In addition to others shown here, in March 2015, ITRC reported 40 incidents where the number affected was unknown or undisclosed.
April 2015
In April 2015, ITRC reported 28 incidents where the number affected was unknown or undisclosed.
05/01/2015 Eataly NY, LLC
Eataly NYC Retail Marketplace, at 200 5th Avenue, New York, NY 10010.
What: It appears that malware was installed by unauthorized individuals to capture payment card information on the computer systems used to process payment card transactions at one location. When: Any who used a payment card at the NYC Marketplace between January 16, 2015 and April 2, 2015 may have been compromised. Scope: The malware could have compromised all payment card information including name, account number, card expiration date, and the CVV security code. Scale: the number of exposed accounts was not known or not disclosed. Source: [ https://www.eataly.com/resources/eataly/files/LegalNotice.pdf ] Company Notice dated 5/01/2015.
May 2015
In addition to others shown here, in May 2015, ITRC reported 23 incidents where the number affected was unknown or undisclosed.
06/08/2015 US Army Website Hacked
U.S. Military / Federal Government
The publicly accessible web site for the U. S. Army was defaced in 6/8/2015. The website was taken off line, repaired and restored by mid-day 6/9/2015. The Syrian Electronic Army has claimed credit for defacing the website with propaganda. (source). No personal accounts or information appears compromised.
06/10/2015 Missing Link Networks Inc.
MLN is a credit card processor and point-of-sale vendor serving wineries.
What: MLN disclosed 6/10/2015 that a breach of its networks exposed card data for transactions it processed in the month of April 2015. Scope: Exposed were customer names, charge card numbers, billing address, and any dates of birth during April 2015. Scale: The number exposed is unknown or undisclosed. (source)
06/10/2015 NoMoreClipBoard.Com
What: This company provides a service where your personal health record (PHR) is online and available to doctors faster than gathering that historical information at the time of care. Access can be by computer, tablet or smartphone. They were hacked. (Source: Company Notice via RICIS) When: Suspicious internal computer activity was noticed on 5/26/2015. Forensic analysis found evidence that unauthorized access started as early as 5/7/2015. If you have questions call (866) 328-1987. Scope: Compromised information may include name, home address, Social Security number, username, hashed password, name and potentially date of birth for a spouse, security question and answer, email address, date of birth, health information, and health insurance policy information. Scale: Although the number of patient records exposed was not revealed the company provides services for over 140 businesses and 40+ individual doctors.
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery)
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children’s Clinic of Owasso, P.C.
Children’s Health Place, The
CMMC
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart & Vascular Specialists, The
Heart and Vascular Center of Sarasota, The
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
Imaging Center, The
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart
Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurolosurgery Clinic
Jewell County Hospital
Johnson Center for Pelvic Health, The
Jubilee Community Health
Kardous Primary Care
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medical Foundation, The / My Lab Results Portal
Medicine Lodge Memorial Hospital
MedPartners
MHP Cardiology
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc.
myhealthnow
Naples Heart Rhythm Specialists
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George’s County Health Department
Relief Center
Republic County Hospital
River Primary Care
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD’s Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists,PLC
Stafford County Hospital
Texas Childrens Hospital
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
Wyoming Total Health Record Patient Portal
Dr, Claude E. Younes M.D., Inc.
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Brian Griner M.D.
Dr. Buchele
Dr. Carl Gustafson OD
Dr. Clara A. Lennox MD
Dr. Clark
Dr. David A. Wassil, D.O.
Dr. David M Mayer
Dr. Floyd Trillis Jr., M.D.
Dr. Harvey
Dr. Howard Stierwalt, M.D.
Dr. James E. Hunt, MD
Dr. Jasmine K. Leong MD
Dr. John Hiestand, M.D.
Dr. John Labban
Dr. John Suen
Dr. Jonathan F. Diller, M.D.
Dr. Keith A. Harvey, M.D.
Dr. Kenneth Cesa DPM
Dr. Kristin Egan MD
Dr. Michael Mann, MD, PC
Dr. Nancy L. Carteron M.D.
Dr. Nate Delisi DO
Dr. Norman G. McKoy, M.D. & Ass., P.A.
Dr. Pareshchandra C. Patel MD
Dr. Puleo
Dr. Rajesh Rana
Dr. Rebecca J. Kurth M.D.
Dr. Ricardo S. Lemos MD
Dr. Richard A. Stone M.D.
Dr. Richard Ganz MD
Dr. Rolando P. Oro MD, PA
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Dr. Stephen Helvie MD
Dr. Stephen T. Child MD
Dr. Susan A. Kubica MD
Dr. William Klope MD
Dr. Yovanni Tineo M.D.
Dr. Zack Hall M.D.
06/15/2015 LastPass
In an announcement today LastPass, a password management facility, announced that on Friday, 6/12/2015 they discovered discovered and blocked suspicious activity on our network. LastPass is “confident” that no passwords were taken. Hackers did access email addresses and password reminders which is useful in targeted attack sending a fake email to the user asking them to reset their password and using a crooked URL. (more at NY Times)
06/16/2015 Cardinals Hack Astros
What: Federal investigators have evidence that employees of the St. Louis Cardinals hacked into the Houston Astros’ network and compromised multiple databases containing internal trade discussions, statistics and scouting reports. Was it a crime? Maybe, maybe not, but the FBI is investigating. Scale: The number affected was unknown or undisclosed. Scope: What was compromised was described in a general way and may, or may not, include personally identifiable information. (Source)
01/12/2016 Update: Former Cardinals Exec: Guilty
Back in July 2015 the St. Louis Cardinals fired their scouting director, Chris Correa, even before an investigation was completed. At the time Correa’s attorney said “Mr. Correa denies any illegal conduct.”
Friday 1/8/2016 the US Department of Justice issued a press release titled Former St. Louis Cardinals Official Pleads Guilty to Houston Astros Computer Intrusions which included “the former Cardinals official then entered a guilty plea to all counts as charged.” What he did and how he gained access is described in the press release and this article from Sophos.
07/20/2016 Update: Former Cardinals Exec: Jail Time
Chris Correa, formerly scouting director for the St. Louis Cardinals, on Monday was sentenced to 46 months in jail. This is more than a year after hacking the Astros’ player-personnel database and email from 2013 to at least 2014. It is also more than six months after pleading guilty to five counts of computer hacking per Computer Fraud and Abuse Act (CFAA). More at Naked Security / Sophos.
06/18/2015 Apple Mac & iPhone Users
Apple has Keychain, special password software that lets people securely store passwords on their Macs. Apparently not so secure as apps can gather the passwords from a Keychain or even from other apps. Possibly exposed are passwords to access banking, email iCloud accounts, social media, notes, photos just about everything.
XiaoFeng Wang, a professor of computer science at Indiana University, and his team of researchers found multiple ways an app could be designed to affect other apps. An interesting twist: malicious software could delete old Keychain passwords and grab them as you to reentered them. Apple categorizes Mac programs with BID, theoretically a unique identifier. Hackers could assign a “trusted” BID to malware and become part of a “trusted” program group. Wang & Team found 89% of the top 1,612 Mac apps were susceptible. As part of their proof that Apple was vulnerable they created a joke-a-day app named “Joke Everyday” that could steal passwords. It was uploaded into Apple’s “heavily guarded” App Store.
The research team said it went public with its findings today because Apple was notified in October 2014, Apple tweaked the operating system in January 2015 but that didn’t stop the capability for Keychain password compromise. As of June 2015 there is no solution. From the abstract:
Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data. More specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Ever-note. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing …. (the entire paper is a 13 page PDF)
According to The Register Google’s Chromium security team has already removed Keychain integration for Chrome noting “it could likely not be solved at the application level”. AgileBits reported “it could not find a way to ward off attacks … some four months after it was warned of the vulnerabilities.” There are several short videos on the Register site showing the attacks in progress.
In response for going public and the “Joke” app upload Apple may revoke their developer credentials for violating the terms of service. Back in November 2011 Apple did the same to security researcher Charlie Miller for doing the same thing and proving that malicious code could get into the App Store. Almost 4 years later that appears to still be true. (more at the source)
[ Something wrong there when serious bugs are uncovered, communicated, not fixed, proven to exist, and the people who are protecting the users receive discipline and nothing happens to those who visit the security holes on us. -ed ]
Update: 06/19/2015 Apple Addresses XARA vulnerability
Apple addressed cross-app resource access (XARA) in a comment to iMore.
Security researcher Brian Krebs discusses the XARA problem as well as a discovery by NowSecure (a mobile security firm) in a third-party keyboard app segment that was pre-installed on more than 600-million Sansung mobile devices include the Galaxy S6. If hacktivated hackers can access the camera, microphone, listen on incoming or outgoing voice calls, read incoming or outgoing texts, access stored images and more.
[ Do we count that as 600,000,000 exposed accounts or wait until the reports come in? -ed ]
June 2015
In addition to others shown here, in June 2015, ITRC reported 79 incidents where the number affected was unknown or undisclosed.
07/01/2015 Trump
What: Multiple Trump hotels and other properties in resort and convention cities appear to have suffered a breach exposing charge card information. When: The executive vice president of development and acquisitions confirmed the breach on 7/1/2015, but it appears exposure started months earlier in February 2015 or earlier. Where: Affected Trump properties appear to include those in Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York. Scope & Scale: As of 7/28/2015 details were not available. (Source: KrebsOnSecurity)
Update 09/29/2015 Trump Confirms
Who: The breach affected the Trump Hotel Connection which includes Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto. What: On the Trump Hotel Connection web site there is an undated breach announcement indicating that malware may have infected both the front desk terminals and the payment card terminals in restaurants and other point-of-purchase locations. When: Initial reports of a breach were reported on 7/1/2015. Confirmation of the breach came on 9/29/2015. The malware was reportedly in operation between 5/19/2014 and 6/2/2015, more than a year. Even after that time the company has not reported the name of the malware. Scope: The malware may have exposed charge card account number, expiration date and security code. For some properties the cardholder name may have also been exposed. Scale: The companies are either unable or unwilling to disclose the number of compromised accounts.
Was the data exfiltrated or not?: The sample notice (2 page PDF)
to the California Attorney General includes “… the independent forensic investigator did not find evidence that information was taken from the Hotel’s systems …” which does not mean it was or it was not, just that no evidence was found that it was. Yet, back on 7/1/2015 security researcher Brian Krebs reported “Contacted regarding reports from sources at several banks who traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels, the company declined multiple requests for comment.” which indicates information was exfiltrated.
07/08/2015 The Zoos / SSA
What: CBSDetroit reported that the gift shops of the Detroit Zoological Society had been hacked. When: Charge cards used between March 23 and June 25, 2015 were exposed. Scope: Exposed were names, account numbers, and CVV security codes. Scale: The number exposed is unknown.
Detroit may have been the first to realized the compromise, but they were not alone. The next day, KrebsOnSecurity reported that the servicer, Service Systems Associates (SSA), acknowledged a breach of its systems by malware at the point of sale (POS) systems. Although SSA did not release specific scale information they provide similar services to zoos in more than twenty cities.
07/28/2015 Stagefright on Android
What: Introduced in Android 2.2 (called Froyo), Stagefright is the media playback service for the Android operating system used in many smart phones. Exposure: Multiple vulnerabilities may allow a remote attacker to access files or execute code on the device. This includes direct access to the phone’s audio and camera feeds. How: a multimedia messages (MMS) which may crafted to be improperly parsed by the Stagefright tool to expose the phone. Other vectors include infection by web browsers, file downloads, or email. Other vectors include near-proximity communications such as NFC or Bluetooth. Non-near-communication vectors include USB connections and infected memory cards. Is my phone infected?: The Zimperium and Lookout links below lead to downloadable detectors. (Sources: Ars Techica DHS|CERT Vulnerabilities Notes Database Zimperium Mobile Security Lookout)
Update 08/05/2015 Stagefright is Scary Code
A paper Stagefright: Scary Code in the Heart of Android (86 page PDF) was presented at Black Hat | USA, August 1-6, 2015 at the Mandalay Bay in Las Vegas, NV by Zimperium Mobile Defense. The conference general briefing materials are a also good read.
Stagefright has multiple attack points, some of which require no under intervention including browser auto download that happens in the background. 11+ vectors were found in almost every way the device touches external media. The scariest part might be on receipt of a multi media message (MMS, an email with something attached). The media is processed during the notification to the user. GAK! Even rotating the screen invokes the vulnerable code! The presentation ranges from the general to the very detailed on how the MPEG4 attack surface was located.
Update 10/01/2015 Stagefright “new” weaknesses
The original Stagefright exploited multiple weaknesses to allow remote code execution by sending a specially crafted MMS attachment. There are two newly uncovered bugs take advantage when processing MP3 (audio) or MP4 (video) files with malicious attributes in the metadata. More than one billion Android devices are at risk. The vulnerability in libutils has been in nearly every Android device since version 1.0 in 2008. The libstagefright vulnerability has existed since version 5.0 in 2014. Zimperium Mobile Security Post and an article in SCM.
July 2015
In addition to others shown here, in July 2015, ITRC reported 30 incidents where the number affected was unknown or undisclosed.
08/04/2015 VPN Army for Hire
China has a large industry in virtual private networks (VPN) selling tunnels through the “Great Firewall of China” for their residents who want to reach the outside world without government interference. The exit end of that tunnel is a computer someplace outside the barriers.
RSA Research has discovered some 1,500 end points, many at ordinary internet service providers in the US and elsewhere. Some are compromised computers which can also serve as a launch pad for future exploits. These are Windows servers, compromised without the owner’s knowledge and located at a hotel chain; a manufacturer; a law firm; a doctor’s office; a county government of a US state and other places. RSA contacted many of these involuntary nodes and confirmed.
The RSA report was scrubbed a bit to make it not-so-obvious to where those nodes, dubbed The Terracotta Army, exist. Security Researcher Brian Krebs (article at KrebsOnSecurity) took the limited information from the RSA report and continued it to find domains and some of the nodes themselves.
It appears this army is mercenary and available for hire. How many exploits were launched? How many were compromised? We’ll probably never know.
08/12/2015 Totally Promotional
What: An unauthorized individual accessed customer information. When: The access was between 6/23 and 7/10/2015. The company was unaware of the compromise until customers called on July 6 to complain about unauthorized charges. Scope: Exposed information includes names, mailing address, email address, charge card account numbers, charge card expiration dates and verification codes. Scale: 14 residents of New Hampshire were affected according to a required notification to the New Hampshire attorney general (source) but Totally Promotional, an online distributor of promotional products in Celina, Ohio, either is unwilling, or unable, to reveal the total numbers of compromised accounts.
08/14/2015 Fred’s
What: Two servers that route payment card information after those cards were used at hundreds of Fred’s Super Dollar stores in Alabama, Arkansas, Florida, Georgia, Illinois, Kentucky, Louisiana, Missouri, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, and Texas were infected with malware to store, and later exfiltrate, card information. When: Both servers appear to have been infected on March 23. One servers’s malware stopped operating on April 8 and the other stopped on April 24. Scope: Exposed were including card numbers, expiration dates, verification codes and what is called Track 2 data. Scale: Fred’s is either unwilling, or unable, to reveal the total numbers of compromised accounts. Source From Fred’s
08/20/2015 Flash Exploit Targets WordPress sites
Zscaler Threat LabZ reported that the Neutrino Exploit Kit appeared back in March 2013 and has made a major re-appearance in July 2015 when NEK reportedly incorporated the exploit described in CVE-2015-5119 in multiple versions of Adobe Flash Player in Windows and Linux to allow remote users to execute arbitrary code or other mischief. WordPress sites at version 4.2 and lower in more than 2,600 sites have been compromised (see chart for how) Once a site is compromised visitors to that site may have ransomware run on their system. The code targets Internet Explorer and other browsers won’t be affected. A cookie prevents the exploit from being executed multiple times for the same victim. (Source: Secure Computing Magazine) How many people were affected? Who knows?
08/29/2015 Google Play Store App targets Android Certifi-gate
Certifi-gate allows an attacker to take over devices using the Android operating system. Once infected a device, typically a cell phone, can be remotely controlled or monitored. It was well described at Black Hat USA 2015 in Las Vegas and the vulnerability comes from the design of popular mobile Remote Support Tools used by device manufacturers and network service providers. See movie 5m 34s at SCM. A popular app on the Google Play store successfully exploited Certifi-gate. That app has since been removed, but no report as to how many Android devices were affected. (source)
August 2015
In addition to others shown here, in August 2015, ITRC reported 37 incidents where the number affected was unknown or undisclosed.
09/01/2015 Brunswick Hotel & Tavern
What: Malware was discovered on a computer at the front desk where payment card information was processed. When: The malware have been active between November 29, 2015 and July 21, 2015. Scope & Scale: Details of what information and for how many people was not disclosed. Source: Sample letter (4 page PDF) from Olympia Hotel Management, who manage Brunswick Hotel & Tavern, to the Office of the Attorney General in Vermont and SCM
So how many were affected? Are they unwilling, or unable, to say?
09/02/2015 ReverbNation
What: ReverbNation, a service to grow artists by networking them other partners in industry and growing their fan base, was apparently unaware that an individual had accessed some customer user data during January 2014 through May 2014. Law enforcement made the notification and has identified and charged the individual. Scope: Exposed information included name, Social Security number, date of birth, employee identification number, mailing address, email address, encrypted password, telephone number and possible any other information that may have been provided. Although the exposure of sensitive personally identifiable information was extensive, ReverbNation didn’t retain charge card information. Scale: ReverbNation is either unable, or unwilling, to disclose the number of affected persons. Sample Notice to Consumers from California’s Office of the Attorney General and Article at Secure Computing Magazine
Update: 9/04/2015 ReverbNation Tweeted back
“The incident originated on an outside vendor’s system, not on-site. Affected users were notified promptly after we were notified.”
09/03/2015 HFFCU
What: The email account of an employee of Hawaii First Federal Credit Union, may have been improperly accessed by an unauthorized individual and exposed personally identifiable information. The credit union learned of the incident on June 1, 2015. No information on how they learned (internal discovery, law enforcement notification, other) was provided. Scope: The exposed information included names, Social Security numbers, mailing address and bank account numbers. Scale: HFFCU is either unable, or unwilling, to disclose the number of affected persons. Sample Notice to Consumers from the Vermont Attorney General’s Office and Article at Secure Computing Magazine
09/09/2015 DOE
Since late 2010 the United States Department of Energy reported over 1,100 cyber attacks for the four years ending in October 2014. The objectives were sensitive data about the power grid, nuclear weapons and energy laboratories. 159 attacks were successful. In 53 of the 159 attacks attackers obtained “root” privileges giving them administrator access. More at USA Today
09/11/2015 MultiVendor ATM attacks
New malware aimed at Diebold and NCR ATM machines has surfaced. Detectors have identified it as Backdoor.ATM.Suceful (SUCEFUL for short). Like much malware before it SUCEFUL can read all track data, read the chip on the card and suppress ATM sensors. A new capability is to retain the inserted card. The malware apparently hasn’t been distributed and may still be in development. (Source: Secure Computing Magazine article)
09/15/2015 Venmo/Braintree/PayPal P2PP not B, scammers know
Venmo is a person-to-person payment (P2PP) system that was acquired by Braintree which was then acquired by PayPal. Venmo has fewer consumer protections than its parent and the EULA includes “Business, commercial, or merchant transactions may not be conducted using personal accounts.” What constitutes such transactions is rather murky. If your roommate uses Venmo to send you their share of the rent, that seems acceptable. If you send your rent to your landlord, maybe not. Selling to people you don’t know is highly likely to be unacceptable. Venmo appears oriented toward financial transactions among people who already know each other well enough to resolve a financial dispute arising from a Venmo transaction. An e-acknowledgment from Venmo of funds received isn’t quite accurate. Venmo has received the instruction to transfer funds from the sender, but the funds have not cleared, like a check. Some receivers take action based on the acknowledgment (like sending expensive sports tickets) only to learn a few days later that the funds never arrived.
Scammers take advantage by enticing people they don’t know to send value and not making good on their Venmo transfer. Or, senders make partial “teaser” payments then close their financial accounts so the remainder never arrives. Venmo customer service is … limited. (More at the source: Slate)
[ Think financial safety – would you take a $5,000 personal check from a stranger for a purchase then deliver the goods or would you wait until the check cleared? If yes, why take a virtual check from a stranger and deliver right away? Hat tip of thanks to Megalomania Intergalactic Supreme Dictator and Poo-Ba Plenipotentiary for the lead. -ed ]
09/15/2015 Holiday Inn
Who: Guests at the Holiday Inn Harrisburg/Hershey, managed by Milestone Hospitality Management. What: Malware may have compromised their credit card information. When: The incident was discovered 7/22/2015 and investigation determined malware was present between 6/2/2015 to 7/10/2015. [ Why did the malware stop being “present” almost two weeks before it was discovered? -ed ] Scope: Exposed information included name, address, charge card account number, expiration date and security code (CVV). Scale: The company is either unwilling, or unable, to report the number of persons whose information was compromised. [ Considering they reported 15 residents of New Hampshire (see below) were affected it appears more “unwilling” than “unable” -ed ] See 8/14/2015 Notice to the New Hampshire Department of Justice (6 page PDF) and SCM article.
09/16/2015 Cisco PCA
Some versions of Cisco Prime Collaboration Assurance software contain vulnerabilities allowing a bypass, information disclosure, and privilege escalation to allow an attacker to “create an additional administrative user or access information from another domain if the system is used in multiple tenants environment”. See 9/16/2015 Cisco Security Advisory and SCM
9/16/2014 Cisco router break-ins bypass cyber defenses
Security researchers say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected.
In the attacks, a highly sophisticated form of malicious software, dubbed SYNful Knock, has been implanted in routers made by Cisco, the world’s top supplier, U.S. security research firm FireEye said on Tuesday.
Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools that organizations use to safeguard data traffic. Until now, they were considered vulnerable to sustained denial-of-service attacks using barrages of millions of packets of data, but not outright takeover.
“If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye Chief Executive Dave DeWalt told Reuters of his company’s discovery. “This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool,” DeWalt said. The attacks have hit multiple industries and government agencies, he said. [ highlighting ours – ed. Affected models and more at the source: Reuters ]
09/18/2015 VMWare
Network traffic can be intercepted by a remote user who successfully executes a man-in-the-middle attack between the LDAP server and the target system because “VMware vCenter Server does not validate the certificate when binding to an LDAP server using TLS”. VMware has released an update that addresses this LDAP certificate validation vulnerability in vCenter Server. See VMWare Security Advisory VMSA-2015-0006, CVE-2015-6932 and SCM.
09/18/2015 Outback Steakhouse/CA
Who and What: T-Bird Restaurant Group reported that a point-of-sale computer terminal and a back office computer were stolen from an Outback Steakhouse the evening of 8/8/2015. The POS computer contained personally identifiable information (PII). Scope: Exposed information includes names, Social Security numbers, current and prior time sheets. [ who keeps SSNs in a point-of-sale terminal? -ed ] Scale: The company is either unwilling, or unable, to report the number of persons whose information was compromised. See notice from T-Bird Restaurant Group to California Office of the Attorney General (4 page PDF) and article from SCM
09/25/2015 Hilton Hotels
In August 2015 VISA reported a breach extending from April 21, 2015 to July 27, 2015. The name of the affected entity was not revealed. Multiple banks have determined that the affected accounts (which were revealed) had one common point-of-purchase, Hilton properties. This includes the Hilton named properties and Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts. The point of compromise appears to be the point-of-sale devices in restaurants, coffee bars and gift shops, not the reservation system.
In March 20, 2013 through December 16, 2013 multiple locations of the White Lodging Services Corporation had a similar breach affecting Holiday Inn, Marriott, Radisson, Renaissance, Sheraton and Westin hotels as did the Mandarin Oriental Hotel Group in March 2015. The number of affected accounts was unknown, or undisclosed. (Source: KrebsOnSecurity)
11/20/2015 Adware disables virus checkers
Popup adware is annoying. One adware family are using certificates, originally intended to authenticate web sites as ok-to-access, to disable anti-malware and anti-virus software. How much does “Vonteera” affect a system? Let Malwarebytes (makers of anti-virus software) count the ways:
1) V adds multiple scheduled tasks for particular times of the day, when any user logs on, when the computer is idle and more. When a scheduled event occurs malware operation is initiated. Operations include the display of advertisements, the start of services and the loading/reloading of the malware.
2) V installs objects in the browser. In Internet Explorer a “Browser Helper Object” is installed.
3) V alters the shortcuts on the desktop, in the taskbar and in the start menu for browsers IE, FireFox, Chrome, Opera and Safari. The shortcuts redirect users to a site that randomly sends the user someplace else.
4) V targets Chrome users with a special “silent” operation where applications and browser extensions are installed completely bypassing any user notification.
5) V adds certificates – in a malevolent manipulation of the browser security certificate system Vonteera adds certificates to the “Untrusted” category. This means when a user goes to one of the sites the browser will block the user from that site. Sites blocked were anti-virus including AVAST, AVG, EST, Malwarebytes, McAfee, Panda, TrendMicro, and more. The “untrusted” certificate also blocks any attempt to download software from those sites. Easy solution: deleted the untrusted certificate, right? Yes right, but not so easy. Remember in step 1 the malware is reloaded. You need to delete the untrusted certificate, download and run the anti-virus, all between reloads. Or, delete, download, disconnect from the internet, then run the anti-virus. Disconnecting means the reload can’t occur. In any case, check after the untrusted certificate has been deleted and the malware removed to confirm the untrusted certificate has not been reloaded.
Source: Malwarebytes Blog. Click- > Malwarebytes to download/install the no-charge version from the source, not some re-packaged version that has additional bloatware installed or offered.
11/25/2015 Update Hilton Hotels Confirms
Two months after the Hilton breach was reported by security researcher Brian Krebs, Hilton has confirmed the security lapse. In a quietly delivered statement after markets closed Tuesday 11/24/2015, Hilton disclosed the breach exposed charge cards used during November 18, 2014 to December 5, 2014, or from April 21, 2015 to July 27, 2015. (Source: KrebsOnSecurity followup article)
[ The statement says Hilton “… has identified and taken action to eradicate unauthorized malware …” which inspires us to ask about the status of authorized malware? (Thanks to StuartC) The number affected is still unknown, or undisclosed. -ed ]
09/25/2015 PadLocks4Less
Who: The Frank J. Martin Company of Lynnwood, Washington operates the Padlocks4Less web site. What: The company was notified by the FBI that information on the web site may have been improperly accessed. When: The FBI reported the access may have been between 6/3/2015 and 8/26/2015. Scope Compromised information may include name, physical address, phone number, email address and payment card information. Scale: The company is unwilling, or unable, to report the number of possibly compromised persons. Source: Notice letter filed with the Vermont Attorney General on 9/22/2015 (2 page PDF) and SCM.
09/28/2015 2 new POS Malware
Katrina and CenterPoS are two new point-of-sale (POS) malware identified by security researchers at Trend Micro in their security roundup. Both are variants of the Alina POS malware with minor changes. The first infection was observed on 8/25/2015 and, so far, 87 small and medium sized businesses have been infected. The number of accounts compromised is not known.
09/30/2015 Mac Anti-Malware “Gatekeeper” Bypassed
“Gatekeeper” helps Mac users to neutralize tricks users into installing malware. Code-signing requirements ensure that an installer app hasn’t been improperly modified from creation, through download, and installation. Even when the protection is set to its strictest setting, a researcher found a design flaw allowing a complete bypasses of Gatekeeper, by using a file already trusted by Apple to do bad things. Clear drawings and more at Ars Technica.
September 2015
In addition to others shown here, in September 2015, ITRC reported 24 incidents where the number affected was unknown or undisclosed.
10/01/2015 Bank Malware appears as PayPal app
Trend Micro reported that users in Germany were being targeted with malware appearing as a PayPal app requesting users click on a link to upgrade their installations. The “upgrade” is malware that attempts to make itself a system administrator, change the screen locking password and more. Even if the users declines to grant administrator status the app disappears from the home screen and continues to run in the background. It disappears from the launcher screen and is almost impossible to remove. Once the real PayPal app is running an overlay will be applied so when the user enters their credentials the malware will capture them.
Although the initial detection was for a German language version of this malware, adapting the language is not a major task. This could be a trial run so users beware. See also Secure Computing Magazine.
10/04/2015 iOS Malware
Palo Alto Networks has identified a new Apple iOS malware which is significantly different from previous iOS malware in that it can attack both jailbroken and non-jailbroken devices. They name it YiSpector and it abuses private (non-Apple) application programming interfaces (API) to implement malicious functionalities. Although it has been observed in the wild for more than 10 months of the 57 security vendors in VirusTotal only ONE detected the malware.
YiSpecter spreads, not only by passing malware laden applications or messages, but also by hijacking traffic from ISPs, a social networking service (SNS) worm on Windows, and an offline app installation and community promotion.
Once resident on an infected device YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps, hijack other apps’ execution to display advertisements, modify browser settings and upload device information to its host. Even if a user “deletes” the malware it will re-appear.
YiSpector combines enterprise certificate abuse shown by WireLurker in 2014 and private API mal-functionality. This dual vector is a significant threat to Apple’s security mechanisms. Much more …
10/12/2015 America’s Thrift Stores (ATS)
Who and Where: ATS has headquarters in Birmingham, Alabama and stores in Alabama, Georgia, Tennessee, Mississippi and Louisiana. What and When: ATS was breached exposing charge card transactions 9/1 to 9/27/2015. Scope: According to a statement by ATS. “The U.S. Secret Service tells us that only card numbers and expiration dates were stolen. They do not believe any customer names, phone numbers, addresses or email addresses were compromised.” Scale: ATS is unwilling, or unable, to disclose the number affected. Source: KrebsOnSecurity
10/14/2014 Browser Padlock, not so locked
The padlock icon shows a site has a security certificate. It used to be “Secure Sockets Layer” (SSL), but is now the “Transport Layer Security” (TLS, sometimes SSL/TLS) certificate. Before issuing a certificate the one of over 200 certificate authorities (CA) are supposed to confirm that the requester is who they are supposed or purport to be. Yeah, well, not so much.
“Typosquatters” register a domain often accessed by the thumb-fingered among us. A few days ago Netcraft reported that “hundreds” of certificates were issued in just one month to domains that appear to be for Apple, Bank of America, Paypal and more. More at the source: Sophos and Secure Computing Magazine.
These domains are often used in emails where a quick glance does not alarm the consumer and they click on it starting a chain of events with a malware ending. Think for a moment, does a link to bankofamerica.com/youraccount look right? How about banksofamerica.com/youraccount or banskofamerica.com/youraccount? A padlock alone does not mean the site can be trusted.
10/16/2016 Peppermill Resort Spa Casino
What and Where: Charge cards were compromised at the Peppermill Resort Spa Casino in Reno, Nevada. When: The breach affected cards used between October 2014 and February 2015. Scope: Exposed were name, card number, expiration date and CVV security code. Scale: The company is unwilling, or unable, to disclose the number affected. Source: SCM
10/19/2016 Malvertising & The Daily Mail
Malvertising (malvert for short) is malware embedded in on line, or email, advertising. Some ads do not provide their own content, but link to other sites for the content. Any place along the chain that ends in your in-box or on your browser can be infected. Sadly the electronic version of the Daily Mail, called Mail Online, was so infected. This affected more than Britain, a lot of their traffic comes from the USA. The malware laden ad you see may not occupy the same place from viewing to viewing. Or, the same place have have different ad content when someone goes to track down the malware. Practice safe hex. Use real time virus blockers or consider an ad-blocker. More …
10/21/2016 EyeBuyDirect
What & When: Sometime between February 9, 2015 and May 30, 2015 crooks with an IP address in the Russian Federation gained unauthorized access. EyeBuyDirect learned of the incident on June 16, 2015, two weeks to four months later. Scope: Personal information exposed included name, mailing address, shipping address, telephone numbers, email address, charge card numbers and CVV codes. Scale: In a notification to New Hampshire Department of Justice (5 Page PDF) the company reported 22 New Hampshire residents were exposed. The total was undisclosed. [ So why are they unable or unwilling to tell us how many in total were affected? -ed ] Source: Secure Computing Magazine article.
10/22/2016 Online Pharmacy Sold Data
Why bother with the expense of protective technology if a company is just going to sell the private information of its customers anyway? UK pharmaceutical provider Pharmacy2U has just been penalized by the UK’s Information Commissioner’s Office (ICO) for doing just that and not telling their customers about it. So who bought the data? See Sophos.
10/27/2015 Bank Scam nets over $90M
The Metropolitan Police issued a [ http://news.met.police.uk/news/nine-arrested-following-fraud-134343 ] bulletin [ see ] last week describing an arrest of nine people in an organized criminal network that defrauded about 91.6 million US dollars (about 60 million British pounds) from an unknown number of bank customers across the UK. The fraud was a mix of technology (spoofing caller ID to appear to be calling from a bank) and social engineering (to obtain banking information from their victims). The funds were transferred to intermediaries (money mules) who withdrew funds from ATMs and bank branches. Think your bank is calling you? See this for several simple ways to be sure.
Aside: The Metropolitan Police Service (MPS) has law enforcement and national responsibilities. MPS is responsible for law enforcement in Greater London, but not within the “City of London”. About 1.1 square miles in land area, the “City” is city and county within London and has its own “City of London” police. A similar entity is the adjacent “City of Westminster”. National duties of MPS include counter-terrorism and protection of the British Royal Family and senior government officials.
10/28/2015 Marks & Spencer’s
An internal website error allowed customers to see personal of other customers including names, dates of birth, contacts and previous orders were shown. Financial information was not disclosed. The company was unwilling, or unable, to disclose the number affected. BBC
October 2015
In addition to others shown here in October 2015, ITRC reported 19 incidents where the number affected was unknown or undisclosed.
11/03/2015 Triangulation Fraud is … ?
Triangulation fraud involves four parties: two victims, one crook, and one customer who thought they were just buying something and not participating in a crime. What is it? Stolen cards are used to purchase merchandise won at auction by other persons. Say what? How does that make money for crooks?
A crook sets up a sellers account and lists products for sale, but they don’t really have any. A customer buys the item from the crook-seller and sends funds to the crook’s account. The crook takes the order information and buys the same item from another seller (about to become a victim) and pays with stolen charge card information. The crook-seller tells the victim-seller to send the item to the customer. The customer gets the item, is happy and maybe notices the shipper isn’t the one they remembered.
The crook-seller is ahead the real funds received from the customer and out … no funds. The “funds” used to pay the victim-seller come from another victim, the person whose stolen charge card information was used to pay the victim-seller. (Diagram at KrebsOnSecurity) Want to really twist your mind? Read about Quad Fraud at KrebsOnSecurity.
11/04/2015 PageFair Analytics Hacked / Great Response
What happened? PageFair provides web site analytics. Their code was compromised to prompt users to install a fake Adobe Flash update spurring them on with a warning that anyone wasn’t protected by anti-virus software was at risk. The compromised code was served up for 83 minutes and affected 501 publishers of that code. How many were infected? 501 publishers were infected, but how many millions, or tens of millions, of users were infected? No one can know.
Kudos to PageFair In praise of PageFair they spotted and stopped the problem very quickly compared to some companies who were hacked for years before being told they were exposed. PageFair also avoided the all-to-common pablum of “we’re sorry” in favor of useful information blogged in near real time. Sean Blanchfield, CEO of PageFair, is a great leadership example for other executives when similar problems strike their users.
How did the compromise start? A targeted email (spearphishing) attack against PageFair yielded access to a key email account which they used to reset the password on PageFair’s Content Delivery Network (CDN) and replaced PageFair’s original code with their own malicious code.
What can you do? General guideline: NEVER click on ANY popup link for an update. Go to the creator’s web site and check for an update. A growing standard is to click Help which contains About. About brings up a window showing the installed version and a link to “check for updates”. More at Sophos
11/06/2015 New ransomware insults you
Ransomware – if you know it, the words chill you. Ignorance avoids the chill, but if you get it, you get desperation in the extreme. It is a particular form of malware essentially taking all the data on your computer hostage, scrambling it, encrypting it, and demanding a ransom to get it back. Do you pay? Will the crooks return your information, your memories, your tax return?
This scourge has been with us for years. Earlier versions included Reveton, CryptoLocker, CryptoWall, and Los Pollos Hermanos. Despite the catchy names they were all designed to get paid, usually with anonymous Bitcoin, from your pocket. In addition a recent variant insults you for getting infected in the first place.
What can you do? Start with three things: backup, Backup and BACKUP! Also make the backups disconnected from your system. If ransomware can reach it via your system connections and shares those might be held for ransom too. Adopt
safe hex practices; be proactively cautious about attachments; disable auto-preview mode in email; never update from a popup; and update only from sites to which you direct access.
Read also what Kipling had to say about this practice in 1907. Consider too what happened to ProtonMail, an encrypted email provider. Paying does not always get your data returned.
If you need a quick virus removal tool at no charge see the bottom of this page at Sophos.
11/13/2015 Gmail bug lets you be any sender
It is pretty easy to change your email name to anything you want. Get an email from “Ming the Merciful” and you can see the sender’s real email address. So what if you could block the display of the real email address and successfully pretend to be anyone? This is called spoofing.
Security researcher Yan Zhu (@Bcrypt) discovered changing the e-name just does that. Yan (quote)(quote)TerrorismAlert@FBI.Gov(quote) will cause the message to show an email name of “Yan” and an email address of “TerrorismAlert@FBI.Gov”. Yan’s real email name and address will not display. Imagine the concern when the message says something similar to “click here for an urgent message about terrorism in your area”, or an email from Payroll@OfficeMain.com that you are being docked half your pay causes you to click on a link leads to malware or worse.
Gratefully this problem only appears to exist in the Android version of Gmail. Less than great, after Yan reported this to Google with multiple screen captures and narrative, they replied “Thanks for your note, we don’t consider this to be a security vulnerability”.
Yep, so wrong. There is an email administration tool called DomainKeys Identified Mail (DKIM) which matches a signature and a domain. So, an email from Bill@SomeDomain.com that was sent as Director@NASA.gov would fail. In its strongest mode DKIM sends email like this directly to the great bit-bucket before a user ever sees it. Unhappily, emails using the Yan format do not get caught by DKIM.
Lastly, in one of Yan’s screen captures is this emoticon
¯\_(ツ)_/¯
which perfectly captures the feeling “what are you going to do when Google says it isn’t a bug?”
Google might be able to track and count the number of messages that took advantage of this malformation to spoof email, but we’ll probably never know the number of affected persons.
11/17/2015 Update Google is working on it
After initially considering a name change to not be a security issue Google is working on it.
11/18/2015 Update Google is still working on it
Sophos recaps the situation.
11/16/2015 Pre-infected CopCams
Conficker was a major pain in 2009. Each infected computer sent 10 to 20,000 spam emails per day. At one point an estimated ten million computers were infected for a spam load of 200 billion messages a day.
Someone has resurrected Conficker and infected body cameras destined for police use. Most modern anti-virus scanners detect it, but the real concern is how items are being infected along the supply chain. Back in 2013 the German Ministry of Education received 170 brand new, but infected, computers. Based on the cost estimate to clean and install the computers the servers were salvaged and the desktop computers scrapped! (original post in German. English translation)
This supply chain security issue means that, somewhere along the line, technology is diverted, altered, then sent on its way, ready to compromised systems. In 2011 testimony before Congress, the Department of Homeland Security said they had known about this “for quite some time”. Back in 2010 IBM (yes, Big Blue) handed out infected USB sticks at (are you ready?) a security conference.
So, fresh from the box or not, be aware!
11/16/2015 Chipotle Fake Domain
Did you ever receive email that says “do not reply”? Apparently that was a real problem for Chipotle Mexican Grill as many people were replying anyway. So the people in human resources started referred to a domain “ChipotleHR.com” which does not exist. Email sent there never arrives in their in-box so mission accomplished … right? Ah, not so much. Let this be clear: “ChipotleHR.com” is a domain that Chipotle Mexican Grill (CMG) never owned, controlled or had someone else maintain it.
So, people who improperly sent their resumes to that domain never had it delivered, what is the problem? Well, anyone could have registered that domain, set up a web site, and received the email. You know, email from job applicants just chock full of names, physical addresses, telephone numbers, email addresses, dates of previous employment, all sorts of personally identifiable information (PII) that identity thieves just love!
The good news is that Michael Kohlman, an information technology professional discovered the situation after applying for a job. It wasn’t that Mr. Kohlman really wanted to work for CMG. He is between jobs and needed documentation to support his unemployment benefits. He submitted his information and … pay attention … received an email from “Chipotle Careers” that purported to come from ChipotleHR.com. He replied to the message and investigated the subsequent email non delivery message. So, he registered the domain, arranged for web hosting and was soon receiving all that PII.
Mr. Kohlman offered the domain to CMG at no charge and the company declined indicating it “wasn’t a problem”. It might not be CMG’s problem, yet. Someone at CMG, not a small organization, decided to use a fake domain name to move the problem off their desk without considering how many people were going to be exposing their PII. Even worse: someone could use that domain to email applicants with “we’re doing a background check, please send us your social security number, your charge card number ….” and really damage the applicants. source: Brian Krebs at KrebsOnSecurity
This isn’t a new problem. Many companies use DoNotReply@DoNotReply.com to discourage replies. Given the above you can guess … some enterprising person registered the domain DoNotReply.com and received millions of emails each week destined for Fortune 500 companies, bank customers, government personnel, contractors and more. That was reported by Brian Krebs at TheWashingonPost in an article from 3/21/2008. The load may have been too much and as of 11/22/2015 the DoNotReply.com domain appears to be for sale.
Nor is CMG the only company who has problems with domain management. Google.com was owned by someone else for about a minute earlier this month and back in 2003 Microsoft forgot to renew registration of a HotMail domain.
11/16/2015 POS Malware, rising
Cherry Picker and AbaddonPOS were both revealed the last week. They are stealthy and capable point of sales charge card slurpers.
Since about 2011 Cherry Picker has targeted at the retail sector. Enhancements include counter analysis, persistence mechanisms, and improved card ripping functionality. The malware cleans up after itself leaving little evidence. Abaddon is apparently unrelated to earlier incarnations and also includes counter analysis, hiding parts of itself in multiple locations, and cleaning up leaving little trace.
See eWeek and TheRegister/UK for more.
11/19/2015 Bad Barcode!
A security researcher wrote a paper on hacking a starship with a piece of paper. What? Yep, in the 2009 remake of Star Trek, the bridge of the USS Enterprise sports a pair of bar code readers, prominently displayed on the bridge. To be fair, they are rather cool. (see slide 5 of the 49 slide presentation)
Network connected bar code readers are among the eldest on the internet of things and HyperchemMa (the author’s non-de-researcher) points out this makes them just as vulnerable to miscreants as Spying Barbie or any of the other millions of devices. Many bar code readers support Code 128 which supports ASCII control characters and with that HyperchemMa was able to demonstrate using bar codes to do bad things while operators thought they were scanning a patient ID bracelet, checking people in at airports, scanning groceries and more. How many were affected? No one knows. For more see the Sophos article.
11/16/2015 UPDATE: more POS Malware
Embraced a licensing model for malware shows again, crooks are not dummies. A new point-of-sale attacker (ProPoS) has a smaller footprint, polymorphic anti-anti-virus and other enhanced capabilities justifies its higher price. More …
11/20/2015 More hotel warnings
Malware to steal charge card data has been found at point of sale systems at Starwood Hotels & Resorts in North America. The breach started as early as November 2014, a year ago. A letter from the president is dated November 20, 2015. A list (2 page PDF) of the known affected sites includes Sheraton, Westin, Walt Disney World Dolphin and other brands. More at the source: KrebsOnSecurity [ What took a year to discover and make notification? Was it the pending purchase by Marriott? -ed ]
11/24/2015 MagSpoof
Little device forces EMV terminals to revert to swiping, then spoofs the swipe itself.
The prolific social hacker Samy Kamkar (web site and YouTube Channel) has created MagSpoof (page and 5m 19s video) which
Allows you to store all of your credit cards and magstripes in one device
Works on traditional magstripe readers wirelessly (no NFC/RFID required)
Can disable Chip-and-PIN
Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
Easy to build using Arduino or other common partsMagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.
Now Kamkar is clearly telling you this is a service for you. You are not allowed to use any cards that you are not legally authorized to use. There is good reason for him to say so.
You have to have the magnetic stripes themselves, not just the information. Sadly magnetic stripe information is available for purchase as is the machinery to imprint that information on blank cards. If you want, you can actually read the magnetic stripe information by dipping your card into a bag of iron oxide. (see MagSpoof web page linked above). The MagSpoof device is a little larger than a quarter and is non-contact. It just has to be near the point of sale terminal. The magnetic stripe has a few bits that describe if the card has a chip. If those bits say the card does not have a chip the EMV reader will request a swipe instead and because the MagSpoof works wirelessly, you don’t even have to do a swipe.
Were these devices used to monetize illegally obtained charge card magnetic track information? If so, how many were affected? No one knows!
11/25/2015 LANDesk
LANDesk recently sent a letter employees warning of a compromise that exposed personally identifable information (PII) including name and Social Security number for current and former employees of LANDesk and Wavelink (LANDesk acquired Wavelink in June 2012) In the statement LANDesk reports it discovered the breach recently. That is true, but it is reported by KrebsOnSecurity that system logs show the breach started in June 2014, more than 16 months ago. There is evidence that the attackers were doing “builds” of the LANDesk software. There is a possibility that the software was altered to allow unauthorized access to thousands of customer systems.
11/26/2015 Spying Barbie?
The new “Hello Barbie” arrives with an easily hijacked internet connection becoming a spy-bot focused on children. Just in time for the holidays!
There is no notice to the owner and, according to security researcher Matt Jakubowski, it was easy to compromise the home network and all that implies. As designed, Hello Barbie only listens when a button is pressed. The recorded audio is encrypted before being transmitted over the internet. The recording is interpreted, a response sent to the doll, then “spoken” to the human. All these features can be altered once control is established. The doll can become a live microphone hearing and transmitting everything. According to Matt, “It’s just a matter of time until we are able to have her say anything we want”. (The Guardian)
[ How many have already been compromised? No one knows. The Inherent Dangers to the Internet of Things (IDIOT) have been known for several years. See related article about light bulbs that exposed WiFi credentials in mid-2014. -ed ]
12/22/2015 Update to Spying Barbie
Almost a month after it was discovered, Kim Kommando / USA Today / CNBC have recommended you not have this intrusive “toy”.
11/26/2015 Windows 10, still slurping
Major Win10 update pulled because it removed privacy settings and slurped data. Update restored, data slurper removed, new one with a kinder name does the same thing. Privacy? You don’t need no …
Two days ago the November 2015 update (also called Threshold 2) for Windows 10 was made unavailable but mandatory. [Think on that for a moment. – ed] Some users were told they needed to apply it from Windows Update, but for some that update wasn’t visible. Why is explained. The update was eventually made available.
It also appears the update was removed because it deleted user privacy settings allowing app developers and advertisers to obtain the user’s identity. Windows 10 Threshold 2 also deleted third-party data monitoring and cleanup tools. That included like Spybot and CCleaner. It disabled Cisco’s VPN software. Just a bug, said Microsoft. Hmmmm.
Hello DiagTrack: Microsoft Diagnostics Telemetry Service (DTS) was added to Windows 8.1 installations and Windows 10 beta arriving quietly in patch KB3022345. What did it do? DiagTrack collected data without additional permission or announcement. The only evidence of it running was process in Task Manager. What did it slurp? What was said: “Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage.” What was slurped? Who really knows?
DTS disappeared in recent Windows 10 builds. Really, it was gone. Hello: “Connected User Experiences and Telemetry Service” which does … exactly the same thing with a more palatable title. According to Forbes’ Gordon Kelly “It is this kind of overriding desire for control and a disregard for user choices which is harming Windows 10”. Windows 10 is bad for your privacy, and it is damaging Microsoft’s reputation as a trusted consumer brand. (Source: TheRegister/UK)
11/28/2015 EPub reader installs adware, invisibly
and the adware isn’t a benign thing
Affected: FSS Video Downloader, FSS Google Books Downloader, FSS ePub Reader and more all from FreeSmartSoft. Also installed is FSSUpdaterService, sounds like an update checker, but it is more. No permission is asked and, other than manually terminating the service, there seems no way to turn it off. Annoying, but aside from sucking up some CPU cycles, not too bad. It gets worse. Even if you uninstalled the applications the updater remains. Still annoying, but apps that don’t clean up after themselves isn’t anything new. It gets even worse. FSSUpdaterService.exe tried to access an “infected web resource”, the “Gen.Variant.Kazy.771294” a Trojan. For more see this BetaNews article. How many were affected? No one knows!
[ We are unhappy with automatic update elements as brand new updates often bring brand new problems and we prize stability in the tools we use. Ever see a hammer ask for an update? If it ain’t broken … – ed ]
12/17/2015 Update: Three weeks later …
There have been some updated versions but surprise (not) the same back door. It still does not get uninstalled even when the application is removed. The program was changed … to bury the malware even deeper. “FSSUpdaterService” renamed to “UpdaterSrv.exe” so you can’t even tell the application being updated. More at this BetaNews article
[ Think you’ve got some application automatically running? The authors pointed us to Autoruns a utility from Microsoft so the URL above is to Microsoft not someplace else. -ed ]
11/30/2015 Millions of IOT devices, 100s of keys
As we’ve mentioned before there are Inherent Dangers in the Internet Of Things (IDIOT). SEC Consult reports on a new danger, recycled “private” keys. Quick review of “public-key cryptography” which consists of a “key pair” which is
A public key used to encrypt transactions
A private key to decrypt data locked with the public key.
As the names indicate the private key is closely held. Even if the public key is shared with someone who should not have had it, the nature of “asymmetric encryption” means they can’t use it as a private key to decrypt data.
SEC Consult found found a set of 580 unique keys contains the private keys for more than 9% of all secure http (HTTPS) hosts on the web. That is about 150 keys for more than three million hosts. The same set contains the private keys for more than 6% of all secure shell (SSH) hosts on the web. That is about 80 keys used by 900,000 hosts. Worse this means that just 230 keys will reveal the content of almost four million “secure hosts”. See also the Sophos article which may be easier to understand than the original article.
11/30/2015 Reader’s Digest joins the club
Sadly Reader’s Digest (rd.com) has joined the “We take your security seriously” crowd.
To be fair, they were probably unprepared for the Angler EK exploit of Adobe’s Flash Player 19.0.0.207 (patched October 16, 2015). The exploit delivered different payloads but one case observed the Angler EK deliver the Bedep trojan which loaded another trojan onto the computer viewing the website. This affected a number of WordPress sites, turning them into malware servers.
After being notified of the problem by Malwarebytes the company has not taken action. www.rd.com is still delivering malware. “Reader’s Digest spokesperson Pauli Cohen told SCMagazine.com in an email Tuesday, We became aware of the malware attack last week and have been working with our security provider, technology partners and platform provider to investigate the issue and perform extensive security checks on our website. At this point, we are addressing all known vulnerabilities of the site. We take security very seriously and are taking every step to ensure the integrity of our site.” Source: SCM [ Yeah? How about taking the site down so as not to infect your readers with malware? -ed ]
November 2015
In addition to others shown here in November 2015, ITRC reported 44 incidents where the number affected was unknown or undisclosed.
12/07/2015 POS Bootkits
Point of sale devices compromised before they even boot up!
Crooks are not dummies and absent moral inhibitions, legal restraints, and especially without committee meetings they are generally more efficient. Sadly, they can also be very clever.
Security researchers at FireEye / Mandiant found files and utilities that were part of what the malware developer named the “Nemesis” bootkit. Installed at such a low level generally available anti-virus software won’t find it and a complete re-installation of the operating system won’t remove it.
Nemesis’ tools include file transfer, keystroke logging, process injection, process manipulation, screen capture, and task scheduling. It communicates over a wide variety of network protocols and channels to reach back to the command and control systems. Once a system is infected the malware can be updated to provide more tools and additonal functionality.
How many systems have been compromised by Nemesis? No one knows, but we’re coming up on a major buying season. (Source: TheRegister/UK)
12/07/2015 Gas Detectors – remotely hackable
Industrial gas detectors can be hacked to ignore fatal/flammable gas concentrations. Fixes available.
Honeywell Midas (v1.13b1 and prior) and Midas Black (v2.13b1 and prior) gas detectors are urged to patch their firmware to protect against a pair of critical, remotely exploitable vulnerabilities. These test air for specific toxic, flammable, and ambient gases and are in general, worldwide, use in several sectors including Chemical, Commercial Facilities, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems.
There are Inherent Dangers in the Internet Of Things and another one was discovered. As reported to the Industrial Control System Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security (DHS), advisory ICSA-15-309-02 was posted to the secure library on November 5, 2015 and released to the public on December 3, 2015.
Maxim Rupp, an independent researcher, identified the vulnerabilities which could allow a remote attacker to bypass the authentication process, potentially allowing configuration changes. The National Vulnerability Database Common Vulnerability Scoring System (CVSS) scores rate vulnerabilities as low (0.0 to 3.9), medium (3.0 to 6.9) and high (7.0 to 10.0). These vulnerabilities were assigned CVE-2015-7907b with a base score of 8.6 and CVE-2015-7908e with a base score of 9.4.
Patches are available under the Honeywall products page for Midas gas detectors. (look under the software tab)
As for the incredulity that such a device could be altered remotely to ignore fatal or flammable gas concentrations .. see the Sophos article.
12/07/2015 Yahoo Mobile – oops!
The good news, it is fixed. The bad news, it happened in the first place and could happen again.
The mobile interface for Yahoo Mail could infect a mobile system and the user didn’t even have to open the email! Penetration tester Ibrahim Raafat reported the bug on November 11, 2015 and Yahoo had it closed just ten days later. The bug was a cross site scripting (XSS) attack, common, and easily prevented. All it takes is code, supplied by a user, in a place where code isn’t expected such as forum post, blog comments or … email. The code is run and the exploit launched.
Need a demo? Here is a video (look lower on the page) where he composes an email with some code to open a popup, then sends it to himself. When he goes to look for new messages the popup appears with no further prompting. How many were infected via this exploit? No one knows. For more see the Sophos article.
12/08/2015 Bloatware Bugs … spreading!
Preloaded software exposes computers to remote hacking, hundreds of millions of computers.
Sometimes the computer you bought comes with preloaded software. Some you might want, most people don’t and try to get rid of it. It is derogatorily called bloatware because it often has a negative impact on the overall performance of the computer.
A security researcher has found three original equipment manufacturers (OEMs Dell, Lenovo and Toshiba) have installed bloatware that makes those computers vulnerable to multiple remote exploits even more so than a computer with a plain vanilla operating system installation. The researcher has published proof-of-concept code so examples are available for crooks to model. CERT has issued a vulnerably note 294607 (revised 12/8/2015) citing three problems with Lenovo. “Emergency” patches to brand new hardware are not silver bullets, some introduce more problems. Source and more at the DataBreachToday article.
12/09/2015 McAfee
A specially crafted username can gain master user (NGCP) status and access the McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM), and Enterprise Security Manager/Receiver (ESMREC) by having their password not validated while using Active Directory or LDAP authentication. Description and patches available via this link from McAfee. Reported as CVE-2015-8024 in this National Vulnerability Database entry. How many were exposed because of this? No one knows.
12/09/2015 XBox Certificate Exposed
“private” certificate XPosed.
Yesterday Microsoft reported Inadvertently Disclosed Digital Certificate Could Allow Spoofing in a posting on its technet. Bad news: The certificate for *.xboxlive.com could be used in perform man-in-the-middle attacks and affects all supported releases of Windows. Good news: the exposed certificate cannot be used to create other certificates, used to authenticate other domains or to authenticate program code. Recommendations, suggested actions, lists of affected software, an advisory FAQ, and other information is available via the link above. How many were affected by this exposure? No one knows.
12/10/2015 Easily/UK Webhost hacked
“Easily” web hosting joined the growing ranks of hacked providers.
In an email Thursday December 10, 2015 they reported: “We have found no evidence that your account details, passwords or any personal information which could identify you was accessed”. NetNames Group (Easily’s parent company) spokesperson: “unauthorised access was gained to our internal systems and a list of domain names registered on behalf of our clients was accessed. This information is already publicly available on the WHOIS database which is a public listing of domain names. There is no evidence that any account details, passwords or personal information which could identify individual customers was accessed.” Easily/UK hosts web sites, email and facilitates registration of domain names. They report 100,000 customers in 150 countries. The number exposed is unknown, or undisclosed. Source
12/10/2015 Quis custodiet ipsos custodes?
Who will guard the guards themselves?
One of several translations, this one is used to ask who watches over the cyber-guardians who watch over us, protecting us from malware, adware and others that interfere with our use of computers. With an estimated 400 million users and a market valued in the billions of dollars, that is worth watching. A vulnerability could affect millions.
In this case it was researchers at enSilo who recently posted about a vulnerability in allocating memory that allowed attackers to inject malicious code. (See post link for details). In March 2015 they discovered that an attacker could exploit other vulnerabilities to affect the underlying operating system. They disclosed the vulnerability and AVG had it fixed in less than a week. Following up, the researchers evaluated other security suites and found other major manufacturers equally vulnerable.
Affected were
AVG Internet Security 2015
Kaspersky Total Security 2015
McAfee VirusScan Enterprise version 8.8
Source: TheRegister/UK article
[ Is your anti-virus system vulnerable? If you update regularly, probably not. Visit this GitHub link for a downloadable tester. How many were exposed? No one knows! – ed ]
12/11/2015 Who pushed porn to the kids?
Kids app toy serves porn ads.
Adults generally trust television not to serve up porn to kids because, in the United States, we have the Federal Communications Commission (FCC) saying that is bad and punish offenders, severely.
The Talking Tom Cat is an application (app) for Android and Apple’s iOS. As of 2012 it had already passed 100 million downloads as one of a dozen-plus talking, virtual friends. As with many “free” apps it is advertising supported. In August 2015, several clearly-inappropriate ads were displayed to children as young as three years old. In the UK they have the Advertising Standards Authority (ASA) which on 12/9/2015 upheld complaints from parents about those inappropriate ads.
So who is responsible? Out Fit 7 Ltd has a subsidiary Outfit7 Inc that provided the app. Outfit7 engaged Plymouth Associates Ltd. to provide the advertising. Plymouth denied responsibility and suggested a “malicious third party” was responsible. Absent evidence, the ASA smacked Plymouth. Details on the ads and more can be found in this Sophos article.
[ Regardless of who actually placed the ads in the kids app, the ads benefited someone. That someone should be a target of investigation. As with any complex or confusing issue ask cui bono?, or to whom the good? (sometimes shortened to follow the money) The same concept applies to spam. Regardless of who sent it, the person, or company, that benefits is suspect. While smartphones are not exactly things on the internet, adults should be aware of the Inherent Dangers on the Internet Of Talking toys where there are few editors of myth-information or regulators of miscreants. How many kids were exposed to these ads? No one knows! -ed ]
12/11/2015 Paying for Parking with Smartphone?
Maybe not such a good idea.
The UK office of NCCGroup tested six applications used for parking payment. Summary: ALL had security weaknesses, some worse than others.
Android being the focus of their practice these are all Android applications. Some were small scale between 5,000 and 10,000 others on a larger scale of up to one million registered users. Five encrypted transmitted information with Transport Layer Security (TLS), but none verified the server certificate. This means an interception could spoof the connection using a man in the middle (MITM) exploit which could lead to compromising all the information on the phone. One vendor made their own encryption. Might be better, but without significant experience, probably not. In this case, definitely not. One vendor confirmed username and chose password via unencrypted email. More weaknesses are in the article linked above. How many were compromised by these apps? No one knows!
12/14/2015 Comcast exposes users to NuclearPack
Comcast cable broadband customers visiting just one page might get hit with ransomware and a tech-support scam.
An ad link that appears on Comcast’s Xfinity referred to “DirectTV compared to Comcast TV,” which led to a page on the apparently legitimate SatTVPro website. Unfortunately someone hadn’t kept up with security patches. That page had been infected with the dangerous Nuclear Pack browser exploit kit. The users were sent to a fake Comcast Xfinity site, got a popup informing the victim that their computer was infected, and to call a provided toll-free number to speak to “Microsoft security technicians.” It won’t be Microsoft on the line. It will be someone trying to sell you computer-security software.
The problem has been fixed, but the wider question of how did it get that way in the first place remains unanswered. How many were compromised? No one knows. See more at the article in TomsGuide.
12/14/2015 Microsoft Word delivers … something bad
We’ve discussed how the power inside some word processors can treat what is supposed to be a data file as a program launch pad to attack your computer. One example is the Dridex banking scheme that works via macros in Microsoft Office making it a weaponized Word document. Someone has made a weaponization toolkit, easy for crooks to use to get malware into your computer. Read more at this Sophos article and remember:
Don’t open Microsoft Office documents from people you don’t know. Make sure your system is set up to ASK for permission to execute macros. Do NOT give approval for macro execution for documents you might suspect. Security is in YOUR hands.
12/15/2015 More than Santa knows what you want
Researchers find apps expose holiday lists
Avast researchers found retailer apps collect more information apps than you might realize and don’t guard that information well. Apps examined were from Home Depot, J.C. Penney, Target, Macy’s, Safeway, Walgreens and Walmart. Target’s database includes wish lists (entries in a gift register), the type of register, names, shipping addresses, email addresses, and phone numbers. How did they find out? The Target app’s Application Program Interface (API) is easily internet-accessible and it does not require authentication. All the data is served on a silver platter in a JavaScript Object Notation (JSON) file.
The researchers retained no data, but from a 5,000 entry sample they made some interesting observations. They also found that Walgreen’s app requested much more permission than it needs to fulfill what you think they are doing. Why do they need to prevent your phone from sleeping or control the flashlight? For more see this Avast blog entry
[ It appears that institutional memory is failing again. Security is not an add-later, but a build in. -ed ]
12/17/2015 Juniper finds odd code
Juniper found code in their networking equipment that they didn’t put there. The software had been modified to allow secret access, posing a huge threat to companies and organizations using the equipment. How did modifications get been made years ago without the company knowing until recently? See this Computerworld article. How many systems and users were compromised? No one knows
12/18/2015 PayU & Hashing
Or, how to bumble a hash function allowing consumers to get more for less.
“Cryptographic hash” a versatile tool that can be used, abused and confused. Quick review: A hash function accepts a parameter and creates a signature generally considered unique to the parameter. It is impractical to take that signature to generate the parameter. For example: Hash(ABC)=1 so Hash(CAB) is something other than 1. The hash function has no understanding of the parameter, just that it is a bunch of symbols in some order.
Among other things in a purchase PayU collected quantity and total price. The price was shown in cents so 100 is really one dollar. So two items totaling $5.25 would be represented as “2525”. That sequence would be hashed and the order processed. If you were to magically change the price to $4.25 it would be represented as “2425”, the hash would not compute and the order be flagged. So far so good. What if you changed the quantity to 25 and the price to a quarter each? That would also be represented as “2525”, the hash would compute and you’d get 23 more for $5.00 less. Cyber or not this is still theft! All this because it was presumed no one could change the elements. They were wrong. How many times was PayU a victim? No one knows!
[ Note to future programmers: For the few additional characters use delimiters in the single parameter. In this case try “2/525” with a slash to separate quantity from price. -ed ]
12/21/2015 Utilities Exposed
Large scale hacks of utilities unreported to public or Congress.
A security researcher trailing hackers of a California university’s housing files and found cyberattackers had hacked networks running the United States power grid. Already compromised were passwords, engineering drawings for dozens of power plants so detailed skilled attackers could have used them knock out electricity flowing to millions of homes.
The Associated Press has found about a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control these operations networks. “The public almost never learns the details about these types of attacks — they’re rarer but also more intricate and potentially dangerous than data theft. Information about the government’s response to these hacks is often protected and sometimes classified; many are never even reported to the government.”
As part of a yearlong examination AP conducted more than 120 interviews and examined dozens of sets of data, government reports and private analyses. All this to gauge whether the industry is prepared to defend against cyberattacks. More at AP
Yesterday the Wall Street Journal reported that Iranian hackers infiltrated a dam in New York back in 2013. [ we didn’t hear about that one either -ed ]
3/24/2016 Update Dam Attackers Indicted
An indictment against “experienced computer hackers” who “performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps” was unsealed today. They are thought to be those responsible for denial-of-service (DDoS) attacks against several banks, the NYSE, AT&T and one attempt to control a dam in Rye, New York. As none of the indicted are in the United States, or located in a country with extradition, their appearance is court is doubtful. More at The New York Times.
12/21/2015 Airbnb has spycams?
At least one person found a spycam in a rental. Were there more?
A couple rented an Airbnb place in California for a month. On the third day they noticed a light coming from a shelf in the living room. According to the complaint that light was from a hidden remote-controlled camera. More at this Sophos article including other rental horror stories where the guests and the hosts have been victims. The case was filed 12/14/2015 Yvonne Edith Maria Schumacher v. Airbnb, Inc. et al 3:15-cv-05734 Civil (SF/OK- 3-Personal Injury) JCS in the Northern District of California. The claim is against Airbnb for negligence and against the hosts for privacy violations and intentionally inflicting emotional distress.
12/23/2015 Hyatt Hacked
Today the Hyatt Hotels Corporation announced malware was found on computers for payment processing systems. That was about all they posted in this news release. More: According to the New York Post Chicago based Hyatt knew about the breach in late November, more than a month before disclosing it. Given that Hyatt Hotels has over 600 properties in more than 50 countries the exposure could be huge, but as of 12/31/2015 no additional information had been made public.
1/15/2016 Update Hyatt Reports
Hyatt reports that malware infected 250 of its locations across 50 countries potentially affecting anyone who used a charge card between July 30, 2015 through December 8, 2015. Hyatt Notice (includes instructions for TransUnion’s CSID Protector services) List of Affected Properties by Country, FAQ. [ For all this information the “how” and “how many” questions are unanswered -ed ]
12/28/2015 Who has the keys to your new computer?
New Windows devices have built-in encryption turned on by default. That is the good news.
If you log in to Windows 10 using your Microsoft account, your computer automatically uploaded the key which can unlock the encrypted disk. That means Microsoft has your key and that is bad news. More, including how to generate new keys that don’t wind up at Microsoft, at TheIntercept. [ So, how many people have had their keys compromised this way? No one knows! -ed ]
December 2015
In addition to others shown here in December 2015, ITRC reported 46 incidents where the number affected was unknown or undisclosed.
In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended as are The Identity Theft Resource Center (ITRC).
View the 2015 summary
Return to References page
Return to Year links page
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.