Tag Archives: data breach

Email Data Breach Exposes Over Two Billion Personal Records – Has Cyber Security failed?

20 April 2019

Scott Ikeda’s report(1) on the Verifications.io data breach makes one thing clear: The incurable disease named cyber-security carelessness that leads inevitably to data breaches caused also this incident.

First of all, the company misjudged the criticality of the data. Although the exposed information is publicly accessible the compilation in few data sets simplifies the job of cyber criminals. Phishing emails are just more credible if high quality data(1) is used.

Secondly, the information in the MongoDB was accessible for everyone with internet access. This is not an isolated case. As of today, about 64,000 MongoDB(2) are visible in the internet, thereof about 18,000 with authentication not enabled.

MongoDB accessible to the internet.

MongoDB accessible to the internet.

The system developers ignored the vendors security advice provided in section ‘Limit Network Exposure’ of the MongoDB security checklist(3):

“Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.”

This is easy to implement, at low cost.

Cyber security is about people, processes and technology. In this case, lack of cyber security awareness and missing security processes caused the incident. Nevertheless, security solution vendors advice(1) to implement new security technology for preventing such incidents:

“Security tools that automatically protect your data such as data loss prevention (DLP) and digital rights management (DRM) help secure your sensitive information. In the event that an important cloud vendor doesn’t have the right data protection, you can wrap their applications with a cloud security broker to provide the necessary cloud security and protection for your data.”

The big question is: Are such solutions effectively mitigating the risk if the system is accessible from the internet, without authentication?

I very much doubt because the number and extent of data breaches is continually growing, despite annually increasing investments into cyber security. Technology does just not cure cyber-security carelessness.

Have a great weekend.

References

  1. Ikeda S. Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records [Internet]. CPO Magazine. 2019 [cited 2019 Apr 14]. Available from: https://www.cpomagazine.com/cyber-security/largest-leak-in-history-email-data-breach-exposes-over-two-billion-personal-records/

  2. The Shadowserver Foundation. The Shadowserver Foundation: MongoDB NoSQL Server Scanning Project [Internet]. 2019 [cited 2019 Apr 19]. Available from: https://mongodbscan.shadowserver.org/

  3. mongoDB. Security Checklist — MongoDB Manual [Internet]. https://github.com/mongodb/docs/blob/v4.0/source/administration/security-checklist.txt. [cited 2019 Apr 19]. Available from: https://docs.mongodb.com/manual/administration/security-checklist

Senators accuse Yahoo of ‘unacceptable’ delay in hack discovery

4 October 2016

Six Senators demanded that Yahoo should explain why it took about 2 years before the massive data leak came to light.

In Reuters Technology News of 27 September 2016 Dustin Volz and Lisa Lambert wrote:

The lawmakers, all Democrats, said they were “disturbed” that the 2014 intrusion, which was disclosed by the company on Thursday, was detected so long after it occurred.

“That means millions of Americans’ data may have been compromised for two years,” the senators wrote in a letter to Yahoo Chief Executive Marissa Mayer. “This is unacceptable.”

This is a very interesting turn on events, but entirely justified.

In report ‘Yahoo breach calls into question detection and remediation practices’ published on SearchSecurity on 28 Sep 2016, Michael Heller discussed the question about Yahoo’s detection and response practices. I haven’t seen any discussions about missing preventive controls, although these are the foundation for the rapid detection of cyber-attacks.

The goal of prevention is to force the attacker to make errors by isolating him from his and our environment. A well-tuned SIEM system should then rapidly detect such anomalies and create incidents from them. A good mixture of detection and prevention is required for the rapid detection of cyber attacks.

For a comprehensive discussion on prevention and detection see post Cyber Security Investments: Experts Discuss Detection vs. Prevention published in the Digital Guardian blog.

In briefing document ‘The Strategic Game of ? and ?’ John Richard Boyd shows the direction to cyber security:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Have a good week.

Is ‘Encryption of Everything’ the new savior in the Cyber War?

26 September 2015

Data breaches in 2015 are at record level. By September 22, 2015 the Identity Theft Resource Center (ITRC) identified 563 data breaches with 150,196,896 records compromised in total. The number of compromised records is nearly twice as high as in 2014, where 85,611,528 records were breached in total.

Encryption is recommended as a means of choice for protection against data breaches and theft of intellectual property as well. Friday evening, I attended the SC Magazine WebCast “Creating an Encryption Strategy for Modern Risks Mitigation”. David Shackleford and Charles Goldberg are drafting a “Encryption Everything” strategy for all company internal information irrespective of whether it is stored on premise of in a cloud.

The idea of ‘encryption of everything’ has a certain charm and, if well implemented, will avoid that internal information is useable outside the encryption key perimeter of a company. But it is dangerous to assume that encryption of everything will prevent data breaches.

The problem with encryption comes always from the users who are authorized to access the information. And the big question is always how an authorized user can be uniquely identified.

It’s not easy to answer the question, whether an authorized user is signing in to your system or a cyber attacker with the credentials of an authorized user because in both cases the event log will only show a successful sign-in attempt of a user.

Encryption plays an important role in a company’s security strategy. If used as isolated protection measure, it’s just waste of money.

Have a good weekend!

11 Million Ashley Madison Passwords Already Cracked

14 September 2015

This LIFARS post from last Friday should shake up every service provider. It’s definitely time to make Two Factor Authentication (TFA) obligatory for all services which process personal details.

Microsoft Authenticator App

Microsoft Authenticator App

TFA is no longer a matter of technology. For example, Authenticator Apps are available for all phone operating systems and, really easy to use. Combined with even a weak passwords the one-time passcodes generated by the authenticator apps form a nearly unbreakable authentication method.

In my opinion it’s high time for service providers to make procedures for the use of TFA for their services technically available. And they should force users in their own interest to switch to TFA, if necessary by proper terms of use for their services.

With this, news like Ashley Madison Breach Reveals Ridiculously Weak Passwords are a thing of the past.

Take care! And learn how-to protect yourself against identity theft.

Excellus BCBS Breached, 10 Million Customers’ Records Affected

12 September 2015

When I read the headlines of this LIFRAS post my first thought was:  “2015 is going to be an annus horribilis for the US healthcare insurers”. Anthem, Premera, and now Excellus, what organization will be the next?

One paragraph in the Excellus announcement of the data breach is really interesting:

‘On August 5, 2015, Excellus BlueCross BlueShield learned that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems.  Our investigation further revealed that the initial attack occurred on December 23, 2013.’

It took 590 days to identify the breach! That are 8 days more than the maximum Mean Time To Identify (MTTI) of 582 days the latest Ponemon cost of data breach study found for 2014.

This is really remarkable because it makes clear that a ‘very sophisticated’ cyber-attack is hard to identify, even with latest security technology in place. And I bet, Excellus has such technology installed. I am really curious about the details of the attack.

Take care! If you like to do some further reading please take a look at the latest issue of the Cyber Intelligencer ‘You can’t detect what you can’t see’.

Criminals use IRS website to steal data of 104,000 people

30 May 2015

On 10 June 2014 I wrote my first post on this blog about the eBay data breach, which was published on 21 May 2014. This Thursday, nearly a year later, the Internal Revenue Service (IRS) data breach was made public. Cyber attackers used personal information mined from other attacks, even perhaps from the eBay attack, to breach the “Get Transcript” accounts of more than 100,000 taxpayers.

Jose Pagliery wrote on CNN Money on May 26, 2015: “The IRS said criminals were able to use the Get Transcript service, because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even answered correctly those personal identity verification questions — the ones we all know as being too specific, annoying and difficult to answer ourselves.”

FIDO U2F Security Key

FIDO U2F Security Key

Well said, those identity verification questions are really annoying. And inherently unsafe, as we learned from a Google study published this week.

And yet the obvious solution would be to discard all those questions and to use Two Factor Authorization instead. For example a FIDO U2F security key in combination with a one-time PIN or fingerprint would be a nearly unbreakable and cheap solution.

How many data breaches must still take place before organizations seriously start securing their customers personal data?

Have a good weekend!

How to Mitigate the Risk of Cyber Attacks? The Principle of Least Privilege shows the Direction!

21 March 2015

Lysa Myers writes in ‘Premera Breach: Healthcare businesses in the crosshairs‘, published on 18 March 2015 in welivesecurity.com about ‘five things businesses should be doing to help decrease risk and mitigate damage in case of a breach.’

I find it most remarkable that one of her recommendations is to enforce the Principle of Least Privilege in daily business. In my opinion this is the right step in the right direction.

Enforce the principle of least privilege across the entire IT infrastructure and application stack and you will gain back control.

For example, access to the company network should be granted only to those people who need this to do their job. In addition, access should only be possible during standard working hours, and, in the best case, from a single computer at a time.

This will prevent attackers from accessing the company network outside the working hours and from using an account during working hours from another computer.

From this example it becomes clear that to enforce the Principle of Least Privilege changes have to be applied to all sides (People, Processes and Technology) of the Golden Triangle of IT security.

In addition, the principle of Separation of Duties should be enforced for access to business critical information. In any case, access to critical information should be approved by the information owner. In the best case, access should only be possible if the information owner and the employee are logged in at the same time in the application system.

Enjoy Lysa’s post, and have a good weekend.

Anthem hacked – company says five employee’s credentials phished and used

26 February 2015

In his report ‘Anthem: company says five employee’s credentials phished and used’ posted on IT Security Guru at 12 February 2015, Dan Raywood gives us some background details about how the hack occurred.

The attackers used a phishing attack to steal the credentials of employees. To be honest, I’m relieved to hear that. No rocket science! Phishing is and remains the #1 attack vector.

Awareness training and Two Factor Authentication are the preferred preventive protection measures. Anthem did the right thing. In report ‘Anthem’s IT system had cracks before hack’ we read: ‘Then on Feb. 7 and 8, Anthem reworked all its IT accounts that have privileged access to sensitive information to now require three layers of authentication—a permanent login, a physical token, and a temporary password that changes every few hours.’

If Two Factor Authentication could not be implemented, SmartScreen Filtering in Internet Explorer or the Reported Attack Site Blocker in Firefox could be helpful. The error messages can hardly be ignored:

SmartScreen Warning Phishing Attack

SmartScreen Warning Phishing Attack

Some anti-malware packages, e.g. Trend Micro Maximum security, will also block access to malicious sites. But the above options are of limited use in the case of zero day exploits, although it’s amazing to see how fast the filters are updated.

Have a good day! … And,  don’t forget to activate SmartScreen Filtering as soon as possible.

Anthem hacked – 80 Million data sets lost

11 February 2015

This was a really long winter break. The Sony hack is all water under the bridge now. The hackers have gone back to work, with a bang. 80 Million data sets lost. Anthem was hit particularly hard, and Anthem’s customers are hit by a wave of phishing emails.

The main question is always: How could it happen? And, what can be done to prevent such thefts in the future?

I found an interesting statement in a report published 2/4/2015 by Steve Ragan at CSO-Online:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

This makes it clear: The attackers got access to at least the database login information of some database administrators. In addition, they had to steal some at least standard user credentials for access to company computers. This is required to start the database queries. The rest is easy!

Remind: Attackers can read in company networks like in an open book.

Once they got access to some computers, social engineering could be used to find information about the business critical databases. With an e.g. Oracle client and Microsoft Access as front end, they are able to read all data, even if the database is fully encrypted. In the case of an SQL-Server backend you do not even need a database client software installed because the ODBC driver is part of the Office installation.

The big problem is that any company workstation could be used to launch a query. Even if e.g. an Oracle client is not installed, an instant client, which could be installed by the user, is absolutely enough for access to the business critical data.

The attack surface is enormous. But it’s easy to shrink it. Most database providers offer whitelisting technologies to restrict access from computers to the database server. In the best case, only some application servers, backup systems and admin workstations must have access to the database. Include only this systems in the white list, and exclude all other computers in the black list. That’s it.

For Oracle, parameter TCP.INVITED_NODES specifies the white list, TCP.EXCLUDED_NODES the black list in the SQLNET.ora configuration file.

The only question remaining is: How could the attackers get access to the login credentials of the database admins and the standard users? Unfortunately I haven’t found any hints so far…

That’s it for today.