Monthly Archives: August 2016

Dropbox employee’s password reuse led to theft of 60M+ user credentials

Dropbox disclosed earlier this week that a large chunk of its users’ credentials obtained in 2012 was floating around on the dark web. But that number may have been much higher than we originally thought.

Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.

Here’s the exact phrasing from the 2012 blog post:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.

According to a Dropbox source, in addition to the user emails initially disclosed in 2012, a batch of hashed passwords associated with those emails was also taken. At the time of the breach, Dropbox was moving away from using the hashing function SHA-1, a standard algorithm at the time, and replacing it with the more robust standard called bcrypt. Some of the stolen passwords were hashed with SHA-1, while 32 million were hashed with bcrypt, Motherboard reports. The passwords were also secured with a salt, a random data string added to strengthen the hash. Even though these passwords have now been dumped online, it does not appear that the hash protections have been cracked.
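The paragraph above describes a password table caught mid-migration: some records still under salted SHA-1, the rest already under bcrypt. The usual way to get there without forcing everyone to reset is to rehash each account at its next successful login, which is exactly why a table stolen during the transition mixes both schemes. The following is an added illustration of that upgrade-on-login pattern, not Dropbox's code; since Python's standard library has no bcrypt, PBKDF2-HMAC-SHA256 from hashlib stands in for the slow hash, and the record format, iteration count and account names are assumptions.

```python
"""Upgrade-on-login from salted SHA-1 to a slow hash.

Added illustration, not Dropbox's code. Python's standard library has no
bcrypt, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the
migration logic is the same whichever slow hash is used.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor; bcrypt expresses this as a cost parameter

# Record format (constructed for this example): "<scheme>$<salt hex>$<digest hex>"

def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Salted SHA-1: the salt defeats precomputed tables, but one SHA-1 is so
    cheap that whoever holds the table can still test enormous numbers of
    guesses per second against each record."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"

def strong_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash: every guess costs PBKDF2_ITERATIONS HMAC operations."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()
    return f"pbkdf2${salt.hex()}${digest}"

def check_record(record: str, password: str) -> bool:
    """Recompute the digest under the record's own scheme and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = hashlib.sha1(salt + password.encode()).hexdigest()
    elif scheme == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()
    else:
        return False
    return hmac.compare_digest(candidate, digest_hex)

def verify_and_upgrade(store: Dict[str, str], email: str, password: str) -> bool:
    """Authenticate; if the record is still legacy, rehash it now. Login is the
    only moment the plaintext is available, so a migration that does not force
    resets can only move users one successful login at a time, which is why a
    table stolen mid-migration mixes both schemes."""
    record = store.get(email)
    if record is None or not check_record(record, password):
        return False
    if record.startswith("sha1$"):
        store[email] = strong_record(password)
    return True

def legacy_fraction(store: Dict[str, str]) -> float:
    """Share of accounts still on SHA-1: the part of a leaked table that is cheap to attack."""
    if not store:
        return 0.0
    return sum(r.startswith("sha1$") for r in store.values()) / len(store)

def constructed_store() -> Dict[str, str]:
    """Two constructed accounts: one not yet migrated, one already on the slow hash."""
    return {
        "legacy@example.com": legacy_sha1_record("correct horse", salt=b"\x01" * 8),
        "migrated@example.com": strong_record("battery staple"),
    }

if __name__ == "__main__":
    store = constructed_store()
    print(f"legacy share before login: {legacy_fraction(store):.2f}")
    verify_and_upgrade(store, "legacy@example.com", "correct horse")
    print(f"legacy share after login:  {legacy_fraction(store):.2f}")
```

`legacy_fraction` is the number a defender watches during such a migration: it is the share of a leaked table that remains cheap to attack.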

In a November 2012 interview with Forbes, Dropbox CEO Drew Houston said the service had drawn around 100 million users, double the figure from a year prior. The company most recently said it now has 500 million registered users, though it won’t say exactly how many of those are monthly active users. If Dropbox had roughly 100 million users at the time the hack occurred, this breach represented a staggering three-fifths of the company’s user base.

Hackers used an employee’s password, reused from the LinkedIn breach, to access Dropbox’s corporate network and steal the user credentials, sources said. So the fault doesn’t rest 100% on Dropbox, though it’s still a breakdown of security standards within the company and emphasizes the perils of password reuse, which can extend into a corporate environment.

Dropbox has taken steps to ensure that its employees don’t reuse passwords on their corporate accounts, Patrick Heim, head of trust and security for Dropbox, told TechCrunch. The company has licensed the password management service 1Password for all employees, in an effort to encourage the use of unique and strong passwords. Dropbox also requires two-factor authentication for all internal systems, Heim said.

Given that Dropbox has continued to grow and there have been no colossal security snafus (that we know about), the company appears to have gotten by largely unscathed. Online cloud storage services are frequent targets for hackers because of the variety of content stored. One of the most poignant examples is the massive private celebrity photo leak that happened in September 2014. Dropbox was not linked to that hack, and sources stress that the passwords contained in the 2012 breach do not appear to have been cracked.

And again, this happened in 2012, when Dropbox was still a young company (worth only $4 billion, compared to its $10 billion valuation now). Security breaches like this occur, though for Dropbox to be so light on the details can be frustrating given the necessity of transparency during security breaches.

 

Scary iPhone malware that steals your data is a reminder no platform is ever safe.


If you haven’t done so already, go and update your iPhone, iPad or iPod touch to iOS 9.3.5 right now. To update, go to Settings > General > Software Update.

It may not seem urgent because it’s only a “point release,” but the update is crucial or you risk having all of your data secretly stolen by invisible malware that can install itself on your device and even uninstall itself without leaving any traces behind.

Two reports from the New York Times and Motherboard published on Thursday detail how three major security holes, patched via the update, could be exploited by hackers to track and steal practically all of the private data on your iOS device.

According to both reports, Ahmed Mansoor, a human rights activist from the United Arab Emirates, discovered the vulnerabilities when he received a suspicious text message with a link that would have provided “new secrets about torture of Emiratis in state prisons.”

Had Mansoor clicked on the link, he would have been directed to a website that would have exploited all three security holes and installed malware onto his iPhone, giving remote hackers full access to his device.

Thankfully, Mansoor didn’t click the link. Instead, he alerted Citizen Lab, an interdisciplinary lab based at the Munk School of Global Affairs at the University of Toronto that focuses its research on the intersection of human rights and security.

Citizen Lab identified the link as belonging to NSO Group, an Israel-based “cyberwar” company reportedly owned by American venture capital firm Francisco Partners Management, which sells spyware solutions to government agencies.

Along with additional research from cybersecurity firm Lookout, it has been revealed that the three exploits (dubbed “Trident”) are “zero-day” level, meaning the malware kicks in immediately as soon as it’s activated (in this case, once the link is opened, the malware automatically installs itself and starts tracking everything).

“Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” write Bill Marczak and John Scott-Railton, two Citizen Lab senior researchers.

According to Lookout, the software is highly flexible and can be configured in a number of ways to target different countries and apps:

The spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.

Upon discovery, the two organizations immediately notified Apple and the iPhone maker immediately got to work on iOS 9.3.5, which was released on Thursday.

Though Trident and the type of malware NSO sells (called “Pegasus”) are mainly used by governments to target dissidents, activists and journalists in volatile countries like the United Arab Emirates, Mexico, Kenya, Mozambique, Yemen and Turkey, they can be used to target any iOS device.

The very idea of having all your data stolen without any real effort should scare everyone into updating their iOS devices.

As we’ve entrusted our smartphones and tablets with more and more of our personal data, it’s more important than ever to always be running the latest software with the most up-to-date security patches to prevent digital spying and theft.

Quicker to protect iOS than Android

It took 10 days for Apple to release an update to close the holes after Citizen Lab and Lookout alerted the company.

Ten days may seem like a long time, but when you compare it to how long it would take for Android devices to get updated for such a critical patch, it’s like hyper speed.

One of the benefits of iOS is its tightly-integrated software and hardware. Because there are fewer devices and they all run the same core software, Apple can test and deploy security updates quickly and easily with fewer chances of something going wrong.

Android, on the other hand, is fragmented into tens of thousands of distinct devices, and customized in too many versions for even the most diehard Android fan to remember. This makes it extremely challenging for phone makers to test and release updates that plug dangerous security holes quickly.

Google’s Nexus devices are quicker to get software updates because they all run stock Android and Google can push them out in a similar way to Apple. Same goes for Samsung and its Galaxy phones.

But there’s often little incentive for Android phone makers to update their devices. Software maintenance is costly and that’s why you’ll see many Android devices from lesser-known brands either update their phones months or years later or never at all.

No platforms are ever truly secure

The publication of these security flaws, and how serious falling victim to them could be, invites another conversation: media portrayal.

Android bears the brunt when it comes to being portrayed as the less secure platform, but as this case has shown, no matter which platform is really more secure, all platforms are susceptible to hackers.

Security is an ongoing and never-ending battle between phone makers like Apple and Google and hackers. It’s a constant cat-and-mouse game where each side is always one step ahead or behind the other.

Had Mansoor not alerted Citizen Lab, the Trident exploit would have continued to exist without anyone knowing. Lookout believes the malware has existed since iOS 7. NSO Group’s Pegasus malware can also be used to target Android and BlackBerry devices, too.

While no platform will ever be truly secure, updating to the latest version of your phone’s software is the best way to remain safe.

 

Could Criminals Make A Billion Dollars With Ransomware?


Bitcoin has not only changed the economics of cybercrime by providing crooks with an encrypted, nearly anonymous payment system autonomous from any central bank. It’s also changed researchers’ ability to track how much money criminals are making.

“Bitcoin is based on Blockchain, and Blockchain is a public ledger of transactions. So all Bitcoin transactions are public.” “Now, you don’t know who is who. But we can see money moving around, and we can see the amounts.”

Every victim of Ransomware — malware that encrypts files and demands a payment for their release — is given a unique wallet to transfer money into. Once paid, some ransomware gangs move the bitcoins to a central wallet.

“We’ve been monitoring some of those wallets,” Mikko says. “And we see Bitcoins worth millions and millions. We see a lot of money.”

Watching crooks rake in so much money, tax-free, got him thinking: “I began to wonder if there are in fact cybercrime unicorns.”

A cybercrime unicorn?


A tech unicorn is a privately held tech company valued at more than a billion dollars. Think Uber, AirBNB or Spotify — only without the investors, the overhead and oversight. (Though the scam is so profitable that some gangs actually have customer service operations that could rival a small startup.)

“Can we use this comparison model to cybercrime gangs?” Mikko asks. “We probably can’t.”

It’s simply too hard to cash out.

Investors in Uber have people literally begging to buy their stakes in the company. Ransomware gangs, however, have to continually imagine ways to turn their Bitcoin into currency.

“They buy prepaid cards and then they sell these cards on Ebay and Craigslist.” “A lot of those gangs also use online casinos to launder the money.”

But even that’s not so easy, even if the goal is to sit down at an online table and attempt to lose all your money to another member of your gang.

“If you lose large amounts of money you will get banned. So the gangs started using bots that played realistically and still lose – but not as obviously.”

Law enforcement is well aware of the extremely alluring economics of this threat. In 2015, the FBI’s Internet Crime Complaint Center received “2,453 complaints identified as Ransomware with losses of over $1.6 million.”

In 2016, hardly a month has gone by without a high-profile case like Hollywood Presbyterian Medical Center paying 40 Bitcoin, about $17,000 USD at the time, to recover its files. And these are just the cases we’re hearing about.

The scam is so effective that it seemed that the FBI was recommending that victims actually pay the ransom. But it turned out their answer was actually more nuanced.

“The official answer is the FBI does not advise on whether or not people should pay.” “But if victims haven’t taken precautions… then paying is the only remaining alternative to recover files.”

What sort of precautions? The answer is obvious.

“Backups. If you get hit you restore yesterday’s backup and carry on working. It could be more cumbersome if it’s not just one workstation, if your whole network gets hit. But of course you should always have good, up to date, offline backups. And ‘offline’ is the key!”

What’s also obvious is that too few people are prepared when Ransomware hits.

Barring any disruptions to the Bitcoin market, this threat will likely persist, with even more targeted efforts designed to elicit even greater sums.

If you end up in an unfortunate situation when your files are held hostage, remember that you’re dealing with someone who thinks of cybercrime as a business.

So you can always try to negotiate!!! What else do you have to lose?

 

HIPAA/HITECH Compliance – What Is the HITECH Act?


Not sure what the HITECH Act is all about? If you’re new to HIPAA compliance and related concerns, here’s a quick overview.

Summary of HITECH Act

HITECH stands for Health Information Technology for Economic and Clinical Health. The HITECH Act was created in 2009 to encourage the adoption and “meaningful use” of electronic health records (EHR) and supporting technology in the U.S. This act was part of the American Recovery and Reinvestment Act (ARRA) economic stimulus bill. The HITECH Act initially offered financial incentives to providers who demonstrated “meaningful use” of EHRs. Later stages of the implementation of the act included penalties for providers who did not meet these requirements.

The HITECH Act also modified HIPAA. One of the ways it did so was by requiring covered entities to notify individuals whose protected health information (PHI) has been compromised. Additionally, it increased the fines that could be applied for noncompliance (up to $1,500,000); it authorized state Attorneys General to bring actions to enforce violations of HIPAA; and it expanded portions of HIPAA to apply to business associates of covered entities and required the federal Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to audit both covered entities and their business associates.

Present and Future of HITECH Act

Many features affected by the HITECH Act are currently under debate, including changes to the definition of “meaningful use” of EHRs, cybersecurity issues, and interoperability issues.

As of April of this year, proposed new federal regulations may bring an end to the electronic health records “meaningful use” incentive program portion of the HITECH Act. This portion would be replaced with a simplified program. Concerns raised about these proposed changes state that they fail to address threats to cyber security from hackers and ransomware, a topic of real concern as healthcare providers have been under increased attack this year.

The proposed changes would also affect payment mechanisms for physicians, attempt to fight information blocking, and would replace the current “meaningful use” program with the “advancing care information” category. As the HHS explains, this category would focus on interoperability and information exchange, and in contrast to the existing program, would not require an all-or-nothing approach to measuring the quality of EHR use. (For more on the proposed changes, see Healthcare Info Security’s in-depth article on the impact on security of Medicare’s new physician payment plan.)

Check out some of the technology that is coming your way for HEALTH:

The medical community really needs to pay attention to the new HIPAA/HITECH compliance rules. This new rule is really going to affect the smaller healthcare groups that do use compliance today.

 

Happy Birthday Internet: 25 years ago today the World Wide Web opened to the public

Above: Tim Berners-Lee, creator of the World Wide Web, speaks at LeWeb 2014
Image Credit: Chris O’Brien

On this day back in 1991, a British researcher working in Switzerland suddenly opened a little thing called the World Wide Web to the public.

And now, 25 years later, it’s safe to say that the WWW has changed just about every aspect of our lives — for better and for worse.

The child of Tim Berners-Lee, who was then working at CERN, it has had an impact so profound and complicated that it’s difficult to even know how to make sense of it all. For some entrepreneurs, it has created vast wealth. It has toppled industries and given rise to others. It has created unprecedented power to publish and bolstered free speech, even as it has coarsened public dialogue and allowed hate groups to organize.

But one thing we can marvel at today is its sheer size.
Consider:
There are 1.07 billion websites, though an estimated 75 percent are not active, according to Internet Live Stats.

There are 4.73 billion webpages.

And while the internet is more than just the World Wide Web, it’s worth noting that there are 3.4 billion people on the internet.

Finally, if you really want to go all nostalgic, be sure to check out the very first website, which went live a couple of weeks earlier on August 6. Or look at cat GIFs.

All U.S. and Canadian Eddie Bauer stores infected by point-of-sale malware

It happens again: The clothing chain said payment card information of customers was stolen.

Clothing retailer Eddie Bauer has informed customers that point-of-sale systems at its stores were hit by malware, enabling the theft of payment card information.

All the retailer’s stores in the U.S. and Canada, numbering about 350, were affected, a company spokesman disclosed Thursday. He added that the retailer is not disclosing the number of customers affected. The card information harvested included cardholder name, payment card number, security code and expiration date.

The retailer said that information of payment cards used at its stores on various dates between Jan. 2 and July 17, 2016 may have been accessed, but added that not all cardholder transactions were affected. Payment card information that was used for online purchases at its website was not affected.

The company is the latest in a long list of retailers, hotels and other establishments that were hit by point-of-sale malware that skimmed payment card information.

Eddie Bauer learned during the investigation that the malware found on its systems was “part of a sophisticated attack” directed at multiple restaurants, hotels, and retailers, besides its own operations, CEO Mike Egeck said in a statement. “Unfortunately, malware intrusions like this are all too common in the world that we live in today,” he added.

The company said it has been working closely with the FBI, cybersecurity experts, and payment card organizations, and wanted to reassure customers that it had fully identified and contained the incident. Customers would not be responsible for any fraudulent charges to their accounts, it added.

Eddie Bauer said it had taken measures to strengthen the security of its point-of-sale systems to prevent a similar hack in the future. Kroll, a provider of risk mitigation and response, would provide 12 months of complimentary services to affected customers, it added.

Businesses need to watch the data passing through a corporate network more closely to have a better chance of preventing breaches, or at least minimizing the damage by stopping them sooner, said John Christly, chief information security officer of Netsurion, a provider of remotely managed security services for multi-location businesses, in an emailed statement.

“Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical un-managed firewall,” he added.
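The quote above names the failure mode: card data leaving a store network inside what looks like ordinary DNS traffic that an unmanaged firewall passes without question. The following added example, not Netsurion's or Eddie Bauer's tooling, shows one of the simplest checks a defender can run over DNS query logs for this: per source host and destination domain, flag a large number of unique, long, high-entropy first labels, which is how encoded data chunks tend to look, while leaving ordinary repeated hostnames and short CDN-style names alone. The log line format, the three thresholds and the sample traffic are all constructed for the example.

```python
"""Flagging DNS query patterns that could carry data out of a network.

Added example, not a vendor's detection logic. Assumed log format:
'<time> <src_ip> <qname> <qtype>'. Thresholds are illustrative, not tuned.
"""
import math
from collections import defaultdict
from hashlib import sha256

# Illustrative thresholds (assumptions, not tuned production values).
MAX_LABEL_LEN = 40        # a first label longer than this is rare outside tunnels
MIN_ENTROPY = 3.5         # bits per character; encoded chunks score near 4 for hex
MIN_UNIQUE_NAMES = 20     # exfil needs a fresh name per chunk; clients repeat names

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """Return (first_label, registered_domain). Treats the last two labels as
    the registered domain, a simplification a real tool would replace with a
    public-suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 3:
        return "", ".".join(parts)
    return parts[0], ".".join(parts[-2:])

def suspicious_pairs(log_lines):
    """Map (src_ip, registered_domain) -> reason for pairs whose queries look
    like data being carried in DNS labels: many unique first labels that are
    both long and high-entropy. All three conditions must hold."""
    first_labels = defaultdict(set)
    for line in log_lines:
        _, src, qname, _ = line.split()
        label, domain = split_name(qname)
        if label:
            first_labels[(src, domain)].add(label)
    flagged = {}
    for key, labels in first_labels.items():
        if len(labels) < MIN_UNIQUE_NAMES:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len > MAX_LABEL_LEN and mean_entropy > MIN_ENTROPY:
            flagged[key] = (f"{len(labels)} unique names, mean label length "
                            f"{mean_len:.0f}, mean entropy {mean_entropy:.2f} bits/char")
    return flagged

def constructed_log():
    """Constructed sample: one host sending 25 hex-looking 60-char labels to one
    domain, one host repeating a few ordinary names, one host fetching many
    short image names (unique but neither long nor high-entropy)."""
    lines = []
    for i in range(25):
        chunk = sha256(f"chunk{i}".encode()).hexdigest()[:60]
        lines.append(f"12:00:{i:02d} 10.0.0.5 {chunk}.cdn-updates.example A")
    for i in range(30):
        lines.append(f"12:01:{i:02d} 10.0.0.7 www.example.org A")
        lines.append(f"12:02:{i:02d} 10.0.0.7 mail.example.org MX")
    for i in range(30):
        lines.append(f"12:03:{i:02d} 10.0.0.9 img{i:02d}.static.example.net A")
    return lines

if __name__ == "__main__":
    for (src, domain), reason in suspicious_pairs(constructed_log()).items():
        print(f"{src} -> {domain}: {reason}")
```

On the constructed log only the 10.0.0.5 / cdn-updates.example pair is flagged; the 30 distinct image names from 10.0.0.9 show why length and entropy must be checked together with the unique-name count, since unique names alone would flag ordinary CDN traffic.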

Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide, Hilton Worldwide Holdings, Omni Hotels & Resorts, HEI Hotels & Resorts and Neiman Marcus have also previously reported data breaches through their point-of-sale systems.

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online

It seems like the NSA has been HACKED!


An unknown hacker or a group of hackers just claimed to have hacked into the “Equation Group” — a cyber-attack group allegedly associated with the United States intelligence organization NSA — and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.

I know, it is really hard to believe, but some cybersecurity experts who have been examining the leaked data, exploits and hacking tools believe it to be legitimate.

Hacker Demands $568 Million in Bitcoin to Leak All Tools and Data
Not just this, the hackers, calling themselves “The Shadow Brokers,” are also asking for 1 Million Bitcoins (around $568 Million) in an auction to release the ‘best’ cyber weapons and more files.

Widely believed to be part of the NSA, Equation Group was described as “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades,” according to a report published by security firm Kaspersky in 2015.

Equation Group was also linked to the previous infamous Regin and Stuxnet attacks, allegedly United States-sponsored hacks, though the link was never absolutely proven.

Two days back, The Shadow Brokers released some files, which it claimed came from the Equation Group, on Github (deleted) and Tumblr.

Exploits for American & Chinese Firewalls Leaked:

The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including Cisco, Juniper, and Fortinet.

According to the leaked files, Chinese company ‘Topsec’ was also an Equation Group target.

The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like “BANANAGLEE” and “EPICBANANA.”

“We follow Equation Group traffic,” says the Shadow Broker. “We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

It is not yet confirmed whether the leaked documents are legitimate, but some security experts agree that they likely are.

“I haven’t tested the exploits, but they definitely look like legitimate exploits,” Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.

Others say that the leak could be a very well-researched hoax, and the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.

“If this is a hoax, the perpetrators put a huge amount of effort in,” security researcher The Grugq said. “The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.”

However, if the NSA has indeed been hacked, it would be a highly critical cyber security incident.
Let’s watch and see what the response to this allegation is from the NSA.