
The Yahoo sign in front of the company's campus in Sunnyvale, Calif.

Yahoo's announcement that state-sponsored hackers have stolen the details of at least 500 million accounts is shocking both for its scale -- it's the largest data breach ever -- and for the potential security implications for users.

That's because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users' online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.


An email compromise is one of the worst data breaches that a person could experience online, so here's what you should know:

Fifty shades of hashing

Yahoo said that the "vast majority" of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation -- this is called a hash.

Hashes are not supposed to be reversible, so they're a good way to store passwords. You take input, such as a password, pass it through a hashing algorithm and compare the result to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking "the vast majority" of Yahoo passwords is very low.

But here's the problem: Yahoo's wording suggests that most, but not all passwords were hashed with bcrypt. We don't know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn't been specified in Yahoo's announcement or FAQ page suggests that it's an algorithm that's weaker than bcrypt and that the company didn't want to give away that information to attackers.

In conclusion, there's no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.
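To make the bcrypt-versus-MD5 point concrete, here is an added example (mine, not InfoWorld's or Yahoo's code) that stores a constructed sample of passwords under three schemes: unsalted MD5, salted MD5 (the scheme the MoDaCo report further down this page mentions), and a slow, salted, iterated hash. Python's standard library has no bcrypt, so `hashlib.pbkdf2_hmac` stands in for it; its round count plays the role of bcrypt's cost parameter. The wordlist, user names and passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a leaked-password dictionary; not real breach data.
WORDLIST = [
    "password", "123456", "qwerty", "letmein", "sunshine", "football",
    "iloveyou", "dragon", "monkey", "welcome", "yahoo2014", "Tr0ub4dor&3",
]

PBKDF2_ROUNDS = 20_000  # work factor; bcrypt's cost parameter plays the same role


def hash_password(password: str, scheme: str, salt: bytes) -> str:
    """Hash one password under a named scheme (all three are one-way)."""
    data = password.encode()
    if scheme == "md5":            # unsalted MD5: fast, and precomputed tables apply
        return hashlib.md5(data).hexdigest()
    if scheme == "salted_md5":     # MoDaCo-style: salt defeats precomputed tables, not speed
        return hashlib.md5(salt + data).hexdigest()
    if scheme == "pbkdf2":         # slow, salted, iterated: stand-in for bcrypt
        return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS).hex()
    raise ValueError(f"unknown scheme {scheme!r}")


def store_password(password: str, scheme: str) -> dict:
    """What a site keeps in its database: scheme, salt and hash, never the password."""
    salt = os.urandom(16) if scheme != "md5" else b""
    return {"scheme": scheme, "salt": salt, "hash": hash_password(password, scheme, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Log-in check: recompute the hash and compare it in constant time."""
    recomputed = hash_password(candidate, record["scheme"], record["salt"])
    return hmac.compare_digest(recomputed, record["hash"])


def wordlist_audit(records: dict, wordlist: list) -> dict:
    """Defender's audit of a hash store: which records fall to a plain dictionary?
    Salting and slow hashing do not change *whether* a weak password is found,
    only how much work each guess costs (see guesses_per_second)."""
    found = {}
    for user, record in records.items():
        found[user] = next((w for w in wordlist if verify_password(record, w)), None)
    return found


def guesses_per_second(seconds: float = 0.2) -> dict:
    """Measure how many candidate hashes per second each scheme allows on this machine."""
    rates = {}
    salt = b"\x00" * 16
    for scheme in ("md5", "salted_md5", "pbkdf2"):
        count, start = 0, time.perf_counter()
        while True:
            hash_password("guess", scheme, salt)
            count += 1
            elapsed = time.perf_counter() - start
            if elapsed >= seconds:
                break
        rates[scheme] = count / elapsed
    return rates


def build_sample_records() -> dict:
    """Constructed sample: one weak password under all three schemes, one strong passphrase."""
    return {
        "alice": store_password("sunshine", "md5"),
        "bob": store_password("sunshine", "salted_md5"),
        "carol": store_password("sunshine", "pbkdf2"),
        "dave": store_password("correct horse battery staple", "md5"),
    }


if __name__ == "__main__":
    records = build_sample_records()
    for user, pw in wordlist_audit(records, WORDLIST).items():
        print(f"{user:6s} {records[user]['scheme']:10s} recovered: {pw}")
    for scheme, rate in guesses_per_second().items():
        print(f"{scheme:10s} ~{rate:,.0f} guesses/s")
```

Running it shows the two things a defender should take from Yahoo's wording. First, a weak password is recovered by a dictionary under every scheme, salted or not, because a salt only stops precomputed tables; what bcrypt (here, PBKDF2) changes is the cost per guess, which the measured rates show as several orders of magnitude. Second, no scheme rescues a password that is in the dictionary, and no fast scheme is needed to protect one that is not: dave's passphrase survives even unsalted MD5 in this run, which is the case for unique, strong passwords made later in the article.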

Don't keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won't ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you're among the people who don't delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don't provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as the answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check, and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. Never logging in again also means the service has no reason to warn you about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication -- this is sometimes called two-step verification -- for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device.

It's an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don't reuse passwords; just don't

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents.

These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed off as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts, and so on.

Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident come from the affected service provider or a trusted source.


InfoWorld Security

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Repercussions of the massive Yahoo breach
Yahoo has announced on Thursday that they have suffered a breach and that account information of at least half a billion users has been exfiltrated from the company’s network in late 2014.

Review: Boxcryptor
Storing your data in the cloud comes with both positive and negative aspects. Boxcryptor is a solution that helps with this by encrypting your data on your device before it gets synchronized to the cloud storage provider of your choice.

(IN)SECURE Magazine issue 51 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

How ransomware is impacting companies in six major industries
BitSight analyzed the security ratings of nearly 20,000 companies to identify common forms of ransomware and to determine which industries (amongst Finance, Healthcare, Education, Energy/Utilities, Retail, and Government) are most likely to experience attacks.

Why DNS shouldn’t be used for data transport
Malicious DNS tunnelling is a big problem in cybersecurity.

Basic file deletion increases exposure to security risks
The use of improper data removal methods and the poor enforcement of data retention policies have created the perfect storm for confidential, oftentimes sensitive data to be lost or stolen.

US elections and the hacking of e-voting machines
As the day when US citizens cast a vote for their preferred presidential nominee quickly approaches, the issue of whether the actual voting process can be tampered with is a topic that interests many.

Malicious torrents management tool uncovered
Researchers have uncovered Raum, a tool that is used by Eastern European organized crime group “Black Team” to deliver malware to users through malicious torrents.

Xiaomi smartphones come equipped with backdoor
If you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do.

Chinese researchers hijack Tesla cars from afar
Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

We have to start thinking about cybersecurity in space
With all the difficulties we’ve been having with securing computer systems on Earth, the cybersecurity of space-related technology is surely the last thing on security experts’ minds – but it shouldn’t be.

HDDCryptor ransomware uses open source tools to thoroughly own systems
HDDCryptor (aka Mamba) is a particularly destructive piece of ransomware that encrypts files in mounted drives and network shares, locks the computers’ hard disk, and overwrites their boot disk MBR.

Biometric skimmers: Future threats to ATMs
Kaspersky Lab experts investigated how cybercriminals could exploit new biometric ATM authentication technologies planned by banks.

US gets federal guidelines for safe deployment of self-driving cars
The public is welcome to comment on the new policy, and the Department of Transportation intends to update it annually.

880,000 users exposed in MoDaCo data breach
Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

UK: Financial fraud soars
More than 1 million incidents of financial fraud – payment card, remote banking and cheque fraud – occurred in the first six months of 2016, according to official figures released by Financial Fraud Action UK. To compare, in the first six months of 2015 there were a little over 660,000 cases.

Should you trust your security software?
Recently, Google’s Project Zero security research team uncovered a bunch of critical vulnerabilities in two dozen enterprise and consumer antivirus security products from Symantec and its Norton brand.

BENIGNCERTAIN-like flaw affects various Cisco networking devices
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.

Connected devices riddled with badly-coded APIs, poor encryption
Ignoring cybersecurity at the design level provides a wide open door for malicious threat actors to exploit smart home products.


Help Net Security

Yahoo officially acknowledged it was the victim of one of the largest data breaches in history in which data from at least 500 million user accounts was stolen.

The Yahoo breach took place in late 2014 but it wasn't confirmed until a "recent investigation." Yahoo didn't provide a specific timeline of events, but Flashpoint confirmed it recently found 200 million Yahoo accounts for sale on the deep web.

"On August 2, 2016, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor 'peace_of_mind' (otherwise known as 'peace') for the sale of some 200 million Yahoo account credentials," Vitali Kremez, cybercrime intelligence senior analyst at Flashpoint, told SearchSecurity via email. "Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials in May 2016. This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers."

Various news outlets have reported that the sale of the Yahoo accounts on the deep web is what first prompted Yahoo to investigate a potential mega breach. The Yahoo breach follows other high-profile data breaches at companies such as LinkedIn and Dropbox that have exposed user emails and information.

Keatron Evans, senior security researcher and principal of Blink Digital Security, said Yahoo needs to provide more details about the attack. "What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?" Evans said. "This slow response could become a PR nightmare that damages the company's reputation, and it goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools."

In a statement, Yahoo said it believes the attack was state-sponsored, though no specific nation was named. Yahoo also attempted to reassure users that their most valuable data had not been compromised.

"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo wrote. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."

J. Paul Haynes, CEO of eSentire, said it was good to see Yahoo not jumping to conclusions with attribution.

"The timing of this breach is curious, given Yahoo's pending sale; however, it's a bit premature to place blame with a state-sponsored attacker," Haynes said. "Attribution is a slippery slope and nearly impossible without a complete case file, which neither Yahoo nor the investigators have at this point."

Complicating matters further, Verizon is in the process of purchasing Yahoo for $4.8 billion. The deal is still under regulatory review. A Verizon spokesperson said the company only learned of the mega breach at Yahoo this past Tuesday, and that Verizon has only "limited information and understanding of the impact" of the breach.

Adam Levin, chairman and founder of IDT911, said data breaches should be considered a new certainty in life along with death and taxes. "All users of Yahoo email must immediately change not only their Yahoo user IDs and passwords but also any duplicate login information used to access other accounts," Levin said. "As we live in an environment where breaches have become the third certainty in life, it is essential that consumers protect themselves by using long and strong passwords, which are never shared across their universe of social, financial, retail and email accounts and updated routinely; enable two-factor authentication; and are always on guard against phishing attacks."

Yahoo suggested users review their online accounts for any suspicious activity, change account details, avoid clicking suspicious links and use the Yahoo Account Key two-factor authentication tool.

Brett McDowell, executive director of the FIDO Alliance, said this should be a warning to everyone that strong passwords alone may not be enough. "Cyber criminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud. We need to take that ability away from criminals and the only way to do that is to stop relying on passwords altogether," McDowell said. "The frequency and severity of these data breaches is only getting worse year-over-year, and this trend will continue until our industry ends its dependency on password security and adopts un-phishable strong authentication."

Vishal Gupta, CEO of Seclore, said the fallout from this attack could be devastating. "This nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn't difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously," Gupta said. "Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes."


SearchSecurity: Security Wire Daily News

Yahoo has announced on Thursday that they have suffered a breach and that account information of at least half a billion users has been exfiltrated from the company’s network in late 2014.


The stolen data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” but not “unprotected passwords, payment card data, or bank account information,” nor Tumblr user data.

Yahoo attributed the hack to a state-sponsored actor, and says that there is no indication that they are still present in Yahoo’s network. As the investigation continues, users are getting notified of the breach through their Yahoo and alternate email accounts, and advised to change their passwords and adopt alternate means of account verification, change the password and security questions for any other accounts on which they used the same information, and to be on the lookout for phishing attempts.

The company has provided a page with more details, including instructions on how to spot phishing emails impersonating the company and how to tell for certain that an email comes from Yahoo.

How did the Yahoo breach happen?

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice,” Yahoo has noted in the announcement.

The company has not offered any explanation of how it managed to miss the intrusion for so long. It's also possible that they did know about it but chose to remain silent until they no longer could. Last month's public offer for sale of account details of some 200 million Yahoo users was apparently the result of a previous breach, but it forced the company into starting a new investigation.

“Yahoo, like many other large companies, has huge and sprawling networks with hundreds of thousands of hosts. That’s a lot of attack surface for anyone to effectively protect all the time. So, it’s unsurprising when breaches, even of this magnitude, take place,” noted Jeremiah Grossman, Chief of Security Strategy at SentinelOne, and former infosec officer at Yahoo (late 1999-mid-2001).

“Due to Yahoo’s size, they often have to rely on homegrown technology solutions because historically there have been limited products on the market that can scale to meet the demands of their system. It could be that this issue created gaps in their security program because they’re unable to use cutting-edge security products designed to thwart modern threats that most everyone else can,” he added.

Who’s behind it?

“There are a lot of unanswered questions here—the biggest one being that while we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story,” says Grossman.

Why would a nation-state target Yahoo in the first place (if indeed it has)?

“There are some parallels between this and the Google Aurora attacks in 2010,” he noted. “I’d argue that nation-state sparring is playing out on networks like Yahoo because they’re a valuable source of information on your opponent’s strategy. If you are a nation state and want to determine if any of your domestic spies have been discovered, you put taps on Google, Yahoo, Microsoft, etc. rather than government networks. Of course, there is always the motivation to deanonymize political dissidents.”

“The fact that the Yahoo breach is being tied to state-sponsored actors is extremely alarming. With the potential to be the largest breach in history (at 500 million users were affected), the fallout from this attack could be devastating,” says Vishal Gupta, CEO of Seclore.

“For example, this nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn’t difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously. Imagine getting a call from a presidential campaign, except the information being shared by the caller isn’t factual, and is actually intended to sway you towards a different candidate. We haven’t seen this sort of activity yet, but it’s within the realm of possibility. Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes.”

Repercussions for users

If you’re an affected user, you might want to do all the things Yahoo has advised you to do to protect yourself and your other accounts.

I argue that the advice might have been good if it came right after the breach, but it’s now just an illusion that you can control the situation. If this information was stolen in 2014, who knows how many times it has been sold and misused since then?

“One of the more egregious errors in this disclosure was the fact that date of birth (DOB) information was exposed,” notes Todd Feinman, founder of Spirion.

“Companies like Yahoo have an obligation to their customers to protect their privacy and classify personally identifiable information. DOBs are a perfect example of data that should be classified and protected so that, in the event of a data breach, personally identifiable information (PII) is not exposed,” he explained.

“DOB can be used in conjunction with other data to steal an identity or compromise the victim in other ways. They’re sometimes used as secondary validation and should be classified as confidential and kept encrypted just like social security numbers and health record numbers.”

“Data breaches are now a common occurrence but should not be taken for granted. When we see 200 million DOBs, password hashes, and usernames floating around, it is critical those users become aware and cognizant of any identity theft alerts and change their passwords that were the same as those on Yahoo. Hashes will slow criminals down but not stop them,” he concluded. I would add: especially if they are a well-resourced nation-state actor, and they’ve had two years to work on breaking them.

Repercussions for Yahoo

The timing of the revelation of the breach could scarcely be worse, as Yahoo has recently announced that Verizon is going to acquire the company for $4.8 billion.

“Mergers are complicated endeavors, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected. Verizon certainly took on a calculated level of risk in acquiring Yahoo!, particularly because of its massive user base,” says Kevin Cunningham, president and founder at SailPoint.

“The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo’s security controls. It’s a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls, because as we’ve seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”

“What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?” notes Keatron Evans, Senior Security Researcher and Principal of Blink Digital Security.

“This slow response could become a PR nightmare that damages the company’s reputation. As this story continues to unfold, it is likely that even more damaging news is revealed. The one thing that is clear at this point is that all enterprises need to learn from Yahoo’s mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster. There are already appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action.”


Help Net Security

Original release date: September 22, 2016

The Federal Trade Commission (FTC) has released a step-by-step video for users whose personal information may have been exposed in a data breach. The video provides instruction on how to report an incident and develop a personal recovery plan after a data breach has occurred.

US-CERT encourages users to review the FTC blog and US-CERT Tips on Avoiding Social Engineering and Phishing Attacks, Safeguarding Your Data, and Protecting Your Privacy for more information.


US-CERT Current Activity

Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.


But not all subscribers have been notified, and that’s because the alert didn’t come from the site admins, but from the Have I Been Pwned? service. The service allows users to submit their email address, and notifies them when it’s found in data batches stolen in breaches.

According to the notification, MoDaCo suffered a data breach in January 2016, and the attacker made off with email and IP addresses, and usernames and passwords (stored as salted MD5 hashes) of nearly 880,000 subscribers.

The reason why MoDaCo hasn’t notified users of the breach is still unknown. MoDaCo founder Paul O’Brien promised to post an official statement about the incident later today, and reassured subscribers that all passwords are hashed and salted.

Security researcher Troy Hunt, who runs Have I Been Pwned?, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.

“With data that includes email and IP addresses, passwords and usernames, there’s nothing out of the ordinary there,” Mark James, IT Security Specialist at ESET, commented for Help Net Security.

“To be honest, data breaches happen all the time; this particular one is causing a bit of a storm on their own forums, as the users would like to have received notification from the owners first, not through a third-party site. Looking through the forum posts, many of the users have not used the site for a while and were looking for means to delete their accounts. The problem of course is that when we create usernames and passwords on sites that reflect our current interests, if we then move on or stop using those sites it’s sometimes difficult or almost impossible to delete those redundant accounts. This breach apparently happened in January 2016 (that needs to be confirmed officially), but at least the passwords were stored as salted MD5 hashes and not in plaintext.”


Help Net Security


An investigation into the OPM breach has been completed by the House Oversight and Government Reform committee and although the report is more than 200 pages long, experts said there were details missing.

The report paints a grim picture.

"The government of the United States of America has never been more vulnerable to cyberattacks. No agency is safe. In recent data breaches, hackers took information from the United States Postal Service; the State Department; the Nuclear Regulatory Committee; the Internal Revenue Service; and even the White House," the report begins. "None of these data breaches though compare to the data breaches of the U.S. Office of Personnel Management (OPM)."

The breaches of OPM came to light in June 2015 and the report said they involved "personnel files on 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals" as well as fingerprint data for 5.6 million of those individuals.

The report said the loss of this data was "deeply troubling and citizens deserve greater protection from their government."

"The damage done by the loss of the background investigation information and fingerprint data will harm counterintelligence efforts for at least a generation to come," the report read. "The intelligence and counterintelligence value of the stolen background information for a foreign nation cannot be overstated, nor will it ever be fully known."

Michael Lipinski, CISO and chief security strategist at Securonix, said the report lacked a more detailed breakdown of the risks the lost data poses to the individuals affected.

"People will pay a price for this into the next generation. The risk to government and private organizations from the lost fingerprints alone has huge potential impacts. Security risks from the biometric use of these fingerprints are possible," Lipinski told SearchSecurity. "Does the existence of these fingerprints in the wild undermine the validity of fingerprint identification in everyday court cases? The state actors that possess the exfiltrated data will be able to create very sophisticated, very targeted phishing campaigns. I think there is a lot of potential fallout from this data loss that hasn't been well communicated to the public yet."

Richard Helms, CEO of Ntrepid, said the monitoring services offered to the affected individuals months after the OPM breach were not enough.

"The missing piece is a discussion of the fact the breach was not a theft of credit card data at a point of sale; rather it was an attack on our national security community personnel by a foreign state to benefit further collection of intelligence on them. The millions spent on credit monitoring in response are of zero benefit," Helms said. "The national security community needs to extend its security perimeter to include employees' online activity. Follow-up collection efforts or attacks from these adversaries will logically be most effective through the Internet browsers of these employees and their families. That protection can be had for a lot less money than is being spent on ineffective credit monitoring."

The report provides a detailed timeline of the attack, and reports that the first attacker (referred to as Hacker X1 in the report) gained access to the OPM network in July 2012. On March 20, 2014, US-CERT notified OPM of data exfiltration on its network, and OPM, together with US-CERT, decided to monitor the attacker to gather counterintelligence, with a fail-safe plan to shut down the compromised systems if needed to remove the hacker.

However, on May 7, another hacker (Hacker X2) "established their foothold into OPM's network" using credentials stolen from a contractor to install malware and a backdoor. OPM did not identify this second hacker despite actively monitoring the first.

"As the agency monitored Hacker X1's movements throughout the network, it noticed Hacker X1 was getting dangerously close to the security clearance background information," the report reads. "The agency was confident the planned remediation effort in late May 2014 eliminated Hacker X1's foothold on their systems. But Hacker X2, who had successfully established foothold on OPM's systems had not been detected due to gaps in OPM's IT security posture, remained in OPM's system."

The gaps in OPM's security were quite wide, according to the report. The OPM Inspector General (IG) had been warning about cybersecurity deficiencies since 2005, but the report said the "absence of an effective managerial structure to implement reliable IT security policies" meant fundamental weaknesses remained. A 2015 IT security report from the Office of Management and Budget also said OPM was one of the agencies with the "weakest authentication profiles."

"Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft," the report read. "Importantly, the damage also could have been mitigated if the security of the sensitive data in OPM's critical IT systems had been prioritized and secured."

Igor Baikalov, chief scientist at Securonix, said this shows the OPM breach was not due to technical problems.

"What the audit shows is a systematic pattern of negligence and total disregard for information security principles and practices. Since 2007, OIG repeatedly reported grossly inadequate security management and weak governance as a foundational cause of numerous security problems at OPM," Baikalov said. "Any information security program starts with standards to adhere to, policies to comply with, and procedures to follow -- all of that was missing at OPM, and that has nothing to do with how outdated their systems were or what technology they had deployed."

Beth Cobert, acting director of OPM, who took over after the resignation of OPM director Katherine Archuleta following the OPM breach, wrote in a blog post that the report "does not fully reflect where this agency stands today."

"While we disagree with many aspects of the report, we welcome the committee's recognition of OPM's swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes. We also appreciate the panel's willingness to work with us on these important issues and find many of the final recommendations to be useful for OPM and the Federal Government at-large," Cobert wrote. "Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency's ability to protect data while delivering on our core missions."

Cobert went on to detail steps the agency has taken to improve security and accountability, including the implementation of multifactor authentication (MFA) in the agency, the continuous diagnostics and mitigation program developed by the Department of Homeland Security (DHS), DHS's Einstein 3a, and the ongoing process of rebuilding and enhancing the web app system used for background investigations. Other initiatives Cobert cited included strengthening legacy systems while modernizing IT infrastructure, and working with the Department of Defense, "who are designing, building, and will operate the IT infrastructure for the new National Background Investigations Bureau, the OPM-based entity that will conduct background investigations for the Federal Government in the future."

The report focused heavily on how the OPM breach could have been prevented if the agency had implemented multifactor authentication, and experts agreed.

"Implementation of multifactor authentication is a good suggestion, but also really just a baseline that everyone should have adopted. An attacker with control of a desktop can still leverage credentials even with two factor authentication," Lance Cottrell, chief scientist of Passages at Ntrepid, told SearchSecurity. "It is like saying an organization should patch their software and keep good backups -- it is totally generic and entry level advice, which makes it somewhat shocking that this is what they are telling an organization handling sensitive government information."

Sam Elliott, director of security product management at Bomgar, said the recommendation could have gone farther.

"I am glad to see the report make this recommendation, but I would also recommend a strong password management policy which includes frequent rotation of privileged credentials, as well as employing technology to control, facilitate, and monitor direct access to sensitive infrastructure," Elliott said. "With those three areas in place, a bad actor with stolen credentials, who is trying to gain persistence in an environment, will face significant challenges. The hacker won't be able to use traditional mechanisms to access a target in the first place, and lastly with MFA in place, even if they are able to get to a target, standard authentication will do them almost no good."

Lipinski said the recommendation of MFA, although important, "grossly misses the remaining issues."

"This was a people, process and technology failure. There was no executive level responsibility watching over security. It fell under the CIO who was not credentialed as a security professional. The people failure led directly to the process gaps," Lipinski told SearchSecurity. "The report concluded that additional talent is needed. Poor logging, insufficient tools, lack of internal hunting capability, no vulnerability management, no penetration testing and incident response activities were grossly lacking."

Lipinski added: "This was a failure at every level, people, process, technology and governance. Instead of striving for a continuous improvement model, I saw an excuse driven, 'not my fault because we have old equipment' model. The government failed to hold itself to even the lowest level of standards it places on the private sector. Lack of basic controls, lack of any discernable policies or processes, lack of incident response capabilities and lack of executive ownership over data protection all need to be addressed to prevent another occurrence."


SearchSecurity: Security Wire Daily News

A report published this week by the U.S. House of Representatives Committee on Oversight and Government Reform said the data breaches disclosed by the Office of Personnel Management (OPM) last year were a result of culture and leadership failures, and should not be blamed on technology.

The OPM reported in June 2015 that hackers had accessed the personal data of more than 4 million federal employees. The next month, officials provided an update saying that the details of roughly 21.5 million additional people who underwent background checks had also been compromised. An investigation revealed that attackers had also stolen fingerprint data associated with 5.6 million individuals.

Threat actors based in China are believed to be behind the attacks and officials are concerned that, given the sensitivity of the compromised data, the incident will have a long-term impact on national security and counterintelligence.

According to the report published by the Oversight and Government Reform committee, the OPM inspector general had warned since at least 2005 that the agency’s systems were highly vulnerable to hacker attacks.

The report reveals that OPM learned of one breach in March 2014, after US-CERT informed the organization that a third party had observed threat actors exfiltrating data from its networks. The agency monitored the hacker's activities until late May, when it decided to kick the intruder off its network because they had been getting too close to the systems storing security clearance background information.

In the meantime, starting on May 7, a different hacker breached OPM’s systems using credentials stolen from one of the agency’s contractors. This second hacker went undetected for nearly a year, during which they exfiltrated background investigation files (July-August 2014), personnel records (December 2014) and fingerprint data (early 2015).

The second attacker’s presence was only discovered in April 2015. The authors of the report believe this hacker may have leveraged manuals and other information collected by the first hacker.

The report says OPM could have potentially prevented the incident had it implemented basic, required security controls, such as two-factor authentication, and expedited the deployment of more advanced security solutions after learning about the first breach.

Apparently, the agency used a product from Cylance, which consistently detected threats, but the solution was only deployed after the second hacker was detected in April 2015. OPM leadership allegedly ignored recommendations from the organization’s director of IT security operations to deploy the Cylance product after the initial attack was detected in March 2014.

The oversight committee has accused OPM officials of misleading Congress and the public, and attempting to downplay the incident.

“The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology,” the report reads. “As OPM discovered in April 2015, tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency’s extensive vulnerabilities.”

In response, OPM Acting Director Beth Cobert pointed out that the agency disagrees with many aspects of the committee's report, but did not provide any clarifications. Cobert also highlighted several steps taken by the organization since the incident, including use of multi-factor authentication, rebuilding web-based applications, implementation of the DHS's Einstein security system, and migration to a modern IT infrastructure.

Previous Columns by Eduard Kovacs:

SecurityWeek RSS Feed