Recent Breaches Show Companies Don’t Give a Damn About Your Security

First up is a breach that was four years long and resulted in 500,000,000 people impacted. What the Marriott Breach Says About Security.

Krebbs talks at length about “clueful” companies and companies with “mature security posture.” I think it’s clear that Marriott doesn’t fall into either category.

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

“How many resources you expend…” translation: it is going to cost more than you want to spend on security. But as for the downside costs…. talk to Maersk Lines, or Federal Express.

How about exposing customer information to the public internet? No password required! SKY Brasil Exposes 32 Million Customer Records

SKY Brazil is a subsidiary of DirecTV Latin America.

“The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client ip addresses, personal addresses, payment methods,” Castro told BleepingComputer. “Among other information the model of the device, serial numbers of the device that is in the customer’s home, and also the log files of the whole platform.”

They were able to fix this IN A FEW MINUTES by adding a password. These servers had been indexed by Shodan search. But hey, THEIR information hasn’t been made public. (I take it that “Payment Methods” means the credit card numbers of customers were available.)

The fact that “only” 32 million records were exposed makes this seem less important. Probably doesn’t seem that way to anyone who is impacted.

You would think an internet company would do better. And they have. Somewhat. Quora Hacked – 100 Million User’s Data Exposed.

“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” stated Quora’s security update. “We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials. We are notifying affected Quora users.

These guys seem to be reacting appropriately. And indications are that they discovered the breach fairly quickly. (Not 4 years anyway.)


Yet Another Data Breach

This is not surprising, not even a little. Records of 114 Million US Citizen and Companies Exposed Online.

Researchers from HackenProof, a penetration testing company based in Estonia, found the massive cache of data via the Shodan search engine, in two Elasticsearch indices.

They couldn’t determine who owned that data, only that Shodan had indexed it on November 14th. It was likely sitting there, available to all, for a considerable period of time. (And Shodan probably isn’t the only web-crawler that found it.)

One of the instances contained personal information of 56,934,021 US citizens, including sensitive details like full name, employer, job title, email and street address, ZIP code, phone number, and an IP address.

Because actually securing all of that data that companies are so eager to Hoover up is time consuming and expensive.

“What we do best is to stand there and look ugly.”

This situation around the fires in California reinforces something that many have known, but the majority seems to blissfully deny. Civilization is a fragile thing, and most are unprepared for even a partial collapse. Hellbent bikers provide security to Camp Fire evacuees at Chico church.

These evacuees aren’t street savvy, [Hellbent 823 chapter President Matt “Straws” Strausbaugh] said, “Two weeks ago their lives weren’t going in a direction that involved living in tents on the street.”

So the first task for the Hellbent club was to remove anyone who was threatening victims, causing trouble or scaring the children. Then, Strausbaugh said, “We switched from eject mode to protect mode.”

They had never contemplated the fact that they might have to stand up to addicts, and people threatening them or their children. And they were completely unprepared to do so when the situation arose. Enter the bikers, who take pride in standing up to people.

Craig Dunbar, with Hellbent 82 North, rattled off some of the dozen-plus clubs that have been volunteering their time and protection services. Their names are as colorful as their jackets; a few include the Jus Brothers from Oroville and Stockton, Sons of Hell out of Redding and the Street Outlaws from Red Bluff, Notorious from Chico, Henchmen and Hessians from San Joaquin, Curb Crawlers from Yuba City, Hells Angels from Sacramento and Dunbar’s fellow Hellbent brothers from Vallejo and Sacramento.

And he makes care to mention the Resurrection Motorcycle Club from Paradise, who nearly all lost their homes but have still been assisting with security.

Prepping for a disaster is as much about the idea as it is about having supplies. The “good citizens” mentioned in this piece are mostly unprepared – no supplies, no plans, no grit.

They didn’t know to try and keep the IV drug users away from their kids. The bikers found people shooting-up and discarded needles near where that kids were playing. The good citizens aren’t used to thinking about security; they take the security offered by society for granted.

People say that Thomas Hobbes was an unrealistic pessimist. But I think the state of that church/shelter before the bikers reestablished some level of order was exactly described by Hobbes’ State of War.

During the time men live without a common power to keep them all in awe, they are in that conditions called war; and such a war, as if of every man, against every man.

To this war of every man against every man, this also in consequent; that nothing can be unjust. The notions of right and wrong, justice and injustice have there no place. Where there is no common power, there is no law, where no law, no injustice. Force, and fraud, are in war the cardinal virtues.

No arts; no letters; no society; and which is worst of all, continual fear, and danger of violent death: and the life of man, solitary, poor, nasty, brutish and short.

Hat tip to Wirecutter.

Just Because They Say They Have Security…

Doesn’t mean that you can believe them. Police decrypt 258,000 messages after breaking pricey IronChat crypto app.

“Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat,” Tuesday’s statement said. “Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time.”

Snowden’s name came up, but he says he never endorsed this product. He endorsed Signal, from Whisper Systems and Moxie Marlinspike. (Actually it looks as if Open Whisper Systems is now just signal…) Signal makes secure communication easy. Messages are encrypted and decrypted by the phones, not stored on servers.

IronChat phones weren’t cheap. On the order of €1500. You don’t always get what you pay for.

IronChat isn’t the only chat system to ever have problems of course. Apple originally did the encryption for Messenger itself. They got it wrong. So they implemented the Signal protocols in the past few years. (Hat Tip to Claire Wolfe)

What’s The Price of Not Paying Attention to Security?

That depends on what business you are in. Dozens of US spies killed after Iran and China uncovered CIA messaging service using Google.

The cost?

“Dozens of people around the world were killed because of this.”

The cause?

The internet-based communications platform was first used in the Middle East to communicate with soldiers in war zones and had not been intended for widespread use but due to its ease of use and efficacy, it was adopted by agents despite its lack of sophistication, the sources claimed.

Security is hard – or so we are told. And it is so convenient to use this simple system. Who wants to think about security? No one wants to learn a new system!

The people who authorized the use of the “easy but not secure” system should have been fired, but they are civil servants. “There has been no accountability for the failure.” (Actually, I think the penalty should be criminal negligence, or maybe manslaughter, but they haven’t even been fired.)

The government had already been warned about the hackability of the system by a defence contractor named John Reidy.

In the standard “shoot the messenger mode” they fired him some time later.

The French Are Apparently Clueless About Phishing

And the Chinese are taking advantage. The word “naive” was used by French officials. Chinese spies fooled ‘hundreds’ of civil servants and executives, France reveals.

So phishing is a thing. You should be aware of it. Even if you are in France. And apparently it is especially a thing on LinkedIn.

According to a note leaked to Le Figaro newspaper by the DGSI and DGSE, the Gallic equivalent of MI5 and MI6, French businesses and state administration have been guilty of “culpable naivety” over the foreign spy threat via the popular online CV website despite clear warnings from UK intelligence as early as 2015.

And since they hold some of our secrets, it isn’t just French interests that are at risk.

Some 4,000 individuals have been targetted in recent months and “hundreds” have been bamboozled by offers of jobs or collaboration from fake LinkedIn accounts run by Chinese spies masquerading as “head hunters, consultants or think tanks”

Google+ Hack Convinces Google to End Google+

Or maybe it was the backlash after they covered up a data breach. Google+ to shut down after coverup of data-exposing bug.

A security bug allowed third-party developers to access Google+ user profile data since 2015 until Google discovered and patched it in March, but decided not to inform the world. When a user gave permission to an app to access their public profile data, the bug also let those developers pull their and their friends’ non-public profile fields.

They didn’t admit to any of this because – according to a company memo – they didn’t want the Cambridge-Analytica-style publicity. OK, now they have their own bad publicity.

Now Google+, which was already a ghost town largely abandoned or never inhabited by users, has become a massive liability for the company.

When will companies take security seriously? When an executive who makes a boneheaded decision – like either not funding security, or covering it up – is held accountable in a court of law. Nothing else is going to get it done.