The Lie That Accompanies EVERY Data Security Breach

Corporate PR hacks need more original material. Stop saying, “We take your privacy and security seriously”.

About one-third of all 285 data breach notifications had some variation of the line.

It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

Companies don’t care about your security. You have to care about your security. Companies collect data about you, and use that data to make money. Actually putting security in place, keeping systems up-to-date, removing old data, and in general being responsible doesn’t make them money and in fact costs a fair amount. They can’t be bothered.

So they get hacked. Then they deflect, defend and deny. Case in point: OkCupid.

Instead, OkCupid’s response was to deflect, defend, and deny, a common way for companies to get ahead of a negative story. It looked like this:

  • Deflect: “All websites constantly experience account takeover attempts,” the company said.
  • Defend: “There’s no story here,” the company later told another publication.
  • Deny: “No further comment,” when asked what the company will do about it.

And if they are really caught behind the eight-ball, they will pay for 1 year of credit monitoring. Thanks, but I already pay for that, it is a better service than they usually offer, and I need more than 1 year.

Advertisements

Who Will Manage the Managers?

I have really tried to cut down on the security-related posts the past few weeks, but there is so much going on right now that I find a little ironic.

First up, Managed Service Providers are the target of Hacks. And the hacks are against code problems from a while back. Ransomware Attacks Target MSPs to Mass-Infect Customers.

If you are going to hire someone to remotely manage your systems, they should probably not be using year-old software.

In a recent post on the MSP Reddit channel, a user reports that a local mid-sized MSP was hacked and used to distribute the GandCrab Ransomware to 80 of their client’s endpoints.

It is such a big problem at this point that the Dept. of Homeland Security had to issue an advisory.

On a similar note, Google and Microsoft have teamed up to set cryptomining software loose on unsuspecting customers. Cryptojacking Coinhive Miners Land on the Microsoft Store For the First Time.

Coinhive takes over a system and uses most of the resources to mine the cryptocurrency Monero on behalf of the hackers. Monero is one of the principle alternatives to BitCoin. This exploit makes use of a “system designed by Google to help developers inject JavaScript and HTML content within their apps for tracking and analytics purposes.”

You just have to love Google and their penchant for wanting to track everything everyone does anywhere on the web.

Can We Get Some Security?

I don’t understand why we haven’t solved this problem. (No, I do know; there are 2 reasons, but I’ll get to that later.) Here We Go Again: 127 Million Accounts Stolen From 8 More Websites.

According to TechCrunch…. The following user information is for sale on the Dark Web.

Houzz (57 million), YouNow (40 million), Ixigo (18 million), Stronghold Kingdoms (5 million), Roll20 (4 million), Ge.tt (1.8 million), PetFlow (1 million), Coinmama (450,000)

This is on top of the 617 million accounts the same hacker published a few days ago, which impacted the following sites.

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Those 2 reasons?

  1. Programmer arrogance – they never, ever make a mistake, (except when they do) and
  2. Management that doesn’t want to pay for security.

They Love to Store Personal Info, They Just Can’t Be Bothered to Secure It

How many kids have credit monitoring? For their entire lives they are going to be troubled by possible identity theft. Report: K-12 Schools Experienced 122 Cyber Attacks in 2018.

For instance, in December, it was discovered that the personal data of more than 500,000 students and staff in the San Diego Unified School District were stolen over an 11-month period. The data included names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, health information and legal notices.

How much do you think the administrators worry about Security? “Oh, those IT folks, they always want to spend money on something.” So the bad guys have all that info. What do you think they are going to do with it?

Actually it looks like suburban districts are targeted more than inner city schools.

Apple Doesn’t Think They Should Play By the Same Rules as Everyone Else

They are Apple after all. Researcher Declines to Share Zero-Day macOS Keychain Exploit with Apple.

So this guy found a zero-day in the current version of Apple’s password manager. And he built a proof-of-concept. (You can see it demoed in a 1.5 minute video if you click the link above.) But he won’t share it with Apple because they don’t have a bug-bounty program. Because Apple is different from the rest of the tech companies in the world. Or something. (They are certainly more arrogant than your average tech company, and THAT is saying something.)

The vulnerability found by Henze in Apple’s macOS operating system last week is present “in the keychain’s access control” and it could allow a potential attacker to steal Keychain passwords from any local user account on the Mac, without the need of admin privileges nor the keychain master password.

This isn’t the first time Apple has built an encrypted system for which the cryptography was substandard. The original version of Messenger was supposed to be secure, but the encryption – developed by Apple, not industry standard – was substandard. (The rewrote it using an open-source encryption.)

As for the security researcher, Linus Henze…

Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have)

If he was just in it for the money, I’m sure that Zerodium would have been willing to pay him big bucks before his disclosure. (They will pay as much as $2 million for a zero day.)

But Apple expects you to spend weeks or months researching problems with their code, and then you should just hand over your findings to them free of charge. Because Apple.

He hasn’t given anything away, but now that people know about the existence of the zero-day, it is only a matter of time before the exploit is discovered by someone less ethical, and put to nefarious use.

The Coming Civil War

You really need to read the whole thing. The Second Civil War, Part 2.

Democrats no longer honor the Constitution and most no longer feel any reason to conceal their disdain. When they take an oath of office to uphold and defend it, they’re lying. The law–any law–must be what they say it is and change whenever they please. When they take power again, and they will, America as we know it will be over. The rule of law is already lost. Our Justice system is already two-tiered. As I noted in my earlier argument, when they come for the guns–and they will–that will be the last straw, though it take awhile for normal Americans to rise up.

Hat tip to The Daily Gator.

When Your “Security Camera” Isn’t Secure

You bought a security camera to enhance security. But if you act stupidly when you set it up, you won’t be enhancing anything. Family says hacker sent fake North Korean missile warning through Nest camera.

So they reuse passwords. (Get a damn password manager! They are Free. FREE. And easier than trying to remember multiple passwords.) So when one of their sites was hacked, bad guys got access to their Nest camera – because it had the same PW. (No, that is not a good idea.)

And be clear, long before these guys said anything over the speaker, they had full access to the camera.

The first anecdote was almost funny. (Another North Korean missile warning.) But not all of the anecdotes are funny.

The customer service representative speculated that the family had fallen victim to a data breach at another online service and that they had used the same password on their Nest camera.

[SNIP]
Following the incident, Lyons says her husband changed the camera’s password, enabled two-factor authentication, and disabled the device’s speaker and microphone.

Something that should have been done in the beginning.

The less funny incident? (Though the couple from the incident above said their 8-year-old was traumatized.)…

A Texas couple also reported in December that a hacker had accessed a Nest camera in their infant’s room and said, “I’m going to kidnap your baby,” over its speaker.

Sign up for LastPass. Download and use KeePass. Do something. Don’t just reuse the same PW everywhere. And really, really think HARD about putting a camera inside your house that is connected to the internet. Unless you are completely dedicated to maintaining the security of that camera. (And Nest is one of the better companies. Their products are as secure as anything. Not all security cameras are secure. Some are hopeless.)