WEEKLY DATA SECURITY NEWS ROUND UP Ed. 8 October 29 - November 2, 2012
WEEK IN NUMBERS
3.6 Million - Amount of Social Security Numbers stolen from South Carolina's state databases
5 - Amount of dollars to obtain 1 Million Facebook users' information, including full name, e-mail, and Facebook URL

Hacker Gets a Taste of His Own
Candid Camera, Hackers Edition!
It's about time somebody fought back. In early 2011, hackers infected systems across the country of Georgia, including government ministries, parliament, banks, and NGOs, with advanced espionage malware that could collect "sensitive security documents" among other critical data. Researchers who had been tracking this "Georbot" botnet very closely had one very interesting technique in their arsenal. As outlined in their 27-page report, they infected one of the hackers with the same malware used against them and recorded the man at work by accessing his computer's webcam and microphone. They achieved this by letting a lab PC be infected, then placing the hacker's own malware in a ZIP file named "Georgian-Nato Agreement" on it for the hacker to find. Seems like juicy sensitive information, right? Well, the hacker thought so, and downloaded it without a second thought. Once he opened it, they had control over his PC and caught him on camera carrying out the hack on other systems, as you can see in the flattering image above. They were able to obtain Russian documents from his e-mail that included detailed instructions on how to use the malicious software to infect targets. They also got plenty of additional information about his city, ISP, e-mail and more. Well...that's embarrassing. A commenter with the username DierdraVaal on the popular site Reddit said, "Somehow I can't get over the fact that a zip file called 'Georgian-Nato Agreement' is about as subtle as KieraKnightley_nude.jpg.exe." I'm going to have to agree there; it looks like the same silly tricks that work on unsuspecting cyberprey can work on the cyberpredators. Source: Ars Technica
While Georgia took a reactive approach, K logix’s Data Security Quadrant is a good tool to get you thinking proactively about your security program.
South Carolina: State Computer System Is Hacked
A hacker broke into South Carolina's state computer system, taking 3.6 Million Social Security Numbers and 387,000 credit and debit card numbers. Most of the card numbers are encrypted, but 16,000 are unprotected, and there's no guarantee the encryption on the other 371,000 won't be broken.
South Carolina State Law Enforcement Division Chief Mark Keel, left, and Department of Revenue Director James Etter talk about the security breach. James doesn’t look too happy. Photo: Tim Smith
DID YOU KNOW? The average hack will cost an organization almost $8 million in 2013, according to our research.
This is one of the biggest hacks we've seen all year, and there have been some pretty big ones already. There's no word on who committed the act, and right now it'll be nearly impossible to track considering just how much information the hacker stole. Needless to say, South Carolina is in crisis mode and has launched a full-fledged investigation. You can imagine the people in South Carolina aren't too pleased either. "It makes me question the state and how it was securing that kind of information," said Misha Morris, a recent Clemson graduate and Seneca, S.C., resident. "It's scary." Not Halloween scary, either; a hack of this magnitude is downright frightening. Source: NYTimes, USAToday
Five U.S. Dollars for 1 Million Facebook Users? Deal.
Online IT consultant and blogger Bogomil "Bogo" Shopov made a post the other day revealing that he had taken advantage of a killer cyber deal. In exchange for just five bucks, he received 12 separate Excel spreadsheets, each filled with 100,000 Facebook users' e-mails, URLs, and full names. He found it through a third party; here's an excerpt from the ad:
"The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe. There are users from other countries as well but they are almost exclusively English speaking as well, as all the apps we provide are written in English and to use them properly one needs to read the instructions. The list is checked and validated once a month so you won't get a list full of invalid or duplicate email addresses."

It sounded a little too good to be true, but in fact the list checked out, with Bogo even recognizing some of the names as his own friends! Once Facebook caught wind of this, they immediately contacted him. Bogo catalogued both the purchase of the list and the subsequent phone call with Facebook on his blog; here's what they said:
"Now we would like you to send us this file, delete it, tell us if you have given a copy of it to someone, give us the website from which you bought it including all transactions with it and the payment system and remove a couple of things from your blog. Oh and by the way, you are not allowed to disclose any part of this conversation; it is a secret that we are even having this conversation."

Oh well, too late now. I mean really, of all companies to expect that their communications will be kept private, you would think Facebook would be a little smarter than that. Bogo sent them the list and didn't care about his five bucks. Whether he "deleted" it or not is for you to decide; read his full story on his blog. Source: Talkweb
DID YOU KNOW? K logix has a Twitter and a LinkedIn Page. Check out our updates.
The Aftermath of the Google E-mail Spoofing
Mathematician Zach Harris, 35, ruffled some companies' feathers after his story was posted. Photo: Brynn Anderson/Wired
Last week, we covered a great piece about mathematician Zach Harris finding a glaring loophole in Google's e-mail security: he was able to impersonate the CEOs without much trouble, and he found the same issue at many other organizations. A lot of companies responded to the story saying that they had fixed their loopholes. However, they didn't account for third-party e-mail marketing companies that handle their newsletters and other communications to customers. One e-mail marketing company in particular thought it had fixed the issue a year ago, but instead left Capital One, Walmart, TD Ameritrade, TiVo, and others vulnerable to spoofing. That company, Epsilon, had weak DKIM keys and was contacted back in September 2011 when the issue first arose. They supposedly did the right thing and quickly switched to stronger 1,024-bit keys. However, after the Wired article ran last week, additional research showed that many of Epsilon's customers still had vulnerable 384-bit keys. Epsilon didn't do this on purpose: they did in fact generate new 1,024-bit keys, but the old 384-bit keys were left in place and mail signed with them was still accepted, so those customers could still be spoofed. Quinn Jalli, Epsilon's senior vice president of marketing, said in a statement: "It wasn't an act of negligence. Removing them would have been fairly simple. But we did not know that leaving the keys would create that vulnerability." They weren't alone. In light of this recent news, many others are finding out that they have this same loophole. Looks like Zach Harris did many companies a big favor. Read the full follow-up story here. Source: Wired
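As an added example (not part of the newsletter, and not Epsilon's or Google's own tooling), here is a small Python checker for the failure mode Epsilon ran into: a DKIM selector that still publishes a short RSA key validates just as well as a strong one, so every published selector's key length needs auditing, not just the newest one. It reads the `p=` public key straight from the TXT record's DER encoding with no third-party libraries, and it includes a builder for constructed test records, since the 384-bit and 1,024-bit moduli it generates are not real keys.

```python
import base64, re

RSA_OID_NULL = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL params

def _der_read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo (what DKIM's p= carries)."""
    _, spki, _ = _der_read(spki_der, 0)      # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, pos = _der_read(spki, 0)           # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(spki, pos)      # BIT STRING; first byte is the unused-bits count
    _, rsapub, _ = _der_read(bitstr[1:], 0)  # RSAPublicKey SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, _ = _der_read(rsapub, 0)
    return int.from_bytes(n_bytes, "big").bit_length()

def dkim_key_bits(txt):
    """Modulus size of a DKIM TXT record's key, or None if revoked (empty p=) or not RSA."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    pub = re.sub(r"\s+", "", tags.get("p", ""))  # p= is often folded across several TXT strings
    if tags.get("k", "rsa") != "rsa" or not pub:
        return None
    return rsa_modulus_bits(base64.b64decode(pub))

def is_weak_dkim_key(txt, minimum_bits=1024):
    """True if the selector still publishes an RSA key shorter than minimum_bits."""
    bits = dkim_key_bits(txt)
    return bits is not None and bits < minimum_bits

# Test-data builder: a CONSTRUCTED DKIM record around a modulus of chosen size (not a real key).
def _der_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lbytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lbytes)]) + lbytes + value

def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der_tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # keep INTEGER positive

def make_dkim_record(modulus_bits):
    n = (1 << (modulus_bits - 1)) | 1  # odd number of the requested size, not a real RSA modulus
    rsapub = _der_tlv(0x30, _der_int(n) + _der_int(65537))
    spki = _der_tlv(0x30, _der_tlv(0x30, RSA_OID_NULL) + _der_tlv(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To audit a live selector, feed `is_weak_dkim_key` the joined TXT strings of `<selector>._domainkey.<domain>`; a record with an empty `p=` is a revoked key and is reported as not weak because it no longer validates anything.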