Tag Archives: hack

Ashley Madison Hack – what has been leaked?

As with all privacy breaches there are multiple victims here. The customers whose personal data has been leaked, as well as the company trusted to keep it secure; a trust that may never be regained.

However, what makes this case highly significant is the collateral damage that will likely spread beyond just the direct privacy breach.  Family ‘secrets’ are revealed and victims are ‘ousted’ – seemingly at the hands of anonymous hackers with a point to prove.

Another oddity in this case is that AshleyMadison.com charges only men for their subscriptions and message credits, while female users are able to use the site free of charge.  This has resulted in the victims consisting mostly of men, connected by way of their credit card transaction histories, causing an asymmetry rarely seen in data breaches made public.

While the hackers have released the data in what could best be described as a harsh and judgmental way, they do offer some clues about how trustworthy the data may or may not be, “Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles.”

On that note, remember that the information obtained and released by hackers in data breaches by their very definition is never verified by the companies who are breached, and so this brings into question the integrity of all the data, regardless of how authentic it might seem.  For example, there may be deliberately false information inserted by the hackers designed to damage reputations or serve another agenda.

Accordingly, as already reported the hackers also provided this disclaimer of sorts, “Chances are your man signed up on the world’s biggest affair site, but never had one.”  In short, make sure you have all the facts before a potentially dangerous and damaging real-life Internet hoax unfolds in your own backyard.

Here’s a summary of the exact data that was breached:

  • Full names and addresses
  • Birthdates
  • Email addresses
  • Credit card transactions
  • GPS Coordinates
  • User Names & Passwords
  • Sexual Preference
  • Height, Weight, physical characteristics
  • Smoking and drinking habits

Lastly, while it may be easy to fall into the trap of victim-blaming and judging based on your own set of moral or ethical standards in this case – as social media opinions begin to rush forth in the coming days and beyond, it’s important to keep sight of the broader picture of what is transpiring.

Today’s breach may well affect nearly 30 million victims, and maybe you don’t know any of them… this time.  Next time, in another context, it could be you.

In the meantime, let’s hope that the active investigation into the perpetrators behind this hack are brought to justice, because as the statement from Avid Life Media rightly asserts, this is an act of criminality.

Until next time, stay safe out there.

Has the “Islamic State Hacking Division“ Stolen Information on U.S. Military Personnel?

And am I the only one who actually has to chuckle when reading the name “Islamic State Hacking Division” (even though I probably shouldn’t)?

The post Has the “Islamic State Hacking Division“ Stolen Information on U.S. Military Personnel? appeared first on Avira Blog.

Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals

As the cost of fixing security mistakes in Jeep Chrysler Dodge vehicles mounts, so does the need for manufacturers to weigh cybersecurity risks in the product development process, alongside features and benefits.

The post Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals appeared first on We Live Security.

Adulterers Beware: Ashley Madison Hacked

Ashley Madison is a social network for people in relationship (mostly married I’d guess) who want to have an affair. Now, according to Krebs on Security, the page has been hacked by “an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information”. Large parts of stolen data have been posted online by The Impact Team, the people responsible for said hack.

Apparently The Impact Team decided to post the stolen data because while Avid Life Media (ALM), the company that owns Ashley Madison, says that they will delete user profiles permanently for $19 that’s not happening, at least not completely. While there has been some controversy concerning this topic before the reaction of The Impact Team seems rather extreme.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the hacking group wrote.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

According to ALM CEO Noel Biderman the company’s investigation is ongoing. He also states that he believes that the breach was actually an inside job – perhaps by a former employee or contractor: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.“

The post Adulterers Beware: Ashley Madison Hacked appeared first on Avira Blog.

Personal data is becoming a primary target at every level

I recently published a blog about the data breach at the Office of Personal Management (OPM) and the Interior Department which is being blamed on China.

In the last week, there have been a number of experts giving more detail on the depth of the stolen data. The concern is about Standard Form 86 which is used to collect data on potential federal employees applying for positions in National Security.

As you can imagine, this form probes into areas of someone’s background, family and friends that not even those close to the person may know. There are 127 pages of the form and the collection of information includes citizenship, passport, residence schools, military service, employment, financial records, alcohol and drug use, criminal records, psychological and emotional health, groups that may have been associated with, foreign travel, associates including relatives and friends.

The data is extremely valuable to any foreign government or intelligence agency, knowing your enemy in this much detail is a definite advantage. Some observers are suggesting that the data may even be used to blackmail people.  While there is of course this possibility, I doubt anyone who successfully got a position in the NSA would be susceptible to blackmail…

However, there is the risk of an unsuccessful applicant being blackmailed with the data on their Standard Form 86. Naturally, this is bad news for them and they need protection as they are not in positions of national security.

Any breach that affects the people responsible for our security is extremely serious and there needs be a robust plan to assist current and past employees, and even those who simply filled out the form.

Personal data is becoming the primary target for many cyber criminals, foreign powers and governments and the holders of the data need to take precautions to secure it. We are all potential victims of data theft and it’s our responsibility to understand the dangers of handing over our data.

While in this case there is no alternative for national security employees, in many of the data breach cases recently there are ways that we can limit our exposure by sharing less.

iCloud celebrity photo hack: What’s fappening?!

Via: Huffington Post

Just about a year after a plethora of celebrities’ nude photos were leaked online, two homes in south Chicago have been raided and investigators have named one of the suspected hackers. As this controversial story and investigation continues to unfold, Avast researchers have come up with a few speculations regarding the origin and motivation behind the initial hack. We’ve discussed the case with one of Avast’s security researchers, Filip Chytry, who has put in his two cents about the situation:

GR: Why might have Apple not flagged or investigated an IP address’ 572 iCloud logins and attempted password resets?

FC: “Putting it simply, Apple just doesn’t have security implemented on this level. Even though they might sound large to us, attempting to track this number of logins and attempts to reset passwords is similar to discovering a needle in a haystack when it comes to Apple’s ecosystem. To give you a better idea of what I mean, a group of users who are connecting via a VPN and using the same server will appear under a single IP address. On the other hand, it’s quite common these days for companies to implement an automatic system which is capable of detecting any source(s) of traffic. It could be an automatic system which is able to learn from daily traffic and, using gathered data, detect if there is an anomaly present (such as the one in this case). Another key factor relevant in this attack is the timeframe over which it took place. If the hackers had accessed the various accounts over a much shorter period of time, such as a few hours, it would have undoubtedly been a huge red flag for Apple.”

GR: Couldn’t it be that a neighbor or another person in a remote location could have used the two PCs as a bot to execute the hack, similar to what’s discussed in the Tweets published within this Fusion article? Could it be that someone took control of the two PCs or the routers they’re connected to and used them to perform the hack?

FC: “Although DNS hijacking could very well be the culprit here, the extended period of time over which the hacks occurred makes this possibility less likely. It’s my theory that the suspected hacker(s) could have accessed the login details of a certain database that was uploaded by other users on a warez forum. They could have then used these login details to execute the iCloud logins using a script.”

There are a handful of coincidental components present in this investigation, leaving many questions unanswered in terms of finding the true path that led to the celebrities’ photos getting leaked. To many of us, the main thing that seems fishy about the malicious attack is the fact that the potential hackers didn’t make use of an IP-masking or anonymizing tool, making them come across as rookies within the hacker world. Since the cybercriminals behind this case didn’t appear to be clever enough to anonymize themselves, it’s even possible that they had ulterior motive for performing the hack in the first place – perhaps to be noticed and/or admired by other individuals or businesses. Based off of the current facts, we’re highly interested in seeing which direction this malicious attack’s investigation will take next.

US blames China for massive data breach

The OPM is responsible for human resources for the federal government which means they are the collectors and holders of personal data on all federal employees.

Law enforcement sources close to the breach stated that a “foreign entity or government”  possibly Chinese was believed to be behind the attack, according to an article published in The Guardian.

It should be noted that the Chinese government stated that it was ‘not responsible’ and this conclusion was ‘counterproductive’.

The OPM carries out background checks on employees and holds data dating back to 1985. A successful attacker could gain access to records of past and present employees, with data that could even refer to retired employees and what they are doing now.

Regardless of whether you believe the continual finger pointing by one government at another, there are real people that are effected and protecting them and their identity should be the priority.

Alarmingly, an official said to Reuters that “Access to data from OPM’s computers, such as birth dates, Social Security numbers and bank information, could help hackers test potential passwords to other sites, including those with information about weapons systems”.

 

How to stay safe

While those of us who do not work for the government won’t have been affected by this breach, what can we do to protect ourselves identity theft?

  • Ensure your online accounts are not using the email address and a password that could be guessed from personal information, if you are then change the password.
  • Keep a close watch on your credit reports. This will help you identify if someone is using your identity to take a line of credit in your name. Most credit scoring agencies allow you to run a report for free at least once.
  • Spammers may send emails that look like they are coming from valid sources. Make sure to carefully scrutinize these emails – don’t click on links that look suspicious – and if in doubt contact the sending organization directly to ensure it’s an official communication.
  • Avoid using the same email address or identity across multiple online accounts. For example, have a primarily email address used for recovery of forgotten passwords and account information. Have a secondary email address for offline and online retail transactions. Have a third for financial accounts and sensitive information.
  • Avoid Cold Calls: If you don’t know the person calling then do not hand over payment or personal details. If in doubt, hang up and call the organization directly to establish you are talking to legitimate operators.
  • Set privacy Settings: Lock down access to your personal data on social media sites, these are commonly used by cybercriminals to socially engineer passwords. Try AVG PrivacyFix, it’s a great tool that will assist you with this.
  • Destroy documents: Make sure you shred documents before disposing of them as they can contain a lot of personal information.
  • Check statements and correspondence: Receipts for transactions that you don’t recognize could show up in your mail.
  • Use strong passwords and two factor authentication: See my previous blog post on this, complex passwords can be remembered simply!
  • Check that sites are secure: When you are sending personal data online, check that the site is secure – there should be a padlock in the address or status bar or the address should have a ‘https’ at the start. The ‘s’ stands for secure.
  • Updated security software: Always have updated antivirus software as it will block access to many phishing sites that will ask you for your personal data.

 

Also consider enlisting an identity monitoring service, commercial companies that have been breached often offer this reactively to the victims. Understanding where or if your identity is being abused in real time will give you the ability to manage issues as they happen.

The dummies guide to hacking Whatsapp

WhatsApp – the super popular messaging app (800 million users), acquired by Facebook for $20 billion, has done it again… After a bug that exposed restricted profile pictures, data encryption that can be breached in 3 minutes, and the use of IMEI (International Mobile Equipment Identity) as a cryptographic key (it’s like using your Social Security Number as a password), WhatsApp is yet again in the headlines for privacy concerns…

The latest story – hacking Whatsapp. As reported by The Hacker News, anyone can hack your WhatsApp account with just your number and 2 minutes alone with your phone…

This video, posted on YouTube, shows how a hacker answers an authenticating call, intercepts a secret PIN, and uses that to access a WhatsApp account he just created on another phone.

This is not tied to a bug or loophole – it is the way that WhatsApp was built.

Bottom line? Please be very careful whom you lend your phone to, and make sure you don’t leave it lying around. Even locked, a garden-variety hacker can access your WhatsApp account in 2 minutes.

The post The dummies guide to hacking Whatsapp appeared first on Avira Blog.