Saturday, December 29, 2018

Happy 9th Birthday, KrebsOnSecurity!

Hard to believe we’ve gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity.com!

This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed their knowledge, wit and wisdom in more than 10,000 comments.

Speaking of generous contributions, more than 100 readers have expressed their support in 2018 via PayPal donations to this site. The majority of those funds go toward paying for subscription-based services that KrebsOnSecurity relies upon for routine data gathering and analysis. Thank you.

Your correspondence and tips have been invaluable, so by all means keep them coming. For the record, I’m reachable via a variety of means, including email, the contact form on this site, and of course Facebook, LinkedIn, and Twitter (direct messages are open to all). For more secure and discreet communications, please consider reaching out via Keybase, Wicker (krebswickr), or Signal (by request).

Many of you have requested a redesign to make this site more mobile-friendly. We’d targeted for that to happen in 2018, but multiple unforeseen circumstances conspired to delay that project this year. Rest assured, that long-overdue change will be coming soon in 2019. Thanks for your patience.

Below are some of the most-read and commented-on enterprise stories throughout 2018, a year marked by a relentless onslaught of data breaches, data leaks and increasingly sneaky scams. It seems unlikely that 2019 will be any different, and while I will endeavor to keep readers abreast of the latest threats and trends, I’m also interested to hear what you would like to see more of in the coming year. So please sound off in the comments below or drop me a note.

By the way, if you’d prefer to keep up with KrebsOnSecurity posts via email, please consider signing up for the newsletter (expect ~3-4 emails per week).

Thanks again for your readership, encouragement and support. Happy New Year!

A Chief Security Concern for Executive Teams

What the Marriott Breach Says About Security

Half of All Phishing Sites Now Have the Padlock

Voice Phishing Scams Are Getting More Clever

Hanging Up on Mobile in the Name of Security

Google: Security Keys Neutralized Employee Phishing

Plant Your Flag, Mark Your Territory

Panerabread.com Leaks Millions of Customer Records

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers

Don’t Give Away Historical Details About Yourself



from
https://krebsonsecurity.com/2018/12/happy-9th-birthday-krebsonsecurity/

Sunday, December 23, 2018

Serial Swatter and Stalker Mir Islam Arrested for Allegedly Dumping Body in River

A 22-year-old man convicted of cyberstalking and carrying out numerous bomb threats and swatting attacks — including a 2013 swatting incident at my home — was arrested Sunday morning in the Philippines after allegedly helping his best friend dump the body of a housemate into a local river.

Suspects Troy Woody Jr. (left) and Mir Islam, were arrested in Manila this week for allegedly dumping the body of Woody’s girlfriend in a local river. Image:  Manila Police Dept.

Police in Manila say 22-year-old U.S citizens Mir Islam and Troy Woody Jr., 21, booked an Uber to pick them up at Woody’s condominium in Mandaluyong City, and when the driver arrived the two men stuffed a large box into the trunk of the vehicle.

According to the driver, Islam and Woody asked to be driven to a nearby shopping mall, but told the driver along the way to stop at a compound near the Pasig River in Manila, where the two men allegedly dumped the box before getting back in the Uber.

The Inquirier reports that authorities recovered the box and identified the victim as Tomi Michelle Masters, 23, also a U.S. citizen from Indiana who was reportedly dating Woody and living in the same condo. Masters’ Instagram profile states that she was in a relationship with Woody.

Brooklyn, NY native Islam, a.k.a. “Josh the God,” has a long rap sheet for computer-related crimes. He briefly rose to Internet infamy as one of the core members of UGNazi, an online mischief-making group that claimed credit for hacking and attacking a number of high-profile Web sites.

On June 25, 2012, Islam and nearly two-dozen others were caught up in an FBI dragnet dubbed Operation Card Shop. The government accused Islam of being a founding member of carders[dot]org — a credit card fraud forum — trafficking in stolen credit card information, and possessing information for more than 50,000 credit cards.

JoshTheGod’s (Mir Islam’s ) Twitter feed, in April 2012 warning fellow carding forum carderprofit members that the forum was being run by the FBI.

In June 2016, Islam was sentenced to a year in prison for an impressive array of crimes, including stalking people online and posting their personal data on the Internet. Islam also pleaded guilty to reporting phony bomb threats and fake hostage situations at the homes of celebrities and public officials (as well as this author).

At that 2016 sentencing, Islam’s lawyer argued that his client suffered from multiple psychological disorders, and that he and his co-conspirators orchestrated the swattings of a sense of “anarchic libertarianism.”

Islam was let out of prison under supervised release before serving the whole sentence, but soon was back inside after violating the terms of his release. Earlier this year, Islam filed a typosquatting lawsuit from prison that named Woody Jr. In that bizarre handwritten complaint (PDF), Islam refers to Woody variously as “TJ” and “Josh,” and says the two men were best friends and have known each other for eight years.

An anti-cybersquatting domain dispute filed by Mir Islam earlier this year while in jail. In it, Islam refers to Woody as “TJ” and says the two have been best friends for years.

Troy Woody Jr. describes himself as an “early crypto investor,” but sources say Woody — like Islam — was a core member of the UGNazi group who went by the nicknames “MrOsama,” and “Everlife.” His Instagram profile suggests he was in a relationship with Ms. Masters. Both are pictured in the first of the three large photos below, taken from Woody’s Instagram account.

The Instagram profile of Troy Woody Jr., a.k.a. “titled,” and “MrOsama,” one of two Americans arrested today for allegedly dumping a woman’s body in a Manila river. The woman pictured on the left is believed to the victim, identified as Woody’s condo roommate, Tomi Michelle Masters, 23.

People are innocent in proven guilty in a court of law, at least in the United States. But I can’t say any of this surprises me. Most I’ve encountered who were involved serial swatting and stalking attacks definitely had a few screws loose and were fairly scary individuals. Case in point: Tyler Barriss, the 25-year-old admitted serial swatter and stalker who pleaded guilty to a swatting attack last year that ended with police shooting and killing an innocent, unarmed man.



from
https://krebsonsecurity.com/2018/12/serial-swatter-and-stalker-mir-islam-arrested-for-allegedly-dumping-body-in-river/

Thursday, December 20, 2018

Feds Charge Three in Mass Seizure of Attack-for-hire Services

Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different “booter” or “stresser” sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.

The seizure notice appearing on the homepage this week of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites.

As of Thursday morning, a seizure notice featuring the seals of the U.S. Justice Department, FBI and other law enforcement agencies appeared on the booter sites, including:

anonsecurityteam[.]com
booter[.]ninja
bullstresser[.]net
critical-boot[.]com
defcon[.]pro
defianceprotocol[.]com
downthem[.]org
layer7-stresser[.]xyz
netstress[.]org
quantumnstress[.]net
ragebooter[.]com
request[.]rip
str3ssed[.]me
torsecurityteam[.]org
vbooter[.]org

Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.

Cameron Schroeder, assistant U.S. attorney for the Central District of California, called this week’s action the largest simultaneous seizure of booter service domains ever.

“This is the biggest action U.S. law enforcement has taken against booter services, and we’re doing this in cooperation with a large number of industry and foreign law enforcement partners,” Schroeder said.

Booter services are typically advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

But experts say today’s announcement shreds that virtual fig leaf, and marks several important strategic shifts in how authorities intend to prosecute booter service operators going forward.

“This action is predicated on the fact that running a booter service itself is illegal,” said Allison Nixon, director of security research at Flashpoint, a security firm based in New York City. “That’s a slightly different legal argument than has been made in the past against other booter owners.”

For one thing, the booter services targeted in this takedown advertised the ability to “resolve” or determine the true Internet address of a target. This is especially useful for customers seeking to harm targets whose real address is hidden behind mitigation services like Cloudflare (ironically, the same provider used by most of these booter services to withstand attacks by competing booter services).

Some resolvers also allowed customers to determine the Internet address of a target using nothing more than the target’s Skype username.

“You don’t need to use a Skype resolver just to attack yourself,” assistant U.S. Attorney Schroeder said. “Clearly, the people running these booter services know their services are being used not by people targeting their own infrastructure, and have built in capabilities that specifically allow customers to attack others.”

Another important distinction between this week’s coordinated action and past booter site takedowns was that the government actually tested each service it dismantled to validate claims about attack firepower and to learn more about how each service conducted assaults.

In a complaint unsealed today, the Justice Department said that although FBI agents identified at least 60 different booter services operating between June and December 2018, they discovered not all were fully operational and capable of launching attacks. Hence, the 15 services seized this week represent those that the government was able to use to conduct successful, high-volume attacks against their own test sites.

“This is intended to send a very clear message to all booter operators that they’re not going to be allowed to operate openly anymore,” Nixon said. “The message is that if you’re running a DDoS-for-hire service that can attack an Internet address in such a way that the FBI can purchase an attack against their own test servers, you’re probably going to get in trouble.”

DOWN THEM ALL

Charged in a Los Angeles federal court this week were the alleged operators of “Downthem” — a booter service the government says helped some 2,000 customers launch debilitating digital assaults at more than 200,000 targets, including many government, banking, university and gaming Web sites.

Prosecutors say that in addition to running and marketing Downthem, defendants Matthew Gatrel and Juan Martinez sold huge, continuously updated lists of Internet addresses tied to devices that could be used by other booter services to make attacks far more powerful and effective.

The user interface for Downthem[.]org, one of 15 booter sites seized by the feds today.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

The government alleges that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

Schroeder said the government is arguing that the use of these third-party servers in reflective amplification attacks can be prosecuted under existing wire fraud and computer trespass laws.

“Certainly [booter service operators] don’t have permission from all of those other devices owners to use the devices and their bandwidth to direct these attacks,” she said. “We look at it as a wire fraud violation because essentially they’re stealing property from upstream providers and using their resources to conduct these attacks. There are also multiple ways we can show this is pretty clearly not lawful under the Computer Fraud and Abuse Act.”

Prosecutors further allege Gatrel resold his booter services to other booter operators, including Quantum Stresser — one of the 15 services seized by the government this week. The alleged operator of that service, Pennsylvania resident David Bukoski, was charged in the District of Alaska this week for aiding and abetting computer intrusions.

Investigators say Bukoski’s booter service was among the longest running services targeted by the FBI, operating since at least 2012. An indictment against Bukoski unsealed this week maintains Quantum Stresser had over 80,000 customer subscriptions, and that during 2018 the service was used to conduct over 50,000 actual or attempted attacks targeting people and networks worldwide.

According to the government, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution; seizure of computers or other electronics; significant prison sentences; a penalty or fine.

Schroeder said the government understands this week’s takedowns aren’t going to solve the booter problem once and for all, and that other booter services will likely spring up in the wake of those dismantled this week. But she said the arrests and seizures have helped built a template that the government can use in tandem with its industry partners to shorten the lifespan of new booter services and to bring those responsible to justice.

“We certainly don’t expect this problem to go away after this,” Schroeder said. But this is an attempt to build a strategic approach to this problem, to look at it in a more systemic way and deal with it on a much larger scale.”

This is a developing story and may be updated throughout the day. Any substantive updates will be noted here with a timestamp.



from
https://krebsonsecurity.com/2018/12/feds-charge-three-in-mass-seizure-of-attack-for-hire-services/

Wednesday, December 19, 2018

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.



from
https://krebsonsecurity.com/2018/12/microsoft-issues-emergency-fix-for-ie-zero-day/

Tuesday, December 18, 2018

A Chief Security Concern for Executive Teams

Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, less than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.

KrebsOnSecurity reviewed the Web sites for the global top 100 companies by market value, and found just five percent of top 100 firms listed a chief information security officer (CISO) or chief security officer (CSO). Only a little more than a third even listed a CTO in their executive leadership pages.

The reality among high-tech firms that make up the top 50 companies in the NASDAQ market was even more striking: Fewer than half listed a CTO in their executive ranks, and I could find only three that featured a person with a security title.

Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of these companies via LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).

But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all three roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

Julie Conroy, research director at the market analyst firm Aite Group, said she initially hypothesized that companies with a regulatory mandate for strong cybersecurity controls (e.g. banks) would have this role in their executive leadership team.

“But a quick look at Bank of America and Chase’s websites proved me wrong,” Conroy said. “It looks like the CISO in those firms is one layer down, reporting to the executive leadership.”

Conroy says this dynamic reflects the fact that revenue centers like human capital and the ability to drum up new business are still prioritized and valued by businesses more than cost centers — including loss prevention and cybersecurity.

“Marketing and digital strategy roles drive top line revenue for firms—the latter is particularly important in retail and banking businesses as so much commerce moves online,” Conroy said. “While you and I know that cybersecurity and loss prevention are critical functions for all types of businesses, I don’t think that reality is reflected in the organizational structure of many businesses still. A common theme in my discussions with executives in cost center roles is how difficult it is for them to get budget to fund the tech they need for loss prevention initiatives.”

EXHIBIT A: EQUIFAX

Common or not, the dominant reporting structure in corporations runs the risk of having security concerns take a backseat when they get in the way of productivity, and often leaves the security team without someone to advocate for the proper budget.

Take the mega breach at Equifax last year that exposed the personal and financial data on 148 million people. Much blame has been placed on lax software patching practices at Equifax, but the cause of the intrusion was ultimately a people and organizational structure issue, argues Lance Spitzner, director of security awarness at the SANS Institute.

“When you bring up the Equifax breach, most people respond that it was a patching issue, the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched,” Spitzner wrote in a breakdown of a damning report released last week by lawmakers on the House Oversight committee.

But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer.  IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.

The reason for this organizational divide? Spitzner notes:

“Ten years prior, the CSO reported to the CIO, however they had strong personality conflicts.  Since the two could not work together, the CSO was moved under legal.  However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved.  (Full details of this strategic failure start on page 55 of the report. I feel this is one of the most critical findings.)  As a result, the CSO is now the CISO and that individual reports directly to the CEO at Equifax today.”

Indeed, despite its myriad security and management foibles since announcing its historic data breach last September, Equifax has apparently taken this particular lesson to heart. Prior to announcing its breach last year, a CISO or CSO was noticeably absent from the ranks of Equifax’s Corporate Leadership page. Not anymore. Here’s looking at you, Experian and Trans Union.

EXECUTIVE SILOS

Workforce experts say the main reason many firms don’t list their security leaders within their top executives is that these people typically do not report directly to the company’s board of directors or CEO. More commonly, the CSO or CISO reports to the CTO, or to the chief information officer.

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play,” said Anthony Belfiore, chief security officer for insurance company Aon PLC, in a Wall Street Journal story this month about the rising prominence of security leaders at major companies.

Source: Accenture.

Alissa Valentina Knight, senior analyst and colleague of Conroy’s at the Aite Group, said we’re in the middle of a changing of tides — where the CISO function once seen as a technology problem is now moving to a boardroom problem and bringing about a gradual shift in reporting structure.

“Historically, you’d see the CISO reporting to the CTO and despite the company having a CISO, that individual wasn’t listed on the company’s web site, [and] while they had an officer title, they weren’t given that privilege,” Knight said.

But she added that many companies — despite having a CISO — will not list them on their web site’s leadership team page, even when that reporting structure changes from the CTO to the CEO or Board of Directors.

“Some companies are even moving the cybersecurity function to report up through the CFO,” Knight said.

According to a survey released this summer by Accenture, two-thirds of companies said their chief executive and board of directors now have direct oversight of cybersecurity. The survey also found CIOs also had less control over cybersecurity budgets in 2018, 35 percent in 2017 to 29 percent this year, the survey found.

Companies can minimize conflict between the CSO/CISO and other top executives by having their security leader(s) report to the head of operations, or to the company’s general counsel, Belfiore told The Journal. For example, those that have CISOs reporting to CIOs can mix in reporting lines to legal, risk or the CEO office to offset potential conflicts.

*Calculated based on number of top 100 companies with available leadership data (see these Top 100 and Top 50 spreadsheets).



from
https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/

Thursday, December 13, 2018

Spammed Bomb Threat Hoax Demands Bitcoin

A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day.

Sources at multiple U.S. based financial institutions reported receiving the threats, which included the subject line, “I advise you not to call the police.”

The email reads:

My man carried a bomb (Hexogen) into the building where your company is located. It is constructed under my direction. It can be hidden anywhere because of its small size, it is not able to damage the supporting building structure, but in the case of its detonation you will get many victims.

My mercenary keeps the building under the control. If he notices any unusual behavior or emergency he will blow up the bomb.

I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat -I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.

Here is my Bitcoin address : 1GHKDgQX7hqTM7mMmiiUvgihGMHtvNJqTv

You have to solve problems with the transfer by the end of the workday. If you are late with the money explosive will explode.

This is just a business, if you don’t send me the money and the explosive device detonates, other commercial enterprises will transfer me more money, because this isnt a one-time action.

I wont visit this email. I check my Bitcoin wallet every 35 min and after seeing the money I will order my recruited person to get away.

If the explosive device explodes and the authorities notice this letter:
We are not terrorists and dont assume any responsibility for explosions in other buildings.

The bitcoin address included in the email was different in each message forwarded to KrebsOnSecurity. In that respect, this scam is reminiscent of the various email sextortion campaigns that went viral earlier this year, which led with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid.

I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email.

“There are several serious legal problems with this — people will be calling the police, and they cannot ignore even a known hoax,” said Jason McNew, CEO and founder of Stronghold Cyber Security, a consultancy based in Gettysburg, Pa.

This is a developing story, and may be updated throughout the day.



from
https://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/

Wednesday, December 12, 2018

Scanning for Flaws, Scoring for Security

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.

Image: US Chamber of Commerce.

For years, potential creditors have judged the relative risk of extending credit to consumers based in part on the applicant’s credit score — the most widely used being the score developed by FICO, previously known as Fair Isaac Corporation. Earlier this year, FICO began touting its Cyber Risk Score (PDF), which seeks to measure an organization’s chances of experiencing a data breach in the next 12 months, based on a variety of measurements tied to the company’s public-facing online assets.

In October, FICO teamed up with the U.S. Chamber of Commerce to evaluate more than 2,500 U.S. companies with the Cyber Risk Score, and then invited these companies to sign up and see how their score compares with that of other organizations in their industry. The stated use cases for the Cyber Risk Score include the potential for cyber insurance pricing and underwriting, and evaluating supply chain risk (i.e., the security posture of vendor partners).

The company-specific scores are supposed to be made available only to vetted people at the organization who go through FICO’s signup process. But in a marketing email sent to FICO members on Tuesday advertising its new benchmarking feature, FICO accidentally exposed the FICO Cyber Risk Score of energy giant ExxonMobil.

The marketing email was quickly recalled and reissued in a redacted version, but it seems ExxonMobil’s score of 587 puts it in the “elevated” risk category and somewhat below the mean score among large companies in the Energy and Utilities sector, which was 637. The October analysis by the Chamber and FICO gives U.S. businesses an overall score of 687 on a scale of 300-850.

Data accidentally released by FICO about the Cyber Risk Score for ExxonMobil.

How useful is such a score? Mike Lloyd, chief technology officer at RedSeal, was quoted as saying a score “taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street.”

“You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside,” Lloyd told Dark Reading regarding the Chamber/FICO announcement in October.

Naturally, combining external scans with internal vulnerability probes and penetration testing engagements can provide organizations with a much more holistic picture of their security posture. But when a major company makes public, repeated and prolonged external security foibles, it’s difficult to escape the conclusion that perhaps it isn’t looking too closely at its internal security either.

ENTIRELY, CERTIFIABLY PREVENTABLE

Too bad the errant FICO marketing email didn’t expose the current cyber risk score of big-three consumer credit bureau Equifax, which was relieved of personal and financial data on 148 million Americans last year after the company failed to patch one of its Web servers and then failed to detect an intrusion into its systems for months.

A 96-page report (PDF) released this week by a House oversight committee found the Equifax breach was “entirely preventable.” For 76 days beginning mid May 2017, the intruders made more than 9,000 queries on 48 Equifax databases.

According to the report, the attackers were able to move the data off of Equifax’s network undetected thanks to an expired security certificate. Specifically, “while Equifax had installed a tool to inspect network traffic for evidence of malicious activity, the expired certificate prevented that tool from performing its intended function of detecting malicious traffic.”

Expired certificates aren’t particularly rare or noteworthy, but when they persist in publicly-facing Web servers for days or weeks on end, it raises the question: Is anyone at the affected organization paying attention at all to security?

Given how damaging it was for Equifax to have an expired certificate, you might think the company would have done everything in its power to ensure this wouldn’t happen again. But it would happen again — on at least two occasions earlier this year.

In April 2018, KrebsOnSecurity pointed out that the Web site Equifax makes available for consumers who wish to freeze their credit files was using an expired certificate, causing the site to throw up a dire red warning page that almost certainly scared countless consumers away from securing their credit files.

It took Equifax two weeks to fix that expired cert. A week later, I found another expired certificate on the credit freeze Web portal for the National Consumer Telecommunications and Utilities Exchange — a consumer credit bureau operated by Experian.

ARE YOU EXPERIANSED?

One has to wonder what the median FICO Cyber Risk Score is for the credit bureau industry, because whatever Equifax’s score is it can’t be too different from that of its top competitor — Experian, which is no stranger to data breaches.

On Tuesday, security researcher @notdan tweeted about finding a series of open directories on Experian’s Web site. Open directories, in which files and folders on a Web server are listed publicly and clickable down to the last file, aren’t terribly uncommon to find exposed on smaller Web sites, but they’re not the sort of oversight you’d expect to see at a company with the size and sensitivity of Experian.

A directory listing that exposed a number of files on an Experian server.

Included in one of the exposed directories on the Experian server were dozens of files that appeared to be digital artifacts left behind by a popular Web vulnerability scanner known as Burp Suite. It’s unclear whether those files were the result of scans run by someone within the company, or if they were the product of an unauthorized security probe by would-be intruders that somehow got indexed by Experian’s servers (the latter possibility being far more concerning).

Experian did not respond to requests for comment, and the company disabled public access to the directories shortly after other researchers on Twitter began piling on to @notdan’s findings with their own discoveries.

Evidence of data left behind by a Burp Suite Web vulnerability scan run against an Experian server.

As I noted in last week’s story on the 4-year-long breach at Marriott that exposed personal and financial data on some 500 million guests, companies that have their heads screwed on correctly from an information security standpoint are run by leaders who are expecting the organization will get breached constantly through vulnerabilities, phishing and malware attacks.

They’re continuously testing their own internal networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). They are finding creative ways to cut down on the volume of sensitive data that they need to store and protect. And they are segmenting their networks like watertight compartments in a ship, so that a breach in one part of the organization’s digital hull can’t spread to the rest of the vessel and sink the whole ship (it’s worth noting the House oversight report observed that the lack of network segmentation was a major contributor to the Equifax breach).

But companies with advanced “security maturity” also are regularly taking a hard look at what their outward-facing security posture says to the rest of the world, fully cognizant that appearances matter — particularly to ne’er-do-wells who tend to view public security weaknesses like broken windows, and as an invitation to mischief.



from
https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/

Tuesday, December 11, 2018

Patch Tuesday, December 2018 Edition

Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.

Microsoft patched a zero-day flaw that is already being exploited (CVE-2018-8611) and allows an attacker to elevate their privileges on a host system. The weakness, which is present on all support versions of Windows, is tagged tagged with the less severe “important” rating by Microsoft mainly because it requires an attacker to be logged on to the system first.

According to security firm Rapid7, other notable vulnerabilities this month are in Internet Explorer (CVE-2018-8631) and Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is flaw in all supported versions of PowerPoint which is also likely to be used by attackers.

It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

For its part, Adobe’s got new versions of Adobe Reader and Adobe Acrobat that plug dozens of security holes in the programs. Also, last week Adobe issued an emergency patch to fix a zero-day flaw in Flash Player that bad guys are now using in active attacks.

Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Ask Woody’s summary.

Ghacks writeup on December 2018 Patch Tuesday.

Qualys’s take.

Ivanti Patch Tuesday Webinar, 11 a.m. ET, Dec. 12.



from
https://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/

Monday, December 10, 2018

How Internet Savvy are Your Leaders?

Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it become clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.

Image: Better Business Bureau.

The letter I tweeted about was from a company called Web Listings Inc., and it said I should pay a $85 charge for an “annual web site search engine” service.

The first clue that this was probably a scam was the letter said halfway down in capital letters “THIS IS NOT A BILL,” although it sure was made to look like one. Also, the domain it referenced was “fuckbriankrebs.com,” which was indeed registered using my street address but certainly not by me.

The sad truth is plenty of organizations *are* paying the people behind this charade, which is probably why Web Listings has been running it continuously for more than a decade. Most likely that’s because some percentage of recipients confuse this notice with a warning about a domain name they own that is about to expire and needs to be renewed.

We know plenty of people are getting snookered thanks to searchable online records filed by a range of political campaigns, towns, cities and municipalities — all of which are required to publicly report how they spend their money (or at least that of their constituents).

According to a statement filed with the Federal Election Commission, one of the earliest public records involving a payment to Web Listings dates back to 2008 and comes from none other than the the 2008 Hillary Clinton for President fund.

The documents unearthed in this story all came compliments of Ron Guilmette, a most dogged and intrepid researcher who usually spends his time tracking down and suing spammers. Guilmette said most of the public references he found regarding payments to Web Services Inc. are from political campaigns and small towns.

“Which naturally raises the question: Should we really be trusting these people with our money?” Guilmette said. “What kind of people or organizations are most likely to pay a bill that is utterly phony baloney, and that actually isn’t due and payable? The answer is people and organizations that are not spending their own money.”

Also paying $85 (PDF) to Web Listings was the 2015 campaign for Democrat Jim Kenney, the current mayor of Philadelphia.

A fund for the New York City Council campaign of Zead Ramadan (D) forked over $85 to Web Listings in 2013.

Also in 2013, the Committee to Elect Judge Victor Heutsche (D) paid $85 to keep his Web site in good standing with Web Listings. Paul T. Davis, a former Democratic state representative from Kansas handed $85 (PDF) to Web Listings in 2012.

Image: Better Business Bureau.

Lest anyone think that somehow Democratic candidates for office are more susceptible to these types of schemes, a review of the publicly-searchable campaign payments to Web Listings Inc. uncovered by Guilmette shows a majority of them were for Web sites supporting Republican candidates.

The Friends of Mike Turzai committee spent $65 in 2010 on the GOP Representative from Pennsylvania.

The fundraising committee for Republican Dick Black‘s 2012 campaign for the Virginia Senate also paid Web Listings Inc. $85. The campaign to elect Ben Chafin as a Republican delegate in Virginia in 2013 also paid out

Robert Montgomery, a former GOP state representative in Kansas, paid $85 (PDF) to Web Listings in 2012.

Those in charge of the purse strings for the “Friends of GOP New York State Senator Tom Croci” fund paid $65 in 2011 to keep his political Web site full of search engine goodness.

Paying $85 each to Web Listings in 2012 were the judicial campaigns for Louisiana GOP Judge John Slattery, and Lynn Donald Stewart, who successfully got re-elected to the Nevada state assembly that year.

Perhaps the most reliable customers of Web Listings’ dubious services have been cities, towns and municipalities across the United States. Somehow, the people in charge of the purse strings for Simpson County, Kentucky paid $85 notices from Web Listings Inc. three years in a row (2016, 2017 and 2018).

Other state and local governments that paid Web Listings for their imaginary services include El Paso County in Texas; the city council of Watertown, S.D.; the City of Cudahy, Wisconsin; the Village of Bedford Park in Cook County, Illinois; the city council in Osawatomie, Kansas; the board of supervisors in Clarke County, Iowa; Lake County, Colorado; the Morenci Areas Schools in Morenci, Michigan. 

Guilmette even found a number of bankruptcy cases where a creditor named “Web Listings, Inc.” was listed, with an amount owed being either the old price of $65.00 or else the new price of $85.00, including a creditor in the University General Health System, Inc. et. al. bankruptcy (PDF); Blue Ridge Wood Products Inc.; and an organization called Advanced Solids Control LLC (PDF). 

A review of the complaints about Web Listings Inc. left over the past few years at the Better Business Bureau suggests that many recipients of this scam are confusing the mailer with a late payment notice from their domain registrar. As such, it’s likely this phony company has scammed a ridiculous number of consumers over the years, Guilmette observed.

“I’m sure they’ve conned a zillion other people who were spending their own money,” he said. “These are only the ones for which public records are available online.”

Stay tuned for Part Two of this story, which will look at some clues about who may be responsible for this long-running racket.



from
https://krebsonsecurity.com/2018/12/how-internet-savvy-are-your-leaders/

Friday, December 7, 2018

Bomb Threat Hoaxer, DDos Boss Gets 3 Years

The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions — has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.

George Duke-Cohan, 19, caused a massive uproar earlier this year after communicating a series of bomb threats against 1,700 schools, colleges and universities across the United Kingdom. But shortly after being arrested on suspicion of the threats and released, Duke-Cohan was back at it again — this time expanding his threats to include schools in the United States.

One of many tweets from the attention-starved Apophis Squad, which launched multiple DDoS attacks against KrebsOnsecurity over the past few months.

At the same time, authorities in the U.K. and U.S. discovered that Duke-Cohan was responsible for falsely reporting the hijack of a plane bound for the United States. That flight, which had almost 300 passengers on board, was later quarantined in San Francisco pending a full security check.

Duke-Cohan was part of an attention-seeking group of ne’er-do-wells who called themselves the Apophis Squad. Duke-Cohan and his crew modeled themselves after the actions of the Lizard Squad, another group of e-fame seeking online hoodlums who also ran a DDoS-for-hire service, called in bomb threats to airlines, DDoSed this Web site repeatedly and whose members were nearly all subsequently arrested and charged with various cybercrimes.

Indeed, until recently the Apophis Squad’s Web site and DDoS-for-hire service was hosted on the same Internet server used by a handful of other domains that were tied to the Lizard Squad.

Earlier this year, KrebsOnSecurity.com came under sustained attack from the Apophis Squad, who took to Twitter to taunt this author while the attacks were underway. Duke-Cohan and other Apophis Squad members also attacked the free email service Protonmail, even as all of them continued to use their Protonmail accounts to communicate about the attacks.

KrebsOnSecurity assisted Protonmail in its investigation into the attacks, and the company later credited this author with helping to identify Duke-Cohan as the driving force behind the DDoS attacks.

Sources close to the investigation say Duke-Cohan may yet see additional charges from U.S.-based authorities. Also, several other members identified by this author as alleged co-conspirators along with Duke-Cohan have not yet been charged with a crime either in the U.K. or in the United States.

It’s not always fun when your site isn’t responsive because of determined attacks from groups like the Apophis Squad, but I try not to get too bent out of shape when these attacks do occur — mainly for two reasons: Firstly, those responsible typically end up getting busted and going to jail. Also, I usually get at least one good story out of it. In this case, make that two good stories.

Further reading:

Schools Bomb Hoaxes: Teenager Jailed for Nationwide Threats



from
https://krebsonsecurity.com/2018/12/bomb-threat-hoaxer-ddos-boss-gets-3-years/

Tuesday, December 4, 2018

A Breach, or Just a Forced Password Reset?

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case. Here’s a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.

The notice sent to ShareFile users looked like this:

Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn’t understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.

I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.

A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by support authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).

More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using multi-factor authentication. To wit:

“This is not in response to a breach of Citrix products or services,” wrote spokesperson Jamie Buranich. “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attacker’s additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls [emphasis added]. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”

The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended the National Institute of Standards and Technology (NIST), which warns:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

NIST explains its rationale for steering organizations away from regular forced password resets thusly:

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”

“But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”

In short, NIST says it makes sense to force an across-the-board password reset following a breach — either of a specific user’s account or the entire password database. But doing so at regular intervals absent such evidence of compromise is likely to result in less complex and secure passwords.

Ideally, ShareFile users who received a password reset notice can avoid the next round of password resets by adopting one of the two-step authentication options mentioned above. And I hope it goes without saying, but please don’t re-use a password you used anywhere else.

However, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Incidentally, there are several companies — such as auth0 and Okta — that make it easy to integrate with breached password databases like Troy Hunt’s HaveIBeenPwned.com to help proactively prevent users from picking passwords they have used at other sites (or at least at other sites that have been breached publicly).

Whether online merchants are willing to adopt such preemptive approaches is another matter, said Julie Conroy, research director with the Aite Group, a market analyst firm.

“With the reality that such a vast swath of username/password combinations have been compromised, this creates the potential for a ton of inline friction, something that is an anathema to merchants, and which banks work hard to stay away from as well,” Conroy said.

Update: 4:53 p.m. ET: Citrix just published its own blog post about this here.



from
https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/

Monday, December 3, 2018

Jared, Kay Jewelers Parent Fixes Data Leak

The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers.

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.

Dallas-based Web designer Brandon Sheehy discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

Sheehy said after discovering the weakness, his mind quickly turned to the various ways that crooks might exploit it.

“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” he said. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”

Concerned that his own information was similarly exposed, Sheehy contacted Jared parent company Signet Jewelers and asked them to fix the data exposure. When several weeks passed and Sheehy could still view his information and that of other Jared customers, he reached out to KrebsOnSecurity.

Scott Lancaster, chief information security officer at Signet, said the company did fix the problem for all future orders shortly after receiving a customer’s complaint. But Lancaster said Signet neglected to remedy the data exposure for all past orders until contacted by KrebsOnSecurity.

“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”

Lancaster said the problem affected only orders made online through jared.com and kay.com, and that the weakness was not present on the sites of the company’s other jewelry brands, such as Zales and Piercing Pagoda.

Data exposures like these are some of the most common yet preventable for online retailers. In July, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Sheehy said he’s glad Signet has fully fixed the bug, but said he was annoyed that it seems like many companies fail to address or even acknowledge such failures unless and until they’re confronted by the news media.

“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”



from
https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/

Saturday, December 1, 2018

What the Marriott Breach Says About Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised.

By the way, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

The assume you’re compromised” philosophy involves freezing your credit files with the major credit bureaus, and regularly ordering free copies of your credit file from annualcreditreport.com to make sure nobody is monkeying with your credit (except you).

It means planting your flag at various online services before fraudsters do it for you, such as at the Social Security Administration, U.S. Postal Service, Internal Revenue Service, your mobile provider, and your Internet service provider (ISP).

Assuming compromise means placing very little trust or confidence in anything that comes to you via email. In the context of this Marriott/Starwood breach, for example, consider all the data points that attackers may now have to make a phishing or malware attack more likely to be successful: Your Starwood account number, your address, phone number, email address, passport number, dates and times of your reservations, and credit card information.

How hard would it be for someone to craft an email that warns of a problem with a recent reservation or with your Starwood account, urging you to click a booby trapped link or attachment to learn more? Now imagine that such targeted emails can come from any brand with whom you’ve done business (for a refresher, see Reality #2 above).

Assuming you’re compromised means beefing up your passwords by adopting more robust multi-factor authentication — and perhaps even transitioning away from SMS/text messages for multifactor toward more secure app- or key-based options.

TOUGH TRADE-OFFS

If the advice above sounds inconvenient, unfair and expensive for all involved, congratulations: You are well on your way to internalizing Realities #1 and #2. For better or worse, being a savvy consumer means constantly having to make difficult trade-offs between security, privacy, and convenience.

Oh, and you generally only get to pick two out of three of these qualities. Same goes for the trio of high-speed, high-quality, and low-cost. Or good, fast, and cheap. Again, pick two. You get the idea.

Unfortunately, these transactions become even more lopsided and difficult to weigh when one party to them always selects the same trade-off (e.g., fast, low-cost, and convenient). Right now, it sure seems like there aren’t a lot of consequences when huge companies that ought to know better screw up massively on security, leaving consumers and their paying customers to clean up the mess.

I don’t know how many more big-time privacy and security debacles we need to convince our nation’s leaders that perhaps we should enshrine in law some basic standards of care for how companies handle and secure consumer data, and what rights and expectations consumers should have when companies fail to meet those standards. Because it’s clear that unless and until this happens, some subset of businesses out there will continue to make the most expedient and short-sighted trade-offs available to them, regardless of the impact to their customers and the public at large.

On this point, as with many others related to Internet security and privacy, I found it hard to argue with the opinion of my home state Senator Mark Warner (D-Va.), who observed:

“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”



from
https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/