Security Alert

November 8, 2018 by Joseph Martin

Yahoo has the dubious honor of having been on the receiving end of the largest data breach in history. As a consequence, the company has recently agreed to pay $50 million in damages and provide free credit monitoring services to its impacted users.

The company actually suffered a pair of breaches in 2013 and in 2014, although this information was not disclosed by the company until 2016. All of the company’s 3 billion users were impacted, and more than 200 million of them saw losses arising from that breach.

The compromised data included: usernames, email addresses, dates of birth, security questions (and their answers) backup email addresses, and phone numbers exposed.

The particulars of the settlement are as follows:

Yahoo pays $50 million to users whose accounts were compromised

Yahoo pays $35 million in legal fees

People who paid for a $20 or $50 a year for a Yahoo Premium account will be eligible for a 25 percent refund

People who had their email accounts compromised will be compensated $25 per hour for the time they spent handling issues related to the breach. Although in this case, users with documentation will see their compensation limited to a maximum of fifteen hours, while users without documentation will be limited to a maximum of five hours of compensation

Any impacted user can request free credit monitoring, which the company will offer for two years

Verizon, which acquired Yahoo in 2017, will pay for half of the settlement cost. Meanwhile, Altaba (the company that arose from the remainder of the original Yahoo business) will pay the $35 million fine imposed by the US Securities and Exchange Commission for the company’s failure to disclose the breach to its investors.

It’s a landmark case, and once the deal gets final approval, notices will be emailed to affected account holders and published in People and National Geographic magazines.

Joseph Martin

President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.

October 31, 2018 by Joseph Martin

Anthem is one of the largest insurance providers in the United States. Unfortunately in 2015, they had the dubious honor of suffering the largest health data breach in history. It left protected health information of nearly 79 million of their customers exposed.

As a result, a division of the US Department of Health and Human Services called the Office for Civil Rights (OCR), levied the largest fine against the company in the agency’s history. They were fined a staggering sixteen million dollars.

An investigation into the matter revealed that Anthem had not put sufficient safeguards in place to protect patient data. As a result, hackers were able to breach the system via a phishing attack and make off with customer names, addresses, dates of birth, social security numbers, email addresses and employment information.

The Director of OCR, Roger Serverino, had this to say:

“The largest health data breach in US history fully merits the largest HIPAA settlement in history. Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Tim Sadler, the CEO of Tessian, added the following:

“During the three years since the Anthem breach took place, spear-phishing attacks have increased significantly in their indistinguishability and effectiveness. Yet human error has remained inherent, inevitable, and largely ignored as a security vulnerability by organizations.”

He concluded his remarks by pointing out that advanced AI algorithms and machine learning could be employed to help spot the kinds of attacks used to such great effect against Anthem, in order to minimize the risks going forward.

If your business is in any way connected to the healthcare industry, this approach certainly bears further investigation.

Joseph Martin

October 27, 2018 by Joseph Martin

You probably haven’t heard of the Centers for Medicare and Medicaid Systems.

They’re a low-profile division of the Department of Health and Human Services responsible for administering the Affordable Care Act.

Recently, the company announced that they detected anomalous activity in the systems related to the healthcare.gov website that brokers and insurance agents use to assist people who apply for healthcare coverage.

The abnormal activity was detected in the Federally Facilitated Exchange system, and the direct enrollment pathway in particular. This is connected to (but separate from) the healthcare.gov website itself.

A statement issued by the Centers for Medicare and Medicaid Systems said:

“At this time, we believe that approximately 75,000 individuals’ files were accessed. While this is a small fraction of the consumer records present on the FFE, any breach of our system is unacceptable… We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information.”

CMS made it clear that their investigation into the matter was still in its earliest stages.

They did offer the following additional information:

“Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify federal law enforcement. We are actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information.”

Additionally, CMS stated that they identified the broker accounts that were associated with the anomalous activity and deactivated them out of an abundance of caution.

At some point in the near future, we can expect that CMS will be contacting those whose data was compromised and providing them with a series of next steps. The agency is already moving to bolster their security measures and promises that they’ll have them in place before the end of October 2018.

If you’ve used the healthcare.gov portal and required the assistance of a broker or insurance agent to get coverage for yourself and your family, there is a small chance your data may have been compromised. However, at this point, there’s no way to be certain. Be on the lookout for a communication from CMS in the near future, however, just in case.

Joseph Martin

October 20, 2018 by Joseph Martin

As many as 30,000 people made up of a mix of both civilian and military personnel have had their personal and financial information exposed. This exposure is what has been reported as a major security breach of the Pentagon.

This is proof positive that no organization is safe from watchful hackers scattered all around the world.

The Associated Press report on the incident includes:

“The department is continuing to gather additional information about the incident, which involves the potential compromise of Personally Identifiable Information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the department. This vendor was performing a small percentage of the overall travel management services of the DoD…The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel.”

While there’s no good time for a data breach like this, it couldn’t have come at a worse time. The Government Accountability Office (GAO) had issued a scathing report of critical vulnerabilities in virtually all of the weapons systems programs the agency currently runs.

A small excerpt of the report reads as follows:

“One test report indicated that the test team was able to guess an administrator password in nine seconds…Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges for that software.”

It gets worse. When confronted with the findings of the report, Pentagon officials dismissed the report as being unrealistic.

Clearly, there was something to the report, or this breach would not have happened. The hope is that it will be sufficient to cause Pentagon officials to do some soul searching and reevaluate their positions. If not, you can bet that something like this will happen again.

Joseph Martin

October 10, 2018 by Joseph Martin

Symantec’s most recent statistics have revealed a disturbing trend. Malware designed to compromise checkout pages is seeing a big spike in use, with the company reporting a staggering 248,000 attempts since August 13th of this year, with more than a third of them (36 percent) between September 13th through September 20th. As disturbing as those numbers are, that’s just the tip of the iceberg.

As Symantec notes on their website:

“If we compare the week of September 13 to 20 to the same week in August, the number of instances of formjacking attacks blocked by Symantec more than doubled, jumping from just over 41,000 to almost 88.500 – a percentage increase of 117 percent.”

Leading the surge is a particularly nasty strain of malware known as “Magecart.” Magecart campaigns are quite robust that begin by breaching the target website, then injecting malicious scripts into it that are designed to scrape card details and other customer information provided during the checkout process. This is an attack that’s alternately known as formjacking, payment card scraping, and web-based skimming.

Symantec isn’t the only company to take note of the trend. RiskIQ has been sink holing domains associated with Magecart infrastructure for much of the month and alerting companies compromised by Magecart attacks as they find them.

Kevin Beaumont, an independent security researcher, had this to say via Twitter :

“#TrackingMagecart I’ve updated the IoCs to double the number of domains, now tracking over 1000 objects – some of the domains have now been sink holed. Recommend InfoSec vendors block/flag domains.”

Magecart isn’t new. Security researchers have been tracking it since 2015, and independent researcher Willem de Groot has created a malware scanning website called MageReport, which allows business owners to check to see if their Magento-based webshop is vulnerable to this type of attack. If you think you might be, it certainly bears making use of.

At present, the one thing that’s not known is the reason behind the sudden spike. Only that it’s happening.

Joseph Martin

October 9, 2018 by Joseph Martin

According to this year’s Traveler’s Risk Index, published by The Traveler’s Indemnity Company, a majority of business owners have a somewhat fatalistic view of hacking and data breaches.

The index includes 52 percent of survey respondents indicating that they believe a cyber-attack is inevitable.

The other statistics in the report paint a grim picture. Here’s a quick overview:

55 percent of business owners say that they have not completed a cyber risk assessment

63 percent say that they have not yet completed a cyber risk assessment on vendors who have access to their data

62 percent indicate that they have not yet developed any kind of business continuity plan, which means they don’t even have the basic outline of the steps they’ll need to take in the face of a successful attack against their company

The number of survey participants saying they have been the victim of a cyber attack has doubled from 10 percent in 2015 to 20 percent in this year’s survey

Yet in spite of this staggering lack of preparation, fully half of all survey respondents say they have cyber insurance.

Tim Francis, the Enterprise Cyber-Lead at Travelers, had this to say about the report:

“Cyber risks carry serious consequences for any business, threatening everything from revenue to operations. These findings reveal some surprising things about how companies view their cyber exposure, their relative confidence in dealing with them and the clear opportunity that exists for them to be better prepared for a cyber-attack.”

It’s a thorny problem, for sure. Most small to medium sized business are strapped for cash and simply can’t dedicate the level of resources they’d like to toward data security.

The good news is that this most recent survey reveals a few simple, low-cost things you could do starting today that would dramatically improve your chances of dealing with a cyber-attack. Given that most people agree it’s inevitable and just a matter of time, that would be an excellent place to start.

Joseph Martin

October 4, 2018 by Joseph Martin

If you use the GovPayNet portal, be advised that your personal information is currently at risk. Although at this point, there’s no indication that any hacker has made use of it. The portal is run by Government Payment Service, and is used by many Americans to pay fines, fees and bills generated by more than two thousand different government agencies operating in 35 states.

Unfortunately, the way the website is configured, when it issues a receipt for a payment, it numbers those receipts sequentially. All a hacker would have to do would be to change the receipt number in the URL to see any previous receipts, and all of the information it contains.

When the flaw was discovered by journalist Brian Krebs, more than fourteen million old records were exposed in this manner. He contacted Government Payment Service to inform them of the flaw, and the agency moved quickly to address the issue. They said in a formal statement that they “did not adequately restrict access to only authorized recipients.”

They went on to assure their users that there’s no indication that any data had been improperly accessed. They added that the receipts generated don’t include any information that could be used by a hacker to initiate any type of financial transaction.

Unfortunately, the reality was a bit different. The receipts contain the names, addresses and phone numbers of the person paying the fee in question, along with the last four digits of whatever credit or debit card was used to make payment. That is more than enough information to enable a hacker to initiate a phishing attack to get the rest.

Nick Bilorgoskiy of Juniper Networks had this to say about the matter:

“Online payment providers…should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them. To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any unnecessary files from web-accessible directories.”

It’s good advice, and here’s hoping that Government Payment Service will take it. If you use the service, there’s nothing for you to do. You don’t need to change your password, since it was never exposed. Just be mindful that someone may have seen any data your receipts contain before the site was secured.

Joseph Martin

October 2, 2018 by Joseph Martin

A new piece of legislation is making its way through the halls of Congress that could standardize and streamline the data security and breach notification process for financial institutions. This is something that most people in the industry tout as an improvement over the current situation.

The Consumer Information Notification Requirement Act (H. R. 6743) legislation was approved by committee not long after Congress received a letter cosigned by members from the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association, the Independent Community Bankers of America and the National Association of federally-Insured Credit Unions.

The letter read, in part:

“Our existing payments system serves hundreds of millions of consumers, retailers, financial institutions and the economy well. Protecting this system is a shared responsibility of all parties involved and we must work together and invest the necessary resources to combat never-ending threats to the payment system.”

Despite so many influential organizations weighing in, many state regulators are skeptical of the proposed legislation and are actively pushing back against it over concerns that it would undermine state-level authority.

Whether you agree that those are valid concerns or not, the reality is both stark and terrifying. In the first half of 2018, ThreatMatrix recorded more than 81 million cybercrime attacks against financial institutions. 27 million of those targeted the mobile channel, given greater mobile banking adoption rates.

ThreatMatrix weighed in on the debate saying, “Financial services mobile transactions are growing globally, with China, South East Asia and India showing the strongest regional growth. Overall, the biggest threat in financial services comes from device spoofing, as fraudsters attempt to trick banks into thinking multiple fraudulent log-in attempts are coming from new customer devices, perhaps by repeatedly wiping cookies or using virtual machines.”

Clearly, something must be done, and while the politicians debate the issue, the attacks continue unabated.

Joseph Martin

September 28, 2018 by Joseph Martin

Users of Apple tech have a new reason to worry. A security researcher named Sabri Haddouche, who works for an instant messaging app called “Wire,” has published a proof of concept web page. It contains a fatal exploit that can crash and restart iPhones, iPads and any Mac.

Essentially then, the entire Apple ecosystem is vulnerable. Worse, the security flaw can be exploited using nothing more than CSS and HTML code. The flaw resides in Apple’s WebKit, which is its web rendering engine used by all apps and browsers running on Apple’s OS.

Haddouche tested the exploit using Chrome, Microsoft Edge, and the Safari web browser. He got the same result each time using both a MacBook Pro and an iPhone X. Apple users are advised to exercise extreme caution when visiting any web page until a patch can be issued.

The company is currently investigating the issue, and to this point has not given their legions of users a timeframe for a possible fix.

Sadly, this isn’t the first time a flaw like this has been discovered, and it’s unlikely to be the last. If there’s a silver lining, it is that Apple has historically been quick to patch flaws of this kind, and it should be noted that Linux and Windows systems are not affected.

It’s especially worrisome for small business owners, and until Apple gives us a time frame for a fix, your best bet is to steer clear of any websites but those that are business critical, and trusted sites that you know to be safe.

Although the exploit was specifically engineered to crash Apple devices, it’s easy enough to envision a nastier implementation which could critically damage the OS, rendering the device targeted by the attack completely inoperable. Stay vigilant, and stay tuned for a fix to what could be a devastating issue.

Joseph Martin

September 27, 2018 by Joseph Martin

Western Digital has a big problem, and if you use the company’s “My Cloud” network-attached storage (NAS) storage devices, you’ve got one too. The WD My Cloud service is enormously popular because it’s so convenient, allowing both business owners and individuals to store their files, perform periodic backups, and of course, access their data from anywhere in the world.

Recently, security researchers have discovered an authentication bypass vulnerability that could allow an attacker to gain admin-level control over the device. This means they’d be able to monitor all of the files sent to, opened, or deleted on it, make copies of, or even delete the files found there.

The vulnerability has been given the designation CVE-2018-17153 and is about as serious as it gets. Without going into the technical details, essentially, all a hacker would have to do to take complete control over the device is for the hacker to “tell” the device that he’s an Admin via an uploaded cookie file. The device will accept it with no password required.

When the researchers notified Western Digital of the security flaw, they also released a proof of concept detailing the attack, and disturbingly, it can be executed using just six lines of code.

There is one silver lining in that to make use of the exploit, the hacker would need either local access or an internet connection to a specific WD My Cloud device. But this is a relatively low bar that most any experienced hacker could clear without a trace.

Western Digital has responded quickly, and according to a recent blog post on the company’s website, promises to have a patch that will resolve the issue “within a few weeks.” They also stressed to their customers the importance of ensuring that the firmware on all their products is always up to date and recommended enabling auto updates.

It’s good advice that will simplify your life and ensure you never miss an update, although not always practical for SMBs.

Joseph Martin

Contact Info

Navigation