security

November 8, 2018 by Joseph Martin

Yahoo has the dubious honor of having been on the receiving end of the largest data breach in history. As a consequence, the company has recently agreed to pay $50 million in damages and provide free credit monitoring services to its impacted users.

The company actually suffered a pair of breaches in 2013 and in 2014, although this information was not disclosed by the company until 2016. All of the company’s 3 billion users were impacted, and more than 200 million of them saw losses arising from that breach.

The compromised data included: usernames, email addresses, dates of birth, security questions (and their answers) backup email addresses, and phone numbers exposed.

The particulars of the settlement are as follows:

Yahoo pays $50 million to users whose accounts were compromised

Yahoo pays $35 million in legal fees

People who paid for a $20 or $50 a year for a Yahoo Premium account will be eligible for a 25 percent refund

People who had their email accounts compromised will be compensated $25 per hour for the time they spent handling issues related to the breach. Although in this case, users with documentation will see their compensation limited to a maximum of fifteen hours, while users without documentation will be limited to a maximum of five hours of compensation

Any impacted user can request free credit monitoring, which the company will offer for two years

Verizon, which acquired Yahoo in 2017, will pay for half of the settlement cost. Meanwhile, Altaba (the company that arose from the remainder of the original Yahoo business) will pay the $35 million fine imposed by the US Securities and Exchange Commission for the company’s failure to disclose the breach to its investors.

It’s a landmark case, and once the deal gets final approval, notices will be emailed to affected account holders and published in People and National Geographic magazines.

Joseph Martin

President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.

November 7, 2018 by Joseph Martin

Security in the Android ecosystem is awful. There’s just no other word to describe it.

In large part, the blame for that can be placed at the feet of Google. Although they have succeeded in creating a wildly successful platform, their management of OEM devices (in particular, security updates for them) have been virtually nonexistent.

This has led to a situation where many device manufacturers don’t bother to push critical updates at all. It costs money to do so, and until now, there hasn’t been a downside for failing to. That, however, is about to change.

Recently, Google announced some big changes coming to their OEM agreements that would require Android device manufacturers to roll out security updates on a regular basis.

The company offered few details when the announcement was made, but since that time, an unverified copy of the new contract was leaked and obtained by The Verge. It sheds some additional light on what’s coming.

Specifically, the new agreement requires OEMs to regularly schedule updates for any device launched after January 31, 2018 if that device has been activated by more than 100,000 users. OEMs will be required to provide security updates for a minimum of two years.

In addition to that, they must make updates that address security vulnerabilities available to their customers no more than 90 days after the patch is released. Taken together these two pieces of information point to the fact that OEMs will be required to issue quarterly updates to their customers, at a minimum.

It’s a good move and one that’s long overdue. When this new agreement becomes official corporate policy, it will have an almost immediate, profound impact on security in the Android ecosystem. While it’s far from a perfect solution, it represents a very good beginning.

Joseph Martin

November 7, 2018 by Joseph Martin

As far as hackers are concerned, no target is safe. Not even the Girl Scouts.

Recently, one of the Girl Scouts’ official email accounts was accessed by an “unauthorized third party” and as a result, as many as 2,800 girl scouts in Orange County, California may have had their personal information compromised.

Gaining access to the account naturally gave the hacker access to every email sent from that account that had not already been deleted. When the breach was discovered, the Girl Scouts sent an email to every potentially impacted individual.

The email reads, in part, as follows:

“Some of the emails stored in this account, which included emails with dates as far back as 2014 through October 1, 2018, contained information about our members. Out of an abundance of caution, we are notifying everyone whose information was in this email account.”

Based on the information the account contained, compromised data varied widely from one person to the next. However, the data included details like email address, home address, health history information, insurance policy numbers and driver’s license details. In short, that’s more than enough information to steal an identity.

While this breach is not noteworthy for its scope and scale, it has been attracting a great deal of attention because it targeted children and young adults. Identity data belonging to this demographic is extremely attractive to hackers because it can often be monetized for months, if not years before red flags are raised.

Last year, more than a million children in the US were impacted by identity fraud. What’s worse, according to a report published by Javelin Strategy and Research, 60 percent of child identity fraud victims know the fraudster, compared with just 7 percent of adult victims.

The investigation is still ongoing, but if you live in Orange County, California, and have a child in the Girl Scouts, be on high alert.

Joseph Martin

November 6, 2018 by Joseph Martin

Do you use Tumblr? If so, be aware that your personal information may have been exposed.

Tumblr recently added a feature called “Recommended Blogs” that presents you with a list of blogs you might enjoy based on your past viewing habits. It’s a great idea in theory, but unfortunately, there were problems with the way the feature was implemented.

Any blog on the recommended list was placed there in such a way that it left the blog owner’s personal information exposed, including:

IP Address

Self-Reported location

Email Address

Password

Tumblr had this to say in an open letter published on their site:

“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s’ simply the right thing to do.

We found no evidence that this bug was abused and there is nothing to suggest that unprotected account information was accessed.”

Even if you’ve never seen your Tumblr blog on the recommended list, your best bet is to change your password immediately. As usual, if you use the same password for Tumblr that you use on any other web property, change that password too.

Now would be a great time to break yourself of the habit of using the same password across multiple websites. Continuing that practice makes you a ticking bomb. Sooner or later, it’s going to explode on you, with tragic consequences that could take years to fully recover from.

We applaud Tumblr’s handling of this issue. At a time with other social media platforms are under fire for their handling of security flaws, Tumblr’s transparency is refreshing indeed.

Joseph Martin

November 6, 2018 by Joseph Martin

McAfee has long been a popular target of scammers, but recently, they’ve changed the nature of their game.

In years past, they’d display a webpage informing you that any McAfee products on your computer are out of date and provide a link to the company’s virtual storefront where you could renew.

Unbeknownst to the people clicking on those links, they were being redirected by an affiliate link, so any purchases made would generate a commission for the site owners.

It was an unscrupulous, underhanded tactic, but not an especially malicious one. Now though, they’re doing something a bit different and darker.

The same page pops up as before, notifying users that their products are out of date. This time, when a user clicks to renew their products, instead of being sent to the McAfee website, they’re simply presented with a capture box that asks for their credit card and personal information.

Assuming you enter that information in, it gets worse.

After “paying” for your purchase, you’re redirected to another webpage with a technical support phone number. The idea is, you call this number and the technician on the other end of the line will help you install your new software.

When you get someone on the phone, the “tech support representative” will ask to remotely connect to your computer.

Once they have access, they’ll tell you that your credit card information didn’t go through, and that you need to purchase the software again. They’d then helpfully open a browser and guide you to the McAfee website, via an affiliate link.

It’s a triple play. Not only are they earning a nice commission when you purchase the software via their affiliate link, but they also manage to get your credit card and personal information. That information will no doubt be put to use not long after you hang up the phone, and on top of that, they’ve got access to your device.

As ever, the best defense against scams like these is vigilance.

Joseph Martin

November 1, 2018 by Joseph Martin

If you take a lot of photos with your Android device, you’re probably constantly on the lookout for a better way to organize them and access them. That’s exactly what the authors of the malicious app called “The Album, by Google Photos” are hoping for.

The app put in a brief appearance on the Microsoft store, where it claimed to be from Google but it’s clearly not. Unfortunately, the authors have gone to great lengths to make it appear legitimate, and as such, it has been downloaded and installed an alarming number of times.

When this app is installed and run for the first time, users are presented with a (legitimate) Google sign in page. It is not known whether the authors of the app siphon user login credentials from this page, but it’s certainly possible. So if you have installed the app but haven’t run it yet, don’t log in.

Once you’re logged in, the app will connect to a malicious URL and download a configuration file. Using the information contained in the config file, it will begin running in the background, displaying ads invisibly and then clicking on them, earning revenue for the app’s creators and slowing your Android device to a crawl in the process.

Note that the authors were careful, but only to a point. Although the ads themselves are invisible, if those ads have an audio component, the user will hear the sounds associated with the ad, although of course, they won’t have any clear indication of where the sounds are coming from. This is, in fact, how researchers became aware of the malicious nature of the app.

If you’ve downloaded this app, please uninstall it immediately. Doing so will improve your device’s performance and stop those sounds that have no apparent source from troubling you further.

Joseph Martin

October 31, 2018 by Joseph Martin

Anthem is one of the largest insurance providers in the United States. Unfortunately in 2015, they had the dubious honor of suffering the largest health data breach in history. It left protected health information of nearly 79 million of their customers exposed.

As a result, a division of the US Department of Health and Human Services called the Office for Civil Rights (OCR), levied the largest fine against the company in the agency’s history. They were fined a staggering sixteen million dollars.

An investigation into the matter revealed that Anthem had not put sufficient safeguards in place to protect patient data. As a result, hackers were able to breach the system via a phishing attack and make off with customer names, addresses, dates of birth, social security numbers, email addresses and employment information.

The Director of OCR, Roger Serverino, had this to say:

“The largest health data breach in US history fully merits the largest HIPAA settlement in history. Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Tim Sadler, the CEO of Tessian, added the following:

“During the three years since the Anthem breach took place, spear-phishing attacks have increased significantly in their indistinguishability and effectiveness. Yet human error has remained inherent, inevitable, and largely ignored as a security vulnerability by organizations.”

He concluded his remarks by pointing out that advanced AI algorithms and machine learning could be employed to help spot the kinds of attacks used to such great effect against Anthem, in order to minimize the risks going forward.

If your business is in any way connected to the healthcare industry, this approach certainly bears further investigation.

Joseph Martin

October 27, 2018 by Joseph Martin

You probably haven’t heard of the Centers for Medicare and Medicaid Systems.

They’re a low-profile division of the Department of Health and Human Services responsible for administering the Affordable Care Act.

Recently, the company announced that they detected anomalous activity in the systems related to the healthcare.gov website that brokers and insurance agents use to assist people who apply for healthcare coverage.

The abnormal activity was detected in the Federally Facilitated Exchange system, and the direct enrollment pathway in particular. This is connected to (but separate from) the healthcare.gov website itself.

A statement issued by the Centers for Medicare and Medicaid Systems said:

“At this time, we believe that approximately 75,000 individuals’ files were accessed. While this is a small fraction of the consumer records present on the FFE, any breach of our system is unacceptable… We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information.”

CMS made it clear that their investigation into the matter was still in its earliest stages.

They did offer the following additional information:

“Upon verification of the breach, CMS took immediate steps to secure the system and consumer information, further investigate the incident, and subsequently notify federal law enforcement. We are actively engaged in and committed to helping those potentially impacted as well as ensuring the protection of consumer information.”

Additionally, CMS stated that they identified the broker accounts that were associated with the anomalous activity and deactivated them out of an abundance of caution.

At some point in the near future, we can expect that CMS will be contacting those whose data was compromised and providing them with a series of next steps. The agency is already moving to bolster their security measures and promises that they’ll have them in place before the end of October 2018.

If you’ve used the healthcare.gov portal and required the assistance of a broker or insurance agent to get coverage for yourself and your family, there is a small chance your data may have been compromised. However, at this point, there’s no way to be certain. Be on the lookout for a communication from CMS in the near future, however, just in case.

Joseph Martin

October 25, 2018 by Joseph Martin

Google is taking additional steps to bolster user privacy and better secure the data of the company’s legions of Android device owners. The company recently announced a change to the Android Backup Service that will encrypt all user backup data stored on its cloud servers, such that even Google itself can’t read it.

Google has long allowed Android users to back up their app data and phone settings to their Google account so when they upgrade their phones, the process of getting the new device set up is quick and painless. However, until this recent change, none of the backup data stored was encrypted.

Beginning with Android Pie, the new encryption paradigm will work as follows:

Your Android device will generate a random security key that is unknown and invisible to Google

The key will be encrypted using your passcode, pattern, or lock screen PIN

Once encrypted, the key will be sent (securely) to a Titan security chip on Google’s servers

As Google explained in a recent blog post: “The Titan chip is configured to only release the backup decryption key when presented with a correct claim derived from the user’s passcode.”

All that sounds good in theory, but what about brute force hacking attempts? The company has an answer for that as well.

Here’s what they had to say about that topic:

“The limited number of incorrect attempts is strictly enforced by a custom Titan firmware that cannot be updated without erasing the contents of the chip…by design, this means that no one (including Google) can access a user’s backed-up application data without specifically knowing their passcode.”

The company has not specified which Android smartphones will be able to take advantage of the additional layer of security. All we know at this point is that the device must be running the latest OS (Android 9 – Pie). We expect to get a comprehensive device list from Google in the near future.

Joseph Martin

October 24, 2018 by Joseph Martin

Gamers take the games they play seriously. So seriously, in fact, that they’re not above resorting to dirty tricks to score a win.

Recently, social media has been abuzz with reports of a messaging app bug on Sony’s PlayStation devices. Specifically, there’s a bug in both the Android and iOS messaging apps that allow malicious gamers to send a poisoned character via group chat that will brick your gaming console.

If you’re in the middle of a tense death match, you lose by default, because you’re booted from the system entirely.

Here’s an example of what we’re seeing on Reddit:

“There is a new glitch that basically bricks your console and forces you to factory reset it. Even deleting the message from the mobile app doesn’t work. It happened to me during Rainbow Six: Siege. A player from the other team used a dummy account to send the message and crashed my entire team. We all have had to factory reset. Only one of our guys wasn’t affected, and he has his messages private.”

This note holds the key to the workaround until Sony makes some type of official response. If you haven’t yet had the dubious honor of being the recipient of this poisoned message, set your messages to private immediately.

Here’s how you do that:

Go to “Settings” and select “Account Management, Privacy Settings”

Enter your password

Select “Messages” and change it to either “Friends Only” or “No One,” then exit out of the subsystem. You’re all set from there.

If you’d rather change your message settings from your PC and a web browser, you can do that too, though the process is a bit different.

Here’s how:

From your PC, surf your way to the PSN Privacy Settings Management Page

Select “Personal Information/Messages”

Select “Edit,” then change the setting to either “Friends Only” or “No One.” Save and exit.

Joseph Martin

Contact Info

Navigation