
Security News

US Coast Guard Warns Again: Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels

For the second time this year, the US Coast Guard has issued a warning about cybersecurity practices aboard commercial sea vessels. Full US Coast Guard alert here.

To those of us in cyber security, the recommendations are fairly standard, but for the maritime industry they seem new.

In order to improve the resilience of vessels and facilities, and to protect the safety of the waterways in
which they operate, the U.S. Coast Guard strongly recommends that vessel and facility owners,
operators and other responsible parties take the following basic measures to improve their
cybersecurity:

  • Segment Networks. “Flat” networks allow an adversary to easily maneuver to any system
    connected to that network. Segment your networks into “subnetworks” to make it harder for an
    adversary to gain access to essential systems and equipment.
  • Per-user Profiles & Passwords. Eliminate the use of generic log-in credentials for multiple
    personnel. Create network profiles for each employee. Require employees to enter a password
    and/or insert an ID card to log on to onboard equipment. Limit access/privileges to only those
    levels necessary to allow each user to do his or her job. Administrator accounts should be used
    sparingly and only when necessary.
  • Be Wary of External Media. This incident revealed that it is common practice for cargo data to
    be transferred at the pier, via USB drive. Those USB drives were routinely plugged directly into
    the ship’s computers without prior scanning for malware. It is critical that any external media is
    scanned for malware on a standalone system before being plugged into any shipboard network.
    Never run executable media from an untrusted source.
  • Install Basic Antivirus Software. Basic cyber hygiene can stop incidents before they impact
    operations. Install and routinely update basic antivirus software.
  • Don’t Forget to Patch. Patching is no small task, but it is the core of cyber hygiene.
    Vulnerabilities impacting operating systems and applications are constantly changing – patching
    is critical to effective cybersecurity.

Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational
imperative in the 21st century maritime environment. The Coast Guard therefore strongly encourages
all vessel and facility owners and operators to conduct cybersecurity assessments to better understand
the extent of their cyber vulnerabilities.

We recommend using a full UTM firewall on all commercial vessels that have internet connectivity. In addition, every individually connected endpoint device needs to have active anti-malware software installed and running. L4 Networks can help! Please contact us.
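The Coast Guard asks operators to "conduct cybersecurity assessments". As an added illustration, not part of the alert or of L4 Networks' tooling, here is a small self-assessment script that turns the alert's five basic measures into automated checks over a ship's inventory. Every host, subnet, account, policy entry and date in it is constructed, and the 90-day patch window is an assumed policy value.

```python
"""Toy vessel cybersecurity self-assessment.

Added example, not part of the Coast Guard alert: it turns the alert's basic
measures into automated checks over a small inventory so an assessment can list
concrete findings. Every host, subnet, account and date below is constructed.
"""
import ipaddress
from datetime import date

TODAY = date(2019, 6, 10)          # constructed assessment date
MAX_PATCH_AGE_DAYS = 90            # assumed policy window

# Constructed inventory: "essential" marks bridge/engine systems the alert says
# must be hard to reach from the rest of the network.
HOSTS = [
    {"name": "ecdis-1",      "ip": "10.0.0.10/24", "essential": True,  "last_patched": date(2019, 6, 1)},
    {"name": "engine-mon",   "ip": "10.0.0.11/24", "essential": True,  "last_patched": date(2018, 1, 15)},
    {"name": "crew-wifi-ap", "ip": "10.0.0.50/24", "essential": False, "last_patched": date(2019, 5, 20)},
    {"name": "cargo-pc",     "ip": "10.0.1.20/24", "essential": False, "last_patched": date(2019, 5, 30)},
]

# Constructed account list: which crew members log in with each account.
ACCOUNTS = {
    "admin": ["mate-1", "mate-2", "chief-eng"],   # generic login shared by three people
    "mate1": ["mate-1"],
    "chief": ["chief-eng"],
}

# Constructed media-handling policy for hosts that receive pier USB drives.
USB_POLICY = {"cargo-pc": {"scans_media_on_standalone_host": False}}


def check_segmentation(hosts):
    """Flag subnets where essential systems sit next to non-essential ones.

    That is the 'flat network' the alert warns about: a foothold on the crew
    Wi-Fi or a pier laptop is one hop from bridge and engine systems."""
    by_net = {}
    for h in hosts:
        by_net.setdefault(ipaddress.ip_interface(h["ip"]).network, []).append(h)
    findings = []
    for net, members in by_net.items():
        essential = [h["name"] for h in members if h["essential"]]
        other = [h["name"] for h in members if not h["essential"]]
        if essential and other:
            findings.append(f"segmentation: {net} mixes essential {essential} with {other}")
    return findings


def check_shared_accounts(accounts):
    """Flag any login used by more than one person (no per-user profile)."""
    return [f"shared-account: '{name}' used by {len(users)} people"
            for name, users in accounts.items() if len(users) > 1]


def check_patch_age(hosts, today=TODAY, max_age=MAX_PATCH_AGE_DAYS):
    """Flag hosts whose last patch is older than the policy window."""
    return [f"patching: {h['name']} last patched {(today - h['last_patched']).days} days ago"
            for h in hosts if (today - h["last_patched"]).days > max_age]


def check_external_media(policy):
    """Flag hosts that accept USB media without a scan on a standalone system."""
    return [f"external-media: {name} accepts unscanned USB media"
            for name, p in policy.items() if not p["scans_media_on_standalone_host"]]


def assess(hosts=HOSTS, accounts=ACCOUNTS, policy=USB_POLICY, today=TODAY):
    """Run every check and return the combined list of findings."""
    return (check_segmentation(hosts) + check_shared_accounts(accounts)
            + check_patch_age(hosts, today) + check_external_media(policy))


if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

Run as-is it lists four findings: the bridge and engine hosts share a /24 with the crew Wi-Fi, the generic `admin` login is used by three people, the engine monitor has gone 511 days without a patch, and the cargo PC takes pier USB drives without a standalone scan. Feeding it a real inventory export is the only change needed to use it on a vessel.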

LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

Sadly, I am not surprised. As I have said countless times, until there are teeth in breach laws, no one in corporate America, or government for that matter, will spend enough money to seriously increase cyber security. With a breach of this size, LabCorp, Quest, etc. should be wound down and their C-suite executives held legally responsible.

QUOTE

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Just a few days ago, the news was all about how Quest had suffered a major breach. But today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it first heard from the AMCA about the breach on May 14, but that it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to answer any questions about whether the breach of its payments page impacted anyone who entered payment data into the company’s site during the breach. But through an outside PR firm, it issued the following statement:

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

The statement continues:

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Firefox Bug – Patch now

Quote

Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack.

The Firefox 67.0.3 and ESR 60.7.1 builds include a patch for CVE-2019-11707. The vulnerability is a type confusion bug in the way Firefox handles JavaScript objects in Array.pop. By manipulating the object in the array, malicious JavaScript on a webpage could get the ability to remotely execute code without any user interaction.

This is a bad thing.

What’s worse, Mozilla says it has already received reports that the flaw is being actively exploited in the wild by miscreants, making it critical for users to install the latest patched versions of the browser.

Fortunately, because Mozilla automatically updates Firefox with new patches and bug fixes, Linux, Mac, and Windows PC users can install the patch with a simple browser restart.

Credit for the discovery and disclosure of the bug was given to Samuel Groß of Project Zero.
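The article names the fixed builds (Firefox 67.0.3 and ESR 60.7.1). As an added example, not Mozilla's code, the following checker classifies version strings collected from a fleet as patched or not for CVE-2019-11707. It also handles the one caveat a practitioner hits immediately: a User-Agent header carries only `Firefox/67.0`, so a two-component version on the fixed line cannot be classified and is reported as "unknown" rather than guessed.

```python
"""Tell whether a reported Firefox version already contains the fix for
CVE-2019-11707.

Added example, not Mozilla's code. The fixed builds named in the article are
Firefox 67.0.3 and Firefox ESR 60.7.1. A version on the same major.minor line
below the fixed build is unpatched, earlier lines are unpatched, later lines
are patched, and a version with no third component (e.g. "67.0", which is
all a User-Agent header carries) is "unknown", since 67.0 and 67.0.3 look
identical there.
"""
import re

FIXED = {"release": (67, 0, 3), "esr": (60, 7, 1)}
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?$", re.IGNORECASE)


def parse_version(text):
    """'67.0.3' -> ((67, 0, 3), False); '60.7.1esr' -> ((60, 7, 1), True).
    The patch component is None when the string does not carry one."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) is not None else None
    return (major, minor, patch), m.group(4) is not None


def patch_status(text):
    """Return 'patched', 'unpatched' or 'unknown' for CVE-2019-11707."""
    (major, minor, patch), is_esr = parse_version(text)
    fixed = FIXED["esr" if is_esr else "release"]
    if (major, minor) > fixed[:2]:
        return "patched"
    if (major, minor) < fixed[:2]:
        return "unpatched"
    if patch is None:
        return "unknown"            # same line as the fix; need the full build number
    return "patched" if patch >= fixed[2] else "unpatched"


def triage(versions):
    """Group a fleet's reported versions by status for a patch report."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for v in versions:
        report[patch_status(v)].append(v)
    return report
```

The "unknown" bucket is the useful one: those machines need the full build number from an inventory agent or `about:support` before they can be signed off, and a report that silently counts them as patched would hide exactly the hosts still exposed.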

iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2

QUOTE

Your iPhone can be uniquely fingerprinted by apps and websites in a way that you can never clear. Not by deleting cookies, not by clearing your cache, not even by reinstalling iOS.

Cambridge University researchers will present a paper to the IEEE Symposium on Security and Privacy 2019 today explaining how their fingerprinting technique uses a fiendishly clever method of inferring device-unique accelerometer calibration data.

“iOS has historically provided access to the accelerometer, gyroscope and the magnetometer,” Dr Alastair Beresford told The Register this morning. “These types of devices don’t seem like they’re troublesome from a privacy perspective, right? Which way up the phone is doesn’t seem that bad.

“In reality,” added the researcher, “it turns out that you can work out a globally unique identifier for the device by looking at these streams.”

Your orientation reveals an awful lot about you

“MEMS” – microelectromechanical systems – is the catchall term for things like your phone’s accelerometer, gyroscope and magnetometer. These sensors tell your handset which way up it is, whether it’s turning and, if so, how fast, and how strong a nearby magnetic field is. They are vital for mobile games that rely on the user tilting or turning the handset.

These, said Beresford, are mass produced. Like all mass-produced items, especially sensors, they have the normal distribution of inherent but minuscule errors and flaws, so high-quality manufacturers (like Apple) ensure each one is calibrated.

“That calibration step allows the device to produce a more accurate parameter,” explained Beresford. “But it turns out the values being put into the device are very likely to be globally unique.”

Beresford and co-researchers Jiexin Zhang, also from Cambridge’s Department of Computer Science and Technology, and Ian Sheret of Polymath Insight Ltd, devised a way of not only accessing data from MEMS sensors – that wasn’t the hard part – but of inferring the calibration data based on what the sensors were broadcasting in real time, during actual use by a real-world user. Even better (or worse, depending on your point of view), the data can be captured and reverse-engineered through any old website or app.

“It doesn’t require any specific confirmation from a user,” said Beresford. “This fingerprint never changes, even if you factory reset the handset or reinstall the OS. This is buried deep inside the firmware of the device so the fingerprint data doesn’t change. This provides a way to track users around the web.”

How they did it

“You need to record some samples,” said Beresford. “There’s an API in JavaScript or inside Swift that allows you to get samples from the hardware. Because you get many samples per second, we need around 100 samples to get the attack. Around half a second on many of the devices. So it’s quite quick to collect the data.”

Each device generates a stream of analogue data. By converting that into digital values and applying algorithms they developed in the lab using stationary or slow-moving devices, Beresford said, the researchers could then infer what a real-world user device was doing at a given time (say, being bounced around in a bag) and apply a known offset.

“We can guess what the input is going to be given the output that we observe,” he said. “If we guess correctly, we can then use that guess to estimate what the value of the scale factor and the orthogonality are.”

From there it is a small step to bake those algorithms into a website or an app. Although the actual technique does not necessarily have to be malicious in practice (for example, a bank might use it to uniquely fingerprint your phone as an anti-fraud measure), it does raise a number of questions.

Good news, fandroids: you’re not affected

Oddly enough, the attack doesn’t work on most Android devices because they’re cheaper than Apple’s, in all senses of the word, and generally aren’t calibrated, though the researchers did find that some Google Pixel handsets did feature calibrated MEMS.

Beresford joked: “There’s a certain sense of irony that because Apple has put more effort in to provide more accuracy, it has this unfortunate side effect!”

Apple has patched the flaws in iOS 12.2 by blocking “access to these sensors in Mobile Safari just by default” as well as adding “some noise to make the attack much more difficult”.

The researchers have set up a website which includes both the full research paper and their layman’s explanation, along with a proof-of-concept video.

Get patching, Apple fanbois
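Beresford's explanation covers two things: why a factory calibration value leaks through an ordinary sensor stream, and why Apple's mitigation of adding noise works. The toy model below, an added example that is not the Cambridge team's code or algorithm, illustrates both on one axis with a single calibration parameter (a gain); the real paper deals with three axes, offsets and non-orthogonality, and with moving devices. The resting ADC count, the seeds and the two example gains are constructed.

```python
"""Toy model of why factory calibration makes a sensor stream identifying,
and what adding noise does to that signal.

Added example, not the Cambridge researchers' code or their algorithm. One
axis only, with gain as the sole calibration parameter; real devices add
offsets and non-orthogonality across three axes. Model: the ADC produces an
integer count r and the firmware reports gain * r, so every reported value
lies on a lattice with spacing equal to the per-device gain. The resting
count, seeds and gains used below are constructed.
"""
import random


def sensor_samples(gain, n=100, noise=0.0, seed=1):
    """Simulate n calibrated readings from a near-stationary device.

    The raw count jitters by a few ADC steps around a constructed resting
    value; `noise` is the half-width of uniform noise added to each reported
    value (0.0 models a device without the mitigation)."""
    rng = random.Random(seed)
    readings = []
    for _ in range(n):
        raw = 1000 + rng.randint(-3, 3)
        readings.append(gain * raw + rng.uniform(-noise, noise))
    return readings


def estimate_gain(samples):
    """Smallest gap between distinct reported values.

    On a clean lattice adjacent counts differ by exactly one step, so the
    smallest gap is the gain itself; once noise fills the gaps the value is
    just the distance between two nearest random points and says nothing
    about the device."""
    values = sorted(set(samples))
    return min(b - a for a, b in zip(values, values[1:]))


def devices_distinguishable(gain_a, gain_b, noise=0.0, tol=1e-6):
    """True if the recovered value matches each device's own gain closely
    enough to tell the two handsets apart."""
    est_a = estimate_gain(sensor_samples(gain_a, noise=noise, seed=1))
    est_b = estimate_gain(sensor_samples(gain_b, noise=noise, seed=2))
    return abs(est_a - gain_a) < tol and abs(est_b - gain_b) < tol
```

With `noise=0.0` the estimator recovers each device's gain to floating-point precision from 100 samples, which is the "around half a second" of data the article mentions; with noise of about one lattice step the recovered value is just the spacing between two nearby random points and no longer identifies anything. The estimator here is deliberately naive; the point of the mitigation is that there is no longer an exact lattice for any estimator to lock onto, and that the amount of noise has to be large relative to the sensor's resolution for that to hold.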

Boeing 737 Max Simulators Are in High Demand. They Are Flawed.

QUOTE

Since the two fatal crashes of the Boeing 737 Max, airlines around the world have moved to buy flight simulators to train their pilots.

They don’t always work.

Boeing recently discovered that the simulators could not accurately replicate the difficult conditions created by a malfunctioning anti-stall system, which played a role in both disasters. The simulators did not reflect the immense force that it would take for pilots to regain control of the aircraft once the system activated on a plane traveling at a high speed.

The mistake is likely to intensify concerns about Boeing, as it tries to regain credibility following the crashes of Lion Air and Ethiopian Airlines flights. In the months since the disasters, Boeing has faced criticism for serious oversights in the Max’s design. The anti-stall system was designed with a single point of failure. A warning light that Boeing thought was standard turned out to be part of a premium add-on.

“Every day, there is new news about something not being disclosed or something was done in error or was not complete,” said Dennis Tajer, a spokesman for the American Airlines pilots union and a 737 pilot.

The training procedures have been a source of contention. Boeing has maintained that simulator training is not necessary for the 737 Max and regulators do not require it, but many airlines bought the multimillion-dollar machines to give their pilots more practice. Some pilots want continuing simulator training.

The flight simulators, on-the-ground versions of cockpits that mimic the flying experience, are not made by Boeing. But Boeing provides the underlying information on which they are designed and built.

“Boeing has made corrections to the 737 Max simulator software and has provided additional information to device operators to ensure that the simulator experience is representative across different flight conditions,” said Gordon Johndroe, a Boeing spokesman. “Boeing is working closely with the device manufacturers and regulators on these changes and improvements, and to ensure that customer training is not disrupted.”

In recent weeks, Boeing has been developing a fix to the system, known as MCAS. As part of that work, the company tried to test on a simulator how the updated system would perform, including by replicating the problems with the doomed Ethiopian Airlines flight.

It recreated the actions of the pilots on that flight, including taking manual control of the plane as outlined by Boeing’s recommended procedures. When MCAS activates erroneously, pilots are supposed to turn off the electricity to a motor that allows the system to push the plane toward the ground. Then, pilots need to crank a wheel to right the plane. They have limited time to act.

On the Ethiopian flight, the pilots struggled to turn the wheel while the plane was moving at a high speed, when there is immense pressure on the tail. The simulators did not properly match those conditions, and Boeing pilots found that the wheel was far easier to turn than it should have been.

Regulators are now trying to determine what training will be required.

When the Max was introduced, Boeing believed that pilots did not need experience on the flight simulators, and the Federal Aviation Administration agreed. Many pilots learned about the plane on iPads. And they were not informed about the anti-stall system.

The limited training was a selling point of the plane. It can cost airlines tens of millions of dollars to maintain and operate flight simulators over the life of an aircraft.

After the first crash, Boeing gave airlines and pilots a full rundown of MCAS. But the company and regulators said that additional training was not necessary. Simply knowing about the system would be sufficient.

In a tense meeting with the American Airlines pilots union after the crash, a Boeing vice president, Mike Sinnett, said he was confident that pilots were equipped to deal with problems, according to an audio recording review by The New York Times. A top Boeing test pilot, Craig Bomben, agreed, saying, “I don’t know that understanding the system would have changed the outcome of this.”

Since the Ethiopian Airlines disaster in March, lawmakers and regulators are taking a closer look at the training procedures for the 737 Max, and whether they should be more robust. At a congressional hearing this week, the acting head of the F.A.A., Daniel Elwell, testified that MCAS should “have been more adequately explained.”

Boeing said on Thursday that it had completed its fix to the 737 Max. Along with changes to the anti-stall system, the fix will include additional education for pilots.

The company still has to submit the changes to regulators, who will need to approve them before the plane can start flying again. The updates are not expected to include training on simulators, but the F.A.A. and other global regulators could push to require it.

“The F.A.A. is aware that Boeing Company is working with the manufacturers of Boeing 737 Max flight simulators,” a spokesman for the agency said in an emailed statement. “The F.A.A. will review any proposed adjustments as part of its ongoing oversight of the company’s efforts to address safety concerns.”

Airlines have already been pushing to get more simulators and develop their own training.

Pilots at American Airlines, which began asking for simulators when they started flying the planes, ratcheted up their requests after the Lion Air crash. Regardless of what the F.A.A. requires, the union believes pilots should get the experience. A spokesman for the airline said it had ordered a simulator that would be up and running by December.

“We value simulators in this situation,” said Mr. Tajer. “It’s not a condition of the Max flying again, but it is something we want.”

Bug-hunter reveals another ‘make me admin’ Windows 10 zero-day – and vows: ‘There’s more where that came from’

Quote

Vulnerability can be exploited to turn users into system stars, no patch available yet

A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft’s latest operating systems.

The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain full control of the machine. No patch exists for this bug, details and exploit code for which were shared online on Tuesday for anyone to use and abuse.

The flaw was uncovered, and revealed on Microsoft-owned GitHub, funnily enough, by a pseudonymous netizen going by the handle SandboxEscaper. She has previously dropped Windows zero-days that can be exploited to delete or tamper with operating system components, elevate local privileges, and so on.

This latest one works by abusing Windows’ schtasks tool, designed to run programs at scheduled times, along with quirks in the operating system.

Meanwhile… If you haven’t yet patched the wormable RDP security flaw in Windows (CVE-2019-0708), please do so ASAP – exploit code that can crash vulnerable systems is doing the rounds, and McAfee eggheads have developed and described a proof-of-concept attack that executes arbitrary software on remote machines, with no authentication required. Eek.

It appears the exploit code imports a legacy job file into the Windows Task Scheduler using schtasks, creating a new task, and then deletes that new task’s file from the Windows folder. Next, it creates a hard filesystem link pointing from where the new task’s file was created to pci.sys, one of Windows’ kernel-level driver files, and then runs the same schtasks command again. This clobbers pci.sys’s access permissions so that it can be modified and overwritten by the user, thus opening the door to privileged code execution.

The exploit, as implemented, needs to know a valid username and password combo on the machine to proceed, it seems. It can be tweaked and rebuilt from its source code to target other system files, other than pci.sys. …….
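Until a patch exists, the defensive question is what the technique looks like in logs. The description above ends with the permissions of a driver file under `System32\drivers` being changed so an ordinary user can write it, and that effect is observable without any knowledge of the exploit's internals. The correlation below is an added example (not SandboxEscaper's code and not Microsoft guidance): it pairs a protected-file ACL change with a recent `schtasks.exe` launch by a non-service account. It assumes events have been normalised into dicts with the field names shown; on a real host those would come from Sysmon event 1 (process creation) and Security event 4670 (permissions on an object were changed). All sample events, the user name, the `example.sys` file and the 60-second window are constructed.

```python
"""Detection sketch for the effect the article describes: the DACL of a driver
file under System32\\drivers changing shortly after an unprivileged user has
run schtasks.exe.

Added example, not SandboxEscaper's code and not Microsoft guidance. It
assumes events have already been normalised into dicts with the field names
used below; every event in EVENTS is constructed. On a real host the two
sources would be Sysmon event 1 (process creation) and Security event 4670
(permissions on an object were changed), collected by a log agent.
"""
from datetime import datetime, timedelta

PROTECTED_PREFIXES = ("c:\\windows\\system32\\drivers\\",)
PRIVILEGED_USERS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
WINDOW = timedelta(seconds=60)   # assumed correlation window

EVENTS = [  # constructed sample stream
    {"ts": "2019-05-21T10:00:01", "type": "process_create",
     "user": "WORKSTATION\\alice", "image": "C:\\Windows\\System32\\schtasks.exe"},
    {"ts": "2019-05-21T10:00:03", "type": "process_create",
     "user": "WORKSTATION\\alice", "image": "C:\\Windows\\System32\\schtasks.exe"},
    {"ts": "2019-05-21T10:00:04", "type": "permissions_changed",
     "user": "NT AUTHORITY\\SYSTEM", "object": "C:\\Windows\\System32\\drivers\\pci.sys"},
    # benign: a driver ACL touched by an installer with no schtasks run nearby
    {"ts": "2019-05-21T11:30:00", "type": "permissions_changed",
     "user": "NT AUTHORITY\\SYSTEM", "object": "C:\\Windows\\System32\\drivers\\example.sys"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def is_protected(path):
    """Is the object a kernel driver file? Case-insensitive prefix match."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def find_suspicious_acl_changes(events, window=WINDOW):
    """Return one alert per protected-file ACL change that follows, within
    `window`, a schtasks.exe launch by a user who is not a service account.

    The ACL change is assumed to be logged under the Task Scheduler service's
    own SYSTEM identity rather than the user's, so the two events cannot be
    joined on user; the join is on time only."""
    ordered = sorted(events, key=_when)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "permissions_changed" or not is_protected(ev["object"]):
            continue
        t = _when(ev)
        runs = [p for p in ordered[:i]
                if p["type"] == "process_create"
                and p["image"].lower().endswith("\\schtasks.exe")
                and p["user"].lower() not in PRIVILEGED_USERS
                and t - _when(p) <= window]
        if runs:
            alerts.append({"object": ev["object"], "at": ev["ts"],
                           "suspect_user": runs[-1]["user"], "schtasks_runs": len(runs)})
    return alerts
```

On the constructed stream this raises one alert (for `pci.sys`, attributed to `alice`, with two `schtasks.exe` launches in the preceding minute) and stays silent on the later installer-style change. `schtasks.exe` itself is common in normal use, so the signal is the pairing, not the process launch; the window and the protected path list are the two knobs to tune, and a change to any driver's ACL by a non-installer process is worth a ticket on its own.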

Google Spies! The worst kind of microphone is a hidden microphone.

Google says the built-in microphone it never told Nest users about was ‘never supposed to be a secret’

Yeah right.

Quote

  • In early February, Google announced that Assistant would work with its home security and alarm system, Nest Secure.
  • The problem: Users didn’t know a microphone existed on their Nest security devices to begin with.
  • On Tuesday, a Google representative told Business Insider the company had made an “error.”
  • “The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the person said. “That was an error on our part.”

In early February, Google announced that its home security and alarm system Nest Secure would be getting an update. Users, the company said, could now enable its virtual-assistant technology, Google Assistant.

The problem: Nest users didn’t know a microphone existed on their security device to begin with.

The existence of a microphone on the Nest Guard, which is the alarm, keypad, and motion-sensor component in the Nest Secure offering, was never disclosed in any of the product material for the device.

On Tuesday, a Google spokesperson told Business Insider the company had made an “error.”

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the spokesperson said. “That was an error on our part.”

Google says “the microphone has never been on and is only activated when users specifically enable the option.”

It also said the microphone was originally included in the Nest Guard for the possibility of adding new security features down the line, like the ability to detect broken glass.

Still, even if Google included the microphone in its Nest Guard device for future updates — like its Assistant integration — the news comes as consumers have grown increasingly wary of major tech companies and their commitment to consumer privacy.

For Google, the revelation is particularly problematic and brings to mind previous privacy controversies, such as the 2010 incident in which the company acknowledged that its fleet of Street View cars “accidentally” collected personal data transmitted over consumers’ unsecured WiFi networks, including emails.

High tech is watching you

Quote

In new book [The Age of Surveillance Capitalism], Business School professor emerita says surveillance capitalism undermines autonomy — and democracy

The continuing advances of the digital revolution can be dazzling. But Shoshana Zuboff, professor emerita at Harvard Business School, warns that their lights, bells, and whistles have made us blind and deaf to the ways high-tech giants exploit our personal data for their own ends.

In her new book, “The Age of Surveillance Capitalism,” Zuboff offers a disturbing picture of how Silicon Valley and other corporations are mining users’ information to predict and shape their behavior.

The Gazette recently interviewed Zuboff about her belief that surveillance capitalism, a term she coined in 2014, is undermining personal autonomy and eroding democracy — and the ways she says society can fight back.
Q&A

Shoshana Zuboff

GAZETTE: The digital revolution began with great promise. When did you start worrying that the tech giants driving it were becoming more interested in exploiting us than serving us?

ZUBOFF: In my 2002 book, “The Support Economy,” I looked at the challenges to capitalism in shifting from a mass to an individual-oriented structure of consumption. I discussed how we finally had the technology to align the forces of supply and demand. However, the early indications were that the people framing that first generation of e-commerce were more preoccupied with tracking cookies and attracting eyeballs for advertising than they were in the historic opportunity they faced.

For a time I thought this was part of the trial and error of a profound structural transformation, but, certainly by 2007, I understood that this was actually a new variant of capitalism that was taking hold of the digital milieu. The opportunities to align supply and demand around the needs of individuals were overtaken by a new economic logic that offered a fast track to monetization.

GAZETTE: What are some of the ways we might not realize that we are losing our autonomy to Facebook, Google, and others?

ZUBOFF: I define surveillance capitalism as the unilateral claiming of private human experience as free raw material for translation into behavioral data. These data are then computed and packaged as prediction products and sold into behavioral futures markets — business customers with a commercial interest in knowing what we will do now, soon, and later. It was Google that first learned how to capture surplus behavioral data, more than what they needed for services, and used it to compute prediction products that they could sell to their business customers, in this case advertisers. But I argue that surveillance capitalism is no more restricted to that initial context than, for example, mass production was restricted to the fabrication of Model T’s.

Right from the start at Google it was understood that users were unlikely to agree to this unilateral claiming of their experience and its translation into behavioral data. It was understood that these methods had to be undetectable. So from the start the logic reflected the social relations of the one-way mirror. They were able to see and to take — and to do this in a way that we could not contest because we had no way to know what was happening.

We rushed to the internet expecting empowerment, the democratization of knowledge, and help with real problems, but surveillance capitalism really was just too lucrative to resist. This economic logic has now spread beyond the tech companies to new surveillance–based ecosystems in virtually every economic sector, from insurance to automobiles to health, education, finance, to every product described as “smart” and every service described as “personalized.” By now it’s very difficult to participate effectively in society without interfacing with these same channels that are supply chains for surveillance capitalism’s data flows. For example, ProPublica recently reported that breathing machines purchased by people with sleep apnea are secretly sending usage data to health insurers, where the information can be used to justify reduced insurance payments.

GAZETTE: Why have we failed even now to take notice of the effects of all this surveillance?

ZUBOFF: There are many reasons. I chronicle 16 explanations as to “how they got away with it.” One big reason is that the audacious, unprecedented quality of surveillance capitalism’s methods and operations has impeded our ability to perceive them and grasp their meaning and consequence.

Another reason is that surveillance capitalism, invented by Google in 2001, benefitted from a couple of important historical windfalls. One is that it arose in the era of a neoliberal consensus around the superiority of self-regulating companies and markets. State-imposed regulation was considered a drag on free enterprise. A second historical windfall is that surveillance capitalism was invented in 2001, the year of 9/11. In the days leading up to that tragedy, there were new legislative initiatives being discussed in Congress around privacy, some of which might well have outlawed practices that became routine operations of surveillance capitalism. Just hours after the World Trade Center towers were hit, the conversation in Washington changed from a concern about privacy to a preoccupation with “total information awareness.” In this new environment, the intelligence agencies and other powerful forces in Washington and other Western governments were more disposed to incubate and nurture the surveillance capabilities coming out of the commercial sector.

A third reason is that these methodologies are designed to keep us ignorant. The rhetoric of the pioneering surveillance capitalists, and just about everyone who has followed, has been a textbook of misdirection, euphemism, and obfuscation. One theme of misdirection has been to sell people on the idea that the new economic practices are an inevitable consequence of digital technology. In America and throughout the West we believe it’s wrong to impede technological progress. So the thought is that if these disturbing practices are the inevitable consequence of the new technologies, we probably just have to live with it. This is a dangerous category error. It’s impossible to imagine surveillance capitalism without the digital, but it’s easy to imagine the digital without surveillance capitalism.

A fourth explanation involves dependency and the foreclosure of alternatives. We now depend upon the internet just to participate effectively in our daily lives. Whether it’s interfacing with the IRS or your health care provider, nearly everything we do now just to fulfill the barest requirements of social participation marches us through the same channels that are surveillance capitalism’s supply chains.

GAZETTE: You warn that our very humanity and our ability to function as a democracy is in some ways at risk.

ZUBOFF: The competitive dynamics of surveillance capitalism have created some really powerful economic imperatives that are driving these firms to produce better and better behavioral-prediction products. Ultimately they’ve discovered that this requires not only amassing huge volumes of data, but actually intervening in our behavior. The shift is from monitoring to what the data scientists call “actuating.” Surveillance capitalists now develop “economies of action,” as they learn to tune, herd, and condition our behavior with subtle and subliminal cues, rewards, and punishments that shunt us toward their most profitable outcomes.

What is abrogated here is our right to the future tense, which is the essence of free will, the idea that I can project myself into the future and thus make it a meaningful aspect of my present. This is the essence of autonomy and human agency. Surveillance capitalism’s “means of behavioral modification” at scale erodes democracy from within because, without autonomy in action and in thought, we have little capacity for the moral judgment and critical thinking necessary for a democratic society. Democracy is also eroded from without, as surveillance capitalism represents an unprecedented concentration of knowledge and the power that accrues to such knowledge. They know everything about us, but we know little about them. They predict our futures, but for the sake of others’ gain. Their knowledge extends far beyond the compilation of the information we gave them. It’s the knowledge that they have produced from that information that constitutes their competitive advantage, and they will never give that up. These knowledge asymmetries introduce wholly new axes of social inequality and injustice.

GAZETTE: So how do we change this dynamic?

ZUBOFF: There are three arenas that must be addressed if we are to end this age of surveillance capitalism, just as we once ended the Gilded Age.

First, we need a sea change in public opinion. This begins with the power of naming. It means awakening to a sense of indignation and outrage. We say, “No.” We say, “This is not OK.”

Second, we need to muster the resources of our democratic institutions in the form of law and regulation. These include, but also move beyond, privacy and antitrust laws. We also need to develop new laws and regulatory institutions that specifically address the mechanisms and imperatives of surveillance capitalism.

A third arena relates to the opportunity for competitive solutions. Every survey of internet users has shown that once people become aware of surveillance capitalists’ backstage practices, they reject them. That points to a disconnect between supply and demand: a market failure. So once again we see a historic opportunity for an alliance of companies to found an alternative ecosystem — one that returns us to the earlier promise of the digital age as an era of empowerment and the democratization of knowledge.

That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus

Quote

Updated An unprotected MongoDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday.

Today, however, it appears the scope of that security snafu may have been underestimated.

According to cyber security biz DynaRisk, there were four databases exposed to the internet – rather than just the one previously reported – bringing the total to potentially more than two billion records weighing in at 196GB rather than 150GB.

Anyone knowing where to look on the ‘net would have been able to spot and siphon off all that data, without any authentication.

“There was one server that was exposed to the web,” Andrew Martin, CEO and founder of DynaRisk, told The Register on Friday. “On this server were four databases. The original discovery analysed records from mainEmailDatabase. The additional three databases were hosted on the same server, which is no longer accessible.

“Our analysis was conducted over all four databases and extracted over two billion email addresses which is more than the 809 million first discussed.”

The databases were operated by Verifications.io, which provides enterprise email validation – a way for marketers to check that email addresses on their mailing lists are valid and active before firing off pitches. The Verifications.io website is currently inaccessible.

The database first reported included the following data fields, some of which, such as date of birth, qualify as personal information under various data laws:

• Email Records (emailrecords): a JSON object with the keys id, zip, visit_date, phone, city, site_url, state, gender, email, user_ip, dob, firstname, lastname, done, and email_lower_sha265.
• Email With Phone (emailWithPhone): No example provided but presumably a JSON object with the two named attributes.
• Business Leads (businessLeads): a JSON object with the keys id, email, sic_code, naics_code, company_name, title, address, city, state, country, phone, fax, company_website, revenue, employees, industry, desc, sic_code_description, firstname, lastname, and email_lower_sha256.
…..

620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

I always tell people that no one seems to take IT Security seriously – at least seriously enough to spend the money to establish good security. The response is always – nah, that can’t be true. Sadly it is. And these are only an ‘example/subset’ – the ones that are reported.

Quote

Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.

Who are the buyers?

These silos of purportedly purloined information are aimed at spammers and credential stuffers, which is why copies are relatively cheap to buy. The stuffers will take usernames and passwords leaked from one site to log into accounts on other websites where the users have used the same credentials.

So, for example, someone buying the purported 500px database could decode the weaker passwords in the list, because some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked password combinations to log into, say, strangers’ Gmail or Facebook accounts, where the email address and passwords have been reused.

All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data. The records were swiped mostly during 2018, we’re told, and went on sale this week.

The seller, who is believed to be located outside of the US, told us the Dubsmash data has been purchased by at least one person.

Some of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were known to have been hacked as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches. In other words, this is the first time we’ve heard these other sites have been allegedly hacked. This also marks the first time this data, for all of the listed sites, has been peddled publicly, again if all the sellers’ claims are true.

Is this legit?

A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018. ShareThis, CoffeeMeetsBagel, 8fit, 500px, DataCamp, and EyeEm also confirmed their account data was stolen from their servers and put up for sale this week in the seller’s collection. This lends further credibility to the data trove.

Last week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted them, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their account data was potentially being touted on the dark web.

Over the weekend, the underground bazaar was mostly knocked offline, apparently by a distributed denial-of-service attack. On Monday this week, the underworld marketplace returned to full strength, and the seller added the rest of the sites. We contacted all of them to alert them, and ask for a response. Meanwhile, Dream Market has been smashed offline again.

Here’s a summary of what is, or briefly was, purported to be on sale:

Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total

11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed password, username, email address, language, country, plus for some, but not all the users, the first and the last name. This alleged security breach has not been previously publicly disclosed. Dubsmash is a video-messaging application popular with millennials and younger folk.

New York City-based Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner Simone McCormick told us:

Our office has been retained to assist Dubsmash in this matter. Thank you for your alert. We immediately launched an investigation. We plan to notify any and all individuals as appropriate. Again, thank you for bringing this to our attention.

500px: 14,870,304 accounts for 0.217 BTC ($780) total

1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country. 500px is a social-networking site for photographers and folks interested in photography.

“Our engineering team is currently investigating and if we can confirm there was a breach we will take the necessary steps to inform our users as per GDPR standards,” 500px spokesperson Stephanie Newell told us.

Update: 500px staff are now notifying their users that the site was indeed hacked, and will reset everyone’s passwords, starting with the ones weakly hashed using MD5.

“We are able to confirm a breach occurred,” Newell told us. “Our engineers immediately launched a comprehensive review of our systems and have since taken every precaution to secure them. All areas of vulnerability have been identified and fixed during our internal investigation, and we’ve found no evidence to date of any recurrence of the issue.

“We are currently working on notifying our entire user base, however, given the amount of users affected, this task will span one day at minimum. We’ve taken every precaution to ensure our users’ data is safe. A system-wide password reset is currently underway for all users, prioritized in order of accounts with the highest potential risk, and we have already forced a reset of all MD5-encrypted passwords.”

In addition, 500px, which is based in Canada, said it has taken the following steps to shore up its security:

– Vetted access to our servers, databases, and other sensitive data-storage services.

– Analyzed and are continuing to monitor our source code, both public-facing and internal, to improve our security protocols and protect against security issues.

– We have partnered with leading experts in cyber security to further secure our website, mobile apps, internal systems, and security processes.

– Modifications to our internal software development process.

– Reviewing the PII [personally identifying information] data we collect from users and how it is used on our platform.

– We are continuing to upgrade our network infrastructure. Over the last 12 months, we have undertaken a major upgrade to our network infrastructure—this project is nearing completion, and will also offer a significant increase in security.

EyeEm: 22,360,765 accounts for 0.289 BTC ($1,040) total

1.7GB of data taken February 2018. Each account record contains an email address and SHA1-hashed password, although about three million are missing an email address. This security breach has not been previously publicly disclosed. Germany-based EyeEm is an online hangout for photographers. A spokesperson did not respond to a request for comment.

Update: EyeEm has told its customers it was hacked, and forced a reset of their passwords.

8fit: 20,180,667 accounts for 0.2025 BTC ($728) total

1.9GB of data taken July 2018. Each account record contains an email address, bcrypt-hashed password, country, country code, Facebook authentication token, Facebook profile picture, name, gender, and IP address. This security breach has not been previously publicly disclosed. Germany-headquartered 8fit offers customized workout and diet plans for healthy fitness types.

8fit CEO Aina Abiodun told us her team is investigating, adding: “I need to get back to you on this and can’t comment immediately.”

Update: 8fit has confessed to its users that it was hacked, and is resetting their passwords.

Fotolog: 16 million accounts for 0.52 BTC ($1,872) total

5.9GB of data taken in December 2018. There are five SQL databases containing information including email addresses, SHA256-hashed passwords, security questions and answers, full names, locations, interests, and other profile information. This alleged security breach has not been previously publicly disclosed. Fotolog, based in Spain, is another social network for photography types. A spokesperson did not respond to a request for comment.

Animoto: 25,402,283 accounts for 0.318 BTC ($1,144) total

2.1GB of data taken in 2018. Each account record contains a user ID, SHA256-hashed password, password salt, email address, country, first and last name, and date of birth. This security breach was publicly disclosed by the NYC-headquartered business in 2018, though this is the first time the data has gone on sale, we understand.

“We provided notification about an incident potentially affecting customers back in August 2018 after we identified unusual activity on our system,” spokesperson Rebecca Brooks told us. “After identifying the suspicious activity, we immediately took the systems offline and implemented numerous security controls to help prevent an incident like this from happening again.”

MyHeritage: 92,284,478 accounts for 0.549 BTC ($1,976) total

3.6GB of data taken October 2017. Each account record contains an email address, SHA1-hashed password and salt, plus the date of account creation. This security breach was publicly disclosed by the business last year, though this is the first time the data has gone on sale, we’re told. No DNA or similar sensitive information was taken. MyHeritage, based in Israel, is a family-tree-tracing service that studies customers’ genetic profiles.

A spokesperson told us:

The date, the number of users affected, and the type of information [in the 2018 disclosure] correspond almost exactly to [the for-sale database], so this does not look like a new breach. It seems likely that the perpetrator(s) of the October 2017 breach or someone who obtained the data from them is now trying to sell it. We will investigate this immediately and report the attempted sale to the authorities so they can try to trace the perpetrators. Until this moment, we have not seen any evidence of circulation or usage or abuse of the breached email addresses and hashed passwords, and this is the first time a mention of them has surfaced since June 4 2018.

MyFitnessPal: 150,633,038 accounts for 0.289 BTC ($1,040) total

3.5GB of data taken February 2018. Each account record contains a user ID, username, email address, SHA1-hashed password with a fixed salt for the whole table, and IP address. This security breach was publicly disclosed by the business last year. This may be the first time it has gone on public sale. Under Armour-owned MyFitnessPal does what it says on the tin: it’s an app that tracks diet and exercise. A spokesperson did not respond to a request for comment.

Update: Spokesperson Erin Wendell has told us the biz made every user reset their password following the discovery of the intrusion last year. If you reused your old MyFitnessPal password with other sites, now would be a good time to change your password on those other services, if you have not done so already.

“We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed their passwords since that March 29, 2018 announcement, to reset their passwords,” Wendell said.

“As a result, passwords previously used for MyFitnessPal at the time of the data security issue are no longer valid on MyFitnessPal, and we continue to encourage strong password practices including unique and complex passwords for all their accounts to enable users to further protect themselves.”

Artsy: 1,070,000 accounts for 0.0289 BTC ($104) total

184MB of data taken April 2018. Each account record contains an email address, name, IP addresses, location, and SHA512-hashed password with salt. This security breach has not been previously publicly disclosed. Artsy, located in NYC, is an online home for collecting and organizing art. A spokesperson did not respond to a request for comment.

Update: Artsy has emailed its users to confirm its data was stolen and sold online. It is in the process of investigating how it happened.

Armor Games: 11,013,617 accounts for 0.2749 BTC ($988) total

1.8GB of data taken late December 2018. Each account record contains a username, email address, SHA1-hashed password and salt, date of birth, gender, location, and other profile details. This alleged security breach has not been previously publicly disclosed. California-based Armor Games is a portal for a ton of browser-based games. A spokesperson did not respond to requests for comment.

Bookmate: 8,026,992 accounts for 0.159 BTC ($572) total

1.7GB of data taken July 2018. Each account record typically contains a username, an email address, SHA512 or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged security breach has not been previously publicly disclosed. British Bookmate makes book-reading apps. A spokesperson did not respond to a request for comment.

CoffeeMeetsBagel: 6,174,513 accounts for 0.13 BTC ($468) total

673MB of data taken late 2017 and mid-2018. Each account record contains typically a full name, email address, age, registration date, and gender. This security breach has not been previously publicly disclosed. CoffeeMeetsBagel is a dating website.

Jenn Takahashi, spokesperson for CoffeeMeetsBagel, told us: “We are not aware of a breach at this time, but our security team is looking into this now.” She also said the San Francisco-based biz does not store passwords, and uses third-party sites for authentication.

“We have engaged with our legal team and forensic security experts to identify any issues and ensure we have the best security stance moving forward,” Takahashi added.

Update: CoffeeMeetsBagel has confirmed at least some user account data was stolen by a hacker who broke into the biz’s systems as recently as May 2018, as we reported.

“On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details, specifically names and email addresses prior to May 2018,” the company said in a statement.

“Once we became aware, we immediately launched a comprehensive investigation with the help of experienced forensic experts. We are currently working on notifying the affected user base. The security of our users’ information is important to us, and we apologize for any inconvenience this may have caused.”

DataCamp: 700,000 accounts for 0.013 BTC ($46.8) total

82MB of data taken December 2018. Each account record contains an email address, bcrypt-hashed password, location, and other profile details. This security breach has not been previously publicly disclosed. US-based DataCamp teaches people data science and programming. A spokesperson told us they are “looking into” the online sale.

“We take this matter seriously and want to further verify if this is indeed the case,” said the biz’s Lode Vanacken. “We will also investigate access and audit logs to see if we can trace back any potential unauthorised access. If indeed further investigation shows this data to be valid we will communicate with you and with the affected end-users.”

Update: Vanacken has told us DataCamp is resetting users’ passwords after confirming its data was stolen. “We have notified the users we believe were affected or potentially affected via email,” he said.

“Out of an abundance of caution, we are logging out all DataCamp users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords and prompting them to reset their passwords.

“We continue to monitor for suspicious activity and to make enhancements to our systems to detect and prevent unauthorized access to user information.”

HauteLook: 28 million accounts for 0.217 BTC ($780) total

1.5GB of data taken during 2018. Each account record contains an email address, bcrypt-hashed password, and name. This alleged security breach has not been previously publicly disclosed. HauteLook is an online store for fashion, accessories, and so on. A spokesperson for the Los Angeles-based biz did not respond to a request for comment.

ShareThis: 41,028,098 accounts for 0.217 BTC ($780) total

2.7GB of data taken early July 2018. Each account record contains a name, username, email address, DES-hashed password, gender, date of birth, and other profile info. This security breach has not been previously publicly disclosed. Palo Alto-based ShareThis makes a widget for sharing links to stuff with friends. A spokesperson did not respond to a request for comment.

Update: ShareThis has written to its users, alerting them that the site was hacked, likely in July 2018, and that email addresses, password hashes, and some dates of birth were stolen and put up for sale online.

Whitepages: 17,775,679 accounts for 0.434 BTC ($1,560) total

2.9GB of data taken 2016. Each account record contains an email address, SHA1- or bcrypt-hashed password, and first and last name. This alleged security breach has not been previously publicly disclosed. Whitepages is a Seattle-based online telephone and address directory. A spokesperson did not respond to a request for comment.

The seller told The Register they have as many as 20 databases to dump online, while keeping some others back for private use, and that they have swiped roughly a billion accounts from servers to date since they started hacking in 2012.

Their aim is to make “life easier” for hackers, by selling fellow miscreants usernames and password hashes to break into other accounts, as well as make some money on the side, and highlight to netizens that they need to take security seriously – such as using two-factor authentication to protect against password theft. The thief also wanted to settle a score with a co-conspirator, by selling a large amount of private data online.

The hacker previously kept stolen databases private, giving them only to those who would swear to keep the data secret.

“I don’t think I am deeply evil,” the miscreant told us. “I need the money. I need the leaks to be disclosed.

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.” ®

Updates below

This article was revised at 0430 UTC on Tuesday, February 12 to include confirmation from 500px that it was hacked, as we reported.

Also on Tuesday, EyeEm informed its users it had been hacked. We understand similar disclosures are due to land this week from ShareThis and others.

On Wednesday, February 13, DataCamp informed us it is resetting its users’ passwords after “some user data was exposed by a third party who gained criminal unauthorized access to one of our systems.”

Also on Wednesday, CoffeeMeetsBagel told us it is alerting its users to its security breach, we added a statement from MyFitnessPal, and 8fit admitted to its customers that it was hacked.

On Thursday, February 14, Artsy emailed its users to confirm its internal data was stolen and put up for sale, as reported. “On February 11, 2019, we became aware that account information for some of our users was made available on the internet,” the biz wrote. “We are still investigating the precise causes of the incident, and together with our engineering team, we are working with a leading cyber forensics firm to assist us.”

On Friday, February 15, ShareThis confirmed it was hacked, too.
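The breach list above records how each site stored passwords: MD5 at 500px (the tier it reset first), SHA1 “with a fixed salt for the whole table” at MyFitnessPal, and bcrypt with per-user salts at several others, and the article notes that the weaker hashes are the ones credential stuffers crack first. The Python below is an added example written for this post, not code from The Register or from any of the companies named. It uses constructed sample users and takes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt (the iteration count is an assumed work factor). It shows something a defender can measure directly on their own user table, without cracking anything: under an unsalted scheme or a table-wide salt, every user who picked the same password gets the same hash, so a stolen table reveals password reuse and one successful guess opens the whole group; per-user random salts remove that property, and a slow KDF raises the cost of each guess.

```python
"""Added example (not from the quoted articles): what the password-storage
schemes named in the breach list give away when the table is stolen.

Constructed sample data only. PBKDF2-HMAC-SHA256 stands in for bcrypt,
which is not in the Python standard library.
"""
import hashlib
import secrets
from collections import Counter
from typing import Callable, Dict, Optional, Tuple

# Constructed users; three of the four reuse the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2018!",
    "bob": "Summer2018!",
    "carol": "correct horse battery staple",
    "dave": "Summer2018!",
}

# One salt for the whole table, the pattern the MyFitnessPal entry describes.
FIXED_SALT = b"constructed-site-wide-salt"

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_md5(password: str) -> str:
    """Legacy scheme (500px's weakest tier): fast and unsalted, so a precomputed
    table of common passwords maps straight onto the stored hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def fixed_salt_sha1(password: str, salt: bytes = FIXED_SALT) -> str:
    """Salted, but the salt is the same for every row, so identical passwords
    still produce identical hashes and one guess is checked against all rows."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def per_user_kdf(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt plus a deliberately slow KDF.
    Returns (salt, hex digest); both are stored, the salt need not be secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def verify_per_user_kdf(password: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    _, candidate = per_user_kdf(password, salt)
    return secrets.compare_digest(candidate, stored_hex)


def hash_table(users: Dict[str, str], scheme: Callable[[str], str]) -> Dict[str, str]:
    """Store every user's password under one scheme (the shape of a breached table)."""
    return {user: scheme(pw) for user, pw in users.items()}


def duplicate_hash_groups(table: Dict[str, str]) -> Dict[str, int]:
    """Hash values shared by more than one user. Each group tells whoever holds
    the table that those users chose the same password, before a single hash is
    cracked; run on your own table, it tells you whether your scheme leaks this."""
    counts = Counter(table.values())
    return {h: n for h, n in counts.items() if n > 1}


def audit_schemes(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, int]:
    """Number of users whose stored hash is shared with someone else, per scheme."""
    per_user_table = {user: per_user_kdf(pw)[1] for user, pw in users.items()}
    tables = {
        "unsalted_md5": hash_table(users, unsalted_md5),
        "fixed_salt_sha1": hash_table(users, fixed_salt_sha1),
        "per_user_kdf": per_user_table,
    }
    return {name: sum(duplicate_hash_groups(t).values()) for name, t in tables.items()}


if __name__ == "__main__":
    for scheme, exposed in audit_schemes().items():
        print(f"{scheme:16s} users with a shared hash: {exposed}")
    salt, digest = per_user_kdf("Summer2018!")
    print("verify correct password:", verify_per_user_kdf("Summer2018!", salt, digest))
    print("verify wrong password:  ", verify_per_user_kdf("summer2018!", salt, digest))
```

Running it reports three exposed users under both the unsalted and the fixed-salt schemes and none under the per-user scheme; the same `duplicate_hash_groups` check against a production table is a cheap way to confirm that a migration away from a table-wide salt actually took effect.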