Security News

Google Spies! The worst kind of microphone is a hidden microphone.

Google says the built-in microphone it never told Nest users about was ‘never supposed to be a secret’

Yeah right.
Quote

  • In early February, Google announced that Assistant would work with its home security and alarm system, Nest Secure.
  • The problem: Users didn’t know a microphone existed on their Nest security devices to begin with.
  • On Tuesday, a Google representative told Business Insider the company had made an “error.”
  • “The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the person said. “That was an error on our part.”

In early February, Google announced that its home security and alarm system Nest Secure would be getting an update. Users, the company said, could now enable its virtual-assistant technology, Google Assistant.

The problem: Nest users didn’t know a microphone existed on their security device to begin with.

The existence of a microphone on the Nest Guard, which is the alarm, keypad, and motion-sensor component in the Nest Secure offering, was never disclosed in any of the product material for the device.

On Tuesday, a Google spokesperson told Business Insider the company had made an “error.”

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the spokesperson said. “That was an error on our part.”

Google says “the microphone has never been on and is only activated when users specifically enable the option.”

It also said the microphone was originally included in the Nest Guard for the possibility of adding new security features down the line, like the ability to detect broken glass.

Still, even if Google included the microphone in its Nest Guard device for future updates — like its Assistant integration — the news comes as consumers have grown increasingly wary of major tech companies and their commitment to consumer privacy.

For Google, the revelation is particularly problematic and brings to mind previous privacy controversies, such as the 2010 incident in which the company acknowledged that its fleet of Street View cars “accidentally” collected personal data transmitted over consumers’ unsecured WiFi networks, including emails.

High tech is watching you

Quote

In new book [The Age of Surveillance Capitalism], Business School professor emerita says surveillance capitalism undermines autonomy — and democracy

The continuing advances of the digital revolution can be dazzling. But Shoshana Zuboff, professor emerita at Harvard Business School, warns that their lights, bells, and whistles have made us blind and deaf to the ways high-tech giants exploit our personal data for their own ends.

In her new book, “The Age of Surveillance Capitalism,” Zuboff offers a disturbing picture of how Silicon Valley and other corporations are mining users’ information to predict and shape their behavior.

The Gazette recently interviewed Zuboff about her belief that surveillance capitalism, a term she coined in 2014, is undermining personal autonomy and eroding democracy — and the ways she says society can fight back.

Q&A
Shoshana Zuboff

GAZETTE: The digital revolution began with great promise. When did you start worrying that the tech giants driving it were becoming more interested in exploiting us than serving us?

ZUBOFF: In my 2002 book, “The Support Economy,” I looked at the challenges to capitalism in shifting from a mass to an individual-oriented structure of consumption. I discussed how we finally had the technology to align the forces of supply and demand. However, the early indications were that the people framing that first generation of e-commerce were more preoccupied with tracking cookies and attracting eyeballs for advertising than they were in the historic opportunity they faced.

For a time I thought this was part of the trial and error of a profound structural transformation, but, certainly by 2007, I understood that this was actually a new variant of capitalism that was taking hold of the digital milieu. The opportunities to align supply and demand around the needs of individuals were overtaken by a new economic logic that offered a fast track to monetization.

GAZETTE: What are some of the ways we might not realize that we are losing our autonomy to Facebook, Google, and others?

ZUBOFF: I define surveillance capitalism as the unilateral claiming of private human experience as free raw material for translation into behavioral data. These data are then computed and packaged as prediction products and sold into behavioral futures markets — business customers with a commercial interest in knowing what we will do now, soon, and later. It was Google that first learned how to capture surplus behavioral data, more than what they needed for services, and used it to compute prediction products that they could sell to their business customers, in this case advertisers. But I argue that surveillance capitalism is no more restricted to that initial context than, for example, mass production was restricted to the fabrication of Model T’s.

Right from the start at Google it was understood that users were unlikely to agree to this unilateral claiming of their experience and its translation into behavioral data. It was understood that these methods had to be undetectable. So from the start the logic reflected the social relations of the one-way mirror. They were able to see and to take — and to do this in a way that we could not contest because we had no way to know what was happening.

We rushed to the internet expecting empowerment, the democratization of knowledge, and help with real problems, but surveillance capitalism really was just too lucrative to resist. This economic logic has now spread beyond the tech companies to new surveillance–based ecosystems in virtually every economic sector, from insurance to automobiles to health, education, finance, to every product described as “smart” and every service described as “personalized.” By now it’s very difficult to participate effectively in society without interfacing with these same channels that are supply chains for surveillance capitalism’s data flows. For example, ProPublica recently reported that breathing machines purchased by people with sleep apnea are secretly sending usage data to health insurers, where the information can be used to justify reduced insurance payments.

GAZETTE: Why have we failed even now to take notice of the effects of all this surveillance?

ZUBOFF: There are many reasons. I chronicle 16 explanations as to “how they got away with it.” One big reason is that the audacious, unprecedented quality of surveillance capitalism’s methods and operations has impeded our ability to perceive them and grasp their meaning and consequence.

Another reason is that surveillance capitalism, invented by Google in 2001, benefitted from a couple of important historical windfalls. One is that it arose in the era of a neoliberal consensus around the superiority of self-regulating companies and markets. State-imposed regulation was considered a drag on free enterprise. A second historical windfall is that surveillance capitalism was invented in 2001, the year of 9/11. In the days leading up to that tragedy, there were new legislative initiatives being discussed in Congress around privacy, some of which might well have outlawed practices that became routine operations of surveillance capitalism. Just hours after the World Trade Center towers were hit, the conversation in Washington changed from a concern about privacy to a preoccupation with “total information awareness.” In this new environment, the intelligence agencies and other powerful forces in Washington and other Western governments were more disposed to incubate and nurture the surveillance capabilities coming out of the commercial sector.

A third reason is that these methodologies are designed to keep us ignorant. The rhetoric of the pioneering surveillance capitalists, and just about everyone who has followed, has been a textbook of misdirection, euphemism, and obfuscation. One theme of misdirection has been to sell people on the idea that the new economic practices are an inevitable consequence of digital technology. In America and throughout the West we believe it’s wrong to impede technological progress. So the thought is that if these disturbing practices are the inevitable consequence of the new technologies, we probably just have to live with it. This is a dangerous category error. It’s impossible to imagine surveillance capitalism without the digital, but it’s easy to imagine the digital without surveillance capitalism.

A fourth explanation involves dependency and the foreclosure of alternatives. We now depend upon the internet just to participate effectively in our daily lives. Whether it’s interfacing with the IRS or your health care provider, nearly everything we do now just to fulfill the barest requirements of social participation marches us through the same channels that are surveillance capitalism’s supply chains.

GAZETTE: You warn that our very humanity and our ability to function as a democracy is in some ways at risk.

ZUBOFF: The competitive dynamics of surveillance capitalism have created some really powerful economic imperatives that are driving these firms to produce better and better behavioral-prediction products. Ultimately they’ve discovered that this requires not only amassing huge volumes of data, but actually intervening in our behavior. The shift is from monitoring to what the data scientists call “actuating.” Surveillance capitalists now develop “economies of action,” as they learn to tune, herd, and condition our behavior with subtle and subliminal cues, rewards, and punishments that shunt us toward their most profitable outcomes.

What is abrogated here is our right to the future tense, which is the essence of free will, the idea that I can project myself into the future and thus make it a meaningful aspect of my present. This is the essence of autonomy and human agency. Surveillance capitalism’s “means of behavioral modification” at scale erodes democracy from within because, without autonomy in action and in thought, we have little capacity for the moral judgment and critical thinking necessary for a democratic society. Democracy is also eroded from without, as surveillance capitalism represents an unprecedented concentration of knowledge and the power that accrues to such knowledge. They know everything about us, but we know little about them. They predict our futures, but for the sake of others’ gain. Their knowledge extends far beyond the compilation of the information we gave them. It’s the knowledge that they have produced from that information that constitutes their competitive advantage, and they will never give that up. These knowledge asymmetries introduce wholly new axes of social inequality and injustice.

GAZETTE: So how do we change this dynamic?

ZUBOFF: There are three arenas that must be addressed if we are to end this age of surveillance capitalism, just as we once ended the Gilded Age.

First, we need a sea change in public opinion. This begins with the power of naming. It means awakening to a sense of indignation and outrage. We say, “No.” We say, “This is not OK.”

Second, we need to muster the resources of our democratic institutions in the form of law and regulation. These include, but also move beyond, privacy and antitrust laws. We also need to develop new laws and regulatory institutions that specifically address the mechanisms and imperatives of surveillance capitalism.

A third arena relates to the opportunity for competitive solutions. Every survey of internet users has shown that once people become aware of surveillance capitalists’ backstage practices, they reject them. That points to a disconnect between supply and demand: a market failure. So once again we see a historic opportunity for an alliance of companies to found an alternative ecosystem — one that returns us to the earlier promise of the digital age as an era of empowerment and the democratization of knowledge.

That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus

Quote

Updated An unprotected MongoDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday.

Today, however, it appears the scope of that security snafu may have been underestimated.

According to cyber security biz Dynarisk, there were four databases exposed to the internet – rather than just the one previously reported – bringing the total to potentially more than two billion records weighing in at 196GB rather than 150GB.

Anyone knowing where to look on the ‘net would have been able to spot and siphon off all that data, without any authentication.

“There was one server that was exposed to the web,” Andrew Martin, CEO and founder of DynaRisk, told The Register on Friday. “On this server were four databases. The original discovery analysed records from mainEmailDatabase. The additional three databases were hosted on the same server, which is no longer accessible.

“Our analysis was conducted over all four databases and extracted over two billion email addresses which is more than the 809 million first discussed.”

The databases were operated by Verifications.io, which provides enterprise email validation – a way for marketers to check that email addresses on their mailing lists are valid and active before firing off pitches. The Verifications.io website is currently inaccessible.

The database first reported included the following data fields, some of which, such as date of birth, qualify as personal information under various data laws:

Email Records (emailrecords): a JSON object with the keys id, zip, visit_date, phone, city, site_url, state, gender, email, user_ip, dob, firstname, lastname, done, and email_lower_sha265.
Email With Phone (emailWithPhone): No example provided but presumably a JSON object with the two named attributes.
Business Leads (businessLeads): a JSON object with the keys id, email, sic_code, naics_code, company_name, title, address, city, state, country, phone, fax, company_website, revenue, employees, industry, desc, sic_code_description, firstname, lastname, and email_lower_sha256.
…..

620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

I always tell people that no one seems to take IT Security seriously – at least seriously enough to spend the money to establish good security. The response is always – nah, that can’t be true. Sadly it is. And these are only an ‘example/subset’ of the ones that are reported.

Quote

Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.

Who are the buyers?

These silos of purportedly purloined information are aimed at spammers and credential stuffers, which is why copies are relatively cheap to buy. The stuffers will take usernames and passwords leaked from one site to log into accounts on other websites where the users have used the same credentials.

So, for example, someone buying the purported 500px database could decode the weaker passwords in the list, because some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked password combinations to log into, say, strangers’ Gmail or Facebook accounts, where the email address and passwords have been reused.

All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data. The records were swiped mostly during 2018, we’re told, and went on sale this week.

The seller, who is believed to be located outside of the US, told us the Dubsmash data has been purchased by at least one person.

Some of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were known to have been hacked as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches. In other words, this is the first time we’ve heard these other sites have been allegedly hacked. This also marks the first time this data, for all of the listed sites, has been peddled publicly, again if all the sellers’ claims are true.

Is this legit?

A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018. ShareThis, CoffeeMeetsBagel, 8fit, 500px, DataCamp, and EyeEm also confirmed their account data was stolen from their servers and put up for sale this week in the seller’s collection. This lends further credibility to the data trove.

Last week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted them, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their account data was potentially being touted on the dark web.

Over the weekend, the underground bazaar was mostly knocked offline, apparently by a distributed denial-of-service attack. On Monday this week, the underworld marketplace returned to full strength, and the seller added the rest of the sites. We contacted all of them to alert them, and ask for a response. Meanwhile, Dream Market has been smashed offline again.

Here’s a summary of what is, or briefly was, purported to be on sale:

Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total

11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed password, username, email address, language, country, plus for some, but not all the users, the first and the last name. This alleged security breach has not been previously publicly disclosed. Dubsmash is a video-messaging application popular with millennials and younger folk.

New York City-based Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner Simone McCormick told us:

Our office has been retained to assist Dubsmash in this matter. Thank you for your alert. We immediately launched an investigation. We plan to notify any and all individuals as appropriate. Again, thank you for bringing this to our attention.

500px: 14,870,304 accounts for 0.217 BTC ($780) total

1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country. 500px is a social-networking site for photographers and folks interested in photography.

“Our engineering team is currently investigating and if we can confirm there was a breach we will take the necessary steps to inform our users as per GDPR standards,” 500px spokesperson Stephanie Newell told us.

Update: 500px staff are now notifying their users that the site was indeed hacked, and will reset everyone’s passwords, starting with the ones weakly hashed using MD5.

“We are able to confirm a breach occurred,” Newell told us. “Our engineers immediately launched a comprehensive review of our systems and have since taken every precaution to secure them. All areas of vulnerability have been identified and fixed during our internal investigation, and we’ve found no evidence to date of any recurrence of the issue.

“We are currently working on notifying our entire user base, however, given the amount of users affected, this task will span one day at minimum. We’ve taken every precaution to ensure our users’ data is safe. A system-wide password reset is currently underway for all users, prioritized in order of accounts with the highest potential risk, and we have already forced a reset of all MD5-encrypted passwords.”

In addition, 500px, which is based in Canada, said it has taken the following steps to shore up its security:

– Vetted access to our servers, databases, and other sensitive data-storage services.

– Analyzed and are continuing to monitor our source code, both public-facing and internal, to improve our security protocols and protect against security issues.

– We have partnered with leading experts in cyber security to further secure our website, mobile apps, internal systems, and security processes.

– Modifications to our internal software development process.

– Reviewing the PII [personally identifying information] data we collect from users and how it is used on our platform.

– We are continuing to upgrade our network infrastructure. Over the last 12 months, we have undertaken a major upgrade to our network infrastructure—this project is nearing completion, and will also offer a significant increase in security.

EyeEm: 22,360,765 accounts for 0.289 BTC ($1,040) total

1.7GB of data taken February 2018. Each account record contains an email address and SHA1-hashed password, although about three million are missing an email address. This security breach has not been previously publicly disclosed. Germany-based EyeEm is an online hangout for photographers. A spokesperson did not respond to a request for comment.

Update: EyeEm has told its customers it was hacked, and forced a reset of their passwords.

8fit: 20,180,667 accounts for 0.2025 BTC ($728) total

1.9GB of data taken July 2018. Each account record contains an email address, bcrypted-hashed password, country, country code, Facebook authentication token, Facebook profile picture, name, gender, and IP address. This security breach has not been previously publicly disclosed. Germany-headquartered 8fit offers customized workout and diet plans for healthy fitness types.

8fit CEO Aina Abiodun told us her team is investigating, adding: “I need to get back to you on this and can’t comment immediately.”

Update: 8fit has confessed to its users that it was hacked, and is resetting their passwords.

Fotolog: 16 million accounts for 0.52 BTC ($1,872) total

5.9GB of data taken in December 2018. There are five SQL databases containing information including email addresses, SHA256-hashed passwords, security questions and answers, full names, locations, interests, and other profile information. This alleged security breach has not been previously publicly disclosed. Fotolog, based in Spain, is another social network for photography types. A spokesperson did not respond to a request for comment.

Animoto 25,402,283 accounts for 0.318 BTC ($1,144) total

2.1GB of data taken in 2018. Each account record contains a user ID, SHA256-hashed password, password salt, email address, country, first and last name, and date of birth. This security breach was publicly disclosed by the NYC-headquartered business in 2018, though this is the first time the data has gone on sale, we understand.

“We provided notification about an incident potentially affecting customers back in August 2018 after we identified unusual activity on our system,” spokesperson Rebecca Brooks told us. “After identifying the suspicious activity, we immediately took the systems offline and implemented numerous security controls to help prevent an incident like this from happening again.”

MyHeritage 92,284,478 accounts for 0.549 BTC ($1,976) total

3.6GB of data taken October 2017. Each account record contains an email address, SHA1-hashed password and salt, plus the date of account creation. This security breach was publicly disclosed by the business last year, though this is the first time the data has gone on sale, we’re told. No DNA or similar sensitive information was taken. MyHeritage, based in Israel, is a family-tree-tracing service that studies customers’ genetic profiles.

A spokesperson told us:

The date, the number of users affected, and the type of information [in the 2018 disclosure] correspond almost exactly to [the for-sale database], so this does not look like a new breach. It seems likely that the perpetrator(s) of the October 2017 breach or someone who obtained the data from them is now trying to sell it. We will investigate this immediately and report the attempted sale to the authorities so they can try to trace the perpetrators. Until this moment, we have not seen any evidence of circulation or usage or abuse of the breached email addresses and hashed passwords, and this is the first time a mention of them has surfaced since June 4 2018.

MyFitnessPal 150,633,038 accounts for 0.289 BTC ($1,040) total

3.5GB of data taken February 2018. Each account record contains a user ID, username, email address, SHA1-hashed password with a fixed salt for the whole table, and IP address. This security breach was publicly disclosed by the business last year. This may be the first time it has gone on public sale. Under-Armor-owned MyFitnessPal does what it says on the tin: it’s an app that tracks diet and exercise. A spokesperson did not respond to a request for comment.

Update: Spokesperson Erin Wendell has told us the biz made every user reset their password following the discovery of the intrusion last year. If you reused your old MyFitnessPal password with other sites, now would be a good time to change your password on those other services, if you have not done so already.

“We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed their passwords since that March 29, 2018 announcement, to reset their passwords,” Wendell said.

“As a result, passwords previously used for MyFitnessPal at the time of the data security issue are no longer valid on MyFitnessPal, and we continue to encourage strong password practices including unique and complex passwords for all their accounts to enable users to further protect themselves.”

Artsy 1,070,000 accounts for 0.0289 BTC ($104) total

184MB of data taken April 2018. Each account record contains an email address, name, IP addresses, location, and SHA512-hashed password with salt. This security breach has not been previously publicly disclosed. Artsy, located in NYC, is an online home for collecting and organizing art. A spokesperson did not respond to a request for comment.

Update: Artsy has emailed its users to confirm its data was stolen and sold online. It is in the process of investigating how it happened.

Armor Games 11,013,617 accounts for 0.2749 BTC ($988) total

1.8GB of data taken late December 2018. Each account record contains a username, email address, SHA1-hashed password and salt, date of birth, gender, location, and other profile details. This alleged security breach has not been previously publicly disclosed. California-based Armor Games is a portal for a ton of browser-based games. A spokesperson did not respond to requests for comment.

Bookmate 8,026,992 accounts for 0.159 BTC ($572) total

1.7GB of data taken July 2018. Each account record typically contains a username, an email address, SHA512 or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged security breach has not been previously publicly disclosed. British Bookmate makes book-reading apps. A spokesperson did not respond to a request for comment.

CoffeeMeetsBagel 6,174,513 accounts for 0.13 BTC ($468) total

673MB of data taken late 2017 and mid-2018. Each account record contains typically a full name, email address, age, registration date, and gender. This security breach has not been previously publicly disclosed. CoffeeMeetsBagel is a dating website.

Jenn Takahashi, spokesperson for CoffeeMeetsBagel, told us: “We are not aware of a breach at this time, but our security team is looking into this now.” She also said the San-Francisco-based biz does not store passwords, and uses third-party sites for authentication.

“We have engaged with our legal team and forensic security experts to identify any issues and ensure we have the best security stance moving forward,” Takahashi added.

Update: CoffeeMeetsBagel has confirmed at least some user account data was stolen by a hacker who broke into the biz’s systems as recently as May 2018, as we reported.

“On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details, specifically names and email addresses prior to May 2018,” the company said in a statement.

“Once we became aware, we immediately launched a comprehensive investigation with the help of experienced forensic experts. We are currently working on notifying the affected user base. The security of our users’ information is important to us, and we apologize for any inconvenience this may have caused.”

DataCamp 700,000 accounts for 0.013 BTC ($46.8) total

82MB of data taken December 2018. Each account record contains an email address, bcrypt-hashed password, location, and other profile details. This security breach has not been previously publicly disclosed. US-based DataCamp teaches people data science and programming. A spokesperson told us they are “looking into” the online sale.

“We take this matter seriously and want to further verify if this is indeed the case,” said the biz’s Lode Vanacken. “We will also investigate access and audit logs to see if we can trace back any potential unauthorised access. If indeed further investigation shows this data to be valid we will communicate with you and with the affected end-users.”

Update: Vanacken has told us DataCamp is resetting users’ passwords after confirming its data was stolen. “We have notified the users we believe were affected or potentially affected via email,” he said.

“Out of an abundance of caution, we are logging out all DataCamp users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords and prompting them to reset their passwords.

“We continue to monitor for suspicious activity and to make enhancements to our systems to detect and prevent unauthorized access to user information.”

HauteLook 28 million accounts for 0.217 BTC ($780) total

1.5GB of data taken during 2018. Each account record contains an email address, bcrypt-hashed password, and name. This alleged security breach has not been previously publicly disclosed. HauteLook is an online store for fashion, accessories, and so on. A spokesperson for the Los Angeles-based biz did not respond to a request for comment.

ShareThis 41,028,098 accounts for 0.217 BTC ($780) total

2.7GB of data taken early July 2018. Each account record contains a name, username, email address, DES-hashed password, gender, date of birth, and other profile info. This security breach has not been previously publicly disclosed. Palo Alto-based ShareThis makes a widget for sharing links to stuff with friends. A spokesperson did not respond to a request for comment.

Update: ShareThis has written to its users, alerting them that the site was hacked, likely in July 2018, and that email addresses, password hashes, and some dates of birth were stolen and put up for sale online.
Whitepages 17,775,679 accounts for 0.434 BTC ($1560) total

2.9GB of data taken 2016. Each account record contains an email address, SHA1- or bcrypt-hashed password, and first and last name. This alleged security breach has not been previously publicly disclosed. Whitepages is a Seattle-based online telephone and address directory. A spokesperson did not respond to a request for comment.

The seller told The Register they have as many as 20 databases to dump online, while keeping some others back for private use, and that they have swiped roughly a billion accounts from servers to date since they started hacking in 2012.

Their aim is to make “life easier” for hackers, by selling fellow miscreants usernames and password hashes to break into other accounts, as well as make some money on the side, and highlight to netizens that they need to take security seriously – such as using two-factor authentication to protect against password theft. The thief also wanted to settle a score with a co-conspirator, by selling a large amount of private data online.

The hacker previously kept stolen databases private, giving them only to those who would swear to keep the data secret.

“I don’t think I am deeply evil,” the miscreant told us. “I need the money. I need the leaks to be disclosed.

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.” ®
Updates below

This article was revised at 0430 UTC on Tuesday, February 12 to include confirmation from 500px that it was hacked, as we reported.

Also on Tuesday, EyeEm informed its users it had been hacked. We understand similar disclosures are due to land this week from ShareThis and others.

On Wednesday, February 13, DataCamp informed us it is resetting its users’ passwords after “some user data was exposed by a third party who gained criminal unauthorized access to one of our systems.”

Also on Wednesday, CoffeeMeetsBagel told us it is alerting its users to its security breach, we added a statement from MyFitnessPal, and 8fit admitted to its customers that it was hacked.

On Thursday, February 14, Artsy emailed its users to confirm its internal data was stolen and put up for sale, as reported. “On February 11, 2019, we became aware that account information for some of our users was made available on the internet,” the biz wrote. “We are still investigating the precise causes of the incident, and together with our engineering team, we are working with a leading cyber forensics firm to assist us.”

On Friday, February 15, ShareThis confirmed it was hacked, too.

Unearthed emails could be smoking gun in epic GDPR battle against Google, adtech giants

If online ads were simply outlawed, the problem would be fixed. That will not happen soon, so use the best ad-blocker you can, set your browser to dump cookies and other data upon exit (not available in Google Chrome – hmmm, now I wonder why...), and when done on one site, close the browser and restart before going to a new site.

Quote

Privacy warriors have filed fresh evidence in their ongoing battle against real-time web ad exchange systems, which campaigners claim trample over Europe’s data protection laws.

The new filings – submitted today to regulators in the UK, Ireland, and Poland – allege that Google and industry body the Interactive Advertising Bureau (IAB) are well aware that their advertising networks’ business models flout the EU’s privacy-safeguarding GDPR, and yet are doing nothing about it. The IAB, Google – which is an IAB member – and others in the ad-slinging world insist they aren’t doing anything wrong.

The fresh submissions come soon after the UK Information Commissioner’s Office (ICO) revealed plans to probe programmatic ads. These are adverts that are selected and served on-the-fly as you visit a webpage, using whatever personal information has been scraped together about you to pick an ad most relevant to your interests.

Typically, advertisers bid for space on a webpage in real-time given the type of visitor: the page is fetched from a website, it brings in ad network code, which triggers an auction between advertisers that completes in a fraction of a second, and the winning ad is served and displayed (assuming the advert isn’t blocked.) This transaction, dubbed real-time bidding or RTB, happens automatically and immediately when an ad is required, and it can be fairly convoluted: ad slots may be passed through a tangle of publishers and exchanges before they arrive in a browser.

Netizens known to be wealthy and with a lot of disposable income, or IT buyers with big spending budgets, for example, will command higher ad rates than those unlikely to buy anything through an ad. This is why ad networks and exchanges, like Google, love to know everything about you, all that lovely private data, so they can tout you to advertising buyers and target ads at you for stuff you’re previously shown an interest in.

The ICO’s investigation will focus on how well informed people are about how their personal information is used for this kind of online advertising, which laws ad-technology firms rely on for processing said private data, and whether users’ data is secure as it is shared on these platforms.

Meanwhile, these latest filings follow on from gripes lodged by the same online rights campaigners late last month and in 2018.

The privacy warriors allege the aforementioned auction systems fall foul of Europe’s General Data Protection Regulation (GDPR) because netizens do not have much or any real control over the massive amounts of ad-related data lobbed between sites and services. Moreover, this information can be highly personal – sometimes including location coordinates along with pseudonymous identifiers, personal interests, and the site they are browsing.

The complaints, which point the finger of blame at the IAB’s openRTB and Google’s Authorized Buyers systems, were filed to watchdogs in the UK by Open Rights Group executive director Jim Killock and privacy researcher Michael Veale; in Ireland by Johnny Ryan of browser biz Brave; and in Poland by the Panoptykon Foundation.

The IAB has consistently stressed that the complaints should not be directed at RTB technology makers, such as itself – and that doing so is like holding road builders accountable for people who break the speed limit. In other words, the tech can be abused, but apparently not by its developers. And the industry body claimed the complainants have only proven it is possible to break the law, not that it has been broken.

As such, the privacy warriors hope to add more weight to their arguments, and today submitted a fresh set of documents to regulators in the aforementioned trio of nations. This cache includes examples of the data passed through RTB systems, and the number of daily bid requests ad exchanges make, which reach 131 billion for AppNexus and 90 billion for Oath/AOL.
Programmatic trading, or is that problematic trading?

The complainants have also filed documents they claim prove the IAB has long been aware that there is a potential problem with RTB systems and their compliance with GDPR.

Among the latest cache is an email from 2017 – obtained under a Freedom-of-Information request – sent from the CEO of IAB Europe, Townsend Feehan, to senior staff in the European Commission Directorate General for Communications Networks, Content, and Technology.

The email reveals Feehan lobbying commission staffers against proposals for a new ePrivacy Regulation – which was meant to come into force with GDPR but has been stuck in negotiations – saying it could “mean the end of the online advertising model.”

Programmatic trading would seem, at least prima facie, to be incompatible with consent under GDPR

The exec attached an 18-page document to the email detailing IAB Europe’s reasoning, which discussed the impact of proposals to tighten rules on the use of people’s private data to the same level as that of GDPR, particularly the requirement of someone’s consent to share their information. Crucially, consent under GDPR requires that people are told clearly what’s going on with their sensitive info, which means website visitors must be told the identity of the data controller(s) processing their data and the purposes of processing. Given the instantaneous and convoluted nature of ad bidding, it is seemingly impossible to alert netizens prior to the real-time auctions, it is claimed.

This, essentially, is the rub between GDPR and today’s on-the-fly web advertising, it would seem.

“As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR,” the IAB said.

Brave’s Johnny Ryan said this acknowledges the issue at the core of the campaigners’ complaint – and suggests the IAB doesn’t think adtech’s operating model can work with GDPR.

The IAB has since launched a “Consent and Transparency Framework” to help companies involved in RTB systems meet their legal requirements – but opponents argue that this doesn’t change the facts at the heart of the matter.

Similarly, a document from May 2018 produced by the IAB Tech Lab – a group that produces standards, software, and services for digital publishers, marketers, media, and adtech firms – acknowledged concerns about GDPR compliance. In it, the lab said publishers were concerned “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad but need a way to clearly signal the restriction for permitted uses in an auditable way.”

It also said that “surfacing thousands of vendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions.” And elsewhere in the 2017 document, the IAB said that, since third parties in adtech have “no link to the end-user [they] will be unable to collect consent.”
All your basis are belong to…?

It is question-marks like these, from the industry itself, that the privacy campaigners hope will bolster their case. These concerns were also highlighted by the ICO’s tech policy lead Simon McDougall in a blog post earlier this month outlining the body’s plan to look into adtech.

“The lawful basis for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent,” he said. “There seem to be several schools of thought around the suitability of various basis for processing personal data – we would like to understand why the differences exist.”

He added that the ICO was interested in how and what people are told about how their personal data is used for online advertising, and how accurate these disclosures are.

A third prong of the ICO probe will consider the security of the data that is widely and rapidly shared during the auctions. “We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure,” said McDougall.

The ICO stressed that it was in the fact-finding stages of its work, and that it wanted to listen to all the “diverging views” on adtech.

And, for their part, the complainants in the case against IAB Europe and Google have said that they aren’t, necessarily, seeking an end to online advertising. Rather, they want to see adtech firms operate without sharing the highly personal information they do at the moment. For instance, Ryan said that the IAB RTB system allows 595 different kinds of data to be included in a bid request. Scrapping the use of just four per cent would be an “easy, long overdue, fix

Password managers may leave your online crown jewels ‘exposed in RAM’ to malware

Quote

A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.

Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashlane all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.

The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory. This would potentially allow malware on a system, particularly malware with admin rights, to obtain those passwords.

And yeah, sure… we know. We get it. If spyware has infected your computer, you’re pretty much screwed. The point here is to demonstrate that software nasties can potentially mine all your login details straight from your password manager in one go. Think of this as a heads up to developers of passphrase managers, and malware researchers.

For what it’s worth, we reckon that if malware has taken hold of your PC it could probably impersonate your password manager, and snaffle your master passphrase that way, but on the other hand, why go to that trouble if the goodies are lying around in RAM?

So, what we’re saying here is: this isn’t anything to panic over right now – it’s something the designers of password managers, at least, should now be aware of.

The team noted that the password managers are not vulnerable when they are not running, such as right after the system boots up, but rather are exposed after the user opens the manager and types in their master password. That means the passwords stored on disk are safe, at least.

“All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive,” Team ISE explained.

“Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets.”

The password managers are not necessarily getting better in their newer editions, either. The ISE studied two versions of 1Password (4.6.2.626 and 7.2.576) and found that the earlier build was in fact better at protecting passwords than the newer version. This is because the later build loaded all passwords into memory as plain text as soon as the master password was entered.

Some of the described flaws have already been fixed. A LastPass spokesperson told The Register it had sorted the memory disclosure issues described in its products, and that even when the flaw was present, a real-world exploit would require the attacker to have local access to the machine with admin clearance.

The report doesn’t by any means suggest you should not be using a password manager. Even with the mild flaws ISE found, a password manager remains by far the best way to keep your login credentials secure, and experts routinely recommend them as a way to manage multiple unique and strong passphrases for your online accounts.

“First and foremost, password managers are a good thing,” Team ISE noted. “All password managers we have examined add value to the security posture of secrets management.”

See their afore-linked report for more dos and don’ts on staying safe.
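The ISE finding quoted above, that every manager "attempted to scrub secrets from memory" but "residual buffers remained", comes down to two things: a wipe that the compiler is allowed to drop as a dead store, and copies of the secret that the program no longer tracks. The following is an added illustration in C, not code from ISE or from any of the password managers named; the arena, the buffer offsets and the sample master password are constructed here to stand in for a process heap. It shows a wipe that survives optimization and the kind of memory scan an auditor runs to count leftover copies of a secret.

```c
/* Added example (constructed; not ISE's or any password manager's code):
 * a wipe the optimizer cannot elide, plus a residual-copy scan of the kind
 * used to audit a process for leftover secrets. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 4096   /* constructed stand-in for the process heap */

/* Writes through a volatile pointer are observable side effects, so the
 * compiler must keep them. A plain memset() immediately before free() or
 * return is exactly the store that dead-store elimination removes. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Count occurrences of `secret` (slen bytes) inside a memory region.
 * This mirrors the audit approach: dump memory, search for the master
 * password or a stored credential, and see how many copies survive. */
size_t count_residual_copies(const unsigned char *region, size_t rlen,
                             const unsigned char *secret, size_t slen) {
    size_t hits = 0;
    if (slen == 0 || rlen < slen) {
        return 0;
    }
    for (size_t i = 0; i + slen <= rlen; i++) {
        if (memcmp(region + i, secret, slen) == 0) {
            hits++;
        }
    }
    return hits;
}

/* Simulated "unlock": the master password is copied into three working
 * buffers (the offsets are constructed). Two are tracked and wiped; the
 * third models a "lost memory reference" such as a copy held by a GUI
 * widget. With track_all_copies == 0 that copy is forgotten and survives.
 * Returns how many copies of the master password remain in the arena. */
size_t residual_after_unlock(const char *master, int track_all_copies) {
    unsigned char *arena = calloc(ARENA_SIZE, 1);
    if (arena == NULL) {
        return (size_t)-1;
    }
    size_t mlen = strlen(master);
    unsigned char *kdf_input  = arena + 100;   /* fed to key derivation */
    unsigned char *ui_copy    = arena + 1000;  /* copy owned by a text field */
    unsigned char *stray_copy = arena + 3000;  /* copy nobody kept a pointer to */
    memcpy(kdf_input, master, mlen);
    memcpy(ui_copy, master, mlen);
    memcpy(stray_copy, master, mlen);

    /* ... derive the vault key, decrypt the database ... */

    secure_wipe(kdf_input, mlen);
    secure_wipe(ui_copy, mlen);
    if (track_all_copies) {
        secure_wipe(stray_copy, mlen);
    }
    size_t left = count_residual_copies(arena, ARENA_SIZE,
                                        (const unsigned char *)master, mlen);
    free(arena);
    return left;
}

int main(void) {
    const char *master = "correct horse battery staple";  /* constructed sample */
    printf("copies left, untracked buffer: %zu\n", residual_after_unlock(master, 0));
    printf("copies left, all buffers wiped: %zu\n", residual_after_unlock(master, 1));
    return 0;
}
```

The scan is deliberately naive (a byte-for-byte search), which is also why it is useful as a check: if a secret can be found this way after the unlock path has finished, an attacker with read access to the process would find it the same way. The practical lesson for a developer is to keep an owner for every copy of a secret, wipe through a function the compiler cannot remove, and treat any copy handed to a GUI framework as one that needs the same treatment.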

The Unfinished Business of the Equifax Hack

Congress needs to address the failures of credit reporting. They also need to put teeth into privacy laws and enact stiff fines for breaches.

Quote

Remember the Equifax breach? In late 2017, the credit-reporting company revealed that hackers had stolen the personal data of more than 145 million people — including Social Security numbers, addresses, and in some cases even credit-card details. The incident was remarkable not only in scale, but also for the scant regard the company apparently showed for the individuals whose sensitive information it was supposed to manage.

Almost a year and a half later, almost nothing has changed. Authorities have neither sanctioned Equifax nor addressed the deeper industry-wide flaws that the incident exposed. It’s an omission that Congress must correct.

Equifax and its two main competitors, Experian and TransUnion, provide a valuable service. Their databases grease the wheels of commerce, allowing banks, employers and government agencies to quickly and easily check almost anyone’s identity and credit history. Yet their interests don’t always align with the public good. The people whose information they maintain are not their primary customers, so the firms lack an adequate incentive to ensure privacy and security, and to fix errors that can severely complicate lives. Breaches and bad data can even benefit them, helping sell products such as credit monitoring to frightened consumers.


Over the years, authorities have tried to adjust the incentives. The Fair Credit Reporting Act requires “reasonable” efforts to keep information accurate and prevent it from falling into the wrong hands — and empowers consumers to sue for damages. The 2010 Dodd-Frank Act gave the Consumer Financial Protection Bureau broad powers to supervise the largest credit-reporting companies. A 2015 settlement with state attorneys general requires the companies to deal with disputed information more effectively, and aims to curb the common practice of hard-selling paid services to people seeking to correct their credit reports.

Yet there’s been little real progress. In the last three months of 2018, consumers submitted almost 27,000 credit-reporting complaints to the CFPB, up from fewer than 11,000 two years earlier, before the Equifax hack. Granted, this is only a small fraction of the more than 200 million people with credit reports, and various factors — such as greater awareness — could contribute to the increase. But it certainly doesn’t suggest things are improving.

The Equifax case is especially discouraging. After its security failures exposed millions to identity theft, the company responded with a glitchy website and an offer of “free” credit monitoring — a service of dubious value, given that it alerts consumers only after their identity has been stolen. It fell to Congress to demand a basic concession from the industry: free security “freezes,” which allow consumers to prevent new accounts from being opened in their name. The Trump administration has shown little interest in further action. A joint investigation by the CFPB and the Federal Trade Commission has yet to yield results.

Consumers deserve better. Here’s what Congress can do:

  • Require the companies to meet more ambitious benchmarks for data privacy, security and accuracy. In security, for example, government and nonprofit organizations have created guidelines that supervisors could use to set standards and assess compliance.
  • Place the burden of proof on companies in consumer disputes. If they can’t demonstrate that the information in question is correct, they should remove it.
  • Make security freezes the default option, by requiring the companies to release personal information only with a consumer’s express consent.
  • Give the CFPB responsibility for overseeing all aspects of credit reporting. Overlap with the FTC on data security, for example, has bred confusion and threatens to render the agencies collectively ineffective.
  • Give consumers the power to sue for injunctive relief. This would allow courts to compel the credit-reporting companies — and those that provide them with data — to fix practices that harm consumers, as opposed to merely paying damages.

Democratic legislators — including Senator Jack Reed and Representative Maxine Waters, the new head of the House Financial Services Committee — have introduced bills that would make many of these changes. All that remains is to get them to the president’s desk.

It’s unacceptable for credit-reporting companies to pose a threat, or even merely be a nuisance, to millions of people who never chose to do business with them. They must show that they can take responsibility for personal data, rather than leaving the task to consumers or charging for the service. They seem to need a firmer nudge, and Congress should provide it.

Avast Highlights the Threat Landscape for 2019

Heads up, it will not get easier.

Quote
The Dawn of Adversarial AI

We foresee the emergence of a class of attacks known as ‘DeepAttacks’, which use AI-generated content to evade AI security controls. In 2018, the team observed many examples where researchers used adversarial AI algorithms to fool humans. Examples include the fake Obama video created by Buzzfeed where President Obama is seen delivering fake sentences, in a convincing fashion.

We have also seen examples of adversarial AI deliberately confounding the smartest object detection algorithms, such as fooling an algorithm into thinking that a stop sign was a 45-mph speed limit sign.

In 2019, we expect to see DeepAttacks deployed more commonly in an attempt to evade both human detection and smart defenses.

IoT Threats Will Become More Sophisticated

The trend toward smart devices will be so pronounced in the coming years that it will become difficult to buy appliances or home electronics that are not connected to the internet.

Avast research has shown that security is often an afterthought in the manufacturing of these devices. While the big name smart devices often do come with embedded security options, some producers skimp on security either to keep costs low for consumers or because they are not experts in security. Considering a smart home is only as secure as its weakest link, this is a mistake. History tends to repeat itself, so we can expect to see IoT malware evolve and become more sophisticated and dangerous, similar to how PC and mobile malware developed.

Router Attacks Will Advance

Routers have proven to be a simple and fertile target for a growing wave of attacks. Not only have we seen an increase in router-based malware in 2018, but also changes in the characteristics of those attacks.

In 2019, we expect to see the increased hijacking of routers used to steal banking credentials, for example, where an infected router injects a malicious HTML frame to specific web pages when displayed on mobile. This new element could ask mobile users to install a new banking app, for instance, and this malicious app will then capture authentication messages. Routers will continue to be used as targets of an attack, not just to run malicious scripts or spy on users, but also as an intermediate link in chain attacks.

The Evolution of Mobile Threats

In 2019, well known tactics such as advertising, phishing and fake apps will continue to dominate the mobile threat landscape. In 2018, we tracked and flagged countless fake apps using our apklab.io platform. Some were even found on the Google Play Store. Fake apps are the zombies in mobile security, becoming so ubiquitous that they barely even make the headlines as new fake apps pop up to take the place of the ones already flagged for removal. They will continue to persist as a trend in 2019, exacerbated by fake versions of popular app brands doing their rounds on the Google Play Store.

In 2018, the return of banking Trojans was also particularly pronounced on the mobile side, growing 150 percent year-on-year, from three percent to over seven percent of all detections we see worldwide. While perhaps not a big shift in terms of the overall volume, we believe that cybercriminals are finding banking to be a more reliable way to make money than cryptomining.

“This year, we celebrated the 30th anniversary of the World Wide Web. Fast forward thirty years and the threat landscape is exponentially more complex, and the available attack surface is growing faster than it has at any other point in the history of technology,” commented Ondrej Vlcek, President of Consumer at Avast.

“PC viruses, while still a global threat, have been joined by a multitude of malware categories that deliver more attacks. People are acquiring more and varied types of connected devices, meaning every aspect of our lives could be compromised by an attack. Looking ahead to 2019, these trends point to a magnification of threats through these expanding threat surfaces.”

These trends form part of Avast’s annual Threat Report. To download the full report please click here.

VPNfilter – Re-post

I am re-posting info on VPNFilter. In 2018 security researchers around the globe sounded the alarm about the Russian hacker group APT28 (AKA Fancy Bear – the same ones who most likely hacked the 2016 U.S. presidential election). This group is purportedly responsible for a global attack called VPNFilter. This attack uses a global botnet of more than half a million routers and storage devices (and growing).

Sadly, and as has been the norm, businesses, and especially small business and home networks, fail to heed the warning and take action.

Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding “VPNFilter.” In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We’ve provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named “ssler” below.

Additionally, we’ve discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called “dstr,” is also provided below.

Finally, we’ve conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

If you want an idea of how VPNFilter works, here is a great article on the details: VPNFilter details

Here is a list of known vulnerable routers.

List of known Routers with VPNFilter Vulnerabilities

Asus Devices: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U

D-Link Devices: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N

Huawei Devices: HG8245

Linksys Devices: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N

Mikrotik Devices: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5

Netgear Devices: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50

QNAP Devices: TS251, TS439 Pro, other QNAP NAS devices running QTS software

TP-Link Devices: R600VPN, TL-WR741ND, TL-WR841N

Ubiquiti Devices: NSM2, PBE M5

Upvel Devices: Unknown Models*

ZTE Devices: ZXHN H108N

Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

Just maybe, I am not saying for sure, but just maybe, the reason for such stupidity is that companies like Marriott are hiring too many newbies to save money and ignoring the more senior members of the IT community. Or maybe it is that there are no real hard financial penalties for breaches. Maybe both.

But the real story here is not only Marriott, but the continued onslaught from China. No surprise.

Quote

WASHINGTON — Marriott International said on Friday that the biggest hacking of personal information in history was not quite as big as first feared, but for the first time conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. Those passport numbers were lost in an attack that many outside experts believe was carried out by Chinese intelligence agencies.

What made the Starwood attack different was the presence of passport numbers, which could make it far easier for an intelligence service to track people who cross borders. That is particularly important in this case: In December, The New York Times reported that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.

Taken together, the attack appeared to be part of a broader effort by China’s Ministry of State Security to compile a huge database of Americans and others with sensitive government or industry positions — including where they worked, the names of their colleagues, foreign contacts and friends, and where they travel.

“Big data is the new wave for counterintelligence,” James A. Lewis, a cybersecurity expert who runs the technology policy program at the Center for Strategic and International Studies in Washington, said last month.

One top official of the Chinese Ministry of State Security was arrested in Belgium late last year and extradited to the United States on charges of playing a central role in the hacking of American defense-related firms, and others were identified in a Justice Department indictment in December. But those cases were unrelated to the Marriott attack, which the F.B.I. is still investigating.

China has denied any knowledge of the Marriott attack. In December, Geng Shuang, a spokesman for its Ministry of Foreign Affairs, said, “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”

Do make me laugh

The Marriott investigation has revealed a new vulnerability in hotel systems: What happens to passport data when a customer makes a reservation or checks into a hotel, usually abroad, and hands over a passport to the desk clerk. Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system. An additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read. It is unclear how many of those involved American passports, and how many come from other countries.

Yes, you read that correctly. Morons asleep at the switch.

Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system.

It was not immediately clear why some numbers were encrypted and others were not — other than that hotels in each country, and sometimes each property, had different protocols for handling the passport information. Intelligence experts note that American intelligence agencies often seek the passport numbers of foreigners they are tracking outside the United States, which may explain why the United States government has not insisted on stronger encryption of passport data worldwide.

Asked how Marriott was handling the information now that it has merged Starwood’s data into the Marriott reservations system — a merger that was just completed at the end of 2018 — Connie Kim, a company spokeswoman, said: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”

“We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”

Which means 1) they are still NOT encrypted and 2) they need to fire the person(s) managing the vendors and the vendors themselves (assuming the vendors haven’t been screaming at Marriott to do something, which may indeed be plausible).

The State Department issued a statement last month telling passport holders not to panic, because the number alone would not enable someone to create a fake passport. Marriott has said it would pay for a new passport for anyone whose passport information, hacked from their systems, was found to be involved in a fraud. But that was something of a corporate sleight of hand, since it provided no coverage for guests who wanted a new passport simply because their data had been taken by foreign spies.

So far the company has ducked addressing that issue by saying it has no evidence about who the attackers were, and the United States has not formally accused China in the case. But private cyberintelligence groups that have looked at the breach have seen strong parallels with the other, Chinese-related attacks underway at the time. The company’s president and chief executive, Arne Sorenson, has not answered questions about the hacking in public, and Marriott said he was traveling and declined a request from The Times to talk about hacking.

The company also said that about 8.6 million credit and debit cards were “involved” in the incident, but those are all encrypted — and all but 354,000 cards had expired by September 2018, when the hacking, which went on for years, was discovered.

So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. But to cyberattack investigators, that is just another sign that the hacking was conducted by intelligence agencies, not criminals. The agencies would want to use the data for their own purposes — building databases and tracking government or industrial surveillance targets — rather than exploiting the data for economic profit.

Idiots. And the U.S. and state governments are just as culpable. We need very strong laws that mandate extremely stiff penalties for breaches.