Thursday, 26 September 2013

“I was invited to their friend’s wedding!” Recycled Yahoo! IDs leak VERY private information

Yahoo! recently began recycling “inactive” user accounts, in an effort to woo new customers – but some customers who have acquired these “second-hand” email addresses say they are receiving a “bonus” of personal emails intended for the old owners, some of which offer information that could be used in identity theft.
Yahoo has begun to put in place technical measures aimed at dealing with the problem.
Speaking to Information Week, users said that they received junk mail aimed at the ID’s previous owner – but also sensitive information such as appointment details and flight confirmations, and invitations to weddings.
Yahoo! has responded by introducing a new “Not My Email” button to help users get rid of unwanted emails, and which will eventually reject such unwanted mail. The company also said that it would introduce a programme to allow users to “reclaim” unused accounts.
Speaking to Information Week, one IT security professional, Tom Jenkins, said that the “recycled” addresses offered a “crazy” level of potential for identity theft.
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t,” Jenkins said. “I know their name, address, and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding.”
Yahoo said that it had received complaints from “a very small number of users who have received emails through other third parties which were intended for the previous account holder.”
Yahoo! said prior to the scheme’s launch that it had put in place safeguards to prevent the recycled usernames being used for identity theft.
The internet company claimed that only 7% of inactive IDs are tied to Yahoo! email accounts. The company also said that it had worked with major technology companies such as Google to reduce the risk the IDs could be used for fraud.
Dylan Casey, a senior director for consumer platforms at Yahoo! said, “Can I tell you with 100 percent certainty that it’s absolutely impossible for anything to happen? No. But we’re going to extraordinary lengths to ensure that nothing bad happens to our users.”

Millions of ID records on sale as five big data firms hacked “for months”

An “identity theft service” which specialises in selling personal details gained access to some of the biggest consumer data firms in America, including Lexis Nexis and Kroll – and has had access to their computer systems “for months”, according to a report.
The site stole 3.1 million date-of-birth records and over a million social security numbers – and offered data on famous Americans including Michelle Obama, Beyonce and the director of the CIA. The breach was uncovered in a long investigation by security expert Brian Krebs, and reported on Krebs on Security.
Krebs’s report related to a website – ssndob[dot]ms – which Krebs said had been offering personal data on any U.S. resident for two years, including addresses, birth dates, and credit and background checks, with prices ranging from 50c to $15.
Krebs said that until now, many had been puzzled where this data came from.
“The miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators,” Krebs writes. “Last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicates that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers.
“This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States.”
Krebs claims that the botnet had access to five servers, two at Lexis-Nexis, and two at Dun and Bradstreet, as well as another server at Altegrity, which provides an employee-screening service called HireRight, according to Information Age.
The firms say they are investigating, according to Krebs.
Infosecurity quoted statements made by Gartner analyst Avivah Litan three years ago regarding the availability of information such as birth dates and social security numbers to criminals, saying, “I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.”
According to Infosecurity, Litan suggested that data firms were being “phished” to provide data as the basis for ID theft. “They simply get access to these employees’ accounts and get the keys to the data treasures,” Litan said. “They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes based on external data from public data aggregators and the credit bureaus.”

Help for the little guys: Small businesses offered “cyber insurance” – starting at $800

Small businesses will be able to buy “cyber assurance” packages to protect against possible losses from cyber attacks – with a British insurance firm offering packages starting at £500 ($800).
Cyber Assured was launched by NCC Group and is the UK’s first cyber assurance package specifically targeted at small businesses. The package will include risk assessment, and advice on how to protect against hacker attacks.
Cybercrime costs small businesses an average of £4,000 ($6000) a year, according to the British Federation of Small Businesses (FSB).
ESET offers its own “road map” for small businesses to help with security. ESET Senior Researcher Stephen Cobb says, “Criminal hacking is making headlines with depressing frequency these days, so the task of securing your business against cyber criminals can seem daunting, particularly if your business is of modest size, the kind of place that does not have a crack team of cyber security experts on staff.”
The British Federation of Small Businesses (FSB) report found that 41 per cent of the FSB’s membership had been a victim of cybercrime in the last year – putting the average cost at around £4,000 ($6000) per business. The most common threat is virus infections, with 20% of small businesses falling victim. Eight per cent have been victims of hacking and five per cent have suffered security breaches.
Rob Cotton, CEO at NCC Group said: “Many SMEs have been ignoring the threats to their IT infrastructure as they simply don’t understand their exposure. They assume they aren’t viable targets, and they won’t consider insurance due to the cost”.

Microsoft uncovers Sefnit Trojan return after Groupon click-fraud scam

The authors of the notorious Sefnit Trojan have resurfaced using advanced infection and click-fraud techniques to earn vast sums of money through bogus advertising, according to Microsoft.
Microsoft antivirus researcher Geoff McDonald reported discovering an evolved version of the Sefnit Trojan, which takes money by targeting popular websites, such as Groupon.
In a blog post on the company's Malware Protection Centre, McDonald wrote: "The Sefnit click-fraud component is now structured as a proxy service based on the open-source 3proxy project. The botnet of Sefnit-hosted proxies are used to relay HTTP traffic to pretend to click on advertisements. In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet. This allowed them to evade attention from anti-malware researchers for a couple years.
"The Sefnit botnet uses the hosted 3proxy servers to redirect internet traffic and perform fake advertisement clicks. A recorded example of this click-fraud path is shown below by using the legitimate affiliate search engine to simulate a search for ‘cat' and fake a click on an advertisement provided by Google to defraud the advertiser Groupon."
He said the technique allowed the criminals behind the malware to increase the revenue they made using the scam. "The end result is Groupon paying a small amount of money for this fake advertisement ‘click' to Google. Google takes a portion of the money and pays the rest out to the website hosting the advertisement – Mywebsearch. The Sefnit authors likely signed up as an affiliate for Mywebsearch, resulting in the Sefnit criminals then receiving a commission on the click."
He added that Microsoft uncovered evidence linking Sefnit to the Mevade malware used in the world's first large-scale Tor botnet.
"Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymise and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent – from about 500,000 users per day to more than three million," he wrote.
"Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family."
As well as its links to Mevade, McDonald said the attack is also using a host of new custom-built components to improve its infection rate. "This latest version of Sefnit shows they are using multiple attack vectors, even going as far as writing their own bundler installers to achieve the maximum number of infections that make this type of click fraud a financially viable exercise," he wrote.
"The authors have adapted their click-fraud mechanisms in a way that takes user interaction out of the picture while maintaining the effectiveness. This removal of the user-interaction reliance in the click-fraud methodology was a large factor in the Sefnit authors being able to stay out of the security researchers' radars over the last couple of years."
Sefnit is one of many variations of malware to receive technical upgrades in recent months. Earlier this month FireEye researchers reported discovering a reworked version of the Darkleech campaign targeting Java and Adobe vulnerabilities to spread the Reveton ransomware.

F1 champions Red Bull battle constant threats of cyber attacks and data theft

Red Bull Racing factory in Milton Keynes
Triple championship-winning Formula One team Infiniti Red Bull Racing faces constant challenges from both internal and external threats as its technological developments provoke the interest of amateur hackers and rival teams.
Matt Cadieux is the CIO of Red Bull Racing
In response to questions from V3 on a visit to the Red Bull team's headquarters in Milton Keynes, CIO Matt Cadieux (pictured) explained that the intensely competitive and secretive nature of Formula One technology means he has to ensure his networks are in complete lockdown so no "bad apples" could ever walk away with technical data and give it to another team.
"The challenge is that the concept of ‘need to know' here is quite broad," he explained. "You need to have the information quickly but you then have to make it very difficult to move outside of the company. Part of it is a culture of education, part of it is employment contracts, and part of it is auditing what people do and looking for exceptions."
The danger of what Cadieux describes as the "incestuous" nature of Formula One personnel was demonstrated in 2007, when the championship-winning McLaren team was fined a record-breaking $100m after it made use of stolen documents provided to them by a former Ferrari employee.
Coming to a compromise that allows data to be readily available only to the right people has resulted in the rejection of personal smartphones on the network, as well as a complete snub of social enterprise tools.
Cadieux said: "Our laptops are very locked down, we don't allow portable media unless it's by exception and it's been audited. We use a tool which filters web traffic, we don't allow personal email, we don't allow file exchange sites."
He added that smartphones are not on the Infiniti Red Bull network either. "We're good at communicating and collaborating today without smartphones and tablets and social apps in the enterprise. We could take the next step up and use better, more friendly hardware tools, but we won't do that if it opens up big holes for our intellectual property."
Red Bull Racing are triple Formula 1 teams' champions
He explained that with the team's technical partnership with AT&T, they were looking to find a solution to at least implement some form of mobile device management (MDM), but were taking only very careful steps.
The team also endures external cyber attacks "all the time", admitted Cadieux. While he does not see them as coming from credible sources – describing the attackers as "amateurs who do it out of curiosity" – he said he believes his networks are ready for anything from state-sponsored espionage or attempts from rival teams.
Infiniti Red Bull Racing is currently leading the F1 Drivers' Championship with Sebastian Vettel and also looks set to secure the team's title for the fourth time in 2013.

Barclays employee fined £3,360 for illegally accessing customer data

A former employee of Barclays Bank has been fined £3,360 after being found guilty of illegally accessing a customer’s data.
Jennifer Addo was sentenced at Croydon Magistrates Court and prosecuted under section 55 of the Data Protection Act (DPA). The court ordered her to pay a fine of £2,990 for 23 offences, £250 prosecution costs and a £120 victim surcharge.
The case came to light when a customer of the bank was concerned someone had accessed his information to gather details on his children, which was then passed to his partner at the time.
The customer informed the bank of his concerns and it then investigated the incident. Barclays found that Addo had illegally accessed the customer’s details on 22 occasions between 10 May 2011 and 8 August 2011. Her employment with Barclays ended soon after the complaint was raised.
The case again highlights the lack of real enforcement powers that exist with section 55 offences under the DPA, a point repeatedly made by the Information Commissioner’s Office (ICO).
ICO head of enforcement, Stephen Eckersley, reiterated this after the ruling. "This case proves, yet again, why we need a more appropriate penalty for the crime of personal data theft,” he said.
“With the law as it stands, this prosecution isn’t even recorded on the police national computer, which means that an offender could apply for a job in a high street bank tomorrow and the potential employer wouldn’t be informed about the offence. The current 'fine only' regime is clearly not deterring people from breaking the law.”
Eckersley also noted how hard it is for firms such as Barclays to fully ensure data is protected when it is abused by staff in this manner.
“The banking industry has rigorous procedures and safeguards in place to make sure customers’ details are kept secure. However banks rely on the honesty and professionalism of their staff to ensure that the privileged access given to their records is not abused for personal gain."
The ICO has been pushing for stronger sentencing for some time, with the Ministry of Justice said to be looking into the situation.