The Data Breach Thread

Zarathud
Posts: 16504
Joined: Fri Oct 15, 2004 10:29 pm
Location: Chicago, Illinois

Re: The Data Breach Thread

Post by Zarathud »

I still don't understand how being a self-righteous dick to assholes makes the hackers anything but dicks.
"If the facts don't fit the theory, change the facts." - Albert Einstein
"I don't stand by anything." - Trump
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.” - John Stuart Mill, Inaugural Address Delivered to the University of St Andrews, 2/1/1867
“It is the impractical things in this tumultuous hell-scape of a world that matter most. A book, a name, chicken soup. They help us remember that, even in our darkest hour, life is still to be savored.” - Poe, Altered Carbon
Lorini
Posts: 8282
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini »

Yes, hackers are dicks, absolutely, no better than burglars or other criminals.

You had to be delusional to believe those promises, but there's a sucker born every minute, like they say.
Black Lives Matter
hepcat
Posts: 51455
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: The Data Breach Thread

Post by hepcat »

In this case, there are no good guys.

Well...except for me. I had put up my ad for a wealthy woman to financially care for me in exchange for a board game night once a week. Now I'm never going to find out if week 2731 was going to be THE week!
He won. Period.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Lorini wrote:Yes, hackers are dicks, absolutely, no better than burglars or other criminals.

You had to be delusional to believe those promises, but there's a sucker born every minute, like they say.
If you like your privacy, you can keep your privacy!
It's almost as if people are the problem.
LawBeefaroni
Forum Moderator
Posts: 55355
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

Zarathud wrote:I still don't understand how being a self-righteous dick to assholes makes the hackers anything but dicks.
The target doesn't change their morality but it sure makes it easier to not take sides.

If they hacked the Mayo Clinic and threatened to expose patient treatment information if they didn't close a certain research facility, well I'm pretty sure that's about as good v. evil as you can get and I'll root for the good guys. When it's dick v. a-hole...let's just watch this one play out.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
El Guapo
Posts: 41304
Joined: Sat Jul 09, 2005 4:01 pm
Location: Boston

Re: The Data Breach Thread

Post by El Guapo »

Zarathud wrote:I still don't understand how being a self-righteous dick to assholes makes the hackers anything but dicks.
It's an odd cause to get super moralistic about, IMO, relative to other causes you could take up.

Pure speculation, but I wonder if it's a case of getting the information, then going on a crusade about it because that's what they had and getting moralistic about it gives the whole thing meaning for them.
Black Lives Matter.
LawBeefaroni
Forum Moderator
Posts: 55355
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

El Guapo wrote:
Zarathud wrote:I still don't understand how being a self-righteous dick to assholes makes the hackers anything but dicks.
It's an odd cause to get super moralistic about, IMO, relative to other causes you could take up.

Pure speculation, but I wonder if it's a case of getting the information, then going on a crusade about it because that's what they had and getting moralistic about it gives the whole thing meaning for them.
Or maybe getting moralistic about it and making demands is what you do to add perceived value while negotiating to sell the data to the Russian mob.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
LordMortis
Posts: 70195
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

Isgrimnur wrote:If you like your privacy, you can keep your privacy!
:clap:
El Guapo
Posts: 41304
Joined: Sat Jul 09, 2005 4:01 pm
Location: Boston

Re: The Data Breach Thread

Post by El Guapo »

LawBeefaroni wrote:
El Guapo wrote:
Zarathud wrote:I still don't understand how being a self-righteous dick to assholes makes the hackers anything but dicks.
It's an odd cause to get super moralistic about, IMO, relative to other causes you could take up.

Pure speculation, but I wonder if it's a case of getting the information, then going on a crusade about it because that's what they had and getting moralistic about it gives the whole thing meaning for them.
Or maybe getting moralistic about it and making demands is what you do to add perceived value while negotiating to sell the data to the Russian mob.
Yeah, I suspect that's a big part of it - adding the moralistic element to the demand could both help them in the public eye, and perhaps convince Ashley Madison that they're not bluffing, so as to possibly get a payout from them.

I mean, they can't (I would think) really believe that Ashley Madison will commit corporate suicide. And if they were going to dump all the data for moralistic reasons, you'd think that they would have done that already.
Black Lives Matter.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Isgrimnur wrote:Assuming you aren't using their photo services website, you should be fine. For now.
Looks like many if not all of the places using those photo services have cut ties:
Costco, Sam's Club, others halt photo sites over possible breach
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Class action vs. Experian
Big-three credit bureau Experian is the target of a class-action lawsuit just filed in California. The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.

The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me.

Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including Court Ventures — a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States, and for nearly ten months after Experian acquired Court Ventures, Ngo continued paying for his customers’ data searches via cash wire transfers from a bank in Singapore.
...
The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA). The plaintiffs also want the court to force Experian to notify all consumers affected by Ngo’s service; to provide them free credit monitoring services; to disgorge all profits made from Ngo’s service; and to establish a fund (in an amount to be determined) to which victims can apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.
It's almost as if people are the problem.
LawBeefaroni
Forum Moderator
Posts: 55355
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

Isgrimnur wrote:Class action vs. Experian
apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.
I'd take that. I'm still sorting out my credit card from fraudulent use over a month ago. Most recently my electronic payment didn't go through because the card company truncated my bank account number when they moved my data to a new card number.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Max Peck
Posts: 13739
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

This is more of a general security story than a data breach per se, but it is an interesting read.

Car hack uses digital-radio broadcasts to seize control
Several car infotainment systems are vulnerable to a hack attack that could potentially put lives at risk, a leading security company has said. NCC Group said the exploit could be used to seize control of a vehicle's brakes and other critical systems. The Manchester-based company told the BBC it had found a way to carry out the attacks by sending data via digital audio broadcasting (DAB) radio signals.

It coincides with news of a similar flaw discovered by two US researchers. Chris Valasek and Charlie Miller showed Wired magazine that they could take control of a Jeep Cherokee car by sending data to its internet-connected entertainment and navigation system via a mobile-phone network. Chrysler has released a patch to address the problem.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

OPM to federal agencies: Pay us because we were hacked
“Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5M individuals,” said an email that Beth Cobert, OPM acting director, sent to other agencies, according to multiple reports.

Over the next two years, OPM will also raise its fees for security clearance services, Federal News Radio reported. The OPM processes over a million security clearances a year for agencies across the government.
It's almost as if people are the problem.
PLW
Posts: 3058
Joined: Tue Oct 07, 2008 11:39 am
Location: Clemson

Re: The Data Breach Thread

Post by PLW »

Isgrimnur wrote:
Lorini wrote:Yes, hackers are dicks, absolutely, no better than burglars or other criminals.

You had to be delusional to believe those promises, but there's a sucker born every minute, like they say.
If you like your privacy, you can keep your privacy!
So far, it seems like that's right. I've been digging around a bit for the data since the announcement, and I can't find it. I've also not seen anyone analyzing the data, suggesting that the mainstream media hasn't been able to get ahold of it, either.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Brace yourselves, Ottawa
One in five Ottawa residents subscribes to the extramarital dating service, which was breached by vigilante cybercriminals earlier this week.

The exposure prompted a business boom for the divorce lawyers and private investigators in the capital city, which is Ashley Madison’s No. 1 Canadian hookup hub and potentially the site’s highest per capita globally.
...
Some 189,810 Ashley Madison users were registered in Ottawa, a city with a population of about 883,000. Those numbers make the capital the website’s No. 1 Canadian hub — and potentially the highest globally per capita.

Ashley Madison assured customers it had secured the leak Tuesday, and offered to waive its $19 delete fee for subscribers wishing to remove their accounts.
It's almost as if people are the problem.
LawBeefaroni
Forum Moderator
Posts: 55355
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

They have a "delete fee"? :lol:


Last edited by LawBeefaroni on Wed Jul 22, 2015 10:00 am, edited 1 time in total.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

And as we all know that NY Daily News is the height of journalistic integrity, here's the same news from Time that cites a Reuters report.
It's almost as if people are the problem.
PLW
Posts: 3058
Joined: Tue Oct 07, 2008 11:39 am
Location: Clemson

Re: The Data Breach Thread

Post by PLW »

That's not from the hack, it's from a handful of city-level stats the company released a couple years back.
PLW
Posts: 3058
Joined: Tue Oct 07, 2008 11:39 am
Location: Clemson

Re: The Data Breach Thread

Post by PLW »

I think I could write an amazing paper with an anonymized version of this dataset.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Well, that's just sneaky journalism. :evil:
It's almost as if people are the problem.
PLW
Posts: 3058
Joined: Tue Oct 07, 2008 11:39 am
Location: Clemson

Re: The Data Breach Thread

Post by PLW »

My proof is that if it's not on reddit or 4chan then it's not in the public domain.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Planned Parenthood:
Planned Parenthood confirmed Monday that its internal systems were the target of a cyber attack, hours after reports that hackers had gained access to the organization's internal databases and employee records. Planned Parenthood said that it was targeted by abortion "extremists" and had asked federal law enforcement to investigate the breach.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

United Airlines:
United Continental Holdings Inc has been the target of a data breach linked to a group of China-backed hackers, Bloomberg reported.

The company detected an attack into its computer systems in May or early June, Bloomberg reported, citing people familiar with the matter.

Among the data stolen are manifests, which include information on flights' passengers and destinations, Bloomberg said.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Pyperkub
Posts: 23650
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Pyperkub wrote:UCLA Medical:
Hackers broke into the massive hospital network of the University of California, Los Angeles, accessing computers with sensitive records of 4.5 million people.

Names, medical information, Social Security numbers, Medicare numbers, health plan IDs, birthdays and physical addresses -- all were potentially stolen, according to the university.

That could affect anyone who has visited -- or works -- at the university's medical network, UCLA Health, which includes four hospitals and 150 offices across Southern California.
Ack! It's been decades since I was seen there, hopefully my records were never digitized...
Damn my alma mater and their thoroughness - I just got the letter in the mail today that I may be at risk and would I like to enroll in MyIDCare at no cost (at least for 12 months). Ah well.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
LawBeefaroni
Forum Moderator
Posts: 55355
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

Pentagon, by Russia.

I really hope we have a bunch of state-sponsored counterhackers fucking up Putin's credit.
Seenbc wrote:According to the officials, the "sophisticated cyber intrusion" occurred sometime around July 25 and affected some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff.

Sources tell NBC News that it appears the cyberattack relied on some kind of automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the Internet. The officials also report the suspected Russian hackers coordinated the sophisticated cyberassault via encrypted accounts on social media.

The officials say it's not clear whether the attack was sanctioned by the Russian government or conducted by individuals. But, given the scope of the attack, "It was clearly the work of a state actor," the officials say.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

It's going to be really hard to run undercover operations in the future when a mole hunt just has to crack the database of the suspected state actors.
It's almost as if people are the problem.
El Guapo
Posts: 41304
Joined: Sat Jul 09, 2005 4:01 pm
Location: Boston

Re: The Data Breach Thread

Post by El Guapo »

They should probably also change the file name of RussianMoleAgents.xls.
Black Lives Matter.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

IRS breach bigger than previously thought.
A computer breach at the IRS in which thieves stole tax information from thousands of taxpayers is much bigger than the agency originally disclosed.

An additional 220,000 potential victims had information stolen from an IRS website as part of a sophisticated scheme to use stolen identities to claim fraudulent tax refunds, the IRS said Monday. The revelation more than doubles the total number of potential victims, to 334,000.
...
In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns. They were successful in getting information from about 334,000 taxpayers.

The IRS said it is notifying all potential victims and offering free credit monitoring services. The IRS is also offering to enroll potential victims in a program that assigns them a special ID number that they must use to file their tax returns.
...
On Monday, the IRS did not identify a potential source of the crime. But in May, officials said IRS investigators believe the identity thieves are part of a sophisticated criminal operation based in Russia.

It wouldn’t be the first time the IRS has been targeted by identity thieves based overseas.

In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency’s inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are innovating as well.

The IRS estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013.
It's almost as if people are the problem.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Isgrimnur wrote:Ashley Madison
Aaaand, it's out.
It appears that hackers have released 10 gigabytes of data stolen from Ashley Madison, a dating website for married people.

Hackers claim to have distributed the personal information on 33 million accounts via the dark web and it is now being pored over by security researchers, among others.

Many, including security expert Brian Krebs, believe the dump is genuine.
...
The BBC has not been able to independently verify the authenticity of the dump, but those who have investigated it so far have said it contains users' names, addresses, phone numbers, encrypted passwords, and 36 million email addresses. Online security magazine CSO is also reporting that the leak contains over 15,000 government or military email addresses (ending .mil or .gov).

However, having a personal email address linked to an account doesn't mean that person is really a user of Ashley Madison. Users are able to sign up to the site without responding to an email verification, meaning anyone's email address could have been used to create an account.
It's almost as if people are the problem.
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

I looked at the dump this morning - looks legit to me. Astonishing how bad at security or even common sense the AM folks were. Why did they keep credit card confirmations going back to 2008? What possible purpose would that be for? A year or maybe two tops is probably a good swag at a retention period. These guys were all over their systems and they had no clue. And this doesn't surprise me - visibility to indicators of compromise is probably one of the biggest problems out there. Also, they clearly weren't doing basic monitoring of their traffic. Oh - a huge spike in outbound traffic - what could that be? They probably didn't even see it happen. Just another indicator that organizations that should know better do not understand their TRUE RISK and are flying blind to it.
Paingod
Posts: 13135
Joined: Wed Aug 25, 2010 8:58 am

Re: The Data Breach Thread

Post by Paingod »

malchior wrote:Just another indicator that organizations that should know better do not understand their TRUE RISK and are flying blind to it.
It's been my experience that a lot of businesses only decide security measures are worth the cost after an incident takes place. I've encountered the same mentality over and over that skimping on IT is an acceptable risk. I'll never understand that, and I think it only makes sense in an accountant's or executive's brain.

When your company faces the world, there's really no acceptable risk. Someone, somewhere, is going to want to break in just because they can - if only to look around.

I've wanted to shift my focus to network security for some time, but there's not a huge market for it right now where I live. I think that in the not-so-distant future, every company will want some real form of it and not just a document filled with ineffective and cobbled together security policies.
Black Lives Matter

2021-01-20: The first good night's sleep I had in 4 years.
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

I'm a Cybersecurity consultant and it is boomtimes right now in many ways. What I see over and over is an underestimation of the risk. Many organizations don't even know what systems they have or where they have valuable data. They have no visibility to attacks and limited monitoring or controls. They typically won't find out they've lost data unless someone on the outside tells them.

And while I've seen an increase in Board level awareness from the headlines they are not necessarily allocating the proper resources. Worse off when they do decide to pay up the talent pool is pretty much nonexistent and there is a vast tool landscape offering products with varying levels of effectiveness. Going down the wrong road is a risk and organizations often have to have cultural changes to bake security in and will resist change. It is ugly. The next 5 years are going to be interesting as budgets realign and people train up in necessary skills.
Moliere
Posts: 12343
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

The hunt is on for celebrities.

Family Values Activist Josh Duggar Had a Paid Ashley Madison Account
Someone using a credit card belonging to a Joshua J. Duggar, with a billing address that matches the home in Fayetteville, Arkansas owned by his grandmother Mary—a home that was consistently shown on their now-cancelled TV show, and in which Anna Duggar gave birth to her first child—paid a total of $986.76 for two different monthly Ashley Madison subscriptions from February of 2013 until May of 2015.

:ninja:
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
GreenGoo
Posts: 42322
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: The Data Breach Thread

Post by GreenGoo »

Coworker downloaded the madison data dump (to his home system). We just spent 15 minutes searching for names we know, including those we know have been in affairs before as well as a couple of greasy single people we know. No dice.

About 170 National Defense addresses alone.
GreenGoo
Posts: 42322
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: The Data Breach Thread

Post by GreenGoo »

malchior wrote:I looked at the dump this morning - looks legit to me. Astonishing how bad at security or even common sense the AM folks were. Why did they keep credit card confirmations going back to 2008? What possible purpose would that be for? A year or maybe two tops is probably a good swag at a retention period. These guys were all over their systems and they had no clue. And this doesn't surprise me - visibility to indicators of compromise is probably one of the biggest problems out there. Also, they clearly weren't doing basic monitoring of their traffic. Oh - a huge spike in outbound traffic - what could that be? They probably didn't even see it happen. Just another indicator that organizations that should know better do not understand their TRUE RISK and are flying blind to it.
While I don't disagree, is 10 gigs really that huge of a spike? For systems sitting idle, sure, but for border systems net facing? How long would it take to get the 10 gigs out? The response time for most companies (outside of banks or the NSA) would be long after the data was gone anyway. Smaller companies not specifically in the business of data protection just don't budget for or even much care about data security. I wouldn't expect a sleazy site like Madison to have much of anything, security-wise.
Isgrimnur
Posts: 82248
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Moliere wrote:The hunt is on for celebrities.

Family Values Activist Josh Duggar Had a Paid Ashley Madison Account

:ninja:
Yup
Ex-reality star Josh Duggar has apologized for a "secret addiction" to pornography and cheating on his wife.

He posted a statement Thursday on the family's website.

The statement was apparently spurred by Duggar's name appearing among millions exposed in a data breach of customers of the Ashley Madison website, an online service that caters to men and women looking to cheat on their spouses. Leaked data showed that a Josh Duggar whose address was the same as the reality TV star was a member of the website from December 2014 to October 2014.

In his statement, Duggar did not address whether he had used AshleyMadison.com, nor did he detail the exact nature of his infidelity.
It's almost as if people are the problem.
GreenGoo
Posts: 42322
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: The Data Breach Thread

Post by GreenGoo »

I too, am addicted to cheating on Josh's wife.
malchior
Posts: 24795
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

GreenGoo wrote:While I don't disagree, is 10 gigs really that huge of a spike? For systems sitting idle, sure, but for border systems net facing? How long would it take to get the 10 gigs out? The response time for most companies (outside of banks or the NSA) would be long after the data was gone anyway.
The answer to all that is...it depends. Usually what happens though is the exfiltration server is something that has little traffic - it is a dark corner that no one looks at and suddenly it starts copying data. Did it need access out? Probably not. If we were monitoring for traffic anomalies would we see it? Probably. In almost every Incident Response post-mortem I've seen lately the company could have seen it early on had they been paying attention. Sure the actual data copy would have been on the verge of too late but not even knowing the data was even really gone? Ridiculous. (I'm assuming a lot with that last statement but I think hiring back a clueless CTO led to them being further blinded to reality).
Smaller companies not specifically in the business of data protection just don't budget for or even much care about data security. I wouldn't expect a sleazy site like Madison to have much of anything, security-wise.
This is all true and that is what I'm getting at. The true risk is existential (especially so in the case of AM where discretion was their life blood) and they didn't take it seriously - even going so far as to do basic monitoring IMO.
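
Added example, not part of any post in this thread and not any poster's code: the exchange above about whether a 10 GB copy stands out, worked over constructed daily egress totals. A single byte limit for all hosts is either blind or noisy, while a per-host baseline catches the quiet server that suddenly sends data. Host names, byte counts and thresholds are assumptions made up for illustration.

```python
"""Per-host egress baselining over daily outbound totals (constructed data)."""
from collections import defaultdict
from statistics import median

MB = 1024 ** 2
GB = 1024 ** 3


def build_sample_flows():
    """Constructed sample rows: (day, host, outbound_bytes) daily totals."""
    flows = []
    for day in range(1, 15):
        flows.append((day, "web-frontend", (40 + day % 5) * GB))  # busy, net-facing
        flows.append((day, "archive-db", (20 + day % 3) * MB))    # quiet back-end host
    flows.append((15, "web-frontend", 43 * GB))  # ordinary day for a busy host
    flows.append((15, "archive-db", 10 * GB))    # bulk copy from the "dark corner"
    flows.append((15, "build-box", 2 * GB))      # host with no egress history at all
    return flows


def global_threshold_alerts(flows, day, limit_bytes):
    """Naive rule: the same fixed byte limit for every host."""
    return sorted(h for d, h, sent in flows if d == day and sent > limit_bytes)


def per_host_alerts(flows, day, z_limit=6.0, floor_bytes=500 * MB, min_history=7):
    """Compare each host's outbound total for `day` with its own history.

    Uses median and median absolute deviation (MAD), which are not dragged
    upward by one earlier outlier the way mean and standard deviation are.
    """
    history = defaultdict(list)
    today = defaultdict(int)
    for d, host, sent in flows:
        if d < day:
            history[host].append(sent)
        elif d == day:
            today[host] += sent

    alerts = {}
    for host, sent in today.items():
        past = history.get(host, [])
        if len(past) < min_history:
            # Too little history to baseline: report any sizeable egress
            # so a host that never talked out before is not silently ignored.
            if sent > floor_bytes:
                alerts[host] = "no-baseline"
            continue
        med = median(past)
        mad = median(abs(x - med) for x in past)
        scale = max(1.4826 * mad, 1.0)  # guard against MAD == 0 (flat traffic)
        excess = sent - med
        # Require both a large absolute jump and a large relative one.
        if excess > floor_bytes and excess / scale > z_limit:
            alerts[host] = "spike"
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    print("global 100 GB limit:", global_threshold_alerts(flows, 15, 100 * GB))
    print("global 5 GB limit:  ", global_threshold_alerts(flows, 15, 5 * GB))
    print("per-host baseline:  ", per_host_alerts(flows, 15))
```
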
Rip
Posts: 26891
Joined: Tue Oct 12, 2004 9:34 pm
Location: Cajun Country!

Re: The Data Breach Thread

Post by Rip »

Seems most of the accounts were just people doing opfor research..... :roll:

http://www.nola.com/politics/index.ssf/ ... dison.html
Louisiana GOP executive director Jason Doré said Thursday that his name is on a list of accounts released as part of the Ashley Madison cheating website hack because the site was used for "opposition research."

The director of the statewide Republican Party said via text message that an account was created under his name and his former personal credit card billing address in connection with the work of his law firm, Doré Jeansonne. He declined to say who he was using the account for.

"As the state's leading opposition research firm, our law office routinely searches public records, online databases and websites of all types to provide clients with comprehensive reports," Doré said via text message. "Our utilization of this site was for standard opposition research. Unfortunately, it ended up being a waste of money and time."

The database shows Doré spent $175.98 on the site, which he signed up for in 2013.