Select Page

Leak of the Week – 7/19/2016

Below are leaks that were reported last week.

Wendy’s Continued – Now over 1025 restaurants – Reported last week, leaked data was credit card data (maybe yours!) from transactions at Wendy’s restaurants.  This breach began in the Fall of 2015 and wasn’t discovered until early this year.  Wendy’s confirmed this week that even more restaurants are involved and you can now find out if the restaurant that you visited was hit using this handy web page.  How nice of them.


Datadog – Number of records is undisclosed – Leaked data was usernames, passwords and e-mail addresses; all of them, apparently.  Multiple servers at Datadog were breached, including a database server that housed the login info.  Customer listed as Datadog users includes big dogs like Spotify, PBS, Slashdot, Samsung, Imgur, Coursera, The New York Times, and Ziff Davis.  Passwords were stored using a unique salt for each password and then each password was encrypted with bcrypt which is resistant to brute-force attacks.  Despite the strong storage methods used for the passwords, Datadog has invalidated all stored passwords and sent e-mails to all users with reset instructions.  More info can be found from our friends at Sophos here.  Yes, that’s a blatant plug.


Omni Hotels – Number of records is undisclosed – Leaked data includes Point of Sale (POS) data which includes credit card cardholder name, credit/debit card number, security code and expiration date.  The data was discovered missing on May 30, 2016, according to Omni Hotels, which wrote up the breach details on their own website.  The cause of the breach was due to malware that infected POS systems and only affected customers who physically presented their credit cards at one of the effected hotels between December 23 2015 and June 14 2016.  More information can be found here.


Baton Rouge Police – 50,000 records – The contents of the leaked data were not disclosed, but the leak was due to a security failure in the police department’s website which allowed Bad Actors access to login credentials for a police Oracle database. The website operators have not confirmed the breach through outside security researchers claim they have.  More information can be found here.


Ubuntu Forums – 2 million users – Leaked data includes usernames, email addresses, and IP addresses associated with the Ubuntu Forums.  The attacker was able to exploit an SQL injection vulnerability in an add-on used by an older version of the vBulletin forum software used by Canonical, the folks that develop Ubuntu and run the forums.  Ubuntu has wiped, rebuilt, and hardened the attacked servers, and passwords were changed.  Also, the forum software was fully patched, which, and we can brag a bit here, would have already been fully patched had we managed their servers.  Harrumph!  More information, without the self-congratulatory tone, can be found here.



Hackers Prefer to Steal Identity of Victims Aged 30 Years or Younger

When does being older give you an advantage besides a discount at Denny’s?  When it comes to being targeted by hackers.  A recent UK study shows people in the UK aged 30 years, or younger, are the most targeted by hackers for identity fraud.  In 2015, there was a 52% increase in fraud for victims aged 30 or younger, according to Cifas, a UK fraud prevention service.


The report showed that:

  • Only 34 per cent of 18-24 year olds say they learned about online security when they were at school
  • 50 per cent of the 18-24 year olds surveyed believe they would never fall for an online scam (compared to the national average of 37 per cent)
  • Only 57 per cent of 18-24 year olds report thinking about how secure their personal details are online (compared to 73 per cent for the population as a whole)
  • Adults aged 18-24 years are less likely to install anti-virus software on their mobile phone than the national average (27 per cent compared to 37 per cent)


With 86% of identity fraud in the UK for 2015 committed online, Cifas’ data shows that young people are the most exposed to losing personal data such as their name, date of birth, address and bank account info through social media.  To highlight the problem, they even published a short video about it which can be found here.  Using a black van in the video adds to the creepiness. </shudder>.  Some additional insight and info can be found here.

Have I Been pwned Introduces ‘Unverified’ Breaches

When is a breach not a breach?  When there are too many unanswered questions, apparently.  Have I Been pwned (HIBP), the database of breaches, is owned and operated by Troy Hunt who performs due diligence on each breach before adding it to HIBP.  A recent supposed breach of Badoo account information was presented as a breach to Hunt who then did his normal checking and cross checking of the data to verify its veracity.  Hunt, unfortunately, could not come to a definitive conclusion about whether the data actually came from Badoo.  Per Hunt:


“[S]ometimes there are breaches where I just can’t be certain of the authenticity, yet there are many indicators which point to an actual breach. The incident sits in that grey area between “very unlikely to be legitimate” and “almost certainly legitimate”.”


Hunt’s post on the analysis of the ‘Badoo’ data and his introduction of ‘unverified breaches’ can be found here, but whether a breach is a verified or unverified breach seems to boil down to these basic factors:

  • The service provider confirms (or denies) there was a breach
  • The data itself is consistent and has sufficient detail (or not)
  • There is confirmation (or denial) of data accuracy from breached users
  • Testing of the data against the site’s password reset tool is successful (or not)


If it does not pass all of these tests but looks like data from something then best be safe and report it, even if it has to be qualified as unverified.


What does this mean to end users?  Despite the new ‘unverified breaches’ category, I see the end result for the user as the same; you need to change your password and change it now.  Changing your password because it might be used by someone else has now become the Internet equivalent of turning around at the end of the block and driving back home to see if you left the iron on.  Just do it, it’s usually really simple, and you’ll sleep (and drive) better.


Even the Court Says Password Sharing Bad

The U.S. Court of Appeals for the Ninth Circuit has ruled that a former employee of a company, whose computer access credentials were revoked, had acted “without authorization” in violation of the Computer Fraud and Abuse Act (CFAA), when he and other former employees used the login credentials of a current employee to gain access to data on the employer’s computers.


David Nosal, and two other former employees at executive search firm Korn/Ferry International, used a password shared by Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux, to download confidential data.  Nosal did not himself access or download any information from the Korn/Ferry database, but was held liable for the conduct of his colleagues who acted on his behalf and at his request.  Nosal had set up his own competing firm and hired two other Korn/Ferry employees.  Before leaving their employment at Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new business.  Although the former employees were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies, the U.S. Court of Appeals for the Ninth Circuit said in its opinion.  The former employees tried to cover their tracks by using the login credentials of Froehlich-L’Heureaux, Nosal’s former assistant.  The assistant gave her username and password to Nosal’s colleagues to use.  Per the court:


“Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access,” according to the opinion, which said that the access falls squarely within the CFAA’s prohibition on access “without authorization.” Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign, the court said.


The dissenting judge on the three judge panel wrote that this case is about password sharing, and that “the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”.  What does this mean for end users?  It looks like it means that in order for a company to get the protection of the CFAA, there must be a “no-sharing passwords” policy in effect and employees, old and new, will need to acknowledge this in writing.  This would put the “authorization” test in place and allow the CFAA to apply.  Employees who break the password sharing rule could then be subject to the penalties of the CFAA.  It also it means don’t share your password!  The full legalese can be found here.


Tor-Powered Malware for Macs

Security researchers have found a new backdoor program that allows attackers to hijack Mac systems and control them over the Tor network.  The malware, dubbed Backdoor.MAC.Eleanor by the folks at Bitdefender, is distributed as a file converter application through websites that offer Mac software.


The application infected with ‘Eleanor’ that users download from these sites is called ‘EasyDoc Converter’.  Once installed, ‘Eleanor’ displays a fake ‘EasyDoc Converter’ interface where users can supposedly drag and drop files for conversion, but no file conversion is done.  ‘Eleanor’ then launches a shell script In the background that installs components in a folder called “/Users/$USER/Library/.dropbox.”  No interaction with the Dropbox for Mac client has been found and it appears that this is a ploy used to thwart discovery.  ‘Eleanor’ then launches a Web service with a PHP application, a hidden service that allows attackers to connect to the affected systems over the Tor network, and an agent that posts the Tor access URLs for infected systems to a Pastebin website.  Attackers can then send commands through the URLs to affect the infected Macs.


The Tor network, also known as The Onion Router because of its’ many layers, is a series of servers running route anonymization software so that one’s route cannot easily be traced.  Tor has been used for years by users who wish to protect their privacy, but has lately been leveraged by Bad Actors to hide their location from the Good People of the Internet.


Users are alerted to the malware when they try to install it since the ‘EasyDoc Converter’ app is not digitally signed with an Apple-approved certificate.  Users will see security warnings if they try to install it.  If the user has OS X 10.11 (El Capitan) they would also need to perform a manual override in order to install the application.  More information can be found here.