If you were confused about what exactly was stolen in 2022’s LastPass breach – join the club. I think much of the confusion is stemming from the damage control LastPass is attempting to do around their massive data exposure that happened in August and was revealed to the public in December. We know that much of the info that was stolen was unencrypted – login names, email addresses, URLs, etc. and there was some debate as to whether or not the hackers stole encrypted data that contained actual passwords. I’ve had several folks tell me point blank that the passwords weren’t exposed and that LastPass is still safe. Well, guess what – we can put that misconception to bed now. LastPass has dropped another bombshell – one of their devs got hacked and the hackers used the dev’s compromised home computer to gain access to LastPass’s Amazon secure cloud storage to steal the encrypted password vaults of 30 million customers.
What this means for you
There’s a whole lot of gobbledy-gook in the LastPass release – it reads like technical explanations filtered through an army of lawyers and PR flacks (because it was), and beats around the bush on the most important part: LastPass is confirming that Hackers have exfiltrated everyone’s encrypted password vaults – and as I have been warning you about since I learned about this – it is only a matter of time before someone brute-forces their way into someone’s encrypted vault and is rewarded with the password trove within. And they have all the time in the world to do this, which means you have much less time to change any passwords that were stored in LastPass. Hackers will target high-value password vaults first – they will look for ones that have lots of bank account logins or other potentially lucrative access points, but you can bet they will put computers to grinding out every single vault, big or small – because they can, and they have the resources to make this investment pay off.
Stop reading. Go change your passwords.
Image by Gerd Altmann from Pixabay
Late in the year, just in time for the holidays, LastPass released more information about the security breach they experienced in August of 2022. And as could be expected, it wasn’t good news. It wasn’t the worst news, but in my estimation, it’s still going to create a lot of headache and work for their customers, some of whom are using their service based on our recommendation. C2 uses LastPass internally but not to store client passwords, but regardless we will be migrating away from them as soon as practically possible.
What this means for you
If you’ve read their statements regarding this security breach you might be under the impression than your passwords are safe. The encrypted vault that was stolen was a backup of customer data from September 22, 2022. If you started using LastPass after that date, you are not part of the breach and you are actually in the clear (for the moment). If you’ve been using LastPass before that date, it’s highly likely that hackers have access to your encrypted passwords. Per LastPass, if you choose a strong master password, those passwords are relatively safe. However, given enough time and computational resources, any encryption can be broken, so the clock is ticking on how long they will remain encrypted. It’s more important that you should know that each password’s associated login name and URL were also captured in the data stolen and those important bits weren’t encrypted. This gives hackers many more points of data to hone their phishing attacks and will result in highly targeted, realistic phishing emails that purport to be from services you actually use, utilizing specific information you will recognize, to lend credibility to fake emails. Given that it is definitely easier to trick humans than to crack 256-bit encryption, we’re banking on the fact that everyone, not just our clients will be facing numerous phishing attempts in the coming year. What can you do to combat (I do not use that word lightly) this?
- Any passwords stored in LastPass should be changed. If you have lots of passwords stored, this may take some time, but it will be well worth it.
- Any opportunity you are given to utilize multi-factor authentication to further protect an account should be taken.
- Review your master password. If it is not complex and/or easily guessable, you should change it. Be careful! If you mess this process up and lose your master password, they will not be able to recover it. You will have to abandon the account and the data within.
- Regard emails received from your known services very carefully, especially if it results in a login prompt or a password inquiry. Phishing emails are getting very sophisticated. If you receive an email that looks legitimate, don’t use the links embedded in the email regardless. Hand-type the URL of the service you need to use into your browser or use a favorite/shortcut you created to get to the website. Make sure you don’t mistype the URL – there are plenty of fake domains created specifically to capture mistyped URLs. Don’t search for the website using your browser – this can also lead to fake websites if you aren’t paying close attention.
- Consider moving to a different password management platform. Industry opinion is mixed on whether or not LastPass was using best-in-class technology and methodology to store your data at the time of the breach, but they are being widely criticized for their lack of transparency and urgency in addressing the breach. Understand that with a breach on this scale, multiple lettered agencies will be involved as well as numerous lawyers, so transparency will always suffer in these types of matters.
If you have questions about how you might be impacted by this breach, or what your company can do to implement password management at an organizational level, please give us a call or send us an email. We can provide a platform that can provide secure password sharing for you and your co-workers that is also administered and supported by C2.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Most Americans have stopped keeping count but this will be the fifth or sixth data breach for T-Mobile, the second largest mobile service network in the United States. In case you’ve forgotten or gotten it confused with the 12 other breaches you may have been a part of recently, the previous T-Mobile breach included PII such as addresses and phone numbers as well as your billing data, but not credit cards or Social Security numbers. This time around, according to the hackers who are attempting to sell the database via the dark web, they have names, addresses, Social Security numbers, drivers licenses, and IMEI numbers of over 100M T-Mobile customers. T-Mobile and independent investigators are attempting to determine if this is true, but according to Motherboard, who first broke the story, the sample data they were provided as proof appeared to be legitimate.
What this means for you
You don’t need to be a security expert to understand how bad this is, but in case you want my hot take, if I had to rate this on a scale from one to ten of “bad”, this pins the needle at a solid ten, if only for the fact that having IMEI numbers exposed opens the possibility for wide-scale phone cloning which could then result in completely undermining any security provided via SMS-based two-factor authentication. In case parsing that last sentence was tough, the reason you implemented two-factor was because the second factor was you getting a text message to your phone that no one else could see…unless your phone was cloned.
As of this writing T-Mobile hasn’t verified that all 100M or so customer records were breached, but from various proofs provided by the hackers, as well as the fact that they are selling a subset of 30M records for $275k, seems to indicate that they indeed have the goods and you can bet this data is as good as sold, even at such a high price. For comparison’s sake, the previous breaches T-Mobile admitted to were 1M and 2M records 2 of the previous incidents.
This news is still developing, but keep your eyes and ears wide open, especially if you are a T-Mobile customer. If you see sudden two-factor prompts that you did not request, be prepared to act quickly to secure the account. If possible and it’s offered by a two-factor protected service, switching to an app-based two-factor method to secure account will remove this particular danger of a cloned phone, but only if you get it done before the hackers get you in their crosshairs. Keep in mind that the hacker will need to know your password (the first factor in a two-factor scenario) in order to trigger the second factor, so as long as that password wasn’t revealed in a previous breach, you will probably be fine. You used a unique, strong password for every service, right?
As if the SolarWinds fiasco wasn’t enough to completely undermine any trust in technology security, Microsoft is warning everyone about a significant exploit in its Exchange email platform that is actively being leveraged by a Chinese advanced persistent threat group dubbed “Hafnium.” According to Microsoft’s Threat Intelligence Center, this group is known for targeting entities in the United States primarily to steal data and intellectual property from a wide swath of industry, political and government organizations, but with this recent exploit, the attackers have spread globally, attempting to compromise as many servers as they can before administrators can patch vulnerable servers.
What this means for you
First and foremost, if your email is provided by an on-premise Exchange Server that is not being actively maintained by a qualified technology professional, you may be in danger, and you should contact an IT professional or a company like C2 immediately. It will be important to patch your servers immediately and then determine if the server has been breached. If you are breathing a sigh of relief because your email is hosted in the cloud, it’s still important to make sure your vendor has taken appropriate steps to make sure their platform is properly secured as they may be using Exchange to provide email services to you.
If your email is provided by Microsoft 365 or Google, this exploit does not impact you directly, but keep in mind that vendors and clients you work with may have been compromised, which may also have implications for your organization. Information stolen from a client or vendor in breach could be used to impersonate a trusted individual in an attempt to trick you or someone in your organization into any number of activities that could end up directly affecting your bank account. One of our clients recently notified us that one of their vendors fell for an email spoofing campaign that resulted in that vendor writing a very large check to pay off our client’s invoice, but that check was sent to a fake address. Even though you might not be directly impacted by the Hafnium campaign, the sheer size of the information breach means that someone likely very close to your organization may be affected. As such, you and all your organization’s employees should treat any unusual emails or transaction requests with caution and skepticism for the foreseeable future.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Among the many problems of the internet, one of the most egregious is the fact that anyone can create a website, put it online, and not really be held accountable for what is actually published on said website. Let’s take the website of home automation company Orvibo, who, at the time of this article’s writing, states on their website:
“Cloud platform supports millions of IoT devices and guarantees the data safety.”
The claim that their platform supports “millions” of devices is backed up by the Orvibo database size, which appears to contain more than two billion records, but the fact that we know exactly how many records are in the cloud platform and that their database is currently open for viewing on the internet without a password is the exact opposite of guaranteeing data safety.
How can a company screw up so badly?
I’ve answered this rhetorical question several times in the past on this blog, but in case you’ve missed it: Technology is fallible because humans are fallible. They are also lazy and sometimes downright malicious, but in the case of the Orvibo database which remains open and accessible at the time of this blog’s publication, we have a stunning example of gross negligence and incompetence that is impacting millions of its customers in very personally identifiable ways. Among the two billion records that includes customers from China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. are email addresses, passwords, geolocation data, IP addresses and device reset codes. Given that Orvibo devices include home automation and security products, the data exposed in this open database gives hackers literally the keys to many family’s homes and hotel rooms, and could potentially endanger their actual lives.
What should you do if you are using Orvibo technology in your home or workplace? Discontinue using it immediately if possible, and if that isn’t possible, see if you can at least disconnect it from the internet and change any passwords used on the device, especially if it’s a password you’ve used elsewhere (also a no-no for just this very reason). It’s not clear when, or even if, Orvibo will address this vulnerability anytime soon, nor will we know whether the data has been access by anyone with ill intent, but in this case, erring on the side of caution is the best course of action.
Hold onto your hats, ladies and gents, because this latest breach is a doozy! Up to 500 million individuals who have transacted with Starwood Hotels & Resorts (now owned by Marriott) have had their information exposed in a massive breach. According to the statement released by Marriott, the Starwood guest reservation database was compromised as early as 2014 and information up to September of this year is considered exposed. Compounding the severity of this issue, already ranked as one of the largest so far, is the amount and type of data exposed “… includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
What this means for you
If you happened to be one of the 500M who has stayed at a Starwood, even if it was before 2014, it’s still likely that some of your personal information was exposed in this breach. Though Marriott has said they started contacting individuals affected, for some of us who stayed at a Starwood hotel before email address collection became common place (myself included), and have since changed mailing addresses, Marriott may have some difficulty contacting you to let you know you were impacted. To be on the safe side, you should definitely consider a credit freeze (if you haven’t already put one in place from the previous Equifax breach) and you should take advantage of Marriott’s offer of a free year of WebWatcher monitoring service. As the name suggests, this service will monitor the web for your personal information (which you can enter yourself) and alert you if any of those data points appears somewhere on the web. Granted, that might actually be you entering that info, but if not, you have a head start on countering a possible identity theft in progress. And while you are at it, why not sign up for an alert from HaveIBeenPwned.com which keeps track of all the major breaches and will also alert you if your email address is on the growing list of breaches occurring almost weekly now.
I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:
- Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
- Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
- Approximately half (15M) of the compromised accounts had an extensive amount of information leaked, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
- The other half (14M less the small percentage in the next line) had access to names and email addresses or phone numbers, or both.
- Three percent (about 1M) did not have any information exposed though their access tokens were stolen.
- Nobody’s Facebook passwords was stolen as part of this breach.
- Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.
What this means for you
If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any numerous other items exposed in previous breaches, it’s trivial for cybercriminals to create very realistic emails that appear legitimate based upon the use of this stolen data, whether it be fake password reset notifications from widely used services like Office 365, Facebook, Gmail, SnapChat, or strangely familiar emails using that private data to trick you into revealing additional info or access to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is info you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use that info to try and guess your answers to reset your password for their own nefarious purposes.
Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed, and if so, continued use of it will likely result in any account secured by the exposed password being compromised very soon.
Back when I first heard about Facebook I was working for a private university known for its “dry” campus. I was asked to consult on the case of a student who was being disciplined for violating the no-alcohol policy because a picture had been discovered of them buying booze at a nearby supermarket. It had been uploaded by the student’s friend to a hot new website called Facebook. I distinctly remember discussing this with staff and faculty at the time, predicting, “This is going to get a lot of kids in trouble.” There was discussion of banning access to the site, but filtering internet content back then wasn’t as straightforward as it is now, and the discussion was tabled with a promise to review the issue at a later time. Fast-forward to the present, where Facebook is still getting a lot of people in trouble, and themselves as well.
From the frying pan, to the fire, to…incinerator?
It might be hard to believe, but it was only June when we had to air out the latest load of dirty laundry from Facebook. Prior to that, they have been blog subjects seven times this year alone, and none of them were for something good! I’d say this month’s two-fer entry might be their pièce de résistance of colossal cock-ups, but there are still 90 days left in the year, and Facebook seems bent on setting some sort of record for destroying themselves.
First, they were caught red-handed letting advertisers use phone numbers provided by users for authentication purposes, something they had previously denied. To add insult to injury, it’s also come to light that they will also target individuals through contact information uploaded by their friends through the Facebook app, even if the individual never provided any sort of consent for such use.
If that isn’t enough to get your blood boiling, how about 50M Facebook users having their accounts compromised? Rather than the old-fashioned password hack, attackers exploited a bug in Facebook’s “View as” feature which allowed them to essentially steal the authentication token used to provide continued access after you’ve initially logged in. Think of this token as a VIP wristband you might wear at an event that also gets you access to the backstage. This token not only provides you a quick login to Facebook but to dozens of other connected services, such as Instagram and WhatsApp, that allow users to authenticate through Facebook instead of creating a unique login and password. Just like the wristband, Facebook only looks at the token and not the person using it, to determine what they are allowed to access, so you might get an inkling of why it being stolen is kind of a bad thing. The investigation is still ongoing, but according to Facebook, no passwords or credit cards were stolen, and it doesn’t look like the perpetrators of the September breach used their “wristbands” get into the various third-party platforms it could have granted access to, but I’d put even money on Facebook having yet another, “Wait, hold my beer,” moment, so don’t put the pitchforks too far out of reach.
Unfortunately for the two billion humans who are still trying to get some sort enjoyment (or livelihood) out of Facebook, there really isn’t any platform that comes close to being able to replace it. Your choices are “deal with it” or go cold turkey, the latter of which I don’t see any of my Facebook-hooked friends doing any time soon. If you’ve tied your various other online services to Facebook’s login in the pursuit of convenience, it only makes giving up Facebook that much harder and further illustrates just how dangerous this type of practice can be – Facebook login gave everyone a shovel, and quite a few people dug a hole that they have no idea how to get out of. Sadly, not climbing out of that hole and permanently putting the shovel aside essentially rewards Facebook for their negligent security practices, something that we should not do if we ever want the service to be something more than a way for advertisers and hackers (and Facebook!) to exploit for their own profit.
For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.
Perhaps we’ve been doing this wrong.
People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.
If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.
Get out and vote.
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and its time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of a yet another breach of user privacy as researchers at New Scientist uncover a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with 3rd-parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for 4 years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access, and were supposedly bound by a strict confidentiality clause. Two-hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing with data, once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control on it, and this control all but vanishes literally one step from that first line of control, as managing the chain of custody scope expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.