Sunday, November 08, 2015

The hacking community is having lots of fun at TalkTalk's expense or TalkTalk is in much more trouble than they are admitting.
Posted while maintaining what I think is an appropriate level of skepticism…
Ben Ellery and Jaber Mohamed, who continue to report as if the dark web is something new, report that they are in contact with someone who uses the handle “The Martian” who claims to have 1 million TalkTalk users’ information – email addresses, bank account numbers and sort codes – available for bulk purchase. Obviously any such claim conflicts significantly with TalkTalk’s assessment of how many customers had their data stolen, as just yesterday, they announced that the total number of customers whose personal details were accessed is 156,959 and of these customers, 15,656 bank account numbers and sort codes were accessed.
So… fewer than 16 thousand, or 1 million? Do you believe the individual The Mail communicated with or TalkTalk (or neither)? According to the reporters, “The Martian”
claims to have intimate knowledge of last month’s cyber-attack which has left huge numbers of TalkTalk customers exposed to fraud, and wiped millions off the company’s share price.
He said he was directly communicating with those responsible on the day of the hack, which he claimed occurred three days before TalkTalk reported it to the police. The criminals later passed him a database of customers’ details
The reporters claim that they verified the authenticity of a sample of data they received – at least to the extent that those named in the sample are TalkTalk customers. It’s not clear to me whether those customers’ data had been caught up in any prior TalkTalk data breach.
Read more on The Daily Mail, and don’t be confused by their coverage of the fourth arrest in the case (the 16-year-old from Norwich). I don’t think they mean to suggest that that youth is “The Martian.”

Another follow-up...
Steve Orr has a follow-up on the Excellus BlueCross BlueShield data breach that was disclosed in September, but the scant details still available will doubtless continue to frustrate those who want to know how the breach occurred and why it took almost 20 months for Excellus to detect it. And the available facts serve as a reminder that encryption does not prevent all breaches. [Primary use of encryption is to render any data unusable, except to those with the key. Bob]
The Excellus breach was one of the largest in the healthcare sector, affecting over 10 million members and their dependents. It may also have impacted Highmark BlueCard holders who obtained services from Excellus providers. The initial attack reportedly occurred on December 23, 2013, but was not detected until August 2015.
By now, about a dozen lawsuits have been filed against Excellus and its parent company, Lifetime Healthcare.
From the get-go, Excellus claimed that this was a “sophisticated” attack. And while that phrase may be over-used, frankly, if Mandiant is having problems figuring out what happened and how, Excellus may be right.
Unlike some other big breaches in the healthcare sector, spear phishing does not appear to have been involved in obtaining employee passwords, at least according to an Excellus spokesperson. But however they got in, the attackers were able to plant malware on the systems that enabled acquisition of employee login credentials. Orr reports:
The user accounts that were compromised at Excellus were of employees with high-level administrative access, which allowed them to roam freely through company data. The company told Nozzolio that the hackers could have unlocked any encrypted data they found “because of the type of access the attacker possibly had.”
Forensic analysis by Mandiant indicated that the hackers maintained access until May 11, 2015. It’s not clear what may have happened on that date that prevented further access.
Even then, Excellus did not become aware of the intrusion for another three months, until August 5, 2015. They announced the breach on September 9, 2015.
Read more on Democrat & Chronicle.

For my Computer Security students. Compare to yesterday's article on mobile Apps.
Exposing the Hidden Web: An Analysis of Third-Party HTTP Requests on One Million Websites
by Sabrina I. Pacifici on Nov 7, 2015
Exposing the Hidden Web: An Analysis of Third-Party – HTTP Requests on One Million Websites. International Journal of Communication, October 2015. Timothy Libert.
“This article provides a quantitative analysis of privacy compromising mechanisms on one million popular websites. Findings indicate that nearly nine in ten websites leak user data to parties of which the user is likely unaware of; over six in ten websites spawn third-party cookies; and over eight in ten websites load Javascript code from external parties onto users’ computers. Sites which leak user data contact an average of nine external domains, indicating users may be tracked by multiple entities in tandem. By tracing the unintended disclosure of personal browsing histories on the web, it is revealed that a handful of American companies receive the vast bulk of user data. Finally, roughly one in five websites are potentially vulnerable to known NSA spying techniques at the time of analysis.”
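The abstract reports the results of the measurement without showing the mechanics. The following is an added example (my own code, not Libert's crawler and not part of the article or this page) of the core classification step: take a page URL and its HTML, collect every element that makes the browser issue a sub-resource request, and decide for each whether it goes to the site itself or to an external party, reducing hosts to a registrable domain so that `cdn.example.com` counts as the same party as `news.example.com`. The sample page, its URL and the `example.net`/`example.org` tracker hosts are constructed for this illustration; the two-label domain reduction is a stated simplification in place of the Public Suffix List.

```python
"""Classify sub-resource loads in an HTML page as first- or third-party.

Added example, not code from the Libert study or from this page. A
real crawler would render the page in a browser and log actual HTTP
requests (JavaScript-inserted trackers are missed by static parsing);
this version covers only what is present in the HTML markup.
"""
import json
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Element/attribute pairs that cause the browser to fetch something.
_FETCH_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "source": "src",
    "link": "href",
}
# <link> only triggers a request for these rel values (not e.g. canonical).
_LINK_RELS_THAT_FETCH = {"stylesheet", "icon", "preload", "prefetch",
                         "modulepreload", "manifest"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.

    Assumption: this is a simplification. A production crawler should
    use the Public Suffix List so that 'shop.example.co.uk' reduces to
    'example.co.uk' rather than 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every fetch-triggering element."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = _FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & _LINK_RELS_THAT_FETCH:
                return
        value = attrs.get(attr_name)
        if value:
            self.resources.append((tag, urljoin(self.base_url, value)))


def third_party_report(page_url: str, html: str) -> dict:
    """Return which external registrable domains the page contacts."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    parser = _ResourceCollector(page_url)
    parser.feed(html)

    requests_by_domain = Counter()
    script_domains = set()
    for tag, url in parser.resources:
        host = urlparse(url).hostname
        if not host:          # data: URLs and the like cause no request
            continue
        domain = registrable_domain(host)
        if domain == first_party:
            continue
        requests_by_domain[domain] += 1
        if tag == "script":   # external code executing in the user's browser
            script_domains.add(domain)

    return {
        "first_party": first_party,
        "third_party_requests": dict(requests_by_domain),
        "third_party_domains": len(requests_by_domain),
        "external_script_domains": sorted(script_domains),
    }


# Constructed sample page for this example (not a real site).
SAMPLE_URL = "https://news.example.com/story/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://news.example.com/story/123">
<script src="https://cdn.example.com/app.js"></script>
<script src="https://tracker.example.net/analytics.js"></script>
</head><body>
<img src="https://pixel.example.org/tr?id=1&ev=PageView" width="1" height="1">
<iframe src="https://ads.example.org/frame"></iframe>
<img src="data:image/png;base64,iVBORw0KGgo=">
<p>Story text</p>
</body></html>
"""

if __name__ == "__main__":
    print(json.dumps(third_party_report(SAMPLE_URL, SAMPLE_HTML), indent=2))
```

Run on the sample page, the report shows two third-party registrable domains (`example.net`, which also serves a script, and `example.org`, contacted twice), while the stylesheet, the `cdn.example.com` script and the canonical link are correctly not counted. Scaling this to the study's "average of nine external domains" per leaking site is a matter of running the same classification over a request log captured from a real browser rather than over static markup.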

Just a curious question, but what government agency is responsible for reporting security bugs to businesses?
NSA says how often, not when, it discloses software flaws