November Data Breaches: More Lessons Learned
In this second of two parts, we present more advice for security pros based on data breaches that occurred in November 2013, here focusing on how to fight hackers and malware.
Each month, eSecurity Planet looks back at data breaches we've covered over the past 30 days or so, providing an admittedly unscientific but potentially interesting overview of the current breach landscape.
To get some perspective on the current threat landscape, eSecurity Planet spoke to F-Secure security advisor Sean Sullivan. In this second of two parts, we list the past month's breaches by category, noting what happened, what data was exposed and what the organization is doing in response - along with Sullivan's thoughts on many of the breach categories.
In part one, we focused on how to reduce the likelihood of accidental data breaches and how to mitigate the negative impact of lost and stolen devices.
Hackers: Shift Focus from Perimeter
As Sullivan notes, there are many ways for hackers to breach an organization, not just via a direct attack on the network. Watering hole attacks, Sullivan says, have been particularly productive lately for cybercriminals.
"Developers are hitting all kinds of websites, copying and pasting open source code and trading tips - and a lot of them think they're invulnerable because they're using Mac and Linux machines," he says. "So the IT guys are defending the moat of the castle, but their footmen are wandering all over the plains and bringing stuff back with them."
In response, Sullivan says, IT really needs to shift its focus away from the perimeter of the network. "They need to just assume somebody's in their network," he says. "So they need to keep their perimeter defenses, but they also need to spend time just monitoring internally."
That can also mean separating personal and work activities as much as possible. Sullivan says F-Secure Chief Research Officer Mikko Hypponen often meets with companies and asks where their accountants sit, where their banking machine is, and where the machine is for all their other activities.
"And they'll say, 'No, they use the same machine for everything,'" Sullivan says. "And he'll say, 'So they move around millions of dollars at the end of the day, and it's the same PC that they use to check Facebook? Maybe you should have two machines - they're not really that expensive.'"
Hackers breached the European Bitcoin payment processor BIPS and emptied several customers' wallets. The total amount stolen was 1,295 Bitcoins, worth more than $1 million at the time (and now worth almost $1.4 million).
Czech Bitcoin exchange Bitcash.cz was hacked, and all users' wallets were emptied. "I take it as a personal failure," site owner Karel Minx said. Bitcash customer Ales Janda estimated that the thieves got away with 485 Bitcoins, worth approximately $200,000 at the time (and now worth more than $500,000).
Hackers accessed the names, addresses, credit card numbers and expiration dates of more than 850,000 customers of limo company CorporateCarOnline. Those affected include celebrities LeBron James, Tom Hanks and Donald Trump. The data was found on the same servers where information stolen from PR Newswire and Adobe Systems was recently uncovered, indicating that the same hackers may have been involved.
Hackers breached Crown Castle's security system and accessed an email containing an attached payroll file that listed U.S. employees' names, Social Security numbers and compensation. All those affected are being offered a free year of identity theft protection from Experian's ProtectMyID Elite.
Data from the Australian dating site Cupid Media was found on the same server where hackers had stored stolen records from PR Newswire and Adobe Systems. The data included more than 42 million customers' names, email addresses, birthdates and passwords, all in plain text. Many of the customers are no longer active on the site, as a result of which they may not receive notifications.
Members of the Serbian TeslaTeam hacker group claimed to have leveraged a SQL injection vulnerability to breach the Brazilian website for E! Online, and published 11 user names and hashed passwords on Pastebin.
Printing service Freenters was hacked by a group calling itself the UChicago Electronic Army, which leaked more than 3,000 users' first and last names, email addresses, majors, grades, birthdates (for those registered before Feb. 20, 2013), and hashed passwords. In response, the company deleted all customer accounts from its system.
An undisclosed number of GitHub user accounts were compromised via a brute force password-guessing attack that leveraged nearly 40,000 unique IP addresses. Users with compromised accounts were notified by email, their passwords were reset, and their personal access tokens, OAuth authorizations and SSH keys were revoked.
Harbor Freight Tools' payment processing system was hacked, and credit and debit card transactions made in its stores between May 6, 2013 and June 30, 2013 were accessed. The data accessed included card numbers, expiration dates and card verification numbers. No credit protection services are being offered to those affected.
A hacker compromised the hosting account of Inputs.io and stole 4,100 Bitcoins, valued at just under $1.5 million at the time (and now worth more than $4 million). Inputs.io owner TradeFortress explained, "Inputs was not hacked through a flaw in the service, but rather through compromising a chain of emails that allowed the attacker to reset the password for the hosting account control panel."
A breach at loyalty marketing company Loyaltybuild exposed the full card details of more than 376,000 customers, of whom over 70,000 were Supervalu Getaway customers, and over 8,000 were AXA Leisure Break customers. The details of an additional 150,000 clients were potentially compromised, and the names, addresses, phone numbers and email addresses of 1.12 million customers were also taken. "The initial indications are that these breaches were an external criminal act," Ireland'sOffice of the Data Protection Commissioner said in a statement.
The MacRumors Forums were hacked in a manner similar to the breach of the Ubuntu Forums in July 2013. At least some of the MacRumors Forums' 860,000 users' information was accessed, and site owner Arnold Kim is advising all users to assume that their user names, email addresses and hashed passwords were accessed.
At database-as-a-service provider MongoHQ, a password that had been shared with an employee's compromised personal account was leveraged to access an internal support application and compromise a list of databases, email addresses, and encrypted passwords.
An intrusion into a database at Peoples Trust exposed customers' names, phone numbers, email addresses, birthdates and Social Security numbers. No credit protection services are being offered to those affected, though alerts have been placed on customers' credit files.
Hackers breached the horse racing site Racing Post and accessed a customer database. What data was potentially accessed depends on what information was provided by each customer, but it could include full names, user names, encrypted passwords, email addresses, mailing addresses and birthdates.
Grocery wholesaler URM Stores, which processes payments for several grocery stores in the Pacific Northwest, announced that its payment processing system was hit by a cyber attack. Until additional security measures were implemented, the company asked customers to pay by cash or check, though some stores were able to process credit cards via a dial-up connection.
Members of Inj3ct0r Team claimed to have leveraged a critical vulnerability in vBulletin 4.x.x and 5.x.x to access vBulletin customers' IDs and encrypted passwords. In response, the company reset all customer passwords, and DEF CON shut down its forums until the vulnerability was resolved.
Hacker AgentCoOfficial, also known as Maxney, breached and defaced the official website for Vodafone Iceland, and uploaded a file to Speedy Share that contained more than 77,000 user names, IDs, encrypted passwords, email addresses, national personal identification numbers, dates and bank details.
Malware: Stay Aware
Sullivan says it's important to remember that malware can crop up in places where you least expect it, and can still have a significant impact.
When he was working at a law firm, Sullivan says, the firm made guest machines available that weren't on the domain - but they were on the network. "We only noticed they were infected and trying to connect to every port in existence when the quality of the VoIP between Winston-Salem, N.C. and Atlanta, Ga., dropped considerably, and the lawyers complained to the phone guys, and the phone guys started saying, 'What's eating up all the bandwidth?' - and we figured out it was these guest machines that somebody in desktop support forgot about, because they assumed that, not being on the domain, they couldn't steal anything from the domain," he says. "Still, they're physically in the building, so they shouldn't have been ignored."
A virus was discovered on the payroll computer for the Flamingo Resort and Spa in Santa Rosa, Calif. The malware could have provided hackers with access to an undisclosed number of employees' Social Security numbers, birthdates, home addresses, phone numbers and bank routing numbers.
The personal information of 90,000 UW Medicine patients may have been exposed when an employee opened an email attachment containing malware. The malware may have accessed the patients' names, medical record numbers, other demographics (which may include addresses and phone numbers), dates of service, charge amounts for services received, birthdates and Social Security numbers or HIC (Medicare) numbers.
A former employee of Florida Digestive Health Specialists improperly accessed and photographed as many as 4,400 patients' records, including their names, birthdates, phone numbers and Social Security numbers. The employee was caught after trying to print the photos at Walmart; the manager alerted the Manatee County Sheriff's Office.
A former employee of Vermont's North Country Hospital refused to return a retired hospital laptop containing an undisclosed amount of patient health information. While the data was password-protected, the individual was believed to have access to the appropriate passwords.
A former employee of California's Northern Inyo Hospital inappropriately accessed a patient's medical records a total of 14 times. The records were allegedly accessed in an attempt to help the employee's husband gain leverage in a custody battle. "Every employee is aware of their responsibilities and the hospital can only do so much in the case of a rogue employee," hospital administrator John Halfen said.
A former employee of the University of Pittsburgh Medical Center inappropriately accessed almost 1,300 patients' medical records, including their names, birthdates, contact information, treatment information, diagnosis information and Social Security numbers.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.