Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites, such as Ashley Madison, OKCupid, and BeautifulPeople.com are being constantly attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that dating websites have data security systems in place that are greatly disproportionate to the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?

In the recent Rosebuttboard.com hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard used out-of-date software and security strategies with known vulnerabilities, making them easy picking for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched and up to date, ensuring that the versions you use have no known flaws. This instantly makes it harder for hackers to breach your system.

In addition to using an out-of-date forum system, Rosebuttboard also used an archaic and easily crackable encryption method to store their users’ personal information.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords were saved in plain text.

Using outdated encryption methods (or not using any at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Encrypt all your sensitive data! That way, even if hackers somehow find their way into your network and steal your encrypted data, they will have the equivalent of a safe they don’t know the combination to.
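The OKCupid plain-text passwords and Rosebuttboard’s crackable scheme deserve one concrete caveat: passwords in particular should not be encrypted (reversibly) at all, but stored as salted, deliberately slow hashes, so that a stolen database cannot be turned back into working credentials. The Python below is an added illustration, not code from this post or from any of the sites named; it contrasts an unsalted MD5 digest with a salted scrypt hash from the standard library. The cost parameters and the `scrypt$N$r$p$salt$digest` record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt cost parameters for this example (N=2**14, r=8, p=1 needs
# roughly 16 MiB per hash); raise N as your hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def weak_hash(password: str) -> str:
    """The 'archaic' approach: unsalted, single-round MD5. Every user with the
    same password gets the same digest, so one precomputed table exposes all
    of them at once, and MD5 is fast enough to test billions of guesses."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt hash, stored as a self-describing record
    'scrypt$N$r$p$salt_hex$digest_hex' (layout assumed for this example) so
    the parameters can be raised later without invalidating old records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters carried in the record and compare in
    constant time; any malformed record simply fails verification."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, digest = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(digest))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample credential, not taken from any breach.
    pw = "correct horse battery staple"
    print("weak (same every time):", weak_hash(pw) == weak_hash(pw))
    record = hash_password(pw)
    print("scrypt record:", record)
    print("verify ok:", verify_password(pw, record))
    print("wrong password:", verify_password("hunter2", record))
```

Two users with the same password get different scrypt records because each gets its own random salt, whereas `weak_hash` returns the identical digest for both; that property is exactly what makes a plain-text or unsalted store so cheap to crack once it leaks.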

Adult dating site Fling.com has also been the victim of a data breach, with information such as sexual preferences, email addresses and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found amongst the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of 32 million cheating spouses, and even led to multiple suicides.

Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting against a $567 million lawsuit.

Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet the leaked data still contained sensitive information from users who had paid for it.

What you should do: If you don’t need it, fling it! Preventing data buildup will ensure that there is less data for hackers to steal.

The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.

Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon has suffered a data breach, resulting in the theft of 1.5 million records of their customers’ information.

Ransomware Attacks On The Rise: What Are You Doing To Protect Your Business?

“We do not negotiate with terrorists”. Except, most of us have, or would.

A relatively new breed of malware, dubbed “Ransomware”, is holding computer systems hostage and demanding payment for their safe release.  

What’s surprising is that these underhanded tactics often see a payout for cybercriminals — according to one study, about 50% of ransomware victims paid their extortionists, and another 40% of people said that they would pay the ransom too if it happened to them.

It’s estimated that at least $5 million is extorted from ransomware victims each year.

Cybersecurity experts are encouraging ransomware victims not to pay the extortionists for two reasons: firstly, there’s no guarantee you’ll get your data back, and secondly, because it only further encourages cybercriminals to continue running ransomware attacks.

This, of course, includes repeat attacks on your environment, which they now know is not only easy to get into, but also likely to cave to their demands.

It’s a non-issue as long as no ransomware makes its way onto your systems, but the odds of that actually happening are ever increasing.

As far as we know, there are currently more than 4 million samples of ransomware in existence, up from only 1.5 million samples in 2013. Hackers can’t get enough of the stuff.

Hackers are also finding new ways to bring ransomware to a system near you. It has been reported that a disproportionately large number of websites that run on the WordPress CMS are being hacked to deliver ransomware to end users.

All you need to do to catch the bug is visit one of these booby-trapped websites with an out-of-date version of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer, and you may be looking at a ransom demand of $500 (or a few bitcoins) in exchange for your computer back.

Beating Ransomware

There are basically two different types of defense strategies against ransomware attacks — making sure you don’t get infected in the first place, and staying safe post infection.

User and staff education is a key data security practice. Making sure that you and your staff are well aware of possible online hazards like phishing emails or insecure websites goes a long way toward making sure ransomware never reaches your systems.

Patching your systems and making sure that all your applications are up-to-date is also textbook good practice. Ransomware can find its way into your systems through vulnerabilities, so make sure that your network has no holes for cyberattacks to slip through.

Additionally, running anti-spam software that can detect malicious links in emails will definitely go a long way to helping you ensure that no one in your business will be opening any “uh-oh” links.

Hit me. Whatever. I’m over it.

Perhaps you won’t be nearly that stoic, but the best way to beat ransomware is to take away their leverage. This means making sure that there is no data on your systems that would be of value to hackers.

This works for two reasons — one, hackers are a lot less likely to hold your network at a high ransom price if they search your systems and find little or nothing of value. Secondly, should they still try and hold your network hostage, starting over will be a significantly cheaper endeavor than paying the ransom amount (which doesn’t guarantee you will get anything back).

There are two basic ways to go about this. The first method is simple: back up your data. Using removable storage is a cheap and simple solution for small businesses, and a surefire way to make sure that all your eggs are not in the same basket.

The second way is simply removing sensitive data from your systems. Many companies store large amounts of sensitive data, like credit card numbers, healthcare information and personal information, without any real business justification for doing so. Often, they are not even aware that they are storing all that data that hackers are after.

Keeping your systems clean is a form of risk mitigation. It ensures that even if you do get hit by ransomware, you will be in a good position to recover from the attack as quickly and painlessly as possible.

Removing sensitive data from your systems is easier than you think, using Ground Labs’ line of data discovery software. Regardless of the number of systems on your network, Ground Labs has a solution tailored to help you find and lock down your sensitive data. Visit our website to find out more, and sign up for a free trial today!

Everything You Need to Know About the Ashley Madison Hack

On July 19, well-known security blogger Brian Krebs reported that the online cheating site AshleyMadison.com had been compromised. A group known as The Impact Team released a cache of data stolen from Avid Life Media (ALM), the parent company of Ashley Madison and two other hookup sites, Cougar Life and Established Men.

The data released includes snippets of account details from ALM’s users, maps of internal company servers, employee network account information, company bank account data, and salary information.

The Impact Team released the information in protest of ALM’s “lies” regarding its full delete function. Users were told that they could completely wipe their profiles and information from the ALM databases at the cost of $19. However, when The Impact Team compromised ALM servers and inspected their databases, they found that the information was not being deleted even after the delete fee had been charged.

The Impact Team’s demands were simple: either shut down Ashley Madison and Established Men, or have the full information of all 37 million users leaked. Needless to say, this was a cause of great stress for many of its users; Krebs reported that he receives a frequent stream of emails from Ashley Madison users who were afraid that the leak was going to go through.

Unfortunately for them, it just did. Wired reported earlier today that a 9.7 GB data dump was posted to the dark web containing the account details and log-ins for 32 million of the site’s users, along with seven years’ worth of credit card and other payment transaction details.

(Image: the leak statement posted by The Impact Team)

A short while later, Krebs posted again to his blog, questioning the credibility of the leaked data. Raja Bhatia, Ashley Madison’s original founding Chief Technology Officer, told Krebs that there had been a slew of fake data dumps popping up, and there was no reason to believe that this one was legitimate.

Bhatia examined the data, and concluded that the data from the original release was real, but everything else was nothing more than generic and fake SQL files. He also said that “There’s definitely not credit card information, because we don’t store that. We use transaction IDs, just like every other PCI compliant merchant processor.”

However, Krebs has recently edited his original post with this new information:

“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”

So it would seem, at least for now, that the leaked data is indeed legitimate.

(Image: a cheeky billboard put up in Boston by Ashley Madison)

From a data security standpoint, what’s interesting is that The Impact Team managed to acquire credit card data from a database that was allegedly not storing credit card information. Since multiple sources have confirmed that their credit card information was found in the leaked data, we can only conclude that ALM was storing credit card information; they just didn’t know it.

This is a common problem that many companies are alarmingly unaware of.

We have worked with many CSOs and IT compliance managers who have assured us that there was no cardholder data to be found in their systems. In one particular incident, Ground Labs software found over 100 million cardholder data records that were being backed up on a partition they didn’t even know existed, and this is one of many examples.

The entire situation highlights, once again, the importance of understanding your data. The larger your environment, the more data you’ll have, and the more locations you’ll have to store it. In today’s data-driven workplace, it’s imperative that every company understand what it is that hackers want, and how to keep it away from them.
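The ransomware advice earlier on this page (remove the credit card numbers you have no business reason to keep) and the Ashley Madison lesson just above (cardholder data sitting in a database nobody thought held it) come down to the same task: finding primary account numbers where you did not expect them. The Python below is an added example, not Ground Labs code and not a description of how Enterprise Recon or Data Recon works. It pulls candidate digit runs out of text, keeps only those that pass the Luhn checksum every real PAN satisfies (which discards most order IDs, timestamps and phone numbers of similar length), and reports them masked to first six and last four digits. The sample files, the card numbers (well-known test PANs) and the masking format are constructed for the example.

```python
import os
import re
from typing import Dict, Iterator, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: from the right, double every second digit,
    subtract 9 from results above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; never write the full PAN to a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (offset, masked PAN) for each Luhn-valid candidate in text."""
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            yield match.start(), mask_pan(digits)


def scan_texts(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan an in-memory {path: contents} map; report only files with hits."""
    findings: Dict[str, List[str]] = {}
    for path, contents in files.items():
        hits = [masked for _, masked in find_pans(contents)]
        if hits:
            findings[path] = hits
    return findings


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a real directory tree (backups, exports, forgotten partitions)
    and apply the same check to every file it contains."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                files[path] = fh.read()
    return scan_texts(files)


# Constructed sample "files". The card numbers are standard test PANs; the
# 16-digit value in the SQL export is an order id that fails Luhn on purpose.
SAMPLE_FILES = {
    "notes.txt": "call back on 555-0100, ticket opened 2015-07-19 10:32:11",
    "orders.csv": "id,card,amount\n1001,4111-1111-1111-1111,19.00\n",
    "backup/old_export.sql": (
        "INSERT INTO payments VALUES (1234567890123456, '5500 0000 0000 0004');\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_texts(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run against the constructed files, only `orders.csv` and `backup/old_export.sql` are reported, and the order id in the SQL export is not, because it fails the checksum. In practice the same scan is pointed at file shares, database dumps and backup volumes with `scan_directory`, since the data that surprises people is almost always in a copy, not in the system of record.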

As of now, the dumped data is making its rounds on the web, with sites like checkashleymadison.com going up (and getting taken down by a cease and desist by ALM) to make the information more accessible for the everyday spouse.

Play It Safe

The situation at Ashley Madison is still developing, but regardless of how it plays out for ALM, The Impact Team, or the gentlemen involved in the hack, this incident is but one of many examples of why having a strong data security system in place is integral for any modern-day business.  

Are you interested in finding rogue data in your network? Take a free trial of Data Recon and find out if the same unknown risk exists within your environment.

The Dark Side of PCI Compliance — Beware the QSA Sith Lords

Over the years we’ve spent working in the data security industry, we’ve talked to countless QSAs, and companies that have had QSAs audit them.

Observing from a neutral perspective, it became clear to us that how quickly a company can attain PCI compliance (or, how quickly they can get secure), is dependent on the quality of service the QSA provides them.

If you got wrongfully charged for murder, you wouldn’t want a shabby lawyer to represent you in court — you’ll be gunning for the best you could afford.

In the same way, it’s ludicrous to even consider working with a substandard QSA partner. If a hacker catches you being any less secure than you should be, your company is going to be in for a world of hurt.

The most vital deciding factor for how much good a QSA can do for you is this: How much do they care for your security?

Because once a QSA goes rogue, all ethics are off the table, which may lead to some practices that will be detrimental to your state of security.

We’ve heard of all kinds of terrible QSA partners; some make no secret of the fact that they are in it only for the money, and others who just want to ‘get it all over with’ and move on to their next client.

These QSAs are willing to go where no QSA should go: incentivizing their employees to perform more audits instead of prioritizing thorough checks, letting their clients write their own onsite reviews and simply signing off on them nonchalantly, and even outsourcing parts of the job to low-cost countries, where the work will not get the level of attention you require.

What A Good QSA Looks Like

When you pick a QSA partner to work with, keep an eye out for these gleaming traits.

A good QSA will maintain a vested interest in you, and for the sake of your security, is willing to be tough, yet fair. Imagine a super nanny-type relationship: if you try to cross the line or cut corners, you’ll get the naughty stool.

They’re willing to go the mile because they know that if you get hacked, it’s a damage to their reputation.

Perhaps most importantly, they see themselves as being an extension of your business — your security partner.

Remember, not every QSA is run by upstanding boy scouts who are out to make your security their priority. Perform a thorough background check, including checking their LinkedIn company profile, which should give you a good idea of their manpower and dedication to the craft.

No doubt it’s easier and quicker to just let a bad QSA run its course, but never forget that the entire point of PCI compliance is being secure; it’s so much more than just a hurdle to leap over.

Verizon Data Breach Incident Report 2015 Summary

The Verizon DBIR is one of the annual scriptures read by data security enthusiasts worldwide, and this year’s offering is no different.

The report is packed full with meticulously-gathered, mind-blowing statistics, and yet presented in a light-hearted tone with pop culture references ranging from gangster rap to Disney musicals.

Here are a few highlights from the DBIR we found to be the most interesting.

Phishing

While phishing is nothing new or unfamiliar, some findings released in the DBIR were interesting, to say the least.

To further evade detection, phishing campaigns have evolved to incorporate installation of malware as the second stage of the attack.

Just how well does phishing work?

Today, a glaring 23% of phishing email recipients open phishing messages, and 11% of them click on attachments. Of the 23% who opened the emails, half of them did it within an hour of receiving the email.

A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will fall victim to the scam.

Not only do phishing emails work well, they work fast. The median time it takes for the first click to come through is 1 minute, 22 seconds.

Can Phishing Emails Be Stopped?

In light of such discouraging statistics, it’s hard to see the point in investing in data security.

Why should you spend large amounts of money on antiviruses and firewalls, if it’s so incredibly likely that one negligent employee making one false click is going to bring your walls crashing down?

The good news is, there are a few ways to help reduce the risk of getting hooked. The DBIR recommends better email filtering, to keep phishing emails out of user inboxes. Also encouraged is acquiring improved detection and response capabilities.

However, the most effective way cited is through awareness and training, which can reduce the number of people that fall victim to a phish to (potentially) less than 5%.

Common Vulnerabilities and Exposures (CVEs)

In late 2013, a list of the 500 most common vulnerabilities and exposures was made. Looking back on that list, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Worse still, hackers are exploiting vulnerabilities from as far back as 1999, which shows that they are aware that these old exploits are still an easy way into many systems.

Patch Hard, Patch Fast

There is a clear need for all organisations to patch vulnerabilities as they come, and to do so quickly.

While it’s true that some vulnerabilities are more high-priority than others (97% of the exploits observed in 2014 were caused by just ten of the 500 CVEs listed), you cannot call your network secure unless you are certain it has zero vulnerabilities to exploit.

Make sure that your company has in its employ someone to stay on top of what the latest vulnerabilities and threats are, and is able to quickly apply patches when necessary.

Aside from phishing attacks, vulnerability exploits are some of the easiest ways for hackers to gain access to your systems. To quote the DBIR directly: “[there is a] need for all those stinking patches on all your stinking systems.”

Miscellaneous Tidbits

  • 5 malware events occur every second.
  • Mobile devices are not as at risk as we thought; only 0.03% of mobile devices are infected with truly malicious exploits.
  • Verizon seems to have given up on trying to figure out the cost per record in data breaches. Instead they have developed this table which gives a rough estimate on how much you can expect to spend on a data breach based on the number of records you lost:

(Image: the DBIR’s table of estimated breach cost by number of records lost)

Another Year, Another Great Report

This year’s DBIR, as usual, did not disappoint. A lot of the findings have been game changing; IT security professionals are going to be less likely to bring up the cost per record in a data breach, or talk about the dire need for mobile data security.

But regardless of how such statistics may change, good data security practice remains a constant. In other words: keep up to date with the latest trends, and understand your data.

While we did pick out our favorite parts of the Verizon DBIR, pretty much all of it is interesting and worth a read.