Adult Friend Finder Breached, Millions Of Records Exposed

Casual dating website Adult Friend Finder, which boasts some 63 million users across the globe, has warned customers that their personal data may be at risk following what appears to be a massive leak.

The breach, which is believed to have exposed around 3.6 million or more records, is currently being investigated by police.

Compromised information is said to include usernames, email addresses, post codes, email addresses, IP addresses and details of people who have indicated they are looking for an extramarital affair.

Californian FriendFinder Networks says it is aware of the “seriousness” of the potential breach which appears to affect both current and deleted user accounts.

Given the nature of the site, and the fact that other personal details such as sexual preferences were leaked, the potential damage to affected users could be severe, as pointed out by Tripwire’s Director of Security and Product Management, Tim Erlin:

Aside from the known value of compromised personal details on the dark web, there’s certainly the potential for blackmail from this breach. If any high profile, public figures or politicians have been using Adult Friend Finder, they might consider how the details they entered there could be used against them.

Commenting on Twitter, our very own Brian Honan came to much the same conclusion:

Honan

Further details about the breach remain few and far between at the moment with the California company merely telling Channel 4 News that it “understands and fully appreciates the seriousness of the issue” and has “already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert”. The company also vowed to take the necessary action to protect its affected customers.

While the lack of further information may be frustrating, especially to anyone who has ever signed up to Adult Friend Finder, it is hardly surprising. As Erlin says:

It’s become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It’s not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data.

So what’s next if you are a victim?

While it is hardly clear-cut at the moment, the experience of one user may give some insight. Shaun Harper says he has been targeted with malware-laden emails since his details were published (you can check whether yours have been leaked here), even though he had already deleted his account and believed all of his information had been removed.

I’d suspect that in addition to infected emails and the aforementioned potential for blackmail, there is also a very strong likelihood that personal information will be sold on to companies and individuals with an interest in creating user profiles, not to mention an increase in personalised phishing emails hitting inboxes.

As Ken Westin, Senior Security Analyst at Tripwire says

The Internet has essentially become a database of You. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual.

Depending on the type of information that is compromised this data can be used to link aliases to other accounts via email or other shared attributes and unveil connections to accounts that were not seen until now. An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity, this is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.

It is also highly likely that affected customers will see an increase in junk email over the next few weeks too – as the stolen records began to circulate on the dark web, hackers said they intend to spam compromised email addresses.

BH Consulting Receives Nomination For European Security Blogger Awards

I think it would be fairly safe to assume that everyone here at BH Consulting is delighted to learn that our blog (yes, this one, the one you’re reading now) has been nominated in the European Security Blogger awards.

All in, there are twelve categories eagerly awaiting your vote, including:

  • best corporate security blog
  • best european corporate security blog
  • best European security podcast
  • best security podcast
  • best security video blog
  • best personal security blog
  • best European personal security blog
  • most entertaining blog
  • most educational blog
  • best new security blog
  • best EU security tweeter
  • best overall security blog

BH Consulting just has the one nomination (unlike certain rising stars who have too many to count on one hand) and that is for the Best European Corporate Security Blog, a category that features the mighty Graham Cluley and the now Dan Raywoodless IT Security Guru, among others.

Of course being the modest people we are, we would never dream of asking you to
vote for us, and I personally would not mention that my own blog has been nominated (really? and by who??), or that the Sophos Chet Chat podcast has been put up for voting, nor that Naked Security is in contention for the Grand Prix Prize for best overall security blog.

But we would ask you to vote – this is your chance (and voting appears to be open for anyone) to heap some praise on your favourite writers, bloggers and podcasters – but you do need to act quickly.

Voting closes on 29 May.

As for who wins what, we’ll find out soon enough as the awards will be announced during the first week of June (InfoSecurity15 week).

So, get voting, and remember we here at BH Consulting don’t really mind who wins – we like to think we’re friends with everyone and whoever picks up an award will undoubtedly be worthy.

Place your votes in the European Security Blogger Awards now.

Irish Central Bank Duped By Money Transfer Scam

The Irish Central Bank, tasked with maintaining the Republic’s banking system, appears to have fallen for a fake invoice scam which, according to our CEO Brian Honan, has been received by a number of other organisations recently:

The Belfast Telegraph reports how Special Gardai financial and online investigators are now looking into the rogue transaction that reportedly led to a €32,000 loss.

In what appears to be a stroke of fortune, the bank realised something was up before a €1.4m transfer to a bogus account was fully completed. The account in question appears to be located in Galway, though the invoice it issued was payable to Danske Bank.

Since discovering the fraud, the bank has reviewed its IT systems and procedures, saying:

The maximum exposure for the Bank is less than €32,000. The controls and the relevant procedures have since been updated to address this issue. There was no impact on the Bank’s internal computer systems or data security.

Despite only being reported yesterday, the fraud came to light on Christmas Eve last year and pertains to a transaction made the day before. The bank reports that the Gardai were contacted immediately.

The bank says it is continuing to review its major systems while maintaining its European regulatory requirements, adding that:

The server-side migration of the bank’s technical infrastructure to a specialist third party data centre operation was completed during the year bringing technical scalability, strengthened security standards and greatly increased resilience to support the bank’s business continuity needs.

This latest incident comes shortly after another Irish company – Ryanair – disclosed that it too had been duped.

The airline lost up to €4.6m after funds were electronically transferred from its account via a Chinese bank. The Criminal Assets Bureau in Dublin is looking into that fraud and has been asked for its assistance in recovering the funds via its counterparts in Asia.

Ryanair says it has taken steps to ensure such a transfer cannot happen again and is reportedly confident that the funds – which have currently been frozen – will soon be returned.

Chinese Army Bans Wearables Amid Security Concerns

Gadgets.

They have a certain pull, don’t they? I don’t know what it is but new personal tech has always had an appeal, not only to myself, but to the population at large.

When I was young it was the digital watch. Then the personal computer (ok, I mean ZX81), followed by a mobile phone and much else in between.

In recent years, the rate at which new “toys” appear has certainly increased as we’ve seen the likes of Android tablets, iPhones and – argh – fitness trackers, come to market.

Now, the latest craze (one I will not be partaking in) is for more flashy wearable tech in the form of watches.

Sure, I can understand how they may be useful for some people – the sort who feel comfortable talking to their wrist, or those who wish to read a text message without going to the trouble of putting their hand in their pocket – but they are not the most secure type of device, are they?

Well, according to the Chinese army, iWatches and the like pose a threat so serious that they have been banned completely.

NBC News reports how the nation’s 1.6 million strong People’s Liberation Army has been ordered to leave all wearable tech at home after one recruit received a smartwatch as a birthday present – and then tried to use it to photograph his military friends at the eastern city of Nanjing.

According to the news service, a report in the Liberation Daily Army said:

The moment a soldier puts on a device that can record high-definition audio and video, take photos, and process and transmit data, it’s very possible for him or her to be tracked or to reveal military secrets.

After the recruit’s squad leader reported the incident, higher authorities deemed all such devices a security risk with the country’s agency for protecting state secrets saying:

The use of wearables with Internet access, location information, and voice-calling functions should be considered a violation of national security regulations when used by military personnel.

The PLA Daily now reports that teaching materials and warning signs have been deployed in order to ensure that military personnel receive the message (how do you rate Chinese security awareness techniques?).

It’s easy to see why China sees the use of wearable tech in the military as a huge concern as it can be inadvertently used (or exploited) to give away location data and other operational secrets.

But it’s not just soldiers who need to ensure mission confidentiality – businesses do too – whether that be in terms of protecting corporate information from competitors or through a need to remain compliant with national laws and regulations.

So, as we see a rapid increase in networked technology, from TVs to fridges, and a surge in popularity in wearable devices, what is your business doing to mitigate the associated risks and dangers they present?

Interview from RSA 2015

As many of you may know I attended the RSA Conference this year in San Francisco. While there I took part in a panel discussion entitled “Breach 360 – How Top Attacks Impact Tomorrow’s Laws, Litigation, Security.” The panel included myself, Tom Field from ISMG, Executive Editor for ISMG Mathew Schwartz, Eduardo PerezSVP of Risk Services for North America Visa Inc, and Joseph Burton Partner with Duane Morris.

I also took part in a book signing for my latest book “The CSA Guide to Cloud Computing” which I co-authored with Raj Samani and Jim Reavis. This proved to be quite enjoyable and I got to meet many people who found the book to be useful in their management of using the Cloud.

I was delighted to be interviewed by Mathew Schwartz for ISMG and we discussed a number of issues ranging from why is it that Europe seems to have less breaches than the US? What will the upcoming EU Data Protection Directive mean for companies? How to build resilience into your Incident Response processes. And what are the implications of threat intelligence and information sharing?  You can see the interview in full over at the ISMG website here.

 

 

Fool Me Once, Shame On You. Fool Me Three Times…

Fool me once, shame on you.

Fool me twice, shame on me.

But what if you fool me three times?

That, perhaps, is not a question Jamie Oliver is contemplating following the news that his website has been compromised for the third time in as many months.

Much like the previous two attacks (one came in February, the other in March), the celebrity chef’s WordPress site (we did warn you about the dangers that can befall an insecure installation of that particular CMS) has once again been hit with a password stealer.

Malwarebytes explains how visitors to any page of the site are being redirected to the Fiesta exploit kit.

Fortunately the good folks at Malwarebytes have done the responsible thing and informed Jamie Oliver’s team, presumably in advance of publishing their post, and report how the website admins have acknowledged the issue and are working to resolve the issue, hopefully for good.

The question, however, is why the problem was reoccurring in the first place.

While it would be tempting to say that such a site should never get hacked in the first place, that would be a rather simplistic, not to mention flippant, remark considering the determination of attackers and the myriad ways they have of gaining entry to a system.

As anyone in security should tell you, the point of having defences in place is to lessen risk, not remove it completely, so in some respects I can accept that a site, any site, can be compromised once.

But three times?

Well, there are reasons why a site could be repeatedly compromised.

As Daniel Cid recently wrote, there are four main reasons why web sites find themselves repeatedly attacked:

Sucuri blog

So that could certainly explain why Oliver’s site is continuing to experience issues though I wonder if it should?

If a small, rarely updated personal blog run by a hobbyist with little traffic was repeatedly attacked it would be unfortunate of course but, perhaps, not entirely unexpected due to the likely lack of security expertise possessed by the owner.

But Jamie Oliver’s site?

We know Oliver has a team – it proffered the following quote to the BBC:

We’ve implemented daily.. malware detection scans, also an industry leading web application firewall to protect against all common security attacks.. which has been blocking numerous hacking attempts.

We’re working with a number of security companies to find the issue once and for all. We’re also running daily manual checks which have detected and cleaned a number of threats although it’s important to note that we have had no reports from any users that have been put at risk.

But said team hasn’t, until now at least, been on the ball it appears and – according to Graham Cluley – said BBC report was the only place the chef’s mainstream fans would have likely visited that carried news of the malware attack – Oliver’s site makes no mention of it at all.

So, with a story that says much about WordPress, website security and incident response, the moral, it seems, rests with Malwarebytes which said “the best way web users could protect themselves from becoming a victim of such attacks was to keep their security software up-to-date”.

Sound advice indeed because you never know what’s going on behind the scenes of your favourite website.

With Two Vulnerabilities In A Week, Is Your WordPress Installation Secure?

WordPress is a content management system that became popular in a very short period of time.

It all began with the birth of the blogging craze that began a few years back but has since evolved into something far greater.

As the initial interest in personal blogging receded, the platform marched on as it became more than just a blogging tool for hobbyists.

Now, it can be used to run just about any type of site you can imagine, and doing so is relatively easy because WordPress is highly customisable, allowing the user to add features of their choosing.

Herein lies the problem though – with the ability to add thousands of different “themes” which allow the appearance of a site to be changed in an instant, and the availability of “plugins” that allow additional functionality to be added, the basic platform has been diluted by third party code, and lots of it.

While WordPress itself is theoretically very safe – the developers are quite aggressive in terms of keeping it up to date with bug fixes and security patches – a large proportion of the user base are not particularly technical in nature, meaning that required updates are often overlooked.

While core updates to the platform can be automated, or self-actioned with ease, I know far too many people who are unaware of the risks associated with not doing so, thus leaving themselves open to vulnerabilities like the ones we’ve seen in the last week.

The first of those was aimed at a default theme used by WordPress – TwentyFifteen – and later in a popular plugin called JetPack.

The DOM-based Cross-Site Scripting flaw left potentially millions of sites at risk, though a select few web hosts did move to protect their customers.

Negated by a critical update (version 4.2.2), Help Net Security has more on the story here.

Proof, if ever any were needed, that there is no such thing as sitting still in security, comes in the form of another story, this time from The Register, in which it is today revealed that a new WordPress vulnerability has emerged.

Richard Chirgwin reports how security researchers as Zscaler have identified a large number of compromised sites that are leaking login details to a command and control centre.

The Register notes that the vulnerability in question has yet to be identified but what does seem to be clear is the fact that a large number of compromised sites appear to be small in nature and, thus, not likely to be focused on security.

So what can you learn from this if you are a hobby blogger or administrator for a business site using the popular platform?

Well, the timely installation of updates is key as ever, not only to the core platform but to themes and plugins too (remember: the open source nature of WordPress allows people to be able to see the source code that runs it, meaning the bad guys have the time and the ability to be able to see the different ways that they can exploit it), as is, perhaps, the need to take security one step further via additional measures.

Besides services such as CloudFlare, there are a number of security plugins available that can offer an additional level of defence by limiting log-in attempts, blocking brute force password attacks and even scanning source code in an attempt to discover malicious changes.

If you are considering installing one or more such plugins I would highly recommend some due diligence first – it’s not inconceivable that someone could create a malicious plugin and label it as a security booster – and read reviews from other users who already have it installed to gauge its effectiveness.

To get you started though, here is a list of 15 of the best WordPress Security Plugins that was current at the end of April 2015 (if you are reading this in the future be aware that plugins come and go, some are updated while others are not).

As The Coalition Government Ends, What Next For Your Privacy?

Phew!

It’s over.

After what seems like months, the election is finally over and done with and we don’t need to worry about politics again for another 5 years.

Or do we?

Well, as the dust begins to settle, some within the heart of British politics have already set their minds toward policy and, irrespective of your allegiances, that means change.

One of the key policies that was mooted last night, long before the result was known, was the Snoopers’ Charter – a plan to increase the British government’s surveillance powers – that had hitherto been thwarted by the Conservative Party’s coalition partners.

Theresa May, the Home Secretary, raised the controversial legislation during an interview with the BBC last night and, now that her party has secured a majority mandate, she seems keen to finally realise her ambition of pushing the Draft Communications Data Bill through The House of Commons.

Should the proposal now secure the support it requires to become law, it will see British internet service providers forced to store massive amounts of data on their customers and to make it available to the government and its security services upon request.

The bill, which was blocked by the Liberal Democrats in 2014, has received a huge amount of criticism from security experts and civil liberties groups alike.

Given the new distribution of MPs after last night’s election, it seems likely that the bill will now find its way into law though.

Should that prove to be so, it will be interesting to see what the government’s next move is, especially given how David Cameron has previously hinted that re-election would see him seek additional powers.

Back in January, he demonstrated what many would argue was a complete lack of understanding about encryption, as he suggested there should be no form of communication that the security services should not be able to read.

His comments at the time were taken to mean that encryption could be outlawed altogether, or at the very least highly regulated, leading to concerns among British businesses who immediately felt at risk, and security professionals and privacy advocates who collectively shuddered at the though of what it may mean for the average user.

Hopefully any further ideas thought up by politicians, whatever party they may be associated with, will be better thought out, especially given how we heard only yesterday that the US appears to be moving in the opposite direction to the UK as a federal appeals court ruled the NSA’s bulk data collection program to be illegal.

We’ve also seen Germany’s surveillance agency BND caught in cahoots with the NSA – a revelation that led to a massive drop in popularity for Chancellor Angela Merkel.

Where we go next with privacy in the UK is anyone’s guess right now but what is for sure is that we now live in a world where the topic of civil liberties is becoming more widely discussed and understood (unless you’re a politician, or so it seems) which cannot be a bad thing (we like the thought of awareness here).

We live in interesting times. Let’s hope that’s not a curse.

This Rombertik-Infested PC Will Self-Destruct In 5 Seconds… Or Not

The guys over at IMF (that’s the Impossible Mission Force, not the financial institution) would, I’m sure, love a piece of malware that could literally destroy the device it is hosted on.

Alas, however, Tom Cruise and co. may have to wait a bit longer than the Daily Mail and Weekly World News would have you believe (see Graham Cluley’s excellent post to find out how journos’ can sometimes get a little excitable).

The truth about the malware in question – a computer virus that isn’t quite as explosive as some would have you believe – is that, yes, it can be quite destructive, in a manner that could cause you all manner of headaches, but it’s not exactly a threat to life and limb.

According to Cisco researchers Ben Baker and Alex Chiu, “Rombertik” can destroy a machine’s Master Boot Record (MBR), as well as home directories, should it determine that it has been detected.

In an advisory, the pair said the malware has been designed to pilfer keystrokes and other data in an indiscriminate manner, saying that:

At a high level, Romberik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker controlled server

Targeting Windows users, it spreads itself via the tried-and-tested mediums of spam and phishing emails.

Rombertik is a somewhat paranoid piece of code though, not unlike other forms of malware that hate being analysed, and will check that the user is not trying to discover it before getting on with it’s work:

Before Rombertik begins the process of spying on users, Rombertik will perform once last check to ensure it is not being analyzed in memory.  If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable.

While self-destructing malware is nothing new, the destruction of all data on the machine could signal the beginning of a worrying new trend.

Sagie Dulce, a security researcher at Imperva, said:

In this case, in addition to their usual tricks, they added a wiper functionality that comes into play only when the malware is analysed in a lab. This feature won’t affect regular victims (one less thing to worry about from the victims end), just the researchers trying to reverse engineer the code.

It is truly a nasty trick, which probably made the job of a research team much harder. I would expect malware writes to start using this feature, as it makes the job of reversing a malware much more tedious.

As the vast majority of home and business users will not be trying to analyse Rombertik, they will not have anything to worry about, beyond the malware’s primary raison d’etre, of course.

The concern is that such a self-destructive capability could become the new norm in the future though, as malware authors attempt to cover their tracks and prevent reverse engineering of their code.

While there are no immediate concerns of that, it is a consideration, but one that can be countered by the usual sound security advice – install security software and keep it fully updated, patch your machine regularly, and be very, very discerning when it comes to opening emails, especially if sent by someone you are not familiar with.

Tech Giveth And Tech Taketh Away

At the beginning of this month Google released a new Chrome extension – Password Alert – that, despite the name, was actually designed to protect its users from phishing attacks (I wrote more about it here).

Password Alert

As the name of the extension suggests, though, it also has something to do with passwords – namely, it checks that you aren’t reusing your Google login credentials.

Sounds handy, right?

Personally, I didn’t think it was all that, given the twin facts that Chrome already gives browser-based warnings when people attempt to access potential phishing sites, and that the extension issues a warning when someone attempts to reuse a Google password.

Ok, so the latter sounds like it may be of benefit, but the problem is that the warning can easily be passed over and we know how people can get used to dismissing security warnings, irrespective of what they may say, and the consequences of doing just that.

My conclusion, therefore, is that a password manager (think: KeePass, LastPass or 1Password) would be a far more practical, not to mention secure, alternative to using Password Alert.

Also, since Google released the extension, it has repeatedly been circumvented, primarily by security expert Paul Moore, Securify and @Sc00bz who, between them have managed a total of 6 exploits which collectively “Hide warning, intercept, reload, sandbox and buffer out of scope”.

Each time Google has responded to the exploitation of Password Alert it has been quickly exploited again, often in mere minutes and with a ridiculously small amount of coding being required.

Oops.

So what can we learn from this?

Well, firstly that “if it ain’t broke, don’t fix it” – Chrome users already had protection from phishing sites and this extension does nothing to improve that side of things.

Secondly, that the secondary function of the extension does little to protect people and may even make some blind to security warnings as they could get into a habit of “Ignoring this time” that could transfer to other sites and services in the future.

Thirdly, Google is having real big problems keeping the extension running securely as security experts (and lets not forget it’s not just the good guys who look to break things) continually find ways around it – in fact, Paul Moore has just disclosed how to corrupt it without using any code at all:

Oops again.

Lastly, we have learned that sometimes technical solutions don’t always offer the protection they promise, for one reason or another.

Imagine if you had insisted that all your staff had installed Password Alert and then sat back, thinking your business was now immune to all types of phishing and no-one within the organisation would be reusing any passwords.

You’d be wrong and likely not even know it.

There are two alternatives though – different, mature technical solutions (I’d recommend putting in some research time before picking one ) – and better security training and awareness for your people so that they learn the dangers of reusing login credentials and have some idea of how to spot a phishing message (Proofpoint’s recent Human Factor Report showed how big an issue that is) in the first place.

Of course the way in which you deliver your awareness training is important – as Jess Barker recently explained at 44CON, a fear-based approach tends to prompt inactivity or paranoia and an expectation of failure tends to breed just that. Much better then to invest in expert security awareness training, don’t you think?