Tag Archives: hackers

Hackers’ sale of Comcast log-ins reminds us to change our password habits

Hackers offered 200,000 customer passwords for sale online, forcing Comcast to send reset notices to many users. The lesson? We all need to get a lot smarter about Internet security.

In case you needed a reminder: Change your passwords frequently, and use a different password on every website.

I know, it’s annoying. But that’s the takeaway from news that Comcast had to reset passwords on nearly 200,000 customer email accounts.

Here’s the catch. Hackers didn’t breach Comcast’s computers to steal the information. Instead, they created their list of passwords with information stolen from you and me. Sometimes we’re so gullible that hackers can trick us into giving them our password. Then, since we often use the same password everywhere, those hackers have a skeleton key to our lives.

That’s often how hackers have broken into the online accounts of various celebrities over the years.

Comcast’s answer was to reset all the passwords for its affected customers, said a spokeswoman for the company. Steve Ragan, a security researcher and blogger, was the first to stumble on the list of passwords.

The good news is there are some smart password habits that can protect you from losing control of your entire online life.

Use complicated passwords

With so much information potentially for sale on the dark side of the Internet, or easily found on your Facebook page, it really isn’t a good idea to make your password the name of your beloved Pomeranian. Randomly generated passwords that use special characters and numbers are best.

There are lots of memory tricks you can use to help you accomplish this, but you should probably just…

Use a password manager

We applaud you if you’ve gotten this far without screaming out, “That’s impossible!” and closing your browser window.

The fact is, few people can memorize complicated, unique passwords for every online account they have. That’s OK.

Fortunately, software developers have come up with an answer. A variety of tools can help you keep track of all your passwords. Two of the most popular password managers are called LastPass and 1Password, both of which can help you use every tip listed here.

Of course, password managers aren’t perfect either. After hackers breached its systems a few months ago, LastPass was recently purchased by workplace log-in company LogMeIn. The hackers couldn’t access all the user passwords, but they found the hints that could have let them into some user accounts.

OK, now that you’re using a password manager…

Don’t use the same password for different accounts

If hackers steal your password, they may try it on any number of accounts. You wouldn’t want intruders to get into your bank account just because you used the same password you used for the Harry Potter fan site Pottermore, would you?

What’s more, some websites take security much less seriously than others. For example, some sites email you your password in plain text when you’ve forgotten it. That’s incredibly easy information for a hacker to intercept. Limit risks caused by one site’s laxness by having a unique password for all your accounts.

It’s also a good idea to…

Change your passwords frequently

Once your password gets stolen, it might go up for sale on the Dark Web, that untraceable series of websites where everything from drugs to your health records might be up for grabs.

That’s what happened to the Comcast passwords. A whopping 590,000 were for sale, but luckily only about 200,000 were up to date. That number could have been lower if Comcast users were changing their passwords more frequently.

And if you’re willing to go that extra step, there’s one more thing that’s easy to do…

Use ‘multiple factors’ to log in

As you can see, there’s no way to guarantee that someone won’t steal your password. That’s why you should take advantage of multiple-factor log-ins when available. Plenty of major Web-based companies will let you turn on this feature, which often sends a code to your mobile phone or email account after you take care of factor one by entering your password. Enter the code next (that’s the second factor) and you’re logged in.

Unless hackers have your phone in hand, or access to your email account, only you will be able to log in.


WhatsApp and Facebook signals can be hacked to track your location

Hackers can monitor 4G mobile networks to detect users’ location using supposedly anonymised identifiers

Security researchers have revealed how simply contacting somebody via WhatsApp or Facebook messenger can reveal a smartphone owner’s location by exploiting a security flaw in 4G mobile networks.

A hacker could use the apps to discover the supposedly anonymised identifiers that are assigned to devices when they connect to a network, and use them to locate their owner, according to researchers in Finland and Germany.

When a smartphone connects to a mobile network, it is assigned a temporary number called a TMSI (Temporary Mobile Subscriber Identity). The network then uses this eight-digit number to identify a device, rather than a phone number, to make communication more private.

However, a hacker monitoring radio communications could tie this TMSI to an individual by sending them a Facebook message or WhatsApp chat, both of which trigger a special “paging request” from a network that contains specific location information about a particular TMSI number.

Anybody with a Facebook account can send another user a Facebook message. Unless the two users are friends, this message will end up in Facebook’s “Other” folder, a feature most users do not know about that is only accessible on the social network’s desktop version, but sending a user a message will still trigger a paging request.

Likewise, WhatsApp’s “typing notification” – a feature on the chat app that displays when a contact is composing a message – also triggers the connection. If a hacker has a victim’s phone number, they could send them a message on WhatsApp, and if the victim begins to type a response, the network issues a paging request.

Within these paging requests are location data that, on newer 4G networks, can be used to track users’ locations to an area of 2 km².

Older 2G and 3G networks would place a particular smartphone within a given “tracking area” of around 100 km², representing less of a security issue, but modern 4G networks place them in smaller “cells” of around 2 km², making it much easier to pinpoint a smartphone.

This allows network issues to be better understood, but in this case, gives away more data about smartphone users.

Image caption: Cells are much more accurate than tracking areas. Photo: Aalto University

It is relatively easy to monitor these signals using easily available network hardware, according to the researchers from Aalto University, the University of Helsinki, Technische Universität Berlin and Telekom Innovation Laboratories.

Although TMSIs are supposed to refresh relatively often, in order to protect privacy, they can persist for up to three days, the researchers said.

More aggressive attackers can set up a fake network base station to accurately triangulate users. These stations can request reports from TMSI numbers, typically used in cases of network failure, which can accurately reveal a smartphone’s location. At least one device gave away its GPS co-ordinates after a failure request, the researchers said.


M&S website temporarily suspended after leaking customers’ details

Updated: Around 800 Marks & Spencer customers had their personal details exposed online due to a technical glitch

British retailer Marks & Spencer temporarily suspended its website on Tuesday night, after some customers complained they could see each others’ details when they logged into their own accounts.

Posting on the company’s Facebook page, customers expressed alarm that they could see other people’s orders and payment details when registering for the new members club and card scheme called “Sparks”.

“Interesting, I just created an M&S account to register my new Sparks card and out of a sudden I’m logged in to someone else’s account!” wrote Konstantinos Vlassis.

“M&S this is in breach of privacy and data security. I can see personal addresses, past orders and info of another account holder and I assume they can see mine? I can message you screen grabs if you want but this is not good security!”

Fellow customer Vanessa Frost wrote: “There seems to have been a data breach on your M&S website – if I log into my account on there it brings up another person’s details – this is happening to loads of people.”


M&S said that the glitch was the result of an internal error rather than a third-party attack on the site, and said no financial data had been extracted. However, personal data, including names, dates of birth, contacts and previous orders were exposed.

The website was taken offline at about 6.30pm and was back on by 9pm.

“We can confirm that around 800 people were affected by a technical issue that led to us temporarily suspending our website yesterday evening,” a spokesperson for Marks & Spencer said.

“We are now writing to every customer affected to apologise and to assure them that their financial details are safe.”

Commenting on the incident, Phil Barnett, VP Global at Good Technology, said that many companies are flying blind when it comes to security, because they don’t think it affects them.

“Marks and Spencer’s proves that customer data breaches are real threats and have serious consequences. Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority,” he said.

“When GDPR is implemented in 2016, companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it’s not just going to be some painful interviews and a drop in share price, there’s the potential of big fines for every business.”

Last week British telecoms firm TalkTalk suffered a major cyber attack, which potentially compromised the data of more than four million customers. A 15-year-old schoolboy has been arrested in connection with the incident.


Why do companies keep getting hacked?

Police are investigating a sustained attack on the TalkTalk website that might have let hackers get at details of the firm’s four million customers.

The breach is the third big cyber-attack that TalkTalk has suffered in the last year.

It is not clear who was behind the attack or why they targeted TalkTalk – but it is far from the only company that keeps being hit.

Why does this keep happening?


Almost every large company is being bombarded with cyber-attacks all day, every day.

About one million new malicious programs are created every day, according to security firm Symantec. That is a lot to defend against – and that does not include the many other ways attackers try to get at their targets.

Some attacks are crude and are easy to defend against. Others are more cunning and try to trick people into opening booby-trapped email messages. The most dangerous attacks exploit security holes that most people have not discovered yet in widely-used software.

Surely companies have defences that can stop attacks?


Worse still, it is often hard for companies to correlate the information provided by each separate system, says Darren Thomson, European technology boss at security firm Symantec. This can mean security teams spend time chasing false positives or problems that look serious but are not the current biggest threat they face.

And technology cannot always help if somebody in an organisation opens a booby-trapped attachment on a phishing email.

Many attackers are increasingly exploiting human frailty because cyber-defences seem to have improved far faster than people.

And even the best security is weakened if a company insider decides to betray their employer.

What happened to TalkTalk?


Details are scant but it looks like there were two elements to the breach.

The first was a distributed denial of service (DDoS) that tried to knock over TalkTalk’s servers by hitting them with lots of data.

There are hundreds if not thousands of these kinds of attacks every day, says Roland Dobbins from Arbor Networks, a company that helps firms block the massive data flows.

These attacks simply try to knock sites offline. Often, says Mr Dobbins, they can be used as a smokescreen to distract security staff from other activity. Other groups have used them to steal cash or data.

The DDoS assault on TalkTalk seems to have been accompanied by another attack which sought to get at its customer database. That is why the company has warned that personal information might have been accessed.

But TalkTalk has been hit three times…

Image caption: The website of chef Jamie Oliver was hit by attackers several times over a period of months

Other high-profile sites have been hit several times by cyber-attacks. The website of celebrity chef Jamie Oliver suffered three successive attacks centred on malicious adverts. Breaches have, unfortunately, become a fact of life for any company that uses the web for business – which is pretty much all of them.

The website Have I Been Pwned? gathers information on stolen data and now has a database of more than 223 million accounts that were stolen in a variety of hacks over the last few years.

“Five out of six firms that we talked to in a 2014 survey had been breached,” said Mr Thomson. “And given that it can take 230 days to spot a breach that sixth might have been hit but just didn’t realise it yet.”

Preparing for the worst

Image caption: Attackers seek to infiltrate a network and then hang around so they can get at saleable data

Many companies now prepare for the day they will be breached rather than expect technology to keep them safe and secure all the time.

Often attackers can get into a corporate network using stolen staff credentials but that just gets them a foothold. From there they need to explore, expand and gather network privileges that help them get at the data they really want to steal.

The length of time it can take to realise that a breach has taken place gives attackers a long time to bed in, explore and escalate their access. Companies are getting better at spotting that anomalous behaviour but the advantage often still lies with the attackers.

Many companies employ ethical hackers to test their security systems, and properly encrypting customer data helps ensure any stolen information is useless to attackers, or expensive to sell.

TalkTalk will have questions to answer if it emerges that hackers were able to steal unencrypted customer information.


Online Attacks on Infrastructure Are Increasing at a Worrying Pace

Over the last four years, foreign hackers have stolen source code and blueprints to the oil and water pipelines and power grid of the United States and have infiltrated the Department of Energy’s networks 150 times.

So what’s stopping them from shutting us down?

The phrase “cyber-Pearl Harbor” first appeared in the 1990s. For the last 20 years, policy makers have predicted catastrophic situations in which hackers blow up oil pipelines, contaminate the water supply, open the nation’s floodgates and send airplanes on collision courses by hacking air traffic control systems.

“They could, for example, derail passenger trains or, even more dangerous, derail trains loaded with lethal chemicals,” former Defense Secretary Leon E. Panetta warned in 2012. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

It is getting harder to write off such predictions as fearmongering. The number of attacks against industrial control systems more than doubled to 675,186 in January 2014 from 163,228 in January 2013, according to Dell Security — most of those in the United States, Britain and Finland.

And in many cases, outages at airports and financial exchanges — like a computer outage that took down computers at airports across the country late Wednesday, including Kennedy International Airport in New York and Logan Airport in Boston — are never tied to hacks.

But it’s clear hackers are trying.

The Department of Homeland Security last year announced that it was investigating an attack against 1,000 energy companies across Europe and North America. In 2012, 23 gas pipeline companies were hacked by online spies, according to a Homeland Security report. Private investigators later linked the attack to China.

Last year, in a disclosure overshadowed by the news of the attack on Sony, a German federal agency said that in an attack at an unnamed steel mill, hackers had managed to jump from the company’s corporate network to its production systems, causing significant damage to a blast furnace.

And in an extensive attack at Telvent, an information technology and industrial automation company now owned by Schneider Electric, Chinese hackers made off with its product source code and blueprints to facilities operated by its customers, which include 60 percent of the pipeline operators in North America.

For now, dire predictions of destructive online attacks on American targets ignore the fact that the actors with the ability to cause the gravest harm to America’s critical infrastructure — China and Russia and allies like Israel and Britain — are sufficiently deterred from doing so by fear of retaliation or because of longstanding trade and diplomatic relationships. And attacks by those aggressively trying to get such a capability — Iran, North Korea and Islamic militant groups — are still several years off.

“Despite all the talks of a cyber-Pearl Harbor, I am not really worried about a state competitor like China doing catastrophic damage to infrastructure,” said Michael V. Hayden, former head of the National Security Agency. “It’s the attack from renegade, lower-tier nation-states that have nothing to lose.”

Just how far off are they? That is the question troubling policy makers at the National Security Council and intelligence and law enforcement agencies. Federal officials have repeatedly warned that Islamic State militants have been exploiting social media for recruitment, and are developing tools to break into their enemies’ systems.

Those capabilities were sufficient to prompt the assassination of Junaid Hussain, the chief of the Islamic State’s cyberarmy, who was killed by an airstrike in Syria in August. But for now, federal officials say, the Islamic State does not have a significant ability to cause damage through online attacks.

“It’s not easy to pull off a spectacular attack,” said James A. Lewis, a security expert at the Center for Strategic and International Studies in Washington. “People are always saying in theory they can do something, but it’s not at the level of a Pearl Harbor or a 9/11.”

Mr. Lewis added: “Could someone acquire the ability to cause a blackout? That’s something to worry about, but the only people who could pull it off don’t have any interest in doing so.”

Most security experts point to the attacks last year at Sony — where hackers leaked internal documents and destroyed the company’s servers — as an example of the destruction that is possible now, and a harbinger of what may come.

There were warnings the year before the Sony hacking that such an incident was possible. In a carefully planned attack in 2013, North Korean hackers knocked out almost 50,000 computers and servers for several days at South Korean banks and media companies.

Less sophisticated attackers are more likely to continue to pursue social media campaigns and isolated attacks, rather than take down parts of the power grid, said Ralph Langner, an independent security expert who was the first to attribute Stuxnet, a virtual weapon used against Iranian nuclear centrifuges, to the United States and Israel.

But the attacks that have rattled American government officials the most were similar attacks at Saudi Aramco, the world’s largest oil company, and RasGas, the Qatari oil giant, in 2012.

At Aramco, the hackers replaced the data on employees’ hard drives with an image of a burning American flag. United States intelligence officials say Aramco’s attackers were hackers in Iran, although they offered no specific evidence to support the claim. Mr. Panetta, then secretary of defense, called the Aramco sabotage “a significant escalation of the cyberthreat.”

Forensics specialists who were called in to analyze the Aramco attack said there was evidence the attackers probed the network that connects the company’s pipelines but were never able to cross from Aramco’s corporate network to its production systems. The same was true for a similar attack at RasGas two weeks later. Hackers tried and failed to hit the Qatari petroleum company’s production systems, but successfully took its corporate networks and servers offline.

But the attack on the German steel mill, disclosed last year, suggests that hackers are increasingly finding ways to cross that threshold. Just last week, it was announced that a group of hackers penetrated the Snohomish County Public Utility District in Washington State. The hackers, members of the Washington State National Guard, had been invited to test the utility’s defenses, and the results were frightening. They were able to break in with an email in under 22 minutes.

Joe Weiss, a crusader for industrial control security and founder of Applied Control Solutions, a consulting firm, is not surprised. He manages a database of 750 incidents that affected control systems and said he was most disturbed that most of them were not classified as attacks at all.

“What that tells you is that not only do we not have the mitigation, we don’t even have any type of adequate forensics to know this is happening, and whether it was intentional or unintentional,” he said.

The Department of Homeland Security tweeted late Wednesday evening that the computer outages at airports were due to a “brief outage that lasted 90 minutes” on the United States Customs and Border Protection’s computer processing systems.

But Mr. Weiss said in most cases, forensics investigations were still not adequate enough to nail down the real source of such incidents. He said the same was true across the electric, water, oil, gas, and nuclear industries.

“It’s not like with weapons, where you know where it’s coming from,” Mr. Weiss said. “With cyber- and control systems, you don’t necessarily know.”

“Will there be a cyber-Pearl Harbor? Most likely,” Mr. Weiss added. “Will we know it’s cyber? Most likely not.”


How much is your stolen data worth on the dark web?

A new report reveals how much cyber criminals are willing to pay for stolen data on the dark web

Ever wondered how much your stolen data could be worth? A new report reveals the market value of all the most common types of stolen data available for sale to criminals on the dark web.

The “Hidden Data Economy” report by Intel Security Group’s McAfee Labs draws on years of close work with law enforcement, and ongoing monitoring of online platforms, communities and marketplaces where stolen data is hidden and sold – such as Alphabay and Crypto Market.

The report provides examples of how different types of stolen data are being packaged, and offers an illustration of average prices for different types of data. A few examples include:

  • Average estimated price for stolen credit and debit cards: $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; $21 to $40 in Australia; and $25 to $45 in the European Union
  • Bank login credentials for a $2,200 balance bank account: $190
  • Bank login credentials plus stealth funds transfers to US banks: from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance
  • Bank login credentials and stealth funds transfers to UK banks: from $700 for a $10,000 account balance, to $900 for a $16,000 account balance
  • Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000
  • Login credentials to hotel loyalty programs and online auction accounts: $20 to $1,400
  • Login credentials for online premium content services such as Netflix: as little as $0.55

Payment card data is perhaps the most well-known data type stolen and sold. A basic offering includes a software-generated, valid number that combines a primary account number, an expiration date, and a CVV2 number.

Valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data.

This includes data such as the bank account ID number, the victim’s date of birth, and information categorised as “Fullzinfo”, including the victim’s billing address, PIN number, social security number, date of birth, the mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.

Online payment service accounts – like PayPal accounts for example – are also sold on the open market, with their prices determined by additional factors.

The report claims that illegal sellers list adverts in the same way as any legitimate seller would – offering guarantees on stolen credit cards – and forums name and shame “bad sellers” who have sold stolen cards that don’t offer up what was promised.

“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” said Raj Samani, chief technology officer for Intel Security in Europe, the Middle East and Africa.

“This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”


The news coincides with the publication of new figures from the Office for National Statistics, showing that cyber crime is now the UK’s most common offence, with 2.5m incidents in the last year.

Cyber crime was previously excluded from official statistics but its inclusion in this latest report has resulted in an overall surge in crime rates of 107 pc – over double.

The most common cyber crimes, offences committed under the Computer Misuse Act, were where the victim’s device was infected by a virus.


French hackers intercept Siri and Google Now to control phones

Researchers claim to have intercepted the digital assistants to control the iPhone and Android devices, broadcasting silent commands from 16 feet away

French researchers claim to have remotely accessed iOS and Android digital assistants and silently delivered commands by using headphones with inbuilt microphones as antennas.

The team from the French government’s Network and Information Security Agency (ANSSI) claim to have discovered “a new silent remote voice command injection technique”, meaning they were able to intercept Siri and Google Now via radio from up to 16 feet away.

An Android device or iPhone with a pair of headphones containing an inbuilt microphone – such as Apple’s standard earbud model – plugged in effectively turns the cord into an antenna, converting electromagnetic waves into electrical signals the phone perceives to be audio commands, without actually speaking a word.

In theory, this means the digital assistants could be hijacked into sending texts or emails, making searches or calls, or directing the handset to malicious websites, though the researchers required an amplifier, laptop, antenna and Universal Software Radio Peripheral (USRP) radio.

“The possibility of inducing parasitic signals on the audio front-end of voice-command-capable devices could raise critical security impacts,” researchers José Lopes Esteves and Chaouki Kasmi wrote, as spotted by Wired.

Last month a hacker claimed to have discovered a 30-second method of infiltrating a locked iPhone via Siri, which Apple fixed with the updated software iOS 9.0.1.

How to protect yourself

  • Attacks like this are extremely improbable, but in theory could happen. The researchers have suggested the companies improve the shield on their headphone cords, or introduce personalised phrases to wake digital assistants.
  • If you’re really worried, you could disable voice activation or turn the digital assistant on your phone off.

Computer attack insurance rates rise after high-profile breaches

Hacks of Sony, Target, Home Depot and major health insurers have made it more expensive to cope with data theft, Reuters reports.

Just as you safeguard your home with insurance, companies get insurance to cover any problems with customer and corporate data. With hacking on the rise, that protection is getting harder to obtain and pay for.

A torrent of cyberattacks on US companies over the past two years has led cyber insurers to boost premiums for high-risk companies and in some cases limit damage cover to a maximum of $100 million, according to a Reuters report on Monday. The limits make it hard for companies to operate in the modern networked era and could mean higher costs they’ll have to pass along to customers.

Hacks are expensive. Companies must pay for forensic investigations, credit monitoring, legal fees and settlements. Rising cyber insurance premiums and limited damage coverage effectively mean that companies could be liable to pay more if they’re hit by a cyberattack. Companies without full insurance could easily end up paying hundreds of millions out of pocket.

The 2013 attack on US retailer Target cost the company $264 million. Target expects to only recoup around $90 million of that from insurance payouts, Reuters said. A similar attack on Home Depot forced the US home improvement chain to shell out $234 million in expenses, but insurance will only cover about $100 million, Reuters said.

High-profile attacks, like the ones against Sony, Home Depot and Target, have forced insurers to judge certain companies as too high risk. That’s especially true for health and retail companies, which have highly sensitive customer data. Three insurance companies recently told Reuters that they turned away clients seeking computer attack insurance or limited coverage to $75 million and $100 million after reviewing companies’ computer security mechanisms.

Just like good home security systems can get you a break on your home insurance payments, the price of cyber insurance depends in part on companies’ security measures.

Health insurers are suffering the most from insurance hikes, sometimes seeing premiums triple in price, said Bob Wice, a focus group leader for insurer Beazley, according to Reuters. Massive security breaches at the beginning of 2015 affected millions of customers at two US health insurers, Anthem and Premera Blue Cross.

Upon renewing its insurance after the hack, Anthem only managed to secure $100 million in insurance protection, and that was on the condition that it pay the first $25 million of any damage costs itself, the company told Reuters.


Privacy groups call for investigation into Experian hack

US consumer privacy groups have called for a Federal investigation into Experian, following a major hack at the credit database firm.

Experian claims personal data on 15 million T-Mobile US customers was stolen in the breach.

But the Public Interest Research Group (PIRG), backed by 28 other bodies, fears the hack may have extended to the rest of Experian’s credit database.

This holds personal information about some 200 million Americans, it said.

“A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it added.

‘Troubling possibility’

The Experian breach occurred at Decisioning Solutions, a subsidiary of the credit agency which T-Mobile uses to process information on subscribers.

Names, birth dates and social security numbers were among data stolen, but not financial details, the firms said.

Experian has said the business was “completely separate” from its main credit bureau business, which was “not affected”.

But in a statement, PIRG’s consumer programme director, Ed Mierzwinski, urged both the Consumer Financial Protection Bureau and the Federal Trade Agency to investigate whether other Experian databases had been breached.

He said: “If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?

“If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?”

Breached before

Prominent cybercrime journalist Brian Krebs has also raised concerns about Experian’s internal data protection policies.

In a blog post published on 8 October, he claimed to have interviewed “half a dozen security experts” who recently left Experian frustrated with its approach.

“Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability at the firm,” he said.

Experian data has been breached before – such as in 2012, when an attack on an Experian subsidiary exposed social security numbers of 200 million Americans.

This prompted an investigation by at least four states, including Connecticut.

Commenting on PIRG’s campaign, an Experian spokesman said: “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.”

He added: “Security is a top priority for the company, and Experian is committed to continuous investments in upgrading talent, processes, and technologies needed to protect our systems.”

He said the firm had invested “tens of millions of dollars” in the last three years to strengthen its security.

A number of lawsuits seeking class action status are under way against T-Mobile and Experian, on behalf of victims affected by the breach.


Webcam hacker spied on sex acts with BlackShades malware

A Leeds-based hacker used a notorious piece of malware called BlackShades to spy on people via their webcams.

Investigators from the National Crime Agency found images on the computer of Stefan Rigo, 34, including ones of people involved in sexual activity, some of whom were on Skype at the time.

Rigo was arrested in November last year during an international investigation.

He has been given a 20-week suspended sentence and placed on the sex offenders’ register for seven years.

Rigo targeted a variety of victims after gaining remote access to their computers’ webcams.

Incriminating images on his computer were discovered after a forensic examination.

Of the 14 confirmed individuals he spied on, roughly half were people he knew personally, an NCA spokesman told the BBC.

At a hearing in July, Rigo pleaded guilty to one count of voyeurism and another computer-related offence.

The court took Rigo’s guilty plea into account when handing down the 20-week sentence. As well as being placed on the sex offenders’ register, Rigo will have to complete 200 hours of unpaid work within the next 12 months.

Victims ‘unaware’

Investigators found and arrested Rigo after raiding two addresses in Leeds.

The hacker had used his ex-girlfriend’s details to purchase BlackShades, a remote access trojan (RAT) which allows for a high level of surreptitious control over a victim’s computer.

“The problem with RATs specifically is a lot of the time people don’t know they’re being affected,” the NCA spokesman said.

“In the case of Stefan Rigo that we were looking at, his victims weren’t aware.”

BlackShades has been around since 2010 and has been sold for as little as $40 (£26), explained Jens Monrad at cyber security firm FireEye.

“The application in itself is not that difficult to detect but typically the attackers will wrap some sort of exploit around the application,” said Mr Monrad.

“Even with patches the victim will still be vulnerable so long as there is a hole in the operating system.”

Mr Monrad recommended that computer users be careful of clicking on suspicious links or downloading dubious email attachments.

Cam scams

The criminal market for webcam hacking tools is highly active, according to Mr Monrad, since malicious hackers are often able to exploit their victims after taking covert images of them.

There have also been cases in which hackers sold access to specific cameras.

Connected security cameras in buildings may be at risk too, though there are sometimes difficulties in publicly discussing how secure they are.

One researcher recently cancelled a forthcoming talk on the issue following legal pressure from the manufacturers of widely-used surveillance cameras.

Gianni Gnesa was due to discuss “vulnerabilities found on major surveillance cameras and show how an attacker could use them to stay undetected” at the HITB GSEC security conference in Singapore.

The Register reports that a legal threat from one, unnamed, manufacturer resulted in Gnesa withdrawing his presentation.
