Implications and response to large security breaches
•Download as PPTX, PDF•
2 likes•650 views
This is part of a talk that I gave at Syracuse University lecture on breach response in Apr 2017
Recommended
Recommended
More Related Content
Similar to Implications and response to large security breaches
Similar to Implications and response to large security breaches (20)
More from David Strom
More from David Strom (20)
Recently uploaded
Recently uploaded (20)
Implications and response to large security breaches
- 1. Implications and response to large security breaches SYR IST 323 class lecture David Strom Slides available here: http://slideshare.net/davidstrom 1
- 2. Who am I? • Long time IT B2B trade press journalist • Actually hired Molta in a weak moment • Started numerous print and Web pubs, wrote two computer networking books 2
- 4. Agenda • A review of the more recent, larger breaches • Questions to ask for post-breach analysis • What are some IT security lessons learned • Where to find breach info for your case studies 4
- 5. Yahoo! • Three separate reported breaches from 2013, 2014, 2016 with millions of accounts leaked • Using MD5 hashes, not state of the art and not salted either • Long persistent attack that lasted years • Yahoo Account Key -- zero factor auth! • CISO-of-the-month club: not cool • Russian FSB officers criminally charged in Mar. 5
- 6. 6
- 7. 7
- 9. Hookup site breaches • Ashley Madison (7/15): 30M users revealed – Passwords using bCrypt easily cracked – Analysis revealed most female accounts fake • AdultFriendFinder (11/16): 415M accounts – Including previously deleted accounts using format “email@address.com@deleted1.com” – Encryption using SHA1 easily cracked 9
- 10. Dailymotion (10/16), 85M accounts • Only 20% of the records have any passwords associated and these were encrypted properly 10
- 11. 11
- 12. E-Sports Entertainment Association (12/16, 1.5M users) 12
- 14. NAS Leaks: Stewart Airport, Ameriprise Financial Services 14
- 15. Three Mobile (UK cell provider) 15
- 16. Arby’s • 1000 restaurants • 355k customer card data leaked • Started 10/16 • Long time to ack breach 16
- 17. 17
- 18. Questions for post-breach analysis • Did the company express the breach in plain language? • Did they precisely indicate what happened and whom was affected? • Did they constructively suggest a solution? • Can non-IT people understand what to do next to protect their personal info? • Has anything IT-related changed as a result? 18
- 19. 19
- 20. 20
- 21. Home Depot breach • Symantec Endpoint Protection installed, BUT – No Network Threat protection module active • No point-to-point encryption for payments • POS systems using WinXP Embedded BUT – Not secure and not most recent OS • No vulnerability mgmt program active • Using a flat network topology both POS/PCs • Not managing 3rd party vendor auth credentials 21
- 22. 22
- 23. 23
- 24. 24
- 25. 25
- 26. Lessons learned • How to craft a breach notification messages and campaigns – Exact dates, times and places – Provide lots of other details – Has follow up contact info for concerned customers • When to notify the public and customers – The sooner the better. Days matter. 26
- 27. More lessons • How to explain the specifics of the breach – What data was stolen, both customer and corporate – How to prevent this from happening again – Make it easy for customer to find out this stuff • What to do personally – Don’t use real online “birthday” on social nets – Don’t reuse passwords, really 27
- 28. 28
- 29. Where to get breach news • Naked Security/Sophos • The Intercept (but with a bucket of salt) • SANS.org (for tech info, training classes) • Threatpost • MacKeeper/Chris Vickery • LeakedSource (notification and data dumps) • And of course, Inside Security ! 29
- 31. 31
- 32. 32
- 33. 33
- 34. 34
Editor's Notes
- V3 add Nrian photo on rescator page
- http://dilbert.com/strip/2016-04-18
- https://www.wired.com/2017/03/yahoo-hack-russia-indictment/
- https://help.yahoo.com/kb/account/SLN27925.html?impressions=true
- October 2016 customers paying by credit cards from last July-Sept data was leaked. Had to be in the physical store, online not hit. They have 150 stores around the world. http://www.darkreading.com/attacks-breaches/vera-bradley-stores-report-payment-card-breach/d/d-id/1327173
- A massive data breach targeting adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including millions of supposedly deleted accounts. This number refers to the entire customer databases of several dating sites, including Cams.com, Penthouse.com and other sites. The attack happened at around the same time as one security researcher, known as Revolver, disclosed a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on their web server. The data does not appear to contain sexual preference data unlike the 2015 breach, however. Comments were swift. “This is ten times worse than the Ashley Madison hack. Wait for a raft of class-action lawsuits,” says KnowBe4. The company verified that its servers were vulnerable. LeakedSource revealed that the company did not properly encrypt its users’ data. The company stored user passwords in plainly visible format, or with the very poor SHA1 hashes that were easily cracked. The deleted emails were retained in this format: “email@address.com@deleted1.com” which is curious and obviously intentional. -- ZDNET
- DailyMotion had more than 80 million of their account IDs and passwords exposed. Only a fifth of these accounts had passwords and they were fortunately encrypted. The company admitted the breach in a blog post. http://blog.dailymotion.com/2016/12/06/8886/ Leaked Source obtained the data file.
- Hackers shut down a Finnish heating system thanks to a DDoS-based DNS attack. At least two housing blocks in the city of Lappeenranta were affected and confirmed by the facilities management company. The issue was no firewall and using public IP addresses of the HVAC management systems that could be easily reached by the hackers. When the company tried to reboot their systems, they needed more than a week to get computers back online since the attack also denied remote access to the systems. Luckily, outdoor temperatures weren’t critical. Researchers at IBM found that many building automation systems suffer from a range of security issues, from weak authentication and authorization controls to vulnerable administrative web interfaces used to provide remote access. -- https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/ http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter
- E-Sports Entertainment Association is one of the largest competitive video gaming communities on the planet. They were hacked in December 2016 and a database containing 1.5 million player profiles was compromised. A full timeline of events has been posted to the E-Sports website. LeakedSource confirmed the leak that was confirmed by this post. While passwords were encrypted, other information was not and could be used to set up compromised attacks. Hackers demanded ransom payment of $100k but E-Sports did not comply. – http://www.csoonline.com/article/3155397/security/esea-hacked-1-5-million-records-leaked-after-alleged-failed-extortion-attempt.html
- A Pentagon contractor has accidentally leaked more that eleven gigabytes of data, including individuals’ names, locations, Social Security numbers, salaries, and assigned units. This comes from Chris Vickery, a security researcher with MacKeeper, who wrote about it last December. The data comes from the military’s Special Operations Command, which had no user name or password protection of the database that was leaked from the Potomac Healthcare Solutions site. After Vickery called Potomac, the information was still available an hour later. “It shouldn’t take over an hour to contact your IT guy and “ fix this, he said. Eventually, the information was removed. – https://mackeeper.com/blog/post/314-special-ops-healthcare-worker-breach
- Sometimes you have security researchers that specialize in a particular product with weak controls. This is the Buffalo Terastation network attached storage. Essentially, it is a hard drive with a network connection, and software that allows you to make backups to an Internet site. The problem is that these backups are often maintained in the clear – without any password protection, and it is easy to find them if you know what you are looking for. That is exactly what MacKeeper’s Chris Vickery figured out in two separate incidents: one reported on in February at Stewart Airport, in downstate New York, and one involving an office from Ameriprise Financial. The airport leak involved 700 GB that sat out on the Internet for a year after the IT manager opened a firewall port and forget to protect his data. The data includes everything from sensitive TSA letters of investigation to employee social security numbers, network passwords, and 107 gigabytes of email correspondence. https://mackeeper.com/blog/post/334-extensive-breach-at-intl-airport The Ameriprise leak inadvertently exposed hundreds of investment portfolios, worth tens of millions of dollars. In this case, the NAS drive was at the home of one of their advisors. Amusingly, one of the pieces of the leaked data is a confidential memo in which Ameriprise asks its advisors “Do you keep your backup computer records (i.e. hard drive, memory stick, etc.) at a location other than your office?”, to which the possible answers are “Yes”, “No”, and “N/A – (select this option if you are using an online solution)”. https://mackeeper.com/blog/post/310-ameriprise-data-breach
- While this could be the largest breach of the year in terms of numbers, Three Mobile, one of UK's biggest mobile phone operators, has been breached. Supposedly the personal information and contact details of six million of its customers has been exposed, which are about two-thirds of the company’s overall customers. Hackers used an employee’s login credentials to gain entry. The reason for the breach was simple theft: the company confirmed around 400 cases in which fraudsters had stolen high-value phones through burglaries and other devices have already been illegally obtained through tracking who was eligible for upgrades. Three people have been arrested so far. http://thehackernews.com/2016/11/3-mobile-uk-hacked.html And recently, another technical glitch exposed new customer info: https://www.theguardian.com/business/2017/mar/20/three-mobile-possible-data-breach-data-usage-call-history
- Data from more than 1,000 corporate-owned Arby’s fast food restaurants were compromised, resulting in personal information stolen from at least 355,000 customers’ credit and debit cards. Sources suggest the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017. https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/
- http://download.schneider-electric.com/files?p_Reference=SEVD-2016-288-01&p_EnDocType=Technical%20leaflet&p_File_Id=4837908514&p_File_Name=SEVD-2016-288-01+Unity+Simulator.pdf https://www.indegy.com/blogs/new-scada-vulnerability-enables-remote-control-of-ics-networks/ SCADA controller manages millions of them around the world called Unity Pro. It is in every single control network that this company sells. Here is the notifcation to its customers.
- http://www.networkworld.com/article/3011735/security/review-best-password-managers.html
- An example of a carder website is Rescator shown here. As you can see, the site has full search capabilities based on the type of stolen credit card you are searching for.
- https://krebsonsecurity.com/2017/03/google-points-to-another-pos-vendor-breach/ Uses a photo of Brian Krebs to lend authenticity to the login page of Rescator. Source of POS malware used in many of these retail attacks, including CiCi’s
- http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- https://oag.ca.gov/ecrime/databreach/report-a-breach