December 20, 2014

Security Breach Roundup: From big names like Facebook to an Illinois water plant and – say it ain’t so – Santa’s workshop

November saw one high-profile company – Facebook – suffer a significant security breach while two other big names were accused of breaches but deny it. Also unclear is whether a public water utility in Illinois was breached, a case that raises the specter of some truly frightening scenarios. Finally, we’ve got a report on a security company with a sense of humor – just in time for the holidays.

Facebook hack

The Washington Post reports on how the Facebook hack came about:

According to Facebook, users were somehow tricked into copying and pasting malicious code into their browser bars. Hackers then gained access to their profiles and could post whatever they wished, and any of the user’s Facebook friends could see the images.

And what did the hackers want to post? Pornographic images, of course, along with violent ones. Not the kind of thing (most) Facebook users want their “friends” to see. But, as the Post story notes, the episode could give rise to far more disastrous attacks:

Experts said it was easy to imagine another attack on the Facebook platform that would be more troubling: sending false messages to family and friends to lure them to malicious sites, where they might be tricked into revealing private information. They warned that hackers could use the template of this attack to launch copycat efforts.

In a way, Facebook may be a victim of its own success, the Post reports:

Part of Facebook’s success has stemmed from its ability to get developers to create games and other applications that work seamlessly on the site’s platform. But giving such leeway to outside programmers means the site is also vulnerable to hackers, [Chester] Wisniewski, [a security researcher at Sophos,] said.

Facebook could be doing more to stop these kinds of attacks, he said, such as checking the credentials of programmers who register with the site and giving users the option to double-check any actions before they take effect.

That should be a given. It’s not unlike how Apple vets applications before allowing them for sale in its app store – and you don’t hear much about viruses and malware on Apple platforms.

AT&T and Microsoft deny reports of security breaches

Reports of attacks on AT&T and Microsoft XBox Live accounts are untrue, albeit not unfounded, according to AT&T and Microsoft.

As Reuters reports on the attempted hack on AT&T wireless customers:

AT&T Inc, the No. 2 U.S. mobile provider, said it is investigating an “organized and systemic attempt” to access wireless customers’ information but that it did not believe any accounts were breached…Spokesman Mark Siegel said AT&T’s “investigation is ongoing to determine the source or intent of the attempt to gather this information.”

“In the meantime, out of an abundance of caution, we are advising the account holders involved,” he said.

In its letter to customers AT&T warned them to be [cautious] of emails or texts asking for sensitive information because there “may be an increased risk of fraudulent attempts to access” account information.

That’s both an encouraging story, if indeed AT&T was successful in thwarting the attempt, and a responsible reaction to inform customers. Kudos to AT&T – and we’re not just saying that in hopes of getting some free wireless service, as nice as that would be.

Microsoft, meanwhile, claims it was essentially an innocent bystander in a scam that targeted its Xbox Live customers. From Consumer Reports:

Hackers allegedly broke into thousands of Xbox Live accounts, in order to steal millions of dollars, The United Kingdom’s The Sun newspaper reported today.

But Xbox Live operator Microsoft contends that the compromised accounts are the result of a phishing scam, not an outright hack on Xbox Live. Shortly after The Sun’s story was published, a Microsoft spokesperson told news outlets that “Xbox Live has not been hacked. Microsoft can confirm that there has been no breach to the security of our Xbox Live service.”

That spokesperson went on to say that in this case, “a number of Xbox Live members” were the victim of a phishing scam. In one phishing attempt, e-mails were sent to Xbox Live players directing them to bogus websites that offered up free Microsoft points that could supposedly be used toward the purchase of new games. If users entered their personal information, the scammers were able to access account details, including credit card information, according to The Sun. The online scammers then skimmed small amounts over several weeks using the stolen credit-card information, which made the transactions difficult to detect.

No telling how the scammers got email addresses for all those Xbox Live users, or if they did. Probably more likely they simply sent their phishing emails to a huge number of addresses, some of which belonged to Xbox Live users. So it sounds like a classic case of users being duped.

Suspected cyber attack on Illinois water plant

This is the type of story that is truly chilling. From the Washington Post:

Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life.

The story goes on to say how the FBI and the Department of Homeland Security were investigating but weren’t yet ready to concede it was indeed a cyber attack or that any threat existed to critical infrastructure. It came to light after a security expert obtained a report from an Illinois state intelligence center that said a pump motor was being turned on and off repeatedly until it burned out. Weird, right?

A report in the trade journal Government Technology quotes Mike Geide, senior security researcher at Zscaler ThreatLabz, who posits that it may be a case of criminals going after the SCADA systems that control various utilities.

“This is not only a wake-up call for the security industry, but a further wake-up call for attackers to say, ‘Hey, we really need to focus more energy on low-hanging fruit, such as SCADA systems,’” Geide said.

One way to protect critical infrastructure systems like public utilities is to ask whether the system in question must be connected to the Internet, and if so, how connected. Geide advocates for a least-privilege scenario, in which access to the system is only given to those who need it.

The least-privilege idea is a good one – for enterprises and utilities alike.
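To make the two ideas in this section concrete, here is an added example (not code from the roundup, from Zscaler, or from any utility it mentions): a default-deny access policy for a pump controller, which is what least privilege looks like in practice, plus a detector for the symptom the Illinois report describes, a pump being started and stopped over and over until it burns out. The log format, role names, network names, timestamps and the toggle threshold are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Least privilege as a default-deny table: only the listed (role, network)
# pairs may issue the listed actions; anything not present is refused.
# Roles, network names and actions are assumptions made up for this example.
ALLOWED = {
    ("operator", "ops-lan"): {"pump.start", "pump.stop"},
    ("engineer", "ops-lan"): {"pump.start", "pump.stop", "pump.set_speed"},
    ("viewer", "ops-lan"): {"pump.read"},
}


def is_authorized(role, network, action):
    """Return True only for an explicitly allowed (role, network, action)."""
    return action in ALLOWED.get((role, network), set())


# Constructed control log: ISO timestamp, role, source network, action.
# The burst of start/stop commands mimics the cycling described in the report;
# the final line is a control command arriving from outside the ops network.
SAMPLE_LOG = """\
2014-11-08T10:00:00 operator ops-lan pump.start
2014-11-08T10:00:05 operator ops-lan pump.stop
2014-11-08T10:00:11 operator ops-lan pump.start
2014-11-08T10:00:16 operator ops-lan pump.stop
2014-11-08T10:00:22 operator ops-lan pump.start
2014-11-08T10:00:27 operator ops-lan pump.stop
2014-11-08T10:00:33 operator ops-lan pump.start
2014-11-08T10:00:38 operator ops-lan pump.stop
2014-11-08T11:30:00 viewer ops-lan pump.read
2014-11-08T11:45:00 operator internet pump.start
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, role, network, action = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "role": role,
            "network": network,
            "action": action,
        })
    return events


def unauthorized_events(events):
    """Events the default-deny policy would have refused; each is worth an alert."""
    return [e for e in events
            if not is_authorized(e["role"], e["network"], e["action"])]


def detect_toggle_storm(events, window=timedelta(minutes=1), max_toggles=4):
    """Return the time at which more than max_toggles start/stop commands
    fell inside one sliding window, or None if the pump was never cycled
    that fast. Repeated cycling is what burns out a motor, so this fires
    whether the commands were authorized or not."""
    toggles = [e["time"] for e in events
               if e["action"] in ("pump.start", "pump.stop")]
    start = 0
    for end, t in enumerate(toggles):
        while t - toggles[start] > window:
            start += 1
        if end - start + 1 > max_toggles:
            return t
    return None


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in unauthorized_events(evts):
        print("DENY", e["time"], e["role"], e["network"], e["action"])
    storm = detect_toggle_storm(evts)
    if storm:
        print("ALERT: pump cycled too often, first seen at", storm)
```

The policy check answers Geide's "who needs access" question by refusing everything not explicitly granted, including a legitimate role arriving from the wrong network; the toggle detector is the complementary control for the case where a permitted account is misused, since it keys on what the pump is being told to do rather than on who is asking.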

A security firm with a sense of humor

We’ll close with an amusing story from security software vendor Application Security, Inc., which posted a press release on its site announcing it had been commissioned to help investigate a high profile data breach:

TeamSHATTER, the research arm of Application Security, Inc. (AppSecInc) today announced that it has been commissioned to assist in the investigation of what is being called the largest, most disturbing and most costly data breach in history – the hack of the databases for Santa’s Workshop and Santa Claus’ renowned Naughty/Nice list. In a year highlighted by the biggest data security breaches on record, this latest occurrence proves that there are no limits or geographic boundaries to the lengths motivated attackers will go to get what they want.

Among the data said to have been stolen:

Santa’s famous Naughty/Nice list database including names, home addresses, email addresses, customer notes indicating what they want for Christmas and corresponding shopping patterns and the proprietary classification methodology used by Santa Claus in determining who is placed on which list and why.

Suspects included the Grinch, of course, along with:

…the reportedly disgruntled Santa’s Workshop employee, Hermey the Elf, who has long wanted to become a dentist, a desire which has resulted in unrestrained mockery from his fellow elves and Hermey’s growing animosity toward them.

Don’t tell the kids.
