Tag Archive for Data breach

Bad Day at LinkedIn

It’s been a bad day for LinkedIn (LNKD). LinkedIn users have been the victims of two security and privacy blunders on the same day. First, the LinkedIn mobile app for iOS devices is sending potentially confidential private and business information to the company’s servers without the users’ knowledge.

Help Net Security reports that security researchers Yair Amit and Adi Sharabani at Skycure Security identified the security hole. According to the researchers, the security flaw involves calendar syncing, which collects data from all the calendars (private and corporate) on the iOS device.

“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out in the article. “…this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines.”

The first response from LinkedIn’s spokeswoman Nicole Perlroth appears to minimize the issue and blame the users for the privacy breach: she told Help Net Security that the feature is opt-in, and said nothing about whether the company will update the app to stop this privacy snafu from happening in the future. (It looks like LinkedIn updated the app and broke it, according to reviews in the Apple App Store.) This was reinforced by Joff Redfern, Mobile Product Head at LinkedIn, on the LinkedIn blog, where he also pointed out that the information-harvesting app is an opt-in feature. He claims that the information collected is not stored or shared. LinkedIn did change the LinkedIn app for Google (GOOG) Android so it no longer sends data from Droids to LinkedIn. There was no information in the article on whether LinkedIn plans to change the Apple iOS app.

But wait it gets worse…

LinkedIn also lost 6.5 million accounts today; they were, however, found on a Russian forum. LinkedIn has confirmed on its blog that there are “compromised accounts.” Cameron Camp, Security Researcher at ESET, commented on the leak for Help Net Security:

“The difference with this hack … is that people put their REAL information about themselves professionally on the site, not just what party they plan on attending, ala Facebook and others … mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.”

rb-

I wrote about the value of different credentials here and here.

I am wondering about the timing of the two security problems for LinkedIn. Could they be related? Were attackers using the Apple iOS app as an attack vector? After all, we know that Apple loves to collect personal info on its customers.

(Image: Mitt Romney, captioned “What happened here?”)

Action Items:

  • Toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app on your Apple iOS devices.
  • Immediately change your LinkedIn password and any accounts that share the same password.
  • Be on the lookout for phishing campaigns that might leverage the incident.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

All EMU Students Dismissed by Email Mistake

Eastern Michigan University sent a mass email dismissing the entire student body and an unknown number of recent EMU graduates. Julie Baker at AnnArbor.com reports that the message dismissed the students from the university and canceled all further enrollment. The article says the mass email was sent from the email account of Associate Director of Academic Advising Molly D. Weir. EMU says it is investigating how it happened. The dismissal message said in part:

“As a result of your Winter 2012 academic performance, you have been dismissed from Eastern Michigan University … you will be ineligible to register for classes … you will not be eligible to resume coursework at EMU until Summer 2013 at the earliest.”

Eastern Michigan University President Susan Martin emailed a statement addressed to students, faculty and staff that read: “I deeply apologize for the incorrect email many of our students received this evening indicating they were dismissed from the University. This message was a terrible mistake and I regret the undue alarm and concern it caused.”

Vice President of Communications Walter Kraft denied any claims that this event was the result of a breach of security or a hack. EMU is pointing the finger at a contractor. “An outside company that we contract with for this notification process, GradesFirst, sent the dismissal message to the entire student body instead of the file of 100 or so students who were supposed to receive it,” Mr. Kraft said. “GradesFirst has offered an apology for its role in this matter.”

VP Kraft added that EMU will continue to investigate to find out exactly what went wrong and will take whatever steps are necessary to make sure it never happens again, according to AnnArbor.com.

rb-

(Image: Margaret Thatcher, captioned “We are not amused”)

Why are they outsourcing their communications with their customers? Goes to show that if you let others control your message, they will screw it up.

Didn’t Longfellow say, “If you want something done right, do it for yourself”?


First Computer Passwords Useless

Robert McMillan at Wired dug through the annals of tech and recently confirmed that passwords have been a pain in the tuckus for a millennium. But who’s to blame? Who invented the computer password?

The origin of the password is shrouded in the mists of history, like the invention of the wheel or the story of the doorknob, according to Wired. Roman soldiers memorized spoken passwords to gain access to camps, and Shakespeare kicks off Hamlet with one. But where did the first computer password show up? Wired asks.

Computer passwords probably arrived at the Massachusetts Institute of Technology in the mid-1960s. Wired says nearly all the computer historians they contacted said that the first password must have come from MIT’s Compatible Time-Sharing System. In geek circles, it’s famous. CTSS pioneered many of the building blocks of computing as we know it today: things like e-mail, virtual machines, instant messaging, and file sharing.

Fernando Corbató, who worked on CTSS back in the mid-1960s, is a little reluctant to take credit. “Surely there must be some antecedents for this mechanism,” he told Wired, before questioning whether CTSS was beaten to the punch in 1960 by IBM’s (IBM) Sabre ticketing system. When Wired contacted IBM, Big Blue said it wasn’t sure.

According to Mr. Corbató, even though the MIT computer hackers were breaking new ground with much of what they did, passwords were pretty much a no-brainer. “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files,” he told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

Back in the ’60s, there were other options, according to Fred Schneider, a computer science professor at Cornell University. The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example.

But in the early days of computing, passwords were surely smaller and easier to store than the alternative, Professor Schneider says. A knowledge-based system “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”

The irony is that CTSS may also have been the first system to experience a data breach. The article recounts that in 1966, a software bug jumbled up the system’s welcome message and its master password file, so that anyone who logged in had access to the entire list of CTSS passwords.

The story goes that an MIT Ph.D. researcher named Scherr was looking for a way to bump up his usage time on CTSS. He received four hours per week, but it wasn’t nearly enough time to run the simulations he’d designed for the new computer system. So he simply printed out all the passwords stored on the system.

“There was a way to request files to be printed offline by submitting a punched card,” he wrote. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”

To spread the guilt around, Mr. Scherr then handed the passwords over to other users. One of them — J.C.R. Licklider — promptly started logging into the account of the computer lab’s director, Robert Fano, and leaving “taunting messages” behind.
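The CTSS leak did its damage because the password file held every password as-is, so whoever read the printout had all of them. As an added illustration, not code from the Wired article or from this blog, the Python below compares that plaintext layout with a file that stores only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, so the same printout reveals no password directly while logins still verify. The user names, passwords, the `pbkdf2_sha256$iterations$salt$digest` line format and the iteration count are all constructed for this demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts; names and passwords are made up for this demo.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2"}

# PBKDF2 work factor (assumption: tune upward for real deployments).
ITERATIONS = 100_000


def write_plaintext_file(users):
    """The 1966-style layout: one 'user password' line per account, nothing hidden."""
    return [f"{user} {password}" for user, password in users.items()]


def write_hashed_file(users, iterations=ITERATIONS):
    """Store only a fresh 16-byte salt and a PBKDF2-HMAC-SHA256 digest per user.

    Line format (constructed for this demo): user pbkdf2_sha256$iter$salt_hex$digest_hex
    """
    lines = []
    for user, password in users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        lines.append(f"{user} pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}")
    return lines


def _lookup(lines, user):
    """Return the stored record for `user`, or None if the account is absent."""
    for line in lines:
        name, _, rest = line.partition(" ")
        if name == user:
            return rest
    return None


def verify_hashed(lines, user, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    rest = _lookup(lines, user)
    if rest is None:
        return False
    try:
        scheme, iters, salt_hex, digest_hex = rest.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if scheme != "pbkdf2_sha256":
        return False
    cand = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(cand, bytes.fromhex(digest_hex))


def passwords_visible_in_dump(lines):
    """What a reader of a leaked printout learns with no further work.

    Plaintext lines hand over the password itself; hashed lines yield nothing usable,
    which is the property the CTSS file lacked.
    """
    visible = {}
    for line in lines:
        name, _, rest = line.partition(" ")
        if not rest.startswith("pbkdf2_sha256$"):
            visible[name] = rest
    return visible


if __name__ == "__main__":
    plain = write_plaintext_file(SAMPLE_USERS)
    hashed = write_hashed_file(SAMPLE_USERS)
    print("plaintext dump reveals:", passwords_visible_in_dump(plain))
    print("hashed dump reveals:", passwords_visible_in_dump(hashed))
    print("login alice/'correct horse':", verify_hashed(hashed, "alice", "correct horse"))
    print("login alice/'wrong':", verify_hashed(hashed, "alice", "wrong"))
```

The per-user salt matters as much as the hash: without it, two users with the same password would produce identical lines, and a single precomputed table would crack every account at once. A leaked salted-hash file still has to be treated as an incident (hashes can be guessed offline, which is why the iteration count is high), but it no longer hands the reader a working login list the way the CTSS printout did.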


Santa Gets Hacked!

The UK firm Twist & Shout reports that one of Santa Claus’s key databases has been compromised due to the loss of an unencrypted USB stick at the Kris Kringle North Pole workshop.


BP Data Spill

National Public Radio (NPR) reports that British Petroleum’s (BP) problems in the U.S. now include a data spill as well as the oil spill. BP is paying compensation amounting to $4,000,000,000 to victims of its mishap incident disaster in the Gulf of Mexico last summer. Now BP has lost the personally identifiable information (PII) on approximately 13,000 of its victims who are seeking compensation for oil spill damages. NPR reports that names, addresses, phone numbers, and Social Security numbers were lost, exposing these people to identity theft.

BP spokesman Curtis Thomas told NPR that the oil giant mailed letters to roughly 13,000 people whose data was stored on the missing computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored. The company also reported the missing laptop to law enforcement, he said. The laptop was password-protected, but the information was not encrypted, Mr. Thomas said.

The employee lost the laptop on March 1 during “routine business travel,” said BP’s Thomas, who declined to elaborate on the circumstances. “If it was stolen, we think it was a crime of opportunity, but it was initially lost,” Thomas said. Asked why nearly a month elapsed before BP notified residents about the missing laptop, Mr. Thomas said, “We were doing our due diligence and investigating.”

Matt O’Brien, the part-owner of Tiger Pass Seafood, a shrimp dock in Venice, La., who said he had filed a claim with BP, told an AP reporter this was the first he had heard about the possible compromise of his personal information by BP. “That’s like it’s par for the course for them,” Mr. O’Brien said of BP. “They can’t seem to do nothing right.”

Once again, 13,000 lives are disrupted because a single laptop that was not encrypted was lost or stolen “during routine business travel.” Sophos’ Naked Security blog pointed out in 2008 that laptops are easy to lose. The security vendor cited a survey that found that 12,000 laptops are lost every week at U.S. airports alone.

In that 2008 survey, almost three years ago now, 53% of people said that their laptops contained confidential business information, with two-thirds having taken no measures to secure their data. Clearly, some companies still aren’t taking proper measures.

rb-

As BP again has demonstrated, we all need to lift our game. As Sophos says, even if your organization is willing to take risks with your own data, firms have a clear moral duty not to take risks with data they keep about other people.

During these economic times, many organizations are saving a few pennies by doing as little as possible about encryption-related security. Why not consider the value of encryption to your business, instead of considering only the cost?

What do you think?

Oil spills, Data spills, Outrageous gas prices – Is BP out to get the U.S.?
