Tag Archive for Security

| February 4, 2017
Comments Off on State of Michigan Data Breach

State of Michigan Data Breach

State of Michigan Data BreachData breaches are no surprise these days. I have covered a number of data breaches here on the Bach Seat here, here, and here. Now the State of Michigan (SOM) has joined the ranks of data leakers like Yahoo, Home Depot, Target, BCBS, and the US government. MLive is reporting that the State of Michigan has spilled the personal data of millions of Michigan citizens. On February 03, 2017, the Michigan Department of Technology Management and Budget (DTMB) announced the Michigan data breach. The breach leaked the Personal information of nearly 20% of Michigan residents who were vulnerable to unauthorized access for four months.

Unemployment Insurance Agency

Unemployment Insurance AgencyThe article reports that in October 2016, a software update to the Michigan Data Automated System (MiDAS) system was used by the state’s Unemployment Insurance Agency (UIA). MiDAS was created by Fast Enterprises of Centennial, CO, and went live in 2012 as part of a modernization of the unemployment benefits and tax system. A flaw allowed employers and human resources firms to get access to names and social security numbers of nearly 1.9 million Michigan residents they were not authorized to view.

The state identified the Michigan data breach on Jan. 30 and fixed it on Jan. 31, 2017. Contracted payroll service providers had unauthorized access to the MiDAS system, according to UIA spokesperson Dave Murray. Anybody working for a company that uses one of those payroll service providers may have had their personal information compromised. DTMB official Caleb Buhs warned, “If you are an employee in Michigan and your company uses a payroll vendor to process payroll, then you can potentially be included.

Impacted by the Michigan data breach

According to a report on MLive, the 31 vendors with unauthorized access to Michigan citizens’ PII included:

  • 7-Eleven
  • Aatrix
  • Accountants World
  • Acrisure
  • ADP
  • Benepay
  • Casper Willson Wilson
  • Computing Resources
  • Connectpay LLC
  • CoStaff National Services Inc
  • Craft Accounting
  • CSS Payroll Inc
  • DTMB
  • DM Payroll
  • Dominion Systems
  • GT Independence
  • Heins Acctg
  • Hewitt Assoc
  • Highpoint Business Services LLC
  • Infiniti HR LLC
  • Julie Lepper Acctg
  • Mercantile Bank
  • My Pay Solutions
  • Nieland & Kosanke PC
  • One Source Virtual
  • Paychex
  • Paycomm Payroll LLC
  • Paycor
  • Paylocity Corp
  • Payroll 1
  • Payroll Tax Mgt
  • Professional Systems
  • Ultimate Software
  • VenSure HR Inc
  • Wayne County Regional
  • Zen Payroll

Data security is a top priority for the state of MichiganDTMB Director and State CIO David Behen stated, “Data security is a top priority for the state of Michigan … We will work with our third-party vendors and our state team to check our processes and procedures to avoid incidents like this in the future.

Recommendations

Here’s what the SOM is recommending those who may have had their PII exposed do:

  1. Call the state hotline at 855-707-8387 between 8 a.m. and 4 p.m. on weekdays to make inquiries about this issue.
  2. Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  3. Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax, Experian, and TransUnion – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission.
  4. Take steps to monitor their personally identifiable information and report any suspected instances of identity theft to their local law enforcement.

MiDAS has been in the news before. MiDAS’ “robo-adjudication” feature wrongly flagged at least 20,000 people for unemployment fraud between October 2013 and August 2015. MiDAS would automatically flag a discrepancy and send a message to a seldom-used internal unemployment system. When the victims didn’t respond, the system would automatically find they had committed fraud and issue a 400% fine.

rb-

The way data breach report work is that the originating firm under-estimates the number of records lost by half. So it is possible that the SOM has released nearly 4 million or 38% of all Michiganders personal records.

Michigan State Police Cyber CommandDespite the Michigan State Police Cyber Command being on the job, it is likely that nothing will happen to the perpetrators – nothing ever does. DTMB spokesman Buhs said, “We are learning from this.” I hope so.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| January 10, 2017
Comments Off on Blockchain Basics

Blockchain Basics

Blockchain BasicsThis is the season for predictions. Many tech prognosticators say that 2017 will be the year for Blockchain. As an emerging technology, Blockchain is approaching what Gartner (IT) calls the Peak of Inflated Expectations – a period the analyst refers to as “when early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not.”

Transform digital banking and financeJust to prove the point, Business Insider claims blockchain has the capability to transform the world of digital banking and finance — and beyond. The author suggests that the complex technical nature of blockchain makes it difficult for people to fully grasp how the technology works. BI helps blockchain novices understand exactly what blockchain is and how it works.

Blockchain is a distributed database or ledger that allows companies to start trade digitally without the need for approval from a central authority. Because blockchains are distributed, an industry or a marketplace can use them without the risk of a single point of failure.

distributed ledgerThe ledger is the central part of a blockchain. The ledger is publicly available and shared among all parties within the network. It can’t be changed or tampered with, making it secure. The ledger keeps track of all the details of a transaction, including time, date, parties involved and the transaction amount.

The article examines how the most common blockchain application, a bitcoin transaction, works.

  1. Alice decides to buy bobbles from Bob’s Bead Boutique online.
  2. Bob’s Bead Boutique accepts bitcoin.
  3. Alice has a 3rd party bitcoin wallet set up to hold her digital funds.
  4. Bob at Bob’s Bead Boutique shares his unique numerical bitcoin address with Alice.
  5. Alice makes her payment to Bob’s Bead Boutique by signing it with the private key of her own address. The transaction is called a block.
  6. The block is broadcast to everyone within the peer-to-peer network.
  7. Users who verify the buyer’s block via a process called “mining” will be rewarded with bitcoins.
  8. To verify and validate the block, miners take information from the block and run it through an algorithm.
    The approved block is attached to the previous transaction in the network.
  9. Collectively all the transactions form a blockchain that cannot be altered making it permanent and transparent
  10. The transaction is verified and completed.

disruptive technologyBI claims that the most important aspect of blockchain is its versatility. The author claims that the disruptive technology has implications far beyond bitcoin. The article points out there are more than 100 blockchain projects spread across many industries. Here are some industries blockchain could disrupt.

Banking and Financial Services – Blockchain is more secure and efficient so financial processes powered by blockchain could save banks up to $20 billion dollars annually by 2022.

Healthcare – Blockchains could allow patients to securely share their health records across a vast network of healthcare providers more securely. Preventing many of the recent healthcare data breaches.

Music –  Blockchain could potentially be used to help prevent piracy in music while also increasing sales.

Insurance – Blockchain could allow wholesale insurers to overcome complex transactions that involve a large number of participants and increase efficiency in areas like documentation and claims management.

rb-

The Brookings Institute correctly argues that Blockchain is a foundational technology, like TCP/IP, which enables the Internet. And much like the Internet in the late 1990s, we don’t know exactly how the Blockchain will evolve – but evolve it will.

Disruptive technologiesSimilar to the Internet, the Blockchain must also be allowed to grow unencumbered. This will need careful handling that recognizes the difference between the platform and the applications that run on it. TCP/IP empowers many financial applications that are regulated, but TCP/IP is not regulated as a financial instrument.

Disruptive technologies rarely fit neatly into existing regulatory considerations, but rigid regulatory frameworks have repeatedly stifled innovation.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| December 16, 2016
Comments Off on IT Pros Stressed Out This Holiday

IT Pros Stressed Out This Holiday

IT Pros Stressed Out This HolidayIt’s the holidays and nearly one-third (29%) of IT Pro’s will be too busy to take time off according to a new study. Unified security management vendor AlienVault noted the IT Pro stress in an article at Infosecurity Magazine. They report that industry skills shortages will have a major impact on IT professional’s time off (paid or unpaid) this holiday season.

The AlienVault study polled over 400 IT pros to better understand their workplace stresses. They found that half of those that can afford to take time off this festive period will spend it worrying about work.

Other factors adding to IT Pro’s holiday stress included:

  • 53% said they thought their colleagues are overworked and overstretched.
  • 41% claimed to have had unfilled vacancies in their teams for a month or more in 2016.

AlienVault security advocate, Javvad Malik, argued that shortages are not always down to a lack of available talent. He told Infosecurity:

On the other side of the coin is the willingness of companies to invest into more staff … Particularly in small, but growing companies where we often see a company’s infrastructure may grow rapidly, yet the IT team doesn’t scale at the same rate.

Data breach stress

Another reason leading to holiday workplace stress cited in the article is data breaches. Almost a quarter (21%) of respondents said that when a security breach happens the IT teams are blamed. The author speculates that might explain why 14% said that would cover up a breach and not report it, if it didn’t involve regulated data.

IT teams are also increasingly ready to turn a blind eye to users bypassing security controls. If it makes their job easier in the short term. AlienVault’s Malik explained there could be several reasons why some IT staff turn a blind eye to employees bypassing controls. He told Infosecurity:

It could very well be because controls may be too rigorous in the first place. Sometimes this is as a result of controls being implemented by those unfamiliar with the day-to-day operations, or even because of compliance regulations. In smaller companies, it is sometimes because of agreements they may have in place with larger companies who dictate stringent security controls as a condition of business.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Holidays | Tags: , , , , , , ,
| November 26, 2016
Comments Off on Reducing Your LinkedIn Risks

Reducing Your LinkedIn Risks

Reducing Your LinkedIn RisksMicrosoft’s recent purchase of LinkedIn has pushed the struggling ersatz professional networking site back into the limelight. There is plenty of speculation why Microsoft (MSFT) purchased the site for over $2.6 billion. Undoubtedly it has to do with LinkedIn’s (LNKD) cache of over 430 million online users. Whatever Redmond’s designs are, now is probably a good time to check LinkedIn security to reduce your LinkedIn risks.

LinkedIn logoAttackers have long used social networking as part of their reconnaissance activities. They cull personal information posted on the site to craft targeted attacks that have a higher chance of succeeding. The cyber-criminals rely on the fact that people tend to trust people within their personal network.Their targets are more likely to fall for a spear phishing email if it appeared to come from a fellow member. The victims would also be more likely to visit a website if a member of their network suggested it.

LinkedIn risks

The fake LinkedIn profiles “significantly increase” the likelihood that these social engineering attacks will work according to research by Dell SecureWorks. The SecureWorks article describes how attackers use fake LinkedIn profiles. Most of these fake accounts follow a specific pattern:

  1. LinkedIn RisksThey bill themselves as recruiters for fake firms or are supposedly self-employed. Under the guise of a recruiter, the attackers have an easy entry point into the networks of real business professionals. Real recruiters already use the service as a way to find potential candidates. LinkedIn users expect to be contacted by recruiters, so this ruse works out in the scammers’ favor.
  2. They primarily use photos of women pulled from stock image sites or of real professionals. Many of the fake LinkedIn accounts use unoriginal photographs. Their profile photos were found on stock image sites, other LinkedIn profiles, or other social networking sites.
  3. Attackers copy text from profiles of real professionals. They then paste it into their own. The text used in the Summary and Experience sections were usually lifted verbatim, from real professionals on LinkedIn.
  4. They keyword-stuff their profile for visibility in search results. Fake LinkedIn accounts stuff their profiles with keywords to gain visibility in to specific industries or firms.  Northrup Grumman and Airbus Group are popular.

The primary goal of these fake LinkedIn accounts is to map out the networks of business professionals. Using these fake LinkedIn accounts, scammers can establish a sense of credibility among professionals to start further connections. The fake network was created to help attackers target victims via social engineering.

disguise it as a résumé applicationIn addition to mapping connections, scammers can also scrape contact information from their connections. The attackers collect personal and professional email addresses as well as phone numbers. This information could be used to send spear-phishing emails.

LinkedIn cyber-thieves use TinyZbotmalware (a password stealer, keystroke logger, multifunctional Trojan) and disguise it as a résumé application. The Dell researchers advise organizations to educate their users of the specific and general LinkedIn risks in their report:

  • Avoid contact with known fake personas.
  • Only connect with people you know and trust.
  • Use caution when engaging with members of colleagues’ or friends’ networks that they have not verified outside of LinkedIn.
  • When evaluating employment offers, confirm the person is legitimate by directly contacting the purported employer.

Reduce your risks

There are a few ways users can identify fake LinkedIn accounts:

  • search engineDo a reverse-image search. Tineye.com offers a browser plugin or use Google’s Search by Image to confirm the in picture is legit.
  • Copy and paste profile information into a search engine to find real profiles.
  • If someone you know is already connected with one of these fake accounts, reach out to them and find out how they know them.
  • If you suspect that you’ve identified a fake LinkedIn account, you should report it.

LinkedIn told Panda Security:

We investigate suspected violations of our Terms of Service, including the creation of false profiles, and take immediate action when violations are uncovered. We have a number of measures in place to confirm authenticity of profiles and remove those that are fake. We urge members to use our Help Center to report inaccurate profiles and specific profile content to LinkedIn.

As always, it pays to be careful with information that you share online as it can save you many potential problems in the future.

Here are some tips to keep your LinkedIn experience as secure as possible. Update Privacy Settings to understand how you’re sharing information. Smart options include:

  • ApathyTurn your activity broadcasts on or off. If you don’t want your connections to see when you change your profile, follow companies or recommend connections, uncheck this option.
  • Select what others can see when you’ve viewed their profile. When you visit other profiles on LinkedIn, those people can then see your name, photo, and headline. If you want more privacy, display anonymous profile information or show up as an anonymous member.
  • Select who can see your connections. You can share your connections’ names with your other first-degree connections, or you can make your connections list visible only to you.
  • Change your profile photo and visibility. You can choose to have your photo displayed only to your first-degree connections, only to your network, or to everyone who views your profile.

Opt into Two-Step Verification to prevent other people from accessing your account. LinkedIn lets members turn on two-step verification for their accounts. This will require an account password and a numeric code sent to your phone when you attempt to sign in from a device your account doesn’t recognize.

Opt into Secure Browsing for extra protection against unauthorized access to your Internet activity and to make sure you’re connected to the real LinkedIn website. While LinkedIn automatically secures a connection when you’re on certain pages that require sensitive information, you also have the option to turn on this protected connection when viewing any page.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him at LinkedInFacebook and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| November 10, 2016
Comments Off on Bad Passwords Crippled the Web

Bad Passwords Crippled the Web

Bad Passwords Crippled the WebFollowers of the Bach Seat know that passwords suck and now default passwords really suck. In fact, default passwords seem to be a key part of the massive DDOS attack that disabled large parts of the Internet on October 21, 2016. The cyberattack targeted Internet traffic company DYN. DYN provides DNS services for many high-profile sites. Some of the sites affected by the attack on Dyn included; Amazon (AMZN), Business Insider, New York Times, Reddit, and Twitter (TWTR).

Security researcher Brian Krebs, whose site, krebsonsecurity.com, was one of the first sites hit by a massive 620 GB/s DDoS attack, has reported the Mirai botnet was at the center of the attack on his site. CIO.com reports  ‘Mirai’ can break into a wide range of Internet of Things (IoT) devices from CCTV cameras to DVRs to home networking equipment turning them into ‘bots. CIO reports a single Chinese vendor, Hangzhou Xiongmai Technology made many of the devices used in the Mirai attacks.

Level 3 Communications says there are nearly half a million Mirai-powered bots worldwide. To amass an IoT botnet, a Mirai bot herder scans a broad range of IP addresses, trying to login to devices using a list of default usernames and passwords that are baked into Mirai code, according to US-CERT. The Mirai zombie devices are largely security cameras, DVRs, and home routers. Mr. Krebs identified some of the specific devices.

Mirai Passwords

UsernamePasswordFunction
admin123456
root123456ACTi IP camera
adminpassword
admin1password
rootpassword
admin12345
root12345
guest12345
admin1234
root1234
administrator1234
888888888888
666666666666Dahua IP camera
admin(none)
admin1111Xerox printers, etc.
admin1111111Samsung IP camera
admin54321
admin7ujMko0adminDahua IP camera
adminadmin
adminadmin1234
adminmeinsmMobotix network camera
adminpass
adminsmcadminSMC router
Administratoradmin
guestguest
motherfucker
root(none)Viviotek IP camera
root00000000Panasonic printers
root1111
root54321Packet8 VoIP phone
root666666Dahua DVR
root7ujMko0adminDahua IP camera
root7ujMko0vizxvDahua IP camera
root888888Dahua DVR
rootadminIPX-DDK network camera
rootankoAnko Products DVR
rootdefault
rootdreamboxDreambox TV receiver
roothi3518HiSilicon IP Camera
rootikwbToshiba network camera
rootjuantechGuangzhou Juan Optical
rootjvbzdHiSilicon IP Camera
rootklv123HiSilicon IP Camera
rootklv1234HiSilicon IP Camera
rootpass
rootrealtekRealtek router
rootroot
rootsystemIQinVision camera, etc.
rootuser
rootvizxvDahua camera
rootxc3511H.264 - Chinese DVR
rootxmhdipcSenzhen Anran security camera
rootzlxx.EV ZLX two way speaker
rootZte521ZTE router
serviceservice
supervisorsupervisorVideoIQ
supportsupport
techtech
ubntubntUbiquiti AirOS Router
useruser

US-CERT says the purported author of Mirai claims to have 380,000 IoT devices are under its control. Some estimate the botnet has generated greater than 1Tbps DDoS attacks.

DDOS attackWhen Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai.

rb-

Followers of Bach Seat already know that many of the default passwords used by Mirai are among the worst and should have been changed already. They include:

  • Password
  • 123456
  • 12345
  • 1234

While reports say, Chinese vendor, XiongMai Technologies equipment was widely exploited, other notable tech firms are included. The Mirai zombie army includes equipment from Xerox (XRX), Toshiba (TOSBF), Samsung (005930), Panasonic (6752), and ZTE (763).

I wrote about security cameras being compromised as part of botnets back in July here.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »