Navigating the Cyber Seas: What You Need to Know About Recent Data Breaches

Ahoy, fellow digital sailors! As we dive into the heat of summer, it’s not just our bodies that need protection from sun overload – our digital lives need some serious safeguarding too. Recent events in the cyber world have thrown a couple of curveballs our way, and it’s high time we arm ourselves with knowledge and a pinch of humor to tackle these digital perils.

AT&T Data Breach: A Slight Bump on the Cyber Highway

First up on our radar, AT&T recently faced a data breach. From May to October 2022, unauthorized folks accessed call and text records. Luckily, your name, Social Security number, and financial information were kept safe from prying eyes. Think of it as someone sneaking a peek at your grocery list but not your bank statement. AT&T has since locked the doors and beefed up their security.

RockYou2024: The Mother of All Password Leaks

Next, we have the granddaddy of password leaks – RockYou2024. Nearly 10 billion passwords (yes, you read that right, billion with a B) were discovered on a hacking forum. It’s like finding out your secret cookie recipe was shared at the biggest bake sale ever. This treasure trove of passwords includes both new and old ones, setting the stage for potential credential stuffing and brute force attacks.

How to Protect Yourself: Tips from Your Cyber Lifeguard

So, how do you dodge these cyber cannonballs? Here are some lifesaving tips to keep your digital treasure chest secure:

  1. Change Your Passwords:
    • If you suspect any of your passwords might have been part of the leak, change them faster than you can say “cybersecurity.”
    • Use strong, unique passwords for each account. Think of it as creating different keys for every lock.
  2. Enable Two-Factor Authentication (2FA):
    • Add an extra layer of security by enabling 2FA. It’s like having a bouncer for your online accounts.
  3. Monitor Your Accounts:
    • Regularly check your financial and online accounts for any suspicious activity. Consider it your digital equivalent of checking under the bed for monsters.
  4. Be Cautious of Phishing Attempts:
    • Be wary of emails or messages asking for your credentials or personal information. If it smells fishy, it probably is.

The Perils of Password Recycling

Using the same password across multiple accounts is like using the same key for your house, car, and office. If one gets compromised, you’re in big trouble. Always use unique passwords for different services to avoid a cyber domino effect.

Password Hygiene: Keeping It Clean

Practicing good password hygiene is crucial:

  • Create complex passwords that include a mix of letters, numbers, and special characters. Imagine you’re concocting a digital alphabet soup.
  • Avoid using easily guessable information like birthdays or common words. Your dog’s name might be cute, but it’s not a secret.
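The reuse and hygiene advice above can be checked against your own password-manager export. The following is an added example, not part of the original post: the CSV column names, the sample accounts, the tiny "leaked" list and the personal hints are all constructed assumptions.

```python
import csv
import hashlib
import hmac
import io
import os
import re
from collections import defaultdict

# Constructed sample: a password-manager CSV export (not real accounts).
SAMPLE_EXPORT = """site,username,password
mail.example,pat@example.com,Sunsh1ne!Harbor#42
shop.example,pat@example.com,Sunsh1ne!Harbor#42
bank.example,pat,rex1987
forum.example,pat,password1
photos.example,pat,k7$Vq!zeP2r#Lm9w
"""


def sha1_hex(password):
    """SHA-1 digest used only to compare against a leaked-password list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password list, held as digests.
LEAKED_SHA1 = {sha1_hex(p) for p in ("password1", "123456", "qwerty")}

# Assumption: guessable facts the user supplies (pet name, birth year).
PERSONAL_HINTS = ["rex", "1987"]


def audit(export_text, leaked_sha1, personal_hints):
    """Return {site: sorted list of findings} for every account with a problem."""
    # A per-run random key lets us group identical passwords without
    # keeping plaintext passwords as dictionary keys.
    run_key = os.urandom(32)
    sites_by_fingerprint = defaultdict(list)
    findings = defaultdict(set)

    for row in csv.DictReader(io.StringIO(export_text)):
        site, password = row["site"], row["password"]
        fingerprint = hmac.new(run_key, password.encode("utf-8"),
                               hashlib.sha256).digest()
        sites_by_fingerprint[fingerprint].append(site)

        # Password appears in the leaked list.
        if sha1_hex(password) in leaked_sha1:
            findings[site].add("in-leak")

        # Password contains easily guessable personal information.
        lowered = password.lower()
        if any(h.lower() in lowered for h in personal_hints if h):
            findings[site].add("personal-info")

        # Password lacks the mix of letters, numbers and special characters.
        patterns = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")
        if not all(re.search(p, password) for p in patterns):
            findings[site].add("weak-mix")

    # Same password on more than one account: the "one key for every lock" case.
    for sites in sites_by_fingerprint.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].add("reused")

    return {site: sorted(tags) for site, tags in findings.items()}


if __name__ == "__main__":
    for site, tags in audit(SAMPLE_EXPORT, LEAKED_SHA1, PERSONAL_HINTS).items():
        print(f"{site}: {', '.join(tags)}")
```

Run it against an export kept on an encrypted disk and delete the export afterward, since the file itself holds every password in plaintext.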

Additional Resources

For more detailed information on the AT&T breach, visit AT&T’s Data Incident Page, https://att.com/dataincident. For general cybersecurity tips, check out AT&T CyberAware, https://about.att.com/pages/cyberaware.

Stay informed and stay safe out there, digital sailors.

Anchors aweigh, and may your passwords be ever secure!

          Patches and Data Theft

          Greg Price

          If you use a Windows-based computer, you are aware of Patch Tuesday and also the dark side of Windows patching. To say Microsoft’s patching process is riddled with issues would be a kind gesture.

          The last several Windows 10 updates were buggy and, in some instances, catastrophic if installed. I often envision the Microsoft patching process as a game of whack-a-mole: one issue is addressed, another bursts onto the scene, and the cycle seems to loop continuously.

          In October 2019, Microsoft released a new update that was designed to remedy a printer driver issue from the previous update. However, many users encountered the nightmare for all Windows users: The Blue Screen of Death. If you’re not familiar with the Blue Screen, I’ll summarize. Your PC stops functioning completely.

          In October, those who encountered the dreaded Blue Screen had to roll back their machines to a previous version of Windows, if they did so within ten days of installing the update. As usual, miscellaneous applications and settings had to be restored, but at least you could resurrect your PC.

          Fast forward a few months and Microsoft did it again; an update is causing major problems for some.

          The February Windows 10 update, KB4532693, contains almost 100 different bug fixes and some enhancements to improve user interaction, but there’s another problem lurking within the update.

          Your data is deleted.

          Yeah, you read that correctly: not a Blue Screen of Death but, arguably, something worse. Reports from many Windows forums reveal that Windows 10 will sometimes fail to load user profiles correctly following the installation of the February update. As a result, personal files and settings disappear. Some researchers suggest the issue is related to the mechanism Windows uses to install the update. A temporary user profile is created by the update process and the profile isn’t waived; rather, Windows gets “stuck” in the temporary profile, resulting in loss of data to your other profiles.

          In the forums that I reviewed, users who experienced the issue didn’t lose all data; however, in all instances when the error occurred, all files saved to the Desktop, custom wallpapers and icons vanished.

          Microsoft hasn’t issued a response to the complaints, yet. However, Windows 10’s rollback feature appears to address the problem.

          If you observe the issue, I suggest rolling back to the previous working version of Windows 10. The steps follow.

          Click the Start button and select Settings. Go to “Update & Security”, then select Recovery. Under “Go back to the previous version of Windows 10”, choose “Get started”. Follow the instructions. Eventually the PC will prompt for a restart, and your device should revert.

          But please note, Windows 10 can only roll back within a ten-day window following an update – if you miss the timeframe, the rollback option is no longer available.

          For me, I advocate for keeping devices updated. It’s a solid method for securing a device against known vulnerabilities and ensures that you have the latest features and functionality. Microsoft’s poor history with updates is disconcerting. Many people are afraid to enable auto-updates due to the continued failures; more strikingly, large organizations fear Microsoft patches – the looming concern of “breaking” the business is a palpable anxiety.

          I don’t know how Microsoft tests and manages quality for the patches. I recognize that their software is wildly popular and testing every permutation and application isn’t a reasonable expectation; however, exposing users to a seemingly incompetent process only erodes confidence and instills a reticence to staying current. In fact, Windows users often litter discussion forums with questions of “who’s done it”, hoping to find the poor soul who jumped before looking.

          Let’s hope Microsoft recognizes that new features don’t outweigh reliable, safe operations.

          Shifting gears a bit, MGM Resorts recently announced a data breach. The breach occurred in July 2019, resulting in data compromise of nearly 11 million guests.

          MGM didn’t specifically express the number of affected guests; however, a cybercrime monitoring firm offered that 10.6 million people had their information breached.

          According to a statement from MGM Resorts, they discovered the breach last summer. The stolen data was stored in a cloud server. Among the data was basic “phone book information”. Apparently, names, email addresses, phone numbers and physical addresses were the main items stored in the cloud server. For a much smaller number of guests, driver’s license, military ID and passport information was exposed.

          ZDNet revealed the personal information theft, indicating that it was accessible on a hacking forum. After the ZDNet report, MGM Resorts published a statement in which they acknowledged the event. The statement indicated that they hired two cybersecurity companies to assist in the investigation and pledged to upgrade the security systems.

          MGM Resorts further stated, “We are confident that no financial, payment card or password data was involved in this matter.” MGM indicated they notified guests according to state data breach laws. Law enforcement is also working the incident. No indication of the cybercriminal’s identity was offered, and no one has overtly claimed responsibility for the breach.

          Given that most state data breach notification laws do not require victims to be notified when the stolen information is limited to basic data, such as directory information, it’s likely that many of those affected have no idea their information exists among the breached data.

          If you’ve stayed at an MGM Resort property recently, I suggest you follow basic fraud monitoring techniques; even though no financial data seems to exist among the data, we only know what has been released and stated. Taking a few precautions isn’t a bad idea.

          Check your financial accounts for fraudulent activity. If you observe something odd, contact your financial services provider and seek a review. If you employ credit monitoring, check your credit reports. If you don’t, request a free report. Again, if you notice something peculiar, report it.

          And lastly, consider changing your passwords. Despite the relatively low quality of the data, password guessing success increases as the volume of pertinent data increases.

          Watch those patches and check your financial records. Be safe.

          Why is Education a Cyber Target?

          Greg Price

          As a computer technologist, an innate bias envelops the word “technology”; whenever I hear the word, I immediately think of computers, software. Similarly, when a reference to security arises, instantly I think of cybersecurity.

          Our modern-day society is predicated on many forms of technology and a collective desire to progress is inextricably intertwined with the advancement of technologies. Among those technologies, undoubtedly, are computers, applications and a fascinating blend of things yet-to-be contemplated.

          So, for these comments, please share my predilection that technology inherently suggests some form of computer technology.

          Our schools are reliant on technology. The business of learning and fostering knowledge is deeply steeped in efficient, reliable technology.

          Computers provide access to boundless resources; we no longer refer to libraries as libraries, rather, they are media centers. I haven’t seen a card catalog in two decades – the physical volumes of the media center are cataloged within a database. Student ID cards reveal identity and serve as a digital passport for access to food services, secured structures, sporting events, the media center. Classrooms exhibit smartboards, digital displays, interactive media and mobile devices.

          The hallways are guarded by closed-circuit television. Textbooks are often paperless. Computer labs are an anachronism – some schools issue tablets, laptops to students. With the proliferation of high-speed wireless networks, the students and faculty are always “plugged” in.

          I doubt any of these comments are shocking to anyone.

          How are these technologies sustained?

          A new version of my cellphone appears every fall, every three weeks my software provider announces a new update, every day my computer installs new antivirus and anti-malware defenses, new firmware for my home router arrives, my wireless cameras exceed storage space, and on and on and on.

          Take those individual pieces and multiply them by a few thousand, by several thousand. The annoying becomes overwhelming.

          Yet, technology is easy, right?

          Developers march forward, seeking greater expansion and application of the newer and the better. Vendors offer their wares as the next generation of the latest and greatest. Rapid development techniques and intuitive user interfaces suggest greater advancement coincides with simpler management, lowered costs and ease-of-use.

          But, don’t be fooled.

          Today’s technology is incredibly complex. The digital architectures upon which our devices operate and information flows require constant observation and maintenance. The rapid development of software results in flawed, error-prone products. Our penchant for chasing the connection of all things creates an awkward mash-up of inter-connected devices.

          Managing thousands of digital devices, software and users requires resources.

          Most organizations, including educational entities, do not have adequate information technology resources.

          As Frankenstein networks emerge, combined with increasingly fragile software and high-speed cyber highways, the opportunity for security risks rises significantly.

          Every school hasn’t replaced textbooks with tablets; every classroom isn’t equipped with a smartboard and digital display. Without a doubt, variability in the use of, and adoption of, technology exists among our schools. However, the single thing that exists among all entities is security concern.

          Technology adoption will increase. With the growth, security concerns will flourish. Inadequate support resources coupled with frightening risk is a recipe for disaster.

          And the bad guys know it.

          Why do would-be bad actors target education?

          Opportunity is abundant and the environment is ripe with desirable goods.

          Educational organizations house treasure troves of personal information: employee and student biographical data, health data, financial data, performance data.

          Data is the new currency. With data, a bad actor can buy, sell, trade for practically anything. With data, a bad actor can embarrass, attack, impersonate another.

          Technology presents fabulous opportunity for students and teachers. Similarly, technology presents opportunity through unmanaged risk for exploitation and manipulation by those who endeavor to cause harm.

          Recent events underscore the value of adequately addressing cybersecurity needs in our schools. Ransomware has crippled school systems, phishing scams resulted in lost funds, hijacked credentials ended in reputation ruin, and the list goes on.

          In a recent discussion about computer resources being held hostage, a participant stated to the group that “we can teach without the computers.” I agree to an extent. We can also teach in temporary shelters following a natural disaster, but should we?

          Technology isn’t going away; we must increase our awareness to the threats presented by technology and work to safeguard our students and employees from the effects of cyberthreats.

          In order to close the gap in our defenses, the community must commit to supporting educational technologies comprehensively.

          If you employ technology, you have risk. If you collect student and employee data, you possess a commodity desirable by those who have the knowledge and means to do “evil”.

          What should we do?

          Support is needed. A structured, pragmatic approach to managing and mitigating the cyber risk is here. Prescribing awareness and best practices is a solid foot forward. However, to achieve maximum effectiveness, we must provide the proper resources and guidance to ensure that adequate controls are in place.

          Additionally, we need to expect and request more from our technology developers and integrators – we’re not alone in this voyage.

          Antivirus Program Runs Afoul

          Greg Price

          This article was originally published in The Troy Messenger on January 31, 2020.

          The internet is riddled with all sorts of wickedness.  The opportunity to encounter malicious content is ever-present.  Protecting our technology and digital presences is a matter of necessity.  Quite often, the most frequent tool to assist with protection is an anti-virus application.

          If you’re not running an anti-virus program on a modern computing device, it’s likely you’re either playing with fire, or, a very lucky person – in either case, it’s only a matter of time before the would-be bad actors reach success and infiltrate your devices with some virus or malware.  I’ve written extensively on the importance of protecting devices, updating software and maintaining a healthy dose of skepticism about “apps”.

          However, it’s with a heavy heart that I inform you of a substantial issue with a common and free antivirus tool: Avast.

          I suppose we shouldn’t be too shocked that trusted software can serve duplicitous roles.  You all have read of reported issues with other security tools sharing information via clandestine avenues with shadowy organizations.  So, let’s add Avast to the list of protective software accused of deceptive tactics.

          Avast is well-known and loved.  Since 2017, Avast has been the most popular anti-virus vendor on the market.  The company holds the largest share of the market for anti-virus applications.  I’ve suggested it for many years, in fact, I use the tool.  Well, I suppose I should say, I used the tool until recently…

          Earlier this week, an investigative report revealed that the Avast anti-virus platform was collecting personal data from its enormous user base and selling the collected personal data to third-parties.

          The accusation sent waves through the security community.  Such a violation of trust by a provider of software anchored in trust was incorrigible.  I was both angered and disappointed.

          There’s a reason why the endpoint protection axiom is shouted from the rooftops of every cybersecurity manual: it works.  Protect the endpoint, the end-user device, and your defenses are strengthened.  Neglect the endpoint and you will suffer the perils of the internet-connected world.

          So, what happens when the good guys are suddenly exposed as supposed bad guys?

          The trust relationship erodes quickly.

          If my anti-virus program fails, that’s a big deal.  If I update the application frequently, scan my device intensively and discover that my computer is littered with a variety of badness, I will doubt the product, the company’s ability to deliver on their promise: protect me.

          But, what are your concerns about an anti-virus company that protects you while simultaneously spiriting away personal data in the background?  Is a moral conundrum afoot?

          As an aside, please review every social media platform article I’ve written.  But, back to Avast.

          The harvesting of personal data is the claim via an investigation by Motherboard and PCMag.

          Documents reveal that Avast has been purposefully collecting data from customers for years.  A subsidiary company of Avast, called Jumpshot, served as the intermediary for the sale of the data.

          What types of data, you ask?

          Well, for starters, web browsing history.

          Yeah, pause for a moment and think about that.  Your anti-virus program protects your device from badness, while peeking over your shoulder.  All of those clicks, those websites have been bundled and sold.

          Included among the web browsing history are shopping and search engine queries.

          The report indicated that some of the biggest companies in the world paid millions of dollars for the data.

          One option offered within the data was something referred to as “all clicks feed”.  The option tracks all web clicks and interactions with websites with an incredible degree of both accuracy and completeness.

          In one example described in the investigative report, a user was observed visiting pornography sites.  Not only were the pornography sites listed, but, every click on the sites, every search on the sites, and how the user located the pornography site were included among the datasets.

          The report revealed that the data was anonymized: personally identifiable features were not included among the data.  But, given the extent of the intrusion, it’s not hard to imagine that data exists somewhere.

          So, what do you do?

          According to several reports, simply installing Avast doesn’t necessarily equate to an invasion of privacy.  A specific browser plugin, suggested by Avast, appears to be the key to the data harvesting efforts.  The plugin is offered as a way to protect against cyberattacks and unauthorized connections from dubious web servers and traffic.  If the browser extension (plugin) isn’t installed, it’s likely that your data hasn’t been pilfered.

          Avast’s initial response to the report was weak.  They didn’t deny the operation, instead, they simply indicated that the data had been anonymized, bundled within large datasets, and can’t be used to personally identify or target a specific user.

          While the statement appears to be technically true, Avast assigned an identifier as a substitute for a personally-identifiable attribute.  The assigned identifier persists on your device unless you uninstall the Avast anti-virus product.

          However, in the world of big data, when large datasets are combined, the opportunity to specifically identify an individual increases greatly.  A collection of anonymized data in the right hands can be reassembled with other “known” data and a clearer picture of the user brought into focus.
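Why a persistent identifier undermines the "anonymized" claim can be measured by whoever holds the data before it is shared. The following is an added example, not taken from the investigative report or from Avast: the feed rows, field layout and device IDs are constructed. It computes, for each pseudonymous ID, how few of its own events are needed before no other ID matches.

```python
from itertools import combinations

# Constructed sample of a pseudonymised click feed: (device_id, domain, hour).
# No names appear, but the device_id persists across rows.
FEED = [
    ("dev-a1", "news.example", 8), ("dev-a1", "shop.example", 12),
    ("dev-a1", "clinic.example", 17),
    ("dev-b2", "news.example", 8), ("dev-b2", "shop.example", 12),
    ("dev-b2", "bank.example", 19),
    ("dev-c3", "news.example", 8), ("dev-c3", "forum.example", 21),
    ("dev-d4", "news.example", 8), ("dev-d4", "shop.example", 12),
    ("dev-d4", "bank.example", 19),
    ("dev-e5", "shop.example", 12), ("dev-e5", "forum.example", 21),
]


def traces(feed):
    """Group events by the persistent identifier."""
    grouped = {}
    for device_id, domain, hour in feed:
        grouped.setdefault(device_id, set()).add((domain, hour))
    return grouped


def min_points_to_single_out(feed, max_k=3):
    """For each device id, the smallest number of its own events that no
    other device shares in full; None if it still blends in at max_k."""
    grouped = traces(feed)
    result = {}
    for device_id, events in grouped.items():
        result[device_id] = None
        for k in range(1, min(max_k, len(events)) + 1):
            for subset in combinations(sorted(events), k):
                chosen = set(subset)
                shared = any(chosen <= other
                             for other_id, other in grouped.items()
                             if other_id != device_id)
                if not shared:
                    result[device_id] = k
                    break
            if result[device_id] is not None:
                break
    return result


def unicity(feed, k):
    """Fraction of device ids that k known events are enough to isolate."""
    needed = min_points_to_single_out(feed, max_k=k)
    return sum(1 for v in needed.values() if v is not None) / len(needed)


if __name__ == "__main__":
    print(min_points_to_single_out(FEED))
    print("unicity at k=1:", unicity(FEED, 1))
    print("unicity at k=2:", unicity(FEED, 2))
```

In this constructed feed, dev-b2 and dev-d4 have identical histories and protect each other, while every other ID is isolated by one or two events.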

          On January 30, 2020, Avast announced that they would close Jumpshot and issued an apology.

          So, what should you do?

          Consider another product.  If you’re a Windows user, use Windows Defender.  The tool is robust, runs intimately with the operating system and is updated very frequently.

          In the meantime, read those software agreements thoroughly and be safe!

          Protect Your Business Continued

          Greg Price

          Last week I referenced the Verizon breach report and some of the key observations among the data.

          Small businesses are a favorite target for cyberattacks.

          I offered two “stacks” of suggestions: the easy-to-do stack and the more-difficult stack.  Each stack represents best practices for improving your cybersecurity posture and reducing data breach risk.

          The “easy” stack included suggestions for raising employee awareness, managing backup routines, enabling automatic updates, upgrading password hygiene, and strengthening physical security.

          The “difficult” stack is heavy with policy and planning.

          Verizon’s report revealed that an incredible sixty percent of small businesses that suffered a data breach were closed within six months of the cybersecurity event.

          Why?

          Obviously, cost and damage to reputation account for many of the closures.  However, given that small businesses often operate on razor thin margins, and, owners are also operators, time is a precious resource.

          As a result, expending time on building technology usage plans and incident response plans is not a front-burner priority.  Making payroll and improving revenue are vital to the business’ success, not a plan that may never be used – at least, that’s a common thought.

          However, let’s suppose you operate a business that is dependent upon mechanical devices.  Your ability to produce is dependent upon machines, and, more specifically the efficient operation of those devices.

          If a device breaks, many small business owners have the expertise to repair their equipment themselves; in fact, their knowledge of the functional side of a business is often the value they depend upon for success.  Manuals and a network of knowledgeable resources complement what the owner may lack.

          What happens when a data breach occurs?

          Choose your own adventure – a hacker breaks into your business software and steals customer data.  Or, a ransomware attack is successfully deployed via an email and all of your computers and cash registers are broken.  Or, perhaps, a thief smashes a window and walks away with your server.

          What do you do?

          If a piece of vital equipment broke, you’d employ your knowledge, or, knowledge network to repair the device.

          In other words, you would launch a repair plan.

          The same must exist with your IT operations.  A plan is needed, especially if IT isn’t your core business function.

          Enter the IT plans.

          A written security policy is necessary for modern businesses.  In some instances, a security policy is a regulatory requirement.

          In Alabama, the new data breach notification law requires that businesses evaluate and implement reasonable security measures – a security policy/plan will assist in those efforts.

          While there’s no penalty for not being proactive, if a breach results, your situation will not be enhanced by not having a written security policy.

          A good security policy outlines how you manage customer data, how you protect it, and, if an incident occurs, what you do to respond.

          I suggest considering the plan as a blueprint for you and your employees: if something goes wrong, it’s a basic manual for controlling the situation.

          A good starting place for policies is a set of templates designed by security experts.  Free templates are available at https://www.sans.org/security-resources/policies.

          Review the policy templates and tailor them to your specific needs.  Share them with your employees and review them, at least annually.

          Encryption is another must.

          Encryption of your data reduces the likelihood of the data being read by an unintended recipient.  Most modern operating systems provide a mechanism by which you can encrypt your local data.  By enabling local encryption on your office devices, you reduce data loss through physical theft.  If someone breaks into your office and steals a computer, an encrypted device presents a formidable challenge to the thief.  Similarly, using encryption for accessing email and other sensitive systems is important.  If you employ a commercial email product, encryption is always included in the solution, simply verify that it is enabled.

          Backups, part two.

          I mentioned the importance of backups last week.  However, in addition to establishing a backup routine and testing the quality of your backups, there are a few additional items to consider.

          The purpose of a backup is to restore lost data.

          If your backup solution doesn’t encrypt your data, you should enable backup encryption.  If a data thief gains access to your backups, if they aren’t encrypted, you’ve provided a nice package that enables easy theft of volumes of data from one location.

          Also, consider your backup strategy.

          Are you depending on a local device for backup, such as an external hard drive, tape?  Do you depend on a cloud backup, such as Microsoft OneDrive?

          Redundancy is important.  If you backup data to a local external hard drive, that’s great – make sure it’s encrypted and stored safely.  But, what do you do if the hard drive fails?  What do you do if your cloud provider is down when you need to restore lost data, or, if your internet service provider is experiencing problems?

          Redundancy provides extra protection and can be accomplished very simply.  In fact, for small businesses, the tools are often available with current software subscriptions, the features simply need to be activated.

          And, lastly, data destruction and life cycle should be reviewed.

          Don’t hoard electronic data.  If you have no regulatory requirement or business need to maintain copies of unused data, get rid of it.  Dispose of the data properly, use verified tools for deletion of the data.  By doing so, you reduce the amount of data that a would-be bad actor can access, and, make your systems run more efficiently.

          Last week’s small, easy tasks will enhance your security posture quickly.

          This week’s suggestions require more planning and thought.  However, there are many free sources for technology and security plans, and most modern software provides the enhanced features that I mentioned.

          Be safe and protect your business and your customers’ data.