FreshRSS


Researchers Detail Azure SFX Flaw That Could've Allowed Attackers to Gain Admin Access

Cybersecurity researchers have shared more details about a now-patched security flaw in Azure Service Fabric Explorer (SFX) that could potentially enable an attacker to gain administrator privileges on the cluster. The vulnerability, tracked as CVE-2022-35829, carries a CVSS severity rating of 6.2 and was addressed by Microsoft as part of its Patch Tuesday updates last week. Orca

Tear in Microsoft Azure Service Fabric can give attackers full admin privileges

Orca Security disclosed the bug, and older versions remain vulnerable

A proof-of-concept exploit has been published detailing a spoofing vulnerability in Microsoft Azure Service Fabric. The flaw allows attackers to gain full administrator permissions and then perform any manner of malicious activity.…

The infinite beauty of the hive mind

Looking at the future of crowdsourced security

Webinar The individual memory of a bee is the repository for one facet of the collective memory of the beehive - the hive mind. Working together each bee feeds into the collective consciousness of the hive to optimize the production of the very best honey.…

Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware

An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years. Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of

A Quick Guide for Small Cybersecurity Teams Looking to Invest in Cyber Insurance

In the world of insurance providers and policies, cyber insurance is a fairly new field. And many security teams are trying to wrap their heads around it. What is it and do they need it? And with what time will they research how to integrate cyber insurance into their strategy? For small security teams, this is particularly challenging as they contend with limited resources. Luckily,

Passwords still dominate, and are causing headaches for everyone

While use of passwords is gradually dropping, there are still a lot of them out there to forget.

RESTRICT: LOCKING THE FRONT DOOR (Pt. 3 of “Why Don’t You Go Dox Yourself?”)

In the first step of our doxxing research, we collected a list of our online footprint, digging out the most important accounts that you want to protect and obsolete or forgotten accounts you no longer use. Because the most recent and relevant data is likely to live in the accounts you use regularly, our next step will be to review the full scope of what’s visible from these accounts and to set more intentional boundaries on what is shared. 

It’s important to note here that the goal isn’t to eliminate every trace of yourself from the internet and never go online again. That’s not realistic for the vast majority of people in our connected world (and I don’t know about you, but even if it was I wouldn’t want to!) And whether it’s planning for an individual or a giant organization, security built to an impossible standard is destined to fail. Instead, we are shifting you from default to intentional sharing, and improving visibility and control over what you do want to share. 

LOCKING THE FRONT DOOR 

Before making changes to the settings and permissions for each of these accounts, we’re going to make sure that access to the account itself is secure. You can start with your email accounts (especially any that you use as a recovery email for forgotten passwords, or use for financial, medical, or other sensitive communications). This shouldn’t take very long for each site, and involves a few straightforward steps: 

  • Set a long, unique password for each account. Weak or reused passwords are most vulnerable to attack, and as you most likely discovered during your HaveIBeenPwned search, the odds are better than not that you found your username or email in at least one previous breach. 

The best way to prevent a breached password from exposing another account to attack is to use a unique password for every website you visit. And while you may have heard previous advice on strong passwords (along the lines of “eight or more characters, with a mix of upper/lower case letters, numbers, and special characters”), more recent standards emphasize the importance of longer passwords. For a great explanation of why longer passwords work better than shorter, multi-character type passwords, check out this excellent XKCD strip: 


A password manager will make this process much easier, as most have the ability to generate unique passwords and allow you to tailor their length and complexity.  While we’re on the topic of what makes a good password, make sure that the password to access your password manager is both long and memorable.

You don’t want to save or auto-fill that password because it acts as the “keys to the kingdom” for everything else, so I recommend following a process like the one outlined in the comic above, or another mnemonic device, to help you remember that password. Once you’ve reset the password, check for a “log out of active devices” option to make sure the new password is used.

  • Set up strong authentication using multi-factor authentication wherever it is supported. Whether short or long, a password on its own is still vulnerable to capture or compromise. One way experts have improved login security is through the use of multi-factor authentication. Multi-factor authentication is often shortened to MFA and can also be referred to as two-step authentication or 2FA.

MFA uses two or more “factors” verifying something you know, something you have, or something you are. A password is an example of “something you know”, and here are a few of the most common methods used for an additional layer of security:

  • Email/SMS passcodes: This has become a common method for verifying logins to secure services like bank accounts and health portals. You enter your username and password and are prompted to enter a short code that is sent to your email or cell number associated with the account. It’s a popular method because it requires no additional setup. However, it suffers from the same weaknesses email accounts and phone numbers do on their own: If you set up 2FA for a social media service using email passcodes on an email using only a password for access, you’re effectively back to the security of a password alone. This is better than nothing, but if one of the other factors is supported you should likely opt for it instead.
  • Hardware/software passcode generators: This method uses either a physical device like a keyfob or USB dongle or an installed soft token generator app on a smart device to generate a short code like those sent to SMS or email without relying on those channels. You may use an app tied to the service (like the Steam Authenticator on the iOS/Android Steam app) or scan a QR code to store the new account in a third-party authenticator app like Google Authenticator or Duo Mobile. This still isn’t ideal, because you’re typing in your passcode on the same device where you entered your password – meaning if someone is able to intercept or trick you into revealing your password, they may very well be able to do the same with the passcode.


  • On-device prompt: Rather than using a trusted email or phone number to verify it’s you, this method uses a trusted device (something you have) to confirm your login. If you’ve tried logging into a Gmail account and been prompted to approve your login through another already-approved device, you’re completing an on-device prompt. Another type of on-device prompt would be login approvals sent through push notifications to an authenticator app like Duo Mobile, which will provide you with other details about the login to your account. Because you approve this prompt on a separate device (your phone) than the device used to log in (your computer), this is more resistant to being intercepted or captured than a passcode generator.

  • Biometric authentication: If you buy an app on the Google Play Store or iOS App Store, you may be prompted to confirm your purchase with a fingerprint sensor or facial recognition instead of entering a password. The shift to unlocking our mobile devices through biometric methods (unique physical measurements or “something you are”) has opened up a more convenient strong authentication. This same method can be used as a prompt on its own, or as a requirement to approve an on-device prompt.

If you want to know more about the different ways you can log in with strong authentication and how they vary in effectiveness, check out the Google Security Team blog post “Understanding the Root Cause of Account Takeover.”

PASSWORD QUESTIONS: WHERE DID YOUR FIRST PET GO TO HIGH SCHOOL?

Before we move on from passwords and 2FA, I want to highlight a second step to log in that doesn’t meet the standard of strong authentication: password questions. These are usually either a secondary prompt after entering username and password, or used to verify your identity before sending a password reset link. The problem is that many of the most commonly-used questions rely on semi-public information and, like passcodes, are entered on the same device used to log in.

Another common practice is leveraging common social media quizzes/questionnaires that people post on their social media account. If you’ve seen your friends post their “stage name” by taking the name of their first pet and the street they grew up on, you may notice that’s a combination of two pretty common password questions! While not a very targeted or precise method of attack, the casual sharing of these surveys can have consequences beyond their momentary diversion.

One of the first widely-publicized doxxings happened when Paris Hilton’s contact list, notes, and photos were accessed by resetting her password using the password question, “what is your favorite pet’s name?”. Because Hilton had previously discussed her beloved chihuahua, Tinkerbell, the attacker was able to use this information to access the account.

Sometimes, though, you’ll be required to use these password questions, and in those cases I’ve got a simple rule to keep you safe: lie! That’s right, you won’t be punished if you fib when entering the answers to your password questions so that the answers can’t be researched, and most password managers also include a secure note field that will let you save your questions and answers in case you need to recall them later.



This latest Firefox update makes it easier to protect your privacy online

The latest Mozilla Firefox release makes it easier for users to access private browsing mode.

Government officials, including Russia, call for dialogue in combating cybersecurity threats

Need for multilateral cooperation and open communications is the shared message amongst senior government officials from across the globe, including Russia and the United States, who have gathered in Singapore to discuss strategies in cyberdefence.

Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update

Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process. "The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims," Tomer Bar, director of security research at

CISA Warns of Critical Flaws Affecting Industrial Appliances from Advantech and Hitachi

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two Industrial Control Systems (ICS) advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. This consists of three weaknesses in the R-SeeNet monitoring solution, successful exploitation of which "could result in an unauthorized attacker remotely deleting files on the

Germany stands down cyber boss over Russian ties

Involvement with lobby group that welcomed Putin's pals presses buttons

Germany's government has stood down the president of its Federal Office for Information Security, Arne Schönbohm, over his links to Russia.…

How Card Skimming Disproportionally Affects Those Most In Need

When people banking in the United States lose money because their payment card got skimmed at an ATM, gas pump or grocery store checkout terminal, they may face hassles or delays in recovering any lost funds, but they are almost always made whole by their financial institution. Yet, one class of Americans — those receiving food assistance benefits via state-issued prepaid debit cards — are particularly exposed to losses from skimming scams, and usually have little recourse to do anything about it.

California’s EBT card does not currently include a chip. That silver square is a hologram.

Over the past several months, authorities in multiple U.S. states have reported rapid increases in skimming losses tied to people who receive assistance via Electronic Benefits Transfer (EBT), which allows a Supplemental Nutrition Assistance Program (SNAP) participant to pay for food using SNAP benefits.

When a participant uses a SNAP payment card at an authorized retail store, their SNAP EBT account is debited to reimburse the store for food that was purchased. EBT is used in all 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, and Guam.

EBT cards work just like regular debit cards, in that they can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM.

However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make payment cards much more difficult and expensive for skimming thieves to clone.

Alas, it is no accident that all of the states reporting recent spikes in fraud tied to EBT accounts — including California, Connecticut, Maryland, Pennsylvania, Tennessee, and Virginia — appear to currently issue chip-less cards to their EBT recipients.

The Massachusetts SNAP benefits card looks more like a library card than a payment card.  Oddly enough, both are reliant on the same fundamentally insecure technology: The magnetic stripe, which stores cardholder data in plain text that can be easily copied.

In September, authorities in California arrested three men thought to be part of a skimming crew that specifically targeted EBT cards and balances. The men allegedly installed deep insert skimmers, and stole PINs using tiny hidden cameras.

“The arrests were the result of a joint investigation by the Sheriff’s Office and Bank of America corporate security,” reads a September 2022 story from The Sacramento Bee. “The investigation focused on illegal skimming, particularly the high-volume cash-out sequence at ATMs near the start of each month when Electronic Benefits Transfer accounts are funded by California.”

Armed with a victim’s PIN along with stolen card data, thieves can clone the card onto anything with a magnetic stripe and use it at ATMs to withdraw cash, or as a payment instrument at any establishment that accepts EBT cards.

Skimming gear seized from three suspects arrested by Sacramento authorities in September. Image: Sacramento County Sheriff’s Office.

Although it may be shocking that California — one of America’s wealthiest states — still treats EBT recipients as second-class citizens by issuing them chip-less debit cards, California behaves like most other states in this regard.

More critical, however, is the second way SNAP cards differ from regular debit cards: Recipients of SNAP benefits have little to no hope of recovering their funds when their EBT cards are copied by card-skimming devices and used for fraud.

That’s because in the SNAP program, federal law bars the states from replacing SNAP benefits using federal funds. And while some of these EBT cards have Visa or MasterCard logos on them, it is not up to those companies to replace funds in the event of fraud.

Victims are encouraged to report the theft to both their state agency and the local police, but many victims say they rarely receive updates on their cases from police, and, if they hear from the state, it’s usually the agency telling them it found no evidence of fraud.

Maryland’s EBT card.

That’s according to Brenna Smith, a reporter at The Baltimore Banner who recently wrote about the case of a Maryland mother of three who lost nearly $3,000 in SNAP benefits thanks to a skimmer installed at a local 7-Eleven. Maryland [Department of Human Services] spokesperson Katherine Morris told the Banner there was evidence of “a nationwide EBT card cloning scheme.”

The woman profiled in Smith’s story contacted all of the retailers where her EBT card was used to buy thousands of dollars worth of baby formula. Two of those retailers agreed to share video surveillance footage of the people making the purchases at the exact timestamps specified in her EBT account history: The videos clearly showed it was the same fraudster making both purchases with a cloned copy of her EBT card.

Even after the police officer assigned to the victim’s case confirmed they found a skimmer installed at the 7-Eleven store she frequented, her claim — which was denied — is still languishing in appeals months later.

(Left) A video still showing a couple purchasing almost $1,200 in baby formula using SNAP benefits. (Right) A video still of a woman leaving from the CVS in Seat Pleasant. Image: The Baltimore Banner.

The Center for Law and Social Policy (CLASP) recently published Five Ways State Agencies Can Support EBT Users at Risk of Skimming. CLASP says while it is true states can’t use federal funds to replace benefits unless the loss was due to a “system error,” states could use their own funds.

“Doing so will ensure families don’t have to go without food, gas money, or their rent for the month,” CLASP wrote.

That would help address the symptoms of card skimming, but not a root cause. Hardly anyone is suggesting the obvious, which is to equip EBT cards with the same security technology afforded to practically everyone else participating in the U.S. banking system.

There are several reasons most state-issued EBT cards do not include chips. For starters, nobody says they have to. Also, it’s a fair bit more expensive to produce chip cards versus plain old magnetic stripe cards, and many state assistance programs are chronically under-funded. Finally, there is no vocal (or at least well-heeled) constituency advocating for change.

FBI: Looking for Biden's student loan forgiveness? Watch out for these scams

You really think someone would do that? Just go on the internet and steal identities?

In what can only be described as inevitable, the FBI is warning those eligible for student loan debt relief to keep an eye out for scammers trying to take advantage of President Biden's program.…

Toyota Data Breach Exposes Customer Data – What You Can Do to Protect Yourself

By: McAfee

Automobile manufacturer Toyota recently announced a data breach that may have exposed the emails of up to 300,000 customers for a period of nearly five years. 

Toyota says the breach is the result of a subcontractor posting source code for Toyota’s “T-Connect” app on the software development platform GitHub in December 2017. This code included an access key to the data server that hosted the e-mail addresses and customer management numbers of T-Connect users. The publicly available source code was found on September 15th, 2022, at which time Toyota changed the access key. 

Toyota customers affected by this data breach include T-Connect users who registered their email on the Toyota T-Connect site since July 2017. 

According to Toyota’s announcement and apology, no other personal information such as customer names, phone numbers, and credit cards was affected. (Note that this announcement was published in Japanese—you can use your browser to translate.) 

The company further could not confirm whether this information was in fact accessed. However, the company could not deny the possibility that it was at some point during that five-year period. 

Toyota said that it will individually send an apology and notification to the registered email address of any customer whose information may have been leaked.   

I’m a Toyota owner. What should I do about the Toyota T-Connect data leak? 

Any time a data breach occurs, it means that your personal information could end up in the hands of a bad actor. Different pieces of personal information can be more useful to them than others. Some are directly useful, such as a Social Security Number or credit card information because they uniquely identify you. Others are indirectly helpful, like device IDs, browsing history, geolocation information, and internet protocol addresses. On their own, such information will not uniquely identify you. Yet with enough indirect information, and in the right combination, a bad actor could use them to piece together your identity. 

In light of this, there are a few steps you can take to protect yourself in the aftermath of a data breach, which involves a combination of preventative steps and some monitoring on your part. 

Keep an eye out for phishing attacks 

Given that email addresses may have been compromised, Toyota specifically warned its customers about the possibility of phishing attacks and other unsolicited emails that may contain malware or links to malicious sites. While it’s always wise to keep a skeptical eye open for unsolicited messages that ask you for information or that contain attachments you weren’t expecting, it’s particularly important after breaches. If you receive such emails, delete them, and don’t click on any links or attachments.  

Also note that bad actors may launch phishing attacks where they pose as Toyota, all with the aim to steal personal information. Such emails can clearly look like a scam, such as when they include typos, grammatical errors, or sloppy graphics. Others can look far more sophisticated, almost like a legitimate email. Learning how to tell the two apart can take a little skill, and you can check out this quick read so you can spot and protect yourself from phishing scams. 

Consider using comprehensive online protection 

A complete suite of online protection software can offer layers of extra security. In addition to more private and secure time online with a VPN, identity monitoring, and password management, it includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—which antivirus protection can’t do alone. Additionally, we offer $1M identity theft coverage and support from a recovery pro, just in case. 

Change your passwords and use a password manager 

As far as passwords go, strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager will help you keep on top of it all, while also storing your passwords securely. Moreover, changing your passwords regularly may make a stolen password worthless because it’s out of date. 

Because so many accounts use an email address as the username, and because email addresses were exposed in the Toyota leak, updating your passwords across your accounts can provide an extra level of protection. 

Enable two-factor authentication 

While a strong and unique password is a good first line of defense, enabling two-factor authentication across your accounts will help your cause by providing an added layer of security. It’s increasingly common to see nowadays, where banks and all manner of online services will only allow access to your accounts after you’ve provided a one-time passcode sent to your email or smartphone. If your accounts support two-factor authentication, enable it. 

Consider using identity monitoring 

An identity monitoring service can monitor everything from email addresses to IDs and phone numbers for signs of breaches so you can take action to secure your accounts before they’re used for identity theft. Personal information harvested from data breaches can end up on dark web marketplaces where it’s bought by other bad actors so they can launch their own attacks. McAfee monitors the dark web for your personal info and provides early alerts if your data is found on there, an average of 10 months ahead of similar services. We also provide guidance to help you act if your information is found. 

Clean up your personal data online 

As mentioned earlier, information stolen in a data breach may indirectly identify you. Yet when pieced together with other information, it can then directly identify you. Bad actors can complete this identity picture puzzle with information provided by data brokers that buy and sell personal information online. However, you can take some control over this. Our Personal Data Cleanup service scans high-risk data broker sites for your personal information and then helps you remove it—which denies bad actors the information they may need to commit identity theft. 

Staying Safe in the Wake of the Toyota Data Leak 

If your personal information gets caught up in a data leak or breach, take the steps to protect yourself. Should that information get into the hands of bad actors, it could lead to follow-on attacks such as phishing attempts, account hacks, and, in extreme cases, identity crime. 

Further, as in the case of Toyota, it can take months or even years for companies to discover leaks and breaches. From there, it can take yet longer before a company announces the leak or breach. Together, that leaves bad actors with plenty of opportunity to commit all kinds of identity crime in the meantime.  

Because of this, taking preventative steps to secure and monitor your identity can help protect you from harm—even if your information wasn’t involved in an attack. With data leaks and breaches of all sizes now commonplace, a proactive stance offers far better protection than reactionary measures taken after the fact. 

The post Toyota Data Breach Exposes Customer Data – What You Can Do to Protect Yourself appeared first on McAfee Blog.

Build some flexibility into your cyber learning

Training should bend around the many moving parts in your daily schedule, not the other way around.

Sponsored Post We're all looking for a way to get the best cyber security training on the market, so we can push ahead in our careers. But we want to do it at our own pace, and in a location that suits us.…

'Fully undetectable' Windows backdoor gets detected

SafeBreach supposedly spots somewhat stealthy subversive software

SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming.…

NSA urges enterprises to watch China, Taiwan tensions

Have you thought about your supply chains, partnerships, and how far they reach?

Tensions between the US, China, and Taiwan have far-reaching impacts beyond semiconductor saber-rattling and trade restrictions. There is an enterprise security angle that CISOs should be on guard to tackle, according to US intelligence.…

Putting on the Red Hat

Keeping on top of Linux enterprise security requirements

Webinar If there was a tablet of stone inscribed with ten commandments for the fundamental requirements of an operating environment, the first would almost certainly be 'thou shalt have security and stability.'…

Cryptocurrency and Ransomware — The Ultimate Friendship

Both cryptocurrency and ransomware are nothing new in the digital world; both have been there for a very long time, which was enough for them to find common pieces for starting their relationship. Ransomware can be like a virtual car that works on all types of fuels, and crypto is the one that is currently most recommended. No one can argue that 2020 was the year of ransomware in the cyber world

Car theft ring used software to steal hundreds of vehicles without the physical key fob, say police

Organised crime group used fraudulent software to duplicate keys and steal cars, say law enforcement agencies.

Upstart Ransom Cartel linked to REvil veterans

Lesser of two REvils? There’s a relationship, say infosec bods, but not enough to say one evolved into the other

It has been almost a year since the ransomware gang Ransom Cartel was first detected and the crew over that time has racked up a steady drumbeat of victims in such countries as the United States and France and from a broad array of industry sectors.…

How the World Will Know If Russia Is Preparing to Launch a Nuclear Attack

While tensions over a possible nuclear attack on Ukraine remain high, experts say surveillance will likely catch Russia if it plans to do the unthinkable.

Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong

The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly

European Police Arrest a Gang That Hacked Wireless Key Fobs to Steal Cars

Law enforcement authorities in France, in collaboration with Spain and Latvia, have disrupted a cybercrime ring that leveraged a hacking tool to steal cars without having to use a physical key fob. "The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away," Europol said in a press statement. The coordinated

Ever considered using Confidential Computing to beef up cloud data protection?

This is your chance to let us know, so we can report back to you

Sponsored Feature The steady migration of applications and infrastructure out of in-house data centres and server farms and into the cloud looks unstoppable at this moment in time. Research firm Gartner has estimated that by 2025, 51 percent of IT spending on application and infrastructure software, business process services and system infrastructure will have shifted to the public cloud, up from 41 percent in 2022. And you can bet that large volumes of the data that those applications and systems host and process will go with them.…

Imagine surviving a wiper attack only for ransomware to scramble your restored files

Then again, imagine being invaded by Russia

Organizations hit earlier by the HermeticWiper malware have reportedly been menaced by ransomware unleashed this month against transportation and logistics industries in Ukraine and Poland.…
