31 MAY 19
NY Investigates Exposure of 885 Million Mortgage Documents
New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.
On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.
On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.
First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.
The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.
“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”
News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”
Identity thieves hijack cellphone accounts to go after virtual currency
Originally published August 21, 2017 at 6:15 pm; updated August 21, 2017 at 10:56 pm
Joby Weeks, a Bitcoin entrepreneur who lost his phone number and about a million dollars’ worth of virtual currency last year, in Arvada, Colo., on Aug. 8, 2017. So-called phone porting attacks are exposing a vulnerability that could be exploited against anybody with valuable emails or other digital files. “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” Weeks said. (MATTHEW STAVER/NYT)
Hackers have been calling up wireless carriers and asking them to transfer control of a victim’s phone number to a device under the control of the hackers. They can then reset the passwords on every account that uses the phone number as a security backup.
The New York Times
Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile US, Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
“My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘OK, this is really serious,’” said Chris Burniske, a virtual-currency investor who lost control of his phone number late last year.
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.
But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual-currency fanatics like Burniske.
Within minutes of getting control of Burniske’s phone, his attackers had changed the password on his virtual-currency wallet and drained the contents — some $150,000 at today’s values.
Most victims of these attacks in the virtual-currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a bitcoin entrepreneur.
Weeks lost his phone number and about $1 million worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.
Accounts with banks and brokerage firms and the like are not as vulnerable to these attacks because these institutions can usually reverse unintended or malicious transactions if they are caught within a few days.
But the attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files — including politicians, activists and journalists.
Last year, hackers took over the Twitter account of DeRay Mckesson, a leader of the Black Lives Matter movement, by first getting his phone number.
In a number of cases involving digital-money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another.
The vulnerability of even sophisticated programmers and security experts to these attacks sets an unsettling precedent for when the assailants go after less technologically savvy victims. Security experts worry that these types of attacks will become more widespread if mobile-phone operators do not make significant changes to their security procedures.
“It’s really highlighting the insecurity of using any kind of telephone-based security,” said Michael Perklin, chief information security officer at the virtual currency exchange ShapeShift, which has seen many of its employees and customers attacked.
Mobile-phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.
But these measures have not been enough to stop the spread and success of the culprits.
After a first wave of phone-porting attacks on the virtual-currency community last winter, which was reported by Forbes, their frequency appears to have ticked up, Perklin and other security experts said.
In several recent cases, the hackers have commandeered phone numbers even when the victims knew they were under attack and alerted their cellphone provider.
Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.
But just a day later, he said, the attacker persuaded a different Verizon agent to change Pokornicky’s number without requiring the new PIN.
A spokesman for Verizon, Richard Young, said that the company could not comment on specific cases, but that phone porting was not common.
“While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short,” he said. “We strive to correct these issues quickly and look for additional ways to improve security.”
Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found.
“These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Weeks said.
As Scope of 2012 Breach Expands, LinkedIn to Again Reset Passwords for Some Users
MAY 18, 2016 BRIAN KREBS
A 2012 data breach that was thought to have exposed 6.5 million hashed passwords for LinkedIn users instead likely impacted more than 117 million accounts, the company now says. In response, the business networking giant said today that it would once again force a password reset for individual users thought to be impacted in the expanded breach.
The 2012 breach was first exposed when a hacker posted a list of some 6.5 million unique passwords to a popular forum where members volunteer or can be hired to hack complex passwords. Forum members managed to crack some of the passwords, and eventually noticed that an inordinate number of the passwords they were able to crack contained some variation of “linkedin” in them.
LinkedIn responded by forcing a password reset on all 6.5 million of the impacted accounts, but it stopped there. But earlier today, reports surfaced about a sales thread on an online cybercrime bazaar in which the seller offered to sell 117 million records stolen in the 2012 breach. In addition, the paid hacked data search engine LeakedSource claims to have a searchable copy of the 117 million record database (this service said it found my LinkedIn email address in the data cache, but it asked me to pay $4.00 for a one-day trial membership in order to view the data; I declined).
Inexplicably, LinkedIn’s response to the most recent breach is to repeat the mistake it made with the original breach, by once again forcing a password reset for only a subset of its users.
“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” wrote Cory Scott, in a post on the company’s blog. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
LinkedIn spokesman Hani Durzy said the company has obtained a copy of the 117 million record database, and that LinkedIn believes it to be real.
“We believe it is from the 2012 breach,” Durzy said in an email to KrebsOnSecurity. “How many of those 117m are active and current is still being investigated.”
Regarding the decision not to force a password reset across the board back in 2012, Durzy said “We did at the time what we thought was in the best interest of our member base as a whole, trying to balance security for those with passwords that were compromised while not disrupting the LinkedIn experience for those who didn’t appear impacted.”
Alex Holden, co-founder of security consultancy Hold Security, was among the first to discover the original cache of 6.5 million back in 2012 — shortly after it was posted to the password cracking forum InsidePro. Holden said the 6.5 million encrypted passwords were all unique, and did not include any passwords that were simple to crack with rudimentary tools or resources [full disclosure: Holden’s site lists this author as an adviser, however I receive no compensation for that role].
“These were just the ones that the guy who posted it couldn’t crack,” Holden said. “I always thought that the hacker simply didn’t post to the forum all of the easy passwords that he could crack himself.”
The top 20 most commonly used LinkedIn account passwords, according to LeakedSource.
According to LeakedSource, just 50 easily guessed passwords made up more than 2.2 million of the 117 million encrypted passwords exposed in the breach.
“Passwords were stored in SHA1 with no salting,” the password-selling site claims. “This is not what internet standards propose. Only 117m accounts have passwords and we suspect the remaining users registered using FaceBook or some similarity.”
SHA1 is one of several different methods for “hashing” — that is, obfuscating and storing — plain text passwords. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse.
The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.
But by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.
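The difference between the unsalted SHA1 storage LeakedSource describes and salted storage is easiest to see in code. The following is an added example, not code from KrebsOnSecurity or LinkedIn: it builds a tiny constructed "user database" in which two users chose the same weak password, shows that one precomputed lookup table cracks every unsalted SHA1 hash at once, shows that the same table recovers nothing once each user has a random salt, and finishes with the form a defender should actually use, a salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library). The e-mail addresses, passwords and wordlist are all constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data: two users who picked the same weak password.
USERS: Dict[str, str] = {"alice@example.com": "123456", "bob@example.com": "123456"}

# Constructed mini wordlist. A real cracking dictionary holds millions of entries,
# but the mechanics are identical.
WORDLIST: List[str] = ["password", "123456", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Plain SHA1 of the password: the pre-2012 LinkedIn scheme. Same input, same hash, every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Because unsalted hashes are static,
    this single table can be reused against every user in every unsalted database."""
    return {sha1_unsalted(word): word for word in wordlist}


def audit_unsalted_db(users: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Store each user's password as unsalted SHA1, then see which ones the table recovers."""
    stored = {email: sha1_unsalted(pw) for email, pw in users.items()}
    return {email: table.get(h) for email, h in stored.items()}


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA1 over a per-user random salt plus the password. Identical passwords now
    produce different hashes, so a precomputed table no longer applies."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def audit_salted_db(users: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Same users, same table, but each user gets a fresh 16-byte salt. Expect no hits."""
    stored = {email: sha1_salted(pw, os.urandom(16)) for email, pw in users.items()}
    return {email: table.get(h) for email, h in stored.items()}


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Recommended form: random salt plus a deliberately slow KDF. The iteration count
    makes each guess cost the attacker the same work it costs the server to verify.
    Output encodes algorithm, iterations and salt so verification is self-describing."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted SHA1 audit:", audit_unsalted_db(USERS, table))  # both users cracked
    print("salted SHA1 audit:  ", audit_salted_db(USERS, table))    # nothing cracked
    record = pbkdf2_store("123456")
    print("pbkdf2 record:", record)
    print("verify correct:", pbkdf2_verify("123456", record), "verify wrong:", pbkdf2_verify("wrong", record))
```

The salted SHA1 step only removes the shared lookup table; an attacker with the database can still run the wordlist against each salt individually at the tens-of-millions-per-second rates the article mentions, which is why the last two functions add a cost factor on top of the salt.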
LinkedIn said it added salt to its password hashing function following the 2012 breach. But if you’re a LinkedIn user and haven’t changed your LinkedIn password since 2012, your password may not be protected with the added salting capabilities. At least, that’s my reading of the situation from LinkedIn’s 2012 post about the breach.
If you haven’t changed your LinkedIn password in a while, that would probably be a good idea. Most importantly, if you use your LinkedIn password at other sites, change those passwords to unique passwords. As this breach reminds us, re-using passwords at multiple sites that hold personal and/or financial information about you is a less-than-stellar idea.
Below is the original story from the 2012 Breach
LinkedIn’s Data Breach Settlement Moves Forward
by Wendy Davis, February 3, 2015, 2:15 PM
A federal judge has tentatively approved LinkedIn’s $1.25 million settlement of a class-action lawsuit stemming from a 2012 data breach.
“The settlement agreement falls within the range of possible approval as fair, reasonable, adequate, and in the best interests of the class,” U.S. District Court Judge Edward Davila in the Northern District of California wrote in an order issued on Thursday.
Davila’s order only grants the deal “preliminary” approval, meaning that he could still reject the settlement after a final hearing.
The settlement agreement calls for LinkedIn to pay up to $50 to some of the users who purchased premium memberships to the service. The social-networking company also promises that for the next five years, it will protect users’ passwords by “salting” and “hashing” them.
But class counsel estimates in court papers that only 20,000 to 50,000 subscribers will be able to qualify for payments from the settlement fund. Any money that isn’t distributed to class members will go to three nonprofits: the Center for Democracy and Technology, World Privacy Forum and the Carnegie Mellon CyLab Usable Privacy and Security Laboratory.
The litigation stems from an incident in 2012 when hackers obtained access to the company’s servers and then posted 6.4 million users’ passwords online. Shortly after the data breach, Virginia resident Khalilah Gilmore-Wright, a paid LinkedIn subscriber, alleged in a class-action lawsuit that she wouldn’t have purchased a premium LinkedIn membership if she had known the company used “obsolete” security measures.
Davila’s order requires LinkedIn or a settlement administrator to notify users about the deal via email by Feb. 26. He will hold the next hearing on June 18, when he will hear arguments about whether to grant final approval to the settlement.
Copyright & Trademark ParkCityHub.com™
Registration Number: 5183510