Jonathan Greig

Mozilla's Firefox Monitor security tool checks if your accounts have been compromised by hackers

June 26, 2018 Jonathan Greig
Image: CNET

Despite the prevalence of hacks and data breaches in the news recently, few people ever find out if their information has been released or taken advantage of unless there is a noticeable problem. Just last year, more than 179 million records were exposed in the U.S.

Mozilla is hoping to change that by teaming with Troy Hunt -- a renowned Australian digital security expert who runs HaveIBeenPwned.com -- to create Firefox Monitor. The website HaveIBeenPwned.com allows you to search for your email address to see whether it has been involved in a data breach, giving you the date, breached company, and amount of data stolen. The website also gives a description of the hack your email was involved in and suggests ways to move forward.

Have I been pwned?

"Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called 'Firefox Monitor'," Hunt wrote in a blog post about the partnership.

"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream."

HaveIBeenPwned.com currently has a secure database of 5.1 billion records, with 3.1 billion unique email addresses, yet only a bit more than 2 million subscribers. The more people that take advantage of the pwned website, the more people will be able to secure their accounts and make it safer for everyone, including the websites involved in the original hack.

"Understandably, people are now more worried about internet-related crimes involving personal and financial information theft than conventional crimes. In order to help keep personal information and accounts safe, we will be testing user interest in a security tool that lets users check if one of their accounts has been compromised in a data breach," Mozilla wrote in its announcement of the deal. 

Check for a privacy breach

"Visitors to the Firefox Monitor website will be able to check (by entering an email address) to see if their accounts were included in known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach. The site will offer recommendations on what to do in the case of a data breach, and how to help secure all accounts," they said, adding that they were working on another feature that would let users know when their information was involved in a data breach.

Mozilla and HaveIBeenPwned.com initially announced a partnership last fall that saw the web browser add an alert that would notify users when they were visiting a website that had recently been involved in a data breach.

Hunt also secured a deal with 1Password, a password management app, in February that allows users to search if their email or password had been released in a data breach.

Both Hunt and Mozilla wrote extensively about the security concerns people may have with the database and entering their email addresses into the service. They employ a detailed strategy that makes it nearly impossible to use or even identify the email addresses in their database.

According to Mozilla, Firefox Monitor will begin testing next week, with 250,000 mostly U.S.-based users invited to join the trial period.

Since the end of last year, Mozilla Firefox has put protecting its users' privacy and personal data at the top of its list. Firefox lets you create and manage strong passwords with an easy-to-use password manager that can handle credit card and other login information. The Firefox browser also includes tools that block websites from tracking your online activities. You can also extend Firefox's usefulness through browser extensions that let you harden your browser's security.

*This article was featured on Download.com on June 26, 2018: https://download.cnet.com/blog/download-blog/mozillas-firefox-monitor-security-tool-checks-if-your-accounts-have-been-compromised-by-hackers/

In cbs interactive Tags download.com, mozilla, firefox, firefox monitor, haveibeenpwned, security, cybersecurity, troy hunt, hacks, data breach, hackers

Hackers' hotel 'master key' could be big risk for business travelers →

April 25, 2018 Jonathan Greig
Image: iStockphoto/TeerawatWinyarat

Cybersecurity researchers have worked on cracking the code to hotel room keys since 2003.

Two intrepid cybersecurity researchers have figured out a way to crack the security systems of hotel rooms around the world, exploiting lapses in the electronic lock systems made by Swedish lock manufacturer Assa Abloy, according to a Wednesday press release.

Assa Abloy, which created VingCard's "Vision" system, has deployed it at 42,000 properties in 166 countries, including everything from hotel rooms to garages and secure spaces, as noted by our sister site ZDNet.

Tomi Tuominen and Timo Hirvonen, researchers from F-Secure, discovered a way to breach the system after nearly a decade of research following a strange occurrence at a Berlin security conference in 2003. A friend of theirs had a laptop stolen from his hotel room with no signs of forced entry, leading the two men on a decade-long journey to prove their theory that someone had figured out how to manipulate the RFID card reader.

The specific RFID card reader they were looking into was a typical kind sold by VingCard and created by Assa Abloy for mass use at hotels across the world, as noted by Wired. What Tuominen and Hirvonen have discovered, and will exhibit at a conference in Miami this week, is a program that can create not only cards for certain rooms but also a master key for every room, giving potential thieves access to any part of any hotel they choose, the release said.

The main instruments needed are a $300 Proxmark RFID card reading and writing tool and any card, either old or new, from a hotel, according to Wired. From there, Tuominen and Hirvonen only need one minute to steal data from the used card and create a master card that can open any door on the same system.

Both men have tried to downplay any fears hotels and customers may have about the loophole and have actively worked with Assa Abloy to fix their system. Although it took them more than a decade, they said if someone worked full time, they could create a similar system in far less time.

"We don't know of anyone else performing this particular attack in the wild right now," they told ZDNet in an email.

They later added: "Developing [the] attack took considerable amount of time and effort. We built a RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time."

Assa Abloy has since created a new line of locks and released a patch update earlier this year to address the issue, the release said. But the patch has to be installed manually by each hotel in each lock, leading both men to wonder whether the updates had actually been implemented.

There was also a discrepancy in the number of hotel rooms that are vulnerable. According to Wired, Assa Abloy told Tuominen and Hirvonen privately that "the problem affects millions of locks in total," while publicly they have said the problem would only affect close to 500,000 room locks.

A spokeswoman for Assa Abloy told the BBC that any electronic device is vulnerable to hacking and that a breach of this kind would require large teams and copious amounts of time.

"Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure," the spokeswoman told the BBC. "These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology."

Tuominen and Hirvonen have said they will not release information on how their device works and will only give a broad overview of their method at the conference in Miami this week, the release noted.

A similar situation six years ago led to a US-wide robbery spree of hotel rooms following the release of a list of possible lock system vulnerabilities by a security researcher. Wired noted in their article that a number of government intelligence agencies, including those in the US and Israel, claim to already have ways to hack into hotel room key systems.

The ACLU noted as far back as 2012 that some security companies were even marketing themselves by advertising their ability to teach people how to crack VingCard locks.

Many major international hotels, including the Intercontinental, Hyatt, Radisson and Sheraton, use VingCard's system and are in the process of updating the locks now that the system's vulnerabilities have been made public.

Being that a stolen laptop was the impetus for this research, it goes without saying that business travelers should use extra caution when traveling and staying at a hotel. Check with management to see if the locks have been updated and, if worried, be sure to bring your valuables with you when you leave the room.

*This article was featured on the Tech Republic website on April 25, 2018: https://www.techrepublic.com/article/hackers-hotel-master-key-could-be-big-risk-for-business-travelers/

In cbs interactive Tags hotel key, hack, cybersecurity, vingcard, assay abloy, hotel room key, cyberattacks

Thousands of Sears, Delta customers affected by data breach →

April 5, 2018 Jonathan Greig
Image: Delta

A third-party vendor used by both companies announced that its system had been breached for two weeks starting in September 2017.

Delta Air Lines and Sears Holdings Corp. revealed yesterday that one of their third-party vendors managing online customer chat services had been hacked in September 2017, leaving the credit card information of hundreds of thousands of people open to cybercriminals for more than two weeks.

Questions remain unanswered about why it took so long for the hack to be noticed, and why Delta and Sears were only notified of the data breach in mid-March 2018, months after the initial hack took place.

[24]7.ai, the vendor that was hacked, said in a statement that it was "working diligently with our clients to determine if any of their customer information was accessed." They did not answer multiple questions from the media about why they waited so long to tell the companies about what happened.

The hack began on September 26, 2017 and was discovered by [24]7.ai two weeks later on October 12, 2017.

Sears and Delta said they were working with federal law enforcement and credit card companies to deal with the breach, but gave conflicting information on whether they believe information was stolen or accessed during the two-week window.

"At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers' information was actually accessed or subsequently compromised," Delta said in its statement, stressing that no passport information or government IDs were impacted by the hack.

Sears, on the other hand, said, "we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised," but claimed none of its stores or Sears-branded credit cards had been affected.

"Data security is of critical importance to our company, and we take any matter related to customer's personal information very seriously," Sears said, adding that Kmart customers were also affected by the hack.

Delta would not say how many customers were affected, only referring to it as a "small subset," while Sears said it was less than 100,000. The information that was breached included credit card numbers, addresses, expiration dates, and CVV numbers.

This latest hack comes just days after high-end retailers Lord & Taylor and Saks Fifth Avenue revealed that their systems had been breached. The credit card data of millions is now being sold on the dark web due to the hack.

Like Saks and Lord & Taylor, Delta and Sears have set up websites and hotlines for concerned customers. Both companies also plan to contact customers who they are certain were affected by the hack and reminded their buyers that no one is liable for unauthorized or fraudulent account activity.

*This article was featured on the Tech Republic site on April 5, 2018: https://www.techrepublic.com/article/thousands-of-sears-delta-customers-affected-by-data-breach/

In cbs interactive Tags sears, delta, data breach, cybersecurity, cyberattacks

Hackers hit Saks Fifth Avenue and Lord & Taylor, stealing credit card data of millions →

April 2, 2018 Jonathan Greig
Russian-speaking hackers compromised systems at the luxury retail outlets in May 2017, and are now offering the data of millions on the dark web.

Hackers have put the credit card data of 125,000 people up for sale on the dark web and have the information of another 5 million people after infiltrating the systems of high-end retailers Saks Fifth Avenue and Lord & Taylor.

Both stores are owned by Canada-based Hudson's Bay Company, which only confirmed the hack after cybersecurity firm Gemini Advisory released information on the breach in coordination with a number of affected financial institutions. The Gemini Advisory report estimates that the breach first occurred in May 2017, but was only detected after the hackers announced details of their attack in March 2018.

On Wednesday, March 28, infamous hacking syndicate JokerStash, also known as Fin7, announced that it had information from 5 million credit and debit cards, which it was offering for sale on the dark web.

According to Gemini Advisory, the financial institutions involved have confirmed that the credit and debit card numbers are real and say most were stolen from stores in New York and New Jersey. The data was stolen through malware that was installed on cash registers and was still funneling card numbers to the hacking group until last month, the report said.

In a statement, Saks Fifth Avenue said they "took steps to contain" the hack and "believe it no longer poses a risk to customers shopping at our stores."

"Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring," Saks Fifth Avenue wrote in the statement, adding that their e-commerce sites had not been affected by the hack.

But Gemini said the hackers are openly offering about 35,000 card numbers for sale from Saks Fifth Avenue and about 90,000 from Lord & Taylor, with almost 5 million more they can continue to sell for years.

"The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America," Gemini Advisory wrote.

"Cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time," Gemini Advisory continued.

JokerStash is well known for its hacks of many stores and outlets, including Whole Foods, Chipotle, Omni Hotels & Resorts, and Trump Hotels, the report said.

The hack comes on the heels of other major security breaches at companies across the country in the last five years. Just last year, credit reporting company Equifax admitted that data—including social security numbers, addresses, tax ID numbers, and driver's license information—from 145.5 million Americans had been stolen. Additionally, 56 million card numbers were stolen from Home Depot in 2014 and 40 million from Target in 2013.

Sportswear company Under Armour admitted on Friday that hackers had broken into their system and stolen data from the MyFitnessPal fitness-tracking app, exposing information from 150 million users.

Gemini urged all brick-and-mortar stores to switch from magnetic stripe card machines to Europay Mastercard and Visa, or EMV, terminals, which are able to verify purchases through a microchip in the physical card itself.

*This story was featured on Tech Republic’s website on April 2, 2018: https://www.techrepublic.com/article/hackers-hit-saks-fifth-avenue-and-lord-taylor-stealing-card-data-of-millions/

In cbs interactive Tags saks fifth avenue, lord & taylor, hack, credit card data, cybersecurity, cyberattacks

Baltimore emergency 911 dispatch hacked, taken offline for 17 hours →

March 28, 2018 Jonathan Greig
The cyberattack slowed emergency response times as dispatchers had to resort to manual methods.

Government officials in Baltimore recently confirmed that their emergency dispatch system was infiltrated by unknown hackers around 8 am on Sunday, forcing the city to shut the entire system down and handle emergency calls manually for nearly 17 hours.

The office of Baltimore Mayor Catherine Pugh confirmed the hack yesterday and the city's CIO, Frank Johnson, told the Baltimore Sun that instead of emergency calls "being relayed to dispatchers electronically, they were relayed by call center support staff manually."

Hackers breached the city's CAD system, which manages 911 and 311 calls, and city officials quickly took the affected server offline, Johnson told the Baltimore Sun. City officials didn't comment in detail on the situation, although they confirmed that the police department and the FBI became involved almost immediately. The system was eventually restored at 2 am on Monday.

The story of what happened in Baltimore gained prominence this week as Atlanta also struggled with a similar but even more widespread hacking event, as reported by our sister site ZDNet.

Since Thursday, all of Atlanta's government computers were shut down during a ransomware attack by notorious hacking group SamSam. Just last year, the group hacked into the Dallas emergency system and set off tornado sirens, according to the New York Times.

In Atlanta this weekend, the group demanded a $51,000 payment in Bitcoin in exchange for releasing all of the government's files and threatened to destroy them if they weren't paid. Details on the resolution are murky due to the ongoing government investigation, but Atlanta city officials were able to use their computers again on Tuesday, the Times reported. At a press conference, Atlanta Mayor Keisha Lance Bottoms called the multi-day hack a "hostage situation."

Law enforcement officials across the country have been raising the alarm about possible cyberattacks to government entities, highlighting the fact that hackers have been upping the ante against hospitals and emergency services, believing them to be the parts of government that can least afford to be down for long periods of time.

CIOs in a number of states said in a 2016 ICMA survey that local governments needed to prioritize cybersecurity like any other service, due to the rapidly rising number of attacks.

"The survey...found that about one-quarter of local governments reported that they were experiencing attacks of one kind or another, successful or not, at least as often as once an hour," the New York Times wrote. But they added that only about a third of local governments had a detailed plan to handle hacking situations.

"A smart local government will have fire, police and cybersecurity at the same level," David Jordan, CISO for Arlington County, VA, told the New York Times.

*This article was featured on the Tech Republic website on March 28, 2018: https://www.techrepublic.com/article/baltimore-emergency-911-dispatch-hacked-taken-offline-for-17-hours/

In cbs interactive Tags 911, baltimore, hack, hackers, cyberattacks, cybersecurity

IoT security spending to hit $1.5B in 2018 as targeted cyberattacks grow rampant

March 21, 2018 Jonathan Greig
Image: iStockphoto/JoZtar

Spending on security for smart devices will see a 28% increase from last year, eventually hitting $3 billion by 2021.

As Internet of Things (IoT) devices like Apple's HomePod and Amazon's Echo become more popular, attempts to hack these devices have also increased, prompting industry leaders to spend more time and money on security in an effort to address the issue.

Some 20% of organizations have experienced at least one IoT attack in the last three years, according to a new report from Gartner. While spending on security for smart devices will reach more than $1.5 billion this year, the firm predicts, the inability of the industry to prioritize and implement "security best practices" is hampering efforts to tackle the problem, according to a press release.

"Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," Ruggero Contu, research director at Gartner, said in the release. "However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."

The entire IoT industry is in need of better regulation, Gartner said in the report, and as more smart devices are woven into other heavily regulated industries such as healthcare and automotive, companies will be forced to comply with more stringent security rules.

"This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology (OT), such as energy, oil and gas, transportation, and manufacturing," Contu said in the release.

The tech industry has been grappling with the security of IoT devices for years, most notably since a massive cyber attack in the fall of 2016 left many of the internet's biggest websites down for hours across the globe.

The attack featured the use of the "Mirai botnet," which focused specifically on targeting IoT devices, giving it access to thousands of different entry points into a system.

David Fidler, an adjunct senior fellow for cybersecurity at the Council on Foreign Relations, told The Guardian in 2016 that he couldn't remember a hacking attempt even half the size of the Mirai attack.

"We have a serious problem with the cyber insecurity of IoT devices and no real strategy to combat it. The IoT insecurity problem was exploited on this significant scale by a non-state group, according to initial reports from government agencies and other experts about who or what was responsible," Fidler told The Guardian.

"Imagine what a well-resourced state actor could do with insecure IoT devices," he added.

More and more governments are integrating smart technology and IoT devices into every aspect of daily life, but the security is often an afterthought.

Despite many new regulations aimed specifically at IoT deployment, few, if any, companies, governments and people take the time to secure their devices, according to a report from Future Markets Research.

"Although a number of governing authorities have issued guidelines to be followed by IoT device manufacturers so as to protect against cyber-attacks on IoT networks and devices, many device manufacturers and users are not strictly adhering to these guidelines," they wrote in the report, which focused on IoT security between 2017 and 2027.

"Non-adherence to these guidelines results in security lapses, which cyber attackers can take advantage of and this creates challenges for IoT security solution providers. This factor is expected to hamper growth of the IoT security product market to a large extent," they said.

*This article was featured on the Tech Republic website on March 21, 2018: https://www.techrepublic.com/article/iot-security-spending-to-hit-1-5b-in-2018-as-targeted-cyberattacks-grow-rampant/

In cbs interactive Tags iot, security, cybersecurity, cyberattacks, internet of things
