Security News for the Week Ending November 29, 2019
The Problem with Big Data is, Well, That it is Big
On October 16th researchers revealed that they had found an exposed database with 4 billion records covering 1.2 billion people. The first database contained information on 1.5 billion unique people (note these numbers do not exactly match) including work phone numbers and mobile phone numbers. The second database contains hundreds of millions of scraped profiles from LinkedIn. The data appears to be linked to “data enrichment” firms, People Data Labs and Oxy.io, but the firms say that the server doesn’t belong to them. They did not say that the data did not originate from them. Likely, the server belongs to one of their customers. The good news is that the databases do not contain passwords or credit cards, but still there is a lot of data there. The term data enrichment is an expression for “we aggregate data from a bunch of sources and put it all together, so if all YOU have, for example is a person’s email, we can tell you how much they make, how many kids they have and the roads they travel on to work, etc…” Source: Computer Weekly.
California DMV Made > $50 Million Last Year Selling Your Data
First the law requires you to provide all kinds of information to the DMV. Then the DMV sells that information to anyone who’s check clears. And they do not need to ask your permission. In theory the law restricts who they sell your data too, but there are a lot of exceptions. One example was a private investigator who bought the information and gave it to his stalker client who killed the person. Another is data brokers like Lexis/Nexus. Maybe the law should be changed, but in the meantime the DMV loves the cash. Source: Vice
Another Public Leakware Attack
As I said in my November 19, 2019 post titled “Argh – They Have a Name for it Now – Leakware“, leakware is becoming more popular. Now we have a case of the security and building facilities firm Allied Universal ($7 billion in revenue, 200,000 employees). Allied was breached and the hackers want money. To make a point, they leaked 700 megabytes of data. They say that they have 4 GB+ more to leak and they will give it to Wikileaks. They posted the sample data to Bleeping Computer’s forum, which took it down and also to a Russian crime forum who was not so supportive. The hackers initially wanted $2 million. Not they want $4 million; Allied offered $50k. A bit of a gap. Allied says that they take security seriously but didn’t say what they planned to do to protect the stolen data. If these hackers are Russian, there really isn’t much they can do other than to negotiate. They have brought in security experts after the breach. While it is useful to close the barn door once the horses are gone and the barn is burned to the ground, that probably won’t make much difference to the customers who’s data was compromised. Stay tuned for lawsuits. Assuming this trend continues, we need to create different defenses for ransomware. Source: Bleeping Computer
That Thanksgiving e-Card – Yup, Its Malware
With the holiday season starting, the purveyors of malware are in the holiday spirit too. They are sending out millions of MALICIOUS, INFECTED e-greeting cards.
Open the card and you, too, will be infected. In one campaign, the malware is the emotet password stealing trojan.
Open that card and all of your passwords will be sent to Russia or China or some other friendly place.
When I get one of these cards, I send the person who sent it a note thanking them, but telling them that, in an unfortunate sign of the times, it is too risky to open it.
Then I hit the delete key. Source: Bleeping Computer