After hack, LivingSocial tells 50M users to reset passwords
Users’ names, email addresses and passwords may have been accessed, CEO Tim O’Shaughnessy said
Computer World by Zack Miners April 26, 2013
IDG News Service –
More than 50 million users of the daily deals site LivingSocial are being asked to reset their passwords after hackers attacked the company’s servers and potentially made off with personal data.
The cyberattack “resulted in unauthorized access to some customer data on our servers,” including names, email addresses, dates of birth and encrypted passwords, LivingSocial CEO Tim O’Shaughnessy said in an email to employees and in a separate email being sent to customers.
The database that stores customer credit card information was not affected, nor was the database that stores merchants’ financial and banking information, the Washington, D.C.-based company said.
Although decoding users’ passwords “would be difficult,” the site says it is taking “every precaution” by expiring its users’ passwords and asking them to create a new one. Emails are being sent this afternoon to the more than 50 million users whose data may have been compromised, a LivingSocial spokesman said.
LivingSocial says it has 70 million members worldwide. Customers in Korea, Thailand, Indonesia and the Philippines aren’t being contacted because the company uses different computer systems in those countries, it said.
The group behind the attack has not been identified. “We are actively working with law enforcement to investigate this issue,” LivingSocial said on its website.
The hack may have resulted in users’ accounts on other sites being compromised. “We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s),” O’Shaughnessy said.
“We need to do the right thing for our customers who place their trust in us,” O’Shaughnessy said in the employee email, adding, “We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.”
The hack follows a slew of attacks on Twitter, Facebook, Microsoft and other companies. LivingSocial said it is “redoubling” its efforts to prevent future breaches.
“With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account,” wrote Eric Doerr, Microsoft Account group program manager, in a blog entry announcing the secondary authentication. “It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.”
With two-factor authentication, a user logging in to a service or device supplies a second piece of information in addition to a password, thus making it impossible for another party to gain illicit access to the user’s accounts without all the separate pieces of information. Microsoft is using additional verification methods such as a short code sent to the user’s mobile phone, which is then entered in addition to the password, or by asking the user to supply additional information, such as an alternative email address.
Microsoft Account, formerly called Windows Live ID, is a single sign-on Web service to authenticate users of Outlook.com, SkyDrive, Skype, and other Microsoft services. It can also be used as an authentication mechanism for Windows PCs, the Xbox and Microsoft Office. Overall, Microsoft has over 700 million users registered to Microsoft Account.
Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent, each time the user logs on, to a mobile phone number that Microsoft keeps on file.
As an alternative to security codes, Microsoft is providing a number of other forms of authentication as well. For smartphones, users can deploy an authenticator app. Microsoft has released an authenticator app for Windows Phones, and third-party authenticator apps can be used for other platforms. For those devices that do not directly support two-factor authentication, such as the Xbox, users can get a secondary password, one unique to each device.
Microsoft can also keep a list of trusted devices designated by the user. With such devices, users enter a security code once and have that device remembered in future visits, eliminating the need to enter the security code for each login. Microsoft currently offers this capability, but only with Internet Explorer and the use of additional software. Users can manage their list of trusted devices through their account settings page.
Doerr cautioned that, though more secure, two-factor authentication can be more difficult to manage. Losing a security code results in a 30-day wait for a new code. And Microsoft is asking for at least two pieces of information on file, in case one of the pieces is lost or forgotten. And if the user loses both the password and all the security information, he or she will not be able to access the account again.
So-called security experts making basic information security errors isn’t a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective.
Information Week by Mathew J. Schwartz November 15, 2012
Is there any way to keep online identities and the content of email communications hidden?
Clearly, covering one’s tracks is tough to do, as demonstrated by David Petraeus, the highly decorated general who last year became director of the CIA. Notably, his affair with Paula Broadwell — hardly a national security matter — came to light this week after the FBI found that the couple was using a Gmail account to communicate.
Still, for the director of a U.S. intelligence agency to have been caught in this manner is, frankly, a security embarrassment. Rather than using a VPN to mask their IP addresses or encryption to scramble the contents of their messages, or simply avoiding email altogether, Petraeus and Broadwell communicated using saved Gmail drafts. Having gone to the trouble to hide what they were doing, why didn’t they find a more secure communications mechanism?
Then again, no amount of hiding their online tracks may have helped foil determined investigators. Even supposedly master hackers have been identified after just one small misstep.
Consider the example of LulzSec leader Sabu — real name, Hector Xavier Monsegur. He reportedly failed to mask his IP address just once or twice before logging into an IRC chat room, which ultimately allowed the FBI to pinpoint his real IP address and then identity. Meanwhile, Backtrace Security also found, hidden in a LulzSec chat file, a domain name that led to a subdomain that mirrored a page where Monsegur had posted a picture of his beloved Toyota AE86.
Seeing so-called security experts commit basic information security errors isn’t a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective. According to journalist Parmy Olson’s book We Are Anonymous, the collective had lost steam after its Church of Scientology and PayPal exploits. Then HBGary Federal CEO Aaron Barr launched a PR stunt meant to drum up business, publicly boasting that he would soon unveil the identities of key Anonymous players. That led the key players, including Sabu, to see just what Barr knew — he turned out to not have identified them at all — as well as make a lesson of him to any other would-be Anonymous enemies.
As Olson recounts, Sabu scanned the HBGary Federal website and found — ironically, for an information security firm — that it was built using a commercial content management system that contained a known vulnerability. Using a SQL injection attack, the hacktivists retrieved a list of HBGary employees’ usernames and passwords, although the latter had been hashed using MD5. While that temporarily stymied Sabu — the group was still sharpening its technical skills — he uploaded three of the passwords to the hashkiller.com forum. Its members quickly cracked the hashes and shared the plaintext passwords, including Barr’s work password, which was “kibafo33.”
The hackers then tested whether Barr’s password worked for any of his other website accounts. Remarkably, Barr, a self-described information security expert, had reused his work password on numerous sites — including Facebook, Flickr, Twitter, Yahoo as well as World of Warcraft. On Super Bowl Sunday 2011, Anonymous owned those accounts and began issuing vulgar tweets in Barr’s name and providing links to a torrent file containing over 70,000 HBGary emails that it had surreptitiously copied and deleted from the company’s servers.
Compared to the HBGary episode, Petraeus’ Gmail missteps — still surprising for the head of an intelligence agency — appear less galling. In the end, however, his story isn’t just about the startling ease with which one’s supposedly hidden communications or identity can be uncloaked, our country’s poor privacy protections or an investigation that should never have begun. Rather, it’s also about human errors.
Namely, Broadwell was jealous of Jill Kelley, a married Tampa socialite who volunteers with wounded veterans and military families, and her friendship with Petraeus, which she saw as a threat. So Broadwell sent threatening emails to Kelley, who passed them to FBI agent Frederick W. Humphries II, which triggered the investigation. Given that Broadwell, who was married, was having an affair with the director of the CIA, shouldn’t more discretion have been the order of the day?
With information security, as in life, the biggest wildcard remains the human factor.
Hacking Google: The three Israeli white hats rooting out the web’s security holes
Summary: Three Israeli hackers have been among the most prolific hunters in Google’s bug bounty program – but they still trust the company with their data.
ZD NET News by David Shamah for Tel Aviv Tech October 12, 2012
If you’ve been trusting the cloud with your data, three Israeli hackers have a message for you: the cloud isn’t safe. It really, really isn’t safe.
How unsafe is it? “It’s so unsafe that I refused to put a credit card on PayPal until I was able to personally test their security,” said hacker Ben Hayak. “And it’s a good thing I didn’t because they really had a major security hole, which has since been closed.”
Hayak was able to check PayPal’s cloud security thanks to the company’s “bug bounty” programme, which pays hackers to search out security vulnerabilities on its site.
Security, according to a recent blog by PayPal’s chief information security officer Michael Barrett, has to be at the top of the agenda for any company that does business in the cloud, “but we realise that no company can do it all alone”.
Instead, the company began working with ‘white hat’ hackers – the ‘good guys’ of the hacking world – to discover security lapses in XSS (cross site scripting), CSRF (cross site request forgery), SQL injection or authentication bypass.
“I originally had reservations about the idea of paying researchers for bug reports,” Barrett wrote in the blog, “but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on internet-based services and therefore find more potential issues.”
PayPal is actually one of the latest cloud companies to grasp the wisdom of putting the hacker community to work for you, instead of against you. Other companies with similar programmes include Facebook, Mozilla, and Twitter, but the first to formally work with hackers was Google, which has been running its bug bounty programme (officially called the Vulnerability Reward Program) since late 2010.
Since then, hundreds of hackers have uncovered perhaps thousands of security vulnerabilities in Google code, across the company’s full range of properties, from Gmail to Google Docs to Blogger.
All three work at Israeli security company Avnet, which, among other things, tests enterprise websites in Israel for vulnerabilities. The Google work is a sideline for the three hackers – but a very lucrative one that has earned each several thousands of dollars, given that Google pays between $500 and $3,000 for each bug discovered.
The three white hats have each earned that kind of money despite the fact that hundreds of hackers around the world participate in the programme – Google is so large, there are more than enough security lapses to go around.
“Recently, Shai showed us how to get control of a Google server by playing with Google Calendar,” said Hayak. “We were also able to get into Google servers via Gmail, and when we hacked into Google’s Blogger.com, we were able to find the code that made us admins on all of the service’s blogs.” The three did not need sophisticated rootkits or under-the-hood Unix scripts to find these vulnerabilities: “We were able to do all this by directly engaging with the service itself,” Hayak said.
All three say they have always been white-hat hackers and have never been on the ‘dark side’ – but the programmes by Google and others do attract black-hat hackers as well.
“I know of several cases in which a hacker found a vulnerability and sold it on the black market to a criminal gang, and then turned around and reported it to Google,” said Goldshlager.
That’s one reason he trusts Google with his data – to the extent that he now even uses Gmail. “With so many people working on finding the vulnerabilities in order to collect the reward, any existing problem is going to be discovered very quickly, so even if the wrong elements get wind of a vulnerability, the damage they are going to be able to do is going to be limited,” he said. In fact, added Hayak, Google decided to institute the programme after Chinese hackers were able to get into accounts of dissidents in 2010.
Since then, the number of security incidents for the company has gone down significantly, Hayak said. Still, the cloud is a scary place. “I don’t trust it,” said Rod, the third member of the Avnet hacker team. “You get what you pay for, and if you are getting free services, you have to put up with a lot of intrusion.”
Security for free and paid-for accounts is the same – or starts out the same, said Rod – but somehow companies seem to feel they have a bigger obligation to ensure the safety of their paying customers’ data. “It’s not even about the security, it’s about the privacy,” he said. “I am sure that if many people read the TOS [terms of service] on many free web services, they would think twice before accepting.” And the more opportunity for a company to invade account users’ privacy (like sweeping their information in order to better target them with ads), the more opportunity for a security bug to develop.
As far as the hackers are concerned, the situation at Google and the other services that have bug bounty programmes is better than at companies that don’t, said Hayak.
“I can’t tell you about security in the App Store or at Amazon because I have no legal way of testing their defences,” he said. “But the fact that Google, PayPal, and the others that have bug bounty programmes are willing to let people like me test their systems shows that they are serious about security.”
Despite encryption, a study released today identifies standard email as the number one way unauthorized data leaves a federal agency.
According to the study, 80% of Federal information security managers fear data loss through encrypted email, and 58% state that encryption makes it harder to detect data leaving.
The study also reveals that despite security measures, Federal information security and email management professionals state that standard work email is the main culprit in releasing unauthorized data. Specifically, the study found:
83% of agencies provide users with the ability to encrypt outbound email
One in four agencies rate the security of their current email solution an “A”
Approximately one in four Feds see email encryption as a problem today and 51% of information security professionals see email encryption becoming a more significant problem in the next five years
The study also points out that while 79% of Federal information security and email management professionals say cybersecurity is a top priority, only one in four give the security of their current email solution an “A.”
Yet 83% of federal agencies provide users with the ability to encrypt outbound email. Email is the number one way unauthorized data, including classified and sensitive information, leaves federal agencies followed by agency-issued mobile devices and USB flash drives. In a number of cases, the very encryption that may be used to ensure the security of information becomes the tool for hiding sensitive information as it leaves through the email gateway.
Most agencies — 84% — believe that they are safe and support the inspection of desktop-encrypted email. However, to effectively support the inspection of desktop-encrypted emails, agencies must validate all email users, have proper email policies in place and ensure users follow those policies.
Currently, 47% of agencies cite the need for better email policies and 45% report that employees do not follow these policies. In fact, even if these three conditions are met, agencies may be unable to enforce email policies unless their email gateways explicitly decrypt and scan desktop-encrypted email.
“Email encryption is an important tool for protecting sensitive information, but agencies must be sure that encryption is not making outbound emails so opaque that sensitive information can pass through without detection,” said Michael Dayton, senior vice president, security solutions group, Axway, which sponsored the study. “Agencies themselves may be providing the tools by which Federal workers are leaking critical information – intentionally or not.”
Information security professionals also reported seeing email encryption becoming a more significant problem for federal agencies in the next five years.
The study also explores file sharing through email, especially when the files being shared contain critical data. The ability to enforce encryption of certain documents in an automated way and also provide Federal agencies with the ability to decrypt files is key to ensuring secure file sharing through email.
Federal information security and email management professionals say the top barriers to securing federal email are lack of budget, lack of employees adhering to security policies, the rise of mobile technology and lack of training.
The study is based on an online survey of 203 Federal government information security and email management professionals in June and July 2012.