An enormous security breach was discovered at the end of April affecting more than 80 million American households. It is yet another example in a string of breaches demonstrating the vulnerability of online database platforms. The owner of the database is yet to be identified and researchers at VPNMentor, who discovered the breach, are asking for assistance from the public to help them find the owner.
The good news is that the database did not contain credit card information, social security numbers or passwords. However, it was completely unprotected: it was hosted on a Microsoft cloud server and required no password to access the data files.
VPNMentor Found the Unprotected Database by Accident
Ran Locar and Noam Rotem, hacking experts at VPNMentor, found the database by accident. VPNMentor researchers were running a routine web mapping project, looking for holes in web systems. They were using a port scanning tool which locates weaknesses and finds data leaks. When they find a database with leaks, they typically contact the owner so immediate action can be taken to correct the problem. But in this case, the database did not identify its owner. Even though there is an IP address associated with this database, the researchers say it does not necessarily lead to its owner.
A Staggering Number of Households Were Exposed
The fact that 80 million US households were exposed in this breach is very troubling. This is almost 65 per cent of the entire number of American households. The database contains 24 gigabytes of highly detailed information, including full addresses, names, birth dates, ages, and residences.
The coded information, which is stored as numerical values, appears to relate to marital status, income, gender, and dwelling category. Since each database entry ends with “score” and “member code” and everyone listed appears to be over the age of 40, researchers believe that the database owner might be a mortgage, insurance or healthcare company. The fact that social security numbers are missing from the database, as well as payment information and account numbers, makes it unlikely that the owner is a bank or broker.
For now, the unsecured database is offline. Researchers did not download all the data, although they did verify some segments in the cache for accuracy. It was more important to protect the already exposed accounts from further invasion.
Hoping for Some Help from the Public
VPNMentor researchers stress that even though the database did not contain social security numbers or credit card information, there is still a significant risk of nefarious activities with the data that was exposed. Affected households are vulnerable to phishing scams, fraud, identity theft and possibly even home invasions since addresses are included. They sent out a plea to the public for assistance in identifying the owner of the database so that steps can be taken as soon as possible to secure the data.
This is not the first time Noam Rotem has been involved in uncovering a potentially serious data breach. Earlier this year, he discovered a very damaging vulnerability in the Amadeus online air travel booking system. The platform’s security vulnerability would have made it easy for hackers to access the database, alter customer bookings and steal airline mileage credits.
On 16 and 21 October 2015 Matthew Hanley hacked the TalkTalk website and stole personal details of over 150,000 customers. This included their full names, postal addresses, telephone numbers, dates of birth and banking details. Hanley handed the data over to Connor Allsopp to sell to Daniel Kelley, who had the intention of committing fraud with the information. Kelley then tried to extort 465 bitcoins (around US$2 million) from Dido Harding – the CEO of the company at the time.
TalkTalk suffered massive losses. The breach cost the company a staggering £77 million in financial losses, including a fine of £400,000 levied on the company by the Information Commissioner’s Office (ICO) for its failure to carry out fundamental security measures required to prevent a security breach such as this from happening. This is not to mention the implications the attack has for the company’s future business. Who wants to subscribe to a vulnerable supplier? The attack also caused severe distress and misery to the people whose confidential information was stolen and then passed on to a third party.
Two individuals of extraordinary talent
The court case took place on Monday, 19 November at the Old Bailey, where Judge Anuja Dhir presided. The Judge said that it is tragic that the two hackers have such extraordinary talent. During the trial, Matthew Hanley (23) and Connor Allsopp (21) admitted to the crimes against TalkTalk. Until his arrest in October 2015, Hanley was an unwavering hacker – he was fully aware that what he was doing was illegal, and of the risk involved in it. The hacker was sentenced to one year in prison and his associate Allsopp received an eight-month sentence. Hanley, described by Judge Dhir as a ‘dedicated hacker’, received a longer sentence than Allsopp, who ostensibly played a lesser role in the cybercrime.
Android is great. It’s established a solid reputation when it comes to the wide and varied choices in handsets, reliable hardware, fast charging and a fantastic range of apps. Unfortunately, Android is not that great on all fronts. In fact, when it comes to security updates it’s quite a mess.
The problem with Android updates
There’s no issue with the availability of Android security updates. Even when security patches are rolled out in time, Android device manufacturers often take their time delivering patches to their customer base. This leaves major parts of the Android ecosystem vulnerable to hackers. To combat this, it is crucial that patches are delivered regularly and on time – which is currently not happening.
What Google is doing about it
At Google’s I/O Developer Conference in May, the company revealed a plan to compel Android device manufacturers to roll out security patches on a regular basis. Later in the year, an unverified copy of Google’s new contract with OEMs was leaked. According to the contract, manufacturers will have to provide regular security updates for popular devices for at least two years. Popular devices are defined as all devices launched after 31 January 2018 that have achieved over 100,000 users. The mandate specifies a minimum of four security updates during the first year but does not specify a number for the second year. It also stipulates that patches created for security risks may not be delayed for more than 90 days.
Change is on the horizon
According to a spokesperson from Google, 90 days is a minimum requirement when it comes to security hygiene. It was also stated that the most recently-deployed Android devices are running an update from the last 90 days. Although this ties in with the leaked contract, the contract’s authenticity has not been verified. Should it be genuine, the changes made by Google are set to have a profound impact on the state of Android security and be of serious benefit to Android users. In other news, Google has announced a plan to start charging licensing fees to Android OEMs in Europe who want to include Gmail, the Play Store, Maps, Chrome and YouTube on Android handsets.
Your New Friend Alexa May Have an Issue with Boundaries
Check your Amazon Echo to make sure your helpful virtual assistant Alexa is not spying on you. There is no doubt that the dulcet tones of Alexa on the Amazon Echo can be a massive help around the home or office. Popular with millions of people around the world, Alexa is always ready to respond when you call, but recently researchers from a cybersecurity company have created a ‘hack’ that may allow Alexa to be a little too proactive.
Always Listening – That’s the Problem
Alexa is designed to stay in sleep mode until voice-activated with the command, “Alexa!”. Cybersecurity experts, however, have designed a simple program that forces Alexa to remain always-activated, record conversations and then send those recordings to a third party. The malicious program was camouflaged as a calculator app that is activated when a user opens the app, or tells Alexa to open the calculator app. Once activated, Alexa is always listening, even when you think your Echo is off.
Hacking into Alexa
The device’s inbuilt security protocols should force the program to terminate the session once complete, or to request permission to continue the session. But the hack was able to bypass the protocols and force Alexa to continuously listen and record voices.
How to Protect Your Systems
This specific program was created purely to test the system’s security and was immediately reported to Amazon, which has since fixed the vulnerability. However, it is a sobering reminder of the potential dangers of such a system. What can you do to protect yourself from your Alexa? As with any other online system, computer or mobile phone, it’s important to check regularly for malware, unknown applications and small files that you know you did not install. Also, take a look at the little blue light every now and again. It indicates the Amazon Echo is activated. When you’re not using it, it should be off. If it isn’t, there might be a problem.
Your Technology Needs to be More Radical than Your Cyber-Attacker’s
There is no doubt that the world has become completely digitized. Virtually every facet of our lives is impacted by internet technology, from social media and digitized data to artificial intelligence and smart homes. You name it, the internet dominates the world.
Digital is Great but the Risks of Data Breaches Have Multiplied
Digital data has revolutionized the way business is conducted today. The benefits are enormous. And so are the risks. While digital platform developers are working diligently to improve the world for consumers, hackers are working diligently to steal crucial business data for personal gain. A mere glance at the news reveals that every business sector has been impacted by cyber crime. Not only are the economic disruptions staggering, but the risk of personal financial harm is significant. Recently, for instance, it was reported that FedEx fell victim to a cyber attack, resulting in a significant impact on its worldwide operations. Protecting the cyber borders of data is more important than ever.
Cyber Criminals are Patient
Cyber criminals are primarily interested in extracting data from company servers, with the aim of disrupting operations. This requires companies to rethink their cyber security strategies, to focus instead on the “cyber supply chain.” Hackers have become very adept at sneaking into the system and slowly stealing data for months before they are detected. Cyber security professionals, therefore, need to focus their attention on both inbound and outbound traffic.
Organizations are not Paying Enough Attention to the Risks
In spite of the vulnerabilities and increased incidents of breaches, response and recovery of data continue to be the weak link in corporations today. Organizations should conduct cyber security emergency drills, similar to the national emergency drills conducted by the government in order to remain alert and abreast of the newest cyber terrorist strategies. Artificial intelligence is assuredly the next frontier, but the success of any cyber security strategy relies on vigilant and skilled people. A strong cyber defense system requires a team effort, constant attention, and a continuous assessment of and response to threats coming from all sources.
Shimon Sheves truly embodies the adage, “Think Global, Act Local”. He is deeply passionate about his homeland of Israel and works tirelessly to support his community. Sheves is also the founder and chairman of HolistiCyber, a company that provides nation-state level cyber protection.