Tuesday 3rd of June 2014
The start of a new month and another company's system has been hacked; what's next, and what can we do to stop the continual electronic hacks?
Giant companies are being brought to their knees by cyber attacks, and that should be sounding an alarm bell for all companies. The storage of your clients' information needs to be handled with the utmost care.
The massive data breach of Target clients (late last year) forced the resignation of that company's CEO. Now the e-commerce site eBay is asking users to change their passwords, as its database of encrypted passwords has been compromised by a similar cyber attack. More recently still, owners of Apple devices are having themselves digitally held to ransom by hackers demanding payment before they will relinquish control of the devices. iPad, iPhone and Mac owners in Queensland, NSW, Western Australia, South Australia and Victoria have reported having their devices held hostage.
The eBay issue/hack
Cyberattackers stole a small number of employee log-in credentials that gave access to eBay's corporate network, the company said. The San Jose, California-based company is working with law enforcement to investigate the attack. The database was hacked sometime between late February and early March, but the compromised employee log-in credentials were first detected only two weeks ago.
The company says its investigation is active and it can't comment on the specific number of accounts affected, but says the number could be large, so it is asking all users to change their passwords.
According to eBay, there is no evidence of any unauthorized activity and no evidence any financial or credit card information was stolen. (This statement reminds me of a similar line used by Adobe last year.)
“It is a lesson even the smallest company can draw from – and everyone should take to heart.”
“It isn’t just for large corporate entities or governments. It is a cautionary tale. It could be a three or one person business, ultimately the data you have cannot (must not) be lost or stolen.” – Tony Busseri, CEO of Route 1 Inc
Busseri strongly advocates a security methodology that ensures data never leaves the safe confines of an organization's firewall.
“The root cause for most breaches is lost, stolen or ‘hacked into’ mobile devices used for remote access,” he says. “This is the fifth or sixth of these types of breaches that have happened with our federal government, and there seems to be a type of behaviour where they allow portable hardware to be attached to a network to extract information, and then that portable device that isn’t encrypted is lost or stolen.”
The Target issue/hack
Target’s President and CEO Gregg Steinhafel resigned in the wake of the company’s massive data breach this summer. The breach put the credit and debit card information, as well as email addresses and phone numbers, of more than 100 million customers into the hands of malicious hackers.
Since then, Target – a Fortune 100 company – has faced declining profits and loss of consumers’ faith.
The Apple issue/hack
Owners of Apple devices are having them digitally held for ransom by hackers demanding payment before they will relinquish control. One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud "lost phone" message that said "Oleg Pliss" had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked.
It is likely the hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle. A similar name is listed on LinkedIn as a banking professional in Ukraine, while there are others in Russia.
Users who have a passcode on their device appear to be able to unlock it after the hacker has sent them the message demanding payment, but those who had not set a passcode are unable to. Dozens of others across the country reported similar early morning messages.
A Melbourne Apple user reported the issue affecting their iPad. "I was using my iPad a short while ago when suddenly it locked itself," the user, "veritylikestea", wrote on Monday. "I went to check my phone and there was a message on the screen ... saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by Paypal to lock404@hotmail.com) to return them to me. I have no idea how this has happened."
A PayPal spokesman said there was no PayPal account linked to the email address the hacker used. The spokesman added that any money that may have been sent by victims would be refunded.
Those with iPhones say they have been calling Telstra, Vodafone and Optus to try to fix the issue. Some have been calling Apple directly.
"Vodafone kept saying 'iPhone can't be hacked,' " one Apple user, "Shleighbo", wrote.
"Rang Telstra and they said it is an Apple issue," another, "georgie81", said.
"The Optus tech support was not helpful," said yet another user, "Bettybam".
Comment is being sought from Apple.
A Telstra spokesman said the telco was aware of the reports and had referred the matter to Apple. "In the meantime customers who need assistance can contact Apple Care," the Telstra spokesman said.
Vodafone said no customers had reported the issue to its support centre.
Optus said if customers had any questions about their Apple devices, they "should speak directly to Apple".
The Australian Competition and Consumer Commission, which runs the federal government's Scam Watch website, said only one user had reported the issue to it so far.
Troy Hunt, an IT security expert, speculated that hackers were using compromised login credentials from recent data breaches to access accounts and lock users out.
As is often the case, web users largely use the same password across their multiple online services, meaning that if their password is compromised in a breach at one firm and they do not change it, their other accounts become vulnerable.
"It’s quite possible this is occurring by exploiting password reuse," Mr Hunt said. "Regardless of how difficult someone believes a password is to guess, if it's been compromised in another service and exposed in an unencrypted fashion, then it puts every other service where it has been reused at risk."
Companies like Target (and Apple, Adobe and eBay) having to come forward and ask customers to change passwords and check their bank accounts creates a lack of trust, says Busseri, and ultimately puts the company in a poor light.
Just recently, the computer security flaw nicknamed ‘Heartbleed’, a flaw in a key piece of security technology used by more than 500,000 websites, had been exposing online passwords and other sensitive data to potential theft for more than two years.
No matter how good the encryption method, there will always be one fatal flaw: people.
As mentioned above, most people use the same password on multiple accounts and devices. Once one account becomes compromised, all the other accounts are then open to attack. With mobile devices automatically logging in to various accounts (such as Google, Facebook, eBay and even banks) to give remote users access, the problem will only get worse. These devices are easily lost or stolen, and if they fall into the wrong hands, even the most secure system can be compromised.
Almost all of the above issues were caused by email accounts being hacked. Most likely the password was too weak, so the hackers gained access to the email account by brute-forcing the password (trying different combinations until they got the right one). Then, if that email address was connected to another account, the hackers requested password recovery for that account. Once the new password arrived, they had a working pair: the ID/username and the new password.
Please be sure to use a secure password for your accounts, and make it different for each of your many accounts. This can be difficult to manage, but it is almost a requirement now. Perhaps you will need to store your logins in a secure vault?
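The password-reuse problem described by Troy Hunt above, and the advice here to use a different strong password per account, can both be checked mechanically once logins live in a vault. The following is an added example written for this post, not code from the post or from any vendor mentioned in it. It assumes a vault export that can be read as (service, username, password) triples and a locally held list of SHA-1 digests of passwords known from past breaches; the vault contents and the breach list are constructed for illustration.

```python
"""Audit a password vault export for reused, breached and short passwords.

Added example (not part of the original post). The vault rows and the breach
list below are constructed; a real audit would load both from files.
"""
import hashlib
from collections import defaultdict

# Constructed sample vault export: (service, username, password).
VAULT = [
    ("email", "alice@example.com", "Summer2013!"),
    ("ebay", "alice_b", "Summer2013!"),
    ("bank", "alice_b", "Summer2013!"),
    ("shopping", "alice_b", "password1"),
    ("wifi", "alice", "Tr0ub4dor"),
    ("forum", "alice_b", "correct horse battery staple"),
]


def sha1_hex(password):
    """SHA-1 hex digest, the form in which leaked-password lists are commonly distributed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed breach list: digests of passwords that appeared in a hypothetical dump.
# Holding digests rather than plaintext means the audit never needs the dump itself.
BREACHED_SHA1 = {sha1_hex("Summer2013!"), sha1_hex("password1"), sha1_hex("letmein")}


def find_reuse(vault):
    """Map each password digest shared by more than one service to the sorted list of those services."""
    by_hash = defaultdict(list)
    for service, _user, password in vault:
        by_hash[sha1_hex(password)].append(service)
    return {h: sorted(services) for h, services in by_hash.items() if len(services) > 1}


def find_breached(vault, breached_hashes):
    """Services whose password digest is in the breach list; the comparison is local, nothing is sent anywhere."""
    return sorted(service for service, _user, pw in vault if sha1_hex(pw) in breached_hashes)


def find_weak(vault, min_length=12):
    """Services whose password is shorter than min_length; length is the simplest useful strength check."""
    return sorted(service for service, _user, pw in vault if len(pw) < min_length)


def audit(vault, breached_hashes, min_length=12):
    """Run all three checks and return a report that contains service names only, never passwords."""
    return {
        "reused_groups": sorted(find_reuse(vault).values()),
        "breached": find_breached(vault, breached_hashes),
        "weak": find_weak(vault, min_length),
    }


if __name__ == "__main__":
    report = audit(VAULT, BREACHED_SHA1)
    for group in report["reused_groups"]:
        print("same password shared by:", ", ".join(group))
    print("found in breach list:", ", ".join(report["breached"]))
    print("shorter than 12 characters:", ", ".join(report["weak"]))
```

Each finding maps directly to one of the problems in the post: a reused group is the set of accounts that fall together when any one of them is breached, a breached hit is a password that attackers can already try, and a short password is the brute-force case. The report deliberately carries service names and digests only, so it can be shared with a support team without exposing the passwords themselves.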
If you have any questions regarding your logins, please don’t hesitate to contact our support team at support@rhyemedia.com.au, or follow us on our Facebook, Twitter and Google+ pages!
Route1 Inc. is a data security and identity management company that provides solutions for secure, remote access to the US Department of Defence and the US Department of Homeland Security, as well as certain divisions of the Canadian Government and private sector businesses.
Sources:
http://www.insurancebusinessonline.com.au/news/target-ebay-hacks-lessons-for-brokers-188249.aspx
http://www.smh.com.au/digital-life/consumer-security/australian-apple-idevices-hijacked-held-to-ransom-20140527-zrpbj.html
https://au.news.yahoo.com/technology/a/23722507/massive-breach-at-ebay-which-urges-password-change