Tag: data leak

By Jack More for Mashable 

They wouldn’t have numbered it if it was the only one.

On 16 January, security researcher Troy Hunt uploaded a massive cache of leaked e-mails and passwords to his invaluable website have i been pwned.

The 87GB dataset, dubbed “Collection #1,” was admittedly years old, and had been passed around by hackers for some time now. Still, the sheer scale of it — containing over 772-million email addresses — turned heads. Hold onto your digital butts, because as Krebs on Security reports, you ain’t seen nothing yet.

According to Krebs, the Collection #1 data breach is, unsurprisingly, part of a much larger collection of stolen online credentials being sold online. And, taken as a whole, it dwarfs Collection #1’s size.

Just how big are we talking? According to the hacker allegedly selling access to the data who communicated with Krebs over Telegram, the entire data set of email addresses and passwords comes close to 1TB. Brian Krebs, the infosec journalist behind Krebs on Security, tweeted a screenshot purportedly depicting a page listing the data for sale.

In addition to the 87GB Collection #1, there’s a 526GB Collection #2, a 37GB Collection #3, a 178GB Collection #4, a 42GB Collection #5, and two other folders totaling an additional 126GB worth of credentials.

The seller told Krebs that, in total, they had close to 4TB of so-called password packages. Yeah, that’s a lot. According to the image above, the “Price for access lifetime” is only a cool $45 (R630).

So your email, along with one or more passwords to various throwaway online accounts you’ve used and discarded over the years, is likely being traded on the dark web. What does this mean for you?

Well, if you’re smart about your online security, probably not too much immediately. Assuming you use unique passwords for each account online — and you definitely should — any of your passwords contained in the dataset would only gain a hacker access to one specific online service. Like, say, your old Tumblr account. And, if you use two-factor authentication, you’re likely in the clear.

However, all this goes out the window if a hacker gets access to your main email account and can initiate password resets. And if the email account in question just so happens to share a password with your now-defunct Neopets account or whatever? You might legit be in trouble. Consider getting a password manager, and make sure your email has a unique password and 2FA.

And then go about your normal online business, comfortable in the knowledge that your personal data is being sold to hackers for the low, low price of $45 (R630).

To see whether your email address has been breached, visit have i been pwned.

Facebook has made its data crisis worse

Facebook Inc tried to get ahead of its latest media firestorm. Instead, it helped create one.

The company knew ahead of time that on Saturday, the New York Times and The Guardian’s Observer would issue bombshell reports that the data firm that helped Donald Trump win the presidency had accessed and retained information on 50-million Facebook users without their permission.

Facebook did two things to protect itself: it sent letters to the media firms laying out its legal case for why this data leak didn’t constitute a “breach.” And then it scooped the reports using their information, with a Friday blog post on why it was suspending the ad firm, Cambridge Analytica, from its site.

Both moves backfired.

On March 16, Facebook said it “received reports” that Cambridge Analytica hadn’t deleted the user data, and that it needed to suspend the firm. The statement gave the impression that Facebook had looked into the matter. In fact, the company’s decisions were stemming from information in the news reports set to publish the next day, and it had not independently verified those reports, according to a person with knowledge of the matter. By trying to look proactive, Facebook ended up adding weight to the news.

On March 17, any goodwill the company earned by talking about the problem first was quickly undone when reporters revealed Facebook’s behind-the-scenes legal manoeuvring. “Yesterday Facebook threatened to sue us. Today we publish this,” Carole Cadwalladr, the Observer reporter, wrote as she linked her story to Twitter, in a post shared almost 15,000 times. The Guardian said it had nothing to add to her statement. The Times confirmed that it too received a letter, but said it didn’t consider the correspondence a legal threat.

Front-running the stories along with the letters to newsrooms are but two of several ways Facebook failed to contain fallout from the Cambridge Analytica revelations. Silence on the part of chief executive officer Mark Zuckerberg and chief operating officer Sheryl Sandberg didn’t help. Nor did a report late March 19 in the New York Times that chief security officer Alex Stamos is leaving after clashing with other executives, including Sandberg, over how Facebook handled Russian disinformation campaigns. Facebook said Stamos is still at the company, but didn’t outright deny that he plans to leave.

“Most of its executives haven’t done a real interview in ages, let alone answer deep questions,” Zeynep Tufekci, an associate professor at the University of North Carolina who specialises in social networks and democracy, wrote in a post on Twitter.

In a sign of investor dismay, Facebook shares tumbled 6.8% on March 19, the biggest decline since March 2014. As the stock fell and criticism from lawmakers poured in from the US and Britain, the company worked to make it clear that it didn’t actually have enough information, on its own, to react to Saturday’s news reports in a stronger way.

Facebook put out another blog post, saying that Cambridge Analytica and the researcher who provided them the data, Aleksandr Kogan, had agreed to a digital forensics audit to prove they deleted it. Facebook said the one person who didn’t agree to the audit was Christopher Wylie, the former Cambridge Analytica contractor who spoke to the newspapers about the data leak. With the post, Facebook aimed to stir more scepticism around Wylie’s information, according to a person familiar with the matter.

That didn’t resolve things quickly either. The auditors were already on site at Cambridge Analytica’s London office March 19 when they had to pause their work. The UK Information Commissioner’s Office is pursuing a warrant to conduct its own on-site investigation.

The Cambridge Analytica saga is the latest in a series of bungled Facebook responses, often reactionary and sometimes unintentionally stirring public outrage instead of resolving concerns. The company’s interaction with the public tends to start with a carefully crafted blog post, and then evolve into a much more improvised Twitter-based conversation with lower-level executives who defend the social network and explain its decisions. It doesn’t always go well.

Earlier this year, when the US government indicted 13 Russians who used Facebook to manipulate voters, a Facebook advertising executive took to Twitter to clarify that overall, the Russian ads were primarily used to divide Americans, not influence the election. His comments went viral after President Donald Trump used them to back up attacks on the “fake news media.”

In 2017, Facebook made its disclosures on Russia’s activities in a slow drip, each time illustrating a bigger problem. An April white paper on “information operations,” for example, didn’t name the country. The company that October said 10 million users saw Russia’s ads. Later that month, Facebook said 126 million people saw Russia’s posts in general. The company upped the number to 150 million during Congressional interrogation, when a senator asked if Facebook could include Instagram, the photo-sharing app it owns, in the count.

Stamos, who has favoured more forthright disclosure, was frequently outvoted, according to the New York Times. He’s planning to leave the company in August, the newspaper reported. On Twitter, he later said he’s still fully engaged with his work at Facebook, without answering questions about his plans. But that would make him the most high-profile exit since Facebook’s election-related troubles began.

Meanwhile, higher ranking executives remain quiet. Zuckerberg and Sandberg, who in past years would post frequently about the issues of the day, have shied away from reacting to the most controversial news. Lawmakers have now called out Zuckerberg by name in both the US and the UK.

Zuckerberg and Sandberg plan to remain quiet on the Cambridge Analytica situation until the company completes its internal review of what happened, according to a person familiar with the matter. Until they do, questions about Facebook’s ability to cope with the Cambridge Analytica crisis will undoubtedly persist. — Bloomberg

By Sarah Frier for The Star

The largest data leak recorded in South Africa has been traced to a Web server registered to a real estate company based in Pretoria.

Table headings from the data leaked are as follows:

  • NEW_IDN
  • TITLE
  • FIRST_NAME
  • SURNAME
  • DECEASED_STATUS
  • CITIZENSHIP
  • GENDER
  • AGE_GROUP
  • POPULATION_GROUP
  • LOCATION
  • MARITAL_STATUS
  • LSM_GROUP
  • ESTIMATED_INCOME
  • HOMEOWNERSHIP
  • DIRECTORSHIP1
  • CIV_NET
  • MOST_RECENT_PHYSICAL_ADDR_LINE1
    MOST_RECENT_PHYSICAL_ADDR_LINE2
    MOST_RECENT_PHYSICAL_ADDR_LINE3
    MOST_RECENT_PHYSICAL_ADDR_LINE4
  • MOST_MAIL_PHYSICAL_ADDR_LINE1
    MOST_MAIL_PHYSICAL_ADDR_LINE2
    MOST_MAIL_PHYSICAL_ADDR_LINE3
    MOST_MAIL_PHYSICAL_ADDR_LINE4
    MOST_RECENT_POSTAL_ADDR_LINE1
    MOST_RECENT_POSTAL_ADDR_LINE2
    MOST_RECENT_POSTAL_ADDR_LINE3
    MOST_RECENT_POSTAL_ADDR_LINE4
  • CELL_1
    CELL_2
    CELL_3
  • WORK_1
    WORK_2
    WORK_3
  • HOME_1
    HOME_2
    HOME_3
  • EMAIL_1
    EMAIL_2
    EMAIL_3
  • OCCUPATION_1
    OCCUPATION_2
    OCCUPATION_3
  • EMPLOYER_1
    EMPLOYER_2
    EMPLOYER_3
  • PROPERTY_1_TRANSFER_DATE
    PROPERTY_ID10
    PROPERTY_1_PROVINCE
    PROPERTY_1_TOWNSHIP
    PROPERTY_1_ERF_NUMBER
    PROPERTY_1_UNIT_NUMBER
    PROPERTY_1_SALES_PRICE
    PROPERTY_1_BOND_AMOUNT
    PROPERTY_1_BOND_HOLDER
    PROPERTY_1_TITLE_DEED
  • PROPERTY_2_TRANSFER_DATE
    PROPERTY_2_PROVINCE
    PROPERTY_2_TOWNSHIP
    PROPERTY_2_ERF_NUMBER
    PROPERTY_2_UNIT_NUMBER
    PROPERTY_2_SALES_PRICE
    PROPERTY_2_BOND_AMOUNT
    PROPERTY_2_BOND_HOLDER
    PROPERTY_2_TITLE_DEED
  • PROPERTY_3_TRANSFER_DATE
    PROPERTY_3_PROVINCE
    PROPERTY_3_TOWNSHIP
    PROPERTY_3_ERF_NUMBER
    PROPERTY_3_UNIT_NUMBER
    PROPERTY_3_SALES_PRICE
    PROPERTY_3_BOND_AMOUNT
    PROPERTY_3_BOND_HOLDER
    PROPERTY_3_TITLE_DEED
  • PRIMARY KEY (`NEW_IDN`)
  • KEY `MOST_RECENT_PHYSICAL_ADDR_LINE3` (`MOST_RECENT_PHYSICAL_ADDR_LINE3`)
  • KEY `PROPERTY_1_TOWNSHIP` (`PROPERTY_1_TOWNSHIP`)
    KEY `PROPERTY_2_TOWNSHIP` (`PROPERTY_2_TOWNSHIP`)
    KEY `PROPERTY_3_TOWNSHIP` (`PROPERTY_3_TOWNSHIP`)

“Whois lookup” information points to Jigsaw Holdings, a holding company for several real estate franchises, including Realty1, ERA and Aida. The misconfigured website had exceptionally lax security, and until recently allowed anyone with a small amount of technical knowledge to view or download any of the 75-million database records held there. More than 60-million of those records consisted of the personal data of South African citizens.

Contacted by TechCentral for comment on Wednesday morning, Jigsaw management requested time to investigate the issue, and on Wednesday evening neither the company nor its legal counsel was contactable.

When the news of the huge trove of personal information was shared by information security researcher Troy Hunt on Tuesday, the initial response was that there had been a hack. But it seems that hacking wasn’t required: the information was easily available on an open Web server. Direct access to the server had, at the time of writing late on Wednesday afternoon, been secured.

It appears that Jigsaw had been using this data, which was likely sourced from credit bureaus, to provide a service to its estate agents. Presumably this was to allow the agents to vet prospects, and get contact information for leads. It is questionable whether a real estate company should be hosting this volume of information and it is unclear what the original source of the data was.

The company initially fingered for the breach in some online articles, Dracore Data Sciences, is innocent. Initial circumstantial evidence linking the company based on some common headers on one of their own websites seems to be coincidence. Although Dracore may have been a data “enricher” for the company that leaked the data, it doesn’t seem likely that they had anything to do with the leak, and Dracore is adamant that it’s not involved.

Popi Act
Poor information control, as in this case, is one of the reasons for the introduction of the Protection of Personal Information (Popi) Act. And, had the act been fully implemented, a negligent company could be liable to up to R10-million in fines and negligent company officers jailed for up to 10 years. The ramifications of this breach probably won’t be as dire. Anyone who suffers damages due to the release of the data would have to sue for damages under common law, something that is quite difficult and complex to do.

Chris Basson, from Eighty20 business consultancy, put it like this: “Without making too many assumptions, we can say that the people responsible for building a solution which provides such uncontested access to personal information, had no business having the data in the first place.”


Basson argued that one should look beyond the ineptitude of the people who made the information so easily available, and rather ask the question: “Who was the idiot that gave them access to the data in the first place?”
The security missteps are egregious and, according to infosec consultancy SensePost’s Willem Mouton, showed an “overall lack of security awareness”.

“From a development perspective, the websites appear to be vulnerable to SQL injection… [and]… in terms of deployment, having database interfaces open to the Internet provide entry points.”

He pointed out that while examining the site, SensePost noticed that “the credentials for these entry points were leaked via error messages from another site, and they appear to be re-using the credentials everywhere”.
These leaked credentials allowed for full administrator privileges in the database, and in fact allowed full administrator access to all the databases on the server. To make matters worse, the personal data was contained in a single database in clear text.

Mouton also noted that it was concerning that nobody noticed the large volume of data leaving the network. “Multiple people pulled a 30GB file, and nobody noticed.”
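The monitoring gap Mouton describes can be closed with a per-client transfer check over the web server's access log. The following is an added example, not part of the original article or of any tooling it mentions; it assumes the Apache/nginx "combined" log format, and the 1 GiB threshold, file path and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client, request line, status, bytes sent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
GIB = 1024 ** 3

def large_pulls(lines, limit=GIB):
    """Return sorted (path, client, total_bytes) for each client whose successful
    downloads of one object add up to `limit` bytes or more."""
    totals = defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["bytes"] == "-":
            continue                       # unparseable, or no body sent
        if m["status"] not in ("200", "206"):
            continue                       # errors and redirects move no data
        path = m["path"].split("?", 1)[0]  # same object regardless of query string
        # Summing per (object, client) catches a download split into many
        # 206 range requests, which a per-request size check would miss.
        totals[(path, m["ip"])] += int(m["bytes"])
    return sorted((p, ip, n) for (p, ip), n in totals.items() if n >= limit)

# Constructed sample lines (documentation IP ranges, made-up path and sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:09:12:01 +0000] "GET /files/dump.sql HTTP/1.1" 200 32212254720 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /files/dump.sql HTTP/1.1" 206 10737418240 "-" "Wget/1.21"
198.51.100.7 - - [01/Jan/2024:10:20:45 +0000] "GET /files/dump.sql HTTP/1.1" 206 10737418240 "-" "Wget/1.21"
198.51.100.7 - - [01/Jan/2024:10:41:03 +0000] "GET /files/dump.sql HTTP/1.1" 206 10737418240 "-" "Wget/1.21"
203.0.113.5 - - [01/Jan/2024:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:11:05:00 +0000] "GET /files/dump.sql HTTP/1.1" 404 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for path, ip, n in large_pulls(SAMPLE_LOG):
        print(f"ALERT {ip} pulled {n / GIB:.1f} GiB of {path}")
```
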

He said verbose error messages and indexable Web directories were a boon to anyone who wished to hack the server.
Unfortunately, for South Africans whose personal information is now widely available, there isn’t much that they can do other than increase their vigilance for any attempts at identity theft.

By Andrew Fraser for Tech Central; PasteBin



My Office News Ⓒ 2017 - Designed by A Collective

