
Panera Bread Ignored Data Breach Warning, Said it was a “Scam”

Panera Bread has suffered a major data breach, affecting potentially 7 million customers. The data is said to include names, email addresses, and credit card information. What’s worse – the data could have been crawled and indexed with simple automated tools.

This wasn’t news to those at the top at Panera Bread. Last summer, a security researcher told Panera Bread that their website was exposing this sensitive data. When Panera was made aware of the flaw, they dismissed it as a scam or sales pitch. After months of the flaw continuing to be exposed and unpatched, the security researcher decided to go public with evidence of the vulnerability.

“I am not exaggerating when I say you have a massive sensitive data exposure issue,” he said, “and I’d simply like you to be made aware of it so you can quickly resolve it.” -researcher Dylan Houlihan (in response to Panera Bread maintaining that he was giving a sales pitch).

Panera Bread is now downplaying the severity of the breach, telling Fox News that they have closed the hole and that only ten thousand records were exposed. Krebs on Security is not buying it, especially considering Panera’s commercial division, which serves countless catering customers and may run on the same software.

As of this writing, Panera has not made any statement on their website (it was recently taken down) nor on Twitter about the breach.

Photo Credit: Mike Mozart


Are The Shadow Brokers Like Snowden? Theory Suggests Insider Hack

By now, most of our readers have heard of the Shadow Brokers, the hacker group who obtained a large trove of data from the National Security Agency (NSA) and leaked information about the NSA’s cyber tools. The cyber tools were apparently stolen from the Equation Group, a cyber attack operation that experts believe is part of the NSA.

(Watch a quick overview about the NSA hack – “NSA Reportedly Hacked By Group Called The Shadow Brokers”):

Initially, evidence suggested that the Shadow Brokers were Russian, but a new theory is emerging that whoever is leaking this data might be “a second Edward Snowden… albeit one with different motives” (Fortune). James Bamford, a journalist who is well known for his publications about United States intelligence agencies, believes that Russia would not want to publish these hacks if they had obtained them, because companies would quickly patch their vulnerabilities and the information would soon be worthless to anyone trying to sell the data. He also points out that the bad English used by the hackers seems to be phony. Furthermore, he suggests that the hacker(s) could be linked to the NSA’s Tailored Access Operations (TAO), a unit of the surveillance agency that gathers intelligence related to cyber-warfare. He states:

“Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.

So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations” (Reuters).

As of now, the “second Snowden” theory is just that – a theory. Most experts still say Russia is behind the hacks. Nevertheless, as Bamford puts it in his commentary – the “NSA may prove to be one of Washington’s greatest liabilities rather than assets.”


Facial Recognition gets “Hacked” Thanks to Facebook

Facial recognition technology is utilized in many different systems. Biometric software is used in facial recognition tools for security purposes and other applications such as social media marketing. Algorithms use a statistical approach to identify facial features – and facial recognition is increasingly used as a crime-fighting tool. In the future it could be used to monitor employee attendance at work, to enhance security measures at ATMs and to prevent voter fraud. Many privacy advocates see a problem with this technology because it could quickly turn us into a surveillance society.

University of North Carolina researchers have discovered a way to get around facial recognition security. By using a virtual reality (VR) system to develop 3D models of the face, they were able to trick the biometric security measures. They did this with just a handful of photos found on Facebook and were able to fool the systems more than half the time (Newsweek).

Clearly this is a huge security flaw in the technology which means other types of “verifiable data” would need to be used for authentication in order for facial recognition to be a feasible option. One technique that could be used is the detection of infrared radiation which would be given off by a real face, not a 3D model (Techworm).

For more information on how facial recognition technologies work, check out this video from Brit Lab:


Should Uber Drivers be Fingerprinted in Background Checks?

I’ve heard a LOT of talk recently about Uber and Lyft’s pending exit from the Austin, TX marketplace, and I can’t say that I blame them. On one hand — Government “regulation,” only stifles competition… but on the other, when one realizes that just about -anybody- can become a driver for either of these companies so long as they have a 2005+ model vehicle, the idea of fingerprinting potential drivers (IMO) does not seem too far fetched.

Allow me to explain:

When you go to work for Yellow Cab, for example, you become a licensed, bonded driver. In short, Yellow Cab knows exactly who you are and where you’ve lived, and has access to your (criminal) background information (which INCLUDES your fingerprints). To me it’s a safety issue — as a passenger, I would think that knowing your driver is a rational, sane, functional member of society would be quite settling, as it alleviates the “what ifs” associated with climbing into a stranger’s car.

Sadly, responsibility has never actually been part of Uber or Lyft’s business plan. They would much rather you [sic, the driver] assume any and all liability, wherein they [sic, the Company] are held in no way responsible for their utter & complete disregard for proper working conditions, accommodations, etc. As far as I’m concerned, their whole entire platform is digital; it’s not like they really require brick & mortar office buildings, etc. in order to conduct their daily routines. It’s not too much to ask for them [sic, the Company] to properly vet the individuals representing them, else they risk hiring the Zodiac Killer.
Austin, TX for the win.

More: Uber, Lyft set to leave Texas city over fingerprinting rule – MSN.com


Gesture Analysis: Could your Movements be Hacked?

Smart phone and tablet developers will need to put better security measures in place to keep hackers and governments out of their devices. Many newer generation devices implement fingerprint readers in place of passcodes, which are often promoted as a stronger security feature. However, as we learned in recent news, authorities can force you to use your fingerprint to unlock your phone (but you can still invoke your 5th Amendment right to withhold your numeric passcode from them). Gesture analysis could come next.

Free-form gestures have been said to be the next step in passwords. It is very difficult to simulate a complex gesture, as opposed to guessing a numerical combination. Jailbroken iPhones got this feature a while back (called Stride2); you can see how it works here:

In addition to using gestures to set your passwords, your touch-screen device could continuously verify your identity while you’re using it. It would do this by interpreting your gestures with mathematical algorithms. According to Motherboard, “the basic idea is to observe a user’s movements on a touchscreen device for some period of time and to come up with a gestural profile unique to that individual.” Every person makes unique gestures when they use a device and those all add up to make a personal profile. Ideally, if hijackers or authorities have access to your unlocked device, they wouldn’t be able to use it for long. If they did, the device would recognize that the user is not you since the gestures would not fit the profile. Yet as we see from the Motherboard article, robots were able to recreate user biometrics pretty easily.

Phones and tablets could end up having multiple layers of authentication (fingerprint, gesture analysis and codes), but many users would find that to be too much of a hassle. Facial recognition could be another alternative to passwords, but that might not protect you from authorities either. Voice recognition would probably be protected under the 5th Amendment, but it isn’t a convenient way to work with your phone in quiet places. Research into better security features is at the forefront of developers’ minds right now. Hopefully we will see better solutions in the near future.

Photo Credit: Jhaymesisviphotography


New Security Measures from Gmail (VIDEO)

Have you noticed some of the changes lately in your Gmail inbox? You may have received an email from a friend or colleague and saw that it had an unlocked red padlock next to it like this:

(Image: Gmail’s unlocked red padlock, captioned “did not encrypt this message”)

When you hover over the padlock, it says something like: “Some recipients use services that don’t support encryption” or “[(x) service provider] did not encrypt this message”. Gmail put this visual element in place to let users know that the sender’s email service does not support TLS encryption (a video explaining TLS encryption follows this article). Gmail users took notice of this change, and in less than 2 months of implementation, “the amount of inbound mail sent over an encrypted connection increased by 25%” (Nicolas Lidzborski, Gmail Security Blog).

Another change you may have noticed is that the person you receive an email from has a question mark next to their name rather than the standard Google Plus avatar. A message is displayed that says: “Gmail couldn’t verify that this message was sent by [sender]…” This is a new way for Gmail to help you flag spam or determine if emails are spoofed.

(Image: the question-mark avatar Gmail shows for a sender it could not verify)

You will often see this warning when the message has been forwarded or has been sent by a third party site, as reflected by the email headers – or if the email service provider did not sign or verify the messages.
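Both of Gmail’s indicators above can be read off the headers of a received message: the receiving server records whether the last hop arrived over TLS (RFC 3848 writes that as “with ESMTPS”), and its Authentication-Results header (RFC 8601) records whether SPF or DKIM checks on the sender passed. The following is an added example, not code from Google or from this post; the two sample messages are constructed, and the rule that a sender counts as verified when SPF or DKIM passes is a simplification of Gmail’s undocumented behaviour.

```python
import email
import re

# Constructed sample messages (not real mail). The first arrived over TLS and
# authenticated; the second arrived in the clear and neither SPF nor DKIM passed.
SAMPLE_TLS = b"""\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net with ESMTPS id 4c2f9b; Tue, 1 Mar 2016 10:00:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=example.org;
 spf=pass smtp.mailfrom=alice@example.org
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Lunch

See you at noon.
"""

SAMPLE_PLAIN = b"""\
Received: from relay.example.com (relay.example.com [203.0.113.5])
 by mx.example.net with ESMTP id 7d11aa; Tue, 1 Mar 2016 10:05:00 +0000
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=alice@example.org
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Lunch?

Where?
"""


def _flatten(header: str) -> str:
    """Collapse a folded (multi-line) header value into one line."""
    return " ".join(str(header).split())


def inbound_hop_used_tls(msg) -> bool:
    """True if the final hop used SMTP over TLS. The topmost Received header is
    the one the receiving provider wrote; RFC 3848 records a TLS session as
    'with ESMTPS' or 'with ESMTPSA', while plain 'ESMTP' means no encryption."""
    hops = msg.get_all("Received") or []
    if not hops:
        return False
    m = re.search(r"\bwith\s+([A-Z0-9]+)", _flatten(hops[0]), re.IGNORECASE)
    return bool(m) and m.group(1).upper() in {"ESMTPS", "ESMTPSA"}


def sender_verified(msg) -> bool:
    """True if the receiving provider's Authentication-Results header shows
    SPF or DKIM passing (simplified stand-in for Gmail's question-mark rule)."""
    for header in msg.get_all("Authentication-Results") or []:
        for _method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", _flatten(header), re.IGNORECASE):
            if verdict.lower() == "pass":
                return True
    return False


def classify(raw: bytes) -> dict:
    """Return the two facts Gmail surfaces: transport TLS and sender verification."""
    msg = email.message_from_bytes(raw)
    return {"tls": inbound_hop_used_tls(msg), "sender_verified": sender_verified(msg)}


if __name__ == "__main__":
    for name, raw in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(name, classify(raw))
```

Only the topmost Received header is trusted here, because every earlier hop was written by someone else’s server and can say anything; the same caution applies to an Authentication-Results header that does not name your own receiving host.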

These new features are part of Google’s protections that are designed to help keep their users safe. Since 2012, Google has also warned its users if state-sponsored attackers may be targeting them. Even though this is a rare warning to receive, it is important for people like journalists and activists to know if they’re being targeted.

(Image: Gmail’s warning bar about state-sponsored attackers)

Now Google has made a new announcement. If they have reason to believe government-backed attackers may be trying to steal your password, they will give you a full page warning upon sign in like this:

(Image: Google’s new full-page sign-in warning about government-backed attackers)

Google maintains: “The security of our users and their data is paramount.” Do you believe these changes will in fact make Gmail’s users safer?


(Google now lets Gmail users know if senders are not using TLS encryption. Learn about TLS by watching the above video)


Skype Will Better Protect Users by Hiding IP Addresses

Skype has announced that in their new update, they will finally hide your IP address so that you are protected from “trolls”. This news is especially good for gamers who often find themselves DDoS’d by gaming rivals. There have been many YouTube tutorials helping Skype users find IP addresses through Skype calls. This sometimes leads to retaliation tactics against other gamers.

Here is an example of one such tutorial:

Instead of allowing users to opt-out of sharing IP addresses with contacts, Skype’s new update will automatically hide the IP address.

“Microsoft says the measure will ‘prevent individuals from obtaining a Skype ID and resolving to an IP address,’ which won’t only protect gamers, but other Skype users who may be targeted by online trolls.” – Matt Brian, Engadget

Many believe that Skype is responding to the wishes pro-gamers have had for a long time. Some users were already using work-arounds to disguise their IP to protect themselves.

If you still need to get the latest version of Skype, you can find it here.


How Do SSL Certificates Work?

How do you exchange private data over the internet? Part of the answer lies with SSL certificates. Secure Socket Layer (SSL) certificates work by creating a private line of communication that allows private data to be delivered.

The main problem with communication and security over the internet is eavesdropping. Others may be able to access the data exchanged between your computer and the website’s servers, and possibly alter it; this is called a man-in-the-middle attack. SSL certificates are a way of ensuring that no one is able to intercept and decrypt this information.

To better understand how SSL certificates work, let’s imagine a boy is being picked up at the train station for the first time by someone he has never met. How can he know for sure to trust the person picking him up? The answer is simple. His parents write a letter, signed by them, stating that they trust that individual. By trusting his parents’ authority, the boy can now trust the person picking him up.

This is quite similar to how SSL certificates work. Web sites can create certificates and have them signed by something called a CA, or Certificate Authority; DigiCert is one example. Because the certificates are signed by a CA the browser already trusts, browsers can identify websites and servers by their certificates and know whether to trust them. This is the basic concept of how SSL certificates help to identify and trust the websites we are communicating with.

What about actually communicating? What if two people want to talk in that same train station without worrying if someone else is listening? The answer lies with keys. To illustrate the concept of keys and how they help with encryption, imagine each of the two people have a box and a set of keys. The keys are labeled private and public. They exchange their public keys. Now, each person has a private key, the other’s public key, and a box.

The basic process works like this: One person writes a message and places it into the box. They then lock the box with the other’s public key and pass the box along. Once the box is at its destination, only the person holding the private key that matches that public key can open it. If the other person wants to send a message back, they send a letter in a box locked with the first person’s public key. The entire communication, also called a session, can go back and forth securely using this method.

This is much like how the keys behind an SSL certificate are used. The web server sends the browser its certificate, which carries the server’s public key. The browser decides whether to trust the website based on that certificate. If it does, the two sides can exchange messages by encrypting and decrypting them with those keys.
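The two analogies above, the signed letter and the locked box, map directly onto a signature check and a public-key encryption. The following toy model is an added illustration, not the post’s own code or any real TLS library: it uses textbook RSA on fixed Mersenne primes so it runs offline with nothing but the standard library. Real TLS uses random keys, padded RSA or elliptic curves and X.509 certificates, and the names `issue_certificate`, `browser_trusts`, `lock_box` and `open_box` are mine.

```python
import hashlib
import json

E = 65537  # the customary public exponent


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for primes p and q. Constructed: real keys are random."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    """The CA 'signs the letter': hash of the data raised to the private exponent."""
    n, d = private
    return pow(digest_int(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """Anyone holding the CA's public key can check the signature."""
    n, e = public
    return pow(sig, e, n) == digest_int(data)


def cert_body(subject: str, pubkey) -> bytes:
    """What the CA vouches for: this host name belongs to this public key."""
    n, e = pubkey
    return json.dumps({"subject": subject, "n": n, "e": e}, sort_keys=True).encode()


def issue_certificate(ca_private, subject: str, pubkey) -> dict:
    return {"subject": subject, "pubkey": pubkey, "sig": sign(ca_private, cert_body(subject, pubkey))}


def browser_trusts(trust_store, cert: dict, expected_host: str) -> bool:
    """The browser's check: the name must match, and a CA it already trusts must have signed."""
    if cert["subject"] != expected_host:
        return False
    body = cert_body(cert["subject"], cert["pubkey"])
    return any(verify(ca_pub, body, cert["sig"]) for ca_pub in trust_store)


def lock_box(pubkey, message: bytes) -> int:
    """Encrypt with the recipient's public key: anyone can lock the box."""
    n, e = pubkey
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("toy scheme: message must be shorter than the modulus")
    return pow(m, e, n)


def open_box(private, box: int) -> bytes:
    """Only the matching private key opens the box."""
    n, d = private
    m = pow(box, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Fixed Mersenne primes stand in for key generation (constructed for the example).
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**607 - 1, 2**107 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**1279 - 1, 2**89 - 1)  # a key no trusted CA vouched for

TRUST_STORE = [CA_PUB]  # the CA public keys a browser ships with
SERVER_CERT = issue_certificate(CA_PRIV, "shop.example", SERVER_PUB)


def demo() -> dict:
    """Run the checks a browser performs; every value should be True."""
    forged = dict(SERVER_CERT, pubkey=OTHER_PUB)  # genuine signature, swapped-in key
    self_signed = issue_certificate(OTHER_PRIV, "shop.example", OTHER_PUB)
    box = lock_box(SERVER_PUB, b"order total 12.50")
    return {
        "genuine_cert_trusted": browser_trusts(TRUST_STORE, SERVER_CERT, "shop.example"),
        "wrong_host_rejected": not browser_trusts(TRUST_STORE, SERVER_CERT, "bank.example"),
        "swapped_key_rejected": not browser_trusts(TRUST_STORE, forged, "shop.example"),
        "self_signed_rejected": not browser_trusts(TRUST_STORE, self_signed, "shop.example"),
        "server_opens_box": open_box(SERVER_PRIV, box) == b"order total 12.50",
        "other_key_cannot": open_box(OTHER_PRIV, box) != b"order total 12.50",
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The interesting cases are the rejected ones: a certificate whose key was swapped after signing, a certificate signed by a key the browser never trusted, and a certificate for a different host name all fail, which is exactly what stops an eavesdropper from standing in for the real site.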

Identifying websites that have and use SSL is easy. Simply look for the lock at the top of the browser. Never exchange private data unless there is a lock at the top of the browser; if there isn’t, the site is not using an acceptable level of encryption. Anyone who sells anything online needs to have an SSL certificate. All banks and e-commerce sites need to have an SSL certificate to help ensure security.


The Importance of Two-Factor Authentication

Security is not about whether something can be cracked or hacked. The fact is that, given enough resources, anything can be hacked. This is especially true for social media accounts. However, the goal is to balance security measures with the severity of what would happen if the account were to be hacked. The more sensitive the information, the more security measures need to be used. In other words, in order to better secure and ensure privacy over the internet, multi-factor authentication needs to be used. If you want to better secure your social media accounts, use two-factor authentication.

Methods of Authentication

Multi-factor authentication simply means combining ways to ensure the right people are able to access a system. There are different ways or factors that allow someone to be authenticated over the internet or any other system.

The first one is what the user knows. This is usually something like a password. In order to log into an email account, someone has to know their username and password. This is using only one factor in authenticating someone.

The next factor or method of authenticating someone is what the user or person has. This can be a badge or an ID. You are being authenticated by something you have on you. A driver’s license can be identified as this method as well.

The last factor is what the person is. This can be fingerprints, DNA, and even retina patterns. This means that biometric scanners are a way of authenticating you by what you are. Some laptops have fingerprint scanners which only allow you to use the computer if you are scanned and authenticated.

Two-Factor Authentication

Two-factor authentication is the balance between resources and risks. Hackers may steal your password to your social media accounts. However, it would be more difficult for them to steal both a password and your mobile phone. By including your phone in your security setup with your social media accounts, you are using two-factor authentication to better secure your privacy.

For example, Facebook allows you to use your phone to control login approvals. When you log in, Facebook will send you a code to your phone. You then put in the code that they send you. The two factors in this authentication method are what you know and what you have. You have to know your password and have possession of your phone in order to log in.

Hacking Your Social Media Account with Just Your Email

Hacking into a social media account that doesn’t use two-factor authentication is simple. All a hacker needs is an email password. Email addresses are easy to find out; after all, most people treat their email address as public knowledge. From there, a hacker can narrow your password down to something you are familiar with. Rarely do people have complicated passwords. A hacker would possibly try different passwords at intervals so as not to trigger a lockout on your account.

After a given period of time, a hacker could come to the right password. After that, all the hacker would have to do is click the “Forgot Password” link on any social media site and it would send the password reset right to the hacker’s inbox. This is all with one-factor authentication.
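From the defender’s side, the spaced-out guessing described above is the failure mode a simple lockout rule misses: each hour looks harmless, and only the total over a day gives it away. The following is an added example, not from the post or any product; the log lines are constructed, and the function names and thresholds are mine.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs). "alice" is being
# guessed roughly every two hours, "carol" is hit in one burst, "bob" mistyped once.
SAMPLE_LOG = """\
2016-03-01T00:05:12Z login_failed user=alice src=198.51.100.7
2016-03-01T02:11:40Z login_failed user=alice src=198.51.100.7
2016-03-01T03:59:03Z login_ok user=bob src=192.0.2.44
2016-03-01T04:20:55Z login_failed user=alice src=198.51.100.7
2016-03-01T06:30:02Z login_failed user=alice src=198.51.100.7
2016-03-01T08:41:19Z login_failed user=alice src=198.51.100.7
2016-03-01T09:00:00Z login_failed user=bob src=192.0.2.44
2016-03-01T10:45:27Z login_failed user=alice src=198.51.100.7
2016-03-01T12:00:01Z login_failed user=carol src=203.0.113.9
2016-03-01T12:00:04Z login_failed user=carol src=203.0.113.9
2016-03-01T12:00:07Z login_failed user=carol src=203.0.113.9
2016-03-01T12:00:11Z login_failed user=carol src=203.0.113.9
2016-03-01T12:00:15Z login_failed user=carol src=203.0.113.9
"""


def parse_events(text: str):
    """Turn 'timestamp event key=value ...' lines into (time, event, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, kv["user"], kv["src"]))
    return events


def max_in_span(times, span: timedelta) -> int:
    """Largest number of timestamps that fall inside any window of length `span`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > span:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_password_guessing(events, window=timedelta(hours=24), threshold=5,
                           lockout_limit=5, lockout_span=timedelta(minutes=15)) -> dict:
    """Report accounts with `threshold` or more failures inside `window`, and note
    whether a conventional lockout rule (lockout_limit failures in lockout_span)
    would even have noticed them."""
    failures = defaultdict(list)
    for ts, event, user, _src in events:
        if event == "login_failed":
            failures[user].append(ts)
    report = {}
    for user, times in failures.items():
        total = max_in_span(times, window)
        if total >= threshold:
            report[user] = {
                "failures": total,
                "lockout_would_trip": max_in_span(times, lockout_span) >= lockout_limit,
            }
    return report


if __name__ == "__main__":
    for user, info in flag_password_guessing(parse_events(SAMPLE_LOG)).items():
        print(user, info)
```

In the sample, carol’s burst trips the lockout rule on its own, while alice’s slow campaign never does and only shows up in the 24-hour count; the second factor described in this post is what makes the eventual correct guess useless to the attacker.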

The Best Security Method for Social Media

The best method for privacy on social media sites is including your phone in your privacy settings. Most social media sites and even Google include features to send codes right to your phone. This method allows you to use two-factor authentication in order to gain better security and control over your social media accounts.

Resources

https://www.facebook.com/about/basics/how-to-keep-your-account-secure/login-approvals/