Demi Moore’s AmEx appears to have gone on a wild $169,000 shopping spree without her.
Federal prosecutors are going after David Matthew Read for allegedly reporting Moore’s credit card missing and requesting a new one back in March, then spending nearly $200,000 on items before Moore’s assistant called American Express to report questionable activity later that month, according to court documents obtained by Page Six on Wednesday.
Read, 35, was identified by surveillance footage from when he picked up the new credit card at FedEx.
The prosecutor could also identify Read on Saks Fifth Avenue security footage after he spent approximately $16,249.80 at the store, according to the court docs. He also allegedly purchased $3,748.73 worth of merchandise at a Nordstrom store — where he was also identified by store footage — and hit up two other Nordstrom locations before racking up his whopping $169,764.73 bill.
Finally, Read was identified in April after “a Nordstrom loss prevention investigator told [the prosecutor] that the same person who used the card … on the [specified] dates … also used a Chase debit card to pay off a balance on some of the transactions, and that the account holder for the debit card was [Read].” Chase confirmed the card was used at Nordstrom, and provided the investigator with Read’s birthday to help nab him.
Read had previously been arrested in February 2018 by the Glendale Police Department for fraud and vehicle theft after allegedly purchasing a Mercedes using another person’s information.
His booking photos were compared with the surveillance footage from the stores to make the arrest. When confronted, he admitted that he used the card without Moore’s authorization, according to the court docs.
It was also alleged that Read worked with Marc Ian Highley, and that the men rented a storage unit to house the stolen goods. Highley also used Moore’s credit card, according to court documents.
Read’s next court date is set for July 13. His attorney did not immediately get back to us.
A rep for Moore did not immediately return our request for comment.
Looking back at the first six months of 2018, there haven't been as many government leaks and global ransomware attacks as there were by this time last year, but that's pretty much where the good news ends. Corporate security isn't getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.
Here are the big digital security dramas that have played out so far this year—and it's only half over.
Russian Grid Hacking
In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility's control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn't until this year, though, that the US government began publicly acknowledging the Russian state's involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House's public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED's grid-hacking guide to gauge when you should really freak out.
In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.
Rampant Data Exposures
Data breaches have continued apace in 2018, but their quiet cousin, data exposure, has been prominent this year as well. A data exposure, as the name suggests, is when data is stored and defended improperly such that it is exposed on the open internet and could be easily accessed by anyone who comes across it. This often occurs when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access. This was the case with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The trove didn't include Social Security numbers or credit card numbers, but it did comprise 2 terabytes of very personal information about hundreds of millions of US adults—not something you want hanging out for anyone to find. The problem was discovered by security researcher Vinny Troia and reported by WIRED in June. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.
Cloud leaks pop up regularly, but data exposures can also occur when software bugs inadvertently store data in a different format or location than intended. For example, Twitter disclosed at the beginning of May that it had been unintentionally storing some user passwords unprotected in plaintext in an internal log. The company fixed the problem as soon as it found it, but wouldn't say how long the passwords were hanging out there.
After the revelation of a data exposure, organizations often offer the classic reassurance that there is no evidence that the data was accessed improperly. And while companies can genuinely come to this conclusion based on reviewing access logs and other indicators, the most sinister thing about data exposures is that there's no way to know for sure what exactly went down while no one was watching.
Hackers breached Under Armour's MyFitnessPal app in late February, compromising usernames, email addresses, and passwords from the app's roughly 150 million users. The company discovered the intrusion on March 25 and disclosed it in under a week—some welcome hustle from a large company. And it seems Under Armour had done a good enough job setting up its data protections that the hackers couldn't access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials. The company had even protected the passwords it was storing by hashing them, or converting them into unintelligible strings of characters. Pretty great, right? There was one crucial issue, though: Despite doing so many things well, Under Armour admitted that it had only hashed some of the passwords using the robust function called bcrypt; the rest were protected by a weaker hashing scheme called SHA-1, which has known flaws. This means that attackers likely cracked some portion of the stolen passwords without much trouble to sell or use in other online scams. The situation, while not an all-time-worst data breach, was a frustrating reminder of the unreliable state of security on corporate networks.
One to Watch: VPNFilter
At the end of May, officials warned about a Russian hacking campaign that has impacted more than 500,000 routers worldwide. The attack spreads a type of malware, known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. But it can also directly spy on and manipulate web activity on the compromised routers. These capabilities can be used for diverse purposes, from launching network manipulation or spam campaigns to stealing data and crafting targeted, localized attacks. VPNFilter can infect dozens of mainstream router models from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei. The FBI has been working to neuter the botnet, but researchers are still identifying the full scope and range of this attack.
Home routers have become the rats to hackers' bubonic plague: an easily infected, untreated, and ubiquitous population in which dangerous digital attacks can spread. Now security researchers are warning that one group of sophisticated hackers has amassed a collection of malware-infected routers that could be used as a powerful tool to spread havoc across the internet, or simply triggered to implode networks across the globe.
On Wednesday, Cisco's Talos security division warned of a new breed of malware it calls VPNFilter, which it says has infected at least half a million home and small business routers, including those sold by Netgear, TP-Link, Linksys, MikroTik, and QNAP network storage devices. Talos believes that the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities. Perhaps most disturbingly, they note the tool also has a destructive feature that would allow the hackers behind it to immediately corrupt the firmware of the entire collection of hacked routers, essentially bricking them.
"This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want," says Craig Williams, who leads Talos' security research team. "It's basically an espionage machine that can be retooled for anything they want."
Exactly how VPNFilter infects its targets isn't yet clear. But home routers are notoriously prone to vulnerabilities that can allow remote hackers to take them over, and rarely receive software updates. "This is a set of devices that's getting targeted more and more over the years," says Michael Daniel, the head of the Cyber Threat Alliance, a security industry group that's working with Cisco's Talos to alert the industry to the VPNFilter threat and hasten its removal. "They sit outside firewalls, they don’t have native antivirus, they're hard to patch."
Talos writes in a detailed blog post that the VPNFilter malware is capable of siphoning off any data that passes through the network devices it infects, and appears specifically designed to monitor credentials entered into websites. Another, largely unexplained spying feature of the tool seems to watch for communications over the Modbus SCADA protocol that's used for controlling automated equipment and internet-of-things devices.
But Talos' Williams also points out that the mass of hacked routers can also function as a collection of proxies for other activities the hackers might engage in—from penetrating other targets to distributed denial-of-service attacks designed to knock websites offline. Hence the VPN in its name. "We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor," Talos' blog post reads.
Separately from the espionage threat it represents, however, Talos hints at yet another possible mission behind VPNFilter. The majority of its 500,000 victim routers are in Ukraine, a portion that has been growing quickly since May 17, when Talos saw a spike in Ukrainian infections controlled by a separate command-and-control server. Combined with the malware's firmware-corrupting capability, that suggests the hackers behind the router malware could be preparing a mass disruption that might take down hundreds of thousands of Ukrainian networks simultaneously. "When you combine the factors at play here, the destructive nature of the malware, and the targeting of Ukraine, this gives you pretty high confidence someone is trying to do bad things in Ukraine again," Williams says.
Ukraine, after all, has become a frequent canary in the coal mine for global cyberattacks, particularly the ongoing cyberwar carried out by its brazen and aggressive Russian neighbors. Talos notes that the increase in Ukrainian infections precedes the anniversary on June 27th of the NotPetya attack—a data-destroying worm that was released in Ukraine and spread to the rest of the world, becoming the most costly malware outbreak in history, and one that the White House has vocally blamed on the Russian military.
In fact, Talos found that one element of VPNFilter's code overlaps with BlackEnergy, an all-purpose piece of spyware that was used in the first stages of hacker intrusions that hit Ukraine in 2014. Those attacks culminated in the first-ever confirmed blackouts caused by hackers in December of 2015, turning off the lights for hundreds of thousands of Ukrainians. Those attacks have since been attributed to a Russian hacker group widely known as Sandworm, which has also been linked with NotPetya.
The Ukrainian government, for its part, was quick to point the finger at Russia. In a Ukrainian-language statement, the country's security service SBU claimed that the attack was an attempt to disrupt the Champions League soccer tournament taking place in Kiev this week. "Specialists of the SBU believe that the infection of equipment in the territory of Ukraine is preparation for another act of cyber aggression on the part of the Russian Federation, aimed at destabilizing the situation during the Champions League finals," the statement reads.
Talos' Williams, however, declined for the moment to definitively claim that the VPNFilter malware was the work of the same Russian hackers who have targeted Ukraine in the past, indicating that another hacker group could potentially have copied the same code snippet from BlackEnergy into the router malware. "All we’re saying is the code overlap looks like the same, but everything lines up with this looking like another attack on Ukraine," he says. In addition, Talos would not comment on whether the VPNFilter malware is the same set of attacks that the UK and US governments warned about in a public alert in April 2018, which explicitly pinned a new round of mass router attacks on Russia.
WIRED has reached out to Netgear, TP-Link, Linksys, MikroTik, and QNAP for comment on the VPNFilter malware. Netgear responded in a statement that users should update their routers' firmware, change any passwords they've left as the default, and disable a "remote management" setting that hackers are known to abuse, steps it outlines in a security advisory about the VPNFilter malware. The other companies have yet to respond to WIRED's request.
Talos and the Cyber Threat Alliance both recommend an initial step of restarting routers, which removes part of the router malware's functionality—though not all, given that one element of the code persists on devices even when they're rebooted and can allow the hackers to reinstall the rest of their toolset. Fully cleaning affected routers requires reinstalling the router firmware, Talos says. Talos' blog post also includes clues internet service providers can use to identify infected routers and warn customers.
"What's important is that people understand how severe the risk is and go to see if their machines are infected," Williams says. "If they don’t, an hour from now, next week, at some point in the future, the attacker can press the self-destruct button. And then there’s very little that can be done for them."
Thanksgiving is fast approaching, and it brings with it all of the usual trimmings. Stuffing and the cranberry sauce, to be sure, and also family visits, travel scams to avoid, the pitfalls of Black Friday and Cyber Monday shopping, and more.
There are many ways you can protect yourself from the risk of identity theft and fraud attempts during this time of year, but it can be more effective if you’ve planned ahead:
Holiday travel– Believe it or not, more U.S. adults travel at Thanksgiving than even Christmas, and scammers are well aware of this. It’s important to plan well in advance for your holiday travel—even if your plans unexpectedly change and you find yourself booking last minute trips or accommodations. Use only reputable sources of online reservations, and avoid the temptation of flashy sidebar ads and “too good to be true” deals.
Holiday shopping– Black Friday gets its name from the very fact that this single day of consumer activity can result in enough sales to put businesses “back in the black” for the entire year. That means consumers spend enough money on this single shopping day to make or break a business’ bottom line. Scammers and identity thieves are well aware of this, and they’re already making their preparations to ply their trade.
It’s important shoppers are prepared in order to avoid credit card theft, phony deals and other scams. Planning your shopping ahead by knowing which forms of payment you’ll use, and checking your account statements in the days afterward are important steps to keep criminals at bay.
Online options– Recent data has shown that more and more shoppers are heading online and avoiding the crowds, not just on Cyber Monday, but all during the Thanksgiving weekend. This opens up a whole new world of threats, such as hacking, installing malicious software, falling for a shopping scam or phishing attempt, and more. It’s important that your anti-virus software is up-to-date and that you limit your internet shopping to trustworthy sites with an HTTPS designation. Having one specific credit card that you use for your online purchases can minimize the likelihood that someone can hack multiple accounts, and also give you only one source to monitor in the coming weeks.
Taking proactive steps before, during and after the holiday season is just one step you can take to help protect your personal information and ultimately your identity.
By Eva Velasquez
Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.
There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.
Unfortunately, it was a repeating number.
Today, criminals are spreading evermore malicious forms of email spam, and the number of spam emails is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.
Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, emails are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.
That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.
Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, thus triggering a copy of the Ursnif Trojan to install. Ursnif then swiftly steals account logins, credit card details, and other personal information.
There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.
“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”
Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets were comprised of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.
Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.
These virtual bots represent stunningly clever use of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively and in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.
Wide-Open Attack Vector
Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”
Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden for staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.
What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.
Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.
Modern internet banking mobile apps cover a range of services. With your smartphone, you can open an account, secure a loan, buy securities and get many other services that previously required an in-person transaction.
There are still some hidden dangers behind these conveniences. It’s easier now to lose all the money in your bank account—and much more difficult to get it back. Banks need solid proof of noninvolvement.
Android vs. iOS
When banks offer mobile services, they typically recommend clients install antivirus software on their smartphones. Android users should be particularly attentive here. If you compare the two popular mobile platforms, Android and iOS, Android-based devices are much more susceptible to viruses and malware of all kinds.
Apple devices can also be infected with a key logger (which will secretly record your authorization data) or a tailor-made banking Trojan, but this is much more difficult and more expensive for malware operators because of iOS security features. Therefore, iOS users have no special need for third-party antivirus software. The main thing is to update your iOS in a timely manner.
Phones that have one or several banking apps installed must be protected by a strong password. If your mobile phone is lost and not password-protected, and the data that is on it is unencrypted (the encryption option is available to users of most popular mobile platforms), this is very bad.
With the introduction of contactless payments by Android Pay and Apple Pay, the password for the phone is, in fact, the password for the wallet. In such a situation, losing the phone may mean losing all the money on your bank card.
Here are some basic security measures:
- Don’t, under any circumstances, share your logins and passwords with others or allow third-party apps to use them.
Hacking a smartphone’s main password is easy for cyber criminals, according to experts. The good news? Widespread hacking of private devices is rare.
Typically, fraudulent online transactions committed with the help of viruses are carried out against big corporate bank customers. It's unlikely that anyone will be hacking a phone found on the street. It's an expensive operation, and doing it at random, without knowing how much money is at stake, makes no sense.
Face-scanning is bad
The latest trend in mobile user verification technologies is fingerprint scanning. From the point of view of protecting the phone, it’s a highly effective technology. In addition, it’s much easier and more convenient to apply a finger than to enter the pin code.
A number of gadget manufacturers, however, went even further, offering the scanning of the owner's face to gain access to the phone.
It turned out that this method is not perfect. The flagship Samsung Galaxy S8 smartphone, equipped with this advanced system, was easily deceived: bloggers managed to unlock the device by showing it selfie images from the screen of another gadget.
As for private users, their money, as a rule, is stolen from bank accounts by methods of social engineering. The basis of such schemes is to use every possible way to obtain some piece of sensitive information, such as a login, a permanent or one-time password, and so on.
Fraudsters prefer to communicate by phone or instant message. The fraudster may impersonate a bank employee and ask the victim to provide additional information needed to confirm a payment. There are also many schemes employing popular platforms like Craigslist or eBay, in which scammers, posing as buyers, lure personal data out of sellers.
Root rights and jailbreaking
In order not to catch a virus, applications should be installed only from official stores like the App Store and Google Play.
Smartphone owners who install the so-called jailbreak on iOS devices or root rights on Android act at their own risk. These operations let you make greater use of the device's capabilities, but even if you have antivirus software installed, your phone becomes vulnerable to malicious software, because it is no longer only you, the owner, who can obtain extended rights on the device; other apps can too. In this case, any hidden viruses and Trojans that have penetrated your device will be able to monitor your activity more effectively, transmit stolen data to attackers, or even lock your device and demand a ransom.
Banks state that internet banking can be freely used over a Wi-Fi network, as each bank builds protection against hackers directly into its application. They proclaim that you can make absolutely any online transaction without risk, even transfers of tens of millions. To do this without risk, you need to observe the basic security measures outlined above.
But, as some infosec experts say, not everything is so simple. When connected to a public Wi-Fi network, for example, the MAC address of the phone becomes visible, and an attacker sitting nearby with the right equipment and scanning connections can use this data.
In addition, a public Wi-Fi network, to which the phone will try to connect, may be just fake. It's not uncommon for the attackers to change one letter in the name of a Wi-Fi network, create their own fake network and make it completely open.
If the network is genuine, you can use mobile banking applications in public places. Most often such applications know the IP address of the server they need to connect to and establish a secure connection with it. The result is something like a tunnel through which the data transfer occurs, and the risk of hackers reaching this data is minimal.
Wi-Fi attacks are probably very common. We cannot know about most of them as people rarely report them. Therefore, it’s recommended that you obtain a VPN application for your device to additionally protect all mobile communications.
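The passage above describes the fake-network trick: an attacker creates an open network whose name differs from the real one by a single letter, or reuses the real name without encryption. The following is an added example, not code from the article, showing the detection logic a device or a network-watch tool could apply to a scan result: compare each observed SSID against a list of networks the user trusts and flag exact-name matches whose security type changed, plus names within one edit of a trusted name. The trusted list and the scan result are constructed sample data; the function names are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample: networks the user trusts, with the security they are known to use.
TRUSTED_NETWORKS: Dict[str, str] = {
    "CafeLatte_Guest": "wpa2",
    "HomeNet": "wpa2",
}

# Constructed scan result as (ssid, security) pairs; "open" means no encryption at all.
OBSERVED_SCAN: List[Tuple[str, str]] = [
    ("CafeLatte_Guest", "wpa2"),   # the real cafe network
    ("CafeLatte_Guest", "open"),   # same name, no encryption: the open-twin setup
    ("CafeLate_Guest", "open"),    # one letter dropped from the real name
    ("HomeNet", "wpa2"),           # a trusted network seen exactly as expected
    ("FreeAirportWiFi", "open"),   # unknown, but not a lookalike of anything trusted
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def normalize(ssid: str) -> str:
    """Fold case and drop separators so 'Cafe Latte' and 'cafe-latte' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch not in " _-")


def flag_suspicious_networks(trusted: Dict[str, str],
                             observed: List[Tuple[str, str]],
                             max_distance: int = 1) -> List[Tuple[str, str, str, str]]:
    """Return (ssid, security, trusted_name, reason) for every network worth refusing."""
    findings = []
    for ssid, security in observed:
        for name, expected_security in trusted.items():
            if ssid == name:
                # Exact name: only suspicious if the security type is not what we remember.
                if security != expected_security:
                    findings.append((ssid, security, name, "same name but different security"))
                continue
            if edit_distance(normalize(ssid), normalize(name)) <= max_distance:
                findings.append((ssid, security, name, "lookalike name"))
    return findings


if __name__ == "__main__":
    for ssid, security, name, reason in flag_suspicious_networks(TRUSTED_NETWORKS, OBSERVED_SCAN):
        print(f"refuse {ssid!r} ({security}): {reason} of trusted {name!r}")
```

On the constructed scan this flags the open network that borrows the cafe's exact name and the one-letter variant, while leaving the real cafe network, the home network and the unrelated airport network alone. A real client would feed it the SSIDs and security types from the platform's scan API; the threshold of one edit is deliberately tight so that genuinely different networks are not reported.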
There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.
Two other things also are true: All too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.
A new survey by the nonprofit Identity Theft Resource Center, scheduled to be released in full next week, reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:
Keep your guard up
These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.
The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.
The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”
Cognitive psychologist Brian Stanton, who co-authored the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”
Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen—and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.
Attacks are multiplying
With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64 percent of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40 percent in 2016 while point of sale (POS) fraud remained unchanged.
It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.
Over the past four years there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management, the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.
Be safe, not sorry
Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:
There is a bigger implication of losing sensitive information as an individual: It almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more proactive about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.
NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”
By Byron Acohido, ThirdCertainty
Melanie Grano contributed to this story.
The United States Securities and Exchange Commission (SEC) said late Wednesday that it was the victim of a cyber-attack in 2016 that may have allowed hackers to profit through trading on non-public information in its EDGAR filing system.
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” the Commission announced.
“Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” the announcement continued.
An internal investigation was commenced immediately at the direction of SEC Chairman Jay Clayton.
According to Clayton, the EDGAR system receives and processes over 1.7 million electronic filings per year.
“While we don’t have any technical details of the data breach, I would refrain from making any conclusions about its origins or attackers,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “The SEC statement is very obscure and may provoke speculation and rumors around it, including attempts to blame nation-states or attribute it to (in)famous hacking groups.”
While the SEC did not make any suggestion on the possible threat actor(s) behind the attack, it is certainly not the first time attackers have targeted non-public company information that could have been used to gain insights leading to profits.
In March 2017, FireEye shared details of a cybercrime group tracked by the company as FIN7, which had been observed targeting nearly a dozen organizations in the United States, focusing on personnel that handles filings to the SEC.
In August 2015, the SEC announced that a cybercriminal group hacked into newswire services to steal non-public information about corporate earnings announcements that were used to make financial trades that generated more than $100 million in illegal profits.
In December 2016, the SEC charged three Chinese men accused of hacking into two New York-based law firms to steal information related to clients that were considering mergers or acquisitions, which the hackers then used to trade.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Chairman Clayton said in a statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
In a related statement, Clayton detailed the SEC's approach to cybersecurity as an organization and as a regulatory body.
“This incident clearly exposes how vulnerable our global financial ecosystem is, and how unprepared we are to fight skyrocketing cybercrime,” Kolochenko added. “In the future we will see steady fusion of common crime with cyber gangs that jointly may challenge state power and dictate their laws, while law enforcement agencies are catastrophically underfinanced by governments and just don’t have enough resource to tackle global cybercrime.”
The SEC said that the 2016 intrusion “did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
News of the SEC hack comes less than two weeks after credit reporting agency Equifax said it was the victim of a massive cyber-attack that exposed sensitive data on more than 143 million people.
By Mike Lennon on September 21, 2017
Below are excerpts from a recent article in the LA Times written by Michael Hiltzik on September 18th, 2017, that calls serious attention to LifeLock, which is heavily promoting its services due to the recent Equifax Data Breach. The issue, however, is that some of LifeLock's monitoring services are provided by Equifax, yet that is not disclosed unless you read the really fine print. See below.
"The ID theft protection firm LifeLock is certainly one of the big winners from the big data breach suffered by Equifax, which exposed the personal information of 143 million Americans to hackers.
LifeLock has been going to town on the Equifax breach, with ads and press releases trumpeting how the breach proves how valuable its own services (cost: up to $29.99 a month) can be to protect you from identity theft.
“A major credit bureau just experienced a breach potentially impacting 143 million people,” the firm says on its Web page. “Don’t wait to get identity theft protection.” An executive of Symantec, LifeLock’s parent company, told Bloomberg that since the Equifax breach was reported, LifeLock’s Web traffic has increased sixfold and enrollments per hour are running 10 times ahead of the pre-Equifax era. “Most are paying the full price, rather than discounts,” the executive said. “It’s a really incredible response from the market.”
Here’s what LifeLock isn’t advertising so widely: When you buy its protection, you’re signing up for credit reporting and monitoring services provided by, yes, Equifax.
LifeLock signed a four-year contract with Equifax in December 2015, with the services to start the following April. At the time, LifeLock said it would “purchase certain credit products and services from Equifax” that would then “comprise a part of LifeLock’s identity theft protection services for consumers.”
The relationship is still active, according to a statement LifeLock issued to me by email late Monday. LifeLock’s terms of service, a small-print 6,000-word document on its website, lists Equifax Consumer Services as one of its “service providers.” It specifies that as a LifeLock customer you’re authorizing Equifax “to obtain your consumer report information, including your credit information, from the personal credit report” maintained by itself and its fellow credit reporting firms, Experian and TransUnion. This enables Equifax to generate a FICO-like credit score for you and to “locate” your credit reports in the three firms’ records.
In its statement, LifeLock said it is “following this situation closely” and “at the conclusion of Equifax’s investigation, we will take whatever steps are appropriate to ensure that they are protecting their data to our satisfaction.” That still leaves LifeLock dealing with the fact that the credit firm it’s purchasing services from is the same firm whose dereliction it’s exploiting in its marketing."
LifeLock has continued its relationship with Equifax despite previous signs that Equifax wasn’t subjecting consumer data to rigorous security. As we’ve already reported, Equifax suffered a breach at its TALX business subsidiary from April 2016 through March of this year, but apparently didn’t reveal it to any victims until April this year. And on Monday, the company confirmed it had discovered a separate breach of consumer data in March. Equifax said that breach was unrelated to the latest hack, but didn’t provide details about the data that was stolen or how many people it belonged to.
As we’ve reported before, the consumers whose information is on file at Equifax, Experian, and TransUnion aren’t those firms’ customers—they’re the product. Their data is sliced and diced and sold to marketers using the information to target their pitches ever so much more precisely, and offered to banks and credit issuers deciding whether to extend credit, and at what price. Some car dealers won’t even let you take a vehicle out for a test drive before running your credit history first.
This all means that the credit reporting firms have zero incentive to protect your personal information to the last mile. And the early evidence of what caused the Equifax breach points to an alarming indifference at that firm to the consequences of a breach. The evidence is that Equifax had a timely warning that some of the software it was using had a gaping security hole and had been provided with a patch—but didn’t install it. LifeLock doesn’t have an especially sterling record for delivering what it promises to customers. In 2015, the company paid $100 million to settle Federal Trade Commission charges stemming from an earlier complaint that it vastly overstated how well it secured customer data and the level of protection it offered from ID theft.
“LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions,” the FTC alleged. The company also “falsely advertised that it would send alerts ‘as soon as’ it received any indication that a consumer may be a victim of identity theft.” The company had agreed to settle the charges in 2010 for $12 million, but failed to comply with the settlement terms. The $100-million penalty that followed was “the largest monetary award obtained by the commission in an order enforcement action,” the FTC said at the time.
This is the same company, by the way, that staged an audacious advertising campaign in 2006 by emblazoning its CEO’s Social Security number on the side of a truck and broadcasting it over the air. The idea was that it could do so with confidence that its services would protect the CEO from identity theft. In reality, his identity was stolen at least 13 times after the campaign began.
The CEO, Todd Davis, tried to spin the fiasco as proof that the service worked, since many more ID theft attempts were tried and thwarted. Davis left his CEO job after the $100-million settlement. Symantec bought the company last year.
Equifax, a consumer credit reporting company, discovered a breach in its online systems that could impact 143 million consumers.
When did the breach occur?
The breach occurred from mid-May to July and was discovered on July 29. Equifax alerted the public on Sept. 7.
What information was involved?
Hackers gained access to files with names, birth dates, Social Security numbers (SSN), driver’s licenses and addresses. They also stole the credit card numbers of 209,000 consumers.
Why should I care?
The Equifax breach has been described as “massive” and “epic.” Adam Levin, chairman and founder of CyberScout, calls it a watershed event—one of the largest and worst breaches ever—because of the number of people affected and the type of information exposed. Impacted consumers are now vulnerable to a number of identity theft crimes and are often on their own to repair the damage done.
How did the breach occur?
Hackers exploited a vulnerability in Apache Struts, a kind of open-source software that companies like Equifax use to build websites, according to The New York Times. The security weakness was identified in March and a security patch to fix it was available. That means Equifax could have installed the patch two months before the breach but didn’t.
Who was behind the breach?
A group of hackers called “PastHole Hacking Team” claimed responsibility and demanded 600 Bitcoin in ransom or they’d release the data. Intelligence officials say it’s too early to confirm who’s behind the breach, but one theory is that a nation-state hit the company.
What is Equifax doing about the breach?
The Atlanta-based company set up a website where consumers could find out if their information was exposed. Consumers were asked to provide their last name and six digits of their SSN. Once submitted, they would receive a message saying if they were affected. Equifax also said it was offering one year of free credit monitoring and included terms of service language that barred enrollees from participating in class-action lawsuits. Public reaction was swift, and the company has since removed that language.
How has Equifax handled the breach?
Equifax has been surprisingly inept in its response. Consumers, privacy advocates, lawmakers and regulators all have expressed outrage. U.S. breach notification laws require notification in 30 days—sometimes 45 days in exceptional circumstances—after discovery of a breach. During that time, any company would be scrambling to analyze the damage, but it appears that Equifax gave short shrift to how to notify consumers whose information was violated long after the damage had been done.
What is the fallout from the breach?
A slew of class-action lawsuits claiming personal harm to consumers have been filed since the breach. We can also “expect commercial class actions claiming potential harm to businesses and other organizations,” that depend upon credit bureau data to verify identities and determine credit worthiness, according to Eduard Goodman, CyberScout’s global privacy officer.
State and federal government initiatives have begun and may lead to regulation. In the long term, it’s likely that a replacement for the Social Security number as a unique way to verify identity will be needed. Alternatives may arise in the marketplace, through regulation or a combination of both.
What should Equifax do for consumers?
Equifax should offer five years of credit monitoring to consumers. That would be ideal, but it is unlikely.
What should consumers do?
1. Contact FreedomID. Or, ask your insurers, banks and employers if they offer FreedomID management services, which often are a low-cost or free addition to existing services and will protect you going forward for the long term. Identity management services look for signs of fraud and provide access to specialists who can help you recover from identity theft quickly. You can sign up for family coverage on your own at family.freedomid.com
2. Review credit reports for any unusual activity. Visit annualcreditreport.com, the government-mandated source for free annual credit reports. Investigate suspicious activity and monitor it until it’s resolved. Also, look for signs of fraud in your medical files, on your Social Security statement, in insurance claims, and in public records.
3. Place a fraud alert on your credit file. An alert placed with one of the three major credit bureaus (yes, that includes Equifax) signals to potential creditors that you could be a victim of identity theft. Initial fraud alerts last for 90 days and require potential creditors to confirm the legitimacy of your identity before granting credit. Extended fraud alerts last for seven years and are available to consumers who are confirmed identity theft victims with a valid police report.
4. Consider placing a security freeze on your credit report. This may be necessary if you're experiencing fraud as a result of the data breach. A freeze locks access to your credit, so no one will be able to open a new account in your name. To determine whether a freeze is right for you, read more here.