- Details
- Category: Security News
A report on an FBI warning to state election officials that their IT systems could be hacked leads the latest edition of the ISMG Security Report.
In the report, you'll also hear:
ISMG Security and Technology Managing Editor Jeremy Kirk examine how the blockchain technology behind bitcoin transactions is being explored as a way to secure elections; and DataBreachToday Executive Editor Mathew J. Schwartz analyze how the recent dump of attack tools linked to the Equation Group, which is widely believed to be tied to the U.S. National Security Agency, has triggered despair in technology circles.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Aug. 23 and Aug. 26 reports, which respectively analyze the development of a defense against attackers who exploit USB devices to hack into computers and how some organizations have been stockpiling bitcoins to use to pay off attackers if, or when, they become victimized by ransomware attacks. The next ISMG Security Report will be Friday, Sept. 2.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.
Breach Notification, Data Breach, Forensics
Gone Fishing: Hunter and Angler License Breach Alert
Fishing, Hunting License Applicants' Personal Data Potentially Exposed
Fly-fishing in Idaho. Photo: Luyen Chou (Flickr/CC)
It's rare that information security news involves fishing, rather than phishing. The latter involves cybercriminals sending real-looking but fake email messages in an attempt to lure victims into sharing personal details, installing malware or visiting dodgy sites. The definition of the former, meanwhile, remains the subject of thousands of jokes.
But Dallas-based Active Network has confirmed that a hacker attempted to steal user data relating to online applications for hunting and fishing licenses in Idaho, Oregon and Washington. Active Network provides a software-as-a-service application used for activity and participant management by a number of different types of organizations, ranging from marathon organizers and camps to churches and golf courses.
"On Aug. 22, we became aware that we were the victim of an unauthorized and unlawful attempt to access our online hunting and fishing licensing applications in Idaho, Oregon, and Washington," an Active Network spokesman tells me.
The potential hacking alert may have arrived via the website of daily newspaper The Oregonian, after someone used the newspaper's "contact us" page to claim to have stolen driver's license, Social Security data and cell phone numbers from license applicants, the newspaper reported. It said the Oregon Department of Fish and Wildlife took its online licensing system down on Aug. 23 before restoring it later in the day after concluding that no data breach had taken place.
But on Aug. 26, state CIO Alex Pettit announced that he'd ordered the site to be taken down again. "We are working with the vendor to determine if any personal information was indeed accessed while ensuring their system is secure before allowing Oregonians to use it," he said.
Scant Breach Details
Active Network has declined to comment about when the breach may have occurred, what was stolen or how it got a heads-up. But the Active Network spokesman tells me that after the company learned that it may have been breached, "within 15 hours, we conducted a full security sweep and tested and released an update to the three applications to address the reported threat."
A third-party digital forensic investigation firm hired by the software company is continuing to investigate the breach. "All indications are that this potential threat was isolated," the spokesman says, in apparent reference to the organization suspecting that only the three states' license information databases may have been breached.
The breach details provided directly by Active Network are scant - perhaps owing to the still-in-progress investigation. But Idaho Department of Fish and Game has released more substantial information. In an Aug. 26 website alert, the Idaho department says that it first received a warning about the breach on Aug. 23 and that it shut down the related online service the next day, when it issued a public alert about the breach, noting that it was suspending the sale of online tags and licenses "after being notified that its online license vendor's computer system was breached."
Via the Aug. 26 alert, it said that "the data breach apparently occurred sometime over the summer," and that "personal information potentially [exposed] includes name, age, address, and Social Security number." It explained that Idaho Fish and Game is required by state law to obtain this information to issue a license, and that no credit or debit card information appears to have been compromised, although it recommends applicants keep an eye on their financial statements, just in case.
Idaho: Pre-2008 Information at Risk
Idaho Fish and Game said that stolen information may relate to "Idaho residents and nonresidents who started buying hunting and fishing licenses and tags before 2008. Those who made their first license purchase after 2008 are not at risk." It emphasized that this information is state-specific.
Again, however, it's not yet clear whether personal data was inappropriately accessed. "Whether any of Idaho Fish and Game's license buyers' information was obtained has not yet been determined," it said. "Fish and Game is working with the online vendor to investigate the matter and determine whether and to what extent Idaho data was accessed."
The department notes that members of the public can still buy tags from Fish and Game offices as well as from a variety of businesses that sell the licenses and tags using a separate system that was not hacked. "Fish and Game officials regret the inconvenience to hunters and anglers, but are taking these steps out of abundance of caution," it said. "Fish and Game requested Active Network hire an independent cybersecurity firm to conduct a review and the company agreed to the request."
Free Fishing in Washington
A steelhead - a type of rainbow trout - caught near Salmon, Idaho. Photo: Ryndon Ricks (Flickr/Creative Commons)
Many states require anglers and hunters to obtain a license, at least when accessing public land or bodies of water. Idaho, for example, requires anyone who fishes in the state - and who's 14 years of age or older - to have a license and charges extra for fishing for salmon and steelhead or using two poles. A one-year adult fishing and hunting license for state residents costs $33.50.
In the wake of the breach alert, however, on Aug. 25, the Washington Department of Fish and Wildlife announced that it would be offering "free fishing" days until Aug. 30, by which time it hoped the situation would be resolved.
On Aug. 27, however, WDFW said via its Facebook page that it had restored the system and that telephone-based sales would resume Aug. 29, while free fishing would continue through Aug. 30.
Authentication, Data Breach, Technology
69 Million Dropbox Passwords Compromised; Last.fm Reportedly Breached in 2012
Photo: Dropbox in 30 Minutes (Flickr/CC)
To the annals of super-bad historical mega breaches that no one knew about, add a new entry: file-hosting service Dropbox. Separately, music service Last.fm also was reportedly breached badly in 2012, although that has yet to be independently confirmed.
On Aug. 27, Dropbox began alerting customers that if they had signed up to the service before mid-2012 but not changed their passwords since mid-2012, then they would be required to do so.
Dropbox's Aug. 27 alert suggests that the service might not know which users have changed their passwords since mid-2012. "We recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012," Dropbox says on its website, indicating it first heard related rumors in mid-August. Resetting the passwords that it believes may have been exposed "ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts," the alert notes.
Dropbox first learned about that breach in 2012 and issued an alert to users in July of that year, saying it had traced the breach to an employee reusing their corporate password across multiple sites. The company said it added new security features designed to protect against such breaches. But at the time, Dropbox evidently failed to comprehend the true magnitude of the breach and forced relatively few password resets.
What's belatedly come to light, however, is that as a result of that 2012 breach, details for almost 69 million user accounts - including email addresses and hashed passwords - were stolen. The information reportedly began circulating recently on underground forums.
More Historical Mega Breaches
This year has seen a spate of mega breaches belatedly coming to light. Four announced in May came from MySpace (the date of its breach remains unclear, though it's obviously not recent); LinkedIn, which disclosed that its 2012 breach resulted in 165 million passwords being compromised; Tumblr, which warned that 65 million accounts were breached in 2013, prior to its acquisition by Yahoo; and "adult social network" Fling, which said that 41 million accounts were breached in 2011.
On Sept. 1, paid data breach site Leaked Source described yet another old, alleged breach, this one hitting music service Last.fm. Leaked Source claims that the service was hacked in March 2012 and data on 43.6 million users - including usernames, email addresses and passwords - was stolen. While that breach has yet to be independently verified, Leaked Source says that it successfully cracked 96 percent of the site's unsalted passwords, which had been hashed with MD5.
Last.fm didn't immediately respond to a request for comment on that report.
Dropbox Breach: Worse than Believed
Dropbox's Aug. 27 breach alert arrived just a few months after several identity theft services misreported that user data from the site had been leaked (see Dropbox Confident Amidst Breaches).
It turns out, however, that the 2012 Dropbox breach appears to have been much worse than originally believed. Indeed, sometime after Dropbox was hacked in mid-2012, "a large volume of data totaling more than 68 million records was subsequently traded online and included email addresses and salted hashes of passwords, half of them SHA-1, half of them bcrypt," says Troy Hunt, who runs the free Have I Been Pwned? website.
Security experts laud bcrypt as an excellent, purpose-built password-hashing algorithm, but warn that SHA-1 - like MD5 - is deprecated and shouldn't be used. Dropbox, to its credit, appears in recent years to have phased out SHA-1 in favor of bcrypt.
Technology news site Motherboard reports that it obtained a sample of the data that hackers allegedly stole from Dropbox, and that it contains details relating to 68.7 million accounts, including email addresses and hashed passwords. It says that an unnamed, senior Dropbox employee confirmed that the information was legitimate.
Dropbox couldn't be immediately reached for comment on that report.
But Hunt says he independently reviewed the data and found it to be authentic. He acknowledges that it contains old passwords set by him and his wife.
That's both my wife's & my unique 20 random character passwords always stored in an encrypted password manager confirmed in the Dropbox data
The Dropbox passwords were salted, meaning that extra data was added to each password before it was run through a one-way hashing algorithm, which makes the resulting hashes more difficult for attackers to crack. Whenever a user enters a password on the site again, it gets salted and run through the same password-hashing algorithm, and if the result matches the stored value, the site knows the password is authentic.
Hunt says that while the passwords are salted, that doesn't mean they were invulnerable. "The risk is they may be cracked, but their password hashing approach means that's only likely with bad passwords," Hunt says via Twitter.
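To make the salting and hashing points above concrete, here is an added example (not code from the article, Dropbox or Last.fm) that models unsalted MD5, per-user salted SHA-1 and a slow standard-library KDF, then runs a defender-side weak-password audit against each to show why Hunt expects only bad passwords to fall. PBKDF2 stands in for bcrypt because bcrypt is not in Python's standard library, and all user names, passwords and the wordlist are constructed sample data.

```python
# Added example (not the article's or Dropbox's code): the three storage schemes
# the article mentions, and why salt plus a slow KDF limits the damage when a
# hashed-credential table leaks. bcrypt is not in the standard library, so
# PBKDF2-HMAC-SHA256 stands in for it; names, passwords and wordlist are constructed.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # work factor; raise over time as hardware speeds up


def md5_unsalted(password: str, salt: bytes = b"") -> str:
    """Last.fm-style legacy scheme: no salt, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Dropbox's legacy scheme: salt prepended, but SHA-1 is fast per guess."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_kdf(password: str, salt: bytes) -> str:
    """Purpose-built KDF (bcrypt stand-in): salted and deliberately slow per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def enroll(users: dict, scheme, salted: bool) -> dict:
    """Store {user: (salt, digest)}, drawing a fresh random salt per user if used."""
    record = {}
    for name, pw in users.items():
        salt = os.urandom(16) if salted else b""
        record[name] = (salt, scheme(pw, salt))
    return record


def verify(password: str, salt: bytes, stored: str, scheme) -> bool:
    """Login check: re-apply the stored salt, hash, compare in constant time."""
    return hmac.compare_digest(scheme(password, salt), stored)


def weak_password_audit(record: dict, wordlist: list, scheme, salted: bool):
    """Defender-side audit of a stored table against a list of common passwords.
    Returns (users_with_weak_passwords, hash_evaluations_performed).
    Unsalted: one table of len(wordlist) digests covers every user at once.
    Salted: every (user, word) pair costs its own hash evaluation, and with a
    slow KDF each of those evaluations is expensive as well."""
    weak, evaluations = set(), 0
    if not salted:
        table = {}
        for word in wordlist:
            table[scheme(word, b"")] = word
            evaluations += 1
        weak = {name for name, (_, digest) in record.items() if digest in table}
    else:
        for name, (salt, digest) in record.items():
            for word in wordlist:
                evaluations += 1
                if hmac.compare_digest(scheme(word, salt), digest):
                    weak.add(name)
                    break
    return weak, evaluations


# Constructed sample data: two users share a common password, one does not.
USERS = {"alice": "password1", "bob": "password1", "carol": "x9#Lq2!vR7pZ"}
WORDLIST = ["123456", "password1", "qwerty", "letmein"]


def demo() -> dict:
    md5_rec = enroll(USERS, md5_unsalted, salted=False)
    sha1_rec = enroll(USERS, sha1_salted, salted=True)
    kdf_rec = enroll(USERS, pbkdf2_kdf, salted=True)
    md5_weak, md5_ops = weak_password_audit(md5_rec, WORDLIST, md5_unsalted, False)
    sha1_weak, sha1_ops = weak_password_audit(sha1_rec, WORDLIST, sha1_salted, True)
    return {
        "unsalted_equal_digests": md5_rec["alice"][1] == md5_rec["bob"][1],  # True
        "salted_equal_digests": sha1_rec["alice"][1] == sha1_rec["bob"][1],  # False
        "md5_weak": md5_weak, "md5_ops": md5_ops,      # both weak users, 4 evaluations
        "sha1_weak": sha1_weak, "sha1_ops": sha1_ops,  # both weak users, 8 evaluations
        "kdf_login_ok": verify("x9#Lq2!vR7pZ", *kdf_rec["carol"], pbkdf2_kdf),
        "kdf_login_bad": verify("password1", *kdf_rec["carol"], pbkdf2_kdf),
    }
```

The audit recovers the same two weak accounts under both legacy schemes; what the salt changes is that the work grows with the number of users, and the slow KDF then multiplies the cost of every one of those evaluations.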
Hunt has added the Dropbox breach to his website's list of the top 10 breaches of all time. It currently holds sixth place, behind breaches of Adobe (152 million accounts exposed), China's Badoo (112 million) and Russian social media site VK (93 million), among others.
Enable Two-Step Verification
Two safeguards against breaches that may happen today, but not be revealed until well into the future, are to use unique passwords for each site - thus blocking attackers from reusing the credentials to log into other sites - as well as to enable two-step authentication whenever possible. The latter means that even if attackers obtain a user's valid password, they can't use it unless they can somehow also obtain, for example, a one-time verification code.
A month after the July 2012 hack, Dropbox introduced two-step verification as a free option for all users. Today, it works via text messages or a mobile app, generating a unique six-digit security code that users must enter to log in. The feature also works with some types of security keys - small USB or near-field communication devices that are typically carried on a keychain and used as the second verification step.
Data Breach, Forensics, Fraud
All 62 Hotels and Many Restaurants Suffered POS Malware Infection
Kimpton Morrison House hotel in Alexandria, Va.
Point-of-sale malware attacks: Another week, another hotel chain warning that it's suffered a malware-fueled data breach that led to the theft of customers' card data.
This week's data breach notification comes from Kimpton Hotels & Restaurants, a boutique hotel and restaurant chain with 62 properties in about 30 U.S. cities. It's warning all customers that their payment card data and names may have been compromised via a POS malware infection that lasted nearly five months.
Kimpton couldn't be immediately reached for comment about how many payment cards were stolen or how many customers might have been affected.
The San Francisco-based chain's data breach notification, posted on Aug. 31 to Kimpton's website, says that it's working with law enforcement agencies to investigate and notes that it gave payment card issuers a heads-up on the breach to help them monitor for future fraud.
Based on a now-concluded digital forensic investigation into the suspected breach, Kimpton's breach notification says that malware infected every one of the chain's properties, potentially compromising cards used at front desks and many of the chain's restaurants at various points between Feb. 16 and July 7.
Kimpton says it launched its investigation July 15 after receiving "a report ... of unauthorized charges occurring on payment cards after they had been used by guests at the restaurant in one of our hotels."
The hotel chain says it hired multiple cybersecurity firms to investigate. "Findings from the investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels ... [that] searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server," Kimpton says. Compromised information included card numbers, expiration dates, internal verification code and "in a small number of instances" potentially also cardholders' names.
62 Properties Affected
Kimpton has published a list of affected properties and infection dates on its website. "We regret any inconvenience this may have caused," it says. Of course, affected cardholders may yet face future inconvenience as well.
Kimpton says that it's eliminated the malware from its systems, putting unspecified security improvements in place and also notifying customers directly for whom it has contact information. "Kimpton Hotels & Restaurants does not have information available to identify the name and address of restaurant guests. We will be mailing letters to those guests who used their card at a front desk during an at-risk time frame for whom we have a mailing address."
Linked to HEI Breach?
The breach confirmation from Kimpton - owned by InterContinental Hotels Group - comes just three weeks after hotel management firm HEI reported a POS malware breach affecting 20 U.S. hotels that it manages. The two incidents are potentially related, since the list of breached hotels managed by HEI includes properties it manages for InterContinental Hotels Group, as well as Hilton, Hyatt, Marriott and Starwood Hotels and Resorts (see Recent POS Attacks: Are They Linked?).
A spokeswoman for Kimpton couldn't be immediately reached for comment about how it learned about the breach, which cybersecurity firms it hired, whether its breach appears to be linked to the HEI breach, or which POS system supplier it uses.
The identity of Kimpton's POS supplier is potentially relevant, because Alex Holden, CISO at security and digital forensics firm Hold Security, recently discovered that 10 POS vendors had been compromised, including Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. Holden told Information Security Media Group that the attacks date from mid-July and that "huge amounts of data - anywhere from 14 GB to 16 GB - was exfiltrated by hackers from most of the 10 identified POS providers."
Holden's investigation was triggered by Oracle last month warning that it had found "malicious code in certain legacy MICROS systems." MICROS, which Oracle acquired in 2014, builds POS software and hardware that Oracle says is used across 330,000 customer sites in 180 countries (see MICROS Breach: What Happened?).
Follows Millennium, Noble Breaches
Kimpton is far from the only hotel chain to recently warn that it suffered a POS malware infection that compromised cardholders' payment card data. In late August, both Denver-based Millennium Hotels & Resorts North America and Noble House Hotels and Resorts, based in Kirkland, Wash., separately warned that they'd learned their systems had been breached. Both organizations said they learned of the breaches via the U.S. Secret Service (see POS Malware Hits Two Hotel Chains).
Neither hotel would comment on which POS vendor they used. But MHR's breach notification used language that closely paralleled Oracle's MICROS notification, noting that its "third-party service provider - that supplies and services the affected point-of-sale systems - [warned] that it had detected and addressed malicious code in certain of its legacy point-of-sale systems, including those used by MHR."
Their breaches follow a similar spate of POS malware infections at hotel chains in recent months that have affected Hilton, Hyatt, Starwood Hotels and Resorts, Omni Hotels & Resorts and Trump Hotels, among others.
Anti-Malware, Fraud, Technology
Citing Fresh Fraud Attempts, SWIFT Urges Banks to Improve Defenses
Attackers have been continuing to compromise banks' local security controls to send fraudulent messages via SWIFT's interbank messaging network.
That alert comes via a private letter sent from SWIFT to its customers on Aug. 30, warning that since June, it's cataloged multiple attempts by attackers to hack into banks' systems and issue fraudulent SWIFT transfers, reports Reuters, which obtained a copy of the letter. Some banks have lost money as a result, the letter reportedly notes.
Formally known as the Society for Worldwide Interbank Financial Telecommunication, SWIFT is a member-owned, Brussels-based collective. About 11,000 institutions in more than 200 countries use SWIFT's interbank messaging software and network.
A SWIFT spokesman declined to share a copy of the letter, but confirmed that "the cooperative has uncovered new cases of input fraud" that have been reported by clients since the February theft of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York via fraudulent SWIFT messages.
"Whilst preserving the anonymity of the affected firms, the letter sets out how the attackers have followed a broadly similar modus operandi in these attacks, specifically tailoring every attack to each individual target," the spokesman tells Information Security Media Group.
The letter to customers does not specify which institutions were targeted, which attacks were successful or how much was stolen, he says.
"The letter explains that the targeted customers varied in size and geography; have used diverse connectivity methods and a range of interfaces from different vendors, but have all had particular weaknesses in their local security," he says. "These weaknesses have been identified and exploited by the attackers, enabling them to compromise the customers' local environments and input the fraudulent messages."
In the letter, SWIFT reiterates that there are no indications that its network or messaging services have been hacked, he says. SWIFT also indicates that its new customer security program, launched this past summer, has produced results. The spokesman, however, did not detail those results.
The letter also "warns customers that the cyber threat is persistent, adaptive and sophisticated, cautions customers that they are potentially at risk if they fail to ensure the physical and logical security of their environment, and sets out a number of measures they should take to protect themselves," the spokesman says.
According to Reuters, the letter also threatens to report banks to their regulators and banking partners if they don't meet a Nov. 19 deadline for installing updated SWIFT software that includes better user authentication, stronger password management rules, as well as better tools for detecting hacker attacks.
Who's at Fault?
Shortly after the Bangladesh Bank hack, similar SWIFT-related attacks came to light, including the theft of $12 million from Ecuador's Banco del Austro in January 2015 and the attempted theft of $1.4 million from Vietnam's Tien Phong Bank in late 2015.
Who's responsible for fraud via SWIFT? After it lost $81 million, Bangladesh Bank blamed SWIFT and the New York Fed. But both organizations have strongly rejected that assertion. Backed by Bangladesh police reports noting that the country's central bank lacked firewalls and used $10 second-hand switches to network its computers, SWIFT has called on all client banks to ensure that they're using strong security practices.
Bank Hacks: No Surprise
It's not surprising that some banks with poor security are getting hacked by attackers and potentially seeing millions of dollars get stolen via fraudulent SWIFT messages, asserts Alan Woodward, a computer science professor at the University of Surrey who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency.
"People don't seem to realize that - as that program says on the TV - you are the weakest link," he says. "It's down to the person who makes the most stupid mistake or the cheapest most insecure bit of equipment in your network - those are the sorts of things that people have really got to start thinking about seriously."
Professor Alan Woodward of the University of Surrey discusses fraud perpetrated via SWIFT.
How Much Power Does SWIFT Wield?
Some security experts contend that SWIFT has little power to hold banks accountable and that it's up to countries' banking regulators to ensure that their financial institutions have robust information security practices. In fact, regulators in some regions have already called on banks to outline how they're responding to these threats. For example, in April, the Bank of England reportedly ordered U.K. banks to detail their response plans.
In June, the Federal Reserve began auditing its effectiveness when it comes to ensuring that U.S. banks have robust information security policies, procedures and practices in place, including the ability to quickly detect and respond to data breaches. Multiple members of Congress have also been asking questions about banking security.
This month, the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. instructed their examiners to pay closer attention to the security of banks' links to the SWIFT network, The Wall Street Journal reported.
Customer Security Program
Still, former members of SWIFT's management team and board have said the organization failed to do enough to secure communications sent via its network, according to a Reuters report (see Report: SWIFT Screwed Up). "It's a huge wake-up call," Leonard Schrank, who served as SWIFT's chief executive for 15 years until he left in 2007, told The Wall Street Journal in May, following the Bangladesh Bank heist. "They should play a higher role."
Since then, however, SWIFT appears to have begun moving in that direction. In late May, SWIFT launched a new customer security program designed to articulate best practices for using its software and urged banks to share more information about how they're being targeted, with SWIFT promising to share that information in anonymized form with other institutions.
Then in July, SWIFT announced the launch of an incident response team in collaboration with cybersecurity specialists BAE Systems and Fox-IT. The team will help hacked banks investigate intrusions and trace fraudulent SWIFT transfers and attempts (see SWIFT to Banks: Who You Gonna Call?).