#CyberFLASH: Buyer Beware . . . Lessons Learned From The Ashley Madison Hack

internet-privacy.jpg.size.xxlarge.letterbox“Life is short. Have an affair®.” This is the (in)famous marketing slogan used by Ashley Madison, a Canadian web site founded in 2008 and operated by Avid Life Media Inc. with the explicit mission statement of helping married individuals chat, connect and ultimately have affairs with one another. The site assured users that use of its services would be “anonymous” and “100 per cent discreet,” but, unfortunately, this was not to be the case.

Between July 15 and Aug. 20, 2015, a person/group identifying itself as “The Impact Team” hacked ALM and published details, initially on the Darkweb and eventually on the open web, of approximately 36 million user accounts. Leaked data included profile information (user names, addresses, passwords, phone numbers, the types of experiences they were looking for on the site, gender, height, weight, ethnicity, body type); account information used to facilitate access to the Ashley Madison service (e-mail addresses, security questions, hashed passwords); and billing information (billing addresses and the last four digits of credit card numbers); in addition to ALM internal documents and the CEO’s private e-mail messages. User information was quickly disseminated through several public web sites. Despite the best efforts of ALM’s counsel to quickly shut down the spread of data using DMCA copyright notices after the material appeared on Twitter and other social media sites, the breached information continued to be publicly searchable.

The fallout was swift. Reports of suicides in Canada and the U.S., myriad job resignations and marital breakups surfaced, arising from the data exposure and related public shaming. In Alabama, editors at one newspaper decided to print all the names of people from the region who appeared on the Ashley Madison database. Scammers and extortionists have also targeted Ashley Madison’s users (and alleged users) on a global basis, falsely claiming they could remove a user’s information from published data or threatening to publicly shame users online unless they sent a ransom payoff in Bitcoins to the blackmailers. Malware may have also been delivered through web sites offering to scrub user information from stolen data lists.

Read more here

#CyberFLASH: University of Ottawa missing hard drive with data on 900 students

university-of-ottawa-2The University of Ottawa has launched an investigation after an external hard drive containing the personal information of approximately 900 students disappeared earlier this month.

Current and former students have been notified of the possible privacy breach and an information line has been set up, the university said in a news release Wednesday.

Ottawa police and the Information and Privacy Commissioner of Ontario have also been notified.

The hard drive was used to back up personal information on individuals who accessed a university resource for students with disabilities or mental health issues applying for special academic accommodations.

Figuring out exactly what personal information was stored on the drive is one of the objectives of the investigation, the university said..

“The University takes its role in safeguarding personal information and using it in an appropriate manner very seriously. Measures have been put in place at SASS to reduce the risk of the situation recurring. The University is deeply sorry about this situation,” the university said..

Read more here

#CyberFLASH: Smaller firms, financial institutions becoming more vulnerable to cyber attacks

10712553A director of an international bank took concerns about cyber crime into his own hands recently, hiring a specialized team to covertly breach his own company’s network.

The attackers used a so-called “spear phishing” technique, baiting the bank’s employees to open an email that appeared to come from someone they knew. If they did — and clicked on the attachment — their computers were infected with malicious software, which then spread to other computers in the network. Once they were in, the expert hackers revealed themselves to the bank’s management, who they then graded on their ability to track down the infiltrators and thwart unauthorized money transfers.

“Once we … gave them hints, it took more time than it should have to find us,” says Robert Masse, a partner at Deloitte in Montreal who runs the consultant’s Canadian incident response practice, which runs such infiltration exercises for financial companies around the world.

Masse, who agreed to discuss only non-Canadian cases because he didn’t want to risk disclosing information that could identify a client in the small domestic market, said he was not surprised the international bank was not up to snuff.

“Unless you have gone through this exercise before, almost everyone is in the same boat.”

For the Canadian financial industry, the stakes in the cyber-security game are enormous. Bay Street banks and wealth management firms have access some of the most sensitive data in the country, and access to millions of dollars in savings and investments, which makes them a natural target for hackers.

“The closer you get to the money, the more of a target you are to cyber criminals,” says David Mohajer, chief executive of cyber security firm Xahive.

Read more here

#CyberFLASH: Eddie Bauer customer data hacked

eddie-bauer-bankruptcyAnyone who shopped at an Eddie Bauer store this year should be on the lookout for unusual activity in their payment card account statements, the chain has warned.

The company announced that the point-of-sale system at its more than 360 retail stores in Canada and the United States had been infected with malware.

The malware infection could have given hackers the ability to access customers’ payment card information.

Payment card information used for online purchases at eddiebauer.com was not affected.

“We have fully identified and contained the incident,” said Eddie Bauer CEO Mike Egeck. “In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the
future.”

Free ID protection offered

Eddie Bauer says its terminals were infected on various dates between Jan. 2 and July 17 this year.

The retailer says not all cardholder transactions were affected. But it says it will offer free identity protection services for a year to all customers who made purchase or returns during that six-month period.

Eddie Bauer said it is in the process of notifying customers whose payment card information may have been accessed.

Read more here

#CyberFLASH: Extreme online security measures to protect your digital privacy – a guide

Cyber-700x5001 Secure your email

Outlook and other email clients let you install a personal security certificate, which you can use to encrypt email so that only trusted recipients can read it, or digitally sign your messages to prove that they came from you. You can get your own certificate from comodo.com and it doesn’t cost a penny. The catch is that your recipients will need to be using a compatible email system – if they’re using Gmail on their smartphone, they’ll just be annoyed when you keep sending them unreadable strings of garbled data. “It also means you’ve got to protect your laptop,” points out Tony Anscombe, security “evangelist” at the antivirus firm AVG. “If your laptop’s stolen and your password is written on a Post-it note on the screen, then what’s the use of the encryption?”

2 Get virtual

Running programs in a virtual environment, rather than on your “real” desktop, makes it harder for viruses to sink their claws into your computer and if you do get infected, it’s easy to roll back your software to an earlier state. “It’s a complex thing to do,” warns Anscombe. “But there are benefits. If I wanted to download something that I was suspicious of, I might do that in a virtual machine, then disconnect the VM from the network before opening it.” Virtualisation isn’t a panacea, though. Many attacks are aimed at stealing your passwords and banking details; if you get tricked into revealing these, virtualisation won’t make a blind bit of difference.

Read more here

#CyberFLASH: Saint John Development Corporation finds cyber attack damage

GettyImages-556421117The Saint John Development Corporation says it’s working to restore an annual report that it lost to a cyber attack in early 2015.

“We lost a lot of our data,” said General Manager Kent MacIntyre. “We had some [Saint John] city IT people working with us to try to recover that but in the end, it wasn’t recovered.”

According to MacIntyre, sensitive information wasn’t compromised because it was being stored on city servers at the time.

He said the ransomware infected only the office laptops and he doesn’t know why they were hit at all.

“Ransomware isn’t always a targeted attack,” said David Shipley, a member of UNB’s cybersecurity team.

Shipley said organized criminals push out emails that contain malicious software that can scramble information, making it inaccessible without a key.

The perpetrators then demand money to restore the information.

Shipley said it must be paying off, because ransomware attacks have become a huge crime wave around the world.

UNB has seen a significant spike in activity.

A million viruses in a month

“In a typical month, we might receive 149,000 emails with malicious attachments or viruses in them,” said Shipley. “In March, we saw that number almost jump to a million.”

Read more here

#CyberFLASH: Ransomware: How do you avoid getting caught in the trap?

10712553From universities and hospitals to small charities and businesses, criminals using ransomware aren’t picky about targets — as long as they pay.

Ransomware is the name given to software or computer viruses that spread by email attachments or compromised websites and encrypt the host computer’s files, holding them hostage until the perpetrators are paid.

So what can you do to avoid having your data held hostage? And if it happens, what can you do to protect yourself?

Avner Levin, the director of Ryerson University’s privacy and cyber crime institute, was on CBC Radio’s Ontario Today at 12 p.m. ET to discuss how ransomware works and how to avoid it.

He later took part in a live chat to answer questions about how to avoid having your computer or business held hostage by ransomware.

Read more here

#CyberFLASH: Consumer privacy needs to be a core business value

SomanA number of high-profile cases involving violations of online privacy have raised public alarm. Home Depot made headlines in 2014 when a massive theft of its consumer credit and debit card database affected more than 56 million customers. And Target was in the spotlight a few years ago for sending a teenage girl coupons for baby gear – before her parents even knew she was pregnant.

Fuelling the trend is the fact that, from a consumer perspective, the risks of sharing our information online have increased exponentially – but this is not widely recognized. To make a fully-informed decision about what information to should share online on any given occasion, a fully-rational consumer must go through three important decision-making steps.

First, she needs to employ the appropriate mental model to think about ‘information sharing’ as a risky prospect – similar to the risks of contracting disease on exposure to contaminated food, the risk of a side-effect after consuming medication or the risk of losing money when trading in risky assets.

Second, she needs to use available information to quantify the risk and identify the possible outcomes. There is usually limited information to enable this, but a lot of information in disclosures and privacy policies exists that would allow her to identify harmful outcomes.

Third, the consumer would need to integrate the ‘identified risk level’ with the ‘outcome information’ to arrive at a judgment as to whether the benefits of sharing her information exceed the potential harm. Unfortunately, decades of research show that most humans lack both the cognitive apparatus and the motivation to go through these steps, for three reasons.

1. We are limited processors of information.

2. We are highly susceptible to cognitive laziness.

3. We are increasingly displaying impulsive behaviour online.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.