Cyber Advisors Business Blog

In the Know - Cyber Security Update - Week of September 24th - October 1st

Written by Eric Brown | Oct 3, 2017 1:04:59 PM

Attackers turned their attention to food this week: compromised point-of-sale systems at Whole Foods and Sonic caused a fire sale of credit and debit card account numbers on the dark web; we learn how much Tinder knows about you; and it seems the Deloitte hack is going to be a lot worse than originally estimated.

For those in the Twin Cities:

We are having a Cyber Security Fall Forum at Utepils Brewery on October 17th: craft beer, soda, food and an afternoon of cyber security!  Register here:  http://connect.cyberadvisors.com/brew-and-bytes-fall-securitforum

  1. Whole Foods taproom and restaurant point-of-sale systems compromised.

Whole Foods Market — which was recently acquired by tech giant Amazon for $13.7B — said Thursday that hackers were able to gain access to credit card information for customers who made purchases at some of its in-store taprooms and restaurants.

The tap rooms and restaurants use different payment systems than Whole Foods check-out counters at its ~450 stores, the company said. “Amazon.com systems do not connect to these systems,” the company clarified in a press release.

While Amazon has not released information as to how the compromise occurred, security researchers call out point-of-sale devices as a weak point.  Since these devices come pre-loaded with an operating system, familiarity with the vulnerabilities on one device allows attackers to exploit every unprotected device of the same kind that is connected to the internet or reachable over wireless.

It would not take much for an organized attacker to collaborate and send “agents” to each of the stores at the same time for a cooperative data-gathering event, maximizing the amount of compromised data that could be gained before the attack was discovered.

Press Release:
http://media.wholefoodsmarket.com/news/whole-foods-market-payment-card-investigation-notification

  2. Sonic serves up credit card numbers to hackers in its point-of-sale breach

Sonic Drive-In, which operates 3,600 stores across 45 states, experienced a breach in its store payment systems.  The situation was brought to Sonic's attention last week by its credit-card processor, which flagged "unusual activity" with cards used at its restaurants.

Brian Krebs, a security researcher and blogger, reported that as many as 5 million credit and debit card account numbers may be for sale on a black market site called Joker's Stash.

Batches of cards are available with geographic specificity down to individual cities and zip codes, as well as by issuing bank and type of card (silver, gold, platinum; credit or debit).  The freshly issued stolen card numbers range in price from $20 to $55.

Krebs article: 
https://krebsonsecurity.com/2017/09/breach-at-sonic-drive-in-may-have-impacted-millions-of-credit-debit-cards/

  3. The creepy data Tinder stores on you that one day may be for sale

Judith Duportail, a research journalist, obtained the data Tinder has collected about her under the EU privacy act.  She received a file 800 pages long.  Intimate information about her matches, preferences, likes, dislikes, etc. was all exposed in black and white.

“As I flicked through page after page of my data I felt guilty. I was amazed by how much information I was voluntarily disclosing: from locations, interests and jobs, to pictures, music tastes and what I liked to eat.”

“Personal data is the fuel of the economy. Consumers’ data is being traded and transacted for the purpose of advertising,” explains Alessandro Acquisti, professor of information technology at Carnegie Mellon University.  Tinder’s privacy policy clearly states your data may be used to deliver “targeted advertising”.

Tinder’s privacy policy clearly states: “you should not expect that your personal information, chats, or other communications will always remain secure”.

What will happen if this treasure trove of data gets hacked, is made public or simply bought by another company?

It likely isn’t a question of ‘if’ but of ‘when’.

For the academics: Tinder Scraper, a tool to “collect publicly available information on tinder users in order to draw insights that may serve the public.”
https://github.com/gcwelborn/tinder-scraper

Judith’s article:
https://www.theguardian.com/technology/2017/sep/26/tinder-personal-data-dating-app-messages-hacked-sold

  4. Deloitte hack - worse than expected

To date Deloitte has notified six clients that their data may have been compromised in a recently discovered breach.

Unfortunately, new research has uncovered that the real impact may be much worse.  The breach may have occurred in October or November of 2016, and was discovered in March of 2017.

Attackers gained access to an administrator account of the email service that hosts emails to and from Deloitte’s 244,000 staff in Microsoft’s Azure cloud, granting extensive control and access to data. The account apparently wasn’t protected by two-factor authentication, so its security hinged on a single password.

This breach is an embarrassment for Deloitte, which offers advice on managing the risks of cybersecurity attacks.

“Cyber risk is more than a technology or security issue, it is a business risk,” Deloitte tells potential customers on its website.

“While today’s fast-paced innovation enables strategic advantage, it also exposes businesses to potential cyber-attack. Embedding best practice cyber behaviors help our clients to minimize the impact on business.”

Deloitte has a “Cyber Intelligence Centre” to provide clients with “round-the-clock business focused operational security”.

“We monitor and assess the threats specific to your organization, enabling you to swiftly and effectively mitigate risk and strengthen your cyber resilience,” its website says. “Going beyond the technical feeds, our professionals are able to contextualize the relevant threats, helping determine the risk to your business, your customers and your stakeholders.”

Statistics show that it takes organizations three to six months to discover a breach; it seems Deloitte is no exception.

https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails