Security News This Week: The Deloitte Breach Was Worse Than We Thought

Credit to Author: Lily Hay Newman| Date: Sat, 30 Sep 2017 12:00:00 +0000

News about the massive Equifax credit bureau hack was finally winding down this week, offering space for reflection on all the ways the company utterly botched its response to the incident. The respite also gives US consumers the opportunity to finally figure out what the heck they’re going to do to protect themselves.

Meanwhile, new research indicates that millions of Macs don’t have the latest firmware updates because of distribution flaws and installation errors, leaving them potentially exposed to critical compromise by hackers. The Department of Homeland Security will begin recording details of US immigrants’ online activity including social media use, worrying immigration experts and privacy advocates alike. And WIRED delved into the life of Bassel Khartabil, a Syrian open internet advocate who was arrested by Syrian military intelligence in 2012 and executed in military prison in October 2015.

In good news, the robust end-to-end encrypted messaging app Signal introduced a method of protecting users’ mobile address book data using a technological trick that may be adopted by other privacy and security-focused products. And the internet infrastructure company Cloudflare pledged to offer unlimited DDoS protection to all of its customers (even free accounts) for no additional charge, no matter the size of the barrage.

And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories.

Hackers infiltrated the sensitive internal email service of the prominent accounting firm Deloitte, potentially exposing a large range of data about the company and its high-profile clients. First reported by The Guardian, the breach likely occurred in October or November 2016, but wasn’t discovered by Deloitte until March. Deloitte notified six clients that their data had been “impacted” by the breach, but the company is continuing to investigate, and a source with knowledge of the inquiry told Krebs on Security that the damage may be far more extensive than Deloitte has indicated.

Attackers gained access to an administrator account of the email service, which is hosted in Microsoft’s Azure cloud, granting extensive control and access to data. The account apparently was not protected by two-factor authentication, hinging on a single password. Deloitte offers accounting, tax work, audits, and other types of consulting and had $37 billion in revenue last year, so the contents of its internal communications would be potentially extremely valuable. The firm works with governments and top players in numerous industries, and the breach may have exposed IP addresses, health data, usernames, passwords, and other sensitive file attachments in addition to emails themselves.

On Tuesday, the fast food chain Sonic Drive-In confirmed a breach of some of its restaurant payment systems. The company has almost 3,600 locations around the United States, but it has not yet disclosed how many of them were affected. At the same time, millions of new credit and debit card numbers started flooding digital black markets in mid-September, and some evidence indicates that they are from the Sonic incident. "Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic,” the company said in a statement on Tuesday. "We immediately engaged third-party forensic experts and law enforcement when we heard from our processor."

Similarly, Whole Foods announced Thursday that payment platforms at some of its in-store restaurants and taprooms had been compromised. The company said that the point-of-sale terminals for its main grocery transactions were not affected. Amazon recently acquired Whole Foods, but Amazon.com was apparently exempt as well. Whole Foods was short on details about the incident, but had a word of caution for consumers: "While most Whole Foods Market stores do not have these taprooms and restaurants, Whole Foods Market encourages its customers to closely monitor their payment card statements and report any unauthorized charges."

A technique disclosed by security researcher Manuel Caballero on Tuesday exploits a flaw in Microsoft's Internet Explorer to let an attacker track anything a user types into the browser's address bar. In addition to URLs, that could include things like search queries and IP addresses. Specifically, the website a user is on can pull text from the address bar after the user submits data, which could let an attacker see things like the next site the victim is going to visit or the next thing they want to search for. Caballero found that the attack can be concealed from the victim and works on the latest version of IE. Microsoft referenced its "Patch Tuesday" cycle in a statement, perhaps implying (but not confirming) that a fix for the bug is on its way.

Under European Union data privacy laws, citizens can ask for full downloads of the personal data a company holds about them. To see what this entails in practice, Guardian writer Judith Duportail worked with a human rights lawyer and a privacy activist to make such a request of Tinder. Duportail joined the dating service in 2013 and has been using it on and off ever since, so the eventual result of her request was 800 pages of deeply specific and personal data about where and how she uses the app, what types of people she is romantically interested in, and other life preferences. The trove also includes data from other services she connected to Tinder, like Facebook and Instagram. Over the last four years, Duportail has opened the Tinder app 920 times, matched with 870 people, and sent 1,700 Tinder messages, and all of it was there for her to review—and for a hacker to potentially access. Data scientist Olivier Keyes told her, “I am horrified but absolutely not surprised by this amount of data.”

https://www.wired.com/category/security/feed/