Capital One, Equifax, Marriott: Assume You've Been Hacked – Cyber Saturday

While a few friends and I were settling the bill last night, I noticed a Capital One credit card peeking out from the middle of a table full of empty taco plates and margarita glasses.

"Uh, oh," I remarked. "Who has the Capital One card? Are you upset?"

The owner identified himself, but he hadn't heard the week's news. I filled him in: a hacker had obtained personal information on more than 100 million of the bank's customers and credit card applicants. The suspect, a former Amazon Web Services employee, stole people's names and other personal details, 140,000 Social Security numbers, 80,000 bank account numbers, and one million Canadian Social Insurance Numbers (the Canadian equivalent of Social Security numbers). My friend had no idea.

My friend pulled out his phone, searched for the story to learn more, and then, warily, reviewed his recent credit card statements. "Well," he said, "I just assume that all my data is already disclosed everywhere." It's a cynical attitude, if a savvy one.

This is not the first time my friend has dealt with data exposure. His Social Security number and other sensitive information were looted in the massive Equifax data breach of 2017. He is one of the roughly 150 million consumers wronged by Equifax, which recently agreed to a settlement of up to $650 million over the debacle. (Unfortunately, my friend was not among the lucky ones who filed a claim for compensation before the credit bureau's cash payout fund ran dry.)

What should a data breach victim do? Don't let the leaks get you down. Don't give up hope. Stay vigilant and act.

Even though Capital One believes that "it is unlikely that the information was used for fraudulent purposes or disseminated by this person," the abundance of breaches at large companies such as Equifax, Marriott and, seemingly, everyone in between should persuade consumers to heed the old adage: better safe than sorry. My friend, for instance, said he had placed a freeze on his credit in the wake of the Equifax fiasco, one of the few truly proactive precautions a person can take against identity theft. (A freeze prevents would-be impostors from opening new lines of credit in your name.)

While a credit freeze is one of the most effective defenses, other options include fraud alerts, credit monitoring, and password hygiene. Even if you were spared by the latest misfortune at Capital One, consider adopting some of these measures before the next breach.

Go on the defensive; avoid defeatism.

Robert Hackett | @rhhackett | [email protected]

THREATS

Capitulation One. In addition to the column above, The New York Times takes a close look at the financial sector's security following the Capital One breach. The suspected hacker may have hit other targets beyond the bank. And The Wall Street Journal reports that Richard Fairbank, Capital One's low-profile CEO, now finds himself reluctantly in the spotlight.

Whistles go WOOO. Cisco has agreed to pay $8.6 million to settle a claim alleging it knowingly sold easily hackable video surveillance software to hospitals, schools, governments, and other customers. A whistleblower, James Glenn, alerted the tech giant to the problems in 2008, four years before the company addressed the security flaws, according to the settlement announced on Wednesday.

Rest assured. The cyber insurance sector is taking off. Premiums reached $2 billion last year, up 26% from 2015, according to a report from Moody's Investors Service. CyberScoop, a cybersecurity news outlet, digs into the booming market.

Breach roundup. There is Capital One, of course. Poshmark, a secondhand clothing marketplace, warned customers that a recent data breach exposed names, email addresses, hashed passwords, and other user information. An exposed Honda database could have allowed attackers to see which of the automaker's computer systems had unpatched vulnerabilities. And Bank of Cardiff, a San Diego-based financial firm, left a server containing a million phone call records exposed online.

Trinity test. Tom Bossert, former cybersecurity czar in the Trump administration, has joined a new startup, Trinity Cyber, as chief strategy officer. Intel Capital has put $23 million in venture funding into the company. Wired has an intriguing profile of the firm.

"Your Highness Qiao Biluo" has no clothes.

Share today's Cyber Saturday with a friend: http://fortune.com/newsletter/cybersaturday/

Looking for previous Data Sheets? Click here.

ACCESS GRANTED

Shoot down this firewall. The clearest technical explanation of the probable cause of the Capital One breach comes from Evan Johnson, product security team lead at Cloudflare, the multi-billion-dollar Internet infrastructure startup. Johnson's post on his personal blog lays out the problem as he sees it, and calls out public cloud providers such as Amazon Web Services (AWS) for not doing more to address the underlying problem.

Everything indicates that the attacker exploited a type of vulnerability called Server Side Request Forgery (SSRF) in order to carry out the attack. SSRF has become the most serious vulnerability faced by organizations that use public clouds. SSRF is not an unknown vulnerability, but it does not receive enough attention and is absent from the OWASP Top 10.

SSRF is a dream for bug hunters because it is an easy attack to perform and regularly yields critical results, such as this bug bounty report to Shopify. The problem is common and well known, but difficult to prevent, and no mitigation is built into the AWS platform.

Server Side Request Forgery is an attack in which a server can be induced to connect to an unintended server. SSRF is explained in more detail in this article by HackerOne. The impact of SSRF is compounded by public cloud offerings, and the major players like AWS are not doing anything about it.
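To make the excerpt above concrete, here is an added example (not code from Fortune, Cloudflare, or Evan Johnson's post) of the pattern behind most SSRF findings: a web app that fetches a user-supplied URL on the server side. It assumes a hypothetical "fetch this URL for me" feature and an injected HTTP client, and shows the vulnerable handler beside a hardened one. The reason SSRF is so much worse on a public cloud is that the instance metadata service lives at the link-local address 169.254.169.254 and hands out the instance's temporary IAM credentials to anything on the box that can reach it; a server that fetches arbitrary URLs is exactly that. The DNS table and HTTP client below are constructed fixtures so the example runs offline.

```python
"""SSRF: a URL-fetching handler in its vulnerable form and a hardened form.

Added example; not the code of any company named in the newsletter. Assumes a
hypothetical server-side "fetch this URL" feature and an injected http_get().
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Well-known instance metadata endpoints. The link-local IP is used by AWS,
# GCP and Azure; the names are GCP's metadata hostname and a common alias.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}


def fetch_vulnerable(url, http_get):
    """Vulnerable: whatever URL the client sends is fetched from the server's
    network position, so http://169.254.169.254/latest/meta-data/ works too."""
    return http_get(url)


def default_resolver(host):
    """Resolve a hostname to every address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_safe_target(url, resolver=default_resolver):
    """Return (ok, reason). Deny anything that is not a routable public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS or host == "localhost":
        return False, f"host {host!r} is denylisted"
    # Judge the address the name actually turns into rather than the string:
    # forms like 0x7f000001 or 2130706433 are not IP literals to ipaddress but
    # the system resolver maps them to 127.0.0.1, and a hostname can resolve
    # to several addresses, any one of which may be internal.
    try:
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except OSError as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:  # e.g. ::ffff:169.254.169.254
            ip = ip.ipv4_mapped
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


def fetch_hardened(url, http_get, resolver=default_resolver):
    """Hardened: refuse to fetch unless the target is a public http(s) host."""
    ok, reason = is_safe_target(url, resolver)
    if not ok:
        raise PermissionError(f"refusing to fetch {url}: {reason}")
    return http_get(url)


# Constructed fixtures (not real DNS or HTTP) so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],                        # internal host
    "evil.example": ["203.0.113.7", "169.254.169.254"],   # public + metadata
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host {host}") from None


def fake_http_get(url):
    return f"fetched {url}"


def demo():
    """Run the hardened fetcher over a mix of benign and hostile URLs."""
    cases = [
        "https://example.com/feed.xml",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://intranet.corp/admin",
        "http://evil.example/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
    ]
    results = {}
    for url in cases:
        try:
            results[url] = fetch_hardened(url, fake_http_get, fake_resolver)
        except PermissionError as exc:
            results[url] = str(exc)
    return results


if __name__ == "__main__":
    for outcome in demo().values():
        print(outcome)
```

Two caveats a reviewer would raise even against the hardened version: the check-then-fetch sequence leaves a window for DNS rebinding (the name can resolve to a public address at check time and an internal one at connect time), and HTTP redirects are not re-validated here. Production code pins the connection to the address it validated, disables or re-checks redirects, and preferably routes all server-side fetches through an egress proxy with an explicit allowlist, so that the application host itself never needs to reach the metadata service on a user's behalf.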

FORTUNE RECON

Facebook pages targeted in a misinformation cleanup were meant to sway Middle Eastern opinion by Sarah Frier and Kurt Wagner

Victims of a data breach at Equifax drained their settlement fund of $ 31 million in a week by David Z. Morris

Data breach by Capital One could cost the company up to $ 500 million by Lucinda Shen

Apple has a million-dollar bug problem and only pays thousands to squash them by Xavier Harding

Recruitment scams are "prolific," experts say. Here's how to avoid becoming a victim by Alyssa Newcomb

Homeland Security issues a hacking alert for small planes by Tami Abdollah

ONE MORE THING

"Moscow Mitch." Many people are criticizing Senate Majority Leader Mitch McConnell for blocking the passage of two election security bills. The politician's critics have given him a new nickname, "Moscow Mitch," suggesting that he is aiding and abetting Russian interference in elections. Ben Folds, the singer-songwriter, has piled on, debuting a song bearing the unflattering nickname as its title.
