Tag Archives: social media

Reddit Hacked: A Lesson in the Evolving Role of Cybersecurity

Reddit, the immensely popular social news website, has been hacked. Reddit’s CTO Christopher Slowe posted a discussion saying that the company discovered the data breach in June, after an attacker compromised a handful of employee accounts.

The employees’ accounts were protected with SMS-based two-factor authentication, meaning that any would-be attacker not only would have to steal a worker’s password but also intercept the verification code sent to the employee’s mobile phone. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe shared. A code delivered over SMS is only as safe as the carrier’s handling of the phone number: an attacker who can redirect the number (through a SIM swap or port-out, or via the SS7 signaling network) receives the code without ever touching the victim’s handset. Reddit is encouraging users to move to token-based Two Factor Authentication (2FA), in which the code is computed on the user’s own device from a shared secret and never transits the phone network.

Compromised Data

After breaking into the employee accounts, the intruder gained access to databases and logs, including usernames and their corresponding email addresses, as well as salted, hashed passwords dating back to the site’s early days, 2005 through 2007.

Threat Alert: Extortion Emails about Data Breaches

[This alert is from a recent IC3 Threat Alert. Please share with others in your organization and make sure employees are aware of the threats and consequences of these kinds of phishing emails.]

Have you heard about the massive data breaches with LinkedIn, MySpace (no joke, it’s still around), and Tumblr? The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via email related to these recent high-profile data breaches.

Recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid. Recipients are instructed to pay in Bitcoin, a virtual currency whose addresses are not tied to a name (the ledger itself is public, so payments are pseudonymous rather than truly anonymous). The recipients are typically given a short deadline, so they do not have the opportunity to verify whether their personal information has actually been compromised. The ransom amount ranges from 2 to 5 bitcoins, or approximately $250 to $1,200.

Fraudsters quickly use the news release of a high-profile data breach to initiate an extortion campaign. The FBI suspects multiple individuals are involved in these extortion campaigns based on variations in the extortion emails.

Examples

The following are some examples of the extortion emails:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, you can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Best Practices

  • Do not open email or attachments from unknown individuals.
  • Use strong passwords, and do not use the same password for multiple websites.
  • Never provide personal information of any sort via email.
  • Ensure security settings for social media accounts are turned on and set at the highest level of protection.
  • When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying that the URL begins with “https” or that the browser displays a “lock” icon. HTTPS only protects the data in transit and says nothing about whether the site itself is legitimate, so check the domain name as well.
  • Do not store sensitive or embarrassing photos online or on your mobile devices.
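The indicators the alert describes (a claim that your data leaked, a threat to message friends, family or employer, a demand priced in bitcoin, a pay-to address, and a short deadline) are concrete enough to score mail on. The block below is an added example written for this page, not part of the IC3 alert, and shows one way to do that in Python: each indicator is a regular expression with a weight, payment details weigh more than threat language (which also appears in legitimate breach notices), and a message is flagged when the total crosses a threshold. The two sample messages are constructed for the example; the bitcoin address in the first one is made up, has no valid checksum, and belongs to no one.

```python
"""Heuristic filter for breach-themed extortion mail, scored on the indicators
the IC3 alert describes. Added example for this page, not part of the alert."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legacy Base58 addresses: 26-35 chars starting with 1 or 3, alphabet without 0 O I l.
# bech32 (bc1...) postdates the alert but costs nothing to include.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b")

INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "leak_claim":      re.compile(r"\b(leaked?|hacked?|breach(ed)?|compromised)\b", re.I),
    "contacts_threat": re.compile(r"\b(friends|family|spouse|employers?|facebook)\b", re.I),
    "btc_demand":      re.compile(r"\b(\d+(?:\.\d+)?)\s*(bitcoins?|btc)\b", re.I),
    "btc_address":     BTC_ADDRESS,
    "deadline":        re.compile(r"\b(?:within|in)\s+\d+\s+(?:hours?|days?)\b|\bdeadline\b", re.I),
}
# Payment details are the strongest signal; breach/contacts language alone is not enough.
WEIGHTS = {"leak_claim": 1, "contacts_threat": 1, "btc_demand": 2, "btc_address": 2, "deadline": 1}
THRESHOLD = 4  # a bitcoin demand or address plus corroborating language


@dataclass
class Verdict:
    score: int
    hits: List[str]
    ransom_btc: Optional[float]
    addresses: List[str]

    @property
    def flagged(self) -> bool:
        return self.score >= THRESHOLD


def score_message(body: str) -> Verdict:
    """Score one message body; hits are listed in INDICATORS order."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(body)]
    score = sum(WEIGHTS[h] for h in hits)
    demand = INDICATORS["btc_demand"].search(body)
    ransom = float(demand.group(1)) if demand else None
    return Verdict(score, hits, ransom, BTC_ADDRESS.findall(body))


def in_ic3_range(ransom_btc: Optional[float], low: float = 2.0, high: float = 5.0) -> bool:
    """The alert reports demands of 2 to 5 BTC; treat this as a secondary signal, not a gate."""
    return ransom_btc is not None and low <= ransom_btc <= high


# Constructed samples (not real mail). The address is invented and has no valid checksum.
EXTORTION_SAMPLE = (
    "Unfortunately your data was leaked in a recent corporate hack and I now have your "
    "information. I have also used your user profile to find your social media accounts. "
    "Using this I can now message all of your friends and family members. To prevent this, "
    "send exactly 5 bitcoins to 1ConstructedExampLeAddr7Kd9pQ2rK3m within 48 hours."
)
BENIGN_SAMPLE = (
    "LinkedIn has confirmed that passwords from a 2012 breach were posted online. "
    "We recommend changing your password and enabling two-factor authentication."
)

if __name__ == "__main__":
    for label, text in (("extortion", EXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = score_message(text)
        print(f"{label}: flagged={v.flagged} score={v.score} hits={v.hits} "
              f"ransom={v.ransom_btc} addresses={v.addresses}")
```

The benign sample scores only on the word “breach” and stays well under the threshold, which is the point of weighting: a genuine breach notification and an extortion note share vocabulary, but only the latter names a price and an address. Extracted addresses are worth keeping as indicators of compromise, since the FBI notes variations across senders and a shared pay-to address ties messages to one campaign.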

Periscope and Meerkat – New Dangers of Live Streaming

Meerkat, a new social networking app, gained traction and popularity at the South by Southwest film festival and conference (SXSW), and not long after, Twitter announced a similar app called Periscope. In the Periscope app, users can rummage through random live streams, letting the user experience the view from the Empire State building, traffic in Los Angeles, a family eating breakfast, and many other live streams.

This new age of social media raises several privacy concerns. Periscope posts the user’s broadcast data publicly by default. According to their privacy policy, “This includes the metadata provided with your broadcast, such as when and where you broadcast.” Another concern comes with the feature of uploading the video to Twitter for 24 hours, moving past the ‘live stream’ aspect.

The implications for organizations can be even more dramatic and create new headaches for Privacy Officers. Because the app is so easy to use at work, Periscope already carries streams of call centers talking with clients, of employees broadcasting their computer screens, and of patients in health care facilities. The potential for sensitive information to be exposed is endless.

With the continued growth of social media, users are not only sharing more information about themselves, but also personal data of others – which could put organizations at risk.

USPS Joins the Long List of Breached Organizations

According to a statement released by the US Postal Service (USPS), attackers have likely compromised personal information of some 800,000 current and former employees, as well as data for customers who contacted the USPS Customer Care Center by phone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. Affected employee information includes name, date of birth, Social Security number, address, and other contact information.

The USPS explained in a FAQ document that, as part of its intrusion mitigation efforts, the Postal Service took some systems offline over the weekend of November 8-9.

The identity of the attackers is unknown.

Rhode Island Enacts Social Media Law

Rhode Island’s 2014 Student and Employee Social Media Privacy acts (2014-S 2095Aaa and 2014-H 7124Aaa) bar employers from demanding social media-related materials of job applicants, and establish similar prohibitions for colleges as they consider prospective students. The law also includes a Student Data-Cloud Computing act, providing that any cloud computing service to an educational institution may not process any student data for any commercial purpose, such as advertising that benefits the cloud computing service provider.

For more information, see the press release from the State of Rhode Island General Assembly.


Oklahoma Enacts Social Media Law

Effective November 1, 2014, Oklahoma law HB 2372 prohibits employers from requiring employees or prospective employees to provide user names, passwords, or access to their personal social media accounts. The law (a) prohibits employers from taking personnel action that negatively affects the terms and conditions of the job (e.g. termination, pay reduction, or assignment changes) of a current employee that refuses to give the employer access to his or her social media account, and (b) makes it illegal to refuse to hire a prospective employee for withholding access. Exceptions include requiring access to an employee’s account for purposes of a work-related investigation.

FFIEC Issues Final Social Media Guidance

The Federal Financial Institutions Examination Council (FFIEC) released its final guidance (announcement) on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance is intended to help financial institutions understand potential consumer compliance, legal, and other risks associated with the use of social media, along with expectations for managing those risks. The FFIEC published the guidance in proposed form in January 2013 and invited public comments through March 25, 2013. The agencies took the 81 comments received into account in making certain revisions to the guidance.

Illinois Amends Password Protection Law

Effective January 1, 2014, the Illinois password protection law has been amended to no longer apply when an employer requests access to a “professional account” to “monitor or retain employee communications as required under Illinois insurance laws or federal law or by a self-regulatory organization as defined in Section 3(A)(26) of the Securities Exchange Act of 1934, 15 U.S.C. 78(A)(26).”  A “professional account” is defined as “an account, service, or profile created, maintained, used, or accessed by a current or prospective employee for business purposes of the employer.”  The amendment also permits employers to seek access to a professional account when the employer has “a duty to screen applicants or employees prior to hiring.”