US Citizen Voter Records Hacked and Now for Sale on the Dark Web
So much is going on every month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!
Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in October.
1. Millions of US Voter Records for Sale on Dark Web
The dark web always has “interesting” goodies up for sale. In October 2018, security researchers at Anomali and Intel 471 found 35 million US voter records up for sale. The records, from 19 US states, include full names, phone numbers, physical addresses, voting histories, and other voter-specific information.
State voter registration lists aren’t entirely secret to begin with. Political campaigns, academics, and journalists can request voter registration information, so long as the records are not for commercial use or republished online.
However, in this instance, Anomali notes that “When these lists are combined with other breached data containing sensitive information, e.g., social security number and driver’s license, on underground forums it provides malicious actors with key data points for creating a target profile of the US electorate.”
Particularly interesting is the claim from the seller that they “receive weekly updates of voter registration data across the states and that they receive information via contacts within the state governments.” The revelation suggests that the information is targeted, rather than the result of a leak.
Unfortunately, this isn’t the first leak of US voter record information. Back in 2015, the records of some 191 million US voters hit the internet. The database was exposed for several days and contained similar data to October’s leak.
The affected states are: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin, and Wyoming.
2. Google Chose Not to Inform Users of Breach
One of the news stories from October was the death knell for Google’s social media platform, Google+. Google+ never managed to compete with Facebook or Twitter, even after Google forced millions of users to create accounts to post comments on YouTube.
The final nail in the coffin proved not to be the astoundingly short user interaction time with the platform. No. It was the revelation that the private data of Google+ users was left exposed for years—and Google did absolutely nothing about it.
The leak contained data for nearly 500,000 users. Google confirmed the leak includes names, email addresses, dates of birth, gender, occupation, places lived, relationship status, and profile pictures.
While this combination isn’t the end of the world, it’s still enough to attempt to create targeted phishing emails or force entry into other sites using password reset mechanisms.
The biggest news to come from the leak isn’t the exposure of private data, but rather that Google chose not to take the leak public. A memo leaked to the Wall Street Journal suggests that “Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public.”
It is a bad look for Google, that’s for sure. What else is Google potentially hiding or covering up because the revelation would harm its business practices?
3. Torii Modular Botnet Is More Advanced Than Mirai
The phenomenally powerful Mirai botnet hit the headlines after staging consecutive record-breaking DDoS attacks. But a new modular botnet named Torii (because the initial researcher found his honeypot attacked from 52 Tor exit nodes) has built upon the foundations of Mirai, and taken attacks one step further.
But while Torii derives from Mirai, it would be wrong to say they are the same.
Torii stands out for a few reasons. One, unlike other Mirai derivatives, it doesn’t “do the usual stuff a botnet does like DDoS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies.” The Avast blog entry continues: “Instead, it comes with a rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.”
Like other modular malware variants, Torii works in several stages. Once installed on a system, it checks the system architecture before dialing home to a command and control server for an appropriate payload. Architecture-specific payloads include ARM, x86, x64, MIPS, PowerPC, and more.
The secret to its success is undoubtedly its versatility. By attacking a huge range of platforms, shutting Torii down is incredibly difficult.
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner…
First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.) pic.twitter.com/r5L0I8PC0h
— Vess (@VessOnSecurity) September 19, 2018
4. Cathay Pacific Suffers Huge Data Breach
Cathay Pacific has suffered a data breach exposing the private data of over 9.4 million customers.
The stolen data includes 860,000 passport numbers, 245,000 Hong Kong ID card numbers, 403 expired credit card numbers, and 27 credit card numbers without a CVV verification code.
Other stolen data includes passenger names, nationalities, dates of birth, email addresses, home addresses, and phone numbers, as well as other airline-specific information.
Cathay Pacific Chief Executive Officer Rupert Hogg apologized to the airline’s customers, saying, “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”
The Cathay Pacific hack, however, firmly puts British Airways’ September data leak into perspective. BA immediately alerted customers to the hack and didn’t lose any passport numbers. The Cathay Pacific hack took place between March and May of this year, yet customers are only now finding out about the severity of the breach.
If you’re just finding out, here’s how to check if anyone is trying to hack your online accounts.
5. 4-Year-Old Libssh Vulnerability Discovered
Secure Shell implementation libssh has a four-year-old vulnerability affecting thousands of websites and servers around the globe. The vulnerability was introduced in the libssh 0.6 update, released back in 2014. It is unclear exactly how many sites are affected, but the internet-connected device search engine Shodan shows more than 6,000 results.
Rob Graham, CEO of Errata Security, says the vulnerability “is a big deal to us but not necessarily a big deal to the readers. It’s fascinating that such a trusted component as SSH now becomes your downfall.”
On the positive side, the major sites that use libssh appear unaffected. Perhaps the largest is GitHub, whose security team tweeted that it uses a customized version of libssh for GitHub and GitHub Enterprise and so is unaffected by the vulnerability. It is also important to note that this vulnerability does not affect OpenSSH or the similarly named libssh2.
While we use libssh, we can confirm that https://t.co/0iKPk21RVu and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library.
— GitHub Security (@GitHubSecurity) October 16, 2018
Current advice is to patch any libssh devices immediately to version 0.7.6 or 0.8.4.
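The patch advice above gives a defender two concrete thresholds per release branch. The script below is an added example (not code from the article or from the libssh project) that turns an inventory of hosts and their libssh version strings into a list of hosts still needing the 0.7.6 or 0.8.4 update. It assumes, from the text, that the flaw entered in 0.6 and that anything on a branch newer than 0.8 postdates the fix; the host names, version strings and banner format in SAMPLE_INVENTORY are constructed sample data.

```python
"""Flag hosts whose libssh version predates the fixed releases named in the text.

Added example, not the article's or libssh's own code. Assumptions are marked.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per branch, taken from the patch advice in the text.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (0, 7): (0, 7, 6),
    (0, 8): (0, 8, 4),
}
# Text: the vulnerability was introduced in the 0.6 update (2014).
INTRODUCED: Version = (0, 6, 0)


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a string such as 'libssh_0.8.1',
    '0.7.6' or a constructed banner like 'SSH-2.0-libssh-0.7.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_patched(version_text: str) -> bool:
    """True if this libssh version is not affected or already carries the fix."""
    v = parse_version(version_text)
    if v < INTRODUCED:
        return True  # predates the bug, per the text
    fixed: Optional[Version] = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # 0.6.x received no fix release: an upgrade is needed.
        # Branches after 0.8 postdate the fix and are assumed patched (assumption).
        return v[:2] > (0, 8)
    return v >= fixed


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return, sorted by name, the hosts whose libssh version still needs updating."""
    return sorted(host for host, version in inventory if not is_patched(version))


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("build-01.example.internal", "libssh_0.8.1"),
    ("git-mirror.example.internal", "libssh_0.8.4"),
    ("nas.example.internal", "0.7.5"),
    ("legacy-cam.example.internal", "0.6.3"),
    ("jump.example.internal", "SSH-2.0-libssh-0.7.6"),
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: update libssh to 0.7.6 or 0.8.4")
```

Feed it whatever your asset inventory or package manager reports for the libssh version; the parser only needs an x.y.z triple somewhere in the string, so a raw `SSH-2.0-...` banner captured by your own monitoring works as well as a package version.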
6. Hackers Target Fortnite Players With V-Bucks Scams
Fortnite is one of, if not the most popular video game in the world right now. The off-the-wall free-to-play battle royale-style game attracts over 70 million monthly players—and hackers have taken note. (Parents, your kids are playing Fortnite!)
Research from ZeroFOX suggests that hackers are targeting Fortnite’s in-game currency, V-Bucks. Players use V-Bucks to purchase cosmetic items for their in-game avatar. Despite the game being free, estimates suggest Fortnite is earning over $300 million per month for developers Epic Games.
Hackers run scam-sites advertising “Free Fortnite V-Bucks Generators” to trick unsuspecting victims into revealing their personal information, such as in-game credentials, credit card data, and home addresses.
“Games with a microeconomy, especially Fortnite, are prime targets for attackers to leverage their security attacks, scams and spam against,” said Zack Allen, director of threat operations at ZeroFOX. “These economies are a great way to make money without attracting too much attention to yourself because of the lack of regulation and the nuances of the economy (try describing a ‘V-Buck’ to any local law enforcement officer, you most likely will get a blank stare).”
It isn’t the first time Fortnite has come under security scrutiny. In April 2018, Epic Games announced they wouldn’t use the Google Play Store for the Fortnite Android version. Refusing to use the Google Play Store means players lose out on the security offered by Google. You can check out how to safely install Fortnite on Android right here.
October 2018 Security News Roundup
Those are seven of the top security stories from October 2018. But a lot more happened; we just don’t have space to list it all in detail. Here are five more interesting security stories that popped up last month:
- IBM acquired Red Hat in a deal worth over $30 billion.
- The Pentagon was hit with a security breach exposing 30,000 employees.
- Ethical hackers uncovered 150 vulnerabilities in the US Marine Corps Enterprise Network.
- Facebook is searching for a cybersecurity company acquisition to boost security and data protection.
- Kaspersky Labs found the NSA DarkPulsar exploit in attacks against Russian, Iranian, and Egyptian nuclear targets.
Cybersecurity is a constantly evolving whirlwind of information. Keeping on top of the malware, data protection, privacy issues, and data breaches is a full-time job—that’s why we round up the most important news for you each month.
Check back at the beginning of next month for your November 2018 security roundup. In the meantime, check out exactly how artificial intelligence will fight modern hackers.