iTWire - Security - Technology news, trends, reviews, jobs
http://www.itwire.com
Feed generated Thu, 31 Jul 2014 07:10:41 +1000

What is your ‘quantified self’? And how safe is it?
http://www.itwire.com/business-it-news/security/64942-what-is-your-‘quantified-self’?-and-how-safe-is-it?

Security company Symantec has released a report called ‘How safe is your quantified self?’ It is intended to highlight the security risks in devices and applications such as fitness and health trackers.

“Fuelled by technological advances and social factors, the quantified self movement has experienced rapid growth,” says the report. “Quantified self, also known as self-tracking, aims to improve lifestyle and achievements by measuring and analysing key performance data across a range of activities.

But Symantec says it has found significant security risks in a large number of self-tracking devices and applications. One of the most significant findings was that all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking.

To conduct their analysis, Symantec researchers built a number of scanning devices using Raspberry Pi computers that pick up Bluetooth signals. By taking them to athletic events and busy public spaces, they found it was easy to track data from specific individuals.

Symantec says it found vulnerabilities in how personal data is stored and managed, such as passwords being transmitted in clear text and poor session management. “As we collect, store, and share more data about ourselves, do we ever pause to consider what could be the risks and implications of sharing this additional data?

“The greatest overall risk posed to users by the ‘quantified self’ movement is the risk of the loss of privacy,” says the report. “Never before has such a huge amount and breadth of information been collected, transmitted and stored about people and users.”

“If accessed, this data could be used for identity theft, profiling, locating and stalking the user, embarrassment, extortion or corporate misuse.”


The report found that 20% of quantified self apps transmitted passwords in the clear, and that more than half (52%) do not make their privacy policies available.

“In recent years the notion of collecting and analysing data has moved from being mainly used in business to a much more personal level. People are now tracking every facet of their lives with the aid of technology and gadgets. This in essence sums up what the quantified self movement is and what it stands for.

“Today self-tracking is big business, experiencing rapid growth. By 2018, the number of wearable computing devices shipped each year will reach 485 million units. The majority of these will have tracking functionality. That number only accounts for tracking devices and does not include smartphones that can run self-tracking apps, which would number in the billions. According to one study, 60% of Americans now regularly track their weight, diet or exercise activity.

“Quantified self is now entering a golden age in its development because of a collision of several forces at play in the world of technology, health, and popular culture. On the technology side, the ever increasing processing power and miniaturization of key technologies such as sensors and processors, as well as improved battery life and the rollout of ubiquitous communications infrastructure, has opened up a new world of possibilities for always-on devices that can be carried around all day.

“Another key technology driver is the idea of big data and the wholesale collection of personal data to gain insight into the behaviour and habits of consumers.”

Symantec says the following steps could help users stay safe when using self-tracking apps:

  • Use a screen lock or password to prevent unauthorised access to your device
  • Do not reuse the same user name and password between different sites
  • Use strong passwords
  • Turn off Bluetooth when not required
  • Be wary of sites and services asking for unnecessary or excessive information
  • Be careful when using social sharing features
  • Avoid sharing location details on social media
  • Avoid apps and services that do not prominently display a privacy policy
  • Read and understand the privacy policy
  • Install app and OS updates when available
  • Use a device based security solution
  • Use full device encryption if available

The report is available here.

Graeme Philipson (graeme.philipson@itwire.com), Security, Thu, 31 Jul 2014 06:21:28 +1000
Onion ransomware is a huge threat to your Windows computer
http://www.itwire.com/business-it-news/security/64914-onion-ransomware-is-a-huge-threat-to-your-windows-computer

A new piece of dangerous ransomware has been uncovered and is potentially the 'next Cryptolocker', according to security researchers with Kaspersky.

The encrypting ransomware is called 'Onion' because it uses the anonymous network Tor (the Onion Router) in a bid to hide its malicious nature and to make it hard to track those behind this ongoing malware campaign, according to Kaspersky.

Onion is being described as a successor to the Cryptolocker ransomware, which we reported on last year, and which wreaked havoc across the world as users infected by the malware were forced to hand over bucketloads of money in Bitcoin to keep their data.

The new malware, which currently only affects Windows PCs, encrypts files in the same way as Cryptolocker and starts a similar countdown that lasts for 72 hours by which time all the files are deleted forever if a ransom isn’t paid.

Kaspersky Lab senior malware analyst, Fedor Sinitsyn, said the malware demonstrates how Tor has become a proven tool and is being implemented into other types of malware.

“The Onion malware features technical improvements on previously seen cases where Tor functions were used in malicious campaigns,” he said.


“Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server,” he said.

"All this makes it a highly dangerous threat and one of the most technologically advanced encryptors out there."

The Onion transfers secret data and payment information with command and control servers within an anonymous network.

Sinitsyn said this kind of communication architecture existed in the past, though it was limited to banking malware families such as the Tor-enhanced 64-bit ZeuS. He said these characteristics add up to a “highly dangerous threat,” as well as one of the “most technologically advanced encryptors” in existence today.

Kaspersky says that certain strings within the body of the malware - along with the recent release of a Russian-language GUI - give it "ground to assume that its creators are Russian speakers".

The first version of the Onion ransomware was targeting English-language users, with the splash screen which is set as the computer's default desktop wallpaper written in English.

The malware demands payment of 0.159999 bitcoins (approximately $130 AUD), giving users 72 hours to pay up or risk losing data forever.

Kaspersky recommends "your security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date." For more see the Kaspersky post in question here.

David Swan (davidswan@gmail.com), Security, Tue, 29 Jul 2014 13:02:51 +1000
Fortinet claims 1Tbps firewall first
http://www.itwire.com/business-it-news/security/64869-fortinet-claims-1tbps-firewall-first

Network security vendor Fortinet says its new FortiGate 5144C firewall is the first to exceed 1Tbps throughput.

The Fortinet FortiGate 5144C is "the world's fastest firewall" according to company officials.

It is said to deliver 1Tbps throughput by incorporating multiple NP6 ASICs, each capable of 40Gbps. 14 blades, each with two ASICs, together provide the record-setting performance.

Functions include deep packet inspection, IPS, application control, and web content filtering.

“Others have claimed to have the fastest firewall, but no other vendor has actually delivered this level of performance and security, which enables customers to build out their data centres for the future, knowing that their firewalls will not be a choke point," said founder and CEO Ken Xie.

The FortiGate 5000 series - aimed at carriers, service providers and large enterprises - uses the same architecture, ASICs and operating software as the 1000 and 3000 series intended for less demanding customers.

However, the chassis, controller blades and security blades are all new.

Two versions of the networking blade can be fitted to the 5000 series. The FortiController-5913C (available in 4Q14) provides 100 GbE connectivity, while the FortiController-5903C (available now) is the 40 GbE alternative.

Stephen Withers (swithers@blackandwrite.com.au), Security, Thu, 24 Jul 2014 16:16:40 +1000
The questions Catch of the Day won't answer
http://www.itwire.com/business-it-news/security/64867-the-questions-catch-of-the-day-wont-answer

Following the very late announcement of a data breach, Catch of the Day is making no further statement on the matter.

After writing an exploratory piece earlier, we approached CotD in the hope that they would expand upon their written comments in both the letter to customers and in their press release.

As iTWire sees it, there are still a number of pressing public-interest questions to be answered.  These were put to the company and not answered.  Instead we received the standard press release on the matter and a statement to the effect that no further comment would be made.

We feel that the questions we asked were very important and therefore put them in the public domain in the hope that the company might see fit to answer them in this forum.  If nothing else, they will help focus public interest in the matter.  In addition, any serious level of public analysis of a breach such as this can only help every organisation better prepare for such an incident; clearly the protection of customer data is something the entire (law-abiding) community has an interest in.

To remind readers of the context of these questions, the previous reporting observed that a consortium of investors (including James Packer) made an investment of $80M in the company just 16 days after the breach.

The following questions were put to Catch of the Day (CotD) in writing (note that some questions have been edited for style since being sent to CotD, however no substantive changes have been made):

1. Were negotiations with James Packer and the investment consortium already in progress when the breach occurred?

2. (assuming a positive answer to the previous question) What impact did the breach have on negotiations?  Were Packer and the other investors told of the breach?

3. The reference to "technological advances it means there is an increasing risk that those hashed passwords may become compromised" in the letter to all affected customers seems a remarkably strange reason to announce the breach in July 2014 - over 38 months later. Did anything else occur in the past few weeks that caused CotD to make this announcement?

4. What caused CotD's IT team to detect the breach?  It seems that it is possible to identify May 7th 2011 as the date of breach (by the suggestion that only passwords from before that date should be changed), but when was it actually detected?


5. What IT forensic work was done to trace the perpetrators?  Has the source been confirmed? Could it have been an "inside job"?

6. The recruitment four months after the breach of Seamus Byrne, a well-known IT security expert with legal qualifications, is interesting.  Upon whose suggestion was he recruited and what was he asked to do in relation to the breach?  Note we are separately in contact with Mr Byrne in this matter [readers, see below in this regard].

7. In February 2012, a small number of users reported unsolicited email to addresses that had only been used to communicate with CotD.  Despite a promise to investigate further by Seamus Byrne, these users claimed on Whirlpool that no answer was ever received.

8. The breach was only reported to the Privacy Commissioner in June this year.  Why was that?  It would have been expected that even under the privacy legislation in place at the time of the breach CotD would have been bound to report that Personal Information had been lost to parties unknown.  Clearly, this did not happen.

9. Your emailed statement to subscribers (this author was one of the many recipients) also claimed that "Only a relatively small portion of users had credit card information compromised."  Press reports around the same time indicated around 10,000 credit cards were re-issued by a variety of Australian banks, and commentary on Whirlpool quickly homed in on your organisation as the affected merchant.  What did the breach cost CotD?  It is common for the banks to claim these costs from the affected merchant.

10. Also, what impact did this have on CotD's PCI-DSS status?  It is generally true that an organisation is instantly declared non-compliant when a breach is detected.

11. What lessons have been learned from the whole event?

Since putting these eleven questions to CotD, a few additional pertinent questions have arisen.

12. Other reporting suggests that despite CotD's claims, the AFP was not informed of the breach.  Assuming some kind of report was made, to what police authority was the breach reported, and what was its response / involvement in the investigation?

13. Was the breach detected by CotD staff or was the company informed of the breach by external means?

As described previously, iTWire has been in contact with Seamus Byrne, the CIO appointed a few months after the breach to seek his comments.  His entire response, sent identically to two iTWire writers, is as follows:
1. I can't comment on this matter.
2. My longstanding belief is that mandatory data breach notification laws should be introduced in Australia to improve transparency around privacy for consumers and remove the option for owners of a business to choose not to disclose a data breach in a timely manner.

When asked if he was responding in the context of some form of confidentiality agreement, his simple response was, "Thanks for your understanding."

iTWire chooses to make no interpretation of Byrne's words, instead leaving that to the reader.

Any organisation that has close to 10% of the Australian population as subscribers should feel a certain level of pressure to be open in their dealings with any breach of trust.  Subscribers have had personal details stolen by persons unknown and deserve answers.

iTWire urges Catch of the Day to publicly respond to the questions above as a start in the process of repairing some broken trust.

David Heath (tritonsecure@gmail.com), Security, Thu, 24 Jul 2014 13:28:45 +1000
Apple’s half denial confirms iOS ‘back door’
http://www.itwire.com/business-it-news/security/64866-apple’s-half-denial-confirms-ios-‘back-door’

A US researcher has mounted a very strong case that Apple has deliberately left security holes in iOS. Apple’s response is underwhelming.

Apple, stung by allegations that it has deliberately left ‘back doors’ in its iOS iPhone and iPad operating system, has issued a half-denial that is already adding fuel to the fire. A back door is a method of bypassing authentication in a computer system.

Allegations that iOS and other operating systems have such intentionally engineered weaknesses that allow user data to be accessed have been around for some time. They have gained currency since Ed Snowden’s revelations about how the US and other governments conduct massive surveillance programs on their citizenry, and how the NSA has expressly asked software companies to create back doors in their products to make surveillance easier.

Those disclosures have also spurred publicity about the extent to which software and Internet companies are complicit, and even cooperative, with government surveillance efforts. Google, Facebook, Microsoft and Yahoo, amongst others, have publicly stated that they are not part of such programs.

Now Apple has issued a kind of semi-denial. Its hand has been forced by an extraordinarily detailed analysis from Jonathan Zdziarski, author of ‘Hacking and Securing iOS Applications’ and an experienced student of Apple and iOS forensics.

Zdziarski’s analysis is publicly available and describes undocumented services that bypass user backup encryption. It explains in great technical detail how this is done.

“Apple is dishing out a lot of data behind our backs. It’s a violation of the customer’s trust and privacy to bypass backup encryption. There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.

“Much of this data simply should never come off the phone, even during a backup.  Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals. Overall, the otherwise great security of iOS has been compromised - by Apple, and by design.”


"I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption."

Apple’s CEO Tim Cook has responded. “We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues.

“A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.

“As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services.”

That statement falls well short of a denial. Indeed, Zdziarski’s analysis appears irrefutable. He has since posted his response on his website.

“Apple responded to allegations of hidden services running on iOS devices with this knowledge base article. In it, they outlined three of the big services that I outlined in my talk.

“So again, Apple has, in a traditional sense, admitted to having back doors on the device specifically for their own use. Perhaps people misunderstand the term ‘back door’ due to the stigma Hollywood has given them, but I have never accused these ‘hidden access methods’ as being intended for anything malicious, and I’ve made repeated statements that I haven’t accused Apple of working with NSA.

“That doesn’t mean, however, that the government can’t take advantage of back doors to access the same information. What does concern me is that Apple appears to be completely misleading about some of these, and not addressing the issues I raised on others.”

The issue has set the blogosphere alight. Some Apple fans say they trust the company implicitly to do the right thing, others say they will never use Apple again. But the main effect seems to have been to sow further seeds of doubt about the extent to which the whole IT industry has, wittingly or unwittingly, helped the wholesale spying on innocent citizens by their own government.

Graeme Philipson (graeme.philipson@itwire.com), Security, Thu, 24 Jul 2014 12:19:07 +1000
Was Catch of the Day afraid of losing Packer's cash injection?
http://www.itwire.com/business-it-news/security/64859-was-catch-of-the-day-afraid-of-losing-packers-cash-injection?

It seems that the recently-announced CatchOfTheDay data breach happened just two weeks prior to a major cash injection into the company.

iTWire has already reported on the breach in CatchOfTheDay's Internet-facing systems that appeared to result in the loss of their entire user database.  According to their announcement, data lost included "names, delivery addresses, email addresses and hashed (encrypted) passwords."

However, it has now come to light that this breach (assuming the stated date of May 7th 2011) occurred just 16 days prior to the inking of a deal to bring $80M into the company from a group of investors including James Packer.

iTWire is curious to know whether the delicate state of negotiations forced CotD to defer announcing the breach at that time - they certainly claim to have immediately informed Police and Banks of the event; just not their customers or the Privacy Commissioner.

Of further interest is the recruitment of Seamus Byrne, a highly regarded CIO who also holds a law degree.  Byrne joined the company just 4 months after the breach and remained there until April 2013.  Earlier, iTWire approached Byrne for his thoughts on the matter, but he was unable to offer anything useful: "I can't comment on this matter."  iTWire has subsequently requested a more detailed response from Byrne.

Soon after the breach (on May 26th), there were many reports (here for instance) of banks being forced to re-issue credit cards for around 10,000 users.  A parallel discussion on Whirlpool homed in on CatchOfTheDay as the likely affected merchant.

This is clearly the incident referred to in CotD's statement as "Only a relatively small portion of users had credit card information compromised."  Presumably 10,000 is a relatively small proportion out of a customer base of around 2 million subscribers.

Catch of the Day has been contacted to address these and other related issues.

David Heath (tritonsecure@gmail.com), Security, Thu, 24 Jul 2014 01:20:22 +1000
LogRhythm identifies retail cyber attacks
http://www.itwire.com/business-it-news/security/64842-logrhythm-identifies-retail-cyber-attacks

Security company LogRhythm has announced a new set of product features to identify early indicators of cyber-attacks on the payment processing chains of retail organisations.

The privately owned US company has also announced a US$40 million funding round.

The new Retail Cyber Crime Security Analytics Suite is designed to provide a complete forensic view into anomalous and malicious activity so that attacks can be quickly spotted and remediated.

The suite correlates information about POS (point of sale) endpoints, payment processors, back-office systems and networks: systems that have specific purposes and should behave in predictable ways. LogRhythm's machine analytics technology, the AI Engine, spots activity that deviates from normal behaviour in real time.

"The Target and PF Chang's data breaches are on a long and growing list of retail industry breaches that might have been detected sooner – or prevented altogether – with better visibility of early threat indicators that were material variances from normal activity," said Mike Reagan, LogRhythm's chief marketing officer, commenting on two recent high profile security breaches in the retail industry.


"The Retail Cyber Crime Security Analytics Suite removes a number of significant visibility gaps for retailers, thereby enabling them to detect and respond sooner to advanced threats."

Reagan says the new round of financing signals confidence that demand and market share for its security intelligence solutions will continue to grow amidst an increasingly sophisticated cyber threat environment. The proceeds will be used to accelerate investment in product development, sales and marketing and customer service.

"LogRhythm is thriving in the security intelligence market on several fronts and has accelerated growth over the last year," Reagan told iTWire en route to the RSA security conference in Singapore this week.

“Most organisations understand that if they have not already been breached, it is only a matter of time, and they are increasingly recognizing that preventative technologies are not enough to stop sophisticated attacks.

“In light of this new reality, enterprises around the globe are investing to improve their ability to detect and respond quickly to advanced threats and prevent any damage when the inevitable occurs.”

LogRhythm has recently established a direct presence in Australia and appointed Whitegold as its first ‘unified value distributor’. The firm has been positioned as a ‘leader’ in Gartner's SIEM Magic Quadrant report for three years running.

Graeme Philipson (graeme.philipson@itwire.com), Security, Wed, 23 Jul 2014 07:23:56 +1000
RSA Web Threat Detection watches for mobile fraud
http://www.itwire.com/business-it-news/security/64832-rsa-web-threat-detection-watches-for-mobile-fraud

A new version of RSA Web Threat Detection adds mobile application traffic visibility to crime and fraud monitoring.

RSA Web Threat Detection is intended to provide organisations operating externally-facing web sites with a way of detecting criminal and fraudulent activity, including business logic abuse.

It uses big data analytics to monitor millions of web sessions in real time to reveal threats and potential threats.

The latest version provides improved visibility of activities, additional detections, and new mobile traffic monitoring capabilities (almost one-third of fraudulent transactions detected by RSA during the first half of 2014 originated from mobile devices).

Once an attack is identified by one client, similar attacks are automatically detected.

RSA officials said Web Threat Detection "shines a spotlight on the 'needle in the haystack', even if an analyst isn’t sure what 'the needle' looks like." Its analyst summary dashboard helps security analysts determine whether an incident warrants further investigation.

RSA Web Threat Detection can automatically communicate with network devices to block apparently malicious users or IP addresses.

"With the proliferation of threats focused on the web portal and mobile channels, organisations need end-to-end visibility into what is occurring to protect their customers and brand. RSA Web Threat Detection is engineered to provide this visibility by analysing click stream data during web and mobile web sessions, translating it into actionable intelligence to help organisations distinguish between legitimate and disruptive use," said RSA Security Analytics vice president Grant Geyer.

"By providing a complete look into online behaviour before, during and after authentication, organisations can detect anomalies in order to effectively mitigate fraud, business logic abuse and other malicious activity in real-time while also strengthening their overall security operations."

The new version of RSA Web Threat Detection will be released this quarter. Pricing was not announced.

Stephen Withers (swithers@blackandwrite.com.au), Security, Tue, 22 Jul 2014 15:38:50 +1000
Online scammers exploit MH17 grief
http://www.itwire.com/business-it-news/security/64803-online-scammers-exploit-mh17-grief

Online scam artists, purportedly from Australia, are exploiting the goodwill of strangers in the wake of the downing of Malaysia Airlines flight MH17, using stolen credit cards and setting up fake social media profiles.

There were 28 Australians onboard the doomed flight MH17, with the current death tally standing at 298 people.

One such victim was Canberra woman Liliane Derden, who has become the subject of a fake Facebook profile.

"We’re a little bit worried, we don’t know who’s out there doing it and we’d prefer that they know the truth and people aren't giving to charities or whatever the people are proposing to be," Derden's friend Carly Taylor told Fairfax.

Fairfax said scammers were vicious, and would set up replacement sites "faster than they could be taken down".

Links on the pages claim to take readers to further information, but instead bombard users with pop-up ads and "get rich quick schemes."

Some even purport to show footage of the MH17 disaster.

'Video Camera Caught the moment plane MH17 Crash over Ukraine.Watch here the video of Crash,' the link read.

"There's a lot of money in click fraud," said Alastair MacGibbon, who heads University of Canberra's Centre for Internet Safety.

"You're really dealing with a base type of person who uses the name of a person recently deceased in a tragedy to monetise. But that's why they're criminals and we're not."

Three of the fake pages have reportedly been set up in the names of young West Australian children who were killed - Otis, Evie and Mo Maslin.


These scams are sadly nothing new - in the wake of the missing Malaysia Airlines flight MH370 last March SCAMWatch warned Internet users of a malware attack when they click on links to watch videos related to the missing MH370.

Meanwhile, amidst widespread looting of the crash site in Ukraine, victims' credit cards have reportedly been stolen and banks are taking “preventative measures”, according to the Dutch Banking Association.

A statement from the Association said any expenditure will be compensated to next of kin.

David Swan (davidswan@gmail.com), Security, Mon, 21 Jul 2014 13:26:45 +1000
Catch of the Day had chance to disclose breach in 2012, chose not to
http://www.itwire.com/business-it-news/security/64794-catch-of-the-day-had-chance-to-disclose-breach-in-2012-chose-not-to

Evidence exists online that Catch of the Day could have disclosed its May 2011 vulnerability back in February 2012 but chose not to.

Earlier today I wrote about Catch of the Day's startling revelation that it had a security breach in May 2011, but only disclosed this to customers yesterday, Friday 18th July 2014 - over three years later.

During this breach customer data - including names, addresses, email addresses and passwords - and possibly partial credit card information - was stolen. Catch of the Day waited for three years to tell users they should probably change their passwords, not only on Catch of the Day but on other sites where they may use the same credentials.

In that story I posted a link to a forum posting on Apple's web site where one person had their Apple account compromised and noted the only other place they used the same credentials was with Catch of the Day. They viewed it as "unlikely" that was the problem. Not only does it now seem highly likely, the frustrating truth is that if Catch of the Day had told its own customers of this breach much sooner then at least one Apple account most likely would not have been compromised.

Further online investigation reveals another customer who noted unusual activity with an email address they only used with Catch of the Day.

Specifically, on the popular Australian technology forum Whirlpool it appears Catch of the Day promised to look into a reported problem - way back in February 2012.

User nachoman stated on February 24th 2012, "I have started receiving spam from 'mynetsale.com.au' to an email address I've used only with catchoftheday.com.au."

User BlueyT followed with "I'm getting crap from them too."

This discussion occurred in the Whirlpool 'Catch of the Day' forum topic where users specifically discussed Catch of the Day sales items, postage, problems, tips and other matters relating to Catch of the Day. As such user BlueyT was also undoubtedly a Catch of the Day user, similarly experiencing the unsolicited email.

A third user EdgeT chimed in "+1 for me as well. I was wondering where that came from."

Nachoman mused, "I wonder then if COTD gave our details to another party, or if they were hacked? I hope my credit card details are safe."

The very same problem was reported by other Whirlpool forum members named Woodrow, SpeedyPete and RayJ. RayJ similarly noted the email address he was receiving spam on was one he had used exclusively with Catch of the Day.

A Catch of the Day representative named Seamus - with username seamus-catch and listed email address of seamus@catchoftheday.com.au - joined the discussion. He requested "Can you please email me any examples (email address is listed in profile)? Catch takes information security very seriously and will investigate as a matter of priority."

Seamus continued posting on Whirlpool, offering support and advice for customer purchases, but never again responded on the matter of alleged spam from mynetsale.com.au.

Yet, despite Seamus' statement that Catch of the Day takes "information security very seriously" Catch of the Day has made clear it knew in May 2011 of a breach of confidential customer information. This breach was still known by Catch of the Day in February 2012 when the Whirlpool postings occurred. Seamus, and Catch of the Day management, chose not to disclose any advice about the breach, even when its own customers were observing their Catch of the Day-exclusive email addresses were being used by other web sites.

Finally, over three years since the breach and over two years since that Whirlpool discussion, Catch of the Day finally came clean, yesterday 18th July 2014.

An official comment has been requested from Catch of the Day.

David M Williams (david@alivad.com), Security, Sat, 19 Jul 2014 22:26:25 +1000