Security Central: FriendFinder Networks Gets Breached, Google Cracks Down on Malicious Sites
In the world of hackers these days, it seems to be all about making private - sometimes super private - information public. Remember the Ashley Madison breach that occurred last year? For this week’s first story, think a bit bigger.
November 17, 2016
In the world of hackers these days, it seems to be all about making private – sometimes super-private – information public. Remember the Ashley Madison breach that occurred last year? For this week’s first story, think a bit bigger. It came to light on Monday that FriendFinder Networks, the parent company of AdultFriendFinder, Cams, Penthouse, iCams.com and Stripshow, had been breached. As a result, according to breach notification website Leaked Source, over 412 million accounts were leaked. For context and comparison, the Ashley Madison breach affected 32 million users. It even tops the MySpace breach of 2013, which affected 360 million accounts.
According to Leaked Source, the hack actually occurred back in October, and the accounts that were hacked represent 20 years of customer’s data. Not a great time to belong to a site or network that bills itself as the “World’s largest sex & swinger community.” According to TechCrunch, FriendFinder’s network was apparently hacked through a local file inclusion exploit, which allowed the hackers to break in and gain access all of the network’s sites.
Related:
Security Central: China Tightens Its Digital Grip, SOMEONE is Taking Down the Internet
Security Central: Webcams Recalled in Cyber-attack Aftermath, NIST Announces CyberSeek Tool
It’s worth noting that this is not the first time that FriendFinder Networks has been breached. It also happened in May of 2015 when 3.5 million accounts were hacked. Let’s do the math on that one – that’s two times in two years. Ouch. Clearly, some rather important t’s and i’s have been left un-crossed and un-dotted, so let’s take a look at what FriendFinder has been doing wrong here. It all essentially comes down to very poor security practices. The first example of such oversights has to do with passwords. The company stored user passwords either in plain visible format, without any protection, or using the notoriously weak SHA1 algorithm. According to Leaked Source, “neither method is considered secure by any stretch of the imagination.” FriendFinder also retained email and passwords for over 15 million people who had deleted their accounts.
Stu Sjouwerman, CEO of KnowBe4, a integrated security awareness training and simulated phishing platform, has voiced some concerns regarding the partner/business side of things. Specifically, he is worried that phishing attacks and bogus websites threatening to expose Adult Friend Finder clients are going to pop up and that clients will panic and click on the links to avoid being caught. He recommends partners and business leaders communicate the threat to their customers (and employees) and consider employee awareness training to prevent exposing their networks.
“AdultFriendFinder has failed to learn from their mistakes and now 412 million people are high-value targets for blackmail, phishing attacks and other cybercrime,” says Sjouwerman. “This is a wakeup call for vendors to ensure their customers and users are protected. Any MSP or service provider should consider this a threat due to multiple-use passwords by their customer’s users and possible exploits that we predict will happen. Allowing for new-school security awareness training is an absolute must these days.”
Leaked Source says it will not make the data set searchable by the general public. For now. In the meantime, FriendFinder appears to be trying to get to the bottom of things and take the necessary steps to become secure. “We are aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data,” said Kelly Holland, the site’s chief executive, in an email on Saturday.
In other news, Google is reportedly cracking down on sites that repeatedly violate their safe browsing policies. According to TechNewsWorld, the company stated last week that offending sites will be classified as repeat offenders from here on out. What typically happens is that websites will take corrective actions after Google displays alerts on their landing pages warning visitors that they’re harmful. However, they “typically revert to violating the policies after Google goes through the process of verifying that they’re safe and removes the warnings.” Well, no more.
According to TechNewsWorld, about 1 billion people use Google Safe Browsing and millions of people are protected by warnings on malicious websites, according to Google’s transparency report. While the intentions there are good and it does work for some, it’s still not enough. Malicious spam has skyrocketed. To give you an idea, 61 percent of email Web traffic in September contained spam, the majority of which contained ransomware, malware or links to malicious sites, according to Kaspersky Lab.
“While 30 days may not be strict enough, the behavior [Google is] trying to prevent is malicious intent within the site,” Thomas Pore, director of IT and services at Plixer International, told TechNewsWorld. Google’s strategy “may cause the malicious actor to move on, but the drawback here is that the [actor] may move on and set up another domain, and there will be new victims.”
Adam Meyer, chief security strategist at SurfWatch Labs, stressed that it’s important to remember that cybercrime is a business, and “the more costly we make [it] for the criminal, the better off we will be.” Google’s new internet hall monitors will no doubt have a positive impact and may do a lot of much-needed site housecleaning. However, it is being met with some skepticism among experts. The crackdown “should help shut down sites that are harmful, but it may make people feel safer than they actually are, and it looks like it’s more focused on good PR for Google,” said Rob Enderle, principal analyst at the Enderle Group.
If you’re a partner serving as your customers’ outsourced IT department, take note. With Google’s new procedures, verification procedures may launch automatically, or webmasters can request verification through Google’s Search Console. Webmasters of sites that have been flagged as “repeat offenders” will have to wait for 30 days before being able to request additional reviews through the Search Console under the new rules, which went into effect last week. Web administrators “will need to be more vigilant on correcting vulnerabilities on their websites, and stop sweeping issues under the carpet,” stressed Adam Meyer.
To wrap up the week, a few tidbits on automated and centralized systems. Issues with these systems have peppered tech news off and on over the years, but have increased recently as they becoming more and more prevalent. These types of systems have brought about greater efficiency for businesses over the years. More and more of the tools and devices organizations use on a daily basis are now connected to the internet, allowing business practices to be streamlined and simplified. However, as more devices become part of the Internet of Things (IoT), they make an organization more susceptible to a major hack or cyber-attack – sometimes costing thousands of dollars.
“It’s true that automation has brought about greater speed, efficiency and lowered the cost of these services, but with these advantages comes greater risk,” says Idan Udi Edry, CEO at Nation-E, a global leader in cyber protection for critical infrastructure and the industrial internet of things (IIoT). “The problem is that when these systems were conceived, cyber-attacks were not as prevalent, so they were not designed with internal security measures. But as we become more and more dependent on these networks to control our critical infrastructure, our vulnerabilities become vividly apparent.”
It’s a scary thought. Indeed, considering the amount of control we give to networks and how much we rely on them, if a cyber-attacker were to successfully hack into a system, they would have complete control and the power to do severe damage. In order to keep the progress we’ve made, yet secure our utilities from cyber-attacks, providers need to get on the comprehensive cybersecurity train.
“Cybersecurity methods must stay ahead of the hackers, and we must constantly evolve our practices and strategies to identify different attack methods before they happen,” says Edry. “Having a safe and secure network for our critical infrastructure is paramount to our success as a society.”
About the Author
You May Also Like