STE WILLIAMS

37,000 websites selling counterfeit goods taken down in global effort

More than 37,000 websites selling counterfeit goods have been shut down in a coordinated global law-enforcement operation.

Timed to coincide with the Black Friday and Cyber Monday online shopping rush, the operation was led by US Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) unit, which partnered with industry and with law-enforcement agencies from 27 countries, including Europol and Interpol, to take action against the sites.

A total of 37,479 sites were shut down by the HSI-led National Intellectual Property Rights Coordination Center (IPR Center); this marks the sixth year of the international effort.

IPR Center director Bruce Foucart said the effort highlights the global commitment to take aggressive action against online piracy.

Foucart said he believed collaboration between international law enforcement and industry was essential to protect consumers from purchasing counterfeit goods online.

The most popular counterfeit items sold each year include designer headphones, sports clothing, toiletries, shoes, toys, luxury goods, mobile phones and electronics, and they are typically priced lower than the genuine articles.

We spoke about why you shouldn’t buy counterfeit goods in our recent Black Friday article.

Although it’s tempting to believe offers for items priced well below retail, there are a number of reasons for concern: not least the threat of data theft and credit card fraud once you have handed your payment details to a criminal operation, but also the likelihood that you will end up with a poor-quality product.

Counterfeit goods are also illegal, so remember that by buying from a counterfeit website, you are funding criminal activities.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2YzjpudL4G8/

Are you the keymaster? Alternatives in a LogMeIn/LastPass universe

LastPass’s purchase by LogMeIn was not well received by LastPass users. In fact the outrage was sufficient that LastPass quickly shut down comments on its blog. Why the outrage, and who is LogMeIn?

LogMeIn may be best known as the company that shut down its free remote desktop sharing service with a mere week’s warning in early 2014. Even in a web filled with capricious, disappearing services, LogMeIn’s mere week’s notice stands out as almost spiteful. Combine that with LastPass’s history of customer service and it’s not hard to see why users were unhappy about the deal.

For its part, LastPass says its business model is not changing and that the service will remain essentially as-is under its new owners.

Unfortunately for LastPass fans, if you dig around the Internet Archive you can find similar statements from Delicious, Pownce, Bump and countless other small services that were purchased and later abandoned. LastPass may well be different, but since there’s a chance you might only have a week to find something new, now is a good time to start looking for alternatives.

The best alternative to LastPass depends somewhat on how you use LastPass and what, if anything, you’d like to be different.

There are two broad categories of password managers. The cloud-based solutions like LastPass offer automatic syncing between devices, while others like KeePass reside on your local machine and you’re on your own for syncing (which can be done via Dropbox, OwnCloud, SpiderOak, Syncthing or any other you already use). The primary difference between the two approaches comes down to control of your data.

Cloud-based sync services store your data on their servers. The best of these offer what is marketed as zero-knowledge storage, which is to say that your data is encrypted and decrypted only on your devices. That means that these services, the storage system they use behind the scenes and the people working for them have no access to your unencrypted data or your encryption keys. The caveat is that the promise only holds as long as the client software really does the encryption locally and your master password is strong enough to resist offline guessing, because an encrypted vault sitting on someone else’s server is exactly what a patient attacker would want to crack at leisure.

If you’re looking for a drop-in cloud based replacement for LastPass, there are dozens available, but the big standout is Dashlane. It has everything you’re used to with LastPass – browser plugins, autofill, password strength indicator, secure notes – and throws in a few things LastPass doesn’t offer like the ability to share a password and some digital wallet features.

Dashlane offers a free tier if you just want to try it out, but the free version doesn’t sync between devices, so to really replace LastPass you’ll need to sign up for the premium version, which will set you back $40/year. Also note that there’s no Linux client, but there are browser plugins that make it easy enough to use Dashlane on Linux.

Another noteworthy possibility in the cloud-based category is Encryptr. Encryptr is free, open source (based on the Crypton project, itself an outgrowth of SpiderOak), and reasonably cross platform. It’s currently available for Android, Windows, Linux, and Mac OS X. An iOS version is in the works, but not yet available.


The problem with Encryptr is that it currently lacks browser integration, which makes it a considerably less capable LastPass replacement.

Other services worth investigating include the more enterprise-oriented Secret Server and AuthAnvil, as well as ZohoVault (which is offering a year of its business version for free to LastPass users). There’s also the biometric-based Sticky Password.

The problem with replacing LastPass with another, similar cloud-based service is two-fold. First you may well find yourself back here again in a few years when the new service is sold and, second, the only real advantage is the built-in syncing. But chances are you’re already using some kind of sync service – be it SpiderOak, Dropbox, Owncloud, SyncThing, and so on – why not sync your passwords yourself?

If you handle the syncing yourself, all you need to worry about is finding an application that can encrypt and decrypt your data on all your devices. Fortunately there are quite a few apps that can do that, most notably KeePass.

KeePass may be slightly confusing for newcomers since there are two variants, KeePass and KeePassX. There’s not much difference between them, though KeePass seems to have better plugin support if you’d like to add extra features like syncing to Amazon S3, a duplicate checker, or better Ubuntu integration.

KeePass keeps all your passwords in a single encrypted database file – just like the hosted services above – which you secure with a master password, a key file or both. You can then sync that database file using the syncing tool of your choice and access it on any device that has a KeePass client. There are clients available for Linux, Windows and OS X, as well as unofficial clients for Android, iOS, Windows Phone, Blackberry and most web browsers. Bear in mind that whichever sync service carries the file holds a copy of the ciphertext, so the master password (and the key file, if you use one) is all that stands between that copy and your passwords.

Depending on your platform, KeePass may not be quite as simple as LastPass, but it does place everything directly under your control, which means you won’t have to worry about any web service shutting down or company being sold.
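To make the “master password, key file or both” point concrete, here is an added example (not KeePass’s own code, and not from the original article) of how a local vault can fold those secrets into one key and check that key against the file header before decrypting anything. It follows the shape of KeePass’s composite key, where each component is hashed separately and the hashes are concatenated and hashed again, but the key-stretching step is PBKDF2-HMAC-SHA256 from the Python standard library rather than KeePass’s own key transformation, and the seed, header, password, key file and round count are all constructed for the demo, so the result would not open a real .kdbx file:

```python
"""Illustrative composite-key derivation and header check for a local vault.

Added example, not KeePass code. The structure (hash each secret, then hash the
concatenation) mirrors KeePass's composite key; the stretching step and every
constant below are demo assumptions.
"""
import hashlib
import hmac
from typing import Optional

# Assumption: a cost chosen for this demo; a real vault tunes it to its hardware.
KDF_ROUNDS = 100_000


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Fold the unlock secrets into one 32-byte key.

    Each component is hashed on its own, so the key file can be any length and
    the password is never mixed with it directly; the per-component hashes are
    then concatenated and hashed again.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if not parts:
        raise ValueError("a master password, a key file, or both is required")
    return hashlib.sha256(b"".join(parts)).digest()


def database_key(composite: bytes, master_seed: bytes, rounds: int = KDF_ROUNDS) -> bytes:
    """Stretch the composite key with a per-database random seed.

    The seed lives unencrypted in the file header; the rounds make every guess
    at the master password cost something if the synced file is stolen.
    """
    return hashlib.pbkdf2_hmac("sha256", composite, master_seed, rounds, dklen=32)


def header_tag(key: bytes, header: bytes) -> bytes:
    """Authentication tag over the cleartext header, checked before any decryption."""
    return hmac.new(key, header, hashlib.sha256).digest()


def try_unlock(password: Optional[str], key_file: Optional[bytes], master_seed: bytes,
               header: bytes, stored_tag: bytes, rounds: int = KDF_ROUNDS) -> bool:
    """True only if the secrets reproduce the tag stored with the header."""
    key = database_key(composite_key(password, key_file), master_seed, rounds)
    return hmac.compare_digest(header_tag(key, header), stored_tag)


def demo() -> dict:
    """Build a constructed vault header and try to unlock it several ways."""
    master_seed = bytes(range(32))          # constructed; a real file uses os.urandom(32)
    header = b"demo-vault-header:v1"        # constructed stand-in for the cleartext header
    password = "correct horse battery staple"
    key_file = bytes([0xA5] * 64)           # constructed key file contents

    key = database_key(composite_key(password, key_file), master_seed)
    stored_tag = header_tag(key, header)    # what the vault would write next to the header

    return {
        "both": try_unlock(password, key_file, master_seed, header, stored_tag),
        "password_only": try_unlock(password, None, master_seed, header, stored_tag),
        "keyfile_only": try_unlock(None, key_file, master_seed, header, stored_tag),
        "wrong_keyfile": try_unlock(password, bytes(64), master_seed, header, stored_tag),
        "tampered_header": try_unlock(password, key_file, master_seed, header + b"x", stored_tag),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:16s} {'unlocked' if opened else 'refused'}")
```

The header tag is what lets a client refuse a wrong password or a tampered file straight away instead of decrypting garbage. It also shows why a key file earns its keep: it is a second, high-entropy secret that an attacker who has the synced database and guesses the master password still does not have.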

The last possible LastPass replacement that I’ll mention is the password manager I opted for: pass. Pass is primarily a command line tool (there are some GUIs available as well, but all are third-party tools), best thought of as a nice wrapper around GnuPG. Pass stores each site or note as a single file that’s then encrypted and decrypted using a GPG key. One caveat: only the file contents are encrypted, so the file and directory names, which is to say the list of sites you hold accounts with, are visible to anyone who can read the store.


The pass community has created clients for Firefox and Android, which are the other two places I need to access my passwords. It’s not for everyone, but if you’re comfortable with the command line and want to keep things simple, pass fits the bill.

In a perfect world, the LastPass acquisition wouldn’t change anything – the service would just continue as it always has. However, experience shows that it often doesn’t work out that way. If you prefer not to wait around and find out, there are, fortunately, plenty of alternatives.

The good news is that LastPass hasn’t changed anything just yet, so you have time to try out the rest and see which one you prefer. I suggest starting out with KeePass or, if you want to stick with something cloud-based and closer to LastPass itself, Dashlane. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/password_manager_get_out_options/

Into the Breach: Why ‘Self Detection’ Leads To Faster Recovery

When an organization can identify network and system intrusions in their early phases it takes the advantage away from its adversaries. Here’s how.

In an age where information is the ultimate currency, traditional defense-in-depth focused on malware detection, perimeter protection, and patching of known vulnerabilities is largely ineffective — unless organizations focus on strategic and proactive preparedness. But what steps does a company need to take in order to successfully craft a strategic approach to security?

To help answer this question, CrowdStrike Services recently compiled the Cyber Intrusion Services Casebook, which is an analysis of key data from hundreds of incident responses and proactive service investigations. The Casebook provides evidence of emerging trends observed in attack behavior, as well as a number of actionable takeaways so organizations can utilize lessons learned and best practices to improve their own defenses.

One particularly interesting finding was the marked increase in the number of organizations ‘self-detecting’ breaches — far above what had been previously reported. All too often a company learns that it has been compromised from a third party. With self-detection, an organization is far more likely to identify breaches in their early phases, which typically leads to faster recovery and far less data loss.

Our research showed that organizations that invest heavily in improving processes, educate their workforce, and acquire the latest technology to combat advanced threats, were more likely to self-detect breaches. This is mainly due to two factors:

Organizational maturity
According to the Project Management Institute, a high level of maturity is achieved when processes are optimized and projects are directly tied to pre-determined business strategies and needs. By having a clear picture about an organization and its goals, security teams can be integrated into every aspect of the business and make better decisions about cyber defense strategies. Mature security programs don’t utilize a generic plan, but consider the unique aspects of their specific threat landscape and adapt accordingly.

Improved endpoint and network detection capability
Comprehensive, next-generation endpoint detection, prevention, and response tools provide maximum visibility into intrusion attempts. With a higher level of visibility, incidents can be contained quickly, and attackers thwarted before significant losses occur. Enterprises can invert the traditional reactive security model by actively hunting for indicators of attack within their environment.

To illustrate this trend, let’s take a look at a real-world example:

The organization, a leader within its industry, had become increasingly concerned about nation-state adversaries interested in stealing its intellectual property for industrial espionage. In the aftermath of a data breach at another organization, it engaged proactive assessment services to confirm that its own systems and networks were not already compromised.

A compromise assessment by CrowdStrike Services of the organization’s network showed evidence of past compromise, and endpoint monitoring sensors reported alerts indicating preliminary attacker activity. In response, we worked with the organization to design and implement a detailed remediation plan, which included updates to the network architecture. Near real-time visibility via host and network sensors enabled rapid identification of where and how attackers were accessing the enterprise environment. For example, we identified multiple attempts to install back doors on employee laptops, which the security team could immediately block without losing track of additional and subsequent attacker activity.

The big payoff
Months later, the attackers attempted to return, exploiting a similar vector (a different web application) to access an Internet-facing system that was not protected by an endpoint sensor. The attacker then used credentials obtained from that system to attempt to move laterally and dump credentials on another system, a pattern we see across almost all of our cases. But because the client now had experience detecting and responding to attacks following its assessment, and had developed a stronger response playbook that made detection and response part of its daily procedures, the entire team moved with much greater agility to respond to the new intrusion.

The incident was quickly analyzed and mitigation actions taken to prevent the new tactics, techniques and procedures (TTPs) from being successful. As a result, the compromise was fully mitigated in less than one hour.

As the example shows, when it comes to security, preparation is key. By achieving a state of awareness through security assessments, organizational maturity and having the right technology in place, organizations can take the advantage away from the adversaries. With this groundwork in place, IT teams can self-detect system and network intrusions, evaluate weak points and implement tools to defend against emerging and enduring adversaries. As is the case in most competitive situations, battles can then be won and lost before adversaries make contact. 

Wendi Whitmore has over 10 years of experience in the computer security industry, including a career with the US military. As the vice president of services for CrowdStrike, Wendi is responsible for all professional services offered by the company. Along with her team, Wendi …

Article source: http://www.darkreading.com/attacks-breaches/into-the-breach-why-self-detection-leads-to-faster-recovery-/a/d-id/1323378?_mc=RSS_DR_EDT

Startup Offers Free Cyberattack Simulation Service

Attack simulation emerging as a way to test network security on demand and without exploits.

First came penetration testing, then the tabletop exercise, and now attack simulation — the relatively nascent practice of war-gaming attacks on your network to gauge how prepared (or not) you are, and where your weaknesses reside.

Unlike pen-testing, attack simulation doesn’t run exploit code. It’s more about simulating the way attackers do their dirty work, from composing a phishing email and infecting a machine to the path they take to reach and then pilfer credit-card data out of the company. Attack simulation startup vThreat today announced free access to its software-as-a-service based applications.

The concept of simulating and providing a detailed postmortem of how an attacker could hack you is capturing some venture capital interest:  Israel-based startup SafeBreach, which provides attack simulation via a platform model, recently raised some $4 million via Sequoia Capital and serial entrepreneur and angel investor Shlomo Kramer.

vThreat was founded by Marcus Carey, a former security researcher with Rapid7 and one of the architects of the US Department of Defense Cyber Crime Center’s live network investigations course. Carey says vThreat simulates what an attacker could actually do to an organization’s infrastructure, and shows the attack sequence through the hacker’s eyes.

It’s not a replacement for penetration testing. “We don’t replace pen testing, but we do augment it and give blue teamers an opportunity to simulate adversaries, between penetration tests,” Carey says.

“We do 80 percent of what a pen tester does, without exploitation,” he says. The goal is to keep on top of your security posture between pen tests and attacks or attack attempts.

Carey says vThreat uses a JavaScript agent in its tools. The various attack apps can imitate the techniques and movements of an attacker, including the scanning of local systems and the theft of information. “We concentrate on the movements an attacker makes on the network,” he says.

The new free vThreat Apps SaaS doesn’t provide all of the detailed reporting and analytics and exclusive apps that the paid subscription offers, but it does include a full enterprise-wide breach option, with limited reporting, Carey says. A vThreat Pro annual subscription costs $4,995, and vThreat Enterprise is priced based on the size of an organization, he says.

Aside from a full enterprise-wide attack, the apps include specific attack scenarios such as SSN exfiltration, executable download, DNS tunneling, egress scanning, and a tool for testing the organization’s incident response.

Andrew Hay, director of research, OpenDNS, says attack simulation lets companies more regularly  probe at the security of their network, especially as changes are made to the infrastructure. “If you add a new network security device, does it actually make a difference to your overall attackable surface area? Does one product work better than another for detecting or blocking specific threats?” he says. “[It] also provides a way to test the efficacy of your security program and that of your organization’s ability to respond to incidents,” he notes.

Services like vThreat’s are more affordable for midsized companies that can’t afford to hire full-time security testing talent, he says.

Guy Bejerano, CEO and co-founder of SafeBreach, describes his firm’s attack simulation platform as a way for companies to deploy offensive security in order to root out their vulnerabilities to attack. In a recent blog post, he called it a “‘red team’ on a platform.”

Here Are Your Security Holes. Now What?

The simulation service has a botnet that vThreat controls, according to Carey, for a realistic attack scenario. “We’re not dropping any code or backdoors,” he says, but the tests produce RAR files with sample credit-card files if the attack was able to find “blind spots” in the network.

The catch with these attack simulations is the response side of the equation, however. OpenDNS’s Hay says what you do with the information and problems these tests expose is the big challenge for companies. “If you see that DNS tunneling can be used to exfiltrate data from your network, how do you stop it? What’s the best course of action?” he says.

Carey says companies in the financial services, energy, healthcare, and software startup sectors are currently using its SaaS.

“The primary benefit I see is that these types of simulations allow for ongoing and scheduled testing of deployed technical controls” such as firewalls, IPS, proxies, and other systems, OpenDNS’s Hay says. It also provides a way to measure whether adding a new security tool actually makes a difference, or which ones work better than others, he says.

“It’s a fantastic ‘product bake-off simulator,'” Hay says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/attacks-breaches/startup-offers-free-cyberattack-simulation-service/d/d-id/1323382?_mc=RSS_DR_EDT

CryptoWall 4.0 Spreading Via Angler Drive-By Download Campaign

Sweet-talking ransomware making rounds in attacks originating from Ukraine-based hosts.

CryptoWall 4.0, the newest version of the CryptoWall ransomware, is being packed into the Angler exploit kit and spreading through a new drive-by download campaign, according to researchers at Heimdal Security.

Heimdal first discovered CryptoWall 4.0 in the wild just one month ago. It’s stealthier than earlier versions of the ransomware — it encrypts not just files, but filenames too.

It also uses a strikingly different ransom message. Instead of demanding payment and trying to frighten the user, the new variant tries to convince a user to buy a $700 “software package” and delivers veiled threats within a message that begins “Congratulations! You have become a part of large community CryptoWall!” 

The new attack campaign uses what Heimdal calls a “stack of drive-by campaigns,” that hit the victim with multiple payloads, including the Pony information stealer, the Angler exploit kit, and ultimately, CryptoWall. 

The victim is first hit by the Pony information stealer, which scrapes all the usernames and passwords it can find off the victim’s system and sends them back to the attackers’ command-and-control server. Heimdal researchers state that the purpose is to find credentials for Web servers or content management systems and use them to inject malicious scripts into new sites, thus further broadening the attack campaign.

The victim is then redirected to another site that drops Angler, which scans the system for vulnerabilities and feeds it CryptoWall 4.0.

Heimdal has found over 200 new domains being used by attackers in the past 24 hours alone. The campaign originates from a hosting environment in Ukraine, and has thus far hit websites in Denmark particularly hard — over 100 sites there have been injected with malware.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/attacks-breaches/cryptowall-40-spreading-via-angler-drive-by-download-campaign/d/d-id/1323380?_mc=RSS_DR_EDT

The next version of the web has a message for the NSA

The language of the web is the Hypertext Transfer Protocol (HTTP) and like a lot of really important technology it’s actually more than a little, um, unexciting.

HTTP is maintained by the IETF (The Internet Engineering Task Force) and it’s so sensible and unexciting that it’s remained almost unchanged for about 25 years. In technology terms it’s a time capsule from the same era as Windows 3.1 (ask your Dad.)

Now, after a quarter of a century, it is finally going through its first significant upgrade, as 1997’s minor update (version 1.1) gives way to 2015’s twenty first century revamp – version 2.

Version 2 is faster, sexier, more efficient and, like many young things, mildly rebellious.

HTTP/2’s youthful exuberance was spotted by programmer John Graham-Cumming, who noticed that when the protocol introduces itself during a phase called the connection preface, it does so with the name of the NSA’s internet-gobbling surveillance programme: PRISM.

Thanks to some line breaks the message is broken in two, making it more snarky back chat than full-throated yawp (the full 24-byte preface is the line PRI * HTTP/2.0 followed by a blank line, then SM followed by another blank line, each line break being CRLF):

PRI * HTTP/2.0

SM

The IETF’s HTTP working group Chair Mark Nottingham took to the comments on Graham-Cumming’s blog to confirm that yes, the choice dates from 2013 and was made shortly after Snowden told the world about PRISM.

We needed two pseudo-HTTP requests for the “magic” to assure it wasn’t being interpreted as HTTP/1 … we were looking at “STA” and “RT”.

However, PRISM had just broken, and it was all that was being discussed in the hallway. People were pissed. It didn’t get into the minutes, but it came up as an idea to replace START since it had five letters, and people were unlikely to ever want a “PRI” or “SM” method.

Take that NSA.
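As an added example (not from the original article or from any HTTP implementation), here is the preface as a server accepting both protocols on one port would handle it. The 24-byte preface is the one in RFC 7540 section 3.5; the sample byte strings are constructed. The second function shows what an HTTP/1.x parser would make of the same bytes: a method “PRI” and a version “HTTP/2.0” that no HTTP/1 server implements, which is exactly the property Nottingham describes:

```python
"""Telling HTTP/2 from HTTP/1.x by the connection preface.

Added example, not code from the original article or from any HTTP library.
The preface bytes come from RFC 7540 section 3.5; sample inputs are constructed.
"""

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # 24 bytes, sent first by every h2 client
HTTP1_VERSIONS = (b"HTTP/1.0", b"HTTP/1.1")
MAX_REQUEST_LINE = 8192   # assumption: demo limit on how long we wait for a CRLF


def parse_request_line(data: bytes):
    """Read the first line the way an HTTP/1.x parser would: METHOD SP target SP version CRLF.

    Returns (method, target, version) or None if no well-formed line is there yet.
    Fed the h2 preface, this yields (b"PRI", b"*", b"HTTP/2.0"): an unknown method
    and a version an HTTP/1 server does not speak, so it cannot be mistaken for a
    real HTTP/1 request, which is the reason the preface is shaped like this.
    """
    end = data.find(b"\r\n")
    if end == -1:
        return None
    parts = data[:end].split(b" ")
    if len(parts) != 3:
        return None
    return tuple(parts)


def classify_first_bytes(data: bytes) -> str:
    """Decide what protocol is starting on a freshly accepted connection.

    Returns "h2" when the full preface is present, "http/1" for a recognisable
    HTTP/1.x request line, "need-more" when the bytes so far are consistent
    with either but not yet decisive, and "unknown" otherwise.
    """
    if data.startswith(H2_PREFACE):
        return "h2"
    if H2_PREFACE.startswith(data):
        return "need-more"          # still a prefix of the preface; keep reading
    line = parse_request_line(data)
    if line is None:
        if b"\r\n" not in data and len(data) < MAX_REQUEST_LINE:
            return "need-more"      # request line not complete yet
        return "unknown"            # a complete line that is not a request line
    method, target, version = line
    if version in HTTP1_VERSIONS and method.isalpha() and target:
        return "http/1"
    return "unknown"


if __name__ == "__main__":
    samples = {
        "h2 client": H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00",  # preface + empty SETTINGS
        "h1 client": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "partial preface": b"PRI * HTTP/2.0\r\n\r\n",
        "tls hello": b"\x16\x03\x01\x00\xa5\r\n",
    }
    for name, data in samples.items():
        print(f"{name:16s} -> {classify_first_bytes(data)}")
    print("HTTP/1 parser sees the preface as:", parse_request_line(H2_PREFACE))
```

Note that "PRI * HTTP2.0" without the slash, as the text is sometimes reproduced, is not the preface at all: the classifier above treats it as an unknown protocol, because the bytes on the wire are exactly the 24 in H2_PREFACE.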

Personally I’m not much of a fan of these digital micro-protests. This is just a geek version of changing your Twitter avatar and, while I suppose it does no harm, I’d hate to think that anyone laboured under the illusion that this was doing something either.

A far more meaningful protest would have been to enshrine a dependency on TLS in the HTTP/2 specification so that anything sent using the new protocol would be encrypted.

The NSA and its ilk couldn’t care less about snarky easter eggs but they’d surely notice if absolutely everything was under lock and key instead of out in the open.

Indeed, in the heady days after Snowden revealed the existence of PRISM, that was actually the plan. As IETF member Mike Belshe put it when talking to the FT:

There has been a complete change in how people perceive the world … not having encryption on the web today is a matter of life and death

The sentiment didn’t last though. Unable to agree among themselves, the IETF’s HTTP working group climbed down from the barricades and left a note in the FAQ:

After extensive discussion, the Working Group did not have consensus to require the use of encryption (e.g., TLS) for the new protocol.

The idea of a web that is encrypted by default didn’t die though.

For good or ill the web’s quarter century of progress has not been driven by standards but by the dominant browser vendors’ selective interpretation of them. The situation on the ground is described by Nottingham in his own blog:

Apple is joining Firefox and Chrome in requiring HTTP/2 to be used over an encrypted connection … Microsoft’s HTTP/2 implementation will also only support encrypted HTTP/2, and Blink-based browsers (such as Yandex and Opera) are also supporting HTTP/2 over TLS.

…the upshot is that HTTP/2 is (or will be soon) supported by all of the “major” browsers, and if you want them to use it with your web site, you’ll need to have HTTPS URLs. If that’s too difficult for you, you can use Opportunistic Security, but know that it’ll probably only work with Firefox for the foreseeable future.

In other words, HTTP/2 works without encryption in theory but you’ll have to hunt high and low to find a web browser that doesn’t encrypt it in practice.

Now that’s what I call sending a message about surveillance.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o9dv0F0lK18/

Hong Kong hacks hacked in democracy protest yap flap

Chinese hackers who previously popped Western financial firms are now using Dropbox to target Hong Kong-based journalists, FireEye says.

The group, suspected to be an outfit known as “admin@338”, is using the cloud service to host command and control for its infection operations.

Its attacks drop a backdoor payload dubbed Lowball, delivered through an old and since-patched Microsoft Office vulnerability (CVE-2012-0158); the backdoor then talks to its Dropbox-hosted command-and-control over SSL/TLS, so on the wire the traffic looks like ordinary cloud-storage use rather than an obvious malware beacon.

FireEye researchers say the targeting of Hong Kong scribes is not out of character for the group or hackers based in China.

“The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China,” the researchers say.

“The threat group’s latest activity coincided with the announcement of criminal charges against democracy activists.”

“The media organisations targeted with the threat group’s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor.”

Some 50 individuals have been targeted. The company tells El Reg the phishing emails went straight to editorial departments.

They say the attacks, if perpetrated by state-sponsored attackers, could provide Beijing with “advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the internet”.

Phishing emails were sent to newspapers, radio, and television stations, that sported references to the anniversary of the 2014 Umbrella Movement protests in Hong Kong and alleged fears by a Hong Kong University alumni organisation that a Vice-Chancellor appointment may be hijacked by pro-Beijing interests.

The group has previously attacked financial services firms in Western countries. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/hong_kong_hacks_hacked_in_democracy_protest_yap_flap/

50c buys you someone else’s password for Netflix, Spotify or …

Criminals are selling ‘lifetime’ Netflix, HBO, and cable sports streaming accounts for less than US$10 on sites hidden within Tor.

Premium sports accounts sell for about $10 while streaming TV can be bought for as low as 50 cents, far less than the $10 monthly subscription.

Comic fans can buy a stolen Marvel Unlimited lifetime account – meaning the victim is unlikely to shutter it – for 50 cents compared to the $10 monthly fee.

El Reg found the stolen accounts on the AlphaBay Marketplace, accessible via the Tor network, on the back of the Intel report The Hidden Data Economy [pdf], which listed a few similar but more pricey offerings on another unnamed site.

Sellers are also flogging Premium Spotify, ComCast Xfinity, Uber, Apple, and Lynda training video accounts.

Some are offering Christmas specials including ‘buy one get one free’ stolen credit card deals.

Prolific vendor SkypeMan has sold more than 5300 Spotify accounts since September for less than $2 each, and 517 Xfinity accounts for $4 over the same time.

The seller has flogged more than 24,000 accounts since March.

Plenty of paid pornography accounts are also on sale in the very grey markets.


Buyers are advised to not change passwords on stolen accounts as this will alert and lock out the legitimate owner.

Drugs, weapons, malware, and credit cards are also available. Australian credit cards replete with personal information including security question data, home addresses and complete card data, dubbed “fullz” in fraud circles, are being sold for $15.

Those cards appear to be stolen from compromised computers as IP address and browser information is also included.

Other odds and ends include an email bomb service that promises to “f**k any email account instantly” by signing up the victim to more than 1500 newsletters, and counterfeit cash, passport, and driver’s licences. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/carder_xmas_gifts_hacked_netflix_spotify_sports_accounts_for_50c/

Google to end updates, security bug fixes for Chrome on 32-bit Linux

Google has quietly announced it will end support for its Chrome browser on 32-bit Linux. This doesn’t affect the 64-bit build.

“To provide the best experience for the most-used Linux versions, we will end support for Google Chrome on 32-bit Linux, Ubuntu Precise (12.04), and Debian 7 (wheezy) in early March, 2016,” writes Googler Dirk Pranke on the Chromium developers list.

“Chrome will continue to function on these platforms but will no longer receive updates and security fixes,” he writes, adding: “We intend to continue supporting the 32-bit build configurations on Linux to support building Chromium. If you are using Precise, we’d recommend that you to upgrade to Trusty.”

Thus, the open-source version of Chromium isn’t impacted by this decision, so those who really want to keep using a Chrome-family browser on 32-bit Linux can continue to do so.

Those who want to kick up a fuss about this decision are also, of course, free to do so. But with Linux owning a tiny desktop market share, it’s not hard to see why Google would focus its energies elsewhere when considering the packaged version of Chrome. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/googles_chrome_32bit_linux/

Correction: 220,000 kids weren’t exposed in VTech mega hack – it’s actually 6.4 million

Toymaker VTech has admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.

That admission comes four days after it emerged that a hacker had raided the entertainment company’s customer database.

After families buy VTech’s computer-like toys, which are aimed at preschool tykes, they are encouraged to sign up for online accounts to download apps, music, books and more to the gizmos.

That requires handing over sensitive information, such as parents’ names, email addresses and home addresses, and the birthdays, names, and genders of youngsters. All this data – plus MD5-hashed passwords, secret answers to personal questions for password resets, IP addresses, and download histories – was snatched by an intruder who bypassed VTech’s poor online security.
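The MD5-hashed passwords deserve a closer look. As an added example (not VTech’s code, and assuming nothing about VTech’s scheme beyond the article’s statement that the hashes were MD5), here is why an unsalted, unstretched hash is barely better than cleartext once the database has been stolen, next to the salted, iterated form a site should use instead. The “leaked” rows, the wordlist and the round count are all constructed for the demo:

```python
"""Unsalted MD5 password storage versus a salted, iterated hash.

Added example, not VTech's code. The leaked rows and the wordlist are
constructed; the round count is a demo assumption.
"""
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """The weak form: one deterministic hash per password, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed "leaked" rows: username -> unsalted MD5 of the password.
LEAKED_ROWS = {
    "parent01": md5_hex("password1"),
    "parent02": md5_hex("Summer2015"),
    "parent03": md5_hex("correct horse battery staple"),
    "parent04": md5_hex("password1"),   # same password as parent01
}

# Constructed wordlist; a real one runs to hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "Summer2015", "letmein", "vtech"]


def crack_unsalted(rows: dict, wordlist) -> dict:
    """Recover every account whose password is in the wordlist.

    With no salt, each candidate is hashed once and the table is reused against
    every row, so the cost is per word, not per word per user.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in rows.items() if h in table}


def duplicate_hashes(rows: dict) -> dict:
    """Accounts that share a hash share a password; salting would hide this."""
    by_hash = {}
    for user, h in rows.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


PBKDF2_ROUNDS = 310_000   # assumption: a demo cost; tune to your own hardware
SALT_LEN = 16


def store_password(password: str, salt: bytes = None) -> bytes:
    """The strong form: per-user random salt plus an iterated hash.

    Returns salt || digest so each record verifies on its own. Two users with
    the same password get different records, and every guess costs the
    attacker PBKDF2_ROUNDS hash operations per user.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Constant-time comparison of a fresh derivation against the stored digest."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    print("shared passwords:", duplicate_hashes(LEAKED_ROWS))
    rec_a, rec_b = store_password("password1"), store_password("password1")
    print("salted records differ for the same password:", rec_a != rec_b)
    print("verify correct:", verify_password("password1", rec_a))
    print("verify wrong:", verify_password("password2", rec_a))
```

Three of the four constructed accounts fall to a six-word list, and two of them are visibly the same password before a single hash is computed. The salted form removes both shortcuts: the attacker has to run the full derivation separately for every user, and equal passwords no longer produce equal records.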

“Regretfully our database was not as secure as it should have been,” VTech’s FAQ admitted.

“Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks.”

Here’s how many accounts were pwned in each nation affected:

The data was swiped from VTech’s online store called the Learning Lodge and the KidConnect system that lets children chat to their parents electronically; the toymaker has killed both of those, and a number of other services, while it cleans up the mess.

After the weekend, it further emerged that the hacker was able to grab a year’s worth of unencrypted chat logs from KidConnect, files of audio recorded from VTech gadgets, and pictures sent via the messaging system.

The toymaker said it encrypted copies of the sound files and photos. However, infosec bods analyzing VTech’s apps found the encryption can be easily broken due to poor programming and weak keys.

“As the investigation is ongoing, we cannot confirm at this stage [that the hacker has taken photos and chats of children and their parents]. However, we can confirm these images are encrypted by AES128,” the FAQ states.

“Audio files are encrypted by AES128, whereas chat logs are not encrypted. Kid Connect is similar to a WhatsApp service. Our security protocols require that only undelivered messages are stored temporarily in our server. These messages are set to expire in 30 days.”

No credit card information or state ID numbers (such as driver’s license or social security numbers) were accessed, though, we’re told. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/vtech_breach_breakdown/