STE WILLIAMS

Copyright Directive legislation voted down by European Parliament

Our sympathies to Paul McCartney, Annie Lennox, Placido Domingo and David Guetta, as well as to newspapers and other outlets whose music and content are sucked from them for nary a dime in recompense by internet giants including Google and Facebook.

For better (and there’s a lot of that) and worse (sorry, again, content creators), the European Parliament on Thursday voted down proposed legislation known as the Copyright Directive.

The EU’s rejection of the controversial legislation – the vote was 318 against 278 with 31 abstaining – isn’t the end of the fight. It now goes back to the drawing board before it faces a second vote in September.

The purpose of the legislation is to drag copyright law into the digital age and ensure that content creators get paid for their work, be it newspaper copy, music or other copyrighted content.

The Copyright Directive encompassed two highly controversial articles: the first was Article 11, intended to protect newspapers and the like from having their material used without payment. Opponents dubbed it the Link Tax, given that it would have given media giants the power to charge licensing fees for posting links such as this one.

According to an opposing group, Save the Link, Article 11 would have required websites to install bots to monitor posts for copyrighted content and to censor posts to filter it out. That would have had a major impact on the quotidian work of scores of internet content producers, including journalists looking up and citing sources and professional reviewers discussing the latest film, the group says.

The second controversial piece of the Copyright Directive was Article 13, also known as the Censorship Machine.

Article 13 will throw a monkey wrench into the internet, according to the people who actually created the internet. They sent a letter against the legislation to the president of the European Parliament last month.

The signatories included a who’s who of internet somebodies: the inventor of the World Wide Web, Tim Berners-Lee; Wikipedia co-founder Jimmy Wales; and internet pioneer Vint Cerf. Together with a slew of other experts, they warned that Article 13 “takes an unprecedented step towards the transformation of the internet, from an open platform for sharing and innovation, into a tool for the automated surveillance and control of its users.”

Checking every piece of content uploaded would be impossible for humans, critics said. Rather, it would require automated copyright systems, the astronomical cost of which might not make Google blink but would cripple small or medium-sized online businesses. According to the BBC, the one YouTube uses costs $60m (£53m).

And this is how it could transform your normal day on the web, they say:

Even if all social media platforms were to spring for the automated systems that would create that type of internet dystopia, such systems are known for having high error rates. As of January, one musician who created a 10-hour white noise video had been hit with five copyright claims coming from YouTube’s automated Content ID system.

So too was a YouTube user who captured birdsong in the background of one of his videos.

Critics of Article 13 also dubbed it a war on memes, given that automated copyright systems can’t tell when copyrighted content is legally used, such as in parody.

While the Copyright Directive’s champions have lost the battle, the war isn’t over. Alyn Smith MEP, SNP member of the European Parliament for Scotland:

The rejection, for now, of the mandate means the Parliament has another few months to get it right. I look forward to supporting colleagues in that and will continue to be active in efforts to strike a balance that works for everyone.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qAiyhE6KlHQ/

What sensitive data is lurking on your old SD card?

SD cards – those tiny devices that go into your camera or tablet – may be small, but they can hold a lot of revealing information. Because they are often used for storing photos, that information can be highly visual. A research team from the University of Hertfordshire just bought 100 second-hand SD cards and found two thirds of them carrying incriminating files.

The team, commissioned by consumer device advisory site Comparitech, found that 65% of the SD cards still had sensitive files ranging from pornography and intimate personal photos through to passport pictures.

SD cards use a different technology to hard drives, but they have some commonalities. One of these is that deleting a file or even using the standard quick format option in your operating system doesn’t really erase the data. It only marks the file as deleted in the drive’s index, which tells the operating system that the space occupied by that file is now available. The file’s data is still there, and curious users – or organizations wanting to prove a point – can recover it with freely-available forensics tools.

The researchers’ report on the project explains that the cards came from various sources including second hand shops, auctions, and eBay. Researchers typically bought the cards one at a time, and then used a free data forensics tool called FTK Imager to create a bit-for-bit copy of each card. This enabled them to work from a copy without disturbing the original. Then, they used WinHex and OSForensics to work out what data was in the imaged disk.

Four of the drives couldn’t be read at all, four of them had no data present, 25 had been properly wiped with a data erasing tool, and 29 had been improperly formatted, leaving the data easily recoverable. On two of the disks, files had only been deleted (again, leaving the files exposed). Alarmingly, 36 of the drives’ former owners had taken no steps to remove their data. This enabled the researchers to recover data from 65% of the cards.

What was on the cards?

The most common content (around 37%) was photographic, followed by multimedia. ‘Sexualised content’ came third, accounting for just over 5%. Business documentation and CVs came last.

One card contained a large collection of photos, some of them intimate, from a female student at a UK university. A photograph of her passport was on the same card. On others, the researchers found photographs of a woman together with her email address and phone number, and the names and phone numbers of friends. On yet another were personal details including vehicle registration numbers, credit card PIN numbers, home addresses and phone numbers from another UK university student, the report said.

Why are people leaving sensitive information on SD cards for others to find? Alarmingly, some of them seem to think that it isn’t their job to remove it, the report suggested:

While the sellers had, in some cases, claimed prior to sale that the media had been formatted or wiped, in other cases they had included a disclaimer saying that there may be data present and that the buyer should remove it.

These cards come from smart phones and tablets, but also from satnav systems, drones, and dash cams. The researchers warned of growing attack footprints as the number of devices containing these cards grows.

For example satellite navigation systems (SatNav) data can be used to determine the home location of the user, and also the routes that they regularly use and locations that they have identified as being of interest, which may include their place of work and the homes of family and friends.

Securing your SD cards

So, how can you avoid becoming report-fodder and erase the data from the SD cards in your own systems securely? While the UK’s National Cyber Security Centre has some good tips for wiping other electronic media, when it comes to cheap, removable flash media of this kind it essentially tells you not to bother.

These are generally inexpensive and can be destroyed locally using an affordable office shredder or disintegrator designed to produce particles no greater than 6 mm. As with SSD, it is almost impossible to remove every bit of user data from these devices, so thorough destruction must take place at end-of-life to avoid residual data from posing a risk to your business.

That’s all well and good, but some people may want to make a little money back on their cards by selling them, especially as the capacity and cost increases. The most popular card size in the Comparitech/University of Hertfordshire study was just 2GB in size, but there were some 128GB monsters in there. There are even 400GB SD cards now available, which will cost you £200 or more out of the box. That’s a lot of money to run through the shredder.

Luckily, there are other options. Comparitech suggests a full format, which writes zero values to the entire drive as opposed to a quick format, which just marks the entire drive as available. However, it warns that some forensics tools may be able to detect data even after writing those zero-values.
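The point made above (and in the explanation of why a delete or quick format only touches the filesystem index) is easy to see on a toy model. The following is an added example, not code from the Comparitech/University of Hertfordshire study or from any of the tools it names: a `bytearray` stands in for the card, a dictionary stands in for the directory, and a signature-based carver looks for JPEG start/end markers the way a forensics tool would. Deleting and quick-formatting leave the photos carvable; a zero-fill "full format" does not.

```python
"""Toy model of why 'delete' and 'quick format' leave photos recoverable.

Added example (not code from the study or its tools). ToyCard is a
deliberate simplification of a FAT-formatted card: the index and the data
area are separate, and only the index is touched by delete/quick format.
"""
from __future__ import annotations

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


class ToyCard:
    """A block device with an index (directory) and a raw data area."""

    def __init__(self, size: int = 4096) -> None:
        self.data = bytearray(size)
        self.index: dict[str, tuple[int, int]] = {}   # name -> (offset, length)
        self._next_free = 0

    def write_file(self, name: str, payload: bytes) -> None:
        off = self._next_free
        if off + len(payload) > len(self.data):
            raise OSError("card full")
        self.data[off:off + len(payload)] = payload
        self.index[name] = (off, len(payload))
        self._next_free += len(payload)

    def delete_file(self, name: str) -> None:
        # Only the index entry goes; the bytes stay exactly where they were.
        del self.index[name]

    def quick_format(self) -> None:
        # Same thing at whole-card scale: the index is wiped, nothing else.
        self.index.clear()
        self._next_free = 0

    def full_format(self) -> None:
        # Zero-fill every byte, then clear the index.
        self.data[:] = bytes(len(self.data))
        self.quick_format()

    def listed_files(self) -> list[str]:
        return sorted(self.index)


def carve_jpegs(blob: bytes) -> list[bytes]:
    """Signature-based carving: recover JPEGs by scanning for SOI..EOI."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(bytes(blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def fake_jpeg(tag: bytes) -> bytes:
    """Constructed stand-in for a photo: valid markers around a dummy body."""
    return JPEG_SOI + b"\xe0" + tag + b"\x00" * 16 + JPEG_EOI


def demo() -> dict[str, int]:
    """Count carvable photos after each disposal method."""
    results: dict[str, int] = {}
    card = ToyCard()
    card.write_file("IMG_0001.JPG", fake_jpeg(b"passport"))
    card.write_file("IMG_0002.JPG", fake_jpeg(b"holiday"))

    card.delete_file("IMG_0001.JPG")
    results["after_delete"] = len(carve_jpegs(card.data))        # 2: delete hid nothing
    card.quick_format()
    results["after_quick_format"] = len(carve_jpegs(card.data))  # 2: still both there
    card.full_format()
    results["after_full_format"] = len(carve_jpegs(card.data))   # 0: overwritten
    return results


if __name__ == "__main__":
    print(demo())
```

The model has no wear levelling, which is the caveat behind the warning that some tools may still find data after a zero-fill: on real flash the controller decides which physical cells an overwrite lands on, so the logical zeros are no guarantee that the old cells were touched. That is why the NCSC advice quoted above treats destruction as the only sure option, and why the overwrite tools listed later are a trade-off rather than a proof.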

For the truly paranoid, there are dedicated tools for wiping removable media. Comparitech lists some on its secure wiping guidance page. The SD Association also offers an SD card formatter that it says will do the job.

Finding sensitive data on old devices has become something of a sport in the cybersecurity marketing business. The National Association for Information Destruction did one last year, as did Kroll Ontrack. Here’s another from 2009. Back in 2006, one research project found child abuse imagery, causing the academics involved to bring in the police.

They’re great fodder for companies needing a quick bit of easy PR because finding consumers with poor OPSEC is like shooting fish in a barrel. As this latest report says:

Despite advice from various governments and media organisations, and the media exposure of the issue, the message about data security risks from remnant data is being ignored. Vendors/sellers are either not responding to the warnings or are disregarding them.

People will continue leaving personal files on removable storage because for many security unsavvy users, the steps involved will be too big – and the understanding of the potential consequences too small.

Given that users aren’t stepping up with better security, the report concluded by asking for vendors to fill the gap.

Given the short life cycle of current digital devices, with users regularly replacing and upgrading their mobile devices, it is perhaps an omission that better advice on data disposal tools (factory reset options or encryption) and advice are not issued by the original vendors.

Unless someone figures out a better way to force-wipe that data, we’ll be seeing plenty more of these surveys for years to come.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7-Mq5D3X7R4/

Your social media memories may have been compromised

Remember Timehop, the “digital nostalgia” app?

No, nor do we, but the company still has a database of about 21,000,000 users who have given the app permission to sift through their digital photos and social media posts – even if they no longer actively use the Timehop service.

The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on.

The app was briefly popular a few years ago, before Facebook built a similar feature, known as On This Day, into its own social network.

The good news is that a third-party app like Timehop can’t work without your permission.

The Timehop app has to be authorised by you, and furnished with cryptographic keys (known in the jargon as access tokens), to get into the various online services from which you want it to scrape photos and posts.

Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn’t let crooks wander in and steal them.

The bad news is that Timehop just announced a data breach.

On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.

Timehop says that the following information was stolen:

  • Access tokens to your social media and online photo services. (All 21,000,000 users affected.)
  • Any or all of your signup name, email address and phone number. (Not all users had all these fields filled in. For example, only 4.7 million users – fewer than a quarter – had handed over their phone numbers.)

Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done.

If you’re a Timehop user and you want the app to keep on working, you’ll have to reconnect it to the various services of your choice.

The company says there is no evidence that any of the stolen data has been used for criminal purposes, though of course any stolen email addresses and phone numbers could be abused in the future, dumped online for free, or sold on to other crooks in due course.

Fortunately, the crooks didn’t get any further:

No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.

As you can imagine, a service that scrapes your digital photos and old posts so it can replay them later will inevitably end up with a big stash of user data, but those databases, so far as we know at the moment, were not accessed by the crooks.

What happened?

Just as in the Gentoo Linux breach we wrote about recently, this SNAFU seems to boil down to what you might call “cloud carelessness”.

Timehop, it seems, had sysadmin accounts hosted on other people’s servers that weren’t locked down tightly enough:

At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.

If you remember the Gentoo Linux incident, which caused us to say that “Linux experts are crap at passwords,” you will see that history has repeated itself here.

In fact, the Timehop breach happened before the Gentoo one.

Even though the company refers repeatedly to 4 July 2018 in its breach notification, it has also published a more detailed analysis in which it admits that the crooks first got on 19 December 2017 (for three days), and then came back briefly in both March 2018 and June 2018 before the Fourth of July 2018 attack, when data is known to have been stolen.

Successful cyberattacks often turn out to have been brewing for some time – after all, it’s hard to know where to look, and what to look for, if you’re not aware that bad things have been happening in the first place.

What to do?

If you’re a service provider:

  • Pick proper passwords. If you need help to choose and remember strong passwords, use a password manager.
  • Insist on two-factor authentication. The inconvenience of putting in a one-time code every time you log on is enormously outweighed by the additional security your organisation gets out of the deal.
  • Look at your logs. There’s not much point in going to the trouble of keeping system logs if you aren’t going to use them until it’s too late.
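The second and third points above are the kind of thing a small log-review script can check every day. What follows is an added example, not Timehop’s code or any cloud provider’s tooling: it reads constructed audit-log lines (the field names `time`, `user`, `event`, `result`, `mfa` and `src` are assumptions; a real provider’s audit log has its own schema), flags every successful console sign-in that did not use MFA, and flags the first sign-in of an account from a source address that is not in its baseline. The sample dates mirror the timeline in the article, but the entries themselves are made up.

```python
"""Added example (not Timehop's code): review constructed cloud audit-log
lines for successful sign-ins without MFA and for sign-ins from source
addresses not seen before for that account."""
import json

# Constructed sample log. Field names are assumptions, not a real schema.
SAMPLE_LOG = """\
{"time":"2017-12-19T03:12:44Z","user":"ops-admin","event":"ConsoleLogin","result":"Success","mfa":false,"src":"203.0.113.7"}
{"time":"2017-12-19T09:01:10Z","user":"alice","event":"ConsoleLogin","result":"Success","mfa":true,"src":"198.51.100.4"}
{"time":"2018-03-02T22:40:05Z","user":"ops-admin","event":"ConsoleLogin","result":"Success","mfa":false,"src":"203.0.113.7"}
{"time":"2018-07-04T18:04:00Z","user":"ops-admin","event":"ConsoleLogin","result":"Failure","mfa":false,"src":"192.0.2.99"}
{"time":"2018-07-04T18:04:31Z","user":"ops-admin","event":"ConsoleLogin","result":"Success","mfa":false,"src":"192.0.2.99"}
"""

# Constructed baseline: addresses each account normally signs in from.
BASELINE_SOURCES = {
    "ops-admin": {"203.0.113.7"},
    "alice": {"198.51.100.4"},
}


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _successful_logins(events):
    for ev in events:
        if ev["event"] == "ConsoleLogin" and ev["result"] == "Success":
            yield ev


def find_alerts(events, baseline):
    """Return (time, user, reason) tuples for sign-ins worth a human's eyes.

    Two checks: no MFA on a successful sign-in, and a source address that
    is new for that account. The baseline is copied so repeated calls do
    not mutate the caller's dictionary.
    """
    known = {user: set(ips) for user, ips in baseline.items()}
    alerts = []
    for ev in _successful_logins(events):
        if not ev["mfa"]:
            alerts.append((ev["time"], ev["user"], "no_mfa"))
        seen = known.setdefault(ev["user"], set())
        if ev["src"] not in seen:
            alerts.append((ev["time"], ev["user"], "new_source:" + ev["src"]))
            seen.add(ev["src"])
    return alerts


def accounts_missing_mfa(events):
    """Accounts that have signed in successfully without MFA at least once."""
    return sorted({ev["user"] for ev in _successful_logins(events) if not ev["mfa"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_alerts(evs, BASELINE_SOURCES):
        print(*alert)
    print("enforce MFA on:", accounts_missing_mfa(evs))
```

Run against the sample, the script reports the December sign-in without MFA on the first day it appears, which is the point of the third bullet: the log entry that would have given the game away months early was there all along. The "new source" check is deliberately baseline-driven rather than "alert on everything", so that a noisy first day does not train people to ignore it.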

If you’re a Timehop user:

  • Review any apps that have access to accounts such as Twitter, Facebook, Google Photos, and so forth. Revoke access to any apps you aren’t actively using any more.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/x1DEOaRQ6d0/

Leatherbound analogue password manager: For the hipster who doesn’t mind losing everything

News reaches us that will leave password management outfits quaking in their boots. The Conran Shop has a solution for forgetful users, and it is a snip at a mere £22.

Users need to remember a bewildering array of passwords just to get through an average day, which can lead to some pretty shoddy practices as revealed in the multitude of credential leaks over the years.

Solutions have ranged from the biometric, courtesy of fingerprint reading or gawping dead-eyed at the camera of a mobile phone, to vault-based, where one uses a service such as LastPass or Dashlane to keep track of accounts and login information.

However, those solutions require having a charged and connected mobile phone to hand, and occasionally also remembering a password to get into the password storage service itself.

Help is at hand, courtesy of the store founded by design guru Terence Conran back in 1974. The 8cm x 6cm black leather pocket book allows users to undermine the IT industry’s attempts at online security by, er, writing everything down. Helpfully labelled “Logins Passwords”, the pocketbook also includes a helpful index to assist thieves users in retrieving confidential account information in no time at all.

For those with a little less cash to splash and who may be less concerned about their high-end design credentials, Amazon will happily sell you something similar, in dayglo orange, and will even throw in a pen.

Well, actually…

In fairness, there are good reasons for writing down account information on paper. It isn’t subject to the same malware that plagues computing. Nor will it suddenly disappear when a service unexpectedly runs out of money.

Paper also doesn’t need battery power and is easier to work with for users that are not confident with using password vaults.

However, without some sort of user-generated obfuscation, putting the keys to the kingdom in a paper book that can be lost or stolen is a bad idea. And that’s without the inevitable tumble of the book into a toilet at the worst possible moment.

The continued existence of password books that are actually labelled as such, in big friendly letters, indicates the IT industry needs to try harder when it comes to helping users to follow good practice. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/09/conran_amazon_password_notebooks/

Claranet Buys NotSoSecure

Acquisition continues the MSP’s push into security services.

Claranet, a managed service provider with services focused on western Europe and Brazil, has purchased NotSoSecure, a firm specializing in penetration testing and ethical hacker training.

The purchase follows Claranet’s 2017 acquisition of SEC-1, a security firm based in the United Kingdom. According to a Claranet statement announcing the purchase, the security acquisitions, together with the opening of a security operations center in Portugal, are part of the company’s intention to increase their overall security services capabilities.

At the same time, NotSoSecure executives stated that they intend to use the resources of Claranet to build their business globally, with a special focus on expanding their presence in the US market.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/claranet-buys-notsosecure/d/d-id/1332241?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Creating a Defensible Security Architecture

Take the time to learn about your assets. You’ll be able to layer in multiple prevention and detection solutions and have a highly effective security architecture.

The Internet is constantly growing, giving birth to an age of network interconnection unlike anything we have ever known. Devices such as refrigerators, security cameras, and baby dolls have joined the ranks of Internet of Things (IoT) devices. These devices are made to be cheap and indispensable, resulting in insecure configurations and settings. The result: mass compromise and misuse for evil at a scale not seen before.

To be specific, the attack surface is larger than ever due to the IoT. But this also is due to the lack of surface reduction within any given network. Routine patching, security hardening, and defensive network designs exist but are not in effect. Organizations flock to purchase the latest “next-generation” security technology but meanwhile ignore the basic tenets of security. A mature, secure architecture design does not require the most expensive best-of-breed solutions. However, it does involve taking time to think about one’s environment and to design a secure architecture accordingly.

The concept of taking the time to do things right is much akin to the financial problems we face today. One large solution to a financial problem is taking the time to implement a budget and then sticking with it. And yet, many individuals have never taken the time to do this. Which feels more impactful — spending the last of your $200 in cash based on your grocery budget or swiping a credit card? The same holds true in network security. Security is not an accident. Similar to a credit or debit card, hoping money is in the bank is not enough; that is a failed approach. Security should be intentional and the result of careful planning.

Succeeding in Security
Modern attacks, the cloud, the IoT, and web applications have drastically changed the security landscape. They have created a world of deperimeterization where the old boundaries of “inside” and “outside” or “trusted” and “untrusted” no longer apply. To succeed in security in this new landscape requires a modern spin on security architecture. What may be surprising is that you likely own many of the technologies you need to win. However, these technologies need to be re-engineered to be effective.

Take, for example, a next-generation firewall (NGFW). The firewall comes with intrusion prevention, antivirus, application control, data loss prevention, denial-of-service protection, URL filtering, malware sandboxing, and more. Out of the box, this solution is highly ineffective. To be effective, it must be tuned according to your business needs. What usually happens is that the box is tuned by professional services or, in some cases, internal staff, but the end configuration is a generically tuned system that protects against Internet traffic.

Instead, the firewall should also be configured to implement internal layers of network segmentation. Controls should not only face the Internet but also be implemented to secure authorized access from internal assets to internal assets. Basic adjustments such as this allow for far superior prevention controls and, more importantly, detection controls. Think about this for a moment: if a computer in subnet or zone A attempts to talk to any system found in zone B and the system from A is not allowed, then the connection will be denied, and you will be notified of that. Basic firewall rules aren’t rocket science, but they are highly effective controls.
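The zone A to zone B reasoning above, as an added example rather than anything from the SANS course or a particular firewall vendor: zones are defined as address ranges, cross-zone traffic is allowed only by an explicit rule and denied otherwise, and every denied cross-zone attempt is turned into an alert, since a workstation or IoT device reaching for a server port it has no business with is exactly the detection signal the paragraph describes. The zone names, address ranges, ports and flow records are all constructed.

```python
"""Added example: a zone-based segmentation policy with default deny and
alerting on denied cross-zone flows. Zones, rules and flows are constructed
for illustration; they are not from the article or any real network."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: three zones on RFC 1918 space.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "iot": ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


# Explicit allows only; anything unmatched falls through to the default deny.
RULES = [
    Rule("workstations", "servers", 443, "allow"),
    Rule("workstations", "servers", 22, "allow"),
    Rule("iot", "servers", 8883, "allow"),   # IoT may only publish MQTT over TLS
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the table is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str, str]:
    """Decide a flow: returns (action, src_zone, dst_zone).

    Intra-zone traffic is passed through in this model; the firewall only
    arbitrates between zones, and between zones the default is deny.
    """
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz == dz:
        return "allow", sz, dz
    for r in RULES:
        if r.src_zone == sz and r.dst_zone == dz and r.dst_port in (None, dst_port):
            return r.action, sz, dz
    return "deny", sz, dz


def process_flows(flows):
    """Return (decisions, alerts).

    decisions: one (src, dst, port, action) per flow.
    alerts: a message for every denied cross-zone attempt, which is the
    detection control the text is talking about.
    """
    decisions, alerts = [], []
    for src, dst, port in flows:
        action, sz, dz = evaluate(src, dst, port)
        decisions.append((src, dst, port, action))
        if action == "deny":
            alerts.append(f"{sz}->{dz} denied: {src} -> {dst}:{port}")
    return decisions, alerts


# Constructed flow records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.1.5", 443),    # workstation to web server: allowed
    ("10.30.0.7", "10.10.4.21", 445),    # IoT device probing a workstation: denied
    ("10.30.0.7", "10.20.1.9", 8883),    # IoT device to MQTT broker: allowed
    ("10.10.4.21", "10.20.1.5", 3389),   # workstation to RDP on a server: denied
    ("10.20.1.5", "10.20.1.9", 5432),    # server to server, same zone: passed through
]

if __name__ == "__main__":
    _, found = process_flows(SAMPLE_FLOWS)
    print("\n".join(found))
```

The design choice worth copying into a real rule base is the shape, not the addresses: a short list of positive allows between named zones, a default deny for everything else, and logging on the deny rule. The second and fourth sample flows would both be silently dropped by an Internet-facing-only policy; with internal segmentation they become alerts.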

Modern challenges also must be overcome. For instance, consider an intrusion detection/prevention device, web proxy, data loss prevention sensor, network antivirus, or any other Layer 7 network inspection solution. These are all crippled by network encryption. Your brand-new shiny NGFW may not be configured to handle 70%+ of the traffic going through it. Basically, without understanding technologies like Secure Sockets Layer (SSL) inspection, SSL decrypt mirroring, HTTP Strict Transport Security (HSTS), certificate transparency, HTTP Public Key Pinning (HPKP), how can you handle modern encryption? A good architecture accounts for and handles network communication.

If you take the time to learn about your assets, you will be able to layer in multiple prevention and detection solutions and have a highly effective security architecture. Doing so will keep you prepared, even as your data traverses your network or the cloud. Understanding how to implement such an architecture by taking many of the security technologies you already own and implementing them with a fresh mindset and modern approach is essential in the creation of a defensible security architecture.

Want to learn more? Check out the new SANS SEC530: Defensible Security Architecture course or research these concepts online.


Justin Henderson is a SANS Instructor and course author of SEC555: SIEM with Tactical Analytics, and CEO of H A Security Solutions. He is a passionate security architect and researcher with over a decade of experience working in the healthcare industry. He has also had …

Article source: https://www.darkreading.com/cloud/creating-a-defensible-security-architecture/a/d-id/1332169?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese Wind Turbine Manufacturer Gets Max. Fine for Source Code Theft

Sinovel Wind Group has been sentenced for stealing trade secrets from the company formerly known as American Superconductor Inc.

The Sinovel Wind Group, a Chinese manufacturer and exporter of wind turbines, must pay the maximum fine for stealing trade secrets from AMSC, a US company previously known as American Superconductor Inc., the Department of Justice announced last week.

Sinovel had agreed to purchase $800 million in products and services from AMSC prior to the March 2011 theft. Instead of completing the sale, it launched an operation to steal proprietary AMSC software designed to regulate electricity flow from wind turbines to electrical grids. Evidence indicates Sinovel worked with AMSC Windtec GmbH, a subsidiary of AMSC, to get hold of copyrighted information and trade secrets.

The Chinese company then used stolen intellectual property to build its own turbines instead of paying AMSC $800 million. Its actions cost AMSC more than $1 billion in shareholder equity and nearly 700 jobs – more than half its global workforce, the DoJ reports.

Read more details here.


Article source: https://www.darkreading.com/attacks-breaches/chinese-wind-turbine-manufacturer-gets-max-fine-for-source-code-theft/d/d-id/1332243?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Japanese cryptominer slapped with suspended sentence

A Japanese man has received a suspended sentence for using a cryptominer in a failed attempt to turn an illicit profit.

Masato Yasuda, 24, was told he’d be jailed for a year if he reoffended in the next three years over a scam that earned him just £34. The case is thought to be the first criminal prosecution over so-called cryptojacking worldwide.

Yasuda, an unemployed man from the city of Amagasaki in Hyōgo Prefecture, had hoped to, er, coin it in by planting Coinhive’s Monero-mining JavaScript on the PCs of third-party victims in January and February. Instead of making bank, he made what would have been barely enough to cover any taxi fare home from the police station.

Yasuda is said to have embedded the Coinhive JavaScript library inside a supposed game cheat tool that was offered for download, his defence lawyer told Bitcoin.com. The 90 resulting downloads brought in around 5,000 Japanese yen worth of Monero cryptocurrency (£34 or $45).

“The defendant regretted what he did, learning information ethics and other matters,” the sentencing judge Ryo Kato said, according to Japanese news outlet The Mainichi.

“This is the first criminal case of cryptojacking in the world that I’m aware of,” Troy Mursch, a security researcher active in tracking cryptojacking abuse, told El Reg. “Tracking down perpetrators can be difficult as Coinhive doesn’t require any user identification verification. After the mined Monero is paid out to a wallet, it’s basically untraceable beyond that.”

Adware, cracked games and pirated software have all been used by cybercriminals to secretly infect PCs with crypto-mining malware. Even more commonly, hackers plant code on compromised web pages so that the PCs of visiting surfers are press-ganged into mining, a practice most associated with the growing problem of cryptojacking.
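For a site owner or web-proxy operator, the practical question raised by the paragraph above is how to notice that a page has had the Coinhive library planted on it. The following is an added example, not code from Coinhive, the researchers quoted, or any product: it parses HTML, collects every external script source and inline script body, and reports references to the Coinhive host or to the `CoinHive.Anonymous`/`CoinHive.User` constructor the library exposed. Both sample pages are constructed; the site key is a placeholder.

```python
"""Added example: scan HTML for the Coinhive library and its entry points.
The two sample pages are constructed; the site key is a placeholder."""
import re
from html.parser import HTMLParser

# Indicators: the library's host and the constructors it exposed.
COINHIVE_HOST = re.compile(r"coinhive\.com", re.I)
COINHIVE_API = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> targets and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_html(html):
    """Return (kind, evidence) findings; an empty list means nothing matched."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        if COINHIVE_HOST.search(src):
            findings.append(("external_script", src))
    for body in parser.inline:
        if COINHIVE_API.search(body):
            findings.append(("inline_miner_call", body.strip()[:60]))
    return findings


# Constructed pages. The second is what a planted miner looked like in 2018.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script></head>
<body><script>window.dataLayer = [];</script><p>Hello</p></body></html>"""

INFECTED_PAGE = """<html><head><title>Shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script></head>
<body><p>Hello</p>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Two caveats belong with this. Signature checks like these are brittle: the same library was also served through proxy domains and inlined with obfuscated names, so the host check should be mirrored by a DNS or proxy block list rather than relied on alone. And a hit on a page you own is a sign that the site itself was compromised, which is the incident to investigate, not the script tag.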

Japanese authorities last month arrested 16 cryptojacking suspects as part of a local clampdown, according to reports.

Prosecutors reckon the 16 suspects hacked sites and inserted the Coinhive library into their code. The biggest earner among the 16 suspects allegedly made about 120,000 Japanese yen (£819, $1,085). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/06/coinhive_conviction_japan/

Nostalgic social network ‘Timehop’ loses data from 21 million users

A service named “Timehop” that claims it is “reinventing reminiscing” – in part by linking posts from other social networks – probably wishes it could go back in time and reinvent its own security, because it has just confessed to losing data describing 21 million members and can’t guarantee that the perps didn’t slurp private info from users’ social media accounts.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data,” the company wrote. “We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.”

Names and email addresses were lifted, as were “Keys that let Timehop read and show you your social media posts (but not private messages)”. Timehop has “deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.”

The breach also led to the loss of access tokens Timehop uses to access other social networks such as Twitter, Facebook and Instagram and the posts you’ve made there. Timehop swears blind that the tokens have been revoked and just won’t work any more.

But the company has also warned that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts” but has “no evidence that this actually happened.”

It can’t be as almost-comforting on the matter of purloined phone numbers, advising that for those who shared such data with the company “It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.” Oh thanks for that, Timehop. And thanks, also, for not using two-factor authentication, because that made the crack possible. “The breach occurred because an access credential to our cloud computing environment was compromised,” the company admitted. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

All of which leaves users in the same place as usual: with work to do, knowing that if their service providers had done their jobs properly they’d feel a lot safer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/09/timehop_data_breach/

‘Domain Factory’ confirms January 2018 data breach

German hosting company Domainfactory has taken down its forums after someone posted messages alleging to have compromised the company.

Acknowledging the attack, the GoDaddy-owned (via Host Europe, acquired in 2016) company has advised customers to change their passwords and detailed the extent of the data breach claimed by the hackers.

“While we investigate this data breach, we already know that third parties could have had unauthorised access to the following categories of data: Customer name; Company name; Customer number; Address; E-mail addresses; Phone number; DomainFactory Phone password; Date of birth; Bank name and account number (eg IBAN or BIC); and Schufa score”

The company says it has secured the systems the attacker accessed.

Details of the data breach first emerged via Heise, which viewed the now-deleted forum posts in which the attacker said he had accessed the systems.

Journalist Fabian Scherschel also posted on Twitter (in German) that he was also watching a Twitter thread “in which lots of #Domainfactory customers ask a hacker about their data because DF does not respond to their requests” (all before Domainfactory’s disclosure).

The Heise article said “when he realised that Domainfactory did not want to communicate the fact that he had broken into the company’s servers, he disclosed his hack”.

Heise said the attacker used a Dirty Cow variant to access the systems, but that wasn’t addressed in Domainfactory’s post.

Domainfactory’s disclosure puts the date of the data breach as January 28, 2018. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/09/domainfactory_in_germany_confirms_brdata_breach/