
Privacy commissioner points finger at Cupid Media for huge data breach

June 25, 2014

'You need to encrypt all your stored passwords'. That's the simple message coming from Australia's privacy commissioner, at the conclusion of his long investigation of a gigantic data breach of the Cupid Media dating operation last year.

Among the 42 million customers whose data was exposed in the breach of the Queensland-headquartered company were 245,000 Australians, commissioner Timothy Pilgrim added.

The most serious failure was that the passwords were stored in plain text: they were neither hashed nor encrypted at the time of the breach, so whoever copied the database obtained every password exactly as its owner had typed it, the commissioner's report states.

“The Commissioner therefore found Cupid's storage of passwords in plain text to be a major failure to take reasonable security steps,” the report warned.
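What a hashed password store looks like next to the plain-text one the report describes, as an added example (this is not code from the commissioner's report or from Cupid Media). The first store is the failure the report found; the second uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt, and audit_store is the check a post-breach review would run over the table. The usernames, passwords and iteration count are assumptions for the demo; where a memory-hard function such as scrypt or Argon2 is available it is the better choice.

```python
# Added example, not the report's or Cupid Media's code: a plain-text password
# store (the failure the commissioner found) beside a salted PBKDF2 store.
# Usernames, passwords and the iteration count are constructed for the demo.
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumption: cost tuned for current hardware


# --- The failure the report describes: passwords stored as typed -----------
def store_plaintext(db: dict, user: str, password: str) -> None:
    db[user] = password   # anyone who reads the table has every password


# --- The "reasonable step" the report asks for ------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        # unique per user, so two users with the same password get
        # different records and one rainbow table cannot cover the dump
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def store_hashed(db: dict, user: str, password: str) -> None:
    db[user] = hash_password(password)


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and iteration count."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so response timing does not leak a prefix match
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def audit_store(db: dict) -> list:
    """Users whose record is not in the hashed format: the check a review of
    Cupid's table would have flagged for every account."""
    return [u for u, rec in db.items()
            if not rec.startswith("pbkdf2_sha256$")]


if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "correct horse")
    store_hashed(good, "alice", "correct horse")
    store_hashed(good, "bob", "correct horse")   # same password, other salt
    print(bad["alice"])                           # the password, in the clear
    print(good["alice"] != good["bob"])           # True: the salt differs
    print(verify_password(good["alice"], "correct horse"))   # True
    print(verify_password(good["alice"], "wrong"))           # False
    print(audit_store(bad), audit_store(good))               # ['alice'] []
```

The record carries its own algorithm name, iteration count and salt, so the cost can be raised later and old records re-hashed on the user's next login without a second schema change.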

Finding that Cupid Media – which operated a network of 35 dating sites covering niches of ethnicity, religion, sexual preference and location – had breached Australia's privacy regulations, the commissioner's report states: “Cupid had breached the Privacy Act by failing to take reasonable steps to secure personal information it held.”

During the investigation, the company told the commissioner it didn't hold credit card data, and asserted that since it doesn't check registrations to demonstrate that people are using real names, the data was less sensitive than for example financial information.

But the investigation found that the preferences collected by the niche sites, together with the e-mail addresses and passwords exposed in the breach, were personal information sensitive enough to bring the company within the remit of the Privacy Act.

Worse, Cupid even quibbled over the original reports that the breached database held 42 million user accounts, asserting that “this figure is not accurate because it includes 'junk' accounts and duplicate accounts”.

That statement didn't satisfy the commissioner, who found that the company was retaining personal data it didn't require: “Cupid failed to take reasonable steps to destroy or permanently de-identify the personal information it held in relation to user accounts that were no longer in use or needed”, the commissioner warned.

The company did co-operate with the investigation, notified its users, reset their passwords, and applied patches to fix the security issues.

In other internet security news

Cisco said that a long list of its products has recently been certified by GCHQ's information security arm, the Communications-Electronics Security Group (CESG).

The new certification covers IPsec security gateway products in Cisco's ASA v9.1 family, hardware models 5505, 5510, 5520, 5540, 5550, 5580, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X.

The certification covers the products only for information up to Britain's government “Official” classification – that is, most government information.

But as the company's product certification engineer Clint Winebrenner writes: “This award represents the first Foundation Grade IPsec VPN product capable of supporting both the CESG interim and PRIME cipher suites, enabling public sector customers to take full advantage of the very latest cryptographic algorithms.”

Winebrenner also notes that the British classifications – Official, Secret and Top Secret – were redone in April of this year with the goal of letting off-the-shelf products handle data at the lowest classification.

That means we can expect many similar certifications to be granted in the near future.

“This business model includes two grades of assurance: Foundation Grade and High Grade. Foundation Grade products are COTS products designed to provide protection against threats to information classified as OFFICIAL and certification is achieved through the completion of either a Common Criteria or Commercial Product Assurance (CPA) evaluation,” Winebrenner writes.

The certification covers deployments of IPsec VPN technologies both between government sites, and for remote access. Cisco also has its AnyConnect client currently going through certification for mobile access applications.

In other IT news

Cisco said earlier this morning that it's offering an experimental cipher which, among other things, could help preserve the anonymity of data in specific cloud environments.

Cisco has released what it calls FNR (Flexible Naor and Reingold) to the public as experimental code rather than production software.

Cisco software engineer Sashank Dara explains that FNR is a block cipher that works without the need for padding, unlike ciphers such as AES.

AES always works on a fixed 128-bit block (128, 192 and 256 bits are its key sizes, not block sizes), so anything shorter than a block is padded up to 128 bits before encryption, and small values grow when they are stored encrypted. At scale, that growth is a real cost.

However, this isn't much of an issue for person-to-person messages, given their relatively low volume.

But a cloud provider seeking to gather IP address information for analysis and other purposes will see an awful lot of 32-bit inputs turning into 128-bit outputs, quadrupling the storage requirements if they try to protect the privacy of their customers.

FNR is designed to encrypt small objects while preserving their input length, making it applicable to IPv4 addresses, MAC addresses and other short fields of arbitrary length.

It could also encrypt legacy databases containing fields that need their length preserved, reducing the amount of re-engineering required.

The FNR specification explains that privacy of fixed-length fields (such as collected in NetFlow formats) is an emerging challenge for cloud providers, who collect lots of telemetry for analysis and don't want to change their field formats to encrypt the information.

FNR proposes “invertible matrices to provide a neat and generic way to achieve pair-wise independence for any arbitrary length”, the paper states.

Cisco provides a demonstration application using IPv4 address encryption as the example.
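The length-preserving property the article describes, as an added example that is not Cisco's FNR code. FNR builds on the Naor-Reingold construction with invertible matrices; this block uses a plain Feistel network with HMAC-SHA256 round functions, which is enough to show the point: a 32-bit IPv4 address or a 48-bit MAC address encrypts to a value of the same width, so a NetFlow-style record keeps its field formats. The key, addresses and flow record are constructed for the demo, and the round count is an assumption, not a security analysis.

```python
# Added example, not Cisco's FNR code: a length-preserving (format-preserving)
# cipher built as a Feistel network with HMAC-SHA256 round functions. Shows
# only the property the article is about; the key, addresses and flow record
# below are constructed for the demo.
import hashlib
import hmac
import ipaddress

ROUNDS = 8   # assumption: a round count for the demo, not a security analysis


def _round_function(key: bytes, rnd: int, half: int, half_bits: int) -> int:
    """Keyed PRF on one half of the block, truncated to half_bits so the
    output is never wider than the input half."""
    msg = bytes([rnd]) + half.to_bytes((half_bits + 7) // 8, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") & ((1 << half_bits) - 1)


def fpe_encrypt(value: int, nbits: int, key: bytes) -> int:
    """Encrypt an nbits-wide integer (nbits even) to another nbits-wide integer."""
    if nbits % 2 or not 0 <= value < (1 << nbits):
        raise ValueError("value must fit in an even number of bits")
    half_bits = nbits // 2
    mask = (1 << half_bits) - 1
    left, right = value >> half_bits, value & mask
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right, half_bits)
    return (left << half_bits) | right


def fpe_decrypt(value: int, nbits: int, key: bytes) -> int:
    """Inverse of fpe_encrypt: the same rounds, applied backwards."""
    if nbits % 2 or not 0 <= value < (1 << nbits):
        raise ValueError("value must fit in an even number of bits")
    half_bits = nbits // 2
    mask = (1 << half_bits) - 1
    left, right = value >> half_bits, value & mask
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, rnd, left, half_bits), left
    return (left << half_bits) | right


def encrypt_ipv4(addr: str, key: bytes) -> str:
    n = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(fpe_encrypt(n, 32, key)))


def decrypt_ipv4(addr: str, key: bytes) -> str:
    n = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(fpe_decrypt(n, 32, key)))


def _fmt_mac(n: int) -> str:
    h = f"{n:012x}"
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def encrypt_mac(mac: str, key: bytes) -> str:
    return _fmt_mac(fpe_encrypt(int(mac.replace(":", ""), 16), 48, key))


def decrypt_mac(mac: str, key: bytes) -> str:
    return _fmt_mac(fpe_decrypt(int(mac.replace(":", ""), 16), 48, key))


def encrypt_flow(record: dict, key: bytes) -> dict:
    """Encrypt only the address fields of a NetFlow-like record; every other
    field, and the width of every field, is untouched."""
    out = dict(record)
    for field in ("src_ip", "dst_ip"):
        out[field] = encrypt_ipv4(record[field], key)
    return out


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()
    flow = {"src_ip": "192.168.1.10", "dst_ip": "10.0.0.5",
            "dst_port": 443, "bytes": 5120}
    enc = encrypt_flow(flow, key)
    print(enc)                                    # addresses still look like IPv4
    print(decrypt_ipv4(enc["src_ip"], key))       # 192.168.1.10
    print(encrypt_mac("00:11:22:33:44:55", key))  # still six octets
    # Deterministic: the same address always maps to the same ciphertext, so
    # counts and joins over the encrypted telemetry still work, and so does
    # an observer's ability to see that two records share an address.
    print(encrypt_ipv4("10.0.0.5", key) == enc["dst_ip"])   # True
```

Because the cipher is a permutation of the 32-bit space, no two addresses collide and the analyst can still count distinct hosts; the price, as with any deterministic scheme, is that equality of addresses is visible without the key, and a tweak or per-tenant key is needed if that leak matters.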

In other internet security news

Various reports in the blogosphere this morning say that hackers have successfully attacked a hedge fund, delaying several trades and then stealing profitable secrets in a rare but very direct raid on the United States financial services sector.

BAE Systems Applied Intelligence says that the attack cost the unnamed US-based hedge fund millions of dollars over two months.

Hackers apparently lifted large chunks of data on complex high speed trades from the financial firm, then sent the details to external servers using malware which implanted itself on the victim's network.

For now, the identity of the attackers is unknown, said BAE product director Paul Henninger, but the stolen data could be immensely profitable for smaller hedge fund firms looking for a leg up into the market.

The espionage theory was given further weight by the fact that the attackers added slight delays between the issuance and execution of the victim's trades, a tactic that would eventually lead to the discovery of the attack but may have given a competing firm a trading advantage in the meantime.

Henninger said that the attacks occurred in January 2013 and were escalated to the company board. Why it took so long for the news to become public isn't known at this time.

"This was something that was getting reviewed at the board level of this hedge fund precisely because it was having a material impact on performance across the whole portfolio," said Henninger.

Incredibly, the attacks began with a successful but very simple spear-phishing email campaign against a staffer, from which malware was deployed to gain a direct foothold in the company.

The attackers knew exactly what they were doing. Henninger didn't know if the hack was reported to the Securities and Exchange Commission or FBI and noted that the fund would have little incentive to do so.

Attacks against hedge funds don't often make it onto the public record. More than three years ago, Cyber Engineering Services founder Joe Drissel tipped off one hedge fund that it was compromised after he discovered its stolen data on a hacked server.

The unnamed company, which initially laughed off the disclosure, later disconnected its entire enterprise network from the Web when Drissel sent its IT manager a copy of a stolen file.

Attackers had installed no less than three trojans on the victims' machines which went completely undetected by anti-virus software.

Internet security teams have since reported phishing emails targeted towards hedge funds that lured victims to open malicious documents purportedly discussing carried interest fees.

In other internet security news

Last year's Snowden leaks exposed the NSA's Advanced Network Technology (ANT) catalog, a listing of the hardware and software tools the agency makes available to its operators for spying.

Since then, enterprising security researchers have been using the same catalog to build similar tools from low-cost, readily available electronics.

A team led by Michael Ossmann of Great Scott Gadgets examined the leaked catalog and found that a number of the devices the NSA developed are very simple to recreate.

Ossmann built a simple software-defined radio (SDR) system capable of recording and transmitting data from a target PC, funded through a Kickstarter project, and says the hardware can be bought for $300 or less.

"SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format," he added.

Ossmann said that he was also able to build two devices from the NSA's catalog using little more than a few transistors and a two-inch length of wire as an antenna. One mimics the NSA's Ragemaster, a plug that sits on a computer's monitor cable and broadcasts screen images.

The other is a version of the Surlyspawn keystroke logger, built at a small fraction (less than 5 percent) of what the U.S. government is charged for the original.

In a presentation at the Hack In The Box conference in Amsterdam last month, Ossmann detailed some of his creations and the methods he and his team used to build them using off-the-shelf components.

Those devices aren't as small as the NSA's hardware, but are just as effective, he said. The team has now set up a website detailing the different spying products they have reverse-engineered, and more details will be given at presentations at the DEFCON hacking conference in Las Vegas in August.

Ossmann's goal isn't to help hackers conduct their own spying operations, nor to make it easier for the government to get low-cost surveillance hardware. While he has developed tools for the federal government, the goal of his project is to help the security industry understand the range of threats it should be protecting against.

"Showing how such devices exploit weaknesses in our systems means we can make them more secure in the future," he added.

In other internet security news

It was revealed this morning that LinkedIn accounts can be hijacked through a simple man-in-the-middle (MITM) attack because the site was slow to close an SSL-stripping weakness.

The flaw is described as a zero-day, and it allows attackers to gain full control of a user's account after the user has logged in over SSL.

An attacker sitting between the user and the service downgrades the connection from HTTPS to plain HTTP, and the account is exposed over the unprotected channel.

User IDs, passwords and all LinkedIn data could then be siphoned off. All users outside Europe and the United States who hadn't ticked the box to enable optional HTTPS beyond the login screen were vulnerable, said Zimperium CEO Zuk Avraham.

"Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user’s credentials and gain full control of the user’s account," Avraham said.
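What the downgrade does to a relayed page, and the two response properties that defeat it, as an added example (not Zimperium's or LinkedIn's code). strip_https is the rewrite a stripping proxy applies before handing a page to the victim over plain HTTP; assess checks an HTTPS response for a Strict-Transport-Security header and for the Secure flag on cookies, the two things that stop a browser from following the downgraded links and from sending the session cookie over http://. The header sets, cookie name and HSTS floor are constructed assumptions for the demo, not LinkedIn's real headers.

```python
# Added example, not Zimperium's or LinkedIn's code: the rewrite an SSL-
# stripping proxy applies, beside a checker for HSTS and Secure cookies.
# Header sets, cookie name and the HSTS floor are constructed for the demo.
import re

HSTS_MIN_AGE = 15552000   # 180 days; assumption: a floor that survives
                          # infrequent visits


def strip_https(html: str) -> str:
    """What a stripping proxy does to a page it relays over plain HTTP: every
    https:// link becomes http://, so the browser never asks for TLS on the
    next click. The proxy keeps its own TLS session to the real site."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_set_cookie(value: str) -> dict:
    """Return the cookie name and whether Secure / HttpOnly are set."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs,
            "httponly": "httponly" in attrs}


def parse_hsts(value: str):
    """Return max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, flags=re.IGNORECASE)
    return int(m.group(1)) if m else None


def assess(headers) -> list:
    """headers: list of (name, value) pairs from an HTTPS response.
    Returns the reasons a downgrade would succeed; empty means resistant."""
    findings = []
    hsts_age = None
    for name, value in headers:
        key = name.lower()
        if key == "strict-transport-security":
            hsts_age = parse_hsts(value)
        elif key == "set-cookie":
            cookie = parse_set_cookie(value)
            if not cookie["secure"]:
                findings.append(f"cookie {cookie['name']} lacks Secure; the "
                                "browser will send it on http:// after a downgrade")
    if hsts_age is None:
        findings.append("no Strict-Transport-Security; the browser will follow "
                        "an http:// link or bookmark on the next visit")
    elif hsts_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {hsts_age} is below {HSTS_MIN_AGE}")
    return findings


# Constructed: a post-login response from a site that offers HTTPS only as
# an option the user must tick, like the behaviour described above.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=constructed0001; Path=/; HttpOnly"),
]

# Constructed: the hardened form of the same response.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=constructed0001; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    page = '<a href="https://www.example.com/inbox">Inbox</a>'
    print(strip_https(page))
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, assess(hdrs) or ["downgrade-resistant"])
```

HSTS only protects a browser that has already seen the header over a genuine HTTPS connection, so the very first visit is still exposed unless the domain is on a browser preload list; the Secure flag closes the cookie-theft path regardless, which is why the check treats a missing Secure flag as a finding on its own.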

Source: Australia's Privacy Commissioner.

Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer