1.2.19

Four new caches of stolen logins put Collection #1 in the shade

The recently discovered tranches of stolen login credentials freely floating around the internet total 2.2 billion records
Two weeks ago, reports that a vast compilation of stolen access credentials was being widely circulated, not only in the internet’s dark recesses, made the headlines. Before long, additional reports began to pour in that this trove of data, dubbed Collection #1, was far from the only massive and readily available aggregation of stolen logins.
Security journalist Brian Krebs, for one, wrote that Collection #1, which comprises 773 million login names and associated passwords, was just a portion of a far larger stash of stolen or leaked credentials that was circulating on hacking forums and via torrents. Besides, by some accounts at least a portion of the latter caches contains more recent data, thus potentially posing greater risks for users. Enter Collections #2 through #5, so nicknamed by their creator(s).
Research by Germany’s Hasso Plattner Institute (HPI) has shed some more light on the data sets. HPI found that the number of purloined login credentials cobbled together into the five tranches totals 2.2 billion, according to the institute’s press release (in German).
Importantly, the institute operates a service that is similar to Troy Hunt’s Have I Been Pwned (HIBP) site. Unlike HIBP (as of the day of writing, anyway), the Identity Leak Checker includes data from all five caches in their entirety, and then some – 8.16 billion data records.
You can use the tool to check if any of your email accounts, or an online account associated with your email account(s), may have been impacted by a known leak. In addition to login names and passwords, the tool can also show some other sensitive information of yours that may have also been exposed.
Databases of stolen login data can have far-reaching implications, particularly because of the widespread practice among many netizens of reusing their passwords across multiple services. Attackers can exploit this with an automated technique known as ‘credential stuffing’ that can give them access to other, and possibly higher-value, online accounts where the victim uses the same access credentials.
Beyond using a unique and strong password for each account, it’s also worth setting up two-factor authentication (2FA) wherever possible. That extra factor is a simple measure that is very likely to help thwart account-takeover attempts.
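Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different usernames in a short time, with most attempts failing, which is quite unlike a legitimate user mistyping their own password. The following added example (not code from the article or from any of the services it mentions) flags such sources in a constructed log; the log format, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data). Format is an assumption:
# "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>".
SAMPLE_LOG = """\
2019-02-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2019-02-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2019-02-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2019-02-01T10:00:03 ip=203.0.113.7 user=dave result=ok
2019-02-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2019-02-01T10:00:05 ip=203.0.113.7 user=frank result=fail
2019-02-01T10:00:10 ip=198.51.100.4 user=alice result=fail
2019-02-01T10:00:20 ip=198.51.100.4 user=alice result=fail
2019-02-01T10:00:30 ip=198.51.100.4 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "ok"

def find_stuffing_sources(text, window_s=60, min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, fail_ratio)} for sources that try
    many *different* usernames within window_s seconds, mostly failing. That is
    the signature of credential stuffing; one person mistyping their own password
    shows many attempts against a single username and is not flagged."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        # Slide a window starting at each event; flag the ip on the first hit.
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), len(win), round(ratio, 2))
                break
    return flagged
```

In the constructed log the first source is flagged (six usernames, five failures in five seconds) while the second, a single user retrying their own password, is not.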

29.1.19

Hear me out! Thousands tell UK taxman to wipe their voice IDs

Even so, the database has grown to seven million voiceprints amid a controversy that puts the spotlight on the privacy implications of the collection of biometric information
In June 2018, a British privacy campaign group called Big Brother Watch accused the country’s tax authority of amassing the voiceprints of millions of people without asking for their explicit consent.
Within six months, more than 162,000 people would opt out of the voice ID scheme of Her Majesty’s Revenue and Customs (HMRC) and would have their biometric data deleted. While the thousands exercised their right to be forgotten as enshrined in the European Union’s General Data Protection Regulation (GDPR), another 2.1 million people joined the scheme between June and December 2018, bringing the number of people with voiceprints on file to around 7 million.
These developments come on the heels of a controversy that came to a head last summer when Big Brother Watch accused HMRC of “creating biometric ID cards by the back door” for 5.1 million taxpayers. The campaigners alleged that “HMRC has in fact railroaded taxpayers into this unprecedented ID scheme”, without providing a straightforward opt-out method. HMRC introduced the voice recognition system in January 2017.
Although there was a way to say ‘no’ to the scheme – it required saying ‘no’ to automated requests three times in a row – the opt-out route was not, in fact, immediately obvious (as detailed here). Instead, HMRC’s automated helpline instructed millions of callers to repeat the phrase “My voice is my password” up to five times in order to create a unique voiceprint for each of them and use it to verify the caller’s identity in the future.
The issue has also prompted the privacy campaigners to file a complaint with the Information Commissioner’s Office (ICO). The UK’s data protection watchdog has yet to decide on whether HMRC has been seeking user consent that is “freely given, specific, informed and unambiguous”, another requirement set out in the GDPR.
Either way, HMRC revamped the recording in July, introducing a clear option for callers to turn down the voice ID, as well as delete their existing voiceprints. By the taxman’s own admission, this option had not been stated explicitly before. As noted in HMRC’s Voice ID privacy notice, callers who reject the biometric option can continue to answer security questions to access their HMRC accounts.
ESET UK cybersecurity specialist Jake Moore viewed the news as a positive, but also sounded a warning: “It’s very promising that people can now delete their biometric voice data if they choose to. However, if HMRC took such data without consent then this is a different story. People should be given the option from the start whether to have their biometric data stored by the provider or not. Usually, people will assume this data will also be encrypted and kept highly secure, too”.
Meanwhile, the tax agency has also had to respond to concerns about the security of the collected data, not least because of the size of its database. HMRC has said that the data is encrypted, stored in a data center in the UK, and is never shared with anyone outside the agency.
HMRC is no stranger to biometrics, having also embraced the technology in its mobile app for both Android and iPhone. Besides authentication relying on a PIN code, people can also prove their identity using face recognition and fingerprint scanning.

27.1.19

The Forum International de la Cybersécurité 2019: knowledge as the first line of defence

The importance of passing on knowledge marks the 11th edition of the FIC, a space for reflection on Europe’s vision and challenges in cybersecurity.
2019 has barely begun and is already marked by a gargantuan security breach, as well as the publication of confidential information concerning leading German political figures. Many incidents have already marked this year and remind everyone of the central role of digital security questions, for users as much as for private organisations and even governments and states. It is in this context that the 11th edition of the Forum International de la Cybersécurité (FIC) 2019 closes in Lille, France. This annual event brings together experts and industry representatives as well as governments in a space for exchange and reflection on Europe’s challenges and vision in cybersecurity.
From the outset, the tone was set: participants are fully aware of the importance of the current challenges, whether one speaks of privacy by design or the GDPR (RGPD), not forgetting cyberdefence at the national level. Thus Laurent Nuñez, Secretary of State to the French Minister of the Interior, underlined the major importance of digital security questions at the opening of FIC 2019. His message was unequivocal: “For the government and the Ministry of the Interior, 2019 will be a decisive year for cybersecurity.”
FIC 2019 also coincided with the first annual report of the cybermalveillance.gouv.fr platform, a programme launched in autumn 2017 by the French government to contribute to awareness, prevention and support in digital security across France.
This first annual report clearly shows the importance of the platform’s mission. Notably, for 2018, “28,855 victims came to seek assistance on the platform in 2018, including 24,574 individuals, 3,650 businesses and 631 local authorities.” The platform’s visibility and popularity are also growing: it saw “+500%” growth in the number of people consulting it between the start and the end of 2018. Since the launch of the first part of the awareness kit in June 2018, it has been downloaded more than 21,000 times.
Among the trends observed, the main threats raised in this report include phishing attempts, account hijacking, spam and viruses, notably ransomware.
Given the ever more prominent and menacing place of several threats, it goes without saying that preparing in advance is essential. One of the notable themes of FIC 2019 was, in fact, privacy by design. As more and more connected objects surround us and change the way we do things, it is increasingly fundamental that cybersecurity be at the heart of the entire design process for these devices, in order to protect users’ security and privacy.
While many cyberthreats grow more complex, one thing remains. Several presenters rightly stressed that no layer of technological protection can substitute for the training and vigilance of each user. One need only look at ransomware or hacking attacks to see that social engineering is still enjoying its heyday. But it is up to each individual, and each organisation, to prepare adequately so as to avoid unwittingly becoming their own adversary.