The other big hack of 2016?

Obligatory stock photo of masked hacker.

According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people.  The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:

…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

The price for this treasure trove?  US$600.

With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision. They could choose victims to concentrate their efforts on for maximum profit. Real-world attackers could also use this information to plan crimes such as burglaries or kidnappings. Governments (both foreign and domestic) could use this information to select targets for surveillance.

The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use. If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection. If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.

This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real.  If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.

Stay tuned.


Today, I want to be a Canadian

This morning, I read an amazing story in the New York Times about a Syrian refugee family building a new life in Canada. As you would expect, the piece highlighted the many challenges they are facing, from cultural differences to finding work. What really stood out for me however was that Canada not only took these people in, but that everyday Canadians “adopt” each family and volunteer their time to help them make the transition.

When I contrast the attitudes expressed here in the US about taking in these refugees, who are truly fleeing persecution and death, it makes me very sad.  Canada’s response seems much more in keeping with American values than anything I have heard down here in a long time.  I fear that the US has lost its place in the world as a beacon of hope and democracy.

If I wore a hat, it would be off to the government and people of Canada.


Sometimes the helpers need help too


I received some very sad news this morning – Melissa Claros (one of my colleagues at the Weehawken Volunteer First Aid Squad) lost her husband, Robert, suddenly this weekend.  Melissa and Rob shared love and a common desire to help their communities.  Rob was an EMT for the West New York ambulance squad and a volunteer fireman in their town in Pennsylvania and Melissa is a volunteer EMT here in Weehawken.   Rob was just 28 years old and he leaves Melissa not only with a broken heart, but also two young children to raise while she attends nursing school.

While there is nothing we can do to fill the void in Melissa’s heart left by Rob’s untimely passing, we can help her and her kids deal with some of the financial burdens which they face now and in the future.

Rob’s colleagues in West New York have set up a GoFundMe page to help the family out at this difficult time.  Rob and Melissa have consistently stepped up to help their communities.  Rob was and Melissa is “good people” who could use some help.

If you would like to help out someone who has spent a lot of time helping out others, please consider making a donation at




Best infosec quote of all time…


Sometimes, saving money can cost you money (like $81 million)… Apparently the hackers who made off with millions from the Central Bank of Bangladesh had some help from the bank’s IT department, who decided to save money by forgoing firewalls and purchasing used routers that could not segregate private from public traffic. My new favorite information security quote of all time was in this article:

A firewall would have made attempts to hack the bank more “difficult” Mohammad Shah Alam, a forensic investigator who works on the Bangladesh team investigating the theft, told Reuters.

Yes.   Yes it would.  Can’t get anything past this guy.



Malware strikes non-jailbroken iOS devices

Walled gardens don’t provide 100% protection.

A reminder that while iOS still seems to be safer from malware threats (as long as you don’t jailbreak your device), Apple’s walled garden is not totally weed free. Researchers found malicious apps in Apple’s App Store which use vulnerabilities in iOS’s digital rights management software to install malware on standard (non-jailbroken) devices. This particular family of malware only targets devices located in mainland China, but there is no guarantee that others will not try to exploit this issue to infect other users.

Apple removed the malicious apps from the App Store when they were informed of the issue, but it is important to note that the apps stayed up in spite of multiple reviews by Apple until then.

We iDevice users have been quite lucky when it comes to malware, but it is important to remember that iOS is not immune to malware attacks.  The best defense is to be choosy about the apps you install – if you have not heard of an app, look for reviews and information out on the net before downloading it to your phone.

Of course, Donald Trump promises to build a “terrific” wall around Apple’s App Store and make Mexico pay for it…


People are still your best defense

OK, I already tweeted this story with a snarky comment about spelling, but there is an interesting lesson to be learned from this incident. It was plain old human intervention that kept an $80 million fraud from becoming an $800 million plus fraud against Bangladesh Bank. Educating your people to recognize out of the ordinary behavior is one of the best security investments you can make. (Not that losing $80 million is a great outcome).