data breach – Rogue Security

Compromised: How To Know When Your Email/Password Has Been Stolen

By Justin Robinson / July 14, 2021 July 14, 2021 / Password Security, Personal Cybersecurity / Leave a Comment

We research Information Security incidents every day and we can tell you one thing for certain; your data is worth a lot of money to cyber criminals. A day doesn’t pass where we don’t read about another breach where an organizations employee or customer data has been stolen. This data often includes email addresses and sometimes even passwords. Even a password that has been encrypted before it’s stored can potentially be valuable in the right hands. So, is it possible to know if your email or password has been compromised? Yes!

Finding Compromised Accounts

Information security professionals have been able to utilize similar methods to collect details on data breaches including, in some cases, the data within those breaches. Unlike cyber criminals, security professionals have created ways to safely and securely use that data to help consumers, like you, identify if their accounts have been compromised. In most cases you simply enter your email address or common username(s), and the tool with identify whether or not that email address and/or username has been found in any known data breaches.

Disclaimer

We don't recommend that you go around and enter your email address and password into different websites. The below list of lookups have been reviewed by Rogue Security, both in terms of technical controls, and privacy controls.

Account Leak Lookup Services

Here is our trusted list of sites that you can use to search for whether or not your accounts have been compromised. All of the below resources are 100% completely free!

Enter an email address (or even username/phone number) and these services will return a list of data breaches that the email address (or other artifact) was found.

What Do I Do If My Email Comes Back As Being In A Breach?

If you haven’t already, you should change the password on your account on that individual service. Also, if you use that same password elsewhere then you should change the password on those accounts, as well. This is the reason why we don’t recommend the practice of re-using passwords between services. Not only does it put all of your accounts at risk if just one of them is breached, but it also makes it a lot harder for you to remember all of the places that you used that password. In summary:

Reset your password on the account that was breached.
Reset your password on any other accounts that might share the same password as the breached service.
If any important accounts such as government or financial services accounts might be affected, contact each institution advising them so they may monitor your accounts more closely.

Your accounts are almost guaranteed to fall victim to a data breach at some point in your lifetime. Using separate passwords, and being aware of possible leaks is the best way to protect yourself as a consumer.

Canada Post Large Business Data Breach and Supply Chain Attacks

By Justin Robinson / May 26, 2021 June 8, 2021 / Security News, Vulnerabilities and Exploits

Update 2021-05-31

Linking to the official announcement by Canada Post.

Update 2021-05-28

The new player in town, Lorenz, has taken credit for the attack. It also appears that Commport Communications did not pay the ransom, estimated to be between $500,000 to $700,000 for the Lorenz group according to estimates provided by BleepingComputer. Like other newer groups, Lorenz, has a public website available via the Tor network to pressure victims into paying. The data, totaling a compressed 35.3 GB, for Commport Communications is now openly available for download via that website, which suggests that Commport refused to pay the ransom.

Interesting to note is the date on the upload. Commport previously released an attack back in November of 2020, but did not believe any data to be compromised at that time. Apparently, they were wrong.

Commport Communications data available from the Lorenz public repository.

The Attack

Canada Post has announced a data breach of shipping manifest data associated with 44 of its large business users. The impact is recorded at more than 950,000 records relating customers of those businesses. Shipping manifests contain sender and recipient information that usually includes both names and addresses, and less often email addresses, and phone numbers.

According to CTV News, the data comprised of 97% names and addresses, while the final 3% of records contained an email address and/or a phone number. The attack occurred on May 19th, according to Commport Communications Inc., however, the data compromised was from between July 2016 and March 2019.

Apparently, Commport Communications Inc., notified Innovapost, Canada Post’s IT Service Provider, in November 2020, of a ransomware attack on the organization, but a review at that time determined that no customer data was leaked from Canada Post at that time. I’d be interested in seeing the lessons-learned from that attack, as well as the steps taken to prevent this time of incident from happening again.

At this time the May 19th event hasn’t been attributed to a specific attack vector and may not be related to the November, 2020 ransomware attack, at all.

Supply Chain Attacks

This very well could have been a crime opportunity as we don’t know if any other data was stolen from the Commport Communications environment. Other than Canada Post, they have reference to working with companies such as Walmart, Pepsi, Coca-Cola, P&G, Lowe’s and even Amazon on their website. Regardless of the original intent, this is what is known as a supply chain attack. A supply chain attack is an attack that targets a less-secure element of an organization’s ecosystem. This could be anything from a HVAC provider to a software vendor, or, yes, even an IT provider.

The 2020 Solarwinds attack was a series of supply chain attacks that led to, suspected, Russian-sponsored state actors, believed to be either SVR or Cozy Bear (APT29) gaining access to a number U.S. Government systems including parts of the NSA and the Cybersecurity and Infrastructure Security Agency. Not to mention a number of private and public businesses and governments that we’ll never know about.

Supply chain attacks are the real deal and they work because as business owners we often make the mistake of trusting the security and the systems of the third-parties that we do business with, and sometimes have elevated access within your businesses systems. They’re also complex when done with an intended target, and are therefore oftentimes the mark of an APT (Advanced Persistent Threat).

The National Cyber Threat Assessment 2020 by the Canadian Centre for Cyber Security lists supply chain attacks as one of seven threats to Canadian financial and economic health.

Supply Chain Attack Risk Reduction

The issue here, of course, is that if we wish to build our businesses weÂ must rely on third-parties to provide things such as manufacturing, operations, financial services and support.Â Information and Cybersecurity isn’t about making it difficult for the business to operate, it’s about creating opportunities!

A third-party risk program can be as complex or as simple as you need, but is really all about governance around your vendors and suppliers. Develop processes and procedures for every transaction between your organization and your third-parties, and ensure that staff are appropriate trained in executing and managing them.

Creating a vendor risk assessment, or by using one of the many available online, you can easily create a risk inventory of your vendors and suppliers that can give your business self-assurance that your suppliers and vendors are employing the necessary security controls. Some questions that you may find on such a form might be, “Does the 3rd party provide information security training to all employees, contractors, and vendors?”, and “Does the 3rd party employee firewalls at all points of network egress?”.

This isn’t a one-time process, unfortunately, and should be reviewed and updated annually for maximum benefit. Both, the ISO-27001 and the CyberSecure Canada Certification require reviews on an annual basis so getting into the habit, and documenting that you’re doing it, can be very beneficial in the long-term.

For further reading, the Canadian Centre for Cyber Security provides an excellent two-page PDF on Supply Chain Security.

Prince Edward Island Data Breach: Synopsis and Opinion

By Justin Robinson / March 9, 2020 June 8, 2021 / Security News / 1 Comment

Ransomware is hitting governments hard. Besides the event that Prince Edward Island experienced, the Canadian territory of Nunavut also experienced a ransomware attack in November of 2019 that crippled systems within that entire government.

Ransomware is a type of Malware that, when introduced to a system, can lock the user out of local system files. The ransomware enumerates through the directories on a victim’s computer to build a file hierarchy of the device. Once a list of files is built, the ransomware uses Windows own cryptography API to encrypt the files (in most cases). The encryption keys are then sent back to the attacker for long-term storage and where you can’t access them.

Earlier iterations of many ransomware strains focused on spread and relied on quantity of infections to drive a successful campaign. This was the case with Wannacry and NotPetya whereby the intent was to cripple the victim into paying the ransom. Newer ransomware is using a level of human control that amounts to an attacker silently having control of a victim network prior to the attacker locking out the system files. What this has allowed is for the attacker to ex-filtrate data from the victim’s system. So not only is the victim locked out of their files, but the attacker also has a copy of any number of those same files to hold over you.

Paying the ransom is not the answer to ransomware. Paying the ransom only perpetuates the effectiveness of ransomware and conditions the attackers to continue the attacks. Ransomware has become big business for these attackers. Unfortunately, the obvious result of not paying the ransom is that your files will likely be released to wider audiences. Prevention should be the number one focus, but having strong incident response and business continuity/disaster recovery plans that include an approved and well structure communications plan is also essential.

Regardless of whether you pay the ransom or not, it should be assumed that the data will eventually be released. Without consignment it’s simply impossible to know otherwise.

The P.E.I. Ransomware

The Prince Edward Island government was impacted by a ransomware called Maze. Maze has been attributed to Threat Actor 2101, or simply TA2101, by Proofpoint. This ransomware is notable for its use of publishing ex-filtrated files to the internet via their website if victims don’t pay instead of selling the data on dark web forums.

In addition, threat actors can use this trove of data to phish other businesses, which should definitely be a big concern for P.E.I. businesses.

Timeline

2020-02-23 — The government reported a 90-minute ransomware incident before it was contained. At that time the province did not believe that any Islanders’ personal information had been affected.

2020-03-03 — Government documents began showing up online when approximately 800MB (uncompressed) of data showed up on Internet. According to the Maze ransomware website, they have approximately 200GB of archives.

What’s Next?

The inevitability of the release of the rest of the files can’t prevent recovery, which will almost certainly involve a hard look at the information security of the province. A forensics audit will need to take place in order to determine the extent of files that may have been accessed. Communications will then need to take place to any impacted individuals and businesses so that they may take appropriate actions, if deemed necessary.

Both CreditKarma and Borrowell offer free credit scores and credit reports every quarter. Freezing your credit can be done by calling all major credit bureaus.

A recent article by Forbes stated that the average cost of a ransomware incident has skyrocketed to over $84,000. This is likely on the low-end as most incidents go unreported and there is no clear measurement baseline for what ransomware incident costs should include. The ransomware attack on the City of Atlanta could have cost tax-payers an estimated $17 million dollars, but I wasn’t able to find any exact numbers. It’s not infeasible to suggest that this incident may cost the P.E.I. government over $1 million dollars when all is said and done.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.