Almost five million Gmail credentials were posted to a Russian-language bitcoin forum a few days ago. Google’s official position is that these credentials were harvested externally and that Gmail itself does not have a vulnerability that has allowed credential disclosure.
This seems like a reasonable position given the limited number of credentials leaked (relative to the massive number of Gmail users). I believe the list was harvested through the use of password-stealing malware or through social engineering (e.g. phishing), or a combination of such techniques. Some of the leaked passwords appeared unlikely to have been dictionary cracked, so a leak of hashed passwords from Google looks even more unlikely.
UPDATE: A site has appeared – isleaked.com (unfortunately also Russian language) – to allow concerned users to search the list of leaked credentials to see if they are affected. I would not personally enter my Gmail address into a web resource published by an unknown party: while the author’s intent may be benevolent, it is equally likely that form submissions are being harvested for unsolicited email lists.
UPDATE: PC World and the mainstream tech media have taken up the story.
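The alternative to handing your address to an unknown lookup form is to check a copy of the list yourself, offline. The script below is an added example written for this post, not code from the original article or from any of the sites mentioned; the dump lines it contains are constructed, not data from the real leak. It canonicalises Gmail addresses before comparing (Gmail ignores dots in the local part, drops any `+tag` suffix, and treats googlemail.com as gmail.com, so `John.Doe+x@gmail.com` and `johndoe@gmail.com` are the same mailbox), and it keeps only SHA-256 fingerprints of the leaked addresses so the plaintext credential list does not need to stay on disk once the fingerprint set has been built.

```python
import hashlib
from typing import Set

# Constructed sample in the "address:password" shape such dumps usually take.
# These are made-up entries for the example, not lines from the actual leak.
SAMPLE_DUMP = """\
John.Doe@gmail.com:hunter2
alice+shopping@googlemail.com:letmein
bob_smith@gmail.com:password1
# a malformed line that the loader should skip
not-an-email-line
"""


def normalize_gmail(address: str) -> str:
    """Canonicalise an address so Gmail aliases compare equal.

    For gmail.com / googlemail.com: lower-case, strip dots from the local
    part, drop anything after '+', and map the domain to gmail.com.
    Other domains are only lower-cased, since those rules do not apply.
    """
    address = address.strip().lower()
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def address_fingerprint(address: str) -> str:
    """SHA-256 of the canonical address; this is what we keep, not the address."""
    return hashlib.sha256(normalize_gmail(address).encode("utf-8")).hexdigest()


def load_dump_fingerprints(text: str) -> Set[str]:
    """Build the fingerprint set from a dump; passwords are read and discarded."""
    fingerprints = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user = line.split(":", 1)[0]        # everything before the first ':'
        if "@" not in user:
            continue                         # not an address, skip the line
        fingerprints.add(address_fingerprint(user))
    return fingerprints


def is_affected(address: str, fingerprints: Set[str]) -> bool:
    """True if the (canonicalised) address appears in the dump."""
    return address_fingerprint(address) in fingerprints


if __name__ == "__main__":
    fps = load_dump_fingerprints(SAMPLE_DUMP)
    for probe in ("johndoe@gmail.com", "j.o.h.n.doe+news@gmail.com",
                  "alice@gmail.com", "bob.smith@gmail.com"):
        print(f"{probe:32} affected={is_affected(probe, fps)}")
```

Note the last probe: `bob.smith@gmail.com` is not reported, because only dots are ignored by Gmail, not underscores, so it is a different mailbox from `bob_smith@gmail.com`. To use this against a real file, read it into `load_dump_fingerprints` once, keep the resulting set, and delete the source file.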
Many of the documents that Edward Snowden leaked have been in the public domain for quite some time, yet a detailed analysis of their content has yet to occur. Sure, the affiliated newspapers have singled out what they believe are the most interesting parts of the story, and folks like Bruce Schneier have done an excellent job dissecting some of the leaked slides on his blog over the last few months, but we haven’t seen the kind of intense interest that I personally expected. Perhaps this was a direct result of Greenwald and Co.’s decision to slowly dribble out the information. Although this tactic was good for selling papers, it probably wasn’t optimal as far as Snowden was concerned if he was (and we must assume he was) primarily concerned with getting all of the information into the hands of the public: these delays allowed authorities to severely curtail the ability of the news agencies involved to continue leaking the documents, and informed discussion was replaced with editorials full of speculation and inaccuracies. Clearly this was mishandled, as was the decision to redact some of the most important information from the leaked material.

Snowden gave up a well-paying job in Hawaii to become persona non grata; effectively he will need to watch his back for the remainder of his life, and his future safety is far from certain. Snowden was no Manning. He knew well in advance what the consequences of his actions would be, and he was forced to entrust members of the supposedly ‘free’ press to complete a task: spreading the word about these unconstitutional programs. In practical terms that was a success, but unfortunately, due to the way the disclosures were conducted, the small sample of documents released was far from edifying.
The redactions in many of the released documents were entirely unnecessary, and the explanations given as to their necessity were baffling. These were not the names of secret agents who could be identified and killed abroad – no, these were the names of VPN appliance vendors and software companies. The cynical observer would note that the redactions are likely due to the Guardian and friends’ aversion to process servers appearing in their offices. Unfortunately, this makes a leaked document pretty much useless when the vulnerable product is not identified. This is not an isolated example.
That said – I believe that in the case of a wholesale government document release, like the Wikileaks/Manning disclosure before it, it is essential that we carefully go through each of the leaked documents with a fresh set of eyes to see if we can extract something ‘new’ out of material we have already seen. So I will be doing my best to examine the raw material that is available from both the Guardian’s website and, thankfully, a much more complete collection available for search and direct download from the ACLU. The most interesting documents I will devote a blog post to. Yes, I will apply experience and trade knowledge to editorialize on information not present and draw conclusions that may be inaccurate. Perhaps this makes me no better than those I criticized in the preceding paragraphs. Nonetheless, unlike the newspapers, who had both access to the raw material and the source himself to interview should any questions arise, I have none of the above and must try to understand what is going on – and in some of these documents the lack of context and the use of NSA codewords and jargon makes that quite difficult. In any case, I will try to make a weekly feature out of this: we will examine known NSA operations and have a look at the source material, along with corroborating evidence already in the public domain.
Chinese restaurant chain P.F. Chang’s has apparently had quite a serious data breach, with credit card details of customers appearing on an online marketplace for dumps and other material. Brian Krebs has a brief summary of what he discovered. The nationwide chain, which is based in Scottsdale, AZ, has over two hundred locations. The company has responded by creating an online clearinghouse for information relating to the breach.
A statement placed on the aforementioned page by CEO Rick Federico claims that they first learned of the breach on June 10 and that they, with help from the Secret Service, “have concluded that data has been compromised,” which I guess officially confirms that the information that has been leaked is indeed genuine. The statement goes on to describe their mitigation efforts, which include their restaurants falling back to “a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States.” Unfortunately this is rapidly turning into a P.R. nightmare for the chain, with the story today being picked up by USA Today, amongst others.
This again goes to show that failing to secure your customers’ sensitive information can result in very real consequences that far exceed the damage of the initial compromise. These can include potential legal action, compliance investigations and, perhaps most importantly, potentially irreparable damage to the trust your business has with its clients. If you can avoid storing the card data in house and can offload that risk to your card processing organization, then all the better.