
    SN 988: National Public Data - Big Patch Tuesday, The Biggest Data Breach

August 20, 2024

• Certificate revocation, data breach: Last week's Patch Tuesday included 99 security fixes; this episode covers updates on certificate revocation and the largest personal data breach in history. Security Now also shared developments on GRC's email service and its IsBootSecure tool, and gave background on the data breach and how to protect against it.

Last week's Patch Tuesday brought about 99 security fixes, and this episode of Security Now discusses a few of them, along with an update on certificate revocation and the largest personal data breach in history. Steve Gibson also shares his excitement about Security Now's 19th birthday and the ongoing development of GRC's email service and of IsBootSecure. The hosts then delve into the background and impact of the massive data breach, helping listeners understand how to protect themselves, and present a "picture of the week" that is sure to be a geek favorite. Security Now, now in its 988th episode, continues to provide listeners with essential security news and insights.

• Open source software and OCSP: Open source software like Bitwarden enhances security, while the industry's potential abandonment of OCSP in favor of certificate revocation lists is seen as "insanity" by some; OCSP Must-Staple offers a potential solution.

Open source software, such as Bitwarden, is vital for enhancing security. During the discussion, Steve shared his appreciation for Bitwarden's open-source nature and expressed gratitude for its support of security. He also presented a creative water-cooler diagram explaining various RAID configurations. A listener named Andrew raised concerns about the industry's potential abandonment of the Online Certificate Status Protocol (OCSP) in favor of certificate revocation lists (CRLs). Andrew argued that OCSP appears to be working effectively, yet the industry plans to make its support optional. In response, Steve suggested testing CRLs as a replacement and agreed with Andrew's sentiment, labeling the move "insanity." Lastly, Steve introduced OCSP Must-Staple, which allows a website to ask its certificate authority to include a flag in the TLS certificate that requires an up-to-date OCSP status to be stapled to every TLS handshake. Once the certificate is issued, that flag cannot be changed.

• OCSP effectiveness: OCSP's effectiveness in certificate validation depends on the adoption of OCSP stapling, but its reliability has been a challenge due to the inconsistent availability and use of OCSP services.

The Online Certificate Status Protocol (OCSP) is a crucial component of certificate validation in secure web communications. However, its effectiveness relies on the availability and reliability of OCSP stapling, which is not yet universally adopted. An industry move toward mandatory OCSP Must-Staple would force all web servers to support stapling, ensuring fast revocation notification with zero privacy risk, since the browser never has to contact the certificate authority itself. That solution, however, depends on the robustness and reliability of OCSP services, which have been a challenge in the past. The plain vanilla certificate system, while elegant and minimal, lacks any mechanism for real-time communication to check whether a certificate has been revoked, so OCSP or another solution has to be added on top of it. The performance-driven limits on browser-side OCSP checking, and the exposure of certificates without Must-Staple to long-term abuse after revocation, pose significant security concerns.

• OCSP stapling risks: Expired stapled OCSP responses can lead to certificates being trusted after revocation, affecting a large number of servers and browsers. Conversely, an OCSP outage could cause a massive number of certificates to become untrusted if stapling were mandatory.

The online aspect of certificate validation, whether OCSP stapling or direct querying of OCSP responders, poses significant risks and challenges. The discussion highlighted the problem of expired stapled OCSP responses, which can lead to certificates being trusted even after revocation. This problem is not limited to specific servers or certificate authorities and can affect a large number of servers and browsers. The danger of making stapling mandatory was also discussed: an OCSP outage could result in a massive number of certificates becoming untrusted. The alternative, certificate revocation lists, is less dependent on online lookups and therefore less prone to these failures. A practical demonstration was provided by blocking the server's access to DigiCert's OCSP service, which left the server presenting a stale stapled response; several browsers then trusted the revoked certificate. Only Firefox, which queries OCSP responders itself, correctly refused to show the revoked website. The discussion emphasized the importance of online certificate validation, but also its limitations and the risks it introduces, all of which must be weighed when implementing and relying on such systems.
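The client-side decision described in the last two sections, as an added example that is not code from the show or from GRC: a model of how a TLS client treats a stapled OCSP response once its nextUpdate has passed, with and without Must-Staple, and with or without a live responder query. The Certificate, StapledResponse and ClientPolicy types and the scenario values are constructed for illustration; the two client policies are labelled "Chrome-like" and "Firefox-like" only to mirror the behaviours the episode reported.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# OCSP certificate status values as the protocol defines them.
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class Certificate:
    subject: str
    must_staple: bool  # TLS Feature extension (status_request), fixed at issuance


@dataclass
class StapledResponse:
    status: str               # GOOD / REVOKED / UNKNOWN
    this_update: datetime
    next_update: datetime     # after this the staple is stale and must not be relied on


@dataclass
class ClientPolicy:
    name: str
    live_query: bool  # does the client ask the responder itself when no usable staple?


def staple_is_fresh(staple: StapledResponse, now: datetime) -> bool:
    """A staple may only be relied on inside its own validity window."""
    return staple.this_update <= now <= staple.next_update


def evaluate(cert: Certificate, staple: Optional[StapledResponse],
             policy: ClientPolicy, now: datetime,
             live_status: Optional[str] = None) -> Tuple[bool, str]:
    """Return (trusted, reason) for `cert` as seen by a client following `policy`.

    live_status is what a direct responder query from the client would return,
    or None if the responder is unreachable from the client."""
    if staple is not None and staple_is_fresh(staple, now):
        if staple.status == GOOD:
            return True, "fresh staple says good"
        return False, f"fresh staple says {staple.status}"
    # From here on there is no usable staple (absent or expired).
    if cert.must_staple:
        # Must-Staple turns a missing/stale staple into a hard failure.
        return False, "must-staple certificate without a fresh staple: hard fail"
    if policy.live_query:
        if live_status is None:
            return True, "responder unreachable from client: soft fail"
        if live_status == GOOD:
            return True, "live query says good"
        return False, f"live query says {live_status}"
    return True, "no live OCSP check; stale or missing staple ignored: soft fail"


def page_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed re-run of the episode's demonstration: a revoked certificate whose
    server can no longer refresh its staple, so the staple it sends has expired."""
    now = datetime(2024, 8, 13, 12, 0, tzinfo=timezone.utc)
    stale = StapledResponse(REVOKED,
                            this_update=now - timedelta(days=9),
                            next_update=now - timedelta(days=2))  # expired two days ago
    plain = Certificate("revoked.example", must_staple=False)
    hardened = Certificate("revoked.example", must_staple=True)
    no_query = ClientPolicy("Chrome-like", live_query=False)
    queries = ClientPolicy("Firefox-like", live_query=True)
    return {
        # the client's own responder query still works; only the server was blocked
        "Chrome-like": evaluate(plain, stale, no_query, now, live_status=REVOKED),
        "Firefox-like": evaluate(plain, stale, queries, now, live_status=REVOKED),
        "must-staple": evaluate(hardened, stale, no_query, now, live_status=REVOKED),
    }


if __name__ == "__main__":
    for client, (trusted, why) in page_demo().items():
        print(f"{client:13s} trusted={trusted!s:5s} ({why})")
```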

• Zero-day flaws: Zero-day flaws, like the six addressed in Microsoft's August Patch Tuesday, pose significant risks and require immediate patching to prevent further exploitation.

Foundational knowledge is crucial for understanding complex topics, as evidenced by the early episodes of the podcast explaining how the internet and CPUs work. Microsoft's August Patch Tuesday addressed 90 security vulnerabilities, six of which were zero-day flaws already being actively exploited. These zero-days included local privilege escalation vulnerabilities and a remote code execution vulnerability in Microsoft Edge's Internet Explorer mode. The importance of timely patching was emphasized, since enterprises have been known to hesitate out of concern for application disruptions. An exciting discovery was the resurfacing of old audio tapes from a 1980s radio show, "The Famous Computer Cafe," featuring interviews with tech luminaries like Bill Gates, Douglas Adams, and Timothy Leary. These recordings, now available at the Internet Archive, provide a unique glimpse into the history of the home computer revolution.

• Technological challenges: Preservation of old computer media is threatened by environmental factors. New tools like GRC's IsBootSecure freeware help secure PCs, but obstacles such as over-restrictive Wi-Fi firewalls remain, and DNS server entries must be updated when changing registrars. Certificate expiration and revocation involve trade-offs, with Let's Encrypt choosing 90-day certificates to reduce infrastructure load.

While technology advances provide solutions for various issues, there are still challenges to overcome. The preservation of old computer media was highlighted, with the caveat that reel-to-reel tapes have a limited lifespan because of heat, humidity, and magnetic coating flaking off. On the tools side, GRC's IsBootSecure freeware was introduced to let organizations silently check the Secure Boot status of their PCs. Even so, obstacles such as over-restrictive Wi-Fi firewalls that block all non-web traffic make it difficult for users to communicate through them. Another topic was the importance of updating DNS server entries when switching domain registrars. Lastly, the trade-offs of certificate expiration and revocation were explored, with Let's Encrypt's choice of 90-day certificates explained by its need to reduce infrastructure load when it was starting out. Overall, the conversation underscored the importance of continuous innovation and adaptation to overcome technological challenges.

• Digital certificate validity and security: Expired digital certificates for websites can lead to traffic loss and potential security vulnerabilities, while for UEFI firmware, expiration dates do not directly affect functionality unless the root certificate is distrusted. Protecting sensitive data is crucial to prevent major data breaches.

The validity period of digital certificates, whether for websites or UEFI firmware, plays a crucial role in online security. For UEFI firmware, the expiration date does not directly impact the certificate's functionality unless the root certificate is deliberately distrusted. For websites, however, serving an expired certificate can result in traffic loss and potential security concerns. Additionally, a major data breach involving personal information, including names, addresses, and partial Social Security numbers, has highlighted the importance of protecting sensitive data. The breach, which affected individuals in the US, Canada, and the UK, emphasizes the need for robust cybersecurity measures to prevent such incidents in the future.

• National Public Data breach: A cybercriminal group calling itself U.S. DOD allegedly breached a data aggregator's database, exposing nearly three billion records of personal information, including Social Security numbers, current and past addresses, full names, and more, offered for sale on the dark web for $3.5 million. Individuals should take steps to protect their personal information, such as freezing their credit reports.

The National Public Data breach, which exposed the personal information of nearly three billion individuals, is a significant data security incident. The data aggregator, which provides criminal reports, background checks, and more, had its database allegedly breached by a cybercriminal group calling itself U.S. DOD. The data, which includes Social Security numbers, current and past addresses, full names, and more, was put up for sale on the dark web for $3.5 million. The breach is already the subject of a class action lawsuit, and it is unclear exactly when or how it occurred. The company, named in the lawsuit as Jericho Pictures Inc, did not immediately respond to a request for comment. Troy Hunt, a well-known cybersecurity expert, has been collecting information related to the incident and has noted inconsistencies in the reported data, such as the discrepancy between the reported 2.9 billion records and the combined population of the affected countries. The financial motive behind the breach is clear, and individuals should take steps to protect their personal information, such as freezing their credit reports at the three primary credit reporting agencies.

• Data breach on National Public Data: A large data set containing sensitive information was stolen, emphasizing the importance of data privacy and the need to protect personal information.

A large data set, titled National Public Data and containing approximately 2.9 billion rows, was put up for sale on the dark web. The headline number is misleading, since it counts rows of data rather than unique individuals, but the data did contain sensitive information such as first and last names, addresses, and Social Security numbers. Notably, individuals who had opted out of data collection services were not included in the breach, suggesting that the data originated from a legally operating data aggregator that was hacked. This underscores the importance of data privacy and the need for individuals and businesses to protect their personal information. A service like DeleteMe can help remove your information from hundreds of data brokers and reduce the risk of identity theft and other cybersecurity threats.

• Data breach at Jericho Pictures Inc: A data breach at Jericho Pictures Inc potentially affected 2.9 billion people, with the exposed email addresses posing a significant risk of identity theft and financial fraud. The breach is a reminder of the importance of securing personal information and of the risks of data aggregation and circulation.

A massive data breach involving personal information, including names, addresses, and Social Security numbers, potentially affecting up to 2.9 billion people, was publicly posted last week. The data, which had been circulating in limited circles for months, contains a large number of email addresses, making it a significant risk for identity theft and financial fraud. The company, Jericho Pictures Inc, is facing potential lawsuits and legal challenges over the incident. The data, initially believed to total 4 terabytes, has been released in parts, some containing as many as 134 million unique email addresses. However, the legitimacy and origin of the data are still unclear, making it difficult to verify and to add to databases designed to help people check their exposure in data breaches. The breach serves as a reminder of the importance of securing personal information and of the risks of data aggregation and circulation, even when the data was not originally obtained illegally.

• NPD data breach: The NPD data breach exposed sensitive personal data, some of which may be invalid or low-quality, and individuals must take action to protect themselves, such as freezing their credit and using opt-out services. The incident underscores the need for stronger data protection laws and policies.

The National Public Data (NPD) breach, which exposed a massive amount of personal data, likely includes invalid and low-quality data that NPD may have collected and sold to pad out its offerings. Troy Hunt, the cybersecurity expert who discovered the breach, emphasizes that the data, which includes Social Security numbers, addresses, and other sensitive information, is now public and cannot be recalled. He advises individuals to take action to protect themselves, such as freezing their credit and using opt-out services. The breach has also highlighted the need for changes in laws and policies to better protect personal data and prevent its unauthorized collection and sale. The incident is a reminder that individuals must remain vigilant and proactive in safeguarding their personal information.

• Data breaches, credit report freeze: Despite efforts to secure sensitive data, breaches continue to occur. Freezing credit reports is a reactive measure against data exposure; investing in proactive security measures like Tines can help organizations stay ahead of cybercriminals.

Sensitive data continues to be a significant risk, with breaches occurring despite efforts to secure it. The NPD data breach is just one example, and it is possible that the attackers created a fake site to obtain administrator credentials. Meanwhile, FlightAware also reported a breach exposing customer information, including Social Security numbers. The best defense for individuals against such exposures is to freeze their credit reports, which is free under federal law. That is only a reactive measure, however. To stay ahead of cybercriminals, organizations need to invest in proactive security measures, such as automation and orchestration tools like Tines, which help security teams respond to threats more effectively and efficiently, saving valuable time and resources. Tines is used by major companies like McKesson, Canva, and Mars to automate and streamline their security workflows. To learn more and start building for free, visit tines.com/twit.

SN 988: National Public Data - Big Patch Tuesday, The Biggest Data Breach
    • Revocation Update
    • GRC's next experiment
    • Patch Tuesday
    • "The Famous Computer Café"
    • IsBootSecure
    • GRC Email
    • Working through WiFi Firewalls
    • Transferring DNS
    • OCSP attestation vs. TLS expiration
    • Platform key expiration
    • National Public Data

    Show Notes - https://www.grc.com/sn/SN-988-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte

    Download or subscribe to this show at https://twit.tv/shows/security-now.

    Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

    You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

    © 2024 Podcastworld. All rights reserved