Archive | May, 2018

iDrive doesn’t take security seriously

24 May

I’ve mentioned before how I’m able to act as a canary in the email-database coal mine. …And how companies often don’t take my free, valuable chirps seriously. It happened again.

The unique email address I use to access iDrive started receiving spam in February 2018. It wasn’t just any spam; these sophisticated phishing emails were sent to an email address only iDrive had, and also contained my username/login.

When I contacted iDrive, they blew me off.

Then they blew me off again. More accurately, they gave me plenty of lip service, denial, and smoke far up my ass. (All the while admitting other people had contacted them regarding the phishing.) This continued for several calls over several weeks. Until I posted publicly on Twitter.

iDrive CEO Raghu Kulkarni promptly contacted me.

We talked about the difference between companies reacting appropriately to breaches:

Twitter had just announced a big breach and contacted millions upon millions of users, asking them to change their passwords

…and companies reacting poorly:

iDrive trying to convince a whistle-blower there wasn’t a breach, despite hard evidence. (How does one prove a negative, anyhow?)

In exchange for deleting my tweet, Mr. Kulkarni agreed to set up a crisis communications plan. Within a week’s time, he promised to get all levels of iDrive customer support on board with an appropriate response, should a similar problem arise in the future.

More lip service

Weeks later a friend who signed up for iDrive because of my recommendation contacted them regarding the phishing attempt. He received the same brush-off I did.

iDrive does not take data security seriously.

I only have evidence of a third party accessing email addresses and usernames. Did they also gain access to other allegedly secure bits? I don’t know. Probably not. All the more reason to just react appropriately, and send an email warning customers that somebody gained access to a subset of clients’ usernames and email addresses. …With a little note about how to avoid sophisticated phishing attempts. …Phishing they have hard evidence of. iDrive doesn’t want to do this, clearly.

How did this iDrive breach happen?

Maybe an employee had this info on their laptop or PC, which was then infected with malware. The malware shared the data.

Maybe a former or current employee sold the data to spammers or used it for personal gain?

Maybe it was a good old fashioned breach by some 1990s movie-style hackers.

I can tell you one thing for sure; as in many cases, nobody seems to know. I don’t know how it happened. iDrive won’t even admit there was a breach. What we do know is that iDrive would rather brush evidence of a minor breach under the rug than address it properly.

What would iDrive do after a more serious breach?

I don’t trust them with my data anymore. I’m looking for a new data backup provider. I’ve been with iDrive for years. I really wanted them to do the right thing so I could stay with them. Alas, I don’t trust them, now.

Screenshots of both phishing spams I received are included below. I can only assume the spam continued for others; I set my iDrive email address to return a server error upon message receipt, so I can’t tell you. Spam sucks. So do companies that don’t take security seriously.

idrive phishing spam

First evidence of iDrive hack

idrive email breach

Second evidence of iDrive breach.

Dan Dreifort consults on SEO, UX, and sometimes crawls out of the woodwork to opine on infosec, too, it would seem. His band Cat Shit’s new album (Make America Shit Again) hits in June 2018.

 

 

Redirector Browser Extension Takes You Where You Want to Go

2 May

AT&T just installed fiber to my house. It’s fast. I get a steady 949 Mbps up and down. I had no complaints about the 160 Mbps/14 Mbps I was getting from Cox, but my inner geek couldn’t say no to faster-for-the-same-price.

The install was pretty smooth, but during the bumps, I would type nonsense URLs in to see if things were working. Most of the domains actually existed, but when I hit something that wasn’t live, I got the AT&T-branded page telling me the page I’m looking for isn’t available. Well, it said that somewhere within the mess of ads. Call it what you will, it’s DNS hijacking. Amazingly, AT&T allows users to opt out of “this service”. But some ISPs don’t.

End ISP DNS Hijacking

Before I noticed that opt-out, I took a minute to update my Redirector settings appropriately. No more AT&T DNS hijacking. (I’d previously used it to prevent Cox from hijacking my DNS.)

It works in Firefox, Chrome, and Opera, and Redirector is good for more than stopping DNS hijacking. It’s a versatile browser usability enhancer.

Use Redirector to Help Your Favorite Charity

I don’t have a car, and I loathe shopping, so I regularly shop with Amazon for things I can’t get by foot or on my bike. I made a valiant effort to remember to use Amazon’s Smile program special URLs to help my favorite charity (Death With Dignity National Centers), but I’d usually forget. The AmazonSmile Foundation will donate 0.5% of the purchase price of eligible products to the charitable organization of your choice.

I didn’t want to leave those easy donations on the table, so I searched for something that could remember for me. Enter Redirector. Now, every time I click an Amazon link, or type amazon.com into my browser, I’m taken to the smile.amazon.com version of that page, instead.

I’ve uploaded an image of my Redirector settings at the bottom of this post in case you too want to more frequently, passively donate to your fave cause, or if you want to stop your ISP from hijacking your DNS. It’s easy. For the latter, you can use the same DNS hijacking forwarding URL I use, or copy the PHP snippet from that page.

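<?php
// The Referer header is client-supplied input: HTML-escape it before printing
// so markup or script in the referring URL is shown as text, not executed.
if (isset($_SERVER['HTTP_REFERER'])) {
    echo htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');
}
?>

…Not that you need the PHP on the page you load instead of your ISP’s branded page, but it helps to be able to see a printout of the potentially improperly typed URL. e.g. below.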

icurdDNSerror

Above: This is the plain-Jane message I get when I type in a bad URL, e.g. doesthisdomainexist.com

 

Redirector settings below. Click for larger image.

 

redirector
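The kind of rule set described above, as an added example (not the author's actual Redirector settings and not the extension's own code): a small JavaScript model of regex redirect rules, showing why the Amazon pattern should be anchored to the scheme and host. The rule field names, the `dnserror.isp.example` host and the `landing.example` URL are placeholders assumed for illustration.

```javascript
// Added example: a minimal model of regex redirect rules (not the extension's code).
// Rule field names and both *.example hosts are placeholders assumed for illustration.
const rules = [
  {
    description: "Amazon -> AmazonSmile",
    // Anchored at scheme and host, so smile.amazon.com (already redirected)
    // and lookalike hosts such as amazon.com.example.net never match.
    include: /^https?:\/\/(?:www\.)?amazon\.com(\/.*)?$/i,
    redirectTo: "https://smile.amazon.com$1",
  },
  {
    description: "ISP 'page not found' search page -> own landing page",
    include: /^https?:\/\/dnserror\.isp\.example\/.*$/i,
    redirectTo: "https://landing.example/dns-error.php",
  },
];

// An unanchored pattern, shown only for contrast.
const naivePattern = /amazon\.com/i;

function naiveMatches(url) {
  return naivePattern.test(url);
}

// Returns the redirect target for url, or null when no rule applies.
function redirect(url) {
  for (const rule of rules) {
    const m = rule.include.exec(url);
    if (!m) continue;
    // Substitute $1..$9 with capture groups; an unmatched group becomes "".
    const target = rule.redirectTo.replace(/\$(\d)/g, (_, i) => m[Number(i)] ?? "");
    return target === url ? null : target;
  }
  return null;
}

console.log(redirect("https://www.amazon.com/dp/B000TEST?ref=x"));
```

The unanchored pattern matches both the already-redirected `smile.amazon.com` URL (a redirect loop) and a lookalike host, which is why the rule above pins the scheme and hostname.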

Let me know if you have problems. I’ll add more detail to this post as needed.

 

Dan Dreifort consults on UX and SEO.  I also make music, and enjoy biking and walking around San Diego, when I’m not broken.

 
