Cyber breaches abound in 2019
https://techcrunch.com/2018/12/26/cyber-breaches-abound-in-2019/
News of high-profile cyber breaches has been uncharacteristically subdued in recent quarters.
Is this a harbinger of a worse hacking landscape in 2019?
The answer is unequivocally yes. Cyber breaches have been a gigantic thorn in the side of the global economy for years, but expect them to be even more rampant in 2019, as continually improving malware is deployed more aggressively on more fronts and data-driven businesses move squarely into the “target zone” of cyber attacks.
On the cybersecurity side, a growing number of experts believe that multi-factor authentication will become the standard for all online businesses.
Here are links to some articles that can hopefully help you manage your cybersecurity better:
Cybersecurity 101: Why you need to use a password manager
https://techcrunch.com/2018/12/25/cybersecurity-101-guide-password-manager/
Cybersecurity 101: Five simple security guides for protecting your privacy
https://techcrunch.com/2018/12/26/cybersecurity-101-security-guides-protect-privacy/
Tomi Engdahl says:
T-Mobile confirms customers’ personal data accessed in hack
https://www.engadget.com/2019/11/22/t-mobile-data-breach/
Tomi Engdahl says:
Magento Marketplace Suffers Data Breach Exposing Users’ Account Info
https://thehackernews.com/2019/11/magento-marketplace-data-breach.html
Tomi Engdahl says:
https://it.slashdot.org/story/19/12/02/0210237/millions-of-sms-text-messages-exposed-in-unencrypted-database
“A massive database storing tens of millions of SMS text messages, most of which were sent by businesses to
potential customers, has been found online,” reports TechCrunch. The database belongs to a company that
works with over 990 cell phone operators and reaches more than 5 billion subscribers around the world, according to the researchers.
https://www.vpnmentor.com/blog/report-truedialog-leak/?=truedialog-exposed-data
https://techcrunch.com/2019/12/01/millions-sms-messages-exposed/
Tomi Engdahl says:
Smartwatch exposes locations and other data on thousands of children
https://www.welivesecurity.com/2019/11/29/smartwatch-exposes-location-data-children/
A device that is supposed to help parents keep track of their children
and give them a peace of mind can be turned into a surveillance device
Tomi Engdahl says:
Data of 21 million Mixcloud users put up for sale on the dark web
https://www.zdnet.com/article/data-of-21-million-mixcloud-users-put-up-for-sale-on-the-dark-web/
A hacker has breached online music streaming service Mixcloud earlier
this month, and is now selling the site’s user data online, on a dark
web marketplace. The Mixcloud data is currently sold for a price of
$2,000.
Tomi Engdahl says:
Millions of SMS messages exposed in database security lapse
https://techcrunch.com/2019/12/01/millions-sms-messages-exposed/
Tomi Engdahl says:
TrueDialog Leaks 600GB of Personal Data, Affecting Millions
https://securityboulevard.com/2019/12/truedialog-leaks-600gb-of-personal-data-affecting-millions/
Another day, another unsecured cloud database. But this one’s huge and opens up multiple risks.
Who’s responsible this time? “Enterprise-Grade SMS Solutions” company TrueDialog describes itself as “an innovative communications-as-a-service company.” And its products “are ideal for businesses serious about scalability, security and compliance.”
The database stored years of sent and received text messages … none of the data was encrypted.
…
The data … contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents. [It] contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.
Tomi Engdahl says:
A Sprint contractor left thousands of US cell phone bills on the internet by mistake
https://techcrunch.com/2019/12/04/sprint-contractor-cell-phone-bills-exposed/?tpcc=ECFB2019
A contractor working for cell giant Sprint stored on an unprotected cloud server hundreds of thousands of cell phone bills of AT&T, Verizon and T-Mobile subscribers.
The storage bucket had more than 261,300 documents, the vast majority of which were phone bills belonging to cell subscribers dating as far back as 2015. But the bucket, hosted on Amazon Web Services (AWS), was not protected with a password, allowing anyone to access the data inside.
In some cases we found other sensitive documents, such as a bank statement, and a screenshot of a web page that had subscribers’ online usernames, passwords and account PINs — which in combination could allow access to a customer’s account.
Tomi Engdahl says:
Hacker Accessed Private Reports on HackerOne
https://www.securityweek.com/hacker-accessed-private-reports-hackerone
A hacker was able to access private customer reports on HackerOne after one of the platform’s security analysts inadvertently shared a session cookie.
The incident occurred last week during an online exchange about a bug bounty report that the hacker submitted to HackerOne. Specifically, the HackerOne Security Analyst copied a cURL command from a browser console and sent it to the hacker without removing sensitive information from it.
This resulted in the Analyst’s security cookie being shared with the hacker. The session cookie is obtained after the HackerOne staff member goes through multi-factor Single Sign-On (SSO) and provides access to all platform features, including all of the reports that the Analyst supports.
With the session cookie in hand, the hacker was able to access a broad range of sensitive information, such as HackerOne customer reports, including some from private bug bounty programs.
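The root cause above is a “Copy as cURL” string that still carried the analyst’s session cookie. As an added example that is not from the article or from HackerOne, this Python helper flags and masks credential-bearing headers and flags in such a command before it is pasted anywhere; the header list, the `<REDACTED>` marker and the sample command are constructed for this example.

```python
"""Redact credential-bearing headers from a cURL command copied from browser dev tools."""
import shlex

# Header names whose values act as bearer credentials. Illustrative list for
# this example; add whatever your own stack uses to carry a session.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-api-key"}
# cURL flags whose following argument is itself a credential.
SENSITIVE_FLAGS = {"-b", "--cookie", "-u", "--user"}
REDACTED = "<REDACTED>"


def _split_header(raw):
    """Split 'Name: value' into (name, value); value is None when there is no colon."""
    name, sep, value = raw.partition(":")
    return name.strip(), (value.strip() if sep else None)


def find_credentials(command):
    """Return the names of credential-bearing headers/flags present in the command."""
    tokens = shlex.split(command)
    found = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-H", "--header"):
            name, value = _split_header(tokens[i + 1])
            if value is not None and name.lower() in SENSITIVE_HEADERS:
                found.append(name)
        elif tok in SENSITIVE_FLAGS:
            found.append(tok)
    return found


def redact_curl(command):
    """Return the command with every credential value replaced by <REDACTED>.

    Browser dev tools emit every request header, including the session cookie,
    so sharing the raw string hands over the whole logged-in session.
    """
    tokens = shlex.split(command)
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_arg = i + 1 < len(tokens)
        if tok in ("-H", "--header") and has_arg:
            name, value = _split_header(tokens[i + 1])
            if value is not None and name.lower() in SENSITIVE_HEADERS:
                out += [tok, f"{name}: {REDACTED}"]
            else:
                out += [tok, tokens[i + 1]]
            i += 2
        elif tok in SENSITIVE_FLAGS and has_arg:
            out += [tok, REDACTED]
            i += 2
        else:
            out.append(tok)
            i += 1
    # Re-quote so the result is still a valid shell command line.
    return " ".join(shlex.quote(t) for t in out)


# Constructed sample, modelled on what "Copy as cURL" produces (not a real session).
SAMPLE_COMMAND = (
    "curl 'https://example.test/api/reports/42' "
    "-H 'Accept: application/json' "
    "-H 'Cookie: __Host-session=s3ss10n-t0k3n; _csrf=c5rf' "
    "-H 'Authorization: Bearer eyJhbGciOi-fake' "
    "--compressed"
)

if __name__ == "__main__":
    print("credentials found:", find_credentials(SAMPLE_COMMAND))
    print(redact_curl(SAMPLE_COMMAND))
```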
Tomi Engdahl says:
3,000 Fort Worth Water Department Customers Victims of Data Breach
https://www.nbcdfw.com/news/local/3000-Fort-Worth-Water-Department-Customers-Victims-of-Data-Breach-565838632.html?_osource=SocialFlowFB_DFWBrand
A city contractor, CentralSquare, determined that someone hacked into the software used to process credit card information, water department spokeswoman Mary Gugliuzza said Thursday.
The customers whose data may have been stolen are being notified, she said.
Tomi Engdahl says:
Moscow Cops Sell Access to City CCTV, Facial Recognition Data
https://www.bleepingcomputer.com/news/security/moscow-cops-sell-access-to-city-cctv-facial-recognition-data/
Anyone with a little money can buy access to Moscow’s surveillance system of tens of thousands of cameras and check footage stored over the previous five days.
Sellers on forums and messenger groups that trade illegal data also provide facial recognition lookup services.
Tomi Engdahl says:
BMW and Hyundai hacked by Vietnamese hackers, report claims
https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/
Hacks linked to Ocean Lotus (APT32), a group believed to operate with
orders from the Vietnamese government. German media is reporting that
hackers suspected to have ties to the Vietnamese government have
breached the networks of two car manufacturers, namely BMW and
Hyundai. The report, coming from Bayerischer Rundfunk (BR) and
Taggesschau (TS), claims that hackers breached the network of a BMW
branch sometime this spring. Read also (in German):
https://www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html
and
https://www.br.de/nachrichten/wirtschaft/fr-autoindustrie-im-visier-von-hackern-bmw-ausgespaeht,RjnLkD4
Tomi Engdahl says:
Ransomware at Colorado IT Provider Affects 100+ Dental Offices
https://krebsonsecurity.com/2019/12/ransomware-at-colorado-it-provider-affects-100-dental-offices/
A Colorado company that specializes in providing IT services to dental
offices suffered a ransomware attack this week that is disrupting
operations for more than 100 dentistry practices, KrebsOnSecurity has
learned. Multiple sources affected say their IT provider, Englewood,
Colo. based Complete Technology Solutions (CTS), was hacked, allowing
a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be
installed on computers at more than 100 dentistry businesses that rely
on the company for a range of services including network security,
data backup and voice-over-IP phone service.
Tomi Engdahl says:
Over 1 billion people’s data leaked in an unsecured server
https://yle.fi/uutiset/3-11104203
Tomi Engdahl says:
AT&T, Verizon Subscribers Exposed as Mobile Bills Turn Up on the Open
Web
https://threatpost.com/att-verizon-subscribers-exposed-mobile-bills/150867/
Names, addresses, phone numbers, call and text message records and
account PINs were all caught up in a cloud misconfiguration. Hundreds
of thousands of mobile phone bills for AT&T, Verizon and T-Mobile
subscribers have been laid open to anyone with an internet connection,
thanks to the oversight of a contractor working with Sprint. According
to a media investigation, the contractor misconfigured a cloud storage
bucket on Amazon Web Services (AWS), in which more than 261,300
documents were stored, mainly cell phone bills from Sprint customers
who switched from other carriers.
Tomi Engdahl says:
Over 1 billion people’s data leaked in an unsecured server
https://www.pandasecurity.com/mediacenter/news/billion-consumers-data-breach-elasticsearch/
The dangers inherent to data enrichment were put in the spotlight in
the middle of October when it was discovered that the personal data of
1.2 billion people had been exposed online. Bob Diachenko and Vinny
Troia discovered an Elasticsearch server containing around 4 billion
user accounts, around 4TB of data in total, in four datasets. This data
is believed to belong to two data enrichment companies. Three of the
datasets were tagged with the name of a company of this kind called
“People Data Labs”, while the third set is tagged “EXY”, which the
security researchers believe could be Oxydata, another data enrichment
firm.
Tomi Engdahl says:
Over 750,000 applications for US birth certificate copies exposed online
https://tcrn.ch/38nFGRJ
An online company that allows users to obtain a copy of their birth and death certificates from U.S. state governments has exposed a massive cache of applications — including their personal information.
More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket. (The bucket also had 90,400 death certificate applications, but these could not be accessed or downloaded.)
The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.
The applications dated back to late-2017 and the bucket was updating daily. In one week, the company added about 9,000 applications to the bucket.
Fidus and TechCrunch sent several emails prior to publication to warn of the exposed data, but we received only automated emails and no action was taken.
Tomi Engdahl says:
Salary data of hundreds of people accidentally public online for months – downloaded to over 50 addresses
https://www.iltalehti.fi/digiuutiset/a/dd4e3702-607a-4f59-8075-699fbb6cfb87
Because of an error on the website of the Incomes Register (Tulorekisteri), which compiles Finnish salary data, anyone could view the sensitive data of nearly 400 people.
Tomi Engdahl says:
Data leak exposes 750,000 birth certificate applications
https://www.welivesecurity.com/2019/12/10/data-leak-exposes-750000-birth-certificate-applications/
A variety of sensitive information has been there for the taking due
to an unsecured cloud storage container. Over 752,000 birth
certificate applications have been exposed online by an unnamed
company that enables people to obtain copies of their birth and death
records from state governments in the United States, TechCrunch
reports.
The applications were found on the Amazon Web Services (AWS) cloud
computing platform, sitting out in the open with no password
protection whatsoever. This means anyone who could guess the
relatively simple web address, including bad actors, could access the
records. Read also:
https://techcrunch.com/2019/12/09/birth-certificate-applications-exposed/
Tomi Engdahl says:
Thousands of iPR Software Users Exposed on Amazon S3 Bucket
https://www.securityweek.com/thousands-ipr-software-users-exposed-amazon-s3-bucket
A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal.
The data collection contained, among various other files, 477,000 email addresses, and hashed passwords for around 35,000 of them. Business entity account information, documents, and administrative system credentials were also discovered.
Tomi Engdahl says:
Data Leak Week: Billions of Sensitive Files Exposed Online
https://www.darkreading.com/cloud/data-leak-week-billions-of-sensitive-files-exposed-online/d/d-id/1336574
A total of 2.7 billion email addresses, 1 billion email account
passwords, and nearly 800,000 applications for copies of birth
certificate were found on unsecured cloud buckets. Revelations this
week of separate data exposure incidents – a billion passwords displayed
in plaintext as well as hundreds of thousands of US birth certificate
applications – shared a common thread: unsecured cloud-based databases
that left the sensitive information wide open for anyone to access
online. An epidemic in the past year or so of organizations
inadvertently leaving their Amazon Web Services S3 and ElasticSearch
cloud-based storage buckets exposed and without proper security has
added a new dimension to data breaches. Organizations literally aren’t
locking down their cloud servers, researchers are finding them en
masse, and it’s likely cybercriminals and nation-states are as well.
Misconfigured online storage has led to an increase of 50% in exposed
files this year over 2018, according to data from Digital Shadows
published in May. “Cloud services are inexpensive ways to do things
we’ve done expensively for years, so it makes sense why so many people
are moving their resources to the cloud. The problem is that it’s
still far too easy to make mistakes that expose all your data to the
Internet,” says John Bambanek, vice president of security research
and intelligence at ThreatStop. Security researcher Bob Diachenko last
week discovered a massive ElasticSearch database of more than 2.7
billion email addresses, 1 billion of which included passwords in
plaintext. Most of the stolen email domains were from Internet
providers in China, such as Tencent, Sina, Sohu, and NetEase, although
there were some Yahoo, Gmail, and Russian email domains as well. The
pilfered emails that came with the passwords were confirmed to be part
of a previous massive breach from 2017, when a Dark Web vendor had
them for sale.
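The common thread in these incidents is storage that anyone on the internet could read. As an added example that is not from the article, this Python check audits an S3 bucket policy and bucket ACL (the JSON shapes AWS returns for GetBucketPolicy and GetBucketAcl) for wildcard principals and the public grantee groups; the sample policy, bucket name, role and account id are constructed.

```python
"""Audit an S3 bucket policy and ACL for grants that make the bucket public."""
import json

# AWS-defined grantee groups whose presence in an ACL makes data public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_public(principal):
    """True when a Principal element is "*" or {"AWS": "*"} (anyone at all)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy_json):
    """Return findings for every Allow statement open to a wildcard principal.

    A Condition (e.g. aws:SourceIp) may narrow the grant, so those statements
    are marked REVIEW rather than HIGH; an unconditional wildcard is HIGH.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        conditioned = bool(stmt.get("Condition"))
        findings.append({
            "statement": stmt.get("Sid", f"#{idx}"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": conditioned,
            "severity": "REVIEW" if conditioned else "HIGH",
        })
    return findings


def audit_bucket_acl(acl):
    """Return findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append({"permission": grant.get("Permission"),
                             "grantee": PUBLIC_GRANTEE_URIS[uri]})
    return findings


# Constructed sample policy: a public-read statement of the kind behind the
# exposures above, a conditioned wildcard, and a properly scoped writer.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadForBills", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-billing-exports/*"},
        {"Sid": "OfficeListing", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-billing-exports",
         "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-billing-exports/*"},
    ],
})

# Constructed sample ACL in the GetBucketAcl response shape.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in audit_bucket_policy(SAMPLE_POLICY) + audit_bucket_acl(SAMPLE_ACL):
        print(f)
```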
Tomi Engdahl says:
A thief took Facebook hard drives with payroll data from a worker’s car
https://engt.co/2qNzv8o
They contained payment info for around 29,000 current and former workers.
It seems Facebook just couldn’t make it through to the end of the year without another privacy-related incident. Only this time around, its own employees are affected. A thief broke into a payroll worker’s car and stole hard drives that reportedly contained unencrypted payroll information for around 29,000 current and former US employees.
Tomi Engdahl says:
Tomi Engdahl says:
During the first six months of 2019, more than 4 billion records were exposed by data breaches. That’s a shocking statistic that’s made even more so when you realize that passwords were included in droves. On December 4, a security researcher discovered a treasure trove of more than a billion plain-text passwords in an unsecured online database.
https://www.forbes.com/sites/daveywinder/2019/12/14/ranked-the-worlds-100-worst-passwords/
Tomi Engdahl says:
Cyberattack exposes information of 15 million LifeLabs customers in B.C. and Ontario
https://www.cbc.ca/news/canada/british-columbia/lifelabs-cyberattack-15-million-1.5399577
Breach exposes names, addresses, emails, logins, passwords, health card numbers, tests, company says
The private and personal information of millions of medical patients living in Ontario and B.C. has been breached in a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs.
LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services.
Tomi Engdahl says:
South African IT firm Conor behind the leak of 1 million web browsing
records
https://www.zdnet.com/article/south-african-it-firm-conor-behind-the-leak-of-1-million-web-browsing-records/
Over 890GB of browsing log data of all online activities of over 1
million users has been revealed due to an unencrypted database hailing
from a web filter app built by Conor. A database containing highly
sensitive and private information and activity, including porn
browsing history, has been exposed, with users in South Africa mostly
affected. Read also:
https://www.vpnmentor.com/blog/report-conor-leak/?utm_source=MyBroadband
Tomi Engdahl says:
Cloud flaws expose millions of child-tracking smartwatches
https://tcrn.ch/35BTNAO
Parents buy their children GPS-enabled smartwatches to keep track of them, but security flaws mean they’re not the only ones who can.
This year alone, researchers have found several vulnerabilities in a number of child-tracking smartwatches. But new findings out today show that nearly all were harboring a far greater, more damaging flaw in a common shared cloud platform used to power millions of cellular-enabled smartwatches.
The cloud platform is developed by Chinese white-label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices. The platform works as a backend system for Thinkrace-made devices, storing and retrieving locations and other device data.
All of the devices made or resold use the same cloud platform, guaranteeing that any white-label device made by Thinkrace and sold by one of its customers is vulnerable.
Research found at least 47 million vulnerable devices.
Each tracking device sold interacts with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller.
The researchers disclosed the vulnerabilities to several white-label electronics makers in 2015 and 2017, including Thinkrace.
Tomi Engdahl says:
Suspected data breach at e-scooter company VOI – data of over a million
users may have leaked
https://www.iltalehti.fi/ulkomaat/a/d31bd30f-5646-4151-92c4-c4165b6b4775
VOI, a Swedish company offering electric scooters, has been the target
of a data breach, as a result of which the data of more than a million
people may have leaked. The breach took place in November and was
initially thought to be smaller, reports the Swedish technology news
site Di Digital.
Tomi Engdahl says:
More than 267 million Facebook user IDs, phone numbers and names were exposed online.
Millions of Facebook user phone numbers exposed online, security researchers say
https://www.cnet.com/news/millions-of-facebook-user-phone-numbers-exposed-online-security-researchers-say/?ServiceType=facebook_page&PostType=link&TheTime=2019-12-19T16%3A33%3A57&UniqueID=5AD77B1C-227D-11EA-8646-9B103A982C1E&ftag=COS-05-10aaa0a
More than 267 million Facebook user IDs, phone numbers and names were in an unsecured database.
Security researcher Bob Diachenko discovered the trove of Facebook user data on Dec. 14. The database, which has been pulled down, wasn’t protected by a password or any other safeguard. Access to the database was removed, but by then the information had been out in the open for nearly two weeks. Someone had also made the data available for download on a hacker forum, according to Comparitech, a UK technology research firm that worked with Diachenko.
Facebook’s latest privacy mishap raises questions about whether the company is doing enough to protect the data of its billions of users.
The revelation also comes after UK political consultancy Cambridge Analytica harvested the data of up to 87 million Facebook users without their consent.
A Facebook user ID contains unique numbers that can be used to figure out a person’s Facebook username and other profile information.
Diachenko thinks that criminals in Vietnam obtained the user records through two possible ways.
To help protect your Facebook data from getting scraped, you can change your privacy settings so search engines outside of Facebook can’t link to your profile. You can also deactivate or delete your Facebook account.
Tomi Engdahl says:
Unprotected public databases have been a problem for Facebook. In
Tomi Engdahl says:
Over 1,500 Ring passwords have been found on the dark web
https://tcrn.ch/2PDzQEf
A security researcher has found on the dark web 1,562 unique email addresses and passwords associated with Ring doorbell passwords.
The list of passwords was uploaded on Tuesday to an anonymous dark web text-sharing site commonly used to share stolen passwords or illicit materials. A security researcher found the cache of email addresses and passwords, which can be used to log in to and access the cameras, as well as their time zone and the doorbell’s location, such as “driveway” or “front door.”
The researcher reported the findings to Amazon — which owns the Ring brand — but Amazon asked that the researcher not discuss their findings publicly.
At the time of writing, the dark web listing is still accessible.
A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users
https://www.buzzfeednews.com/article/carolinehaskins1/data-leak-exposes-personal-data-over-3000-ring-camera-users
“This gives a potential attacker access to view cameras in somebody’s home — that’s a real serious potential invasion of privacy right there.”
Tomi Engdahl says:
267 million – mostly American – Facebook users’ IDs, names and phone numbers are exposed online and shared on the dark web
https://trib.al/hxqSyGG
Cybersecurity firm found an unsecure database of Facebook user data online
Approximately 267,140,436 records were exposed and shared on the dark web
The database included IDs, phone numbers and full names of mainly US users
The database has since been shut down, but was live on the web for two weeks
Experts warned that people identified in the database could be targeted by spam messages or phishing schemes
Although it is not yet clear how the sensitive information was exposed, Diachenko traced the database back to Vietnam and speculated that it may have been compiled through an illegal process called ‘scraping’ – where automated bots copy public information from Facebook profiles – or stolen directly from Facebook’s developer API.
Tomi Engdahl says:
Wawa announces massive data breach, ‘potentially all’ locations affected, CEO says
https://6abc.com/wawa-announces-data-breach-potentially-all-locations-affected-ceo-/5769537/
The CEO of Wawa says they are investigating a data breach that has potentially affected all of their locations.
This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained last week.
This malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers.
Tomi Engdahl says:
Honda Leaks Data of 26K North American Customers
https://threatpost.com/honda-leaks-data-26k-north-american-customers/151283/
The leaky database was online for about a week, exposing customers
vehicles information and personal identifiable information. An exposed
database was discovered leaking the personal information of 26,000
North American Honda owners and their vehicles. The Elasticsearch
database in question is owned by the American Honda Motor Co., a North
American subsidiary of the Honda Motor Co.
Tomi Engdahl says:
Bank of England audio leak followed loss of key cybersecurity staff
https://www.theguardian.com/business/2019/dec/21/bank-of-england-audio-leak-followed-loss-of-key-cybersecurity-staff
Exclusive: former employees say at least 20 security staff were reassigned or left in past year
The Bank of England restructured its security department and lost multiple senior employees in charge of protecting some of Britain’s most critical financial infrastructure shortly before it suffered a major breach, the Observer can reveal.
central bank admitted that hedge funds had gained early access to its market-moving press conferences via a backup audio feed
Watchdog investigates Bank of England security breach
https://www.theguardian.com/business/2019/dec/19/hedge-funds-hacked-into-bank-of-england-briefings
Raising questions over whether hedge funds managed to profit from accessing the market-sensitive press conference seconds ahead of others, the breach comes after years of efforts to prevent misconduct in financial markets in the wake of the 2008 financial crisis.
Threadneedle Street said that the misuse of the back-up audio feed – which is up to eight seconds faster than its main video feed – was “wholly unacceptable” and had been done without the Bank’s knowledge or consent. The video feed is the main vehicle for broadcasting the press conference, and is handled by the financial news and data company Bloomberg.
The third-party supplier was reportedly connected to a market news service that charged clients between £2,500 and £5,000, according to the Times.
Statisma tweeted in April that it could provide customers with feeds “up to 10 seconds faster than watching them on live TV”, including for press conferences held by the Bank, the US Federal Reserve and European Central Bank.
company received advance copies of speeches and other market-moving publications while it was linked to an unnamed, accredited news organisation
The breach will be of particular embarrassment to the Bank, given its recent focus on the security policies of the companies it regulates
Tomi Engdahl says:
Hackers keep dumping Ring credentials online ‘for the giggles’
Three caches of Ring user credentials have surfaced this week.
https://www.zdnet.com/article/hackers-keep-dumping-ring-credentials-online-for-the-giggles/
Over the past two weeks, hackers have published thousands of valid Ring camera account credentials on hacking forums and the dark web.
In most cases, they did it to gain a reputation in the hacking community, but also “for the giggles,” in the hopes that someone else would hack Ring users, hijack their accounts, play pranks, or record users in their homes.
These lists of credentials were compiled using a technique called credentials stuffing. Hackers used special tools and apps that took usernames and passwords leaked via data breaches at other sites and tested their validity against Ring’s account system.
The username-password combos that matched, they published online.
BuzzFeed reported yesterday about a list of 3,600+ Ring accounts. TechCrunch reported on another list of 1,500 Ring accounts. ZDNet also received the list that TechCrunch received.
The company said that of the 100,000 credentials only 4,000 entries were for valid Ring accounts. The company wasn’t aware of this particular list but said they’ve already reset passwords and notified account owners in the past
We tested many against the Have I Been Pwned service, and they were all listed in various breaches where combinations of emails and passwords had been leaked in the past.
Some of the Ring users from the list who we contacted confirmed they reused passwords
A Ring spokesperson told ZDNet yesterday that there was no breach of its internal servers, and from its side, the accounts are compromised due to credential stuffing attacks and because of users reusing passwords across online services.
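The pattern ZDNet describes (one try per leaked email/password pair, most failing, a few succeeding) is visible in authentication logs. As an added example that is not part of the article, this Python detector flags source IPs whose attempts within a window spread over almost as many distinct accounts and lists the accounts that succeeded, so they can be reset and their owners notified; the log format, thresholds and sample lines are constructed for this example.

```python
"""Flag credential-stuffing patterns in authentication logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and values invented for this example):
# one source trying ten different accounts once each, one source retrying a
# single account (not stuffing), and one ordinary successful login.
SAMPLE_LOG = """\
2019-12-18T10:00:01Z ip=203.0.113.7 user=alice@example.test result=FAIL
2019-12-18T10:00:02Z ip=203.0.113.7 user=bob@example.test result=FAIL
2019-12-18T10:00:02Z ip=203.0.113.7 user=carol@example.test result=OK
2019-12-18T10:00:03Z ip=203.0.113.7 user=dave@example.test result=FAIL
2019-12-18T10:00:03Z ip=203.0.113.7 user=erin@example.test result=FAIL
2019-12-18T10:00:04Z ip=203.0.113.7 user=frank@example.test result=FAIL
2019-12-18T10:00:04Z ip=203.0.113.7 user=grace@example.test result=FAIL
2019-12-18T10:00:05Z ip=203.0.113.7 user=heidi@example.test result=OK
2019-12-18T10:00:05Z ip=203.0.113.7 user=ivan@example.test result=FAIL
2019-12-18T10:00:06Z ip=203.0.113.7 user=judy@example.test result=FAIL
2019-12-18T10:01:00Z ip=198.51.100.9 user=mallory@example.test result=FAIL
2019-12-18T10:01:10Z ip=198.51.100.9 user=mallory@example.test result=FAIL
2019-12-18T10:01:20Z ip=198.51.100.9 user=mallory@example.test result=OK
2019-12-18T10:02:00Z ip=192.0.2.5 user=peggy@example.test result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_attempts=8, min_distinct_ratio=0.8):
    """Return {ip: {"attempts", "distinct_users", "compromised"}} for suspicious sources.

    Credential stuffing tries each leaked pair once, so within the window a
    source shows many attempts spread over almost as many distinct accounts.
    A brute force against one account, or a normal user, does not match.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if (len(chunk) >= min_attempts
                    and len(users) / len(chunk) >= min_distinct_ratio
                    and (ip not in findings or len(chunk) > findings[ip]["attempts"])):
                findings[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    # Successful logins from a stuffing source are the accounts to reset.
                    "compromised": sorted(e[2] for e in chunk if e[3]),
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```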
Tomi Engdahl says:
A Twitter app bug was used to match 17 million phone numbers to user accounts
https://tcrn.ch/2PV9EVG
A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app.
Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France, and Germany, he said, but stopped after Twitter blocked the effort on December 20.
Tomi Engdahl says:
https://www.forbes.com/sites/alexwood/2019/12/24/green-revolution-deepfakes-and-special-relationships-forbes-europe-trends-for-2020/
The devastating impacts of data breaches have made explosive headlines in recent years and 2019 has been no exception. According to a report published by Risk Based Security, the first nine months of 2019 saw over 5,000 reported breaches—up 33% from 2018—and the exposure of 7.9 billion records. Those numbers are staggering and pose a serious question for organizations who think they are otherwise protected—what business vulnerabilities still exist?
Much of this data—financial and business forecasts, salary data, M&A modeling, customer and prospect insights—is shared through spreadsheets. These spreadsheets are handled by countless employees on a daily basis. They’re shared via email, saved to desktops, uploaded and downloaded across servers. They’re worked on in coffee shops, on airplanes and viewed on-the-go.
Spreadsheets are flexible, easy to use, and easy to modify, but they are not designed to store and protect corporate data
The expensive cost of convenience
Historically, spreadsheets have been viewed as an accommodating business tool. Users looking to escape the limitations of source systems—particularly around planning processes—turn to spreadsheets instead. While certainly convenient, this can be quite perilous since spreadsheets are meant to be personal productivity tools.
However, there is an extreme danger in this approach to data handling. Once that data escapes the stewardship of the applicable data security policies, all bets are off. Spreadsheets do not enforce data management policies and security standards. They lack restrictions and protections meant to safeguard information. Don’t believe me? When’s the last time you opened a spreadsheet that required a password?
Tomi Engdahl says:
The Uncommon Becomes Ordinary: 4 Trends That Defined Data Breaches in 2019
https://securityintelligence.com/articles/the-uncommon-becomes-ordinary-4-trends-that-defined-data-breaches-in-2019/
1. Big Breaches Get Bigger
It wasn’t long ago when mega-breaches were big news. Today, such incidents are commonplace.
Risk Based Security reported this summer that 2019 was on track to be the worst year on record for breach activity, with 4.1 billion records compromised in the first six months alone. At least 10 data breaches in 2019 involved the theft or exposure of databases containing at least 100 million records, including several instances where data was left exposed on unsecured servers.
2. Sometimes, the Enemy Is Us
Cloud platforms can support world-class protection against attacks on their infrastructure — too bad the same can’t always be said for their customers. Misconfigured cloud storage instances, unpatched applications and lax access controls were frequent culprits in cases of unintentional exposure of sensitive data this year.
In many cases, sensitive data was left out in the open for anyone to access, and the guilty parties included some of the largest hyperscale companies. Often, the culprits in these instances weren’t infrastructure-as-a-service (IaaS) providers, but rather customers who didn’t understand the standard shared responsibility model, under which cloud providers secure their infrastructure but customers are responsible for applications and data.
3. Ransomware Gets Smarter
The volume of ransomware attacks had been declining for nearly two years, but that may be because criminals are focusing more strategically on their targets.
IBM X-Force Incident Response and Intelligence Services (IRIS) reported a 200 percent increase in destructive attacks over the first half of this year compared to 2018, with organized criminals taking over from nation-states as the principal growth drivers.
4. Cryptocurrencies Struggle for Legitimacy
This should have been cryptocurrencies’ year to shine. Big name financial institutions finally bought into the allure of lower costs and faster transactions based on the blockchain protocol, led by JP Morgan’s launch of JPM Coin for institutional clients and a $63 million investment in the utility settlement coin project by a consortium of big banks.
Tomi Engdahl says:
IoT vendor Wyze confirms server leak
Details for 2.4 million users were exposed online for 22 days.
https://www.zdnet.com/article/iot-vendor-wyze-confirms-server-leak/
Tomi Engdahl says:
Thai Officials Say Prison Cameras Were Hacked, Broadcast
https://www.securityweek.com/thai-officials-say-prison-cameras-were-hacked-broadcast
Authorities in Thailand say they are investigating an apparent online break-in by a computer hacker that allowed him to broadcast surveillance video from inside a prison in the country’s south.
Thai media reported that the video was broadcast live on YouTube for several hours Tuesday by an account with the name BigBrother’s Gaze. It showed prisoners’ activities from several different security cameras.
Tomi Engdahl says:
Wawa Facing Lawsuits Over Data Breach at All of its Stores
https://www.securityweek.com/wawa-facing-lawsuits-over-data-breach-all-its-stores
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
HappyHotel, a Japanese site for booking rooms in “love hotels”, says hackers breached its servers and may have accessed users’ real names, addresses, and more — The 2010s decade ends with a major security breach at a search engine for finding love hotels across Japan.
Search engine for Japanese sex hotels announces security breach
https://www.zdnet.com/article/search-engine-for-japanese-sex-hotels-announces-security-breach/
The 2010s decade ends with a major security breach at a search engine for finding love hotels across Japan.
HappyHotel, a Japanese search engine for finding and booking rooms in “love hotels,” disclosed a security breach at the end of last year.
Love hotels are hotels built and operated primarily for allowing guests privacy for sexual activities. Love hotels, also known as sex hotels, are used by both married couples and cheating spouses alike.
HappyHotel.jp is a website that operates similarly to Booking.com, but lets registered users search and book rooms in love hotels across Japan.
The security incident is as bad as it gets, and hackers appear to have gotten their hands on a wealth of sensitive user information.
According to Almex, the type of data that hackers might have accessed includes details such as real names, email addresses, login credentials (usernames and passwords), birth dates, gender information, phone numbers, home addresses, and payment card details.
Loveinn Japan, a second love hotel search engine managed by Almex was also shut down, but the site did not feature a data breach notice, and it is unclear if hackers stole user data from this portal as well.
Data not leaked online — yet
The website’s data doesn’t appear to have been leaked online, at the time of writing.
The website’s data is incredibly sensitive. The entire incident is reminiscent of the Ashley Madison hack of 2015 when a hacker stole and dumped online user data from AshleyMadison.com, a dating website marketing itself as a go-to place for having an affair.
The HappyHotel data will, without a doubt, contain information about individuals who booked rooms for extramarital sex and affairs.
If the site’s data leaks online, those individuals will face extortion attempts, similar to how Ashley Madison users faced blackmail attempts for years. These extortion attempts had a severe toll on some Ashley Madison users, with a few ending up taking their own lives.
Tomi Engdahl says:
I’m the queen of Gibraltar and will never get a traffic ticket… just two of the things anyone could have written into country’s laws thanks to unsanitised SQL input vuln
https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/
A malicious person using the information exposed by the government website could have deleted and uploaded PDF files to the official online repository of Gibraltar’s laws.
Tomi Engdahl says:
Why is a 22GB database containing 56 million US folks’ personal details sitting on the open internet using a Chinese IP address? Seriously, why?
If CheckPeople could take a look at this, that would be great
https://www.theregister.co.uk/2020/01/09/checkpeoplecom_data_exposed/
Exclusive A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.
The information silo appears to belong to Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone’s name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
1B+ medical images of patients found online, as hospitals and doctors’ offices ignore security and upload X-rays, ultrasounds, and CT scans to unsecured servers
https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/
Every day, millions of new medical images containing the personal health information of patients are spilling out onto the internet.
Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.
About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.
Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.
“It seems to get worse every day,”
The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.
If doctors fail to take action, he said the number of exposed medical images will hit a new high “in no time.”
Researchers say the problem is caused by a common weakness found on the servers used by hospitals, doctors’ offices and radiology centers to store patient medical images.
A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices.
DICOM images are typically stored in a picture archiving and communications system, known as a PACS server.
Many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password.
These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.
Yet, patients are unaware that their data could be exposed on the internet for anyone to find.
Exposed data can be used to infer a picture of a person’s health, including illnesses and injuries.
In an effort to get the servers secured, Greenbone contacted more than a hundred organizations last month about their exposed servers. Many of the smaller organizations subsequently secured their systems, resulting in a small drop in the overall number of exposed images. But when the security company contacted the 10 largest organizations, which accounted for about one-in-five of all exposed medical images, Schrader said there was “no response at all.”
Schrader said if the remaining affected organizations took their exposed systems off the internet, almost 600 million images would “disappear” from the internet.
Experts who have warned about exposed servers for years say medical practices have few excuses. Yisroel Mirsky, a security researcher who has studied security vulnerabilities in medical equipment, said last year that security features set out by the standards body that created and maintains the DICOM standard have “largely been ignored” by the device manufacturers.
Schrader did not lay blame on the device manufacturers. Instead, he said it was “pure negligence” that doctor’s offices failed to properly configure and secure their servers.
“If the data is personal health information, it is required to be secured from unauthorized access, which includes finding it on the internet,” said Savage. “There is an equal obligation to lock the file room that contains your paper medical records as there is to secure digital health information,” she said.
Medical records and personal health data are highly protected under U.S. law. The Health Insurance Portability and Accountability Act (HIPAA) created the “security rule,” which included technical and physical safeguards designed to protect electronic personal health information by ensuring the data is kept private and secure. The law also holds healthcare providers accountable for any security lapses. Running afoul of the law can lead to severe penalties.
The government last year fined one Tennessee-based medical imaging company $3 million for inadvertently exposing a server containing over 300,000 protected patient data.
Tomi Engdahl says:
HONDA IS HACKED; PERSONAL DETAILS OF MORE THAN 976 MILLION CUSTOMERS LEAKED
https://www.securitynewspaper.com/2019/12/20/honda-is-hacked-personal-details-of-more-than-976-million-customers-leaked/
As a result of a recent massive data breach involving about 976 million records, nearly one million files were exposed in a Honda automotive company database, which contained various details about thousands of vehicles and their owners, as reported by web application security specialists.
The report mentions that it was not necessary to enter a password or any other authentication method to access the compromised database, so it was completely exposed to any user.
Identifying an unprotected Elasticsearch cluster, which stored 976 million records, all belonging to Honda in North America.
Diachenko mentions that the database would have been exposed for at least a week, long enough for any threat actor to access, copy and store the information for malicious purposes.
Personal details exposed during the incident include:
Full names
Addresses
Phone numbers
Email addresses
Make and model of the vehicle
Number of vehicle plates
Records on maintenance services
Web application security firms have previously reported similar incidents due to omissions by Honda staff.
Incorrect security configurations when enabling a database are the primary cause of information exposure incidents, as it is estimated that more than half of these incidents could be avoided if the staff in charge of managing these implementations enabled appropriate measures.
Tomi Engdahl says:
NYT: Russians hacked Ukraine gas company at center of Trump’s impeachment
https://www.msnbc.com/hardball/watch/nyt-russians-hacked-ukraine-gas-company-at-center-of-trump-s-impeachment-76641349851?cid=sm_npd_ms_fb_ma
The New York Times reports that Russians have hacked the Ukrainian gas company “Burisma,” the company linked to Hunter Biden: “Experts say the timing and scale of the attacks suggest that the Russians could be searching for potentially embarrassing material on the Bidens…”
Tomi Engdahl says:
P&N Bank Data Breach Exposes Trove of User Data
https://www.securityweek.com/pn-bank-data-breach-exposes-trove-user-data
P&N Bank has notified customers of a data breach that resulted in a large amount of sensitive information being compromised.
According to information shared on Twitter by Australian security researcher @vrNicknack, the incident took place on December 12, 2019, during a server upgrade on a third-party hosting provider.
P&N has since confirmed the incident.
The Australian bank, a division of Police & Nurses Limited, informed customers that unknown threat actors managed to access personal information stored within its customer relationship management (CRM) system.