Your curated list of Data Security News from across the world, in a simple yet intuitive form for fast-paced cybersecurity professionals.
WEEK OF OCTOBER 27, 2020
Morgan Stanley Fined $60m Over Data Disposal
Among the issues flagged by the OCC were inadequate risk assessment and monitoring of third-party vendors and a failure to keep track of customer information.
Morgan Stanley, which is headquartered in New York City, was also found to have failed to exercise adequate due diligence in selecting the third-party vendor it engaged, and to have failed to adequately monitor the vendor’s performance.
Three years on from the decommissioning of the two data centers, the OCC found the bank’s data disposal practices were still deficient.
US retailer Made in Oregon confirms website data breach
- Customer credit card details included in list of potentially stolen information.
According to the retailer, an unauthorized third party accessed information in an attack dating from February to August this year. Information including names, billing addresses, email addresses, and credit card details entered through the site was potentially accessed.
In a breach notification to consumers that was also posted on the Vermont Attorney General’s Office website, the company said it wasn’t aware of any other information being accessed.
Dr Reddy’s suffers cyber-attack, isolates all its data center services
- “In the wake of a detected cyber-attack, we have isolated all data center services to take required preventive actions,” the company said.
Commenting on the development, Mukesh Rathi, CIO, Dr Reddy’s Laboratories said, “We are anticipating all services to be up within 24 hours and we do not foresee any major impact on our operations due to this incident.”
- The share price of Dr Reddy’s Laboratories fell on the report of the data breach. The stock was trading 1.19 percent lower at Rs 4,986.90 on the BSE at 10:55 am.
U.S.: Russian hackers targeting state, local governments on eve of election
The attackers may be trying to gain footholds in U.S. computer networks to aid subsequent efforts to undermine the American political process, the federal advisory warned.
A Russian hacking team best known for attacks on energy companies “has conducted a campaign against a wide variety of U.S. targets” including “dozens” of state and local governments, the FBI and DHS’s Cybersecurity and Infrastructure Security Agency said in an alert.
The FBI and CISA initially disclosed on Oct. 9 that sophisticated hackers were targeting state and local governments and had gained “unauthorized access to elections support systems,” but at the time they did not attribute the activity to Russia.
How AI Will Supercharge Spear-Phishing
- To keep pace with intelligent, unpredictable threats, cybersecurity will have to adopt an intelligent security of its own.
- But AI won’t just be used for good. Inevitably, it will also open the door to sophisticated cyberattacks like the AI-written spear-phishing scenario the article describes. Indeed, AI will supercharge spear-phishing with automated, intelligent technology. Hyper-realistic, machine-written copy is not some distant fiction: the technology required for it already exists today.
- Artificial intelligence won’t just power phishing attacks either. It will augment every kind of cyberattack with adaptive decision-making capabilities. Automatically crafting a well-informed, well-written email containing a malicious payload is just the start; the inbox is simply a gateway into the organization.
Credential-Stuffing Attacks Plague Loyalty Programs
- But that’s not the only type of web attack cybercriminals have been profiting from.
- Between July 2018 and June 2020, Akamai observed more than 63 billion credential-stuffing attacks launched against the retail, travel, and hospitality industries, all of which rely heavily on consumer rewards programs.
- Loyalty program accounts are easy pickings for credential stuffing because “many consumers don’t think of them as high risk and are more likely to use weak passwords or mirror accounts they’re using with another organization.”
WEEK OF OCTOBER 19, 2020
Personal data of Bharatmatrimony users breached says security firm Cyble Inc
The data leaked includes sensitive personal information like names, phone numbers, user IDs and date and time of account creation.
Some 1.7 GB of customer data belonging to thousands of users was up for sale for $500 in cryptocurrency, according to researchers at the firm.
The firm said the attacker injected input through the “themeid” parameter of one of the website’s URLs. “We identified the breach and notified the company,” the cybersecurity firm said.
Breach at Dickey’s BBQ Smokes 3M Cards
- KrebsOnSecurity has learned the data was stolen in a lengthy data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country.
Multiple companies that track the sale of stolen payment card data say they have confirmed with card-issuing financial institutions that the accounts for sale in the BlazingSun batch have one common theme: all were used at various Dickey’s BBQ locations over the past 13-15 months.
Gemini says its data indicated some 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona.
British Airways fined £20m over data breach
- British Airways has been fined £20m ($26m) by the Information Commissioner’s Office (ICO) for a data breach which affected more than 400,000 customers.
The breach took place in 2018 and affected both personal and credit card data. The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019.
- The company breached data protection law and failed to protect itself from a preventable cyber attack. It then failed to detect the hack until the damage was done to hundreds of thousands of customers.
Haldiram’s crucial data stolen; hackers demand ₹7.50 lakh to release information
A Haldiram’s representative said the hacker(s) have demanded a ransom of ₹7,50,000 to decrypt the company’s servers, including all their files.
The unidentified accused hacked the server of the company, based in the industrial Sector 62 of Noida, using malware of the kind commonly called ransomware, the police said.
The police said that the hackers, in a pre-planned criminal conspiracy, not only stole data from the company’s servers and systems but also contacted company officials through certain servers to extort money in return for restoring access to the company’s own data and deleting the stolen copies.
Chinese hackers using fake McAfee software to trick users into installing malware, says Google
- Google noted in a blog post that China state-sponsored hackers are tricking people into installing malware by posing as the antivirus provider McAfee ahead of the US elections.
- But the company was storing hundreds of large spreadsheets packed with sensitive patient data in a storage bucket, hosted on Amazon Web Services (AWS), without a password, allowing anyone to access the data inside.
- Google noted previous instances where attempts were made to hijack the email accounts of campaign staffers with President Donald Trump and Democratic nominee Joe Biden in June which it had successfully prevented.
Cybercrime Losses Up 50%, Exceeding $1.8B
- Fewer companies are being hit by cyber incidents, but those that do get hit are hit harder and more often.
- According to Hiscox, a Bermuda-based insurance provider, cyber losses per affected firm rose nearly sixfold worldwide over the past 12 months. Its recently released “Cyber Readiness Report 2020” pins the total cyber losses among affected firms at $1.8 billion, up a sobering 50% from the previous year’s total of $1.2 billion. Overall, more than 6% of the respondents in the report paid a ransom, and their collective losses totaled $381 million.
- Cybercriminals demanded ransoms from roughly 17% of the companies they attacked, and caused dire financial consequences for the targets. The highest loss from ransom was more than $50 million for one unfortunate organization.
WEEK OF OCTOBER 06, 2020
IT guy whose job was to stop ex-staff running amok on the network is jailed for running amok on the network
After he was demoted and fired, idiot logged into office PC from home and wiped storage systems.
On the day he was terminated, Stafford didn’t return his work-issued MacBook Pro. He went home and that evening used the laptop and his home internet connection to repeatedly attempt to log into the company’s network, using both his own credentials and those of a former colleague.
A couple of days later, in the early hours, he managed to get into his office PC remotely using the coworker’s credentials. From there he was able to “delete all of the file storage drives used by the Washington office,” then changed the password to the storage management system.
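The sequence in this story (own credentials tried first, a colleague’s next, all from the same home connection, with the company laptop still in hand) is also a detection recipe. The Python below is an added example, not part of the original report or the court filing: it correlates an HR termination feed against authentication events and flags both any attempt by a terminated account and any later attempt by a different account from the same source. The usernames, addresses, timestamps and event format are constructed for the demonstration.

```python
from datetime import datetime

# Constructed data for this example (hypothetical names and addresses, not the court record).
# HR feed: username -> moment the person was terminated.
TERMINATED = {"exemployee": datetime(2020, 8, 20, 17, 0)}

# Authentication events: (timestamp, username, source_ip, success)
AUTH_EVENTS = [
    (datetime(2020, 8, 20, 21, 10), "exemployee", "203.0.113.50", False),
    (datetime(2020, 8, 20, 21, 11), "exemployee", "203.0.113.50", False),
    (datetime(2020, 8, 20, 21, 15), "colleague", "203.0.113.50", False),
    (datetime(2020, 8, 22, 2, 30), "colleague", "203.0.113.50", True),
    (datetime(2020, 8, 22, 9, 0), "colleague", "10.1.4.22", True),
    (datetime(2020, 8, 22, 9, 5), "someoneelse", "10.1.4.30", True),
]


def offboarding_alerts(terminated: dict, events: list) -> list:
    """Return alert tuples (rule, timestamp, user, source_ip, success).

    Rule 1: any authentication attempt by a terminated account after its termination time.
            A failure matters as much as a success: the account was still enabled to be
            tried, or someone still holds its credentials.
    Rule 2: any attempt by a *different* account from a source that already tried a
            terminated account. This is the pattern in the story: own credentials first,
            then a colleague's, from the same home connection."""
    alerts = []
    tainted_sources = set()
    for ts, user, ip, ok in sorted(events):
        if user in terminated and ts >= terminated[user]:
            alerts.append(("terminated-account-attempt", ts, user, ip, ok))
            tainted_sources.add(ip)
        elif ip in tainted_sources:
            alerts.append(("pivot-from-tainted-source", ts, user, ip, ok))
    return alerts


if __name__ == "__main__":
    for rule, ts, user, ip, ok in offboarding_alerts(TERMINATED, AUTH_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:28} user={user:12} src={ip:15} success={ok}")
```

Rule 1 firing at all is itself a finding: a properly offboarded account is disabled before an attempt can reach the authentication tier, so the alert doubles as a check on the offboarding process. Where logs carry a device identifier, the unreturned laptop gives a third correlation key alongside the source address.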
An unspecified US government agency was hacked by a miscreant who appears to have made off with archives of information.
- Hacker had set up shop on network using stolen Office 365 accounts.
- Armed with those stolen Office 365 credentials, the attacker logged into one of the agency’s O365 accounts, made a beeline for a SharePoint server, and browsed its pages and downloaded a file. Shortly after, the intruder connected to the unnamed agency’s VPN, presumably using information gleaned so far from snooping around.
- Next, the miscreant enumerated the network using standard Windows command-line tools, connected to an external virtual server via SMB, and then, using their administrator credentials, sought to gain a persistent presence on the network.
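The chain above ends in something a network perimeter should almost never see: SMB leaving the organisation for an external host. As an added example (not part of the CISA analysis or this news item), the Python below runs that check over a few constructed flow records and reports external SMB destinations per internal source, counting allowed and denied connections separately so the analyst can see whether an egress block was already in place. The record format, the RFC 1918 definition of “internal”, and every address are assumptions made for the demonstration.

```python
import ipaddress

# Constructed flow records for this example (made up; not from the agency's logs):
# "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2020-09-30T01:02:03 10.20.30.40 10.20.30.5 445 ALLOW
2020-09-30T01:02:09 10.20.30.40 198.51.100.23 445 ALLOW
2020-09-30T01:02:10 10.20.30.40 198.51.100.23 445 ALLOW
2020-09-30T01:03:00 10.20.30.41 203.0.113.10 443 ALLOW
2020-09-30T01:04:00 10.20.30.42 198.51.100.23 445 DENY
2020-09-30T01:05:00 10.20.30.40 192.168.7.7 139 ALLOW
2020-09-30T01:06:00 10.20.30.44 203.0.113.77 445 ALLOW
"""

SMB_PORTS = {139, 445}

# Assumption: the organisation's address space is the RFC 1918 ranges. A real deployment
# substitutes its own routed prefixes (and VPN pools). Deliberately not using
# ipaddress's is_private, which also treats documentation ranges such as 198.51.100.0/24
# as "private" and would hide the sample traffic below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(flow_text: str) -> dict:
    """Return {(src, dst): {"allowed": n, "denied": n, "first_seen": ts}} for SMB flows
    that leave the internal ranges. Internal-to-internal SMB is ordinary file sharing
    and is ignored; SMB to the internet almost never has a business reason."""
    findings = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        if int(dport) not in SMB_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        entry = findings.setdefault((src, dst), {"allowed": 0, "denied": 0, "first_seen": ts})
        entry["allowed" if action == "ALLOW" else "denied"] += 1
    return findings


if __name__ == "__main__":
    for (src, dst), info in sorted(find_external_smb(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst} (SMB)  allowed={info['allowed']} denied={info['denied']} "
              f"first={info['first_seen']}")
```

The control is the egress deny on TCP 445 and 139 at the perimeter; this detection verifies that the policy holds and surfaces what got through before it did. Of the steps listed in the item, the SharePoint download and the VPN logon look like ordinary user activity on their own, so the SMB egress is the more reliable signal to alert on.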
85% of COVID-19 tracking apps leak data
- 71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data, according to Intertrust.
The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.
- Cryptographic issues pose one of the most pervasive and serious threats, with 91% of the apps in the study failing one or more cryptographic tests. This means the encryption used in these medical apps can be easily broken by cybercriminals, potentially exposing confidential patient data, and enabling attackers to tamper with reported data, send illegitimate commands to connected medical devices, or otherwise use the application for malicious purposes.
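“Failing a cryptographic test” usually means something concrete, and one of the most common findings is an unkeyed hash shipped as an integrity check, which is exactly what lets an attacker “tamper with reported data”. The Python below is an added example, not from the Intertrust report or any of the apps it studied: it authenticates a constructed glucose reading first with a bare SHA-256 tag and then with an HMAC, and shows the same tampering succeed against the former and fail against the latter. The reading, field names and key handling are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed mHealth-style reading for this example (not from any real app or device).
READING = {"device": "glucometer-01", "patient": "p-1234", "mg_dl": 95}


def encode(reading: dict) -> bytes:
    # Canonical JSON so the same reading always yields the same bytes to authenticate.
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def tag_unkeyed(payload: bytes) -> str:
    # The pattern a cryptographic test flags: a plain hash shipped as an "integrity check".
    # Anyone who can alter the message can also recompute this.
    return hashlib.sha256(payload).hexdigest()


def tag_hmac(key: bytes, payload: bytes) -> str:
    # Keyed MAC: forging a tag for a modified message requires the key.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_unkeyed(payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(tag_unkeyed(payload), tag)


def verify_hmac(key: bytes, payload: bytes, tag: str) -> bool:
    # compare_digest runs in constant time; a plain == would leak the tag byte by byte.
    return hmac.compare_digest(tag_hmac(key, payload), tag)


def forge(payload: bytes) -> bytes:
    """An on-path attacker rewrites the reported glucose value."""
    reading = json.loads(payload)
    return encode({**reading, "mg_dl": 400})


def demo() -> tuple:
    """Run both schemes against the same tampering. Returns
    (unkeyed scheme accepted forgery, HMAC scheme accepted forgery, value the backend saw)."""
    key = secrets.token_bytes(32)  # assumption: provisioned per device, never baked into the app
    payload = encode(READING)
    legit_tag = tag_hmac(key, payload)

    forged = forge(payload)
    # Scheme 1: the attacker simply re-hashes the edited message and the backend accepts it.
    unkeyed_ok = verify_unkeyed(forged, tag_unkeyed(forged))
    # Scheme 2: without the key the attacker can only replay the old tag or send a plain hash.
    hmac_ok = verify_hmac(key, forged, legit_tag) or verify_hmac(key, forged, tag_unkeyed(forged))
    return unkeyed_ok, hmac_ok, json.loads(forged)["mg_dl"]


if __name__ == "__main__":
    unkeyed_ok, hmac_ok, seen = demo()
    print(f"unkeyed hash accepted tampered reading ({seen} mg/dL): {unkeyed_ok}")
    print(f"HMAC accepted tampered reading: {hmac_ok}")
```

An HMAC protects integrity only; a reading that must also stay confidential in transit belongs in an AEAD such as AES-GCM, which gives both. A key compiled into the app binary is extractable by anyone who unpacks it, which puts the scheme back where the unkeyed hash was; the key has to be provisioned per device or per session.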
German privacy watchdog fines H&M $41M for spying on workers
A German privacy watchdog is fining clothing retailer H&M 35.3 million euros ($41 million) after the company was found to have spied on some of its employees in Germany.
Hamburg’s data protection commissioner said in a statement that the Swedish company collected private information about employees at a customer service center in Nuremberg, “ranging from rather harmless details to family issues and religious beliefs.”
- The data protection commissioner, Johannes Caspar, said that “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
After breach, Twitter hires a new cybersecurity chief
- Following a high-profile breach in July, Twitter has hired Rinki Sethi as its new chief information security officer.
- Twitter had left the role of chief information security officer vacant since the departure of its previous security chief, Mike Convertino, who left in December to join cyber resilience firm Arceo.
- In July, the company was hit by a very public cyberattack on its internal “admin” tools that played out on the social media platform in real time, as hackers hijacked high-profile Twitter accounts to spread a cryptocurrency scam. The hackers used voice phishing, a social engineering technique that involves tricking someone on the phone into handing over passwords or access to internal systems.
Emerging challenges and solutions for the boards of financial-services companies
- Mature boards are making themselves valuable partners for management in the effort to make firms more resilient.
- A growing number of firms—22 percent overall, and as many as 35 percent in some segments—have a technology committee to oversee cybersecurity.
- Mature firms are also streamlining their metrics and linking KPIs and key risk indicators (KRIs) by implementing metrics that measure both inputs and outputs. Inputs are a company’s risk-reduction efforts, and outputs are the resulting reduction in enterprise risk.
WEEK OF SEPTEMBER 29, 2020
US Staffing Firm Hit by Ransomware Again
One of the largest IT staffing companies in America has been hit by a second ransomware attack in nine months.
At the start of September, Artech Information Systems disclosed a data breach caused by a ransomware attack perpetrated between January 5 and 8, 2020.
Attackers deployed the ransomware three days after gaining unauthorized access to some of the company’s systems. The incident was picked up by the company following reports of suspicious activity on the user account of an Artech employee.
Medical group announces data breach of patient information at Montana hospitals
- SCL Health Medical Group announced on Sept. 10 a data breach of patient information that occurred earlier this year, including personal information of patients at three Montana hospitals.
The information that may have been accessed includes patient names, dates of birth, addresses, phone numbers, email addresses, admission dates, hospital locations, service locations and treatment providers.
- A forensic investigation by the company found that encrypted information stored in Blackbaud, such as social security numbers, financial account details and credit card information, was not accessed. The incident did not involve any access to medical systems or electronic health records.
The Real Cost of a Data Breach for Your Brand
- The aftermath can hurt in more ways than just a bank balance.
Customer trust is the cornerstone of any brand’s success, and a failure of data security impacts this all-important area immediately. Studies show that private data such as credit card and social security numbers are top targets and that 48 percent of consumers have cut ties with brands that have had a security breach.
- A data breach can drive a promising day straight into the gutter and leave your business in pain for much longer. A data breach blows the doors off any sense of security for your customer base and is blood in the water to competitors. The best way to attend to both issues is to ensure your internal systems are prepared to meet the moment.
Minnesota Suffers Second-Largest Data Breach
Hundreds of thousands of Minnesotans are receiving letters warning them that their data may have been exposed in the second-largest healthcare data breach in state history.
Attackers gained access to copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud computing systems. Individuals impacted by the breach have been warned to monitor their medical bills for any instances of fraud.
- To date, over 3 million people in the United States have been impacted by the attack on Blackbaud, which has also impacted a number of universities, charities, and organizations in the United Kingdom.
SFU ransomware attack exposed data from 250,000 accounts, documents show
- Officials didn’t disclose number in March when personal data of students, faculty, alumni were compromised.
- The information included student and employee identification numbers, full names, birthdays, course enrolments and encrypted passwords. Accounts were also linked to staff and retirees.
- The loophole arose when a developer replaced a software tool on an SFU computer and assumed the new version behaved the same way. The previous version had allowed local network access only, but the new software was open globally to the internet.
Shopify announces data breach affecting fewer than 200 merchants
- The e-commerce giant says the data breach was the result of “two rogue members” of a support team who allegedly “engaged in a scheme to obtain customer transactional records of certain merchants.”
- Shopify added this was not a result of technical issues or vulnerabilities and that “the vast majority of merchants using Shopify are not affected.”
- It did note that data of customers related to those merchants could have been exposed, including contact information like email and names, addresses, order details, and products and services purchased.
WEEK OF SEPTEMBER 21, 2020
Magecart Attack Impacts More Than 10K Online Shoppers
Close to 2,000 e-commerce sites were infected over the weekend with a payment-card skimmer, possibly the result of a zero-day exploit.
According to Sansec Threat Intelligence, online stores running Magento versions 1 and 2 are being targeted in a classic Magecart attack pattern, where e-commerce sites are hacked, either via a common vulnerability or stolen credentials.
Researchers recently reported that they have seen an uptick in the number of e-commerce sites that are being attacked by Magecart and related groups, dovetailing with new tactics.
Staples discloses data breach exposing customer order data
- The office retail giant sent a data breach notification letter to the impacted customers; the incident took place around September 2.
According to the notification, no sensitive data was exposed and an unauthorized party only accessed a limited amount of order data for customers of Staples.com.
- Staples revealed that the exposed order data includes customers’ names, addresses, email addresses, phone numbers, the last four digits of credit card numbers, the cost of the products, delivery details and the products ordered. The data accessed by the hackers did not include account credentials or full payment card data.
Hackers working for China have successfully compromised US government systems, according to a federal cybersecurity agency
- Hackers linked to the Chinese government have successfully infiltrated US government systems across “many sectors,” according to the Cybersecurity and Infrastructure Security Agency and the FBI.
The report suggests that, after vulnerabilities are discovered and publicized by US defenders, hackers are often able to exploit the vulnerabilities before government agencies patch them.
- CISA did not specify which agencies were compromised or how many records were potentially stolen, but says that hackers were frequently successful using “low-complexity” methods.
Blackbaud hack: US healthcare organizations confirm data breach impacted 190,000 patients
So far, the Blackbaud incident has affected hundreds of organizations from healthcare providers to universities and other charities.
Children’s Minnesota, one of the largest children’s healthcare organizations in the US, recently announced that the personal data of more than 160,000 patients may have been compromised in the incident.
- Joseph Carson, chief security officer at Thycotic, added: “It is essential to perform a data impact and risk assessment on any software a company decides to use such as what data is being collected, what security controls it has, data integrity and availability such as a strong data backup and resiliency.”
Ransomware warning: Hackers are launching fresh attacks against universities
- Cybersecurity agency warns about a spike in ransomware attacks targeting universities and colleges.
- With colleges and universities gearing up to start the new academic year and welcome new students – while already facing challenges because of the ongoing coronavirus pandemic – they’ve been urged to make sure their cybersecurity infrastructure is ready to defend the additional challenge of a ransomware attack.
- The warning from the UK’s National Cyber Security Centre (NCSC) – the cyber arm of GCHQ – comes following a recent spike in hackers targeting universities with ransomware attacks during August. In some instances, hackers have not only demanded a significant bitcoin ransom from victims of attacks, but they’ve also threatened to leak stolen personal data of students if they’re not paid.
Brazil’s LGPD now in effect — what does this mean for enforcement?
- The LGPD, strongly inspired by the EU General Data Protection Regulation, establishes various obligations and principles regarding the treatment of people’s personal data.
- Put simply, now that the LGPD has entered into force, companies must immediately bring their practices into line with the law, because its rules apply without delay.
- With the postponement of the penalties until 2021, companies need to be aware that the law can already be applied by the courts or other competent authorities, making it a valuable instrument to protect personal data.
WEEK OF SEPTEMBER 14, 2020
Service NSW reveals 738GB of customer data was stolen during email breach
Attack accessed 47 staff email accounts and affected 186,000 customers.
Service NSW said it would now progressively notify affected customers by sending personalised letters via registered post containing information about the data that was stolen and how they could access support, including access to an individual case manager to help with possibly replacing some documents.
Service NSW said in light of the incident, it has added additional security measures to protect against future attacks, such as partnering with IDCare that will provide the agency with additional “cyber support”.
China Launches Initiative to Set Global Data-Security Rules
- The move, unveiled Tuesday, is meant to counter the U.S. Clean Network effort.
- China’s initiative has eight key points including not using technology to impair other countries’ critical infrastructure or steal data, and making sure service providers don’t install backdoors in their products and illegally obtain user data.
- It is unclear if any country has signed up to China’s initiative and how it will be implemented and policed. But the world’s second-largest economy has been looking to increase its role in setting standards around the world.
Cyberattackers Go Global To Steal Company Cash
- With cyberattacks skyrocketing amid the pandemic, new data is rolling out to paint a picture of just how damaging the ramped-up thievery has become.
$80,000 is now the average amount phishers demand from their business email compromise targets, according to new research from the Anti-Phishing Working Group (APWG) in its second-quarter 2020 Phishing Activity Trends Report.
- Yet, as researchers pointed out, the amount of funds sought varies significantly from one attack to the next, with one particular BEC group seeking an average of $1.27 million per targeted attack. The average sought in a BEC scam is up from $54,000 in the first quarter of the year.
How can the C-suite support CISOs in improving cybersecurity?
The shift to widespread remote work has made a compelling case for the need to bring security within the remit of other departments.
While CISOs continue to spearhead the development of the organization’s security program and define the security mission and culture, other C-suite executives can vocally support these programs to ensure their integrity throughout the whole process, from vision and development to implementation and ongoing enforcement.
- One likely companion for this type of cross-department alignment is the Chief Operating Officer (COO). This means a good COO today needs to encourage a business culture that supports security efforts thoroughly, while also ensuring security is prioritized at a tactical level.
Gaming hardware manufacturer Razer suffered a data leak
- An unsecured database managed by the company containing gamers’ info was exposed online.
- Security researcher Bob Diachenko found that the unsecured database exposed the information of approximately 100,000 individuals who purchased items from Razer’s online store.
- The unsecured database was discovered on August 19. It contained customer information including names, email addresses, phone numbers, order numbers, order details, and billing and shipping addresses.
Inova Suffers Third-Party Data Breach
- The breach occurred as part of a ransomware attack against service provider Blackbaud.
- According to Blackbaud, data was exfiltrated between February 7, 2020, and May 20, 2020. The exfiltration was part of a ransomware attack that did not succeed in encrypting significant data at Blackbaud.
- Ultimately, though, the company says that it paid a ransom in order to have the exfiltrated data destroyed, which it says was done.
WEEK OF AUGUST 31, 2020
Marriott International faces class action suit over mass data breach
- Technology consultant leads legal action after hackers stole personal details of 300m guests.
- Martin Bryant, a technology consultant, is leading the legal action on behalf of people living in England or Wales who made a reservation to stay at one of Marriott International’s Starwood properties before 10 September 2018.
The UK’s data watchdog, the Information Commissioner’s Office (ICO), revealed in July 2019 its intention to fine Marriott International almost £100m as a result of the data breach. The ICO proposed a £99.2m fine for Marriott, after finding that about 7 million of the customers whose records were hacked were UK residents.
Russian National Arrested for Conspiracy to Hack Nevada Company
- The defendant allegedly planned to pay an employee $1 million to infect the company network with malware.
- The complaint alleges that between July 14, 2020, and Aug. 22, 2020, Kriuchkov conspired with associates to recruit an employee to infect the company’s network with malware.
- While the report does not specify the target company, it does note this malware would have given the attackers access to the company’s system. Following the infection, they would steal data from the network and threaten to publish it unless the organization paid their demanded ransom.
Higher Education CISOs Share COVID-19 Response Stories
- Security leaders from Stanford, Ohio State, and the University of Chicago share challenges and response tactics from the COVID-19 pandemic.
Among the core threats CISOs are most concerned about are dramatic increases in phishing and vulnerability of user devices given the lack of visibility and control mechanisms.
- Looking ahead, CISOs are concerned about what may happen if employees stay remote for the long haul. While there are things students can do to stay safe in the meantime – applying OS updates, not reusing passwords, patching apps – permanent remote work will bring challenges.
iPhone flaw lets hackers steal your personal data — don’t do this in Safari
Safari exploit can trick you into sharing personal data with malicious websites on iPhones and Macs.
An unpatched flaw in the Apple Safari browser lets hackers steal your browsing history, bookmarks, downloads or any other file that Safari can access, a Polish security researcher claims. The problem seems to exist on both Macs and iPhones.
- To avoid falling victim to this sort of thing, don’t use Web Share in Safari for the time being. If you want to share a link with friends, fall back on the tried ‘n’ true method of selecting the link in the browser address bar, copying it, opening an email or messaging app and pasting it into the body of the message.
Paytm Mall suffers massive data breach as hackers gain ‘unrestricted access’ into database: Report
- The breach potentially affects all accounts and related information at Paytm Mall. Paytm is yet to make an official statement on the breach.
- Cyber intelligence firm Cyble stated that the John Wick hacker group gained unrestricted access to Paytm Mall’s entire production database through a backdoor, which potentially affects all accounts and related information at Paytm Mall.
It’s never the data breach — it’s always the cover-up
- The felony charges levied against the former Uber CSO paint him as actively masterminding and executing a plan to cover up a major data breach. This serves as a reminder that CSOs and CISOs must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact.
- In November 2016, Uber learned of a data breach. Hackers threatened to expose the stolen data. Uber paid a ransom to the hackers under its bug bounty program and made the hackers sign NDAs to avoid the breach becoming public knowledge.
WEEK OF AUGUST 24, 2020
Jack Daniel’s-Maker Suffers REvil Ransomware Breach
- The Jack Daniel’s-maker has released few details about the incident but claimed it successfully prevented attackers from encrypting its files.
- Attackers told Bloomberg that 1TB of corporate data is now in their hands and it will most likely be leaked online in batches to turn up the pressure on the Louisville, Kentucky-headquartered firm.
The group apparently responsible for this attack is Sodinokibi (REvil), which, like Maze and other gangs, maintains a dedicated leak site to post stolen data on. As per previous attacks, it has already shared screenshots of file names as proof of its claims, some dating back over 10 years.
Firms Still Struggle to Prioritize Security Vulnerabilities
- Security debt continues to pile up, with 42% of organizations attributing remediation backlogs to a breach, a new study shows.
- Every six months the average firm fails to patch 28% of the vulnerabilities in its hardware and software, leading to a backlog of more than 57,000 unfixed security issues, a new study found.
- The underlying problem is that once vulnerabilities have been identified by automated systems, the prioritization and patching process is mostly manual, which slows an organization’s response.
Free photos, graphics site Freepik discloses data breach impacting 8.3m users
- Freepik is one of the most popular websites on the internet, currently ranked #97 on the Alexa Top 100 sites list.
According to the company’s official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data. Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.
- The company says it notified authorities as soon as it learned of the incident, and began investigating the breach, and what the hacker had accessed.
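Two items in this digest, the “themeid” parameter injection at Bharatmatrimony (week of October 19) and the SQL injection that exposed Freepik’s user table, come down to the same defect: request input concatenated into a query. The Python below is an added example (not Freepik’s or Bharatmatrimony’s code, and not taken from either report). It builds a constructed in-memory SQLite database with a themes table and a users table, shows how a UNION payload in a theme-lookup parameter dumps the users table through the vulnerable query, and shows the type-validated, parameter-bound version rejecting the same input. Table and column names are invented for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows for this example (not Freepik's or Bharatmatrimony's).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-alice"), ("bob", "hash-bob"), ("carol", "hash-carol")],
    )
    conn.execute("CREATE TABLE themes (themeid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO themes VALUES (?, ?)", [(1, "classic"), (2, "dark")])
    return conn


def theme_lookup_vulnerable(conn: sqlite3.Connection, themeid: str) -> list:
    # Vulnerable: the URL parameter is spliced straight into the SQL text.
    sql = f"SELECT name FROM themes WHERE themeid = {themeid}"
    return conn.execute(sql).fetchall()


def theme_lookup_safe(conn: sqlite3.Connection, themeid: str) -> list:
    # Hardened: validate the type first, then bind the value. The driver sends it as data,
    # so SQL keywords inside it are never parsed as SQL.
    try:
        themeid_int = int(themeid)
    except (TypeError, ValueError):
        raise ValueError("themeid must be an integer") from None
    return conn.execute("SELECT name FROM themes WHERE themeid = ?", (themeid_int,)).fetchall()


# What an attacker puts in the URL instead of "?themeid=1". A UNION makes the themes query
# return rows from an unrelated table, which is how credential tables get dumped.
PAYLOAD = "1 UNION SELECT username || ':' || pw_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", theme_lookup_vulnerable(db, PAYLOAD))
    print("safe:", theme_lookup_safe(db, "2"))
    try:
        theme_lookup_safe(db, PAYLOAD)
    except ValueError as e:
        print("safe rejected payload:", e)
```

Python’s sqlite3 `execute()` accepts only one statement, so a stacked `; DROP TABLE users` payload fails on this driver; UNION-based extraction does not depend on stacking and works anyway, which is why the fix is binding plus validation rather than a blocklist of SQL keywords.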
Experian South Africa discloses data breach impacting 24 million customers
Experian said the attacker was identified and its data deleted from the fraudster’s devices.
While Experian did not disclose the number of impacted users, a report from South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.
- Experian said it reported the incident to local authorities, who were able to track down the individual behind the incident. Since then, Experian said it obtained a court order, “which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”
Stolen Data: The Gift That Keeps on Giving
- Users regularly reuse logins and passwords, and data thieves are leveraging that reality to breach multiple accounts.
- When mega-leaks occur, many other ecosystems become endangered due to the tendency of users to reuse the same credentials on other sites. Not only well-known brands but even small to midsize organizations with an online presence should consider the issue of password reuse stemming from previous mega-leaks as a primary threat vector.
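Both the Akamai loyalty-program item (week of October 27) and this piece describe the same mechanism: replaying leaked username and password pairs against other sites. A defender’s signature for it is many distinct usernames from one source in a short window, almost all failing, with the few successes being the reused passwords. The Python below is an added example, not from Akamai or the article; it runs that detection over constructed login log lines and reports the suspected takeovers. The log format, thresholds and addresses are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events for this example (made up; not from Akamai or any real site):
# "timestamp source_ip username result"
SAMPLE_LOG = """\
2020-10-20T10:00:01 203.0.113.7 ann FAIL
2020-10-20T10:00:02 203.0.113.7 bob FAIL
2020-10-20T10:00:02 203.0.113.7 carl FAIL
2020-10-20T10:00:03 203.0.113.7 dina FAIL
2020-10-20T10:00:03 203.0.113.7 ed OK
2020-10-20T10:00:04 203.0.113.7 fay FAIL
2020-10-20T10:05:10 198.51.100.9 ann FAIL
2020-10-20T10:05:20 198.51.100.9 ann FAIL
2020-10-20T10:05:40 198.51.100.9 ann OK
2020-10-20T11:00:00 192.0.2.5 gus OK
"""


def parse(log_text: str):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text: str, window=timedelta(minutes=10),
                    min_users: int = 5, max_success_ratio: float = 0.3) -> dict:
    """Return {source_ip: {...}} for sources that look like credential stuffing.

    Stuffing replays leaked username/password pairs, so its signature is many *distinct*
    usernames from one source in a short window, nearly all failing; the few successes are
    the reused passwords, i.e. the takeovers. A brute force against one account
    (198.51.100.9 above) has few distinct users and is deliberately not matched here."""
    by_source = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_source[ip].append((ts, user, ok))

    hits = {}
    for ip, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so that events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                hits[ip] = {"distinct_users": len(users), "attempts": len(win),
                            "likely_takeovers": sorted(set(successes))}
    return hits


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Stuffing tools rotate through proxy pools, so a single-source threshold is the easy case; the distributed variant shows up instead as a spike in first-seen sources each failing once against a different account, and as successes from sources that have never logged into that account before. The obvious controls to pair with the detection are MFA, checking new passwords against known-breached lists, and rate limits keyed on the account as well as the source.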
IBM Db2 Flaw Gives Attackers Read/Write Access to Shared Memory
- Researchers discover a lack of explicit memory protections around the shared memory used by the Db2 trace facility.
- CVE-2020-4414 exists because developers neglected to add explicit memory protections around shared memory used by the Db2 trace facility. This allows any local users to have read and write access to that memory area.
- All Db2 instances of the current version (11.5) on Windows are affected. IBM has released a patch to address this vulnerability and other security issues. It’s difficult to tell whether the vulnerability has been exploited.
WEEK OF AUGUST 17, 2020
Canon suffers ransomware attack, Maze claims responsibility
- Reports based on an internal memo suggest an external security firm has been hired to investigate.
- As reported by Bleeping Computer, a six-day outage beginning July 30 on the image.canon website, a service for uploading and storing photos through Canon’s mobile applications, led to suspicions that a cyberattack may have taken place.
- It is believed that Maze is to blame, after the threat group said they had stolen 10TB of data after launching a successful ransomware attack against the tech giant. Maze, however, denied responsibility for the image.canon issues, and so the timing of the outage and the ransomware infection may simply be coincidental.
Major tech corporations face multi-billion-euro cases for alleged GDPR breaches
- The damages could exceed €10 billion if the legal proceedings are successful, the NGO said.
- The Privacy Collective, a non-profit Foundation that pursues claims for violations of privacy rights, is suing Oracle and Salesforce in action representing millions of individuals objecting to the use of their personal data.
- “Everyone who has ever used the internet is at risk from this technology,” said Dr Rebecca Rumbul, class representative and claimant in England & Wales.
Google ‘Spying’ On People’s App Use, Lawsuit Claims
- The lawsuit centers on “Android Lockbox,” a program that “allows Google employees to spy on how Android Smartphone users interact with non-Google apps.”
- Android Lockbox came to public attention two weeks ago, when The Information reported that Google drew on data about people’s use of outside apps, like TikTok, for competitive purposes.
- Google says in an online support page the company uses that data “to improve products and services, like Google apps and Android devices.” This lawsuit marks at least the fourth separate privacy case brought against the company in the last several months.
Doki Backdoor Infiltrates Docker Servers in the Cloud
- The malware is a new payload that uses Dogecoin wallets for its C2, and spreads via the Ngrok botnet.
- A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn, employing a brand-new technique: using a blockchain wallet for generating command-and-control (C2) domain names.
- To avoid infection, Docker admins should check for any exposed ports, verify there are no foreign or unknown containers among the existing containers, and monitor excessive use of resources.
List of data breaches and cyber attacks in July 2020 – 77 million records breached
- This includes the Twitter hack affecting 130 people, including Bill Gates, Barack Obama and Elon Musk, as well as the less flashy but equally concerning attack on dozens of universities and charities across the UK, US and Canada.
- You can view the complete list by clicking on the source link.
Business Email Compromise Attacks Involving MFA Bypass Increase
- Adversaries are using legacy email clients to access and take over accounts protected with strong authentication, Abnormal Security says.
- Researchers from Abnormal Security this week reported observing a recent increase in attacks where threat actors used legacy apps with old email protocols, such as IMAP, SMTP, and POP, to access and take over business email accounts protected with MFA.
- MFA, or MFA with Single Sign On (SSO), is a great way to provide a secure access policy to a network. But organizations need to be aware that legacy protocols do not all support modern authentication methods.
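A detection check for the pattern described above, written for this digest and not code from Abnormal Security or any vendor: it walks constructed sign-in records (field names and client-app labels are modelled on Azure AD sign-in logs but are assumptions, not an exact schema) and flags successful IMAP/POP/SMTP sign-ins, marking those on MFA-enrolled accounts as MFA bypasses.

```python
"""Flag successful sign-ins over legacy mail protocols (IMAP, POP, SMTP AUTH).

Legacy clients send a bare password and cannot complete an MFA challenge, so a
successful sign-in through one of them on an MFA-enrolled account skipped MFA.
Records are constructed and loosely modelled on Azure AD sign-in log fields;
field names and client-app labels are assumptions, not a vendor schema.
"""
from dataclasses import dataclass

# Client-app labels treated as legacy/basic authentication (assumed labels).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}

@dataclass(frozen=True)
class Finding:
    user: str
    client_app: str
    ip: str
    mfa_bypassed: bool  # True when the account is MFA-enrolled

def is_legacy_auth(record: dict) -> bool:
    """True if the sign-in used a protocol that cannot carry an MFA prompt."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS

def find_legacy_signins(records: list, mfa_users: set) -> list:
    """One Finding per successful legacy-protocol sign-in.

    Failed attempts (non-zero errorCode) are skipped: they are password-spray
    noise rather than a takeover and belong in a separate alert.
    """
    findings = []
    for rec in records:
        if not is_legacy_auth(rec) or rec.get("errorCode", 1) != 0:
            continue
        user = rec["userPrincipalName"].lower()  # normalise case before lookup
        findings.append(Finding(user, rec["clientAppUsed"], rec["ipAddress"],
                                mfa_bypassed=user in mfa_users))
    return findings

# Constructed sample sign-in records (not real data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "errorCode": 0, "ipAddress": "198.51.100.10"},
    {"userPrincipalName": "Alice@example.com", "clientAppUsed": "IMAP4",
     "errorCode": 0, "ipAddress": "203.0.113.5"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "SMTP",
     "errorCode": 50126, "ipAddress": "203.0.113.6"},  # bad password
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP",
     "errorCode": 0, "ipAddress": "192.0.2.77"},
]
MFA_ENROLLED = {"alice@example.com", "bob@example.com"}
```

The matching mitigation is to block basic authentication for these protocols at the tenant level, so that a stolen password alone no longer signs in.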
WEEK OF AUGUST 10, 2020
Intel investigating breach after 20GB of internal documents leak online
- Leak confirmed to be authentic. Many files are marked “confidential” or “restricted secret.”
- The data was published by Till Kottmann, a Swiss software engineer, who said he received the files from an anonymous hacker who claimed to have breached Intel earlier this year. The Swiss engineer said today’s leak represents the first part of a multi-part series of Intel-related leaks.
- None of the leaked files contain sensitive data about Intel customers or employees, based on ZDNet’s review. However, the question remains as to what else the alleged hacker had access to before stealing and releasing Intel’s confidential files.
Online Exam Tool Suffers Data Breach
- According to a spokesperson, the data exposed relates to ProctorU users who registered on or before 2014.
- A database of 440,000 ProctorU user records was published by hacker group ShinyHunters over the past week along with hundreds of millions of other user records.
- ProctorU user data exposed includes usernames, unencrypted passwords, legal names, and full residential addresses.
Capital One fined $80 million for 2019 hack of 100 million credit card applications
- The Capital One hack was one of the largest data breaches ever to hit a financial services firm.
- The OCC said in a statement that the Capital One fine was “based on the bank’s failure to establish effective risk assessment processes” before it moved a major portion of its computer data to a cloud storage system, “and the bank’s failure to correct the deficiencies in a timely manner.”
- When it announced the breach last year, Capital One emphasized that no credit card numbers or log-in credentials were compromised.
Trump Signs Executive Order That Will Effectively Ban Use Of TikTok In the U.S.
- A move that steps up pressure on the Chinese-owned app to sell its U.S. assets to an American company.
- Since the Trump administration began turning up the heat on TikTok, software giant Microsoft has confirmed it is among a handful of companies in early talks to acquire the short-form video service.
- Officials at Microsoft say it is examining a TikTok acquisition that would potentially buy TikTok’s American, Canadian, Australian and New Zealand services, but officials close to the deal say the final offer may include operations in even more countries.
Macy’s sued over use of Clearview facial-recognition software
- Macy’s was targeted in one of the first lawsuits against users of the controversial facial-recognition software made by startup Clearview AI.
- Clearview’s software allows users to try to match a face against a database of images it scrapes from the internet, including sites like YouTube and Facebook.
- Though it is marketed primarily as a tool for law enforcement, the New York Times and Buzzfeed News reported earlier in the year that it had also been used by several major retailers, with Macy’s conducting more than 6,000 searches.
Nine in ten Americans view data privacy as a human right, according to new report
- Americans are becoming increasingly concerned with, and distrustful of, how companies use, manage and protect their personal data.
- KPMG surveyed 1000 Americans in May 2020. The survey reveals that nine out of ten respondents think that companies should be held responsible for corporate data breaches (91%), take corporate data responsibility seriously (91%), and take the lead in establishing corporate data responsibility (91%).
- Nine out of ten (91%) respondents agree that the right to delete personal data and the right to know how their data is being used should be extended to all US citizens – similar to the GDPR regulations for European citizens.
WEEK OF AUGUST 03, 2020
The Data Privacy Loophole Federal Agencies Are Still Missing
- Knowledge-based authentication (KBA) is leaving federal contact centers vulnerable to an increasingly sophisticated hacker community.
- One of the most immediate risks to customer data privacy on the federal level lies in an over-reliance on knowledge-based authentication across a number of government agencies.
- Regardless of which road a federal agency takes in 2020 when it comes to data privacy, it’s become clear in the fed tech community that KBA is a relic, one that leaves contact centers vulnerable to an increasingly sophisticated hacker community.
GEDmatch confirms data breach after users’ DNA profile data made available to police
- In a statement on Wednesday, the company told users by email that it was hit by two security breaches on July 19 and July 20.
- The site, which lets users upload their DNA profile data to trace their family tree and ancestors, rose to overnight fame in 2018 after law enforcement used it to match the DNA of a serial murder suspect against the million-plus DNA profiles in its database without first telling the company.
- GEDmatch issued a privacy warning to its users and put in new controls to allow users to opt-in for their DNA to be included in police searches.
Slack credentials abundant on cybercrime markets, but little interest from hackers
- Security researchers find more than 17,000 Slack credentials for roughly 12,000 Slack workspaces being sold online.
- Reporters claim the hacker found a username and password for an internal Twitter admin tool pinned in one of the Slack workspace’s channels, which the hacker later used to wreak havoc on Twitter by defacing high-profile accounts with a cryptocurrency scam.
- Slack credentials might not be as useful as G Suite or Microsoft 365 accounts, but hackers usually work by mimicking successful hacks, and the Twitter hack showed that Slack workspaces might be a good place to lurk in search of sensitive data.
Hackers wipe out more than 1000 databases, leaving only the word “Meow”
- One of the databases hit belonged to UFO VPN. UFO VPN, and other products from seemingly the same company, had recently been in the news for exposing user information.
- The attack seems to have come from a bot, according to Forbes, as the attack script overwrites database indexes with random numerical strings and the word ‘Meow’. The source of the attacks is unclear.
- It appears that the attackers are running searches for servers which expose information by not being password protected, much as security companies do when conducting research and compiling reports.
Clever hackers are making ATMs spit out all their money
- Jackpotting involves attaching rogue devices called “black boxes” to open up programming interfaces inside the ATM’s software and issue commands, forcing it to, proverbially, make it rain.
- Previous jackpotting approaches involved the use of black boxes that were even able to change the maximum amount a given ATM was authorized to spit out.
- There is a silver lining to the latest hack, as Ars Technica points out. The thieves’ new approach doesn’t seem to target the retrieval of personal banking information, as has been the case with previous schemes.
Blackbaud Hack: Universities lose data to ransomware attack
- At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked a cloud computing provider.
- Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software, has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.
- The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.