Week of August 31, 2018



Two French Location Data Companies Receive GDPR Consent Warnings*:

The French privacy regulator CNIL recently issued official notices to two French data companies: Fidzup and Teemo.

CNIL said that both companies were non-compliant with consumer consent rules under the General Data Protection Regulation (GDPR) and French privacy law.

Both are location intelligence vendors that work with retailers and brands on online-to-offline advertising and measurement.

Both companies have SDKs (Software Development Kits) that help them collect persistent location data from partner apps.

App publishers are paid for their location data (and other data) by companies such as Fidzup and Teemo.

CNIL discussed each company individually in its notices, which were made public (and provided to us by the Future of Privacy Forum).

The bottom line for both companies was that when the partner apps were downloaded, consumer consent was obtained for use of location by the app — but not for transfer of that data to third parties Fidzup and Teemo, whose SDKs were integrated into the apps.

In other words, users were not being asked to consent to the use of their location data by someone other than by the app publisher, even though that was happening.

CNIL said that consent to use of location by the app did not equal consent to data collection for advertising and marketing purposes by third parties.

In Teemo’s case, CNIL found the company also retained its data too long for “processing.”

Both companies are required to come into compliance with GDPR within 90 days.

If the companies fix their consent defects CNIL said there would be no penalty, but failure to comply will potentially result in sanctions.

*Source: MarTech Today, August 29, 2018


ABBYY Exposed Over 200,000 Scanned Documents on an Open Server*:

ABBYY – a Russian OCR developer and text recognition firm – has reportedly left exposed a treasure trove of scanned documents.

The database remained online without password protection, allowing anyone to view the data.

A researcher found the data using Shodan and then reported it to the firm.

As disclosed by Bob Diachenko, an independent security researcher, via his article on LinkedIn, ABBYY left a large number of official documents exposed online on an open server.

He found some files named “documentRecognition” or “documentXML” that hinted that the owner was a data recognition company.

Later, while analyzing the user details from the exposed data, he identified the owner to be ABBYY – a content intelligence solutions provider.

After finding the open database, Diachenko informed the firm by sending notifications to some email addresses he took from the database.

ABBYY responded by acknowledging the temporary breach and stating that the issue had been corrected.

However, ABBYY did not disclose the affected customer’s name, nor did it say whether anyone else had previously accessed the database.

*Source: Latest Hacking News, August 30, 2018


Over 70 Universities Targeted by Iranian Hackers*:

Iranian hackers have reportedly been targeting universities and educational institutions across 14 nations in an attempt to steal intellectual property.

The SecureWorks Counter Threat Unit (CTU) announced on Friday that this attempt is likely to work, as it is being performed by Cobalt Dickens, one of the most advanced persistent threat (APT) actors.

The researchers discovered that Cobalt Dickens was connected to the Iranian government.

In March, the group was indicted for conducting a series of attacks on universities and organisations on behalf of the Islamic Republic of Iran’s Islamic Revolutionary Guard Corps (IRGC).

The Institute of Mabna has been working with Cobalt Dickens, who allegedly stole data from 76 universities over 21 nations and also from 47 US and foreign private sector companies, which include the US Department of Labor and the UN.

In their latest series of attacks, over 76 universities in 14 nations have been affected, including institutions in the UK, US, Canada, China and Switzerland.

There are 16 domains that have been used by the bad actors to host more than 300 spoofed websites, which include university login pages and online libraries.

The hackers have sent many spoofed links through phishing emails. If the victim falls for the messages and enters their login information, they are redirected to the real service while the data is obtained by the malicious script.

Most of the domains were bought between May and August 2018, and the attacks are continuing as further registrations are being made.

*Source: Latest Hacking News, August 27, 2018


Security Researchers Found Vulnerabilities at AT&T, T-Mobile and Sprint That Could Have Exposed Customer Data*:

It hasn’t been a good week for telecommunications companies: security researchers have uncovered security flaws with systems at AT&T, Sprint, and T-Mobile that could have left customer data accessible to bad actors.

In each unrelated case, the attackers could have used brute force attacks to guess customer PINs or personal information.

In T-Mobile’s case, an “engineering mistake” between Apple’s online storefront and T-Mobile’s account validation API allowed for an unlimited number of attempts on an online form, which would allow a hacker to use commonly-available tools to guess an account PIN or the last four digits in a customer’s social security number, in what’s called a brute-force attack.

A similar problem occurred with phone insurance company Asurion and its AT&T customers. An online claims form would allow anyone with a customer’s phone number to access a form that allowed unlimited attempts to guess a customer’s passcode, leaving it vulnerable to another brute-force attack.

In both cases, the companies fixed the vulnerabilities when contacted by BuzzFeed News.
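The gap in the T-Mobile and Asurion cases was an unlimited number of attempts against a 10,000-value secret, and the usual fix is to count failures against the target account rather than the client. The sketch below is an added example, not code from any of the companies named; the class and function names, the phone number, the PIN and the lockout policy values are all assumptions.

```python
import hmac
import time

KEYSPACE = 10_000          # a 4-digit PIN or "last four of SSN" has 10,000 values
MAX_FAILURES = 5           # assumed policy: failures allowed before lockout
BASE_LOCKOUT_S = 15 * 60   # assumed policy: first lockout lasts 15 minutes


class PinVerifier:
    """Throttle PIN checks per target account, not per client IP or session."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins            # account id -> PIN (constructed demo store)
        self._clock = clock
        self._state = {}             # account id -> [failures, lockouts, locked_until]

    def verify(self, account, guess):
        """Return 'ok', 'denied' or 'locked' for one attempt."""
        st = self._state.setdefault(account, [0, 0, 0.0])
        now = self._clock()
        if now < st[2]:
            return "locked"          # the guess is not evaluated at all
        expected = self._pins.get(account, "")
        if expected and hmac.compare_digest(expected.encode(), guess.encode()):
            st[0] = st[1] = 0
            return "ok"
        st[0] += 1
        if st[0] >= MAX_FAILURES:
            st[0] = 0
            st[1] += 1
            # each lockout doubles, so sustained guessing gets slower over time
            st[2] = now + BASE_LOCKOUT_S * 2 ** (st[1] - 1)
        return "denied"


def guesses_evaluated(verifier, account, candidates):
    """Count how many submitted guesses the verifier actually compared."""
    return sum(verifier.verify(account, c) != "locked" for c in candidates)


def success_chance(evaluated, keyspace=KEYSPACE):
    """Upper bound on a blind guesser's chance after `evaluated` distinct tries."""
    return min(evaluated, keyspace) / keyspace
```

Because the counter is keyed on the account, rotating IP addresses or sessions does not buy extra guesses; in production the state would live in a shared store and the lockout would be paired with alerting on accounts that hit it repeatedly.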

In another instance this weekend, TechCrunch reported that security researchers were able to access an internal staff portal at Sprint because of “weak, easy-to-use usernames and passwords,” compounded with the lack of two-factor authentication.

Once in, the researcher was reportedly able to access customer account information for Sprint, Boost Mobile, and Virgin Mobile.

The researcher also reported that anyone who gained access could make changes to customer accounts, and that customer PINs could be brute-forced.

A Sprint spokesperson confirmed the vulnerability to TechCrunch, adding that the company didn’t believe that any customers were affected by it and that it is working to fix the issue.

It’s worth noting that vulnerabilities aren’t necessarily breaches, but it’s vulnerabilities such as these that allow bad actors to gain access to a system and exploit the customer data that they access.

These systems are by necessity complicated: companies like AT&T, Sprint, and T-Mobile have to balance providing access for employees to do their jobs and for customers to gain access to their information.

Given the harm that a malicious actor can do with the vast amounts of data these companies have, it’s clear that they need to be more proactive in protecting their customers.

*Source: The Verge, August 25, 2018


Bank of Spain’s Website Hit by Cyber Attack*:

The Bank of Spain’s website has been hit since Sunday by a cyber-attack which has temporarily disrupted access to the site, a spokesman for the central bank said on Monday.

The spokesman said that the attack has not had any effect on the bank’s services or its communications with the European Central Bank or other institutions and that there was no risk of a data breach.

It is a denial-of-service attack that intermittently affects access to their website, but it has had no effect on the normal functioning of the entity.

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

*Source: Reuters, August 28, 2018


Spyware Company Leaves Terabytes of Selfies, Text Messages and Location Data Exposed Online*:

A company that markets cell phone spyware to parents and employers left the data of thousands of its customers—and the information of the people they were monitoring—unprotected online.

The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, among others, according to a security researcher who asked to remain anonymous for fear of legal repercussions.

Last week, the researcher found the data on an Amazon S3 bucket owned by Spyfone, one of many companies that sell software that is designed to intercept text messages, calls, emails, and track locations of a monitored device.

Motherboard was able to verify that the researcher had access to Spyfone’s monitored devices’ data by creating a trial account, installing the spyware on a phone, and taking some pictures.

Hours later, the researcher sent back one of those pictures.

The exposed data also included 44,109 unique email addresses.

The company’s backend services were also left wide open, not requiring a password to log into them, according to the researcher, who said he was able to create admin accounts and see customer data.

Spyfone also left one of its APIs completely unprotected online, allowing anyone who guesses the URL to read what appears to be an up-to-date and constantly updating list of customers.

The site shows first and last names, email and IP addresses. As of Thursday, there were more than 11,000 unique email addresses in the database, according to a Motherboard analysis.

A Spyfone representative said the company is investigating the leak, and expressed relief that the person who found it had good intentions.

They have now partnered with a leading data security firm to assist in their investigation.

*Source: Motherboard, August 23, 2018


Microsoft Windows Zero Day Vulnerability is Disclosed on Twitter*:

Microsoft reacted quickly after a Twitter user disclosed a zero-day vulnerability in the Windows OS.

A Twitter user named SandboxEscaper tweeted about the bug, providing proof-of-concept code for the vulnerability.

Will Dormann, a vulnerability analyst at CERT/CC, verified the bug was a zero-day flaw for the Windows Operating System.

The bug is a privilege escalation flaw in the Windows task scheduler, caused by the way it handles Advanced Local Procedure Call (ALPC).

This zero-day Windows vulnerability allows users to get system privileges. Because it involves ALPC on the local system, the scope of an attack is limited, but it is not going to look small for a company like Microsoft.

At present, there are no workarounds for this vulnerability, and it has been assigned a CVSS score of 6.4–6.8.

SandboxEscaper’s tweet has been deleted, but Microsoft has acknowledged the zero-day flaw.

The patch for this flaw is going to be released on the 11th of next month.

*Source: Latest Hacking News, August 29, 2018


Air Canada Data Breach Affects 20,000 Users of its Mobile App*:

After targeting various companies belonging to the telecom, financial, educational, and medical industries, hackers have now turned their attention to an airline to satiate their craving for data.

According to reports, unknown attackers accessed the database of Air Canada.

Supposedly, the Air Canada data breach affected around 20,000 customers using their mobile app.

On August 28, 2018, Air Canada uploaded a notice on their website about a security breach incident after noticing unauthorized access to its mobile app.

As a result, this Air Canada data breach exposed personal details of around 1% of the airline’s customers.

According to the airline, it has around 1.7 million mobile app users, which suggests that up to 20,000 customers were affected in the incident.

According to their notice, Air Canada noticed “unusual login behavior” on their mobile app between August 22 and 24, 2018.

They suspect that this unauthorized access may have inadvertently exposed customer details to the attackers.

This may include personal details that the users enter on the app, such as names, contact numbers, email addresses, genders, dates of birth, residence, nationality, passport numbers, country of issuance of passports and their expiration dates, NEXUS numbers, Aeroplan number, Known Traveler Number, and credit card details.

However, the company states that the credit card numbers remained unaffected in the breach.

The airline still advises the customers to keep a check on all transactions.

After noticing the unusual activity, Air Canada officials quickly blocked the unauthorized accesses; they also had to lock out customers from the app as a precaution.

Therefore, all 1.7 million customers of Air Canada have to sign in again to the apps.

Air Canada has begun sending emails to the customers with instructions to reset logins, and they are also sending emails to the customers affected by the breach.

While Air Canada adequately disclosed the breach in their notice, the source behind the attack still needs to be identified.

It is not yet known whether the attackers directly targeted the airline’s systems, or if Air Canada has become another victim of a third-party data breach.

*Source: Latest Hacking News, August 30, 2018

