MENTIS

Week of June 3, 2019


2.3BN Files Have Been Exposed Online Since GDPR*:

  • Digital risk protection firm Digital Shadows says roughly 2.3 billion data files, containing business IT system access credentials, customer passport data, bank records and medical information, have been leaked online in the last 12 months.
  • That means the number of exposed files rose more than 50 per cent year-on-year, from 750 million files at the same time last year.
  • Here's the breakdown: 98 million records were exposed from companies in the UK, 121 million from Germany, and 326 million from the States.
  • Half of these were exposed via the server message block (SMB) protocol, it was said.
  • Harrison Van Riper, a Photon Research analyst, says businesses are too focused on making data available on remote servers, disregarding security in the process.

*Source: IT Pro Portal, June 03, 2019


Chinese Database Exposes 42.5 Million Records Compiled From Multiple Dating Apps*:

  • Tens of millions of records about users of different dating apps have been discovered in a single database that doesn’t include any password protection, according to new research findings.
  • The records discovered by researcher Jeremiah Fowler mostly were about American users, based on accessible IP addresses and geolocation information.
  • Other data included age, location and account names — a roadmap Fowler followed to identify users across multiple other platforms and dating apps to verify they were real.
  • A sampling of 10,000 users revealed that 8,063 were from the U.S., 356 were from the U.K., 219 from Canada and 151 from Australia and other random English-speaking countries.
  • About 42.5 million records were exposed. Dating logs made up 38.3 million records, while 3.87 million consisted of “geonames.”
  • While it’s not clear who controls the leaky database, Fowler accessed the site’s Whois domain registration to find that a subway line in Lanzhou, China was given as the owner’s address.
  • Apps mentioned in the database seemed meant to appeal to as many people as possible, the researcher wrote in a blog post Tuesday, with names ranging from “Christiansfinder” and “Cougardating” to “Mingler” and “Fwbs,” shorthand for “friends with benefits.”
  • The database, which was still online at press time, did not include financial information, though it did provide a path for outsiders to view personal details about an app user.
  • Fowler’s findings are yet another example of sloppy database-security practices potentially affecting unsuspecting victims.
  • A security researcher in February told CyberScoop about an unrelated database containing information from roughly 14 million Instagram accounts.
  • Motivation in that case could have included targeted marketing or combining leaked usernames with stolen passwords to breach social media identities.

*Source: CyberScoop, May 29, 2019


Microsoft Issues ‘Update Now’ Warning To Windows Users*:

  • Microsoft really does not have the greatest track record when it comes to those security and system fixes that are usually referred to as Patch Tuesday updates.
  • These updates have recently caused Windows to freeze or simply decided to install themselves and cause unexpected restarts.
  • Microsoft is now urging users to apply one particular set of updates released May 14, warning that unless they do, at least a million computers might be exploited by a security threat that could be as damaging and costly as WannaCry was two years ago.
  • The warning, which reads almost as if Microsoft wrote it on bended knee, was posted on the Microsoft Security Response Center blog.
  • Referring to the critical Remote Code Execution vulnerability, CVE-2019-0708, that has become better known as BlueKeep, Simon Pope, director of incident response at Microsoft, states that "Microsoft is confident that an exploit exists for this vulnerability."
  • What's more, Pope says that such an exploit could "propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."
  • An internet-scale port scanner has already determined that there are at least 923,671 internet-facing machines which are vulnerable to BlueKeep on port 3389, the port used by the Microsoft Remote Desktop feature.
  • It is worth reading between the lines here, especially concerning that apparent confidence that a BlueKeep exploit exists.
  • While it is not clear if Microsoft has intelligence that suggests active malware has been weaponized in this way, what we do know is that there is proof of concept (PoC) code available already.
  • One BlueKeep demo on GitHub will crash a system that is vulnerable but does not execute the wormable threat that Microsoft is obviously so worried about.
  • We also know, through the information security community on Twitter, that there are denial of service (DoS) exploits available, and that security researchers have been successful in developing wormable exploit code.
  • While Windows 8 and Windows 10 users are not impacted by this vulnerability, Windows 2003, Windows XP and Windows Vista all are.
  • Despite all of those vulnerable systems being unsupported for some years, Microsoft made the patch available to users which shows just how concerned it is by the "WannaCry 2" threat.
  • Windows 7 and Windows Server 2008 are also vulnerable.

*Source: Forbes, June 01, 2019


Security Systems Of Major Hotel Chains Exposed By Huge Data Breach*:

  • Self-styled "hacktivist" researchers have this week revealed a truly huge data breach with implications for many major hotel chains around the globe.
  • Rather than revealing financial or guest information, as is the norm for breaches involving the travel and hospitality industry, this time the data exposed was actually far more valuable: some 85.4GB of security audit logs.
  • The breach itself was discovered by the same vpnMentor research team, led by Noam Rotem and Ran Locar, that discovered the 11 million photo leak.
  • vpnMentor reports that on May 27 the researchers discovered an unsecured server connected to hotel and resort management company the Pyramid Hotel Group.
  • The researchers say that the leaked data includes, but is not limited to, the following which reads like a cybercriminal's dream shopping list: Server API key and password, Device names, IP addresses of incoming connections to the system and geolocation, Firewall and open ports information, Malware alerts, Restricted applications, Login attempts, Brute force attack detection, Local computer name and addresses, including alerts of which of them has no antivirus installed, Virus and malware detected on various machines, Application errors, Server names and OS details, Information identifying cybersecurity policies and Employees' full names and usernames.
  • Due to an open threat window of more than a month, it is unknown if anyone other than the good guys stumbled across it and stepped right through.
  • What I do know is that if the security researchers could find it so easily, then the threat actors certainly could have as well.
  • If they did, then access to the data contained may have allowed them to perform in-depth surveillance of any hotel network implicated in the exposure.
  • This would enable them to "build an attack vector targeting the weakest links in the security chain," according to the vpnMentor research team.
  • It is of huge concern as it also means the attacker could, in effect, see what the hotel security team sees and learn from their attempted attack methodologies based upon the alerts returned by the system.
  • It's also possible that the physical security of guests could be impacted by the data leak.
  • The researchers point to the fact that the data goes back to April 19 which could indicate that a system setup, reconfiguration or maintenance may have impacted the server to make it open and available to anyone that looked.
  • The server in question was running an open source intrusion detection system called Wazuh.
  • It was also leaking 85.4GB of security audit logs.
  • Because Pyramid Hotel Group clients include some of the biggest hotel chains across many countries, and the data that was exposed relates to their operating systems, security policies, internal networks and cybersecurity event information, this becomes a potentially very serious incident indeed.
  • It's not all bad news. According to the disclosure timeline revealed by vpnMentor, the breach was discovered on May 27 and the Pyramid Hotel Group notified on May 28.
  • The vulnerability was fixed on May 29, so the response was a quick and efficient one.
  • Jake Olcott, the vice president of government affairs at BitSight, who has previously served as legal advisor to the Senate Commerce Committee and counsel to the House of Representatives Homeland Security Committee, says that while other sectors such as finance have been focused on measuring and monitoring third-party cyber risk, "the hospitality sector does not face the same regulatory pressures."
  • Incidents such as this need to act as a wake-up call to the entire travel and hospitality sector according to Olcott.

*Source: Forbes, May 31, 2019


One Of New York’s Largest Non Profits Suffers From Data Breach*:

  • People Inc., one of western New York's largest non-profit agencies, has revealed a data breach which has exposed sensitive medical information belonging to current and former clients.
  • This week, the non-profit human services agency said that an employee email account appears to be the source of the leak, in which a vast array of client data has been exposed.
  • In total, it is reported that up to 1,000 clients may be involved.
  • People Inc. offers residential care, employment assistance, community outreach programs, healthcare, and recreation schemes for seniors, vulnerable people, and people with disabilities and their families.
  • The non-profit discovered the breach on February 19, 2019.
  • An unknown hacker had managed to infiltrate an email account belonging to an employee of the organization.
  • A second email account may have also been compromised, but People Inc. has not been able to verify whether or not this is the case.
  • The accounts in question contained personal, sensitive information belonging to clients.
  • Names, addresses, Social Security numbers, financial data, medical information, health insurance details, and government IDs have potentially been compromised and stolen.
  • However, the non-profit has not received any reports of this information being actively abused, as of yet.
  • The first compromised account may have permitted entry due to a weak password and could have been susceptible to a brute-force attack, as People Inc. said that a password reset was enough to secure the email account.
  • The second account has been disabled outright.
  • People Inc. hired a cyber forensics firm to investigate the case and has informed the FBI.
  • Clients were made aware of the data breach on May 29 and free credit monitoring services to those impacted are on offer.

*Source: ZDNet, May 31, 2019


The NSA Makes Ghidra, A Powerful Cybersecurity Tool, Open Source*:

  • The National Security Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn't leaked in recent years.
  • But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source.
  • And while NSA cybersecurity adviser Rob Joyce called the tool a "contribution to the nation’s cybersecurity community" in announcing it at RSA, it will no doubt be used far beyond the United States.
  • You can't use Ghidra to hack devices; it's instead a reverse-engineering platform used to take "compiled," deployed software and "decompile" it.
  • In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does.
  • Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from.
  • Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.
  • "If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end," Joyce said.
  • "Ghidra is a software reverse-engineering tool built for our internal use at NSA. We're not claiming that this is the one that’s going to be replacing everything out there—it's not. But it helped us address some things in our workflow."
  • Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA.
  • But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool.
  • Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for free—a major contribution in training the next generation of cybersecurity defenders.
  • Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.
  • The NSA announced Joyce’s RSA talk, and Ghidra’s imminent release, in early January.
  • But knowledge of the tool was already public thanks to WikiLeaks’ March 2017 “Vault 7” disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA.
  • The actual code hadn’t seen the light of day, though, until Tuesday—all 1.2 million lines of it.
  • Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect.
  • But Joyce emphasized the tool's customizability.
  • It is also designed to facilitate collaborative work among multiple people on the same reversing project—a concept that isn't as much of a priority in other platforms.
  • Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be.
  • The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives.
  • But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now.
  • By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways.
  • It might seem that releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, but Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that isn't a concern.
  • No matter what comes next for the NSA's powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defenders—and that conspiracy theorists can rest easy. There’s no backdoor in Ghidra.

*Source: Wired, June 03, 2019
