- New research just presented at the Def Con security conference reveals how companies, startups, and governments are inadvertently leaking their own files from the cloud.
- You may have heard of exposed S3 buckets — those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to “public” for anyone to access.
- But you may not have heard about exposed EBS snapshots, which pose as much risk, if not more.
- “When you get rid of the hard disk for your computer, you know, you usually shred or wipe it completely. But these public EBS volumes are just left for anyone to take and start poking at,” said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox.
- Morris built a tool that uses Amazon’s own internal search feature to query and scrape publicly exposed EBS snapshots, then attaches each one, makes a copy and lists the contents of the volume on his system.
- “If you expose the disk for even just a couple of minutes, our system will pick it up and make a copy of it,” he said.
- Morris said he found dozens of snapshots exposed publicly in one region alone, including application keys, critical user and administrative credentials, source code and more.
- He estimates the figure could be as many as 1,250 exposures across all Amazon cloud regions.
- An Amazon spokesperson said customers who set their Amazon EBS snapshots to the public “have been notified and advised to take the snapshot offline if the setting was unintentional.”
*Source: Techcrunch, August 09, 2019
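The defender-side counterpart to the scraping described above is auditing your own account for snapshots whose createVolumePermission attribute includes the “all” group, which is what makes an EBS snapshot public. This is an added example, not Bishop Fox’s tool or the TechCrunch article’s code; it assumes boto3 and credentials with ec2:DescribeSnapshots and ec2:DescribeSnapshotAttribute for the live scan, while the classification logic runs on constructed sample responses without any AWS access.

```python
"""Added example (not from the report or Bishop Fox): find EBS snapshots in
your own account that are shared with the 'all' group, i.e. public."""
from typing import Iterable


def classify(attribute: dict) -> str:
    """Classify a DescribeSnapshotAttribute (createVolumePermission) response:
    'public' if granted to the 'all' group, 'shared' if granted only to
    specific account IDs, otherwise 'private'."""
    perms = attribute.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"
    return "shared" if perms else "private"


def find_public_snapshots(snapshots: Iterable[dict], attributes: dict) -> list:
    """Return the IDs of snapshots whose permissions make them public.
    `attributes` maps snapshot ID -> DescribeSnapshotAttribute response."""
    return sorted(s["SnapshotId"] for s in snapshots
                  if classify(attributes.get(s["SnapshotId"], {})) == "public")


def scan_account(region: str = "us-east-1") -> list:
    """Live scan of the caller's own snapshots in one region. boto3 is imported
    lazily so the pure functions above work without it installed."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    snapshots = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snapshots.extend(page["Snapshots"])
    attributes = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission")
        for s in snapshots
    }
    return find_public_snapshots(snapshots, attributes)


# Constructed sample data in the shape the EC2 API returns (IDs are made up).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "VolumeId": "vol-0aaa"},
    {"SnapshotId": "snap-0bbb", "VolumeId": "vol-0bbb"},
    {"SnapshotId": "snap-0ccc", "VolumeId": "vol-0ccc"},
]
SAMPLE_ATTRIBUTES = {
    "snap-0aaa": {"CreateVolumePermissions": [{"Group": "all"}]},           # public
    "snap-0bbb": {"CreateVolumePermissions": [{"UserId": "123456789012"}]},  # shared
    "snap-0ccc": {"CreateVolumePermissions": []},                            # private
}

if __name__ == "__main__":
    print(find_public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES))  # ['snap-0aaa']
```

Run scan_account() per region you use; a snapshot that turns up as public should be made private with modify-snapshot-attribute and its contents treated as potentially copied, since, as Morris notes, even a brief exposure can be enough.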
- A data breach detailing more than 800 current and former Charleston County employees’ identifying information was caused by a Human Resources employee accidentally sending a list of information to a former county employee.
- The Charleston County Sheriff’s Office was notified of the situation Aug. 6. The county on Monday began alerting employees whose information was included in the e-mail, said spokesman Shawn Smetana.
- Smetana said the county also alerted the three major U.S. credit reporting agencies about the incident.
- The breach included employees’ name, date of birth, Social Security number, gender, salary, hire date, whether they were eligible for retiree health care, and whether they are an active or inactive employee.
- No bank account information was released in the breach, according to Miller’s note.
- It is unclear why or how the information was sent through HR to a former county employee. The employee who sent the information will be subject to a disciplinary process, Smetana said.
*Source: Postandcourier, August 13, 2019
- Canadian financial services co-operative Desjardins has set aside C$70 million in expenses to cover second-quarter costs for a data breach that exposed the accounts of 2.9 million customers.
- The special charge covers the costs of providing credit monitoring along with a promise to reimburse customers up to $50,000 for expenses incurred in recovering stolen identities.
- Desjardins confirmed in June that a rogue employee stole and disseminated the personal information of more than 2.9 million members.
- The stolen data includes first and last name, date of birth, social insurance number, address, phone number, email address and details about individual banking habits and Desjardins products.
- In July, the firm announced that 530,627 Caisse members had signed up for the Equifax credit monitoring plan, representing 19.65% of customers affected by the privacy breach.
*Source: finextra, August 14, 2019
- The personal and private information of over 1 million citizens has been compromised following a biometrics system data breach.
- Fingerprints, facial recognition ID, personal data and unencrypted login credentials are among the information compromised on the database maintained by the security company, Suprema, reports reveal.
- The firm is responsible for the online Biostar 2 biometrics locking mechanism which provides centralized control for entry to high-security buildings.
- The technology employs facial recognition and fingerprint data to help identify individuals as they attempt to enter official secure premises.
- Last week, Israeli cyber-security researchers Noam Rotem and Ran Locar discovered Biostar 2’s database to be openly accessible to the public, holding data that was largely unprotected. The pair could easily browse the data by entering search terms into Elasticsearch.
- Over 27.8m records and 23 GB of data were at the researchers’ fingertips – a huge hoard of information that comprised dashboards, users’ face photos, unprotected usernames, passwords, facility logs, staff personal details, and administration panels.
- In a paper submitted to the Guardian, the pair describe how they were able to search through data from co-working organizations in the States, Indonesia, as well as businesses in India, the UK, and Finland.
- Rotem and Locar say the size of the data breach was particularly concerning because the database service operates in 1.5 million locations worldwide.
- The breach of fingerprint data is a major worry because fingerprints cannot be altered or reset, unlike passwords.
- “Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers stated.
- “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.
*Source: Wired, April 06, 2019
- The number of reported breaches has gone up by 54% and the number of exposed records by 52% compared to the first six months of 2018 according to the 2019 MidYear QuickView Data Breach Report, released by Risk Based Security.
- The research shows that eight breaches reported in Q1 and Q2 of 2019 accounted for 3.2 billion records exposed, three of them among the largest breaches of all time.
- “Looking over the first six months of 2019, it is hard to be optimistic on the outlook for the year,” commented Inga Goddijn, Executive Vice President of Risk-Based Security.
- The key findings state that the business sector accounted for 67% of reported breaches, continuing the trend observed in the Q1 2019 report.
- Further analysis shows that the business sector was responsible for 84.6% of the records exposed in those breaches.
- Unauthorized access to systems or services, referred to as hacking in the report, is still the number one breach type, with phishing being a tried-and-true first step for gaining access to systems and services.
- Interestingly enough, phishing for credentials often leads to providing attackers with access to users’ email accounts.
- While the data held in an email may not be as easily monetized as other datasets, it does lead to the exposure of unusual or unexpected types of data.
- Some of the more unusual data elements exposed this year include electronic signatures, calendars, marriage certificates, and company-issued employee ID numbers.
- The most recent example of this came up just a few days ago when Monzo Bank opted to report customers’ account PINs being inadvertently stored in internal logs that were accessible to their engineering teams. Once the issue was identified, the bank had it corrected and disclosed within 5 days.
- Goddijn said, “A breach is rarely good news but a fast response coupled with open communication speaks well of the organization. We hope to see more organizations following Monzo’s lead as the year unfolds.”
*Source: Helpnetsecurity, August 16, 2019
- A European Central Bank (ECB) website is offline after attackers inserted malicious code that could have stolen the names, titles, and email addresses of subscribers to one of its industry newsletters.
- According to ECB officials, the website for the Banks’ Integrated Reporting Dictionary (BIRD), which publishes information useful to those preparing regulatory and statistical reports, was infected in December 2018.
- The infection was discovered this week during site maintenance.
- The ECB reports that BIRD is hosted by a third party and that no market-sensitive data or internal ECB systems were affected.
- The bank is in the process of contacting all individuals whose information might have been stolen in the attack.
*Source: Darkreading, August 16, 2019