Data Breach At Amazon India Exposes Sellers’ Financial Data*:

  • Not long ago, US-headquartered Amazon faced a massive data breach that left many of its customers’ names and email addresses exposed.
  • Now, Amazon India has admitted to yet another technical glitch.
  • This time around, though, the privacy breach has affected sellers and vendors on the ecommerce site, exposing their private financial information to other competing sellers.
  • There are close to 4 million merchants selling on the retail giant’s online platform and another 150 million registered users.
  • Although the company did not mention anything about the extent of the leak and how many sellers were exposed, the official statement said their technical team had resolved the issue on Tuesday.
  • The merchant tax reports in question basically comprise data relating to sales, category-wise split and inventory data, reports Business Standard.
  • While Amazon claims to have resolved the situation and fixed the glitch on a priority basis, sellers and vendors have raised concerns about the exposure of competitive business information and whether it could prove detrimental to them.
  • This is not the first time the company has been hit by such technical glitches.
  • Earlier in November, Amazon.com faced a similar situation after a data breach exposed user information on the website.
  • At the time, Amazon didn’t reveal anything about the extent of the leak.
  • In the following month, reports surfaced that the ecommerce retailer had severed ties with several of its employees based in India and the US over the alleged leak of internal company information to merchants.

*Source: Your Story, January 10, 2019

 

Your Data Can Still Be Identified Even If It’s Anonymized*:

  • Thanks to the near-complete saturation of the city with sensors and smartphones, we humans are now walking, talking data factories. 
  • Passing through a subway turnstile, sending a text, even just carrying a phone in your pocket: we generate location-tagged data on an hourly basis.
  • All that data can be a boon for urban planners and designers who want to understand cities–and, of course, for tech companies and advertisers who want to understand the people in them.
  • Questions about data privacy are frequently met with a chorus of “It’s anonymized! Any identifying features are scrubbed from the data!”
  • The reality, a group of MIT scientists and urban planners show in a new study, is that it’s fairly simple to figure out who is who anyway.
  • In other words, anonymized data can be deanonymized pretty quickly when you’re working with multiple datasets within a city.
  • Carlo Ratti, the MIT Senseable City Lab founder who co-authored the study in IEEE Transactions on Big Data, says in a news release that the research process made them feel “a bit like ‘white hat’ or ‘ethical’ hackers.”
  • First, they combined two anonymized datasets of people in Singapore, one of mobile phone logs and the other of transit trips, each containing “location stamps” detailing just the time and place of each data point.
  • Then they used an algorithm to match users whose data overlapped closely between each set–in other words, they had phone logs and transit logs with similar time and location stamps–and tracked how closely those stamps matched up over time, eliminating false positives as they went.
  • In the end, one week of data was enough to match 17% of the users, and with 11 weeks of data the matching reached 95% accuracy.
  • While the MIT group wasn’t trying to unmask specific users in this dataset, they proved that someone acting in bad faith could merge such anonymized datasets with personal ones using the same process, easily pinning the timestamps together to figure out who was who.
  • The takeaway is not just that a malicious actor or company could use this process to survey citizens.
  • It’s that urban planners and designers who stand to learn so much from these big urban datasets–for instance, Ratti’s own lab recently used such data for a project on reducing parking, while other groups use it to study everything from urban poverty to accessibility–need to be careful about whether all that data could be combined to deanonymize it.
  • In other words, as urban planners, tech companies, and governments collect and share data, we now know that “it’s anonymized” is never a guarantee of privacy.
  • And as they dig deep into the data we generate, cities and citizens need to demand that this data can never be reidentified.

*Source: Fast Company, December 10, 2018
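The matching procedure the article describes, as an added example that is not the study’s or the Senseable City Lab’s code: two constructed pseudonymised datasets (phone location stamps and transit taps for the same 60 people) are scored by how many (time bucket, station) stamps each pair of pseudonyms shares, and the best candidate is accepted only when it clearly beats the runner-up. The station names, the population, the phone observation rate and the thresholds are all assumptions; the example goes beyond the article in measuring how the share of linked users grows with the number of weeks of data.

```python
"""Linking two pseudonymised location-stamped datasets by shared stamps.

Added example, not the Senseable City Lab's code: both datasets are
constructed here, and the matching rule illustrates the approach the
article describes rather than reproducing the paper's algorithm."""
import random
from collections import defaultdict

STATIONS = [f"station-{i:02d}" for i in range(12)]   # constructed place names


def simulate(weeks, people=60, phone_rate=0.15, seed=1):
    """Generate phone logs and transit logs for one population.

    Returns (truth, phone, transit). truth maps each phone pseudonym to the
    transit pseudonym of the same person (ground truth an attacker lacks);
    phone and transit map a pseudonym to a set of (time_bucket, station)
    stamps, where a bucket is a 10-minute slot counted from day 0.
    """
    attrs, daily = random.Random(seed), random.Random(seed + 1)  # same people every run
    truth, phone, transit = {}, defaultdict(set), defaultdict(set)
    for _ in range(people):
        pid = f"phone-{attrs.getrandbits(32):08x}"
        tid = f"card-{attrs.getrandbits(32):08x}"
        truth[pid] = tid
        home, work = attrs.sample(STATIONS, 2)
        leave_home, leave_work = attrs.randint(360, 600), attrs.randint(960, 1200)
        for day in range(7 * weeks):
            for minute, station in ((leave_home, home), (leave_work, work)):
                minute += daily.randint(-15, 15)            # day-to-day jitter
                stamp = (day * 144 + minute // 10, station)
                transit[tid].add(stamp)                      # every tap is logged
                if daily.random() < phone_rate:              # phone seen only sometimes
                    phone[pid].add(stamp)
            # one phone-only event per day that no transit record explains
            phone[pid].add((day * 144 + daily.randint(0, 143), daily.choice(STATIONS)))
    return truth, dict(phone), dict(transit)


def match(phone, transit, min_shared=3, margin=2):
    """Score every transit pseudonym against each phone pseudonym by the number
    of stamps they share. Accept the top candidate only if it has at least
    min_shared overlaps and beats the runner-up by margin: that is the step
    that eliminates false positives, at the cost of leaving people unlinked."""
    index = defaultdict(set)
    for tid, stamps in transit.items():
        for stamp in stamps:
            index[stamp].add(tid)
    links = {}
    for pid, stamps in phone.items():
        score = defaultdict(int)
        for stamp in stamps:
            for tid in index.get(stamp, ()):
                score[tid] += 1
        if not score:
            continue
        ranked = sorted(score.values(), reverse=True)
        runner_up = ranked[1] if len(ranked) > 1 else 0
        if ranked[0] >= min_shared and ranked[0] - runner_up >= margin:
            links[pid] = max(score, key=score.get)
    return links


def evaluate(weeks):
    """Return (share of phone pseudonyms linked, share of links that are right)."""
    truth, phone, transit = simulate(weeks)
    links = match(phone, transit)
    correct = sum(1 for pid, tid in links.items() if truth[pid] == tid)
    return len(links) / len(truth), (correct / len(links) if links else 1.0)


if __name__ == "__main__":
    for weeks in (1, 2, 4, 8, 11):
        linked, precision = evaluate(weeks)
        print(f"{weeks:2d} weeks of data: {linked:6.1%} linked, {precision:6.1%} of links correct")
```

Running it prints the linked share for 1, 2, 4, 8 and 11 weeks; with these parameters a single week links only a minority of the population while eight weeks link nearly all of it without wrong links, the same shape as the 17% to 95% curve above. The margin test is what keeps precision high: a pseudonym with two near-equal candidates stays unlinked rather than being guessed, and nothing about either dataset needed a name, only timestamps and places.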

 

An Unsecured Database Exposed The Personal Details Of 202 Million Job Seekers In China*:

  • The personal details of more than 202 million job seekers in China, including phone numbers, email addresses, driver’s licenses and salary expectations, were freely available to anyone who knew where to look, for as long as three years, because of an unsecured database.
  • That’s according to findings published by security researcher Bob Diachenko, who located an open and unprotected MongoDB instance in late December which contained 202,730,434 “very detailed” records.
  • The database was indexed in the data search engines BinaryEdge and Shodan, and was freely visible without a password or login.
  • It was only made private after Diachenko posted information about its existence on Twitter.
  • Diachenko, who is director of cyber risk research at Hacken, wasn’t able to match the database with a specific service, but he did locate a three-year-old GitHub repository for an app that included “identical structural patterns as those used in the exposed resumes.”
  • Again, ownership is not clear at this point, although the records do seem to contain data that was scraped from Chinese classifieds, including the Craigslist-like 58.com.
  • A 58.com spokesperson denied that the records were its creation.
  • They instead claimed that their service had been the victim of scraping from a third-party.
  • “We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us.
  • It seems that the data is leaked from a third party who scrape[d] data from many CV websites,” a spokesperson told Diachenko.
  • TechCrunch contacted 58.com but we have not yet received a response.
  • While the database has now been secured, it was potentially exposed for up to three years, and there’s already evidence that it had been regularly accessed, although, again, it isn’t clear by whom.
  • It’s worth noting that the MongoDB log showed at least a dozen IP addresses that may have accessed the data before it was taken offline.
  • There’s plenty of mystery here — it isn’t clear whether 58.com was behind the hole, or if it is a rival service or a scraper — but what is more certain is that the vulnerability is one of the largest of its kind to be found in China.

*Source: Tech Crunch, January 11, 2019
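A check for the misconfiguration at the heart of this story, as an added example (not the article’s or Diachenko’s tooling): an unauthenticated listDatabases command sent over MongoDB’s OP_MSG wire protocol, with the reply classified as exposed, authentication-required or unknown. The BSON encoder and decoder cover only the types a command reply uses; the host, port and the replies used for testing are assumptions, and the probe must only be run against systems you are authorised to test.

```python
"""Probe a MongoDB port for a server that answers admin commands with no
credentials, the misconfiguration behind the exposure described above.

Added example, not the article's or Diachenko's tooling. It speaks OP_MSG
directly (no driver needed), so it works against servers from 3.6 onward.
Host and port are assumptions; only point it at systems you are authorised to test."""
import socket
import struct
import sys

OP_MSG = 2013  # opcode of the OP_MSG message, introduced in MongoDB 3.6


def bson_encode(doc):
    """Minimal BSON encoder: bool, int32, double, string, array, document."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):           # bool first: it is an int subclass
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(raw)) + raw
        elif isinstance(value, list):         # arrays are documents keyed "0", "1", ...
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        else:
            raise TypeError(f"unsupported value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(data):
    """Minimal BSON decoder for the types a command reply uses."""
    doc, pos = {}, 4                          # skip the int32 document length
    while data[pos] != 0:
        kind, pos = data[pos], pos + 1
        end = data.index(b"\x00", pos)
        key, pos = data[pos:end].decode(), end + 1
        if kind == 0x01:
            doc[key], pos = struct.unpack_from("<d", data, pos)[0], pos + 8
        elif kind == 0x02:
            n = struct.unpack_from("<i", data, pos)[0]
            doc[key], pos = data[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif kind in (0x03, 0x04):
            n = struct.unpack_from("<i", data, pos)[0]
            sub = bson_decode(data[pos:pos + n])
            doc[key], pos = (list(sub.values()) if kind == 0x04 else sub), pos + n
        elif kind == 0x08:
            doc[key], pos = data[pos] == 1, pos + 1
        elif kind == 0x10:
            doc[key], pos = struct.unpack_from("<i", data, pos)[0], pos + 4
        elif kind == 0x12:
            doc[key], pos = struct.unpack_from("<q", data, pos)[0], pos + 8
        else:
            raise ValueError(f"unsupported BSON type 0x{kind:02x}")
    return doc


def build_op_msg(command, request_id=1):
    """Wrap a command document in an OP_MSG with one type-0 section."""
    body = struct.pack("<I", 0) + b"\x00" + bson_encode(command)   # flagBits=0, kind=0
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body


def parse_op_msg(message):
    """Return the reply document carried by an OP_MSG."""
    opcode = struct.unpack_from("<iiii", message, 0)[3]
    if opcode != OP_MSG:
        raise ValueError(f"unexpected opcode {opcode}")
    return bson_decode(message[21:])          # 16-byte header + flagBits + section kind


def classify(reply):
    """Turn the answer to an unauthenticated listDatabases into a verdict."""
    if reply.get("ok") == 1 and "databases" in reply:
        return "EXPOSED", [db.get("name") for db in reply["databases"]]
    if reply.get("code") == 13 or reply.get("codeName") == "Unauthorized":
        return "AUTH_REQUIRED", []
    return "UNKNOWN", []


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host, port=27017, timeout=5.0):
    """Send listDatabases without credentials and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        head = recv_exact(sock, 4)
        message = head + recv_exact(sock, struct.unpack("<i", head)[0] - 4)
    return classify(parse_op_msg(message))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed host
    print(*probe(target))
```

An EXPOSED verdict means anyone who can reach the port can enumerate and dump every collection, which is exactly what indexing by Shodan and BinaryEdge turned into a public leak here. The fix lives in mongod.conf: set net.bindIp to the interfaces that actually need access rather than 0.0.0.0, and set security.authorization to enabled so that listDatabases returns code 13 (Unauthorized) to the anonymous caller. Servers older than 3.6 do not speak OP_MSG and will close the connection or return an error; the nmap mongodb-databases script covers those.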

 

Hackers Using Zero-Width Spaces To Bypass MS Office 365 Protection*:

  • Security researchers have been warning about a simple technique that cybercriminals and email scammers are already using in the wild to bypass security features of Microsoft Office 365, including Safe Links, which is designed to protect users from malware and phishing attacks.
  • Safe Links has been included by Microsoft in Office 365 as part of its ATP (Advanced Threat Protection) solution that works by replacing all URLs in an incoming email with Microsoft-owned secure URLs.
  • Therefore, every time users click on a link provided in an email, Safe Links first sends them to a Microsoft owned domain, where it immediately checks the original link for anything suspicious.
  • If Microsoft’s security scanners detect any malicious element, it then warns the users about it, and if not, it redirects them to the original link.
  • However, researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365’s URL reputation check and the Safe Links URL protection feature by using zero-width spaces (ZWSPs).
  • Supported by all modern web browsers, zero-width spaces are non-printing Unicode characters that are typically used to mark line-wrapping opportunities inside long words; most applications treat them as a regular space even though they are not visible to the eye.
  • According to the researchers, attackers simply insert multiple zero-width spaces within the malicious URL in their phishing emails, breaking the URL pattern so that Microsoft no longer recognizes it as a link.
  • However, when end users clicked the link in the email, they landed on a credential-harvesting phishing website.
  • Researchers also provided a video demonstration showing what happened when they sent a malicious URL to an Office 365 inbox without any ZWSP characters inserted in the URL and with ZWSP characters inserted into the URL.
  • The Z-WASP attack is another link in a chain of exploits, including the baseStriker and ZeroFont attacks, that are designed to obfuscate malicious content and confuse Office 365 security.
  • The security firm discovered the Z-WASP attack on more than 90 percent of Avanan’s Office 365 customers and reported the issue to Microsoft on November 10th last year after confirming its nature.
  • Avanan then worked with the Microsoft security team continuously on assessing the scope of the vulnerability, which was then addressed on January 9th.

*Source: The Hacker News, January 10, 2019
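A scanner-side check for the obfuscation described above, as an added example (not Avanan’s or Microsoft’s code): it compares what a URL matcher finds in a message body with what it finds after invisible characters are removed, so a link that exists only after normalisation is itself the indicator. The phishing body is constructed; the check strips every Unicode format character (category Cf) rather than only U+200B, which also covers zero-width joiners, word joiners, byte-order marks and soft hyphens.

```python
"""Detect URLs that zero-width characters have split so that a link
scanner no longer sees them.

Added example, not Avanan's or Microsoft's code. The phishing body is
constructed; the URL pattern accepts only RFC 3986 characters, which is
what makes a naive matcher blind to the obfuscated link."""
import re
import unicodedata

URL_RE = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")

# Constructed phishing text: scheme and host are broken up with U+200B.
SAMPLE_BODY = ("Your mailbox is almost full. Verify your account at "
               "ht\u200btps://login.\u200bexample-bank.\u200btest/reset within 24 hours.")


def strip_format_chars(text):
    """Remove invisible Unicode format characters (category Cf), U+200B included."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def scan(body):
    """Compare the URLs a naive matcher sees with the URLs it sees after
    normalisation, and report any link that only appears afterwards."""
    naive = URL_RE.findall(body)
    normalised = URL_RE.findall(strip_format_chars(body))
    hidden = [u for u in normalised if u not in naive]
    format_chars = sorted({f"U+{ord(ch):04X}" for ch in body
                           if unicodedata.category(ch) == "Cf"})
    return {
        "naive": naive,                  # what a pattern-based scanner would check
        "normalised": normalised,        # what the victim's client effectively gets
        "hidden_urls": hidden,
        "format_chars": format_chars,
        "verdict": "suspicious" if hidden else "clean",
    }


if __name__ == "__main__":
    for body in (SAMPLE_BODY, "Agenda: https://example.test/meeting"):
        print(scan(body))
```

The point for defenders is that reputation lookups and Safe Links-style rewriting must run on the normalised text, and that a body whose naive and normalised URL lists differ deserves quarantine regardless of what the link’s reputation says; the same comparison applies to href attributes in HTML parts, where the invisible characters are just as easy to hide.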

 

Reddit Alerts Users To Possible Account Breaches*:

  • Popular social media platform Reddit has notified users that some of them have been locked out of their accounts because of suspicious activity.
  • It was most likely the users’ own fault, the company said, but engineers were working to fix the problem.
  • Some security experts noted that the reported activity fit the profile of a specific attack.
  • In an emailed statement to Dark Reading, Jarrod Overson, director of engineering at Shape Security, wrote, “Whenever there is a massive account takeover wave unrelated to a system compromise, it is very likely it is due to a credential stuffing attack.”
  • He explained that credential stuffing involves using automated tools to use usernames and passwords stolen from one site to try to gain access to another.
  • Overson noted, “Accounts that have built up credibility on services like Reddit are extremely valuable for criminals. They can use those accounts to push malicious content, to exploit other users, and coordinating masses of accounts can make content appear to go viral legitimately.”
  • In the blog post notifying users of the issue, Reddit recommended that users use strong passwords unique to each service they frequent, and enable two-factor authentication whenever possible.

*Source: Dark Reading, January 10, 2019
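A detection rule for the attack Overson describes, as an added example (not Reddit’s or Shape Security’s logic): over constructed authentication log lines it flags a source address that, within a ten-minute window, tries at least 20 distinct accounts with a success rate of 10% or less, and reports the accounts it did get into, which are the ones to lock. The log format, the IP addresses (documentation ranges) and the thresholds are assumptions.

```python
"""Spot a credential-stuffing run in authentication logs.

Added example, not Reddit's or Shape Security's detection. Log format and
log lines are constructed. The rule: one source address that, in a short
window, tries many distinct accounts and almost always fails is replaying a
leaked list; a real user who mistypes hits one account a few times, then
succeeds."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def constructed_log():
    """Sample lines: one clumsy legitimate user and one stuffing run."""
    t0 = datetime(2019, 1, 9, 3, 0, 0)
    lines = []
    for i, result in enumerate(("fail", "fail", "ok")):
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} auth {result} user=alice ip=203.0.113.5")
    for i in range(30):          # 30 leaked pairs replayed, two of which still work
        result = "ok" if i in (11, 27) else "fail"
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} auth {result} user=user{i:03d} ip=198.51.100.7")
    return lines


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines, window=timedelta(minutes=10), min_users=20, max_success_rate=0.1):
    """Return {ip: stats} for every source that, in some sliding window,
    touched at least min_users distinct accounts with a success rate at or
    below max_success_rate. The successes inside that window are accounts
    whose leaked credentials still work and should be locked."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(parse(lines)):
        by_ip[ip].append((ts, result, user))
    flagged = {}
    for ip, events in by_ip.items():
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, _, u in win}
            hits = sorted(u for _, r, u in win if r == "ok")
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(win),
                            "compromised_accounts": hits}
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect(constructed_log()).items():
        print(ip, stats)
```

The distinct-account count is what separates stuffing from a single user who mistypes a password. In practice the same rule is also run per /24 and per ASN, because stuffing tools rotate through proxies, and the response that follows should throttle the source rather than lock the victims’ accounts, since an attacker who can trigger lockouts at will has found a second attack.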