An Email Marketing Company Left 809 Million Records Exposed Online*:

  • Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes of detailed, plaintext marketing data—including 763 million unique email addresses.
  • The trove is not only massive but also unusual; it contains data about individual consumers as well as what appears to be “business intelligence data,” like employee and revenue figures from various companies.
  • This diversity may stem from the information’s source.
  • The database, owned by the “email validation” firm Verifications.io, was taken offline the same day Diachenko reported it to the company.
  • Validators play a crucial role in the email marketing industry.
  • They don’t send out marketing emails on their own behalf, or facilitate automated mass email campaigns.
  • Instead, they vet a customer’s mailing list to ensure that the email addresses in it are valid and won’t bounce back.
  • Some email marketing firms offer this mechanism in-house.
  • But fully verifying that an email address works involves sending a message to the address and confirming that it was delivered—essentially spamming people.
  • In general, the 809 million total records in the Verifications.io trove include standard information like names, email addresses, phone numbers, and physical addresses.
  • But many also include things like gender, date of birth, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and characterizations of people’s credit scores (like average, above average, and so on).
  • Meanwhile, other records in the collection seem related to generating sales leads at businesses, including company names, annual revenue figures, fax numbers, company websites, and industry identifiers for categorizing companies called “SIC” and “NAIC” codes.
  • The data doesn’t contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io’s own infrastructure.
  • Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.
  • In the exposed database, the researchers also found some of what appear to be Verifications.io’s own internal tools like test email accounts, hundreds of SMTP (email sending) servers, the text of emails, anti-spam evasion infrastructure, keywords to avoid, and IP addresses to blacklist.
  • Much remains unknown about the database and Verifications.io, because the company is difficult to track. 
  • Much of the data in the database is publicly available, though it’s not clear that all of it is.
  • When the researchers asked in the portal for the name of the owner of the company and the legal name of the company, someone wrote back declining to answer.
  • Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches.
  • He says that 35 percent of the trove’s 763 million email addresses are new to the HaveIBeenPwned database.
  • The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year.
  • Hunt says some of his own information is included in the Verifications.io exposure.
  • As with recent data exposures from the business data aggregator Apollo and the marketing firm Exactis, there’s not a lot you can do to individually protect yourself when vast repositories of data compiled from both public and private sources leak.
  • Check HaveIBeenPwned to see if your data was in the Verifications.io exposure, and continue your general vigilance about using strong, unique passwords, monitoring your financial statements, and giving out your Social Security number as infrequently as possible.
  • But also know that none of those measures provide a full solution to this society-scale problem.
  • The disjointed nature of the exposed Verifications.io data speaks to the chaotic state of the data industry overall. 
  • People’s personal information is shared by massive companies like Facebook, bought and sold by shady marketers, or stolen from data giants and doomed to circulate endlessly in the purgatory of criminal forums.
  • The churn makes it difficult for consumers to control who has their data and where it ends up.

*Source: Wired, March 07, 2019

 

Facebook Messenger Bug Let Other People See Who You’d Been Talking To*:

  • In November, researchers discovered a Facebook bug that allowed websites to extract data from users’ profiles thanks to a security flaw relating to cross-site frame leakage (CSFL).
  • In a blog post, Imperva security researcher Ron Masas explains how a CSFL attack could exploit the properties of iFrame elements to determine the state of an application.
  • Running this process through individual Messenger contacts would yield one of two states, full or empty, indicating whether a user had ever communicated with that contact or not.
  • That’s essentially the extent of the flaw.
  • It wasn’t able to retrieve conversations or pull data from chat histories— it simply produced binary data with very limited applications for nefarious individuals.
  • Nonetheless, Masas made Facebook aware of the bug, and given its connection to the previous, more serious flaw, Facebook has since decided to remove all iFrames from the Messenger user face completely.

*Source: EnGadget, March 07, 2019                        

 

Top 7 Security And Risk Management Trends For 2019 – Gartner*:

  • Risk appetite statements are becoming linked to business outcomes
    • As IT strategies become more closely aligned with business goals, the ability for security and risk management (SRM) leaders to effectively present security matters to key business decision makers gains importance.
    • Create simple, practical and pragmatic risk appetite statements that are linked to business goals and relevant to board-level decisions.
  • Security operations centres are being implemented with a focus on threat detection and response
    • The shift in security investments from threat prevention to threat detection requires an investment in security operations centres (SOCs) as the complexity and frequency of security alerts grow.
    • The need for SRM leaders to build or outsource a SOC that integrates threat intelligence, consolidates security alerts and automates response cannot be overstated.
  • Data security governance frameworks will prioritise data security investments
    • Data security is a complex issue that cannot be solved without a strong understanding of the data itself, the context in which the data is created and used, and how it is subject to regulation.
    • Rather than acquiring data protection products and trying to adapt them to suit the business need, leading organisations are starting to address data security through a data security governance framework (DSGF).
  • Passwordless authentication is achieving market traction
    • Passwordless authentication, such as Touch ID on smartphones, is starting to achieve real market traction.
    • The technology is being increasingly deployed in enterprise applications for consumers and employees, as there is ample supply and demand for it.
  • Security product vendors are increasingly offering premium skills and training services
    • The number of unfilled cyber-security roles is expected to grow from 1 million in 2018 to 1.5 million by the end of 2020, according to Gartner.
    • While advancements in artificial intelligence and automation certainly reduce the need for humans to analyse standard security alerts, sensitive and complex alerts require the human eye.
  • Investments being made in cloud security competencies as a mainstream computing platform
    • The shift to cloud means stretching security teams thin, as talent may be unavailable and organisations are simply not prepared for it.
    • Gartner estimates that the majority of cloud security failures will be the fault of the customers through 2023.
  • Increasing presence of Gartner’s CARTA in traditional security markets
    • A key component to CARTA is to continuously assess risk and trust even after access is extended.
    • Email and network security are two examples of security domains where solutions increasingly focus on detecting anomalies even after users and devices are authenticated.

*Source: Fin24, March 09, 2019

 

Cookie Walls Don’t Comply With GDPR, DUTCH DPA*:

  • Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.
  • The DPA said it has received dozens of complaints from internet users who had had their access to websites blocked after refusing to accept tracking cookies — so it has taken the step of publishing clear guidance on the issue.
  • It also says it will be stepping up monitoring, adding that it has written to the most-complained-about organizations (without naming any names) — instructing them to make changes to ensure they come into compliance with GDPR.
  • Europe’s General Data Protection Regulation, which came into force last May, tightens the rules around consent as a legal basis for processing personal data — requiring it to be specific, informed and freely given in order for it to be valid under the law.
  • Of course consent is not the only legal basis for processing personal data, but many websites do rely on asking internet visitors for consent to ad cookies as they arrive.
  • And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained.
  • So, in other words, a “data for access” cookie wall isn’t going to cut it.
  • In light of this clarification, the cookie wall on the Internet Advertising Bureau (IAB)’s European site looks like a textbook example of what not to do — given the online ad industry association is bundling multiple cookie uses under a single “I AGREE” option.
  • It does not offer visitors any opt-outs at all.
  • If the user does not click “I I AGREE” they cannot gain access to the IAB’s website. So there’s no free choice here. It’s agree or leave.
  • The IAB told us no data protection agencies had been in touch regarding its cookie wall.
  • Asked whether it intends to amend the cookie wall in light of the Dutch DPA’s guidance, a spokeswoman said she wasn’t sure what the team planned to do yet — but she claimed GDPR does not “outright prohibit making access to a service conditional upon consent”; pointing also to the (2002) ePrivacy Directive which she claimed applies here, saying it “also includes recital language to the effect of saying that website content can be made conditional upon the well-informed acceptance of cookies.”

*Source: Tech Crunch, March 08, 2019

 

Data Privacy, Right To Delete Rule Passes Washington Senate*:

  • The Washington Senate has passed a broad package of data privacy protections, including rules that would give consumers the right to delete data about them held by private companies.
  • The measure would require businesses or other entities that control or process the identifiable data of more than 100,000 people to allow consumers to find out what data is stored about them, correct errors or request deletion.
  • The measure would also set rules for facial recognition technology for both state and private users.
  • Lawmakers approved the proposal on a 46-1 vote Wednesday, with even legislators normally critical of government intervention voting in favor.
  • It now goes to the House for consideration.
  • The measure also garnered support from many Senate Republicans.
  • Doug Ericksen, a Ferndale Republican, voiced concerns about the measure, saying that he would prefer a unified federal regulatory scheme, and that he worried about overcomplicated regulations creating compliance costs that box out smaller businesses.
  • But Ericksen said Wednesday that he thought the merits of the bill outweighed its risks, and that he would vote for it.
  • Along with the data protection rules, the proposal also includes rules for the use of facial recognition technology.
  • Businesses that want to use the software to analyze the faces of customers or others in public places would have to post signs warning that the technology was in use, and employ human reviewers before making decisions based on facial matches.
  • And state agencies would be restricted from using the technology without a warrant.
  • Along with the 100,000-person threshold for the data handling rules, including the option for consumers to delete their data, the proposal also contains a provision for entities that control or use smaller amounts of consumer data.

*Source: AP News, March 07, 2019

 

Citrix Investigating Unauthorized Access To Internal Network*:

  • On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network.
  • Citrix has taken action to contain this incident.
  • We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.
  • Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly.
  • In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.
  • While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents.
  • The specific documents that may have been accessed, however, are currently unknown.
  • At this time, there is no indication that the security of any Citrix product or service was compromised.
  • While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords.
  • Once they gained a foothold with limited access, they worked to circumvent additional layers of security.
  • Citrix deeply regrets the impact this incident may have on affected customers.
  • Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities.

*Source: Citrix Press Release, March 08, 2019