Bought A Car Recently? 198 Million Car Buyer Records Exposed In Massive Data Leak*:


  • Jeremiah Fowler, a senior security researcher at Security Discovery, turned detective after coming across the same 413GB dataset multiple times.
  • “It was clear that this was a compilation of potential car buyers wanting more information,” Fowler said, as the data included “loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more.”
  • Initially, he wondered if this could be an automobile sales directory of some kind, as there were links to websites that appeared to be a mixture of lead-generation sites and small dealerships.
  • However, further investigation revealed that all the website domains linked back to the same place: dealerleads.com.
  • According to the DealerLeads website, the company has “collected and purchased popular automobile relevant domains based on search terms used by car buyers,” for 20 years.
  • The DealerLeads system aims to drive 1st generation leads directly to the websites of car dealers, claiming conversion rates of 18% compared to 3rd party leads that convert at 5%-7%.
  • The unsecured database was found to contain 198 million records including names, email addresses, phone numbers, street addresses along, “other sensitive or identifiable information exposed to the public internet in plain text.”
  • “This breach once again highlights the advantage adversaries have against defenders,” said Israel Barak, the chief information security officer at Cybereason.
  • Jonathan Knudsen, a senior security strategist at Synopsys, said that “all that was needed was a simple policy that every internet-facing system needs password protection, data encryption, or other fundamental protections.”
  • These simple, fundamental security policies, costing little to implement, “can dramatically reduce risk and provide a springboard to implementing a more comprehensive software security initiative,” Knudsen said.

*Source: Forbes, September 15, 2019


Database leaks data on most of Ecuador’s citizens, including 6.7 million children*:


  • The personal records of most of Ecuador’s population, including children, have been left exposed online due to a misconfigured database, ZDNet has learned.
  • The database, an Elasticsearch server, was discovered two weeks ago by vpnMentor security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet.
  • The leaky server is one of the biggest, if not the biggest, data breaches in Ecuador’s history; the small South American country has a population of 16.6 million citizens.
  • The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country’s total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.
  • There’s data that appears to have been gathered from government sources, and data that appears to have been gathered from private databases.
  • ZDNet verified the authenticity of this data by contacting some users listed in the database. The database was up to date, containing information as recent as 2019.
  • We were able to find records for the country’s president, and even Julian Assange, who once received political asylum from the small South American country, and was issued a national ID number (cedula).
  • When it came time to track down the source of this leak, both ZDNet and vpnMentor independently reached the same source, namely a local company named Novaestrat.
  • The database was eventually secured later last week, but only after vpnMentor reached out to the Ecuador CERT (Computer Emergency Response Team), which served as an intermediary.
  • This is the second major leak of user data originating from a South American country in as many months. In August, ZDNet reported about a similar Elasticsearch server that exposed the voter records of 14.3 million Chileans, around 80% of the country’s entire population.

*Source: ZDNet, September 16, 2019

Chicago brokerage to pay $1.5 million for cyber attack lapses: U.S. CFTC*:


  • The U.S. Commodity Futures Trading Commission (CFTC) said on Friday that a Chicago-based futures brokerage will pay a total of $1.5 million for letting cybercriminals breach the firm’s email systems and withdraw $1 million from a customer’s account.
  • Phillip Capital Inc (PCI) neither admitted nor denied the CFTC’s findings or conclusions, the CFTC said in a settlement with the firm.
  • The case, which stems from a February 2018 phishing attack, illustrates the vulnerability of financial services firms to cyber-attacks and how lapses in following the procedures for responding to a cyber attack can spur trouble with regulators.
  • PCI violated U.S. regulations by, among other things, failing to disclose the breach to customers, the CFTC said.
  • The penalty includes $1 million in restitution to the customer defrauded by the attack and a $500,000 penalty.
  • In the attack, PCI’s information technology engineer received a phishing email sent from the compromised account of a financial security company and entered login credentials in response, unaware that the credentials were going to the cybercriminals.
  • PCI, part of Singapore-based Phillip Capital Group, learned about the transfer three days later, when the defrauded customer called to ask why $1 million had been wired from its account.
  • The agency found that PCI’s chief compliance officer was not familiar with technology or cybersecurity and could not adequately evaluate whether the firm’s cybersecurity policies and training were adequate, the CFTC said.
  • PCI has since notified customers about the breach and taken steps to improve its cybersecurity, the CFTC said.

*Source: Reuters, September 13, 2019

Lion Air the Latest to Get Tripped Up by Misconfigured AWS S3*:


  • A breach that reportedly exposed data on millions of passengers of two Lion Air airline subsidiaries is another example of the massive exposure that organizations face from leaving data in poorly secured cloud storage.
  • The breach — like hundreds of others — resulted when files containing the Indonesian airlines’ passenger names, passport numbers, birth dates, home addresses, and other data were left openly accessible in an Amazon Web Services (AWS) storage bucket.
  • The data belonged to passengers of Malindo Air and Thai Lion Air. A Dark Web operator known as Spectre later dumped four files — two containing data from Malindo and two with data on Thai Lion Air — online, South China Morning Post (SCMP) reported this week.
  • Malindo Air confirmed the breach in a statement on its website but did not provide any details on the scope of the compromise.
  • The company said it was in the midst of notifying passengers about the data compromise while adding that no payment card details had been exposed in the incident.
  • The Lion Air breach is one of many involving Amazon’s S3 storage service. Some of them have been massive in scope and resulted from victim organizations themselves not properly securing access to their data in S3.
  • In an August blog, UpGuard pointed to two product features it said could trip up S3 users.
  • One of them is the predefined “Authenticated Users” ACL grantee: if misunderstood, it grants access to any authenticated AWS account anywhere, not just accounts belonging to the bucket owner, so another user can see the content of the bucket.
  • The second issue has to do with people misunderstanding how S3 access control lists (ACLs) and the bucket policies governing access to storage buckets work and interact, the vendor said.
  • “There’s no excuse for leaving data unprotected in AWS storage,” says Tim Erlin, vice president of product management and strategy at Tripwire. “This isn’t a new problem, and it’s not a technically complex issue to address.”

*Source: DarkReading, September 19, 2019
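The two UpGuard points above (the “Authenticated Users” grantee and the ACL-versus-policy confusion) are easy to check mechanically. The following Python is an added example written for this digest, not code from UpGuard, Tripwire or the article; it takes the same JSON shapes that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return and flags grants or statements that expose a bucket. The sample ACL and policy are constructed; the bucket name, canonical ID and VPC endpoint ID in them are placeholders.

```python
import json

# S3's two predefined ACL groups. "AuthenticatedUsers" is the trap: it means
# any AWS account anywhere, not only accounts you own.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_findings(acl):
    """Return (grantee_label, permission) for every ACL grant to a global group.

    `acl` is the dict `aws s3api get-bucket-acl` (or boto3 get_bucket_acl)
    returns; grants to specific canonical users are not flagged.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            findings.append(("AllUsers (anonymous)", grant["Permission"]))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("AuthenticatedUsers (any AWS account)", grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """Return (status, action) for every Allow statement granted to everyone.

    `policy` may be the policy dict or the JSON string get-bucket-policy
    returns. status is "open" when the statement has no Condition and
    "conditional" when a Condition (aws:SourceIp, aws:SourceVpce, ...) may still
    narrow it; conditional statements need a human look, not an automatic pass.
    NotPrincipal, NotAction and explicit Deny statements are not evaluated here.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        status = "conditional" if stmt.get("Condition") else "open"
        findings.extend((status, action) for action in actions)
    return findings


def is_exposed(acl, policy):
    """Exposed if any global-group ACL grant or any unconditional everyone-Allow exists."""
    if acl_findings(acl):
        return True
    return any(status == "open" for status, _ in policy_findings(policy))


# Constructed sample input mimicking the CLI output; IDs and names are placeholders.
_OWNER_ID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_ACL = {
    "Owner": {"ID": _OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": _OWNER_ID}, "Permission": "FULL_CONTROL"},
        # The mistake UpGuard describes: "Authenticated Users" READ on the bucket.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-passenger-exports/*"},
        {"Sid": "ListFromVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-passenger-exports",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

if __name__ == "__main__":
    for label, perm in acl_findings(SAMPLE_ACL):
        print(f"ACL: {perm} granted to {label}")
    for status, action in policy_findings(SAMPLE_POLICY):
        print(f"policy: {action} allowed to everyone ({status})")
    print("EXPOSED" if is_exposed(SAMPLE_ACL, SAMPLE_POLICY) else "ok")
```

Two caveats when using this for real: a bucket-level `READ` grant lets the grantee list the bucket, but object reads are governed by each object's own ACL (`get-object-acl`) and the policy, so a clean bucket ACL alone proves little; and account-level S3 Block Public Access, which AWS has offered since late 2018, overrides both mechanisms and is the control to switch on first. The script only reports what the bucket's own configuration says.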

Court Rules That ‘Scraping’ Public Website Data Isn’t Hacking*:


  • Scraping public data from a website doesn’t constitute “hacking,” according to a new court ruling that could dramatically limit abuse of the United States’ primary hacking law.
  • The ruling comes after a lengthy battle between data analytics firm HiQ Labs and Microsoft-owned LinkedIn, which have been at each other’s throats for several years over HiQ Labs’ practice of scraping the business social networking website’s public-facing data, then selling it (fused with other datasets) to a laundry list of employers.
  • In the ruling by the Ninth Circuit Court of Appeals, the court shot down LinkedIn’s claim that access to this public data violated the Computer Fraud and Abuse Act (CFAA).
  • In its declaration, the court ruled that to violate the CFAA, somebody would need to actually “circumvent [a] computer’s generally applicable rules regarding access permissions, such as username and password requirements,” meaning it’s not really hacking if you’re not bypassing some kind of meaningful authorization system.
  • The CFAA is quite often abused by creative prosecutors to bring charges against targets that may not actually have much to do with computer hacking.
  • HiQ Labs makes its money by scraping information on LinkedIn profiles that LinkedIn users have set to be viewable to the broader internet.
  • Wanting monetization of this data all to itself, LinkedIn sent a cease-and-desist letter to HiQ and other companies starting in 2016, threatening to sue.
  • This latest decision finally puts many questions to bed, pending appeal. Electronic Frontier Foundation Senior Staff Attorney Andrew Crocker told Motherboard that the ruling was by and large a good thing.
  • Dylan Gilbert, a privacy expert at the consumer group Public Knowledge also applauded the ruling but told Motherboard that the United States still needs a cohesive privacy law giving consumers not only transparency into the scope of datasets being collected but control over how this data is used.
  • LinkedIn is likely to file an appeal and given there remains some circuit court splits on the scope of the CFAA, a Supreme Court ruling will likely have to clarify things down the road.


*Source: Vice, September 11, 2019

Hacker Exposes Data of 24 Million Lumin PDF Users*:


  • A hacker has published a download link to the entire user database of Lumin PDF, totaling more than 24 million users, on a hacking forum.
  • The hacker claimed the data was obtained from a MongoDB database belonging to Lumin PDF, which was left exposed without a password in April this year.
  • “Vendor was contacted multiple times, but ignored all the queries,” wrote the hacker on the forum, adding: “The data was later destroyed by ransomware, and the server was taken down soon after.”
  • Most of the published data showed the users’ names, email addresses, (language) locale settings, and a hashed password string or Google access token.
  • However, the data of nearly 120,000 users contained “password strings that appear to have been hashed using the Bcrypt algorithm, suggesting these are users who registered an account on the Lumin PDF website.”
  • Lumin PDF users are advised to revoke the app’s access to their Google Drive account; users who registered with a password should also change it, and change it anywhere else it was reused, since the bcrypt hashes are now public.

*Source: SecAlerts, September 16, 2019