- Incident -

Last update 09.10.2017 13:51:08

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6  7  8



HR Software company PageUp victim of a Data Breach, experts fear a domino effect
6.6.2018 securityaffairs Incindent

HR Software Firm PageUp is the last victim of a data breach, the company has 2.6 million active users across over 190 countries.
Another day another data breach makes the headlines, this time the victim is the HR Software Firm PageUp. PageUp is an Australian company with 2.6 million active users across over 190 countries.

The company notified the incident to its customers, informing them that it has launched a forensic investigation with the support from an independent 3rd party firm.

The company has notified the breach to law enforcement and data regulators in Australia and the United Kingdom.

According to the firm, on May 28 attackers accessed to internal records may continuing customer data, including names, contact information, usernames, and password hashes. Other sensitive data, including signed employment contracts and resumes, are not affected because they are stored on servers that were not affected by the security breach.

“On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing.” reads the data breach notification published by the company.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,”

At the time, the firm did not disclose technical details about the security breach, it only confirmed that its systems were infected by a malware.

“we can share that the source of the incident was a malware infection. The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment.” continues the notification.

Just after the news of the breach, some of the company that uses the PageUp service have shut down their online recruitment pages and notified job applicants

According to the Australia Post, data potentially impacted by the incident may include:

Bank details
Tax File Number and superannuation details
Diversity information
Emergency contact information
Conditions of offer and employment
Address
Mobile phone number
Questions relevant to the job such as if you have Work Rights or an Australian citizenship
Education and work experience
License number
PageUp

After the incident, the Australian telecoms giant Telstra suspended its online recruitment and notified the issue to the applicants.

“The online recruitment system we use is currently unavailable.
We are aware of a security incident with one of our vendors, PageUp, a company that provides us software services used as part of our employee recruitment processes.” states the security advisory published by Telstra,

“We are among a number of organisations who use PageUp. PageUp has provided more information here. We have held discussions with PageUp to understand any possible impact to the security of the services they provide”

Unfortunately, many other organization may have been impacted by the incident.


At least 90,000 Canadian bank customers may have been affected by two data breach
30.5.2018 securityaffairs Incindent  

On Monday, Two Canada’s five largest banks, the Bank of Montreal (BMO) and Simplii Financial, informed their customers they are investigating a data breach.
The security breach suffered by the Bank of Montreal (BMO) may have impacted less than 50,000 of the overall 8 million customers, the incident suffered by Simplii Financial may have exposed information of 40,000 clients.

“Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen — something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks.” reads the post published by CBC.

“CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank’s customers.”

Exposed data allegedly includes social insurance numbers, dates of birth, and financial information.

Canadian Banks data breach

In both cases, hackers contacted the bank trying to blackmail them and requested a $1 million ransom from each bank to avoid data disclosure.

BMO excluded the involvement of insiders, it has contacted authorities and notified the incident to potentially affected customers.

“On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers. We believe they originated the attack from outside the country.” reads a press release published by BMO.

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation.”

Simplii has not yet confirmed the data breach but informed customers that it’s investigating the issue and has already implemented “enhanced online fraud monitoring and online banking security measures.”

“Simplii Financial is advising clients that it has implemented additional online security measures in response to a claim received on Sunday, May 27, 2018 that fraudsters may have electronically accessed certain personal and account information for approximately 40,000 of Simplii’s clients.” states the security advisory published by the bank.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, Senior Vice-President, Simplii Financial. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

The bank has reassured its customers that any economic damage will be fully reimbursed.

In addition, Simplii recommends that clients:

Always use a complex password and pin (e.g. not 12345)
Monitor their accounts for signs of unusual activity
At the time, we cannot exclude that hackers were able to obtain customer data of the two Canadian Banks in other ways, for example collecting them from other data breaches or by targeting customers with spear phishing campaign.


Major Canadian Banks Investigating Data Breach Claims
29.5.2018 securityweek Incindent 

Two major Canadian banks informed customers on Monday that they launched an investigation after hackers claimed to have obtained personal and account information as a result of a data breach.

The targeted organizations are the Bank of Montreal (BMO) and Simplii Financial, the direct banking brand of the Canadian Imperial Bank of Commerce (CIBC). Both BMO and CIBC are among Canada’s five largest banks.

BMO believes the incident impacts less than 50,000 of its 8 million customers, and Simplii Financial says hackers may have obtained information on roughly 40,000 clients.

Both banks were contacted by hackers on Sunday. Individuals claiming to be behind the attacks told Canadian media outlets they had demanded a $1 million ransom from each bank. If the organizations refuse to pay, the information, which allegedly includes social insurance numbers, dates of birth, and financial information, would be sold to fraudsters.

BMO, which believes the attack originated from outside the country, says it has contacted authorities and potentially impacted customers.

While neither of the banks have confirmed suffering a data breach, BMO says it’s “confident that exposures identified related to customer data have been closed off.” Simplii says it’s taking the claim seriously and it has quickly implemented “enhanced online fraud monitoring and online banking security measures.”

Simplii has found no evidence that customers who bank through CIBC directly are impacted. “If a client is a victim of fraud because of this issue, we will return 100% of the money lost from the affected bank account,” the company stated.

While hackers may have gained access to the systems of Simplii and BMO, overblown claims are not uncommon in extortion schemes. There is also the possibility that the data is legitimate, but was obtained by cybercriminals through other means, such as phishing, rather than by directly breaching the banks.

On the other hand, hackers breaching the systems of banks is not unheard of. Financial organizations in the United States, Mexico, India, Russia, and Taiwan were targeted recently in sophisticated cyberattacks and had either millions of dollars or sensitive customer information stolen.


A bug in T-Mobile site allowed anyone see any customer’s account details
27.5.2018  securityaffairs  Incindent  Hacking

A flaw in T-Mobile’s website allowed anyone to access the personal account details of any customer by providing their mobile number.
The bug discovered by the researcher Ryan Stevenson resides in the T-Mobile subdomain promotool.t-mobile.com used by the staff as a customer care portal to access the company’s internal tools.

The promotool.t-mobile.com subdomain contained a hidden API that would return customer data simply by invoking it with the customer’s cell phone number as a parameter.

The data leak was caused by the lack of any authentication mechanism for calling the API, in this way anyone could have had access to any customer record including full name, postal address, billing account number, and in some cases information about tax identification numbers.

The exposed records also included references to account PINs used by customers as a security question when they contact the customer case, this means that an attacker could use that information to impersonate a customer and take over its account.

“Although the API is understood to be used by T-Mobile staff to look up account details, it wasn’t protected with a password and could be easily used by anyone.” reported ZDnet.

“The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.”

t-mobile-data leak

Searching for the portal on the Wayback Machine we can verify that the subdomain is online at least since October.

Stevenson reported the flaw to the telco giant in early April, the company quickly disabled the API and awarded the researcher of $1,000 under its bug bounty program.

“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.” said T-Mobile spokesperson.

“The bug was patched as soon as possible and we have no evidence that any customer information was accessed,” the spokesperson added.

This isn’t the first time that T-Mobile discovered such kind of issues, in October Motherboard reported another API accessible from a different T-Mobile subdomain.

In February, Motherboard journalist Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking reporting that T-Mobile customers were victims of an info disclosure exploit.


Coca-Cola data breach has affected about 8,000 workers
27.5.2018  securityaffairs Incindent

Coca-Cola discovered a security breach in September when law enforcement officials notified it that a former employee at a Coca-Cola subsidiary was found in possession of an external hard drive containing worker data.
Coca-Cola announced a data breach after a former employee was found in possession of worker data on a personal hard drive. In compliance with state laws, the company is notifying the data breach to the affected employees via letter.

The company discovered the security breach in September when law enforcement officials notified it that a former employee at a Coca-Cola subsidiary was found in possession of an external hard drive.

Coca-Cola supported the investigation conducted by law enforcement, it confirmed the authenticity of the documents that contained personal information of some workers.

The company did not disclose the incident immediately at the request of authorities who were investigating the data breach.

Following state laws, the company is now sending notification letters to affected employees.

According to a company spokesman, the data breach has affected about 8,000 workers.

“We are issuing data breach notices to about 8,000 individuals whose personal information was included in computer files that a former employee took with him when he left the company,” a company spokesperson told Bleeping Computer.

“We take information security very seriously, and we sympathize with everyone whose information may have been exposed. We regret any inconvenience or concern this may be causing them. We do not have any information to suggest that the information was used to commit identity theft.”

As usually happens in these cases, Coca-Cola is offering free identity monitoring for one year to affected employees.

Back in 2014, Coca-Cola warned some 74,000 employees and other individuals that their personal information was compromised due to the theft of several company laptops.


200 Million Sets of Japanese PII Emerge on Underground Forums
19.5.2018 securityweek Incindent

A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.

Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.

The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

The data, which the security researchers believe to be authentic, appears to have been acquired between May and June 2016, though data in one folder suggests some of it was obtained in May and July 2013, FireEye explains in a report shared with SecurityWeek.

Apparently, several actors commented on the advertisement, saying they were interested in purchasing the dataset, but they also provided negative feedback, claiming they did not receive the advertised product.

The dataset contains “at least 200 million lines of data from a possible range of 11 to 50 Japanese websites,” and FireEye discovered that the data is highly varied and not available through publicly available data sources.

Furthermore, analysis of the leak suggested that much of the data was genuine, given that most of the email addresses out of a random sample of 200,000 were previously seen in major leaks, thus unlikely to have been fabricated.

“Since we did not observe most of the leaked data in any dataset as coming from one specific leak or on any publicly available website, this also indicates that the actor is unlikely to have bought or scraped the information from data leaks and resold it as a new product,” FireEye explains.

In another sample of 190,000 credentials, 36% contained duplicate values, the researchers say. Furthermore, a significant number of fake email addresses was observed, suggesting that the actual number of real and unique credentials and sets of PII is lower than advertised.

Filenames in the dataset included “a Japanese food brand, an unnamed online handbag shop, an unnamed adult website, an unnamed shipping company, a gaming website, a beauty company, and other references,” the researchers reveal.

The exfiltrated data includes information usually associated with websites with customer login and profile information, and the actor appears to have had access only to data normally stored on servers connected to a website or web portal.

What the security researchers couldn’t verify, however, was that the exfiltrated data indeed came from the claimed sources. The actor might have labeled the files in the data leak using the names of Japanese websites, but the researchers believe the individual had little incentive to falsify the data sources.

The hacker appears to have been actively selling website databases on Chinese underground forums since at least 2013 and FireEye experts found two personas likely tied to the individual through a common QQ address connected to a person living in China’s Zhejiang province.

The actor was observed selling data stolen from websites in China, Taiwan, Hong Kong, European countries, Australia, New Zealand, and North American countries.

However, because the actor has a “significant portion of negative reviews on underground forums,” the sold information could be fabricated or might have been sold before. The negative reviews claimed that the individual either did not deliver data or did not provide the expected product.

“Since much of this information has been previously leaked in large-scale data leaks, as well as the possibility that it has been previously sold, we anticipate that this dataset will not enable new large scale malicious activity against targeted entities or individuals with leaked PII,” FireEye says.


Hackers Steal '$15.3 Million' From Mexico Financial System
17.5.2018 securityweek Incindent

Hackers who targeted Mexico's interbank payment system made off with more than $15 million in the past several weeks, the Bank of Mexico said Wednesday.

The amount of funds involved in the irregular activity totaled "approximately 300 million pesos ($15.3 million)," central bank governor Alejandro Diaz de Leon told reporters.

He said commercial bank customers' accounts were never in danger.

An investigation is under way, the governor said, without indicating if the suspected hackers were domestic or international.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Lorenza Martinez, director general of the corporate payments and services system at the central bank, said on Monday.

Martinez revealed that at least five attacks had occurred but, at that time, said the amount taken was still being analyzed.

After the attacks were detected, banks switched to a slower but more secure method.


Rail Europe North America hit by payment card data breach
16.5.2018 securityaffairs Incindent

Rail Europe North America (RENA) notifies customers of a security breach, crooks compromised its website with a malware used to siphon payment card data.
The website allows users to buy European train tickets, according to the company the data breach lasted at least three months (between November 29, 2017 and February 16, 2018), the incident exposed also customers’ payment card data.

“Rail Europe North America Inc. (“RENA” or “we”) is writing to let you, as a customer of RENA, know about a recent data security incident that may have involved your credit card or debit card information and other personal information” reads the notice sent by the company to its customers.

“On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our ecommerce websites’ IT platform. Upon discovery that this malicious intrusion may have compromised users’ personal information, we immediately cut off from the Internet all compromised servers on February 16, 2018, and engaged information security experts to assist with forensic analysis, system restoration and security hardening”

According to the notice of data breach, hackers accessed registered users’ personal information including name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password.

Rail Europe North America hack

The security breach was discovered after a bank inquiry informed the organization of an attack.

“In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website,” said Comparitech privacy advocate Paul Bischoff. “While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”

RENA replaced and rebuilt all compromised systems from known safe code, it also removed any potentially untrusted components. The IT staff changed passwords on all systems and applications, improved security controls and renewed digital certificates.

“RENA has also provided notice to the credit card brands and our credit/debit card transaction processors.” continues the notice.
“In addition, we are offering identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed id theft recovery services.”


Chili's Restaurants Hit by Payment Card Breach
14.5.2018 securityweek Incindent

People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.

While the investigation is ongoing, initial evidence suggests that a piece of malware collected payment card data from some Chili’s restaurants in March and April 2018. The malware apparently harvested credit and debit card numbers as well as cardholder names from payment systems used for in-restaurant purchases.

Brinker noted that it does not collect social security numbers, dates of birth or other personal information.

“We immediately activated our response plan upon learning of this incident,” the company stated. “We are working with third-party forensic experts to conduct an investigation to determine the details of what happened.”

Brinker believes the incident has been contained, but advised customers to keep an eye on their bank and credit card statements for any suspicious activity.The company has set up a web page where it will provide updates on this incident.

Chili’s is not the only major restaurant chain to disclose a payment card breach this year. RMH Franchise Holdings revealed in March that malware had been found on point-of-sale (PoS) systems at over 160 Applebee’s restaurants it operates as a franchise.

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Marketalso informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.


iVideon Russian-based video surveillance solution leaked data, hundreds of thousands of records exposed
13.5.2018 securityaffairs Incindent

Security researchers from Kromtech Security discovered a MongoDB install belonging to the Russian-based video surveillance firm Did iVideon open online.
The database included personal information for over 825,000 subscribers and partners.

Leaked records include logins, email addresses, password hashes, server names, domain names, IP addresses, sub accounts, software settings, and payment settings information (we did not see any credit card data) for both individual subscribers and partners.

iVideon is a multi-platform solution that allows subscribers to aggregate, access, view over the Internet, and record locally or to iVideon’s secure cloud storage, nearly any Internet capable CCTV camera, DVR system, baby monitor, web cam, nanny cam, or even phone, computer, and tablet cameras.

Below the tables included in the MongoDB archive:

servers.info: 12533 records
ivideon.servers: 810871 records
ivideon.partners: 132 records
ivideon.users: 825388 records
The experts reported their discovery to firm that promptly took the archive down.

According to iVideon the server was used for load testing of our auth APIs in Feb 2016, in 2017 the testing policy has been revised, so that such kind of security issues won’t happen again.

The Russian firm added that the archive included password hashes using the Bcrypt algorithm that is considered secure.

“The DB was populated with accounts & devices of several hundreds of Ivideon users marked for participation in beta-testing (Ivideon employees & external early adopters, mostly from Russia), copied multiple times to simulate some growth scenarios.” states the reply from iVideon shared by Kromtech Security.

“User info only included email, IP address and password hashes produced by a strong Bcrypt algorithm. No information related to payments, usage stats or means of getting access to user’s private data was present in the compromised DB. Partner data seen in the DB was real, containing only partner companies’ names and UI settings for their apps.”

The company was also the victim of an attack, hackers tried to blackmail it, unfortunately, attackers have left no info in the logs. Crooks demanded a .2 bitcoin ransom, the wallet they used received two payments probably made by other victims of the gang.

iVideon believes that exposed data do not pose a threat to its users or partners and downplayed the incident.

Kromtech Security applauded the company for its rapid response to the incident.

“We also definitely agree that one should not pay ransom in cases such as this, we’ve seen that it’s nothing but a scam. Their ability to quickly ascertain that only some of the deleted data was real and that aggregate traffic statistics on a router prove to them that it was not stolen will come as a relief to those who had real data in that database.” concluded Kromtech Security.

“Those users should also be pleased to know that they solved this issue in 2017 so that the data we found this year won’t be found again.”

Kromtech experts confirmed that data included in the archive appeared to be legitimate.

The researchers noticed that after they discovered and reported it to iVideon, and prior to the company taking it down, this database was compromised in the same fashion.

iVideon data leak


Australia's Biggest Bank Loses 20 Million Customer Records
4.5.2018 securityweek  Incindent

Australia's troubled Commonwealth Bank admitted Thursday it had lost financial records for almost 20 million customers in a major security blunder -- but insisted there was no need to worry.

The nation's biggest company said it could not find two magnetic data tapes that stored names, addresses, account numbers and transaction details from 2000 to 2016.

National broadcaster ABC said the records were supposed to have been destroyed by a sub-contractor after the decommissioning of a data centre, but the bank never received documentation to confirm this happened.

The lender assured customers there was no need to worry as the tapes did not contain passwords, PINs or other data that could be used for fraudulent purposes.

It said in a statement after the incident was exposed by Australian media that an independent forensic investigation in 2016 "determined the most likely scenario was the tapes had been disposed of".

It said the issue was not cyber-related and there was no compromise of its technology platforms, systems, services, apps or websites and no evidence of customer harm.

But ongoing monitoring of the 19.8 million customer accounts involved is continuing, just in case.

"We take the protection of customer data very seriously and incidents like this are not acceptable," said Angus Sullivan, acting group executive for the lender's retail banking services.

"I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause."

He added customers had a 100 percent security guarantee against fraud where it was not their fault.

"The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion," Sullivan added.

"We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.

"We concluded, given the results of the investigation, that we would not alert customers."

But Prime Minister Malcolm Turnbull called it "an extraordinary blunder" and said people should have been told.

"It's hard to imagine how so much data could be lost in this way," he said.

"Maintaining data security is of vital importance for everybody, whether it's the private sector or governments and if there is a serious data breach or loss, the people affected should be advised so they can take steps to protect themselves," he said.

The latest revelations cap a troublesome few months for Commonwealth Bank.

On Tuesday, a report by the country's financial services regulator slammed it for a complacent culture and ineffective board after a series of scandals.

The banking giant has been embroiled in claims it broke anti-money laundering and counter-terrorism financing laws and is also facing court over alleged rigging of the benchmark interest rate, which is used to set the price of domestic financial products.

Alongside Australia's three other major lenders -- National Australia Bank, Westpac and ANZ -- it is also under scrutiny in a royal commission looking into misconduct in the finance industry.


Australia’s Commonwealth Bank lost 20 Million customer records
4.5.2018 securityaffairs Incindent

Australia’s biggest bank, the Commonwealth Bank, disclosed a major security incident that exposed financial records for almost 20 million customers.
According to the Commonwealth Bank representatives, two magnetic data tapes were lost, both stored customers’ records, including names, addresses, account numbers and transaction details from 2000 to 2016.

According to the broadcaster ABC, the data were supposed to have been destroyed when a sub-contractor after the dismantled a data centre. The sub-contractor did not provide the bank the documentation to confirm this the disruption of the magnetic data tapes, anyway the bank tried to downplay the situation confirming that the records don’t include passwords, PINs or other financial or sensitive information.

Commonwealth Bank

According to an independent forensic investigation conducted in 2016 “the most likely scenario was the tapes had been disposed of,” anyway it was not a data breach and banking systems were not compromised by attackers.

“We take the protection of customer data very seriously and incidents like this are not acceptable,” announced Angus Sullivan, acting group executive for the lender’s retail banking services.

“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”

The Commonwealth Bank is continuing to monitor the accounts of the affected customers providing them full coverage against frauds and other fraudulent activities.

“The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion,” said Sullivan.

“We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.

“We concluded, given the results of the investigation, that we would not alert customers.”

Prime Minister Malcolm Turnbull defined the case “an extraordinary blunder.”

“It’s hard to imagine how so much data could be lost in this way,” he said.

“Maintaining data security is of vital importance for everybody, whether it’s the private sector or governments and if there is a serious data breach or loss, the people affected should be advised so they can take steps to protect themselves,” he said.

The case is the last of a string of adverse events that affected the Commonwealth Bank. the banking giant “has been embroiled in claims it broke anti-money laundering and counter-terrorism financing laws and is also facing court over alleged rigging of the benchmark interest rate, which is used to set the price of domestic financial products.”


Former SunTrust Employee Steals Details on 1.5 Million Customers
23.4.2018 securityweek Incindent

A former employee stole data on 1.5 million customers, Atlanta-based SunTrust Banks announced on Friday.

The employee appears to have stolen data from some of the company's contact lists, the company says. SunTrust is already informing impacted clients and is working with outside experts and coordinating with law enforcement on investigations.

The stolen information includes names, addresses, and phone numbers, along with certain account balances, as this was the data included in the contact lists, the company confirmed.

Personally identifying information such as social security numbers, account numbers, PINs, User IDs, passwords, or driver's license information wasn’t included in the lists.

“We apologize to clients who may have been affected by this. We have heightened our monitoring of accounts and increased other security measures. While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result,” Bill Rogers, SunTrust chairman and CEO, said.

Rogers also underlined that the company is focused on protecting its customers and that it is determined to help all SunTrust clients to combat the increasing concern about identity theft and fraud. SunTrust is now offering Identity Protection for all current and new consumer clients, the company announced.

In an emailed comment to SecurityWeek, Brian Contos, CISO at Verodin, pointed out the importance of ensuring that security solutions aren’t merely designed to detect and report suspicious activity, but are also optimized to protect against the theft of sensitive data.

“Organizations need to be able to validate the efficacy of their security controls across their production environments and instrument them in order to get value. Anything else is simply guesswork and assumptions, and as long as that’s the norm, data theft will continue to be commonplace,” Contos said.

James Lerud, head of the Behavioral Research Team, Verodin, pointed out to SecurityWeek that organizations spend a lot of time and energy into preventing hackers from penetrating their systems, but often forget about internal threats.

“Companies should ask themselves if those controls can be applied internally as well. For example, do their SQL injection prevention measures work when the source is internal rather than external? Defending against adversaries with internal access is arguably more important because it restricts lateral movement while also protecting against insider threats," Lerud said.


Health Stream left exposed online a database containing contact data for roughly 10,000 medics
23.4.2018 securityweek Incindent

An IT professional has discovered that the US healthcare company Health Stream left exposed online contact information for roughly 10,000 medics.
The IT expert Brian Wethern has discovered that the US healthcare company Health Stream left exposed online a database containing contact information for roughly 10,000 medics.

Wethern reported his discovery to Health Stream ten days ago, he explained that the data are hosted one of the websites that have been removed.

Health Stream

Records in the archive left open online includes last names of medics connected to Health Stream’s Neonatal Resuscitation Program, their email addresses, and ID numbers.Health Stream

The site hosting the medics’ records was taken offline shortly after Wethern reported the data leak, but even if the website is no more accessible, leaked data are still available in different online caches.

Leaked data could be used by threat actors to launch a spear phishing campaign against medics at Health Stream.

“What I found was a front-side database,” Wethern told El Reg. “I don’t need their passwords … because I have the front-side database.”

Wethern decided to disclose the data leak to warn of the risks of such kind of incidents and highlight the importance of reserving a budget for cybersecurity of IT infrastructure.

“Hire a basic researcher, first and foremost. Allow your company to budget for these types of intrusions,” Wethern added.

“And before this all happens, make sure to have a data breach summary in place. Be current with bug bounty programs, own up to your mistakes, and honor the fact that security researchers can be good people out to do good things.”

Health Stream did not comment the data leak.


SunTrust unfaithful employee may have stolen data on 1.5 Million customers
22.4.2018 securityaffairs Incindent

SunTrust Banks Inc announced it discovered that a former employee may have attempted to download information on nearly 1.5 million clients and share it a criminal organization.
A former employee at the SunTrust Bank may have stolen data on 1.5 million clients, including names, addresses, phone numbers, and account balances.

“The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed.” reads the press release published by the bank.

“The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement.”

The bank said it believes the information doesn’t include personally identifiable information, such as social security numbers, account numbers, pins, user IDs, passwords or driver’s license numbers.

SunTrust is notifying approximately 1.5 million clients that certain information may have been exposed.

SunTrust

According to the Reuters agency, the unfaithful employee tried to download the client data a few weeks ago in an attempt to sell it to a criminal.

“Chief Executive Officer William Rogers brought the incident to light on a post-earnings call with analysts on Friday. He said the attempt to download client information was made six to eight weeks ago.” reported the Reuters.

SunTrust CEO William Rogers said that there was no indication of fraudulent activity using the exposed information, likely the data had not been sent outside the bank.

The SunTrust is now offering free identity protection services to all of its clients.

“SunTrust Banks, Inc. (NYSE: STI) is now offering Identity Protection for all current and new consumer clients at no cost on an ongoing basis. Experian IDnotify™ will be provided to those who sign up for the service.” continues the press release.

“The IDnotify product by Experian is being offered in addition to existing SunTrust security protocols: ongoing monitoring of accounts, FICO score program, alerts, tools and zero liability fraud protection.”


Data Aggregator LocalBlox Exposes 48 Million Records
20.4.2018 securityweek Incindent

48 million records containing detailed personal information of tens of millions of people were exposed to the Internet after data-gathering company LocalBlox left a cloud storage repository publicly available.

The personal and business data search service gathered and scraped the exposed data from multiple sources, UpGuard security researchers discovered. The exposed information includes individuals’ names, physical addresses, and dates of birth, along with data scraped from LinkedIn, Facebook, Twitter, and more.

LocalBlox co-founder Ashfaq Rahman has already confirmed that the exposed information indeed belongs to the company.

Because the exposed information combines personal data with details on the people’s Internet usage, it builds “a three-dimensional picture of every individual affected,” UpGuard says.

Armed with this data, one would not only know who the affected individuals are, but also what they talk about, what they like, even what they do for a living. This information can be used to target users with ads or political campaigning, but can also expose them to identity theft, fraud, and social engineering scams.

The exposed data was stored in an Amazon Web Services S3 bucket that was configured for Internet access and was publicly downloadable. On February 18, when UpGuard discovered it, the bucket contained a 1.2 TB ndjson (newline-delineated json) file that was compressed to a 151.3 GB file.

After downloading and analyzing the file, UpGuard discovered that it belonged to LocalBlox. The company was informed on the issue on February 28 and the bucket was secured later that day.

The file was found to contain 48 million records, each in json format and separated by new lines. The security researchers also discovered that the real estate site Zillow was used in the data gathering process, “with information being somehow blended from the service's listings into the larger data pool.”

Exposed source fields revealed where the scraps of data were collected from.

“Some are fairly unambiguous, pointing to aggregated content, purchased marketing databases, or even information caches sold by payday loan operators to businesses seeking marketing data. Other fields are more mysterious, such as a source field labeled ‘ex’,” the security researchers note.

Some of the data came from Facebook and included data points such as pictures, skills, lastUpdated, companies, currentJob, familyAdditionalDetails, Favorites, and mergedIdentities, along with a field labeled allSentences, which suggested that the information was scraped from the Facebook html and not through an API.

The main issue that this incident reveals is the ease at which data can be scraped from Facebook.

“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent,” UpGuard notes.

Another issue this incident brings to the spotlight is that third-parties often target data from popular websites and monetize the information in new ways, perhaps without the knowledge of the impacted individuals (and likely without the website’s – in this case Facebook – knowledge either).

LocalBlox says it is “the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles.” Thus, the exposed data represents the actual product the company offers: psychographic data that can be used to influence users.

There’s a clear business interest in this type of data harvesting, processing, and resale, meaning that massive and intrusive data sets clearly exist, for both companies and political parties to leverage when looking to influence people.

“What should be a wonder is that these datasets aren’t better secured and administered. This exposure was not the result of a clever hack, or well-planned scheme, but of a simple misconfiguration of an enterprise asset— an S3 storage bucket— which left the data open to the entire internet. The profitability gained by data must come with the responsibility of protecting its integrity and privacy,” UpGuard also points out.


Nigerian Hackers Attempt to Steal Millions From Shipping Firms
20.4.2018 securityweek Incindent

Secureworks has recently discovered a threat actor whose business email compromise (BEC) campaigns focus solely on global maritime shipping companies and their customers.

Named GOLD GALLEON, the group is said to have attempted to steal at least $3.9 million from their intended victims between June 2017 and January 2018 alone. Overall, the group attempts to steal an average of $6.7 million per year, the security researchers say.

As part of the BEC social engineering scheme, actors usually employ spear-phishing emails to steal email credentials of individuals responsible for handling business transactions. This allows them to intercept emails between involved parties, modify financial documents, and redirect funds to attacker-controlled bank accounts.

Alongside business email spoofing (BES) fraud, BEC continues to cause significant losses globally, in the order of billions of dollars per year.

To gather email account credentials and launch attacks, GOLD GALLEON uses various commodity remote access tools featuring keylogging and password-stealing functionality. However, the attackers also test malware on their own systems and keep track of their tools’ detection rates, Secureworks reports.

Likely based in Nigeria, the group targets not only shipping organizations, but also companies that provide ship management services, port services, and cash to master services.

Typically located all around the world and operating in different time zones, companies involved in shipping industries often rely entirely on email for conducting business transactions, which makes some of these organizations highly susceptible to BEC fraud methods.

GOLD GALLEON consists of at least 20 criminals collectively carrying out BEC campaigns targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. They use tools, tactics, and procedures (TTPs) similar to those of other BEC/BES groups, including publicly available remote access Trojans (RATs), crypters, and email lures.

The organization has several senior individuals who coordinate and allocate tasks to other individuals, who often handle the purchase of new tools, and also coach inexperienced members. Each member is responsible for a different task, such as RAT obfuscation, victim email monitoring, and the like.

The group uses a proxy and privacy services to disguise its origin, but evidence strongly suggests the attackers operate out of Nigeria. They appear to be regularly connecting to the Internet via Nigeria-based infrastructure, and were observed using Nigerian Pidgin English in conversations carried out via instant messenger services.

While analyzing the group's usernames, passwords, and other artifacts, Secureworks researchers concluded that members of GOLD GALLEON are strongly connected to a popular fraternity in Nigeria dubbed the Buccaneer Confraternity (originally established to support human rights and social justice, a subgroup of the fraternity is said to have engaged into criminal activities).

“The group follows a common operational pattern often relying on low-tier, free, or inexpensive tools. What it lacks in technical prowess is made up for in social engineering, agility, and persistence. Despite technical challenges and minimal investments in cybercrime tools, infrastructure, and automation, the group's profit margins are orders of magnitude greater than its initial investment,” Secureworks says.

The group likely identifies target email addresses through reconnaissance of publicly available contact information, but it might also use commercially available marketing tools that scrape email addresses from company websites. The threat actors occasionally purchase email lists of target businesses, the researchers say.

After accessing a target’s inbox, the attackers use the free tool EmailPicky to extract contacts from the address book and all of the email addresses the target has had an exchange with. The tactic appears to have been extremely fruitful for the actors, as many of the harvested contacts are in the maritime shipping industry.

Spear-phishing emails carrying malicious attachments are delivered to the intended victims in an effort to deploy a RAT. The group uses tools such as the Predator Pain, PonyStealer, Agent Tesla, and HawkEye keyloggers. Next, the attackers monitor the victim’s email account to intercept business transactions and redirect funds by simply modifying the bank details in the seller’s invoice.

The group also purchased domains closely resembling the buyer’s or seller's company name and also registered email accounts containing a variation of the target's name, which allowed them to impersonate either party.

During their investigation, Secureworks researchers were able to interrupt dozens of BEC fraud attempts and notify victims to prevent transfers. They also reported the identified attacker-controlled accounts to banks, to stop fraudulent use. Overall, the researchers averted losses of more than $800,000.

“The monetary losses [caused by BEC] can be significant to the victims and the affected businesses. In some cases, the victims are unaware of what is happening until it is too late. Organizations in some industries (in this case shipping) may be exposed to heightened risk as threat actors focus their attempts toward industries that are more susceptible to these techniques,” Secureworks concludes.


At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store
20.4.2018 securityaffairs Incindent

A security researcher has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.
The security researcher Andrey Meshkov, co-founder of Adguard, has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The fake Ad blockers are

AdRemover for Google Chrome™ (10 million+ users)
uBlock Plus (8 million+ users)
[Fake] Adblock Pro (2 million+ users)
HD for YouTube™ (400,000+ users)
Webutation (30,000+ users)
The five extensions are clone versions of well-known Ad Blockers, searching for Ad Blockers in Google Chrome Store we can notice that crooks used popular keywords in the extension description in the attempt to display them in the top search results.

“t’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them).” wrote Meshkov.

“Just look at the search results. All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the “authors”. Instead of using tricky names they now spam keywords in the extension description trying to make to the top search results.”

malicious ad blockers

The analysis of the code of the Ad Blockers revealed that the developers just added a few lines of code and some analytics code to the code of the legitimate extension.

Meshkov reported his discovery to Google that immediately removed all from the Chrome Store.

The malicious code includes a modified version of jQuery library that hides the code to load the coupons.txt a strange image from a third-party domain http://www[.]hanstrackr[.]com.
The jQuery library includes a script that is able to send information about some websites visited by the users back to a remote server.

“This hidden script was listening to every request made by your browser and compared md5(url + “%Ujy%BNY0O”) with the list of signatures loaded from coupons.txt. When the said signature was hit, it loaded an iframe from the g.qyz.sx domain passing information about the visited page, and then re-initialized the extension.” continues the expert.

The expert noticed that the default image/script does nothing malicious, but it can be changed at any time to perform malicious activity. It is executed in the privileged context (extension’s background page), in this way it has full control of the browser.

The remote server sends commands to the malicious extension, which are executed in the extension ‘background page’ and can change your browser’s behavior in any way.

“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov added. “The browser will do whatever the command center server owner orders it to do.”

Meshkov has scanned other extensions on the Chrome WebStore and found four more extensions developed with a very same approach.

Be careful of what you install, install only necessary extensions from trusted developers and company.


Private Intelligence agency LocalBlox leaked 48 Million personal data records
20.4.2018 securityaffairs Incindent

The private intelligence agency LocalBlox has left unsecured online an AWS bucket containing 48 million records that were also harvested from Facebook, LinkedIn, and Twitter.
Oops … another data breach made the headlines and once again it was discovered by data leak hunters at Upguard. The private intelligence agency LocalBlox has left unsecured online an AWS bucket containing 48 million records that were collected in part from Facebook, LinkedIn, and Twitter.

“The UpGuard Cyber Risk Team can now confirm that a cloud storage repository containing information belonging to LocalBlox, a personal and business data search service, was left publicly accessible, exposing 48 million records of detailed personal information on tens of millions of individuals, gathered and scraped from multiple sources.” reads the blog post published by UpGuard.

The AWS S3 bucket was discovered by the popular expert Chris Vickery, director of cyber risk research at UpGuard, on February 18, it was exposed at the subdomain “lbdumps.”

The bucket contained a single 151.3 GB compressed file titled “final_people_data_2017_5_26_48m.json,” which, once decompressed, revealed a 1.2 TB ndjson (newline-delineated json) file.

Localblox data leak 2

The analysis of metadata in a header file allowed the researchers to attribute it to LocalBlox.

The records include names, physical addresses, dates of birth harvested from the social media. The first thought is for the recent Cambridge Analytica case.

“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent. The exposed LocalBlox dataset combines standard personal information like name and address, with data about the person’s internet usage, such as their LinkedIn histories and Twitter feeds.” continues the blog post.

The leaked data were collected from multiple sources and aggregated by IP addresses, for example, names, street addresses, dates of birth, job histories were harvested from LinkedIn, Facebook, Twitter, and Zillow real estate data.

Other sources are purchased databases and payday loan operators. This discovery demonstrates that many other entities scrape social media to gather user data for different purposes.

“Some are fairly unambiguous, pointing to aggregated content, purchased marketing databases, or even information caches sold by payday loan operators to businesses seeking marketing data. Other fields are more mysterious, such as a source field labeled “ex.”” continues the post.

“The presence of scraped data from social media sites like Facebook also highlights an important fact: all too often, data held by widely used websites can be targeted by unknown third parties seeking to monetize this information,”.

This case is double-shocking … the company not only harvests user data from social networks that are not able to detect its activity but is also failed security this data.

LocalBlox still hasn’t commented the data leak.


Great Western Railway asks users to reset passwords due to a security breach
14.4.2018 securityaffairs Incindent

The British train company Great Western Rail announced it has suffered a security breach that affected at least 1,000 accounts out of more than a million.
The company owned by the FirstGroup transport business runs trains between London, Penzance, and Worcester

Great Western Rail is urging affected customers to change the password used to access the GWR.com portal, it also informed the UK Information Commissioner’s Office.

Attackers used credential stuffing to access the accounts, this means that hackers attempted to access the accounts by using credentials leaked from other data breaches.

The company is now extending the incident response measure to other account holders.

“We have identified unauthorised automated attempts to access a small number of GWR.com accounts over the past week,” a spokesman told the BBC.

“While we were able to shut this activity down quickly and contact those affected, a small proportion of accounts were successfully accessed.”

“The success rate of the automated logins was extremely low, suggesting any passwords used were likely harvested elsewhere,”

In the following image is reported a data breach notification received by a customer.

GWR notification

The messages inform users that Great Western Rail has reset all GWR.com passwords as a precaution.

“To ensure the security of your personal information you will need to do this when you next log in to the GWR.com website.” reads the message.

“You should use a unique password for each of your accounts for security, and we recommend you review all of your accounts for maximum security, and we recommend you review all your online passwords and change any that are the same.”

If you are a Great Western Rail user change your password and change the password for each website where you used the same credentials.

As usual, let me suggest using a strong password and enable two-factor authentication when available.


25 Million U.S. Individuals Impacted by 2016 Uber Hack
14.4.2018 securityweek Incindent

The 2016 data breach that Uber made public in November 2017 impacted over 25 million riders and drivers in the United States, the Federal Trade Commission (FTC) reveals.

The hack, which the ride-sharing company kept silent about for a year, impacted more than 57 million users globally. Hackers managed to access data stored on an Amazon Web Services (AWS) account and steal names, email addresses and mobile phone numbers of customers around the world.

In February this year, Uber chief information security officer said that two individuals living in Canada and Florida were responsible for the massive data breach.

In an attempt to cover up the hack, Uber paid the attackers $100,000 through its third-party “bug bounty” program, which was designed to reward those who responsibly disclose vulnerabilities, rather than those who maliciously exploit them.

The company came under scrutiny after the hack was made public in November 2017, and even became the target of a US criminal investigation. The data breach was revealed only three months after Uber agreed to implement new data protection measures in a settlement with the FTC over a 2014 incident.

Now, the Commission says the ride-sharing company has agreed to expand the proposed settlement and that it will be subject to additional requirements. Under the new settlement, Uber could be subject to civil penalties if it doesn’t notify the FTC of future breaches in due time.

In a revised complaint (PDF) issued this week, the FTC claims hackers used an access key an Uber engineer had posted on a code-sharing website to access consumer data on a third-party cloud provider’s servers in November 2016.

The complaint alleges that attackers downloaded unencrypted files that provided them with access to over 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. individuals.

The revised order (PDF) not only compels Uber to disclose certain future incidents involving consumer data, but also requires the company to submit to the Commission “all the reports from the required third-party audits of Uber’s privacy program rather than only the initial such report.”

Uber is also required to retain records related to bug bounty reports on security bugs that could result in unauthorized access to consumer data.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” Acting FTC Chairman Maureen K. Ohlhausen said.

“The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” Ohlhausen continued.


Uber agrees to new FTC settlement over 2016 data breach
13.4.2018 securityaffairs Incindent

Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach, the authorities could assign civil penalties against the company if it will fail to share incident data with FTC.
Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach.

“Uber Technologies, Inc. has agreed to expand the proposed settlement it reached with the Federal Trade Commission last year over charges that the ride-sharing company deceived consumers about its privacy and data security practices.” states the FTC.

“Due to Uber’s misconduct related to the 2016 breach, Uber will be subject to additional requirements. Among other things, the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.”

In November 2017, the Uber CEO Dara Khosrowshahi announced that hackers broke into the company database and accessed the personal data of 57 million of its users, the disconcerting revelation was that the company covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.

Rather than to notify the data breach to customers and law enforcement as is required by California’s data security breach notification law, the chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed

uber

In 2017 the FTC charged the company for deceiving customers with its privacy and data security practices.

The first settlement dated back August 2017, according to the FTC, the company failed to apply security measures to protect customers and drivers data, later while investigating the settlement, the Commission discovered that the company did not disclose the 2016 data breach before 2017.

According to the new settlement with the Federal Trade Commission, Uber is obliged to disclose any future breach affecting consumer data and share reports from required third-party audits of its privacy program.

The company must maintain records related to bug bounty activities, the authorities could assign civil penalties against the company in case it will fail to implement the above actions.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”


Finland's 3rd Largest Data Breach Exposes 130,000 Users' Plaintext Passwords
12.4.2018 thehachernews Incindent 

Over 130,000 Finnish citizens have had their credentials compromised in what appears to be third largest data breach ever faced by the country, local media reports.
Finnish Communications Regulatory Authority (FICORA) is warning users of a large-scale data breach in a website maintained by the New Business Center in Helsinki ("Helsingin Uusyrityskeskus"), a company that provides business advice to entrepreneurs and help them create right business plans.
Unknown attackers managed to hack the website (http://liiketoimintasuunnitelma.com) and stole over 130,000 users’ login usernames and passwords, which were stored on the site in plain-text without using any cryptographic hash. Right after knowing of the breach on 3rd April, the company took down the affected website, which is currently showing "under maintenance" notice with a press release about the incident on its homepage.
"We are very sorry for all the people who have been subjected to crime and who may be affected by mental or financial disadvantages. Unfortunately, we are not yet able to know exactly how many people are and what information this information breaks. We have filed an offense report, and the parties do not need to report to the police separately," says Jarmo Hyökyvaara, Chairman of the Board of the New Business Center of Helsinki.
"The maintenance and security of our service was the responsibility of our subcontractor, our long-term partner. Unfortunately, the security of the service has not been enough to prevent this kind of attack. This is, in part, our mistake, and as a subscriber and owner of the service we are responsible for this."
The company also ensures that the detailed information of its customers was stored on a different system, which was not affected by the data breach.
The incident has been reported to the Helsinki police, who is currently investigating the case as a gross fraud.
As soon as the website returns, users who have an account with the affected website are strongly recommended to change their passwords.
Since the plain-text passwords have been exposed to hackers, it would be a great idea for users to change their passwords for any other website, in case they are using identical to the one used on this website.


Sodexo Filmology data breach – Users need cancel their credit cards
9.4.2018 securityaffairs Incindent

Sodexo food services and facilities management company notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform Sodexo Filmology.
Sodexo food services and facilities management company notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform, Filmology and it is urging them to cancel their credit cards.

The service rewards UK employee via discounted cinema tickets, the website was taken down in response to the incident “to eliminate any further potential risk” to consumers and to protect their data.

Sodexo Filmology

Sodexo Filmology reported the incident to the Information Commissioner’s Office and hired a specialist forensic investigation team.

“We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements,” reads the data breach notification issued by Sodexo Filmology.

“These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists.”

“We sincerely apologise for any inconvenience this has caused you and are doing all that we can to provide access to your benefits via alternative means. We will share more information on this with you, or your provider, in the coming days.”

Making a rapid search online, we can verify that the attack has been going on for several months, several employees reported fraudulent activities on the Money Saving Expert forum in February.

“After speaking to Filmology to ask exactly what had happened, I was informed that my bank details were stolen from the payment page and that the incident has been reported to the ICO. The hack on the payment page was carried out over 2 months and involved many accounts.” wrote the user Chris.


Best Buy Impacted by Payment Card Breach
7.4.2018 securityweek  Incindent

After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider [24]7.ai.

Similar to Delta and Sears, Best Buy contracted [24]7.ai for online chat/support services. The retailer says it will contact impacted customers and provide free credit monitoring if needed.

Best Buy has not specified exactly how many of its customers are impacted, but noted that “only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

San Jose, CA-based [24]7.ai provides customer acquisition and engagement solutions to organizations in a wide range of sectors and any of them could be impacted by this incident. Its website lists several major firms, but some of them apparently no longer do business with the company.

Delta has set up a dedicated page on its website and it has provided some new information regarding the incident. According to the airline, cybercriminals planted a piece of malware in [24]7.ai software, which captured some payment card data between September 26 and October 12, 2017.

“[The malware] made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date,” Delta explained.

The airline believes the incident may impact hundreds of thousands of customers, but it cannot say definitively whether any information has actually been stolen by the attackers.

It appears that the malware involved in this attack is capable of harvesting payment card information entered on websites that use the [24]7.ai chat software. Consumers may be impacted even if they have not directly used the chat functionality, which has only been leveraged as a point of entry to the websites of major organizations. These types of attacks have been common in the past years.

Sears Holdings, the company that owns the Sears and Kmart retail store brands, says the incident has impacted the credit card information of less than 100,000 customers.

Sears and Delta said they were only notified by [24]7.ai in mid and late March, several months after the breach had been supposedly contained.

Contacted by SecurityWeek, [24]7.ai said it could not provide any additional information about the breach, citing client confidentiality agreements.


Best Buy Hit by [24]7.ai Payment Card Breach
6.4.2018 securityaffairs Incindent

After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider [24]7.ai.

Similar to Delta and Sears, Best Buy contracted [24]7.ai for online chat/support services. The retailer says it will contact impacted customers and provide free credit monitoring if needed.

Best Buy has not specified exactly how many of its customers are impacted, but noted that “only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

San Jose, CA-based [24]7.ai provides customer acquisition and engagement solutions to organizations in a wide range of sectors and any of them could be impacted by this incident. Its website lists several major firms, but some of them apparently no longer do business with the company.

Delta has set up a dedicated page on its website and it has provided some new information regarding the incident. According to the airline, cybercriminals planted a piece of malware in [24]7.ai software, which captured some payment card data between September 26 and October 12, 2017.

“[The malware] made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date,” Delta explained.

The airline believes the incident may impact hundreds of thousands of customers, but it cannot say definitively whether any information has actually been stolen by the attackers.

It appears that the malware involved in this attack is capable of harvesting payment card information entered on websites that use the [24]7.ai chat software. Consumers may be impacted even if they have not directly used the chat functionality, which has only been leveraged as a point of entry to the websites of major organizations. These types of attacks have been common in the past years.

Sears Holdings, the company that owns the Sears and Kmart retail store brands, says the incident has impacted the credit card information of less than 100,000 customers.

Sears and Delta said they were only notified by [24]7.ai in mid and late March, several months after the breach had been supposedly contained.

Contacted by SecurityWeek, [24]7.ai said it could not provide any additional information about the breach, citing client confidentiality agreements.


1.5 Billion Sensitive Documents on Open Internet: Researchers
5.4.2018 securityweek Incindent

Some 1.5 billion sensitive online files, from pay stubs to medical scans to patent applications, are visible on the open internet, security researchers said Thursday.

Researchers from the cybersecurity firm Digital Shadows said a scanning tool used in the first three months of 2018 found mountains of private data online from people and companies across the world.

The unprotected data amounted to some 12 petabytes, or four thousand times larger than the "Panama Papers" document trove which exposed potential corruption in dozens of countries.

"These are files that are freely available" to anyone with minimal technical knowledge, said Rick Holland, a vice president at Digital Shadows.

Holland told AFP his team scanned the web and found unsecured files, adding "we didn't authenticate to anything."

The availability of open data makes it easier for hackers, nation-states or rival companies to steal sensitive information, Holland said.

"It makes attackers' jobs much easier. It shortens the reconnaissance phase," he added.

The researchers said in the report that even amid growing concerns about hackers attacking sensitive data, "we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured cloud storage, file exchange protocols, and file sharing services."

A significant amount of the data left open was from payroll and tax return files, which accounted for 700,000 and 60,000 files respectively, Digital Shadows said.

It noted medical files and lists were also weakly protected, with some 2.2 million body scans open to inspection.

Many corporate secrets were also out in the open including designs, patent summaries and details of yet-to-be-released products.

"While organizations may consider insiders, network intrusions and phishing campaigns as sources of corporate espionage, these findings demonstrate that there is already a large amount of sensitive data publicly available," the report said.

The researchers said about 36 percent of the files were located in the European Union. The United States had the largest amount for a single country at 16 percent, but exposed files were also seen around the world including in Asia and the Middle East.

About seven percent of the data was in "misconfigured" cloud Amazon cloud computing storage. Holland said the main problem was not in the cloud computing itself but how users manage their data.

In some cases, users "are backing up their data to the (open) web without knowing it," Holland said.

The majority of the files found by Digital Shadows were exposed by poor security practices in servers and file-sharing protocols.

"Third parties and contractors were among the most common sources of sensitive data exposure," the report said.


Delta, Sears Hit by Card Breach at Online Services Firm
5.4.2018 securityweek Incindent

Delta Air Lines, Sears Holdings and likely other major companies have been hit by a payment card breach suffered last year by San Jose, CA-based online services provider [24]7.ai.

In a brief statement published on Wednesday, [24]7.ai revealed that it had notified a “small number” of client companies of a security incident impacting payment card information. According to the firm, the intrusion occurred on September 26 and it was contained on October 12, 2017.

“We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers' online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed,” [24]7.ai said.

[24]7.ai provides customer acquisition and engagement solutions to organizations in a wide range of sectors, including agencies, education, financial services, healthcare, insurance, retail, telecom, travel and hospitality, and utilities. Its customers include Adobe, Copa Airlines, Duke Energy, Grainger, Merrill Lynch, Scotiabank, and Vodafone.

Two of [24]7.ai’s customers have come forward to date to inform customers that they have been hit by the security breach.

One of them is Delta, which told customers that their payment card information may have been compromised. The company said no other information, such as government IDs, passports, security or Skymiles details, was impacted.

“At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers' information was actually accessed or subsequently compromised,” Delta stated.

The airline, which used [24]7.ai’s online chat services, has promised to set up a dedicated page at delta.com/response where it will post updates regarding this incident.

Sears Holdings, the company that owns the Sears and Kmart retail store brands, says [24]7.ai has provided online support services. Sears believes the incident has impacted the credit card information of less than 100,000 customers.

“We believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised,” Sears stated. “Customers using a Sears-branded credit card were not impacted. In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24]7.ai has assured us that their systems are now secure.”

Sears and Delta said they only learned of the data breach from [24]7.ai in mid and late March, respectively. SecurityWeek has reached out to the vendor to find out why it has waited so long to notify impacted companies.


Female Suspect Dead, Several Hurt in YouTube Shooting
4.4.2018 securityweek Incindent

Chaos Amid Shooting at YouTube Headquarters

[UPDATE] Gunfire erupted at YouTube's offices in California Tuesday, leaving at least three people injured and sparking a panicked escape before the suspected shooter -- a woman -- apparently committed suicide.

Amid a chaotic scene in the city of San Bruno, a woman believed to be the shooter was found dead at the scene of the Google-owned video sharing service.

"We have one subject who is deceased inside the building with a self-inflicted wound," San Bruno Police Chief Ed Barberini told reporters. "At this time, we believe it to be the shooter."

Barberini mentioned "four victims" but it was not immediately clear if that included the shooter.

There was no immediate word on any motive.

Shootings by women are an extremely rare occurrence in the United States where the overwhelming majority of gun violence is carried out by men.

According to an FBI study that looked at 160 incidents involving one or more shooters in public places between 2000 and 2013 -- just six of the people who opened fire were women, a share of 3.8 percent.

Amid conflicting reports on casualties, Barberini said the injured "have been transported and are being treated for injuries that are treatable."

He said police had sealed off the building as they pursued the investigation and searched for any additional possible victims.

- Frantic escape -

Employees recounted frantic scenes as they fled YouTube's headquarters near San Francisco, with one saying he saw blood on the floor as he escaped.

"We were sitting in a meeting and then we heard people running because it was rumbling the floor. First thought was earthquake," employee Todd Sherman tweeted.

Sherman said that as he headed for an exit "someone said that there was a person with a gun," and added "at that point every new person I saw was a potential shooter."

Sherman's tweets continued: "I looked down and saw blood drips on the floor and stairs. Peeked around for threats and then we headed downstairs and out the front."

One image posted by a Twitter user showed employees being led out of the building with their hands up, with no further explanation.

Another YouTube employee, Vadim Lavrusik, tweeted: "Active shooter at YouTube HQ. Heard shots and saw people running while at my desk. Now barricaded inside a room with coworkers."

Later, Lavrusik said he had escaped to safety.

Witnesses reported helicopters on the scene as well as police SWAT teams.

The White House said President Donald Trump had been briefed and that his administration was monitoring the ongoing situation in San Bruno.

Shortly afterward, Trump tweeted, "Our thoughts and prayers are with everybody involved. Thank you to our phenomenal Law Enforcement Officers and First Responders that are currently on the scene."

YouTube headquarters is located some 30 miles (50 kilometers) from the main Google campus in Mountain View.

The shooting, which follows a series of deadly gun incidents at schools and elsewhere, comes amid heated debate on gun control measures in the United States.

An estimated 1.5 million people participated in demonstrations March 24 calling for stricter firearms measures following a deadly shooting in Parkland, Florida.

Organizers of the March for Our Lives sent a message of solidarity to the employees hit by Tuesday's shooting, tweeting "Our hearts are with you, @YouTube."


Panera Bread left millions of customer records exposed online for months
4.4.2018 securityaffairs Incindent

The website belonging to the Panera Bread restaurant chain, Panerabread.com, exposed personal information in plain text for months.
The company has more than 2,100 retail locations in the United States and Canada, its customers could order food online for pickup in stores or for delivery.

Panera Bread exposed the data at least for eight months after the company was first notified of the data leak.

On Monday, the popular security expert Brian Krebs reported a bug affecting the Panera’s website that left millions of customer records exposed in plain text.

Exposed data included names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards.

The company also exposed customer’s Panera loyalty card number, which could be used by scammers to spend prepaid accounts or to steal value from Panera customer loyalty accounts.

Panera Bread data breach

The disconcerting aspect of the story is that the issue was first notified to Panera Bread by the security researcher Dylan Houlihan on August 2, 2017.

In a first time the IT staff did not acknowledge the flaw, but after further investigation, the director of information technology Mike Gustavison told to the expert that the issue was fixed.

Houlihan verified that the issue was not fixed and on April 2nd reported it to Brian Krebs.

“Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.” states the blog post published by Krebs.

This incident is disconcerting for many aspects, such as the response of the company and the way it managed customers’ data.

Only after Brian Krebs contacted Panera Bread, the company took the website offline.

“It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.” continues Krebs.

“It’s also unclear whether any Panera customer account passwords may have been impacted.”

Panera told Fox Business that the data leak affected only about 10,000 records but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.

In a written statement, Panera declared it had fixed the problem within less than two hours of being notified by Brian Krebs, but the expert correctly asked why Panera did not explain why it has taken eight months to fix the issue after Houlihan reported it.


Grindr gay-dating app exposed millions of users’ private data, messages, locations
31.3.2018 securityaffairs  Incindent

According to an NBC report, the Grindr gay-dating app was affected by 2 security issues (now patched) that could expose the information of its more than 3 million daily users.
Every day we read of a new data breach, in some cases, exposed data could have a severe impact on the victim.

According to an NBC report, the Grindr gay-dating app was affected by 2 security issues (now patched) that could expose the information of its more than 3 million daily users.

An attacker could have exploited the feature to access location data, private messages to other users, and profile information, even if they’d opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working at his website C*ckblocked that allowed users to see who blocked them on Grindr.

Faden discovered that once a Grindr logged in his service, it was possible to access to a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

NBC noted that C*ckblocked exploited a “similar security loophole” to one that was recently used by Cambridge Analytica to create a profile of more than 50 million Facebook users.

“Grindr makes public the location of many of its users, but allows for users to opt out of this feature. Faden found that he could find the location of users who had opted out if they connected their Grindr profiles through his third-party website.” reported NBC.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden explained.

Grindr gay-dating app

Grindr confirmed it was aware of the issue discovered by Faden and it had addressed them. Faden shut down his service after Grindr changed its policy on access to data on which users had blocked other users.

Grindr recommends its users to avoid using Grindr logins for other apps or web services.

“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

The company published the following statement on its official Twitter account:

Grindr

@Grindr
As a company that serves the LGBTQ community, we understand the delicate nature of our users’ privacy. Ensuring safety and security of our users is of paramount importance to us and will continue to be our top priority.

5:40 AM - Mar 29, 2018
88
23 people are talking about this
Twitter Ads info and privacy
In the past, other experts found similar issues in the Grindr service, in 2014 researchers at cybersecurity firm Synack found that it allowed any user see the profiles and locations of people. Unfortunately, the problems were not completely fixed and two years after Wired published an interesting article about the experiments of experts that were still able to figure out users’ locations.


Hackers took down Baltimore 911 system during the weekend
29.3.2018 securityaffairs Incindent

Another US city hit by hackers, over the weekend, a cyber attack took down part of Baltimore 911 system for seventeen hours.
Part of its 911 service at the US city of Baltimore was taken down during the weekend by a cyber attack. The attackers targeted a specific server and took down the CAD system from 8.30am Saturday until around 2 am Sunday.

“Baltimore’s 911 dispatch system was hacked by an unknown actor or actors over the weekend, prompting a temporary shutdown of automated dispatching and an investigation into the breach, Mayor Catherine Pugh’s office confirmed Tuesday.” reported the Baltimore Sun.

“James Bentley, a spokesman for Pugh, confirmed that the Sunday morning hack affected messaging functions within the computer-aided dispatch, or CAD, system, but said the mayor would not otherwise comment on the matter Tuesday.”

911

The cyber attack shut down the emergency service’s Computer Aided Dispatch (CAD) that is used by 911 operators. No systems beyond the one CAD server were hit in the cyber attack, according to the media no data was exposed.

The function of the 911 service is essential to respond to any emergency and to direct police, fire, and ambulance to the place of an emergency.

During the attack, the 911 operators were forced to manually dispatch responders. 911 and 311 “were temporarily transitioned to manual mode.”

The attack was launched while thousands of protesters were participating in the nationwide march against gun violence.

City personnel were able to “isolate and take offline the affected server, thus mitigating the threat” of the hack, said Frank Johnson, chief information officer in the Mayor’s Office of Information Technology.

No systems beyond the one CAD server were hit by the cyber attack, and no data was exposed or stolen.

A few days ago, the networks of another major US city, Atlanta, were infected with a variant of the SamSam ransomware.


Thousands of etcd installs leak 750MB worth of passwords and keys
25.3.2018 securityaffairs Incindent

Thousands of etcd installations are currently leaking 750MB worth of passwords, keys, and sensitive data.
Thousands of servers belonging to private businesses and organizations are leaking credentials and potentially sensitive data.

It is quite easy for hackers to use the credentials to access the servers and steal sensitive data or use the machines to power cyber attacks.

According to the researcher Giovanni Collazo, querying the popular Shodan search engine he found almost 2,300 servers exposed online that were running etcd, which is a distributed key value store that provides a reliable way to store data across a cluster of machines.

This kind of database is usually used to store and distribute passwords and configuration settings among various servers and applications.

etcd implements a programming interface that could be queried and that by default return administrative login credentials without authentication.

Collazo wrote a simple script that ran through the 2,284 etcd servers he found open online by querying Shodan search engine and obtained all credentials stored on the servers.

“I did a simple search on shodan and came up with 2,284 etcd servers on the open internet. So I clicked a few and on the third try I saw what I was hoping not to see. CREDENTIALS, a lot of CREDENTIALS. Credentials for things like cms_admin, mysql_root, postgres, etc.” reads the post published by Collazo.

“In order to try to get a sense of the issue I downloaded the full shodan report and wrote a very simple script that basically called the etcd API and requested all keys. That’s basically equivalent to doing a database dump but over their very nice REST API.

GET http://<ip address>:2379/v2/keys/?recursive=true

This will return all the keys stored on the servers in JSON format.”

The expert stopped the script after it collected about 750 megabytes of data from 1,485 IPs. In the following table are reported the data retrieved by the researchers:

password 8781
aws_secret_access_key 650
secret_key 23
private_key 8
Collazo did not test the credentials but it is likely that many of them work and could be used to hack into the systems.

“Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform ransomware attacks.” Collazo wrote.

In order to keep etcd installs secure it is necessary to enable authentication and get them offline if not required. Another mitigation consists of setting a firewall rule to avoid unauthorized people querying etcd server.


Frost Bank Says Data Breach Exposed Check Images
21.3.2018 securityweek Incindent

Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced on Friday that it discovered the unauthorized access to images of checks stored electronically.

According to the company, it discovered last week that a third-party lockbox software program had been compromised, resulting in unauthorized users being able to view and copy images of checks stored electronically in the image archive. Frost Bank systems weren’t impacted in the incident, Frost says.

Customers can use lockbox services to send payments to a central post office box. The bank receives the payments and credits them directly to a business’s account.

The information that was accessed as part of the incident could be used to forge checks, the company says.

The company says it stopped the identified unauthorized access immediately after discovering it, and that it also launched an investigation into the matter. Frost says it is working with an unnamed cybersecurity firm to investigate the incident and that the law-enforcement authorities have been informed as well.

“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.

According to the company, the unauthorized access was limited to a software program serving around 470 commercial customers using the electronic lockbox. The fraction of impacted Frost customer base might experience forgeries on accounts or could be informed of compromised check images.


Oil and Gas Sector in Middle East Hit by Serious Security Incidents
21.3.2018 securityweek Incindent

Many oil and gas companies in the Middle East reported suffering at least one serious security incident in the past year, according to a study conducted by Ponemon Institute on behalf of German industrial giant Siemens.

Nearly 200 individuals responsible for overseeing cybersecurity risk in oil and gas companies in the Middle East have taken part in the study and the results show that many organizations are unprepared to address the risks faced by their operational technology (OT) networks.

According to Siemens, three-quarters of respondents said their organizations had suffered at least one security incident that resulted in disruption to operations in their OT environment or loss of confidential information in the past 12 months. Eleven percent of respondents said they had experienced more than 10 OT network intrusions, and nearly half believe they may not be aware of all breaches.Oil and gas industry in Middle East not prepared for cyberattacks

Roughly two-thirds of the individuals who took part in the survey believe the risk of attacks on industrial control systems (ICS) has increased considerably over the past few years, and 60 percent say there is a greater risk to OT environments compared to IT.

Outdated and ageing control systems pose a serious risk, according to 42 percent of respondents. The areas most at risk in Middle Eastern oil and gas companies are believed to be exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors.

While insider threats are the main concern, only 21 percent of respondents are concerned about malicious insiders, while 68 percent are more worried about the cybersecurity impact of careless employees.

Companies appear aware of the risks, but many of them are not prepared to deal with them. Less than half of respondents say they continually monitor their entire infrastructure, and only a quarter are confident in their ability to address security risks and allocate the resources necessary for addressing them. On average, companies have allocated only a third of their cybersecurity budget to protecting OT environments, the report shows.

Siemens says many organizations are still attempting to air gap their ICS environments in an effort to mitigate threats, but only 39 percent plan on hardening endpoints, and 20 percent plan on adopting analytics solutions over the next year.

Cyberattacks on oil and gas and petrochemical companies can have a devastating impact. Researchers discovered recently a piece of malware that leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS). The attack is said to have targeted a petrochemical company in Saudi Arabia and one of the main suspects is Iran. According to some reports, the attackers may have been trying to trigger a deadly explosion at the targeted plant.


Orbitz Data Breach Impacts 880,000 Payment Cards
21.3.2018 securityweek Incindent

Expedia-owned travel website Orbitz announced on Tuesday that it has discovered and addressed a data security incident affecting hundreds of thousands of users.

In a statement provided to SecurityWeek and other news websites, Orbitz revealed that malicious actors apparently gained access to a legacy platform between October 1 and December 22, 2017. The attackers may have stolen personal and financial data from this platform, which stored both consumer and business partner information.

The breach was discovered on March 1 following an investigation conducted by Orbitz. The company said in contracted forensic investigation and other cybersecurity experts to help it analyze the incident and eliminate vulnerabilities. Law enforcement has also been notified.

Orbitz has highlighted that the hackers targeted a legacy platform and there is no evidence that the current Orbitz.com website is affected.

The investigation showed that the attackers may have accessed personal information submitted by consumers who made certain purchases between January 1 and June 22, 2016. Information on Orbitz partners who made purchases between January 1, 2016 and December 22, 2017 may have also been stolen.

The exposed information includes full name, gender, date of birth, phone number, email address, physical and billing address, and payment card data. The company said the breach impacted roughly 880,000 payment cards.

There is no evidence that passport and travel itinerary information has been compromised, and Orbitz does not store social security numbers (SSNs) for customers in the United States.

“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” Orbitz stated.

“Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused,” the company added.

Potentially impacted customers can obtain more information by calling 1-855-828-3959 (toll-free in the U.S.) or 1-512-201-2214 (international), or by visiting orbitz.allclearid.com.

Orbitz.com is used by millions of people to search for and book hotels, flights, cruises, cars and other vacation-related activities. The company was acquired by Expedia in 2015 for $1.6 billion.


Frost Bank announced it has suffered a data breach that exposed check images
21.3.2018 securityaffairs  Incindent
On Friday, Frost Bank announced that it has suffered a data breach that exposed check images, crooks could use them to forge checks.
Frost Bank announced on Friday that it has suffered a data breach that exposed check images.

The bank is a subsidiary of Cullen/Frost Bankers, Inc., its staff discovered an unauthorized access to its systems containing images of checks.

Attackers compromised a third-party lockbox software program, in this way they were able to access the images of checks stored electronically in the database.

“In March 2018, Frost detected unauthorized access into a third-party lockbox software program that allowed unauthorized users to view and copy images of checks stored electronically in the image archive.” reads the security advisory published by the company.

“The identified incident did not impact other Frost systems. We have stopped the unauthorized access, and have reported the incident to and are cooperating with law-enforcement authorities.”

The lockbox services are normally used by customers to send payments to a central post office box, once the bank will receive the payments it will credit them to a business’s account.

According to Frost Bank, its systems weren’t impacted by the security breach.

The bad news is that crooks once obtained the images could use them to forge checks.

“Information from the accessed images can be used to forge checks.” continues the advisory.

Frost Bank

According to Frost Bank, the unauthorized access was limited to one software program serving about 470 commercial customers who use the electronic lockbox,

The company confirmed it stopped the identified unauthorized access once discovered the breach.

Law enforcement is investigating the case, while Frost Bank hired an unnamed cybersecurity firm to investigate the security breach,

“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.


Expedia-owned travel website Orbitz says 880,000 payment cards hit in data breach
21.3.2018 securityaffairs  Incindent
Orbitz, the travel website owned by Expedia announced on Tuesday that it has suffered a security breach that affected hundreds of thousands of users.
Orbitz.com has millions of users, it was acquired by Expedia in 2015 for $1.6 billion.

Orbitz confirmed that attackers gained access to a legacy platform between October 1 and December 22, 2017, and stole personal and financial data belonging to consumers and business partners.

The exposed data includes full name, date of birth, gender, phone number, email address, physical and billing address, and payment card data. According to Orbitz, the security breach affected roughly 880,000 payment cards.

There is no evidence that the current Orbitz.com website is affected, passport and travel itinerary information were not exposed in the incident.

The company discovered the breach on March 1 following an internal investigation, Orbitz hired security experts to investigate the issue and identify the flaws exploited by hackers.

The company also notified the incident to the law enforcement that is investigating the case too.

According to the investigators, the hackers may have accessed personal information of customers that made certain purchases between January 1 and June 22, 2016.

orbitz

Attackers may have obtained information on Orbitz partners who made purchases between January 1, 2016, and December 22, 2017.

“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” reads the statement issued by the company.

“Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused,”

Customers can contact the firm by calling 1-855-828-3959 (toll-free in the U.S.) or 1-512-201-2214 (international), or by visiting the website orbitz.allclearid.com.

Expedia’s shares fell as much as 1.9 percent to $108.99.

This is the last incident in order of time that affected the travel sector, other companies that suffered security breaches are the hotel chain InterContinental Hotels Group Plc and Hyatt Hotels Corp in 2017.


Unsecured AWS S3 bucket managed by Walmart jewelry partner exposes data of 1.3M customers
18.3.2018 securityaffairs Incindent

An unsecured Amazon S3 bucket, managed by a Walmart jewelry partner MBM Company Inc, left personal and contact information of 1.3 million customers exposed to the public internet.
A new case of an Amazon S3 bucket left open online, this time personal data belonging to 1.3 million customers of Walmart jewelry partner MBM Company have been exposed.

Experts at Kromtech Security discovered in February an Amazon S3 bucket named “walmartsql” containing an MSSQL database backup, named MBMWEB_backup_2018_01_13_003008_2864410.bak. The name suggests that the backup may have been public since January 13, 2018, some of the records included in the archive are dated back 2000.

The archive contained names, addresses, zip codes, phone numbers, e-mail addresses, IP addresses, and, most also plain text passwords of MBM Company. The archive contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders.

“On February 6th, 2018 researchers at Kromtech security came across another publicly accessible Amazon s3 bucket. This one contained a MSSQL database backup, which was found to hold the personal information, including names, addresses, zip codes, phone numbers, e-mail addresses, ip addresses, and, most shockingly, plain text passwords, for shopping accounts of over 1.3 million people (1,314,193 to be exact) throughout the US and Canada.” reads a blog post published by Kromtech.

“At first glance the data appeared to belong to Walmart as the storage bucket was named ‘walmartsql’, but upon further investigation by Kromtech researchers it was discovered that the MSSQL database backup inside actually belonged to MBM Company Inc., a jewelry company based in Chicago, IL, which operates mainly under the name Limogés Jewelry.”

Walmart jewelry partner MBM Company Inc data leak

This is another case of poor security, the IT staff that was managing the archive left the backup exposed online through an unsecured Amazon S3 bucket, and they did not adopt any further measure to protect information stored in the database.

“Passwords were stored in the plain text, which is great negligence, taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.” said Bob Diachenko, head of communications for Kromtech.

Kromtech experts notified Walmart of the public Amazon S3 bucket, the company promptly secured the storage bucket but was unable to comment on MBM Company Inc.


Time of death? A therapeutic postmortem of connected medicine
18.3.2018 Kaspersky Incindent

#TheSAS2017 presentation: Smart Medicine Breaches Its “First Do No Harm” Principle

At last year’s Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The numbers of medical data breaches and leaks are increasing. According to public data, this year is no exception.

For a year we have been observing how cybercriminals encrypt medical data and demand a ransom for it. How they penetrate medical networks and exfiltrate medical information, and how they find medical data on publicly available medical resources.

The number of medical data breaches and leaks per year (source: HIPAA Journal)

Opened doors in medical networks
To find a potential entry point into medical infrastructure, we extract the IP ranges of all organizations that have the keywords “medic”, “clinic”, “hospit”, “surgery” and “healthcare” in the organization’s name, then we start the masscan (port scanner) and parse the specialized search engines (like Shodan and Censys) for publicly available resources of these organizations.

Masscan report extract

Of course, medical perimeters contain a lot of trivial opened ports and services: like web-server, DNS-server, mail-server etc. And you know that’s just the tip of the iceberg. The most interesting part is the non-trivial ports. We left out trivial services, because as we mentioned in our previous article those services are out of date and need to be patched. For example, the web applications of electronic medical records that we found on the perimeters in most cases were out of date.

The most popular ports are the tip of the iceberg. The most interesting part is the non-trivial ports.

The most popular opened ports on medical perimeters (18,723 live hosts; 27,716 opened ports)

Using ZTag tool and Censys, we identify what kinds of services are hidden behind these ports. If you try to look deeper in the embedded tag you will see different stuff: for example printers, SCADA-type systems, NAS etc.

Top services on medical network perimeters

Excluding these trivial things, we found Building Management systems that out of date. Devices using the Niagara Fox protocol usually operate on TCP ports 1911 and 4911. They allow us to gather information remotely from them, such as application name, Java version, host OS, time zone, local IP address, and software versions involved in the stack.

Example of extracted information about Niagara Fox service

Or printers that have a web interface without an authentication request. The dashboard available online and allows you to get information about internal Wi-Fi networks or, probably, it allows you to get info about documents that appeared in “Job Storage” logs.

Shodan told us that some medical organizations have an opened port 2000. It’s a smart kettle. We don’t know why, but this model of kettle is very popular in medical organizations. And they have publicly available information about a vulnerability that allows a connection to the kettle to be established using a simple pass and to extract info about the current Wi-Fi connection.

Medical infrastructure has a lot of medical devices, some of them portable. And devices like spirometers or blood pressure monitors support the MQTT protocol to communicate with other devices directly. One of the main components of the MQTT communication – brokers (see here for detailed information about components) are available through the Internet and, as a result, we can find some medical devices online.

Not only Smart Home components, but also medical devices are available via MQTT Spirometer

Threats that affect medical networks
OK, now we know how they get in. But what’s next? Do they search for personal data, or want to get some money with a ransom or maybe something else? Money? It’s possible… anything is possible. Let’s take a look at some numbers that we collected during 2017.

The statistics are a bit worrying. More than 60% of medical organizations had some kind of malware on their servers or computers. The good news is that if we count something here, it means we’ve deleted malware in the system.

Attacks detected in medical organizations, 2017

And there’s something even more interesting – organizations closely connected to hospitals, clinics and doctors, i.e. the pharmaceutical industry. Here we see even more attacks. The pharmaceutical industry means “money”, so it’s another titbit for attackers.

Attacks detected in pharmaceutical organizations, 2017

Let’s return to our patients. Where are all these attacked hospitals and clinics? Ok, here we the numbers are relative: we divided the number of devices in medical organizations in the country with our AV by the number of devices where we detected malicious code. The TOP 3 were the Philippines, Venezuela and Thailand. Japan, Saudi Arabia and Mexico took the last three spots in the TOP 15.

So the chances of being attacked really depend on how much money the government spends on cybersecurity in the public sector and the level of cybersecurity awareness.

Attacked devices in medical organizations, TOP 15 countries

In the pharmaceutical industry we have a completely different picture. First place belongs to Bangladesh. I googled this topic and now the stats look absolutely ok to me. Bangladesh exports meds to Europe. In Morocco big pharma accounts for 14% of GDP. India, too, is in the list, and even some European countries are featured.

Attacked devices in pharmaceutical organizations, TOP 15 countries

On one in ten devices and in more than 25% of medical and 10% of pharmaceutical companies we detected hacktools: pentesting tools like Mimikatz, Meterpreter, tweaked remote administration kits, and so on.

Which means that either medical organizations are very mature in terms of cybersecurity and perform constant audits of their own infrastructure using red teams and professional pentesters, or, more likely, their networks are infested with hackers.

Hacktools: Powerpreter, Meterpreter, Remote admin, etc.

APT
Our research showed that APT actors are interested in information from pharmaceutical organizations. We were able to identify victims in South East Asia, or more precisely, in Vietnam and Bangladesh. The criminals had targeted servers and used the infamous PlugX malware or Cobalt Strike to exfiltrate data.

PlugX RAT, used by Chinese-speaking APT actors, allows criminals to perform various malicious operations on a system without the user’s knowledge or authorization, including but not limited to copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as well as Cobalt Strike, is used by cybercriminals to discreetly steal and collect sensitive or profitable information. During our research we were unable to track the initial attack vectors, but there are signs that they could be attacks exploiting vulnerable software on servers.

Taking into account the fact that hackers placed their implants on the servers of pharmaceutical companies, we can assume they are after intellectual property or business plans.

How to live with it
Remove all nodes that process medical data from public
Periodically update your installed software and remove unwanted applications
Refrain from connecting expensive equipment to the main LAN of your organization


Mossack Fonseca law firm shuts down operations 2 years after Panama Papers
16.3.2018 securityaffairs Incindent

News of the day is that the Mossack Fonseca law firm would shut down operations due to the reputational damage caused by the Panama Papers security breach.
The Panama Papers is a huge trove of strictly confidential documents from the Panamanian law firm Mossack Fonseca that was leaked online on April 3, 2016.

The Panama Leaks were acquired from a confidential resource by the German paper Süddeutsche Zeitung, which discussed them with the International Consortium of Investigative Reporters (ICIJ). The ICIJ after that discussed them with a huge network of worldwide companions, consisting of the Guardian as well as the BBC.

The entire archive of the firm contains more than 11.5 Million files including 2.6 Terabytes of data related the activities of offshore shell companies used by the most powerful people around the world, including 72 current and former heads of state.

Law enforcement worldwide launched investigations into possible tax evasion and money laundering that might have involved their citizens.

“Last month, Panamanian prosecutors raided the offices of Mossack Fonseca, seeking possible links to Brazilian engineering company Odebrecht. The Brazilian construction firm has admitted to bribing officials in Panama and other countries to obtain contracts in the region between 2010 and 2014.” reported CNBC.

“Ramon Fonseca, a partner at Mossack Fonseca, denied last month that his firm had a connection to Odebrecht, while accusing Panamanian President Juan Carlos Varela of directly receiving money from Odebrecht, Latin America’s largest engineering company.”

News of the day is that the company would shut down operations due to the reputational damage caused by the security breach.

“Reputational deterioration, the media campaign, the financial consequences and irregular actions by some Panamanian authorities have caused irreparable damage, resulting in the total ceasing of public operations at the end of this month,” Mossack Fonseca said in a statement.

The company will maintain a smaller group of employees to address requests from authorities and other public and private groups.

As consequence of the incident, the firm had closed most of its offices abroad, but the security breach has also a severe impact on some illustrious customers of the firm.

The Panama Papers case exposed the offshore activities of hundreds of politicians and public figures around the world, including Vladimir Putin and Iceland’s prime minister David Gunnlaugsson. Gunnlaugsson was forced to resign after it was revealed his family had offshore accounts.

The former Pakistani prime minister Nawaz Sharif was disqualified for life from office for similar reasons.

Panama Papers


'Panama Papers' Law Firm Shuts Down Operations
15.3.2018 securityweek Incindent

The law firm at the heart of the "Panama Papers" global tax evasion scandal that brought down two world leaders announced Wednesday it would shut down operations, citing negative press and what it called unwarranted action by authorities.

"Reputational deterioration, the media campaign, the financial consequences and irregular actions by some Panamanian authorities have caused irreparable damage, resulting in the total ceasing of public operations at the end of this month," Mossack Fonseca said in a statement.

But it added a smaller group would continue working to address requests from authorities and other public and private groups.

Last August, co-founder Jurgen Mossack acknowledged the firm had closed most of its offices abroad after its damaged credibility caused business to flounder.

Related: Panama Papers - Massive Data Leak Exposes Corrupt World Leaders and Tax Havens

April 3, 2016 marked the beginning of the "Panama Papers" scandal -- a leak of 11.5 million files from Mossack Fonseca's digital archive that revealed how wealthy and influential figures across the world had created offshore businesses to safeguard assets.

The information was obtained by German newspaper Sueddeutsche Zeitung, who shared it with the International Consortium of Investigative Journalists. It was released as a searchable database, with revelations continuing to be unearthed to this day.

Icelandic prime minister Sigmundur David Gunnlaugsson was forced to resign after it was revealed his family had offshore accounts -- while former Pakistani prime minister Nawaz Sharif was disqualified for life from office after being implicated in the documents.

Other figures implicated included former British premier David Cameron, football star Lionel Messi, Argentina's President Mauricio Macri, Spanish filmmaker Pedro Almodovar, to name but a few.

At least 150 investigations were opened in 79 countries to examine possible tax evasion and money laundering, according to the US-based Center for Public Integrity.


U.S. Energy Firm Fined $2.7 Million Over Data Security Incident
14.3.2018 securityweek Incindent

An energy firm in the United States has been fined $2.7 million over a data security incident that resulted in the exposure of critical cyber assets.

The North American Electric Reliability Corporation (NERC) revealed last month that an unnamed power company had agreed to pay the massive penalty and take action to avoid future leaks.

The affected entity has not been named, but the penalty notice published by NERC provides some details about the incident and clarifies that while the energy firm agreed to pay the fine, it neither admitted nor denied violating Critical Infrastructure Protection (CIP) NERC reliability standards.

The incident, which has been assigned a risk rating of “serious,” involved a third-party contractor that improperly copied data from the energy firm to its own network. Despite receiving training, the contractor failed to comply with the company’s information protection program.

A security researcher discovered that the contractor allowed anyone to access the data without a username or password. According to NERC, more than 30,000 records were exposed, including critical cyber assets (CCAs), IP addresses, and server host names. The information was available online for 70 days.

E&E News, which first reported on the fine, pointed out that one suspect is Pacific Gas and Electric (PG&E), a California-based natural gas and electric utility that exposed a lot of information back in 2016.

Researcher Chris Vickery, who at the time worked for MacKeeper, discovered a misconfigured database containing information on 47,000 computers, servers, virtual machines and other devices. PG&E initially said the data was fake, but later admitted that a vendor had exposed its records.

Many of the details mentioned in the NERC document match the PG&E incident. Vickery told E&E that PG&E had him delete the data and sign an affidavit, which is exactly what the NERC document describes.

SecurityWeek has reached out to PG&E for comment and will update this article if the company responds.

Following the significant cyberattacks that hit Ukraine a few years ago, the energy sector in the United States has been taking steps to prevent such incidents. The U.S. Energy Department announced recently its intention to invest over $20 million in cybersecurity projects, and the launch of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER).

The Federal Energy Regulatory Commission (FERC) also recently proposed new cyber security management controls designed to enhance the reliability and resilience of the nation’s bulk electric system.

A bill introduced last year by senators, the “Securing Energy Infrastructure Act,” aims to establish a pilot program to identify vulnerabilities in the energy sector. The bill, which according to Nextgov recently passed the Senate Committee on Energy and Natural Resources, focuses on the development and deployment of protections for industrial control systems (ICS), particularly through analog and non-digital control systems, and physical controls.


Former Equifax CIO Charged With Insider Trading
14.3.2018 securityweek Incindent

The United States Securities and Exchange Commission (SEC) said it has charged Jun Ying, former chief information officer (CIO) of a business unit of Equifax, with insider trading in connection with the massive data breach disclosed in late 2017 that put millions of customers at risk.

The SEC alleges that before Equifax’s public disclosure of the breach in September 2017, Ying exercised all of his vested Equifax stock options and then sold the shares, taking proceeds of roughly $1 million.

By selling his shares before public disclosure of the data breach, Ying avoided more than $117,000 in losses, the SEC says.

According to the SEC’s complaint, Jun Ying, who reportedly was next in line to be the company’s global CIO, allegedly used confidential information provided to him by the company to conclude that Equifax had suffered a serious breach that exposed sensitive personal information of more than 148 million U.S. customers.

The Atlanta-based company has been under fire for not explaining why it waited more than a month to warn affected customers about a risk of identity theft and fraud. Questions were also raised after four Equifax executives sold stock worth $1.8 million just prior to public disclosure of the hack. Equifax claimed that the execs had been unaware of the breach when they sold shares.

“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta Regional Office. “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”

Ying has been charged with violating the antifraud provisions of the federal securities laws and seeks repayment of ill-gotten gains plus interest, penalties, and injunctive relief.

“Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities," Interim Chief Executive Officer, Paulino Do Rego Barros, Jr., said in a statement in response to the charges announced against Ying. "We are fully cooperating with the DOJ and the SEC, and will continue to do so."

Late last month, the SEC announced updated guidance on how public companies should handle the investigation and disclosure of data breaches and other cybersecurity incidents, suggesting that executives should refrain from trading securities while in possession of non-public information regarding a significant cybersecurity incident.

The SEC itself admitted last year that it was the victim of a cyberattack in 2016 that may have allowed hackers to profit through trading on non-public information obtained from its EDGAR filing system.


CCleaner Incident Investigation Reveals Possible Stage 3 Payload
8.3.2018 securityweek Incindent

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The investigation into the September 2017 CCleaner incident has revealed what appears to be a stage three payload that attackers supposedly intended to deliver to infected users.

The attack was disclosed on September 18, when security firm Avast revealed that 2.27 million users worldwide had downloaded an infected CCleaner installation file between August 15 and September 12. Hackers had added a backdoor to the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases, Avast revealed.

What led to this was the compromise of the distribution servers of Piriform, the company developing CCleaner, in the months before Avast purchased the software firm. The code in the modified installers could collect non-sensitive information from the infected machines, and could also deliver a second stage binary.

This revealed that the incident was in fact a highly targeted attack, as the second-stage payload was delivered to only 40 computers out of the millions that downloaded stage one. While no stage three binary was found on the affected systems, Avast now says that the attackers, the Chinese hacking group Axiom (also known as APT17 or DeputyDog), apparently had plans to deliver such malware as well.

During its investigation of the Piriform infrastructure, the security firm discovered not only stage one and stage two binaries on the network, but also evidence of a third stage on four computers. Dubbed ShadowPad, this is a specialized tool that provides cybercriminals with remote control capabilities.

In an August 2017 report, Kaspersky revealed that the ShadowPad backdoor was found in NetSarang’s products, which are used by hundreds of companies in the financial, software, media, energy, electronics, insurance, industrial, construction, manufacturing, retail, telecoms, pharmaceutical, and transportation sectors.

“The tool was installed on the four Piriform computers on April 13h, 2017, while the preliminary version of the second stage had been installed on the computers March 12th, 2017,” Avast says.

The command and control (C&C) server the older second stage variant was attempting to connect to was no longer up during the investigation and the researchers don’t know exactly what it was supposed to download. However, given the timeline of events, they assume that it “had downloaded and installed ShadowPad on the four Piriform computers.”

The fact that ShadowPad is believed to have been developed by the Axiom group, the same actor behind the CCleaner attack, is also a strong indicator that this malware was intended to become the third stage payload, Avast says.

The ShadowPad version used in the attack was custom-built, leading investigators to suspect it was explicitly created for Piriform.

The security firm also discovered ShadowPad log files containing encrypted key strokes from a keylogger that became active on the infected machines on March 12, 2017. Other tools were also installed on the four computers, including a password stealer, along with tools that could install more software and plugins on the infected machines.

“While ShadowPad was installed on the Piriform network itself and, as far as we can tell through our investigations today, not on any of the CCleaner customers’ computers, we believe that this tool was the intended third stage for the CCleaner customers,” Avast says.

The second-stage malware deployed to only 40 computers of the millions that downloaded the infected CCleaner versions, but Avast couldn’t determine whether the third stage payload was meant for all of them or only a few, if any.


Report Highlights Challenges of Incident Response
23.2.2018 securityweek Incindent

False Positives Lead to a Surprising Number of Incident Response Investigations

Helsinki, Finland-based security firm F-Secure has analyzed a random sample of incident response investigations conducted by its security consultants. The resulting report (PDF) cannot be considered a scientific analysis of incident response, but nevertheless provides useful observations.

Some of these observations could be expected; others are perhaps surprising. For example, successful attacks are fairly evenly split between opportunistic and targeted, F-Secure found. Since there are far more opportunistic attacks fueled by mass spam and phishing campaigns, the implication is that targeted attacks are, pro rata, very successful.

Within the industry sectors included in the analysis, there are interesting distinctions. For example, successful attacks against the financial and manufacturing sectors are evenly distributed between opportunistic and targeted. Successful attacks against the gaming and public sectors were (within the confines of this report) always targeted; but such attacks against the insurance, media and telecom sectors are always opportunistic.

It would be interesting to conjecture why this might be so. For example, gaming is almost continuously under one form or another of attack, while the public sector is highly regulated. It would be tempting to suggest that a solid security posture can effectively eliminate most opportunistic attacks.

The report notes that targeted attacks use social engineering to a greater extent than opportunistic attacks. This suggests that an important defense against targeted attacks will be user security awareness training.

Opportunistic attacks, however, are more likely to focus on external technology exploits via internet facing services.

"Opportunistic attacks," say the report's authors, "are often initiated with cost-effective target selection techniques, such as mass scanning the internet and attacking a vulnerable service when a new exploit comes out. This can be done in a matter of minutes using tools readily available on the internet." The implication here is that an effective early patching regime will reduce the success of opportunistic attacks.

Another surprise is the high number of insider-instigated successful attacks. While 'internet exploits' tops the list at 21%, this is closely followed by insiders at 20%. Malicious e-mail attachments and phishing attacks (often considered to be the major threats) are at 18% and 16% respectively.

However, one of the biggest surprises in this report is the number of incident response calls that are false positives. False positives are a common problem during network analysis and incident triaging, but it is surprising how many of these false positives result in a call to an incident response specialist firm like F-Secure.

Thirteen percent of F-Secure incident response investigations were false positives; that is, says the report, "were conducted due to IT problems or other issues being misunderstood as security incidents by the reporting organization."

This is nothing like the number of successful attacks that caused actual damage (79%), but more than the meager 8% of investigations into failed attacks.

These figures lead F-Secure to believe that many companies simply do not have adequate internal incident response capabilities, able to detect and stop an incident before it progresses. “Every incident response process begins with the same question: is it an incident? How fast a company can make that determination, how smooth and efficient their processes and procedures are, the quality of their forensics and technology, and how well-trained their staff is, defines the cost of the answer to that question,” says F-Secure principal security consultant Tom Van de Wiele. “Once an organization has the facts based on detection capabilities, and not rumors or assumptions, then the process can continue with the next step which is usually containment and eradication.”

In a related blog post, F-Secure's Adam Pilkey describes three incident response recommendations for companies. The first is that breach evidence can be found in the system logs. "You'll want to collect other evidence too, although exactly what will depend on your organization, infrastructure, threat model, and other factors."

The second is that a method of filtering the collected data will be necessary. Manually will be too time-intensive; and requires expensive expertise. As an example of the volumes to be expected, F-Secure's specialist sensors collected about 2 million events from one customer in one month. Correlation and analytics brought this number down to 25 genuinely suspicious events -- and manual analysis found they contained 15 actual threats.

The third requirement is knowing what to look for. "Anything out of the ordinary should be a potential concern," writes Pilkey. "You should also cross reference your logs against threat intelligence feeds to find any indicators of compromise (such as finding activity from known malicious IPs)."


119,000 Scanned IDs of FedEx-owned company Bongo International’s customers exposed online
17.2.2018 securityaffairs Incindent

Researchers discovered an Amazon S3 bucket contains personal information and scans of IDs of some 119,000 US and international citizens.
It has happened again, researchers discovered another unsecured Amazon S3 bucket holding a huge trove of data that was exposed online. The Amazon S3 bucket contains personal information and scans of IDs of some 119,000 US and international citizens, the discovered was made once again by Kromtech security experts earlier this month.

The data belongs to the FedEx-owned company Bongo International that provides support the online sales of North American retailers and brands to consumers in abroad. Bongo was acquired in 2014 by FedEx and was operating with the name FedEx Cross-Border International until it went out of the business in April 2017.

The AWS bucket contained more than 112,000 files, unencrypted information and ID scans of customers from many countries, including the US, Mexico, Canada, various EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia.

“Among other stuff, it contained more than 119 thousands of scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc. IDs were accompanied by scanned “Applications for Delivery of Mail Through Agent” forms (PS Form 1583) – which also contained names, home addresses, phone numbers and zip codes.” reads the blog post published by the company.

ZDNet analyzed the documents and found scans of drivers’ licenses, national ID cards, work ID cards, voting cards, utility bills, vehicle registration forms, medical insurance cards, firearms licences, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division.

“Among the exposed files, ZDNet confirmed drivers’ licenses, national ID cards, and work ID cards, voting cards, and utility bills. We also found resumes, vehicle registration forms, medical insurance cards, firearms licences, a few US military identification cards, and even a handful of credit cards that customers used to verify their identity with the FedEx division.” wrote Zack Whittaker on ZDNet.

“One identity card, when we checked, revealed the details of a senior official at the Netherlands’ Ministry of Defense.”

It seems that the Amazon S3 bucket includes data related to anybody who used Bongo International services between 2009 and 2012 and the bad news is that it has been available for public access for many years. As said, FexEx bought the company in 2014, it is likely it was not aware of the data leak at the time of the acquisition.

Amazon S3 bucket

Kromtech tried to contact FedEx without success, the company removed the S3 bucket only after its existence was publicly disclosed.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” said FedEx spokesperson Jim McCluskey. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”

In October 2017, the Kromtech Security Center released a free scan tool that could allow admins to identify and secure Amazon S3 Buckets belonging to their organizations.

Let me suggest reading the guide published by the company to explain how to secure Amazon S3 buckets.


New details emerge from Equifax breach, the hack is worse than previously thought
13.2.2018 securityaffairs Incindent

New documents provided by Equifax to senators revealed that the security breach suffered by the firm involved additional data for some customers.
In 2017 Equifax confirmed it has suffered a massive data breach, cyber criminals stole sensitive personal records of 145 million belonging to US citizens and hundreds of thousands Canada and in the UK.

Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.

The vulnerability was fixed back in March, but the company did not update its systems, the thesis was also reported by an Apache spokeswoman to the Reuters agency.

Compromised records include names, social security numbers, birth dates, home addresses, credit-score dispute forms, and for some users also the credit card numbers and driver license numbers.

Now experts argue the Equifax hack is worse than previously thought, according to documents provided by Equifax to the US Senate Banking Committee the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.

This means that crooks have all necessary data to arrange any king of fraud by steal victims’ identities.

Equifax data breach

“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” criticized Senator Elizabeth Warren (D-MA) who disclosed the documents.

Equifax pointed out that additional info exposed after the security breach are only related to a limit number of users.

Another curious thing to observe about the Equifax case, it that C-Level management was allowed to retire with multi-million dollar severance pays.

On Monday, the company announced Jamil Farshchi as its Chief Information Security Officer (CISO), he replaces Chief Security Officer Susan Mauldin, who retired from the company after the data breach was disclosed in late 2017.


Equifax Hires Former Home Depot Security Chief Jamil Farshchi as CISO
13.2.2018 securityweek  Incindent
Credit reporting agency Equifax announced on Monday that it has named Jamil Farshchi as its Chief Information Security Officer (CISO).

Farshchi replaces Equifax Chief Security Officer Susan Mauldin, who abruptly retired from the company after a massive data breach was disclosed in late 2017.

Farshchi previously served as CISO at The Home Depot, where he was hired in March 2015 after Home Depot suffered a massive data breach. Before Farshchi took the reigns as CISO at the home improvemt company, cybercriminals managed to steal email addresses and payment card data belonging to more than 56 million Home Depot customers in 2014.

According to Equifax, Farshchi will be based in Atlanta and assume “company-wide leadership of work already underway to transform the company's information security program, and collaborate with the industry to share best practices on information security.”

He will report to the Chief Executive Officer, the company said.

"Jamil has a reputation for helping enterprises rebuild and fortify information security programs,” Paulino do Rego Barros, Jr., interim Chief Executive Officer at Equifax, said in a statement. “His expertise in risk intelligence and cybersecurity combined with his intimate knowledge of industry best practices will allow us to design and deploy a best-in-class, global security strategy to re-establish ourselves as a trusted leader."

Prior to his role at The Home Depot, Farshchi was the first Global CISO at Time Warner. Before that, he was the Vice President of Global Information Security at Visa. Farshchi has also held senior roles at Los Alamos National Laboratory, Sitel Corporation, Nextwave Broadband, and NASA.

He holds a master's degree from the University of Pennsylvania’s Wharton Business School and a bachelor's degree in Business Administration from the University of Oklahoma.

"Equifax is a company with tremendous potential, and I am confident that we will transform our security program into one of the most advanced and recognized globally," said Farshchi. "I am grateful for this new challenge and am looking forward to enabling the business with new insights, a fresh perspective, and a multi-dimensional way of thinking about global data stewardship and information security."

In September 2017, Equifax revealed that hackers had accessed its systems between mid-May and late July 2017. The company eventually said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom – including their social security numbers, dates of birth, addresses, and in some cases driver’s license numbers, payment cards, and dispute documents.

Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.


Equifax Hires Former Home Depot Security Chief Jamil Farshchi as CISO
13.2.2018 securityweek  Incindent
Credit reporting agency Equifax announced on Monday that it has named Jamil Farshchi as its Chief Information Security Officer (CISO).

Farshchi replaces Equifax Chief Security Officer Susan Mauldin, who abruptly retired from the company after a massive data breach was disclosed in late 2017.

Farshchi previously served as CISO at The Home Depot, where he was hired in March 2015 after Home Depot suffered a massive data breach. Before Farshchi took the reigns as CISO at the home improvemt company, cybercriminals managed to steal email addresses and payment card data belonging to more than 56 million Home Depot customers in 2014.

According to Equifax, Farshchi will be based in Atlanta and assume “company-wide leadership of work already underway to transform the company's information security program, and collaborate with the industry to share best practices on information security.”

He will report to the Chief Executive Officer, the company said.

"Jamil has a reputation for helping enterprises rebuild and fortify information security programs,” Paulino do Rego Barros, Jr., interim Chief Executive Officer at Equifax, said in a statement. “His expertise in risk intelligence and cybersecurity combined with his intimate knowledge of industry best practices will allow us to design and deploy a best-in-class, global security strategy to re-establish ourselves as a trusted leader."

Prior to his role at The Home Depot, Farshchi was the first Global CISO at Time Warner. Before that, he was the Vice President of Global Information Security at Visa. Farshchi has also held senior roles at Los Alamos National Laboratory, Sitel Corporation, Nextwave Broadband, and NASA.

He holds a master's degree from the University of Pennsylvania’s Wharton Business School and a bachelor's degree in Business Administration from the University of Oklahoma.

"Equifax is a company with tremendous potential, and I am confident that we will transform our security program into one of the most advanced and recognized globally," said Farshchi. "I am grateful for this new challenge and am looking forward to enabling the business with new insights, a fresh perspective, and a multi-dimensional way of thinking about global data stewardship and information security."

In September 2017, Equifax revealed that hackers had accessed its systems between mid-May and late July 2017. The company eventually said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom – including their social security numbers, dates of birth, addresses, and in some cases driver’s license numbers, payment cards, and dispute documents.

Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.


Thousands More Personal Records Exposed via Misconfigurations

12.2.2018 securityweek Incindent
Two more misconfigured databases exposing the personal details of thousands of people were disclosed late last week.

The Maryland Joint Insurance Association (MDJIA, with offices in Ellicott City, MD) left internet access to a data repository of customer files containing information such as customer names, addresses, phone numbers, birth dates, and full Social Security numbers; together with financial data such as check images, full bank account numbers, and insurance policy numbers. Also exposed were MDJIA access credentials for ISO ClaimSearch, a third-party insurance database containing ‘tens of millions of reports on individual insurance claims’ for industry professionals. The problem was a NAS server with an open port 9000.

Paris-based Octoly, a brand marketing firm, left open internet access to an AWS S3 bucket. This contained details of its IT operations, including sensitive personal details of more than 12,000 social media influencers used in its marketing campaigns. The details include the real names, addresses, phone numbers, email addresses – including those specified for use with PayPal – and birth dates, together with thousands of hashed passwords.

Both misconfigurations were discovered by Chris Vickery, the director of cyber risk research at UpGuard. Researcher Vickery has discovered numerous misconfigurations providing open access to sensitive, often personal, information over the last few years. Examples include details of 191 million U.S. voters, nearly 1.4 billion user records exposed by known spammers, and sensitive military data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) left exposed by contractor Booz Allen Hamilton.

None of these misconfigurations require any hacking effort or skill to exploit, merely a computer with internet access. If a white hat researcher such as Vickery can find them, potentially any malicious actor could also find them with disastrous results. The question then is, why do misconfigurations, rated #6 in the OWASP top ten threats list, happen so frequently – and what should organizations do to prevent them?

Bryce Carlen; CIO at Washington State Department of Commerce, notes that MDJIA is a small organization with minimal – if any – dedicated IT staff. He warns that there may be many more small organizations in a similar position. “If this is as small an organization as it appears to be, then all of this is no real surprise. If you only have the budget for one or two IT staff or contractors, it's likely you're not going to have dedicated security staff or deep security expertise in the generalists you have working for you.” The problem, he added, is that small organizations don't understand the risks until after a cybersecurity event, because protecting data is not part of the core business based around using that data.

The Octoly incident is similar to many other examples of exposed AWS S3 buckets. “Every time I look at the AWS control panel, it seems like there are new services available, each of which comes with new settings and configuration switches. It's especially tough when you layer that on top of the constantly evolving job of securing your on-prem environment against shifting threats,” Carlen said.

He fears that the cloud is simply increasing 'security fatigue', leading to simple errors. “It's one of the things that frightens me about the cloud. There are a bunch of what appear to be otherwise competent organizations making a big mess with cloud configuration settings.”

Randy Potts, information security leader at Real Time Resolutions, Inc, believes the problem is still a missing 'culture of security' in many organizations. “Both of these incidents [last week] happened because the person that deployed them did not think about the bad actors. They only think about giving access to the people that need it, not preventing access from those that should not have it.”

He believes that it is the continuing point of tension between IT and information security. “IT is measured by uptime and functionality, but information security is measured by controlling access to data. From the IT perspective, information security risks breaking access and harming functionality.” He believes that IT personnel need to understand security better: “They need to respect that while not taking that extra step may save time now, it can have a serious impact to the organization later.”

But the problem goes beyond just IT and security into the entire corporate culture; that is, “the moral obligation that everyone handling sensitive information has to the people that correspond to that PII.” That includes the business owners as well as the IT staff and the security team.

This is a theme agreed by Graham Mann, managing director at CyberSpace Defence Ltd. “Management must shoulder their portion of the blame because they simply do not attach sufficient importance to security,” he says. He believes it is an area that can be addressed by legislation – indeed, it has already been addressed by the EU's General Data Protection Regulation (GDPR).

“GDPR specifically addresses the issues outlined in these so-called misconfiguration problems,” he told SecurityWeek; “and had Octoly happened five months later, they would now be facing a significant fine. Moreover, given the closeness of GDPR, it’s somewhat amazing that Octoly hasn't yet put measures in place to avoid such catastrophes.

“Misconfigurations are entirely feasible and easy to make when you are rushing to implement a device or making seemingly innocuous modifications to existing devices,” he continued. “Most IT administrators probably never consider the implications or consequences of making such errors. That’s why you need to consider the potential repercussions in advance (as specified in GDPR); you need to undertake a risk analysis on everything you do -- what could go wrong and what can we do to ensure any errors are mitigated. This is where management are critical: the involvement of security must be supported from above.”

Security researcher and consultant, Stewart Twynham, goes one step further. He believes the gaps between IT and security can be closed by treating both as aspects of corporate governance. “Professional IT people are under constant pressure to get things done, which is why security should be treated as a governance issue as well as an IT one,” he suggests. “Without those checks and balances (have we carried out the due diligence? do we fully understand the technology? do we understand the risks? do we have a process in place to continuously review what weíve set up?) mistakes like this will continue to happen.”

In short, misconfigurations will continue to occur while the pressure on IT to react instantly to business requirements goes unabated. Any alteration to the IT infrastructure should involve the security team before implementation. But this will require senior management to own the problem under an overarching corporate governance regime – and when that happens, misconfigurations will be less common.


New Details Surface on Equifax Breach
12.2.2018 securityweek Incindent
Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.

In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain unauthorized access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom – including their social security numbers, dates of birth, addresses, and in some cases driver’s license numbers, payment cards, and dispute documents.

Confidential documents sent by Equifax to the Senate Banking Committee, copies of which were seen by CNN and The Wall Street Journal, show that hackers may have also stolen tax identification numbers, email addresses, and driver’s license information other than just license numbers.

In response to news reports, Equifax said its initial disclosure was never intended to include all the types of information that may have been compromised.

U.S. Senator Elizabeth Warren has called on Equifax to provide clarifications on what she has described as “conflicting, confusing and incomplete information” provided by the company to the public and Congress.

According to Sen. Warren, Equifax told the Banking Committee in early October that passport numbers had also been included in the database tables possibly accessed by the attackers, but now the credit reporting agency claims passports were not compromised.

“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Sen. Warren wroten in a letter to Equifax.

The senator has given Equifax one week to provide a full and complete list of data elements confirmed or believed to have been compromised in the breach, along with a timeline of its efforts to determine the full extent of the intrusion.

Sen. Warren last week published a 15-page report containing the findings of her own four-month investigation into Equifax’s failures. The lawmaker’s investigation found that the company had set up a flawed system to prevent data security incidents, it ignored numerous warning of risks to customer data, it failed to disclose the breach to stakeholders in a timely manner, and provided inadequate assistance and information to consumers. The report also said Equifax had taken advantage of federal contracting loopholes to force the IRS into signing a contract.

Earlier this year, senators Warren and Mark Warner introduced a bill that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry for poor cybersecurity practices. The bill came in response to the Equifax breach.

Reuters reported earlier this month that Mick Mulvaney, the head of the Consumer Financial Protection Bureau (CFPB), had halted the probe into the Equifax breach. Following the news, 32 senators sent a letter CFPB asking for additional information on its investigation.


Swisscom data breach Hits 800,000 Customers, 10% of Swiss population
9.2.2018 securityaffairs Incindent

Swisscom data breach – Telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.
Swiss telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.

According to Swisscom, unauthorized parties gained access to data in Autumn, the attackers accessed the customers’ records using a sales partner’s credentials.

The security breach was discovered by Swisscom during a routine check, most of the exposed data are related to the mobile services subscribers.

“In autumn of 2017, unknown parties misappropriated the access rights of a sales partner, gaining unauthorised access to customers’ name, address, telephone number and date of birth. Under data protection law this data is classed as “non-sensitive”.” reads the press release issued by the company.

“Prompted by this incident, Swisscom has now also tightened security for this customer information. The data accessed included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers; contact details which, for the most part, are in the public domain or available from list brokers.”

Swisscom data breach

Exposed data includes names, physical addresses, phone numbers, and dates of birth, the telecom giant collects this type of data when customers subscribe an agreement.

It is not clear how the hackers obtained the credentials, the good news is that sales partners are allowed to access only information for customers’ identification and to manage contracts.

Swisscom highlighted that data accessed by the intruders are not considered sensitive under data protection laws, anyway, accessed info is a precious commodity in the criminal underground because crooks can use them to conduct phishing campaigns against the company’s customers.

Swisscom has reported the data breach to the Swiss Federal Data Protection and Information Commissioner (FDPIC).

“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident,” continues the press release.“Rigorous long-established security mechanisms are already in place in this case.”

After the Swisscom data breach, the company revoked the credentials used to access its systems and implemented tighter controls for partners.

Swisscom implemented a number of changes to improve its security, including:

Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access.
In the future, it will no longer be possible to run high-volume queries for all customer information in the systems.
In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners.
Customers are advised to report any suspicious calls or email.