The Week In Breach: August 22 to August 29 2018

A slow, but troubling week to say the least!  Phishing and compromised databases still rule the day. This Week in Breach highlights incidents involving a New York-based gaming developer, medical data held by a University, and the disclosure of sensitive data held by a popular babysitter application.

Is Breaking Bad?
A German company by the name of Breaking Security has been up in arms about the use of their legitimate software named Remcos (Remote Control and Surveillance). Remcos is used for managing Windows systems remotely and is increasingly being used by hackers for malicious attacks known as Remote Access Trojan (RAT). The question is, however… are they telling the truth? Researchers have uncovered that the product sold by the company is widely advertised on Dark Web hacking forums and it seems that not only does the organization know that this is happening, they are encouraging it. Breaking Security has strongly stated that any license linked to malicious hacking campaigns are revoked, yet still, many hacking campaigns continue to use the service.
https://www.darkreading.com/attacks-breaches/attackers-using-legitimate-remote-admin-tool-in-multiple-threat-campaigns/d/d-id/1332631

Not So Private Messages
In May, the popular live streaming service, Twitch, exposed user’s private messages because of a bug in their code. The Amazon subsidiary disabled the service, which allowed users to download an archive of past messages. When a user requested this archive, the game streaming company accidentally intertwined messages from other users. Twitch has come out and said that this only affected a limited number of users and has provided a link for customers to visit so they can find out if any of their messages were exposed and what the messages were.
https://www.bleepingcomputer.com/news/security/twitch-glitch-exposed-some-users-private-messages/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Augusta University
Exploit: Email compromise by phishing attacks.
Risk to Small Business: High: This is a significant breach in scale and severity, and due to the sensitive nature of the data compromised the organization will likely face heavy fines.
Individual Risk: Extreme: Individuals affected by this breach are at high risk for identity theft, as well as their medical information being sold on the Dark Web.
Augusta University: Georgia based healthcare network.
Date Occurred/Discovered: September 10, 2017 – July 11, 2018
Date Disclosed: August 20, 2018
Data Compromised:

  • Medical record numbers
  • Treatment information
  • Surgical details
  • Demographic information
  • Medical data
  • Diagnoses
  • Medications
  • Dates of services
  • Insurance information
  • Social Security numbers
  • Driver’s license numbers

Customers Impacted: 417,000
https://cyware.com/news/augusta-university-health-breach-exposes-personal-records-of-over-400k-patients-432de74e

https://www.augusta.edu/notice/message.php

United States – Animoto
Exploit: Undisclosed.
Risk to Small Business: High: A breach of customer trust, especially involving geolocation data, can be highly damaging to a company’s image.
Individual Risk: Moderate: Users affected by this breach are at a higher risk of spam and phishing.
Animoto: New York-based company that provides a cloud-based video-making service for social media sites.
Date Occurred/Discovered: July 10, 2018
Date Disclosed: August 2018
Data Compromised:  

  • Names
  • Dates of birth
  • User email addresses
  • Salted and hashed passwords
  • Geolocation

Customers Impacted: Unclear.
https://techcrunch.com/2018/08/20/animoto-hack-exposes-personal-information-geolocation-data/

United States – Sitter
Exploit: Exposed MongoDB database.
Risk to Small Business: High: Most customers would be uncomfortable with a company leaking data about their kids and when they are left alone with someone who doesn’t live there.
Individual Risk: High: A lot of sensitive personal information was exposed in this breach, much of it unsettling.
Sitter: An app that connects babysitters and parents.
Date Occurred/Discovered: August 14, 2018
Date Disclosed: August 14, 2018
Data Compromised:

  • Encrypted passwords
  • Number of children per family
  • User home addresses
  • Phone numbers
  • Users address book contacts
  • Partial payment card numbers
  • Past in-app chats
  • Details about sitting sessions
    • Locations
    • Times

Customers Impacted: 93,000.

https://www.linkedin.com/pulse/incident-report-no1-babysitter-application-exposure-bob-diachenko/

https://www.bleepingcomputer.com/news/security/mongodb-server-exposes-babysitting-apps-database/

Australia – Melbourne High School

Exploit: Negligence.
Risk to Small Business: Extreme: This is a major exposure of sensitive and potentially embarrassing information that could irreparably damage a company’s reputation.
Individual Risk: High: Those affected by the data breach have sensitive information about their personal medical information that is considered highly private and could leave them exposed to identity theft.
Melbourne High School: School in Melbourne.
Date Occurred/Discovered: August 20-22, 2018
Date Disclosed: August 22, 2018
Data Compromised:

  • Medical information
  • Mental health conditions
  • Learning behavioral difficulties

Customers Impacted: 300 students.
https://www.theguardian.com/australia-news/2018/aug/22/melbourne-student-health-records-posted-online-in-appalling-privacy-breach


 


Tick Tock.
The cost of cybercrime is no joke. This is easy to say from the perspective of someone whose business it is to know all about cybercrime trends, attack vectors, and yada, yada, yada.  But to really quantify how big of a problem cybercrime is in the world of business, it is often easier to compare it to day to day things… like a doctor explaining a complicated procedure or a mechanic telling you why your car is making that noise. So today I would like to compare the cost of cybercrime to the most universal understanding that there is… time.

The cost of cybercrime each minute globally: $1,138,888

The number of cybercrime victims each minute globally: 1,861

Number of records leaked globally each minute (from publicly disclosed incidents): 5,518

The number of new phishing domains each minute.21

As you can see, cybercrime buids by the minute.
https://www.darkreading.com/application-security/how-threats-increase-in-internet-time/d/d-id/1332629


Advertisements

This Week in Breach August 10 to August 17 2018

Dark Web Inforgraphic

This week we saw mobile apps making headlines. Tinder was used by a potential spy to unsuccessfully bait military secrets out of an airman and Snapchat’s source code was published on Github. The marketing campaign for the PGA championship has hit a speed bump in the form of a ransomware attack and an Australian hospital specializing in maternal health exposed treatments on the web.

Highlights from The Week in Breach:

  • Samsung Meets Meltdown
  • Snapchat Source Code
  • Think of the Children
  • The PGA is in the Sand Trap

In Other News:

Catfished
A hacker recently tried a new take on an old trick, utilizing the dating app Tinder in a honeypot scheme. The bad actor set out to steal military secrets from the British Royal Air Force, using a compromised RAF airwomen’s dating profile to try and trick a serviceman into revealing the details of the F-35 stealth fighter. The brand-new fighter is the result of a £9 billion project . China and Russia are eager to get their hands on any details they can about the plane. The airwomen realized almost immediately that her account was hacked and informed RAF, who was able to confirm that no information was disclosed, and the airman targeted was not connected to the F-35 program.
https://www.telegraph.co.uk/news/2018/08/05/honeytrap-hacker-attempted-steal-raf-fighter-jet-secrets-using/

Galaxy Meltdown
Samsung phones are not invulnerable to the microchip security flaw known as Meltdown as previously thought. Researchers at an Austrian University uncovered a way to exploit the vulnerability on the popular smartphone. The researchers plan on testing other phones in the future and believe that they will have similar results with other devices. With as much damage as Spectre exploits have done since its discovery, the same kind of exposure in smartphones could wreak havoc.
https://www.irishexaminer.com/breakingnews/business/samsung-galaxy-s7-phones-vulnerable-to-being-hacked-860965.html

Oh Snap!
A hacker got ahold of some of the source code for the popular photo-messaging service Snapchat, publishing the valuable code on Github. The hacker is believed to be from Pakistan and the code has since been taken down by the company. It is likely that the repo contained part of or all of their iOS app but because the code was removed from Github. There is no way to verify the amount of source code published. The validity of the source data is also questionable, but given Snapchats all-caps DMCA request, (seen below) it seems like there’s a good chance the code was the real deal.

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”
https://thenextweb.com/security/2018/08/07/hacker-swipes-snapchats-source-code-publishes-it-on-github/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


 

United States – The Professional Golfers’ Association (PGA)
Exploit: Ransomware.
Risk to Small Business: High: Ransomware is highly disruptive to any organization.
Individual Risk: High: Loss of data and possibly exfiltration of personal information can result from a ransomware attack.
The Professional Golfers Association: A golfing association that hosts the PGA Championship.
Date Occurred/Discovered: August 7, 2018
Date Disclosed: August 9, 2018
Data Compromised:

  • Creative material for the PGA Championship
    • Promotional banners
    • Logos
    • Digital signage
  • Creative material for the Ryder’s Cup in France
    • Abstracts of logos

Customers Impacted: With the PGA championship around the corner, this breach could affect golf fans all over the country.
https://cyware.com/news/pga-of-america-hit-by-ransomware-attack-days-before-championship-e16f53a7

Mexico – Hova Health
Exploit: Exposed the MongoDB database.
Risk to Small Business: High: Carelessness with customers’ sensitive data can cause irreparable damage to an organizations image.
Individual Risk: High: The information exposed on the internet could be used in identity theft.
Hova Health: Technology company that services the Mexican health care sector.
Date Occurred/Discovered: August 2018
Date Disclosed: August 7, 2018
Data Compromised:

  • Name
  • Gender
  • Date of birth
  • Insurance information
  • Disability status
  • Home address

Customers Impacted: 2 million individuals.
https://www.bleepingcomputer.com/news/security/health-care-data-of-2-million-people-in-mexico-exposed-online/

Australia – The Women’s and Children’s Hospital
Exploit: Negligence.
Risk to Small Business: High: The sensitive nature of the data exposed as well as the scope of the breach will cost the organization the trust of its customers and could possibly result in hefty fines.
Individual Risk: High: The data exposed by the organization could be extremely useful for bad actors to impersonate them, in addition to the high value of personal medical information on the Dark Web.
The Women’s and Children’s Hospital: An Adelaide based health care facility that provides treatment for women, babies and children.
Date Occurred/Discovered: Occurred over the last 13 years
Date Disclosed: August 6, 2018
Data Compromised:  

  • Names
  • Date of birth
  • Test results

Customers Impacted: 7,200 individuals.
https://cyware.com/news/7200-womens-and-childrens-hospital-patient-records-test-results-exposed-online-for-13-years-1d384ef4

United States – Comcast
Exploit: Web vulnerability.
Risk to Small Business: High: The loss of customer trust and the expense of providing identity monitoring for the affected individuals could damage any organization.
Individual Risk: High: Key data needed for identity theft was exposed.
Comcast: One of the United States largest cable providers.
Date Occurred/Discovered: August 2018
Date Disclosed: August 8, 2018
Data Compromised:

  • Social Security Numbers
  • Partial home addresses

Customers Impacted: 26.5 million individuals.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers



Go Phish.
Phishing emails have evolved far past the misspelled words and suspicious email addresses that most people use to help judge the validity of an email. The phishing email of today can look like an exact copy of the communications coming from the imitated company. With the constant PII saturation of dark web, personal details can be added to the phishing email to make it look even more convincing. The malicious emails will continue to get better and more refined, so how do you counter them? The best way to keep your organization safe is by training employees about social engineering attacks, encouraging employees to be skeptical of suspicious emails and to report them, and utilizing technologies such as an antivirus and simulated phishing awareness training and using constant credential monitoring with Dark Web ID™. A properly executed phishing email could result in a business’s operations suspended due to ransomware, the theft of IP or the exposure of customer data… so why wouldn’t any organization proactively get prepared?

The Week in Breach

spearphishing

Russian Dark Web
A reporter from The Guardian recently dove into a popular Russian Dark Web hacking forum known as FreeHacks, which aims to maximize efficiency in the attacks of its members and to disperse information on ‘quality’ hacking. On the surface it looks like any other forum, and (in essence) it is, with a twisted turn provided by the malicious nature of the subject matter. The categories of the forum are split into a wide variety of specific types of hacking and some ‘lifestyle’ forums as well.

Hacker news, humor, botnet, DDoS, programming, web development, malware and exploits, and security are examples of some of the topics discussed on the site. Some of the markets on the site include stolen credit cards, password cracking software, a clothing market to launder money, and a document market where members can buy passports and citizenships. The forum has about 5,000 active members and claims that a hacker is not a ‘computer burglar’ but rather ‘someone who likes to program and enjoy it.” Given the kind of information and marketplaces available on the site, this seems more like mental gymnastics rather than a nuanced examination of one’s own criminality. After passing the registration to get into the site, the reporter found step-by-step directions for finding someone’s physical address, among other nefarious ways to penetrate companies’ networks or to extort individuals.
https://www.theguardian.com/commentisfree/2018/jul/24/darknet-dark-web-hacking-forum-internet-safety

Gamer Recognize Game
The website for Kaiser Permanente was hijacked this week by hackers, defacing the site to include a variety of Game of Thrones quotes, which is a popular book series turned TV show. The American integrated care consortium based in Oakland, California had their pictures of happy healthy families on their front page replaced with a black screen and a declaration that a hacking group known as the faceless men was responsible for the act. The hacking group appears to be somewhat amateur in nature, and Turkish in origin. An investigation into the group’s members reveals that a few of the hackers listed are active Turkish gamers, which raises the question about how an organization that handles sensitive medical information was able to be hacked by a group of Turkish gamers with very little hacking experience. It is unclear whether any personal information has been accessed in the hack … the organization has declined to comment as of the writing of this Week in Breach.
https://www.databreaches.net/hear-me-roar-kaiser-permanente-site-defaced-by-got-fans/

Security > Convenience
More customers value security over convenience than professionals in the UK, according to a new study. 83% of customers prefer security, compared to only 60% of cybersecurity professionals. The study explores the reason for the disparity in the concern, citing organizations desire for frictionless customer experience as a reason for not having tight security. This could contribute to the UK scoring an unimpressive 56 out of 100 points on the Digital Trust Index which is one of the lowest in the world and 5 points lower than the global average. This disconnect is likely to continue in the future considering 88% of UK executives believe they are doing a good job protecting consumer data while over half of their organizations have been breached in the past year.
https://www.infosecurity-magazine.com/news/uk-consumers-prefer-security-to/

Hacking from The Inside
Across 5 different correctional facilities in Idaho, hundreds of inmates were able to add thousands of dollars’ worth of credits to their JPay accounts, which allows inmates to buy music or send emails. Over 300 inmates were able to exploit a vulnerability in the JPay system to add $224,772 across the group. One of those involved managed to gain nearly $10,000 using the exploit. Those who hacked their JPay accounts are being punished, and the vulnerability is being fixed, but this raises questions about the security of programs used by the U.S. prison system.
https://www.nytimes.com/2018/07/27/us/idaho-prison-hack-jpay-nyt.html

Podcasts:
IT Provider Network – The Podcast for Growing IT Service
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Reddit
Exploit: SMS intercept.
Risk to Small Business: High: Could have damaging effects on the trust of clients, as well as highlighting the vulnerabilities of SMS 2FA.
Individual Risk: Moderate: The nature of the data is not particularly harmful due to the age and the scope but affected users could be at risk for spam.
Reddit: Extremely popular forum, one of the 5 most popular sites on the internet.
Date Occurred/Discovered: June 14 – 18, 2018
Date Disclosed: August 1, 2018
Data Compromised:

• Old Reddit user data (before May 2007)
• Usernames
• Salted hashed passwords
• Email addresses
• Public content
• Private messages
• Email digests
Customers Impacted: Users with accounts made before 2007, subscribers to email digests between June 3 and June 17, 2018.
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

United States – UnityPoint Health
Exploit: Phishing.
Risk to Small Business: High: A huge breach of customer trust, also this organization will be fined heavily because medical data was breached.
Individual Risk: High: The content breached is valuable on the Dark Web and is vital in identity theft.
UnityPoint Health: Multi hospital group operating in Iowa, Illinois and Wisconsin.
Date Occurred/Discovered: March 14 – April 3, 2018
Date Disclosed: July 31, 2018
Data Compromised:
• Protected health information
• Names
• Addresses
• Medical data
• Treatment information
• Lab results
• Insurance information
• Payment cards
• Social Security Number
Customers Impacted: 1.4 Million.
https://www.healthcareitnews.com/news/14-million-patient-records-breached-unitypoint-health-phishing-attack

New Zealand – Hāwera High School
Exploit: Phishing.
Risk to Small Business: High: Ransomware attacks can be very disruptive.
Individual Risk: High: Students could lose files stored locally on computers. High risk of identity theft if PII is stored.
Hāwera High School: A New Zealand High School.
Date Occurred/Discovered: August 2018
Date Disclosed: August 2, 2018
Data Compromised:
• Local files stored on school computers
Customers Impacted: Students at the school.
https://www.theregister.co.uk/2018/08/02/new_zealand_school_hit_by_ransomware_scum/

India – CreditMate.in
Exploit: Exposed database.
Risk to Small Business: High: The exposed database was found during a routine google search, this kind of breach would seriously damage an organizations image.
Individual Risk: High: Data key for identity theft were exposed in this breach.
CreditMate: Helps customers obtain loans to purchase motorbikes.
Date Occurred/Discovered: July 27, 2018
Date Disclosed: August 2, 2018
Data Compromised:
• Member reference number
• Enquiry number
• Enquiry purpose
• Amount of loan being sought
• Full name
• Date of birth
• Gender
• Income tax ID number
• Passport
• Driver’s license
• Universal ID number
• Telephone number
• Email address
• Employment information
• Employment income
• CIBIL credit score
• Residential address
• Payment history of other loans/credit cards
Customers Impacted: 19,000.
https://www.databreaches.net/exclusive-creditmate-in-developers-goof-left-19000-consumers-credit-reports-unsecured/

United States – Yale University
Exploit: Unclear.
Risk to Small Business: High: Highly sensitive personal information was leaked which would damage consumer trust.
Individual Risk: High: The data accessed would be highly useful for bad actors looking to steal someone’s identity.
Yale University: A prestigious American University.
Date Occurred/Discovered: April 2008 – January 2009
Date Disclosed: June 2018
Data Compromised:
• Social security numbers
• Dates of birth
• Email addresses
• Physical addresses
Customers Impacted: 119,000
https://www.zdnet.com/article/yale-discloses-old-school-data-breach/

A note for your customers:
Texts from a Hacker.
With the breach of Reddit being disclosed this week, it’s key to remember the importance of robust cybersecurity, given that the hacker of the site was able to bypass 2FA. The actor was able to do this by using a method called ‘SMS intercept’ which is when the hacker is able to receive the text that contains the code for authentication. One way this is done is by SIM-swap, which is when the attacker convinces the phone provider that he is the target and applies their service to a new SIM card. Another method of attack is when bad actor impersonates the target and tricks the phone provider into transferring the target’s number to a new provider where the attacker is then able to access any 2FA codes coming into the phone.

A more secure alternative to SMS 2FA is app-based authentication through organizations such as Duo, which is not subject to the same vectors of attack. Stay vigilant out there, because SMS-intercept attacks are going to become more and more prevalent as they have been shown to be successful, and publicly too considering Reddit is one of the most popular sites on the internet.

This Week in Data Breaches 7/27 to 08/1 2018

Phishing

This week there were a few troubling breaches that stood out, especially the identity theft company LifeLock. When a company deals with sensitive information like the data LifeLock stores, customer trust is paramount…. so, when a breach occurs it really makes one reevaluate the effectiveness of the organization. A U.S. bank was also breached, with customer accounts drained at hundreds of ATMs across the country: a clear sign of a highly organized and effective attack. Bad actors are becoming smarter and getting better at attacking organizations, and the barrier to entry into this career of crime is getting lower and easier.

Thanks to our friends at ID Adgent!

 

Highlights from The Week in Breach:
– Banking Trojan.
– Life-UnLocked!
– Cyber Bank Heist.
– Huge Supply Chain Breach!

In Other News:

This Trojan is Galloping
The increasing popularity of ‘malware as a service,’ which is pre-packaged malware, developed by authors with technical skill and leased to less advanced cybercriminals, has made it easier for cybercriminals to launch advanced attacks on victims across the globe. A top-shelf malware as a service known as Exobot has had its code leaked after the author of the malware sold the banking trojan’s source code to interested parties. Once the source code is sold to enough people, eventually someone posts it publicly or it leaks in other ways. Authors of these ‘service’ malware rarely sell off the source code, that is unless they are finished with the project and moving on to other things. This is concerning in multiple ways, first being that a new more powerful malware may be in the works by the same author, second being that the sophisticated Android banking trojan is now becoming more available to bad actors. Researchers fear that the availability of the source code on underground hacking forums and its inevitable spread across the web will trigger a surge of malicious Android applications. History lends to this conclusion, as the leak of Android banking trojan ‘BankBot’ on the web lowered the barrier of entry into the world of malware and resulted in an explosion of the use of the trojan.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

The Best Test to Fail
Penetration testers are useful for assessing the strength and weaknesses in the cybersecurity of an organization, and according to new research these testers are mostly successful. Penetration testers can gain control over the network in question 67% of the time. The study in question was conducted by Rapid7 and examined organizations across industries and sizes, providing a supple sample size for finding two main points of vulnerabilities. The main vulnerabilities proved to be software and credentials. Software has increasingly been used to infiltrate networked resources, and credentials have always been a route of entry for bad actors. Only 16% of the organizations examined did not have a vulnerability, which is less than last year’s study, where 32% were vulnerability-free.
https://www.darkreading.com/threat-intelligence/new-report-shows-pen-testers-usually-win/d/d-id/1332368

I Ain’t Afraid of No PowerGhost
There is a new cryptocurrency mining malware out in the wild, and instead of using an individual’s devices, this malware has been targeting business PCs and servers. The cryptojacker is fileless, utilizing PowerShell and EternalBlue to spread through a business like a disease. PowerGhost is what researchers have begun calling the malware, and it can start on a single system and then spread to other organizations. As of the writing of This Week in Breach, South America is mainly affected by the cryptojacker, but PowerGhost also has a presence in North America and Europe.
https://www.zdnet.com/article/this-new-cryptomining-malware-targets-business-pcs-and-servers/

Podcasts:
IT Provider Network – The Podcast for Growing IT Service
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


Canada – GM, Toyota, Tesla, More – Exposed by Level One Robotics

Exploit: Unprotected server/supply chain vulnerability.
Risk to Small Business: Extreme: A breach of this magnitude and depth would more than likely end a small business due to the extremely sensitive information that was leaked. Most companies would not choose to do business with an organization that leaked their trade secrets.
Individual Risk: Extreme: Passport photos and driver’s license scans of some employees were leaked, which puts them at extreme risk for identity theft.
Level One Robotics: Ontario-based business that provides industrial automation services for automotive suppliers.
Date Occurred/Discovered: July 10, 2018
Date Disclosed: July 23, 2018
Data Compromised:

  • Blueprints
  • Factory schematics
  • Robotic configurations
  • Non-disclosure agreements
  • Employee data
    • Names
    • ID numbers
    • Driver’s license scans
    • Passport scans
    • ID photos
  • Invoices
  • Contracts
  • Price negotiations
  • Insurance policies
  • Customer agreements
  • Banking information for the company
    • Account
    • Routing numbers
    • SWIFT codes

Customers Impacted: Over 100 manufacturing companies.
https://cyware.com/news/trade-secrets-of-gm-toyota-tesla-and-others-from-last-10-years-exposed-in-major-data-leak-d707fe02

United States – LifeLock

Exploit: Lack of website authentication and security.
Risk to Small Business: High: Email addresses were exposed, which allows bad actors to target customers. The exploit also allowed a hacker to unsubscribe from all communication with the company, which could be devastating to small businesses.
Individual Risk: Low: Due diligence with opening phishy emails and being suspect of unexpected emails will go a long way to combat this breach.
LifeLock: Identity theft protection company.
Date Occurred/Discovered: July 2018
Date Disclosed: July 25, 2018
Data Compromised:

  • Email addresses

Customers Impacted: 4.5 Million.
https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/ 

United States – The National Bank of Blacksburg

Exploit: Phishing.
Risk to Small Business: High: The cybercriminals got away with a great deal of money in this hack. Most small businesses would not be able to stay afloat after a hit like the one detailed here.
Individual Risk: Extreme: The money taken was from customer accounts.
The National Bank of Blacksburg: A banking organization located in Virginia.
Date Occurred/Discovered: May 2016 and January 2017
Date Disclosed: Not disclosed, but discovered when a lawsuit was filed June 28, 2018
Data Compromised:  

  • Was able to disable anti-theft systems
  • $1,833,984 USD

Customers Impacted: Hundreds of customers’ accounts were used to steal money from the bank.
https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

United States – COSCO
Exploit: Ransomware.
Risk to Small Business: High: The Company’s email is down, forcing employees to use Yahoo mail to communicate with customers as well as internally.
Individual Risk: Low: Customers of the shipping company are not affected due to the continuing operation of the company, but it may be more difficult to coordinate with them.
COSCO: COSCO is an acronym for China Ocean Shipping Company and is a Chinese state-owned shipping services company. It is the 4th largest shipping company in the world.
Date Occurred/Discovered: July 24, 2018
Date Disclosed: July 25, 2018
Data Compromised: A ransomware attack has taken down their American network. The organization is keeping the breach under wraps, for now, so most details are not disclosed.
Customers Impacted: All the organization’s customers are affected by this attack. The difficulty in contacting the company could disrupt its customers’ business.
https://www.bleepingcomputer.com/news/security/ransomware-infection-cripples-shipping-giant-coscos-american-network/

http://lines.coscoshipping.com/home/News/detail/15325081261286611042/50000000000000231?id=50000000000000231

United States – Blue Spring Family Care

Exploit: Ransomware.
Risk to Small Business: High: Ransomware would be highly disruptive to any sized business.
Individual Risk: Moderate: There is no indication that any customer’s data was exfiltrated.
Blue Spring Family Care: Family healthcare provider.
Date Occurred/Discovered: May 12, 2018
Date Disclosed: July 26, 2018
Data Compromised: Ransomware attack encrypted the organization’s data. The extent of the attack is not clearly defined.
Customers Impacted: 44,979
https://www.databreaches.net/mo-blue-springs-family-care-notifies-44979-patients-after-ransomware-attack/



Supply Pain.
Supply chain attacks are extremely prevalent and costly, and most organizations are not prepared for them. A recent study found that less than 40% of organizations in the US, UK and Singapore have properly vetted their suppliers in the last year. Two-thirds of organizations have suffered a supply chain breach within the same time-frame, and almost three quarters (71%) don’t require the same level of security from their suppliers as they do internally. With the global average cost of a supply chain breach at $1.1 million, do you want to take those odds?https://www.darkreading.com/attacks-breaches/two-thirds-of-organizations-hit-in-supply-chain-attacks-/d/d-id/1332352

 

Want to see if you are compromised? Get a free Live Search Dark Web Scan for your business domain!

 

The Week in Breach 07/09/2018 to 07/18/2018

The Week in Breach

This week there was a TON of attention in the media about dark web markets and what’s bought and sold in these shady marketplaces. Timehop, a social media nostalgia app was breached exposing the PII of at least 21 million individuals, due to lack of 2FA, while Macy’s was hit with a breach where credit card data was accessed.

 Highlights from The Week in Breach:

– Pedal to the metal! Gas stolen in hack.
– Tracking military workouts!
– Macy’s falls victim to a breach.
– Timehop wishes it could turn back time for more security!

In Other News:

Dead Men Do Tell Tales
Hackers on the Dark Web have always sold medical records, as they are valued much higher than credit card info or PII. Researchers found this week that bad actors in these dark corners of the web are also selling medical records of deceased patients, with one vendor claiming to have 60,000 available for purchase. The records for sale include name, SSN, Address, zip code, phone number, birthday, sex, insurance and even date of death. What ever happened to respecting the dead?
https://threatpost.com/deceased-patient-data-being-sold-on-dark-web/133871/

Classified Documents for $200
The U.S. military can’t escape the Dark Web either! A lot of military documents have turned up on dark web markets after a hacker, with only a moderate level of technical skill, was able to access a captain’s computer through a previously-disclosed FTP vulnerability. Some of the documents are classified, and all of them contain sensitive data about military tactics or hardware. One of the documents is a maintenance book for the MQ-9 Reaper drone which is regarded as one of the deadliest drones used by the United States. How much money will classified U.S. military documents fetch on the Dark Web? $200. That says a lot about how much information is available for criminals to buy.
https://www.theverge.com/2018/7/10/17555982/hacker-caught-selling-stolen-air-force-drone-manual-dark-web

A $10 Key into Your Network
Remote access to IT systems is a competitive market on the Dark Web, with some running an interest to criminals for as low as $10! Some of these forums have tens of thousands of compromised systems available for bad actors to choose from, across all versions of Windows and at places such as international airports, hospitals and governments. One international airport found on the site had the administrator account exposed, as well as accounts associated with the companies that provide camera surveillance and building security. That’s not a good look!
https://www.zdnet.com/article/hackers-are-selling-backdoors-into-pcs-for-just-10/

Gassed Up
This week in Detroit, two suspects managed to steal over 600 gallons of gasoline after hacking the gas pump. The fuel is worth about $1,800 and was taken in broad daylight over the course of 90 minutes. At least 10 cars benefited from the hack and the police are at a complete loss on who conducted the hack. The hacker or hackers used a remote device that was able to alter the price of the gas and lock out the clerk from being able to shut off the affected pump. With gas prices being so high, it’s likely that attacks like this will continue in the future.
https://www.clickondetroit.com/news/men-hack-into-pump-at-detroit-gas-station-steal-600-gallons-of-gas_

Fitness App Turned Finder App
A fitness tracking app hailing from Finland has disabled their global activity map after it was revealed it could be used to track the geolocation of military personnel. The map showed the biking and running routes of its users, but also included the usernames of each person, allowing one to cross-reference the username with other websites and possibly identify the person’s name. Using the map, one could see where the person jogged around their home address and around the military base; possibly even bases that are secret to foreign countries.
https://www.bleepingcomputer.com/news/technology/polar-app-disables-feature-that-allowed-journalists-to-identify-intelligence-personnel/

Sex Appall
A twist on a classic email scam has appeared this week, with the classic ‘sextortion’ scam getting an upgrade. Now rather than just an intimidation email where targeted parties pay up out of fear of friends and family finding out what they do privately, the email also includes a password. The password appears to be from a large or multiple large data breaches, but these data breaches appear to be fairly old. Those who reported receiving the email claimed that the passwords were correct… ten years ago. While the passwords are outdated in many cases, this likely indicates that we will see more complex versions of this scam appearing in the near future.
https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/#more-44406

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Macy’s

Exploit: Supply chain exploit.
Risk to Small Business: High: A bad actor accessing names and card information can severely damage consumer trust in a brand.
Individual Risk: High: Individuals affected by this breach are at high risk of their credit card details being sold on the Dark Web.
Macy’s: Large department store chain.
Date Occurred/Discovered: April 26 – June, 2018
Date Disclosed: July, 2018
Data Compromised:

  • Full name
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Debit/ credit card numbers
  • Expiration dates

Customers Impacted: Unclear but the hacker operated undetected for almost 2 months.
https://cyware.com/category/breaches-and-incidents-news

United States – Timehop

Exploit: Lack of 2FA on cloud infrastructure.
Risk to Small Business: High: All of Timehop’s customers were a part of this breach, which discredits the organization and could have long-lasting effects on the business.
Individual Risk: Moderate: The credentials stolen could be used to compromise other accounts.
Timehop: Social media aggregation site that allows users to see posts made in the past.
Date Occurred/Discovered: July 4, 2018
Date Disclosed: July 8, 2018
Data Compromised:        

  • Names
  • Email addresses
  • Phone numbers
  • Date of birth
  • Gender

Customers Impacted: 21 Million.
https://www.infosecurity-magazine.com/news/timehop-breach-hits-21-million/
https://www.timehop.com/security
https://techcrunch.com/2018/07/11/timehop-data-breach/

United States – Cass Regional Medical Center

Exploit: Ransomware.
Risk to Small Business: High: A ransomware attack on any business in any sector would greatly diminish the organization’s ability to operate as needed. In some ransomware cases the data encrypted is lost entirely.
Individual Risk: Moderate: At this point in time there is no evidence that the data affected was also exfiltrated.
Cass Regional Medical Center: Missouri based medical center.
Date Occurred/Discovered: July 9, 2018
Date Disclosed: July 9, 2018
Data Compromised: The medical center’s internal communications system and access to their electronic health record system were affected by the hack, but there is no public indication that patient data has been accessed.
Customers Impacted: Many details surrounding the attack are being withheld from the public at this time, but restoration of the affected systems were at 50% as of July 10, 2018.
https://cyware.com/news/missouris-cass-regional-medical-center-hit-with-ransomware-attack-92884b12

Germany – DomainFactory

Exploit: Dirty cow vulnerability. (this is a nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild)
Risk to Small Business: High: A breach including banking account numbers would heavily damage the reputation of a small business.
Individual Risk: High: A wealth of PII was accessed during this breach and could leave individuals vulnerable to account takeover or identity theft.
DomainFactory: Web hosting service based in Ismaning.
Date Occurred/Discovered: July 6, 2018
Date Disclosed: July 9, 2018
Data Compromised:

  • Names
  • Addresses
  • Phone numbers
  • DomainFactory passwords
  • Dates of birth
  • Bank names/ account numbers
  • Schufa scores

Customers Impacted: The amount of customers impacted has not been made publicly available.
 https://www.zdnet.com/article/user-data-exposed-in-domain-factory-hosting-security-breach/
https://www.infosecurity-magazine.com/news/unauthorized-party-accessed/


 Did you know?

The cost of a breach
A recent study conducted by IBM provides some context to the same old story that you hear in the news of big bad breaches and how scary they are for your business. The Cost of a Data Breach Study by Ponemon* puts numbers to these stories and provides a wealth of analysis so even someone who has never used a computer before can quantify the seriousness of a breach… as long as they are familiar with money.

The average cost of a breach increased this year by 6.4%, with the per capita cost rising less, but only barely, by 4.8% (page 3). The cost of a data breach varies greatly by country, with the United States average breach price coming in at $7.91 Million and per capita costing $233. Canada’s per capita cost is the second highest out of the nations surveyed at $202 per record, and their average price of a breach is $4.74 million. Australia’s cost of a breach is less than the US and Canada, but Aussies are far from getting off free. The average cost of a breach down under is $1.99 million and the per capita cost averages at $108 (page 13).

The study also explored the main factors that were found to affect the cost of a breach, stating 5 major contributing factors that could make the difference between a manageable breach vs a mega breach. The loss of customers following a breach, the size of the data breach, the time it takes to identify and contain a breach, management of detection costs and management of the costs following a breach are the factors that most contribute to the cost of a breach (page 7). The time it takes to identify a breach being a major contributing factor to the cost of a breach is particularly important due to the fact that organizations saw an increased time to identify a breach this year. This can be contributed to the ever-increasing severity of malicious attacks companies face and highlight the need for proactive monitoring for breaches, as well as a serious focus on cybersecurity on a management level. That’s why tools such as Dark Web ID™ that dredge the Dark Web for personal information and credentials can contribute greatly to decreasing the cost of a breach. Organizations that identified breaches within 100 days saved more than $1 Million (page 9) compared to companies who did not. That says a lot because after all… money talks.

*Source: Ponemon Cost of Breach Study 2018

New Cybersecurity Regulations on Horizon for Corporate America

Image result for horizon

 

Prime Telecommunications, Inc., a leading managed technology services provider, is helping small to mid-sized businesses (SMBs) navigate the recent changes in cybersecurity standards that are highly likely to affect American businesses. Many have heard about Facebook’s recent controversy around Cambridge Analytica and irresponsible data sharing policies. Marc Zuckerburg even testified in front of the EU in order to address these major concerns and the result has been the passing and implementation of the GDPR (General Data Protection Regulation), which took effect in Europe in late May.

This new regulation demands transparency and responsible data practices on the behalf of all companies that do business in the EU. Some examples of GDPR in effect are 1) Requiring all subscribers to opt-in again to receiving all newsletters/marketing emails/etc. and 2) Companies need to report any major data breaches to all of their customers within 72 hours of the breach occurring. There are many more components to the regulation, however, the penalties for not adhering to these standards are in the millions.

This standard is very likely to reach the US marketplace and for most companies, this standard is already affecting their businesses. For example, if a business has any suppliers, customers, or satellite offices in countries located within the EU, they need to take a serious look at their data practices and make sure they are compliant. In time, many experts expect GDPR or some derivation of it to affect US-based businesses. “We strongly believe data regulation is coming to the US marketplace it’s certain that some form of cybersecurity regulation is imminent and severe penalties will follow businesses that aren’t compliant,” stated Vic Levinson, President of Prime Telecommunications. “There’s simply been too many data breaches that have affected major companies like Dropbox and Target for regulation not to come. When it does Prime Telecommunications’ proven cyber security program will play a major role in helping our customers meet these new regulations,” added Mr. Levinson.

Cybersecurity has transitioned from the era where an enterprise could “play dumb,” expect a slap on the wrist, pay minor fines and resume business as usual. Cybersecurity is now a central pillar of any organization’s success or demise and with the stakes as high as they are now, SMBs need to address their data policies and practices immediately.

While most business owners dread the idea of spending time, energy and money on meeting a new compliance, the simultaneous opportunity is for businesses to leverage the expertise of Prime Telecommunications to lower their operating costs through the deployment of advanced technology to offset the new investments in cybersecurity that they will likely be required to make. Whether the organization is large or small, soaring or declining, it’s time to revisit cybersecurity policies today.

The Week in Breach: 07/02/18 – 0706/18

 

While it has been a slow week in terms of the number of breaches, the severity of the breaches that did occur this week is nothing short of disturbing. The information exposed on the open web by ALERRT could be used with far-reaching effects…including both physical and permanent consequences. A cyber-attack conducted against a small business hosting provider in Australia also highlights a “WORST case” scenario for a breach. I strongly encourage everyone to check out their website here for a sobering reminder of what a company crippled by a breach looks like. When you cannot contact your customers to tell them that you have been breached, because you don’t even have a complete list of who your customers are… well, this is a good example of how damaging a breach can be.

In other news…

  • GDPR is inspiring others around the globe to enhance privacy and breach notification laws!
  • Hey T-Mobile Customers, are your photos safe?
  • Big Brother aka “Google” is exposing us again!
  • Privacy and Breach Notification laws are spreading globally

California has enacted a law similar to GDPR. This statute is widely regarded as one of the strongest privacy laws in the country and goes into effect in 2020, giving those who do business in the state some time to prepare for the change. The bill assures that organizations have to tell a consumer if their data is being collected, who it will be shared with, and the business purpose for collecting personal data.
https://www.darkreading.com/attacks-breaches/californias-new-privacy-law-gives-gdpr-compliant-orgs-little-to-fear/d/d-id/1332217

Cali is not the only place that was inspired by the implementation of GDPR. Brazil has passed a data protection bill in early June that if made into law, would prevent organizations from collecting and processing Brazilians’ data without informing users. Breaches are also covered by the bill, which requires organizations to report breaches immediately with fines up to 4% of revenue for those who don’t comply.
https://www.zdnet.com/article/brazil-moves-forward-with-online-data-protection-efforts/

Hello… Photos.
Those who have Samsung phones should be careful what they keep in their photo gallery! There are reports of Galaxy users having their photos sent to random contacts without their knowledge. This bug seems to only affect T- mobile users, but it is probably best to lean on the side of caution, considering the ramifications of sending the wrong photo to the wrong person.

https://techcrunch.com/2018/07/02/some-samsung-users-say-their-phones-randomly-sent-photos-to-contacts/

Gmail has its eye on you!
Google has been allowing third parties to read through people’s inboxes, according to a report by the Wall Street Journal. While the creator of Gmail has promised to stop scanning emails on their platform to curate ads, the organization has been allowing third parties to access inboxes if the user has opted into email-based tools like travel itinerary planners. These third parties are not just using AI to snoop through messages either…oftentimes employees of the organization go digging for information themselves.
https://www.nbcnews.com/tech/security/google-reportedly-allowed-outside-app-developers-read-user-emails-despite-n888571

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


Australia – Cyanweb Solutions – Total Devastation Event

Exploit: DDos Attack, Web server compromise, data encryption/ ransomware & data destruction.

Risk to Small Business: Extreme/Total Devastation: This is a catastrophic event impacting Cyanweb and its 400 customers that relied on them for web hosting.

Risk to Exploited Individuals: Extreme/ Total Devastation: This breach may devastate the businesses that relied on Cyanweb. This will also impact those businesses downstream customers and the employees of the impacted businesses. The goal was maximum data loss/ total devastation.

Cyanweb Solutions: Digital marketing and web provider based in Perth.

Date Occurred/Discovered: June 27th, 2018

Date Disclosed: July, 2018

Data Compromised: Only 12% of customer data survived the attack. 1200- 2500 man hours of work between the 3 employees is estimated for a full recovery.

How it was compromised: A ‘professional’ group distracted the admin with a DDoS attack while simultaneously infiltrating the server and delivering a ‘seek and destroy’ payload.

Customers Impacted: 435 accounts.
https://www.crn.com.au/news/perth-web-hosting-provider-cyanweb-solutions-hit-by-criminal-hacking-data-and-backups-lost-496455
https://www.cyanweb.com.au/

United States – ALERRT

Exploit: Negligence (no password required to access web server.)

Risk to Small Business: High: A breach that is a result of negligence dramatically reduces confidence in the company by consumers.

Risk to Exploited Individuals: Extreme: Compromised PII, password and correspondence that can be used to target and exploit individuals including law enforcement.

ALERRT: A federally funded active shooter training center for law enforcement.

Date Occurred/Discovered: June 2018

Date Disclosed: June 2018

Data Compromised:  

  • Work contact information
  • Personal email addresses
  • Work addresses
  • Cell numbers
  • Who has taken ALERRT courses, with feedback
  • Full name of those who took the course
  • Zip code
  • Histories on instructors
  • Instructors skills and training
  • Names of instructors
  • Geolocations of:
    • Schools
    • Courts
    • Police departments
    • City halls
    • Places where people gather such as universities and malls
  • Officers home addresses
  • 85,000 emails between staff and trainees dating back to 2011 including:
    • Password reset emails
    • Names
    • Email addresses
    • Phone numbers
    • The courses taken
    • When the courses were offered
  • Highly sensitive information about weaknesses in response ability

Customers Impacted: 65,000 officers, but this information could be harmful to anyone in the U.S. given how it could be used by domestic terrorists or other bad actors.
https://www.zdnet.com/article/a-massive-cache-of-law-enforcement-personnel-data-has-leaked/

UK – National Health Service

Exploit: Coding error/ misconfiguration leading to privacy violation.

Risk to Small Business: High: A breach of this size that essentially mislead those who specifically requested for their health information to be kept private would shake the trust of any customer. Privacy laws, including the EU’s GDPR, will impose harsh fines and penalties for similar incidents moving forward.

Risk to Exploited Individuals: Lowthe data was exposed externally and picked up by hackers.

National Health Service: The public health services in the United Kingdom.

Date Occurred/Discovered: March 2015 – June 2018

Date Disclosed: July 2nd, 2018

Data Compromised: 

  • Health Data

How it was compromised: A supplier defect that did not properly indicate that the patient’s data was to be only used for medical treatment.

Customers Impacted: 150,000
https://cyware.com/news/nhs-data-breach-exposing-150000-patients-sensitive-health-details-blamed-on-coding-error-40aa0ccf

https://www.parliament.uk/business/publications/written-questions-answers-statements/written-statement/Commons/2018-07-02/HCWS813/


Often times there is no “why”, just a “because”!

The Cyanweb Solutions breach was well organized and a caused catastrophic damage to both Cyanweb and the hundreds of customers that replied on them for hosting support. It’s nearly impossible to quantify the overall financial impact that this breach has caused.

When conducting post-breach forensics, the first question often asked is “why” – what was their motivation to destroy this small business? Often times, the answer is “because they could”.  The group conducted this takedown overwhelmed Cyanweb with a massive DDos attack, and while distracted, they compromised the servers, escalated their access, encrypted user data and proceeded to destroy almost everything – including backups. It did not take long for Cyanweb to discover the attack, but by the time they did, 88% of their data was permanently deleted.

This attack demonstrates how quick and devastating an attack can be on a small business.  Cyanweb was a trusted provider to hundreds of organizations, yet they lacked the proper security controls to secure their customer’s data, thus breaching their fiduciary responsibility. Whether we like it or not, we have to proactively invest in cybersecurity solutions to protect the continuity of our business and ensure those that count on us are secured.

Regardless of the size of your business or the industry we’re in, we’re all targets.

The Week in Breach: 06/25/18 – 6/29/18

Hacks this week showed no mercy or regard to international boundaries. From North America to Australia, businesses of all sizes, across all industries were targeted. Malware injection and insecure databases were some of the most damaging compromises highlighted this week. At least 230 million individuals and 110 million businesses exposed on the dark web… YIKES.

Highlights from The Week in Breach:

  • Ransomware be gone!
  • Comcast’s leaky API
  • Another Intel CPU vulnerability?
  • Massive breach exposes how many kids you have and where you live.

In other news…
A popular Australian medical appointment booking app called HealthEngine is receiving negative attention from privacy advocates and cyber security professionals alike this week. It has come to light that they have been sharing patients’ personal information with a third-party law firm. The information sharing occurred daily as part of a referral partnership.
https://cyware.com/news/popular-medical-appointment-booking-app-healthengine-reportedly-patient-data-with-law-firm-3aba7747

Researchers at Cisco Talos have developed a tool that decrypts files affected by the ransomware Thanatos. This news is only made better by the fact that they are releasing it at no cost. The less ransomware out there, the better.
https://www.zdnet.com/article/thanatos-ransomware-free-decryption-tool-released-for-destructive-file-locking-malware/

Comcast’s website has been leaking account information, including whether a home security setup is in place. Anyone on the customer’s network could trick one of the company’s APIs into returning customer information. Comcast was quick to shut down the API after the vulnerability was revealed to them.
https://www.zdnet.com/article/comcast-fixes-another-xfinity-website-data-leak/

At Black Hat USA this year, it was revealed that Intel CPUs have a side-channel vulnerability that could be used to leak encryption keys for signing a message. Researchers at the Systems and Network Security Group at Vrije Universitet Amsterdam constructed an attack that can reliably extract an encryption key using Intel’s Hyper-Threading technology. To exploit the flaw, a hacker would need to already have malware on the system or use compromised credentials to log in.
https://www.zdnet.com/article/tlbleed-is-latest-intel-cpu-flaw-to-surface-but-dont-expect-it-to-be-fixed/

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

Exactis
Exploit: Elasticsearch insecure database exploit.
Risk to Small Business: High: Demonstrable gross negligence while aggregating and normalizing PII. This increasingly common exploit (insecure/ publicly accessible database). This compromise will cross state and international boundaries.
Risk to Exploited Individuals: High: The data breached could be used to execute extremely effective spear phishing campaigns.
Exactis: A marketing and data aggregation firm based in Florida.
Date Occurred/Discovered: June, 2018
Date Disclosed: June 27, 2018
Data Compromised: 

  • Names
  • Address
  • Email address
  • Telephone number
  • Interests
  • Habbits
  • Number of children, their ages and gender
  • Whether the individual smokes
  • Religion
  • Pets

Etc… over 400 variables per person
How it was compromised: Negligence
Customers Impacted: 230 million Americans and 110 million businesses

https://www.wired.com/story/exactis-database-leak-340-million-records/
https://info.idagent.com/blog/big-data-big-breach

People Dedicated to Quality (PDQ)
Exploit: Hackers gained entry by exploiting an outside technology vendor’s remote connection tool. Demonstrates supply chain-based vulnerabilities.
Risk to Small Business: High: Remote session / access tools are frequently targeted. Outsourcing and the cost-effectiveness of remote support makes this a very effective attack vector for hackers. This should be top of mind especially if an organization holds PII or any customer data of value.
Individual Risk: Low: Victims of this breach are highly vulnerable to financial fraud and identity theft.
PDQ: People Dedicated to Quality, or PDQ for short, is a chicken focused food stop founded in Florida.
Date Occurred/Discovered: May 19, 2017 – April 20, 2018
Date Disclosed: June 22, 2018
Data Compromised: 

  • Credit card information
  • Expiration dates
  • CVV
  • Names

How it was compromised: PDQ believes that a hacker gained access to their customer’s credit card information using an outside technology vendor’s remote connection tool.
Customers Impacted: Unknown, but all 70 PDQ locations were compromised.
https://www.eatpdq.com/promos/news/2018/06/22/guestinfo

FastBooking
Exploit: Web Application Exploit, Remote Access, Malware injection.
Risk to Small Business: High: There seems to be several layers to this exploit. Remote access was achieved to download the data scraping malware. This breach is far-reaching globally impacting businesses and individuals globally. The forensics, mandatory credit monitoring, brand damage will be costly and will linger to years.
Risk to Exploited Individuals: High: Personal data and credit card information was compromised during the breach, leaving individuals vulnerable to identity theft.
FastBooking: Based in France, the company sells hotel booking software globally.
Date Occurred/Discovered: Occurred on June 14, 2018, discovered on June 19, 2018.
Date Disclosed: June 26, 2018
Data Compromised: 

  • Full name
  • Nationality
  • Home address
  • Email address
  • Booking information

In some cases:

  • Credit card details
  • Name on card
  • Card number
  • Expiration date

How it was compromised: Malware installed on their server which granted remote access.
Customers Impacted: 4,000 hotels in 100 countries.
Prince Hotels is the first to inform customers, with 123,963 of their customers affected. Of these, 58,003 are instances of personal information compromised. 66,960 involved credit card information.

https://www.bleepingcomputer.com/news/security/hundreds-of-hotels-affected-by-data-breach-at-hotel-booking-software-provider/

https://www.japantimes.co.jp/news/2018/06/26/business/corporate-business/prince-hotels-hack-results-loss-124000-customers-credit-card-numbers-data/#.WzOvIdVKjIW

Best Sleep Centre
Exploit: Ransomware
Risk to Small Business: High: Significant impact to business operations if data not properly encrypted and backed up.
Risk to Exploited Individuals: Moderate: Data was encrypted by the ransomware. At this point, there is no public evidence that it was also exfiltrated.
Best Sleep Centre: Winnipeg based mattress store
Date Occurred/Discovered: June 2018
Date Disclosed: June 26, 2018
Data Compromised: The company’s server was encrypted.
How it was compromised: Ransomware. The owner decided to pay the ransom, but negotiated it down to $2,000 CAD.
Customers Impacted: Unknown at this time, but the business is impacted.

https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

Ticketmaster
Exploit: JavaScript chatbot with data scraper injected in to supply chain systems.
Risk to Small Business: High: Highlights how supply chain vulnerabilities can lead to massive data loss and exposure. Companies dealing with customer data / PII should have elevated security controls in place to prevent supply chain vulnerabilities.
Risk to Exploited Individuals: High: This breach leaves Ticketmaster customers vulnerable to identity theft.
Ticketmaster: A ticket purchasing website that is used globally for many types entertainment.
Date Occurred/Discovered: Discovered on June 23, 2018. Could have occurred as early as September 2017.
Date Disclosed: June 27, 2018
Data Compromised: 

  • Names
  • Address
  • Email address
  • Telephone number
  • Payment details
  • Ticketmaster login details

How it was compromised: Malware hosted on a customer support product hosted by a third-party supplier which sent data to a remote location.
Customers Impacted: Ticketmaster has been telling the media that about 400,000 customers have been affected, but in their alert to customers they claim that ‘less than 5% of their customer base have been affected. 5 percent of their customer base comes out to 11.5 million, so we will have to see if their investigation into the breach will reveal more affected customers.

https://www.govinfosecurity.com/ticketmaster-breach-traces-to-embedded-chatbot-software-a-11144
https://security.ticketmaster.co.uk/

Facebook (yes again)
Exploit: Unsecured JavaScript file/ supply chain
Risk to Small Business: High: A supply chain vendor that leaks data will tarnish the reputation of business.
Risk to Exploited Individuals: Moderate: The data the quiz app is leaking could be used in spear phishing attacks.
Facebook: A social media site that has over 2 billion monthly active users.
Date Occurred/Discovered: End of 2016-present
Date Disclosed: June 28, 2018
Data Compromised: 

  • Facebook ID
  • First name
  • Last name
  • Language
  • Gender
  • Date of birth
  • Profile picture
  • Cover photo
  • Currency
  • Devices used
  • When your information was last updated
  • Posts
  • Statuses
  • Photos
  • Friends on Facebook

How it was compromised: Any third party can view.
https://techcrunch.com/2018/06/28/facepalm-2/

Prime Telecommunications’ Technology Thwarts Cryptojacking

Cryptojack

 

Prime Telecommunications, Inc., a leading managed technology services provider, is helping small to mid-sized businesses (SMBs) to prevent cryptojacking attacks from damaging their organizations. Cryptojacking attacks, are derived from the widely popular cryptocurrencies, such as Bitcoin and Ethereum, and occurs when a corporate server is hijacked in order to facilitate cryptocurrency transactions by leveraging the inherent power of high-performance servers. As cryptocurrencies rely on an enormous amount of server power in order to facilitate transactions, many of the corporate servers that power small to mid-sized businesses have become an obvious target of cryptojacking attacks, as they are simply the most efficient vehicle for cryptojackers to exploit. Prime Telecommunications is currently protecting SMBs from this threat.

“Businesses that are under attack are often unaware of this threat because these attacks are specifically designed to be minimally intrusive and hard to trace,” stated Vic Levinson, President at Prime Telecommunications. “Typically, cyber criminals set up their malware to run quietly in the background during daytime hours, only to extract maximum power during off-hours. It’s one of the telltale signs, yet this is rarely monitored by organizations that aren’t working with a reputable managed technology services provider. The result is that most businesses are flying blind and unaware that their security has been compromised, which doesn’t seem very dangerous on the surface. However, this leaves many cryptocurrency hackers with access to very sensitive points within an organization that can be taken advantage of later.”

Most attacks take place when businesses are most vulnerable; after-hours and during migration to cloud-based solutions. Durring off-hours, cryptocurrency mining software can be installed quickly and without detection, creating a pivot-point where hackers can later install even more malware. Another vulnerable moment is when businesses are migrating their network to the cloud. The vulnerability here is because of the complexity and level of detailed attention required to successfully navigate these kinds of infrastructure transitions. Where most business owners simply add technology piece-by-piece, this fails to address the gaps in the network that arise gloming one solution onto another. Networks can quickly become messy and this is how organizations get exposed to hackers. In the case, of cryptojacking, it’s no different.

“Business owners can protect themselves by taking the following actions, commented Mr. Levinson. “As a first step, they need to diagnose their network and segment the utilization of their data. By doing this, business owners or CTOs can see which devices, servers, and endpoints are performing optimally and which are underperforming. Underperforming servers can provide a hint that the organization may have been cryptojacked. Another action they can take is to make sure that they aren’t vulnerable to exploit kits, which are tools hackers use to infiltrate networks via common business software. Lastly, businesses can direct their attention to systems that expose the network, like VPNs (Virtual Private Networks) or other cloud-based technology. While there are many more steps to take, these are very effective first steps to protect any organization from cryptojacking.”

 

ABOUT PRIME TELECOMMUNICATIONS, INC.

For more information on Prime Telecommunications, call (847)329 8600 or visit http://www.primetelecommunications.com.

The Week in Breach June 23 to June 29 2018

 

The Week in Breach

 

It’s no surprise that this week has been busy for cyber-attacks on the web, targeting big events such as the World Cup but also continuing to pursue small-and medium-sized businesses across the globe.

– Google is still leaking!
– Another Dark Web marketplace down in a big win for French authorities.
– Do androids dream of electric… rats? A new malware for Android!
– Going phishing at the World Cup.

In other news… Google has announced that Chromecast and Google Home devices, that are easily scripted to reveal precise location data to the public, will be patched in the coming weeks. Disclosed by a researcher at Tripwire, the simple script running on a website can collect location by revealing a list of internet connections available to the device. Researchers go on to describe how easy it would be to remote into an exposed individual’s device and network.
https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/

The Dark Web marketplace known as ‘Black Hand’ was shut down by French authorities this week. The marketplace was used to sell drugs, weapons, stolen personal information and banking data, as well as fake documents. The site had over 3,000 users from France and was highly active for selling illicit materials.
https://www.hackread.com/authorities-shut-down-dark-web-marketplace-black-hand/

Researchers have come across a new malware family that takes form as an Android remote administration tool (or RAT). The malware uses the messaging app Telegram both to spread and to operate the RAT. When an attacker gains access to a device, he or she operates it by using Telegram’s bot functionality and can intercept text messages, send text messages, make calls, record audio or screen, and locate the device.
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

With the World Cup in full swing this week, bad actors are taking advantage of the attention on the event and spinning up malicious email campaigns. The idea is that people are less vigilant about clicking emails from unknown sources when related to an event that only occurs every couple of years. Sites selling fake tickets, offering fictitious giveaways and luring unsuspecting induvial to click on malicious links related to the World Cup are popping up all over the place.
 https://www.darkreading.com/attacks-breaches/wallchart-phishing-campaign-exploits-world-cup-watchers/d/d-id/1332080

A network worm called ‘Olympic Destroyer’ that debuted at the 2018 winter Olympics is still doing damage across Europe. Since the Olympics, the group has taken an interest in financial and biochemical organizations and oftentimes uses spear phishing as a way to gain illegal access to systems. The group has so far remained anonymous, using a complex combination of false flags and other deceptive behavior to avoid being revealed.
https://www.darkreading.com/vulnerabilities—threats/olympic-destroyer-reappears-in-attacks-on-europe-russia/d/d-id/1332094


What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

Indian Government

Exploit: Leaky websites, lack of basic website/ internet security controls.

Risk to Small Business: High: Demonstrates that poor cyber hygiene and complete disregard for basic website/ internet security can be highly damaging.

Risk to Exploited Individuals: High: Sensitive personally identifiable information that can be used for identity theft.

Indian Government: The Republic of India’s government.

Date Occurred/Discovered The government has experienced a wide variety of breaches over a long span of time, but with their websites being audited in May of 2018, their continuing lack of security with such highly sensitive information proves to be a continuing problem.
Date Disclosed June 20, 2018
Data Compromised · Names and phone numbers of those who bought various medicines from state-run pharmacies

Recently but not this week:

· Aadhaar number

· Data collected in ‘Smart Pulse Survey’

· Geolocation of people based on caste/religion

· Geolocation of ambulances, why they were summoned, and the hospital destination

How it was compromised Leaky websites and dashboards allowing anyone to look up HIGHLY sensitive medical and personal information.
Customers Impacted Anyone who has purchased medicine from the state-run pharmacies.
Attribution/Vulnerability Poorly configured database.

http://www.newindianexpress.com/specials/2018/jun/19/in-wake-of-data-leaks-andhra-pradesh-orders-audit-of-all-government-websites-1830571.html

https://www.huffingtonpost.in/2018/06/19/caught-leaking-information-on-people-buying-viagra-from-government-stores-ap-orders-security-audit_a_23463256/

Med Associates

Exploit: Supply Chain/Trusted Vendor Compromise
Compromised Workstation, most likely compromised credentials and a lack of multi-factor authentication.

Risk to Small Business: High: At least 42 physician practices had their customer’s PII compromised. Lack of situational awareness within the supply chain will create significant challenges for the vendors that replied on the claims processing vendor.

Risk to Exploited Individuals: High: This breach has disclosed a massive amount of HIGHLY sensitive personal and health information leaving customers impacted significant risk of identity theft and fraud.

Med Associates: A New York-based claims processing company.

Date Occurred/Discovered March 2018
Date Disclosed June 2018
Data Compromised · Patient names

· Dates of Birth

· Addresses

· Dates of service

· Diagnosis codes

· Procedure codes

· Insurance information, such as insurance ID numbers

How it was compromised Not disclosed, but it was specified that the attack did not involve ransomware or phishing.
Customers Impacted 270,000
Attribution/Vulnerability Still under investigation, but the third party gained remote access to the workstation without phishing or ransomware.

https://www.govinfosecurity.com/hacking-incident-at-billing-vendor-affects-270000-patients-a-11116


Chicago Public Schools

Exploit: Negligence

Risk to Small Business: High: If a breach of this magnitude happened to a small business, it is unlikely it would recover. This kind of negligence causing a breach tarnishes a name to a great degree, but people do not have a choice but to continue using Chicago public schools because it is a government-run program.

Risk to Exploited Individuals: High: Unfortunately, a minor’s personally identifiable information is highly sought after and valuable as its often not monitored.

Chicago Public Schools: School district in the Illinois city of Chicago

Date Occurred/Discovered June 16, 2018
Date Disclosed June 16, 2018
Data Compromised · Children’s names.

· Home phone numbers.

· Cell phone numbers.

· Email addresses.

· School ID numbers

How it was compromised When sending out an email about applications to selective enrollment schools, an employee attached a spreadsheet containing the sensitive data which was then sent out to families in the district. The person who made the critical mistake is going to lose their job according to the superintendent.
Customers Impacted 3,700 students and families
Attribution/Vulnerability Negligence

https://chicago.suntimes.com/news/cps-data-breach-exposes-private-student-data/

An important takeaway from this week is how easy it is to unsuspectingly leak personal information. A study conducted by Positive Technologies found some alarming statistics when researching the vulnerabilities of something that is often overlooked; web applications.

The study uncovered that almost half (48%) of the web applications tested were vulnerable to unauthorized access from a third party, with 17% of the tested applications being so unsecured that full control could be acquired. Every single web app that the study looked had vulnerabilities with just over half of them (52%) being high risk. A little under half (44%) of web apps examined that processed personal data leaked that personal data and 70% of all applications were at risk of leaking critical information to the business. The study found an average of two critical vulnerabilities per web application, and where the researchers had access to the source code of the web app they uncovered high-severity vulnerabilities 100% of the time. The industries used in this study of web applications include: finance, IT, e-commerce, telecom, government, mass media, and manufacturing.

Make sure to consider what web applications you are using in both your professional and personal life, otherwise, your information could end up on the Dark Web.

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Web-application-vulnerabilities-2018-eng.pdf

https://www.darkreading.com/attacks-breaches/most-websites-and-web-apps-no-match-for-attack-barrage/d/d-id/1332092