Archive for the News Category

Cloud Database Leak Exposes 425GB of Small Biz Financial Data

Over half a million highly sensitive legal and financial documents have been leaked online by a US loans company after another cloud configuration error.

Security researchers at vpnMentor led by Noam Rotem found the database in an unsecured Amazon Web Services (AWS) S3 bucket at the end of December.

It appears to be linked to a smartphone app known as MCA Wizard, developed by New York-based fintechs Advantage Capital Funding and Argus Capital Funding, which vpnMentor claimed were likely owned by the same company.

They are said to provide “merchant cash advances” (MCAs): controversial high-interest loans for small businesses and start-ups.

However, although the database URL contained the words “MCA Wizard,” the app is no longer available and most files bore no relation to the project. Even as the researchers discovered and tried to contact the firms, without success, new files were apparently being uploaded to the database.

The 425GB trove contained highly sensitive customer information including credit reports, bank statements, driver’s licenses, Social Security info, tax returns, scanned checks, purchase orders, and much more.

With this information, attackers could launch highly convincing phishing attacks, attempt check and financial fraud, target victim companies with malware, or even sell the data on the dark web, warned vpnMentor. The leak could even be investigated under the new California Consumer Privacy Act (CCPA), it claimed.

“This leak raises serious credibility and trust issues for Advantage and Argus. By not sufficiently securing this database and revealing so much information, they have compromised the safety, privacy, and security of their clients, partners, and customers,” the firm said.

“Those affected may take action against Advantage and Argus for doing so, either from ceasing to do business with either company or possibly pursuing legal actions. Both would result in considerable loss of clients, contracts, business relationships, and ultimately, revenue.”

After receiving no reply from the database owners, the researchers went directly to AWS, which promptly corrected the privacy snafu on January 9.

Source: Information Security Magazine

Encryption Debate Stalls Child Protection Bill

Concern over the use of end-to-end encryption in the United States is stalling a bill aimed at preventing child sexual abuse from becoming law.

In a rare example of political unification during an election year, the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020,” or EARN IT Act, has attracted bipartisan support.

If passed, the bill would create a government-backed National Commission on Online Child Sexual Exploitation Prevention. The commission would be tasked with developing "best practices" for owners of internet platforms to "prevent, reduce and respond to" the plethora of child sexual abuse material online.

Companies that fail to comply with the best practices Congress chooses to adopt would lose their legal liability shield as defined in the Communications Decency Act. Section 230 of that act states that "no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."

While many welcome the bill as an attempt to protect children from the ruinous horrors of sexual exploitation, others view it as a sneaky attempt to limit the privacy of American citizens.

Critics of the bill anticipate that a ban on the use of end-to-end encryption in commercial services will be one of the best practices recommended by the commission. Law enforcement has warned that such encryption allows sexual predators to operate with impunity by making it impossible for companies, law enforcement, or the government to access private communication between devices.

Senator Ron Wyden has derided the bill as a "Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans' lives."

Co-sponsor of the bill Senate Judiciary Committee chairperson Lindsey Graham stated that the proposed law had no hidden agenda, explaining that it is "not about the encryption debate, but the best business practices."

In an effort to give the bill a fighting chance of overcoming the question of encryption, one of its co-sponsors, Senator Josh Hawley, said: "I can tell you right now I will not support something that compromises the integrity of encryption for users, because I think that that's hugely significant."

Source: Information Security Magazine

Guitar Tuition Website Suffers Six-Month Data Breach

A Florida company that offers guitar lessons online to millions of students around the world has suffered a data breach.

Unauthorized access to TrueFire's computer system went on for six months before the breach was detected on January 10, 2020.

In a data breach notification letter dated March 9, 2020, and signed by TrueFire Chief Customer Officer Ren Wright, users who made purchases via the website truefire.com between August 3, 2019, and January 14, 2020, were warned that their data may have been compromised.

Wright said that data exposed during the lengthy breach may have included names, addresses, payment card account numbers, card expiration dates, and security codes.

Though the company does not store customers' payment card information itself, it warned that threat actors with access to its computer system may have been able to steal this information in real time as users bought classes and courses.

Wright wrote: "On January 10, 2020, TrueFire discovered that an unauthorized person gained access to our computer system and, more specifically, to information that consumers had entered through our website.

"While we do not store credit card information on our website, it appears that the unauthorized person gained access to the website and could have accessed the data of consumers who made payment card purchases, while that data was being entered, between August 3, 2019 and January 14, 2020."

TrueFire did not reveal how the breach was discovered but said that it has been reported to law enforcement. The company also said that it is "working with computer forensic specialists to determine the full nature and scope of the intrusion."

The company has advised its users to review their credit and debit card statements and check for any discrepancies or unusual activity.

"You should also remain vigilant and continue to monitor your statement for unusual activity going forward," wrote Wright. No offer was made to provide users with free credit monitoring services.

In its breach notification letter, TrueFire gave no reason as to why it waited until March 9 to inform users of a breach that was discovered on January 10. No mention of the data breach could be found on the TrueFire website at the time of publication.

Source: Information Security Magazine

Human Traffickers Still Recruiting Victims

Human traffickers are still recruiting fresh victims via social media and online dating platforms, according to a new warning issued by America's Federal Bureau of Investigation.

In a public service announcement delivered yesterday, the FBI warned the public to be wary when arranging to meet in person someone they have met online.

Human traffickers use the lure of sex, romance, and increasingly employment to ensnare online victims, setting up fake dates and making what appear to be legitimate job offers.

The FBI said that in addition to providing human traffickers with rich hunting grounds for victims, online platforms are also a favorite way for criminals to advertise victims for sale as slaves or sex workers.

"FBI investigations show that human traffickers continue to use online platforms to recruit individuals to engage in forced labor or sex work. The Internet lets human traffickers contact virtually anyone in the world, giving them an opportunity to communicate with and recruit victims domestically and internationally," said the FBI.

"Many Americans unknowingly encounter trafficking victims through their daily activities."

Victims who have been groomed online and persuaded to meet with the trafficker aren't simply snatched off the street and bundled into a van. The process of victimization is far more sinister and gradual.

"Human traffickers target vulnerable individuals by preying on their personal situations. After establishing a false sense of trust, traffickers may force victims into sex work or forced labor," warned the FBI.

Human traffickers select users to target by mining the information people share online for vulnerabilities that can be exploited. For example, if a user shares a post saying that they have lost their job, a trafficker might trap them by offering employment.

The FBI said: "Online platforms make it easier for traffickers to find potential victims, especially those who post personal information, such as their financial hardships, their struggles with low self-esteem, or their family problems.

"Human traffickers target and recruit their victims by appearing to offer help, or pretending to be a friend or potential romantic partner. They leverage their victims' vulnerabilities and coerce them to meet in person."

Source: Information Security Magazine

Student Loans Company Hit by 5.4 Million Email Attacks in 2019

The Student Loans Company (SLC) was hit by over five million email attacks last year, but appears to have weathered the cyber-storm from hackers.

A Freedom of Information (FOI) request issued by law firm Griffin Law revealed the scale and nature of the email threat to the government-owned public body, which provides funding for over 1.3 million UK students.

A total of 5,445,273 email attacks were recorded by the SLC last year, 10,125 of which were linked to malware, and 19,188 of which were phishing attempts. The vast majority, 5,415,960, were classified as spam.

Although the data does not list any successful email attacks, the scale of the threat is clear from the figures. In fact, recently published data from security vendor Trend Micro revealed that the firm blocked nearly 48 billion email-borne threats in 2019, 91% of the total it detected during the 12 months.

Tim Sadler, CEO at Tessian, argued that the SLC was understandably a major target for cyber-criminals given the vast trove of personal and financial information it holds on UK students.

“Phishing attacks are particularly effective because they are relatively easy and inexpensive to execute — it just takes one employee to fall for the scam and the attacker can steal money, harvest credentials or install malware onto devices,” he explained.

“In the case of SLC, it's likely that hackers will impersonate a trusted brand or individual to lure individuals to fake websites in order to steal their login credentials. With these credentials, attackers can then access an individual's account and send emails on their behalf.”

If they’re able to hijack an SLC account, hackers could pose as an employee to make phishing emails to students appear even more convincing, Sadler added.

A mixture of improved employee awareness training and technology filters that can better spot malicious and spoofed emails is the key to tackling such threats.

Source: Information Security Magazine

US VPN Use Could Soar 150% as Covid-19 Spreads

Use of virtual private networks (VPNs) has rocketed in some of the countries hardest hit by the Covid-19 virus, according to new data from a company that supplies these services.

Atlas VPN analyzed data from its 50,000 weekly users, measuring how much traffic travelled through its servers last week (March 9-15) versus the week before (March 2-8).

While the total number of customers remained roughly the same during the two weeks, usage spiked in some of the countries suffering the most from the new coronavirus.

VPN usage in Italy increased 112% over the past week, while the figure hit 38% in Iran and 36% in Spain.

At the time of writing there were 183,000 confirmed global cases of Covid-19. Italy (28,000), Iran (15,000) and Spain (10,000) are the top three countries affected after China, where the virus originated.

The respective governments of Italy and Spain have issued “lockdown” notices that require all citizens to stay at home and bars, cafes, restaurants, stadiums, cinemas and museums to close. Home working is urged, where possible.

In Iran, where the death rate from the virus is nearly 6%, the government has been forced to release 85,000 prisoners in an attempt to prevent serious outbreaks in the country’s jails.

Other countries where Atlas VPN noted an uptick in VPN usage included the US, where there was a 53% spike over the two-week period.

Although the infection rate there is relatively low, organizations are already ramping up home working plans as trust in the Trump administration’s response to the outbreak slips.

The vendor’s COO, Rachel Welch, said the figures could increase even further over the coming months.

“We estimate that VPN usage in the US could increase by over 150% by the end of the month,” she said. “Overall, the usage of VPNs should continue to surge if the coronavirus pandemic worsens.”

Home workers are most likely taking advantage of VPNs to secure communications with corporate networks, while closed schools mean children and parents are using them in greater numbers to circumvent geo-restrictions to view their favorite entertainment content from around the globe, Atlas VPN suggested.

Source: Information Security Magazine

Over a Quarter of Security Alerts Are False Positives

More than a quarter of security alerts fielded within organizations are false positives, according to new research from the Neustar International Security Council (NISC).

The NISC surveyed senior security professionals across five European markets and the US, highlighting the risks of alert fatigue currently being faced by businesses around the world.

As detailed in the research, more than two-fifths (43%) of organizations experience false positive alerts in more than 20% of cases, while 15% reported more than half of their security alerts are false positives.

The survey also revealed that enterprises, in response to growing cybersecurity threats, are investing more resources in network monitoring and threat intelligence technologies that create more alerts – and thus more false positives – for security teams.

“Security tools that simply produce large quantities of data to be analyzed, without contextualizing potential threats, are contributing to data overload, alert fatigue and burnout,” said Rodney Joffe, chairman of the NISC and SVP and fellow at Neustar.

“Cybersecurity teams are increasingly drowning in data and are overwhelmed by the massive volume of alerts, many of them false positives. To ensure these high-value employees in mission critical roles are well-equipped to separate the signal from the noise, enterprises need a curated approach to security data that provides timely, actionable insights that are hyper relevant to their own organization and industry.”

Curated threat data helps enterprises to counter real threats more effectively and spend less time chasing false positives, Joffe concluded.

Source: Information Security Magazine

Agents Arrest 24 on $30m Money Laundering Charges

Federal agents have arrested 24 individuals on suspicion of acting as money launderers for an online fraud operation that is said to have made over $30m.

Businesses and individuals are said to have lost the funds through various business email compromise (BEC), romance fraud and retirement account scams, among others.

The 24 defendants are accused of laundering funds from the schemes through bank accounts in the US and across the globe.

They’re alleged to have created fake companies and used fake and victim identities to open bank accounts, before transferring funds, quickly withdrawing them and then circulating the money among the other defendants.

Of the 24, Darius Sowah Okang, 29, of Stone Mountain, Georgia, is also charged with one count of bank fraud and one count of aggravated identity theft, after creating a bank account in a retirement account scam victim’s name and depositing $288,000 of their money in it.

Afeez Olaide Adeniran, 31, of Atlanta, Georgia, and Blessing Ojo, 34, of Nigeria, are also charged with one count of wire fraud. Adeniran is accused of defrauding a homebuyer of $40,000 intended for a real estate transaction, while Ojo is said to have masterminded a false invoicing scam that duped a Californian media company into wiring $646,840 to a bank account controlled by one of the defendants.

A further 17 individuals are awaiting charges of bank fraud, aggravated identity theft, money laundering, and conspiracies to commit these offenses from a federal court in Atlanta.

The charges highlight how rampant online fraud is today. BEC scammers made almost $1.8bn in 2019, over half the $3.5bn total cybercrime losses reported to the FBI, according to a recent report. Confidence and romance scams were in second place, netting scammers $475m.

“Fraud schemes, like the ones perpetrated and facilitated by these defendants, inflict considerable losses on citizens, companies and the financial system,” said US attorney Byung Pak.

“Some of these schemes target the elderly and often deplete the victims’ entire life savings. These arrests affirm the Department of Justice’s commitment to prosecuting those who prey on our most vulnerable citizens.”

Source: Information Security Magazine

Illinois College Suffers Data Breach

An Illinois college is offering free credit monitoring to over 1,700 current and former employees following a recent data breach.

Officials at the College of DuPage confirmed on Monday that a cybersecurity incident had recently taken place.

College president Brian Caputo said that personal and tax information belonging to 1,755 staff had been compromised. Data exposed in the incident included 2018 W-2 tax forms.

Caputo told the Daily Herald that the likelihood of the exposed information being obtained by criminals or used for fraudulent purposes was low.

"However, the responsibility to protect private information is taken very seriously," Caputo said in a statement. "Therefore, the college is notifying the affected individuals out of an abundance of caution."

In addition to issuing breach notifications, the Glen Ellyn college is offering credit monitoring and identity protection services to current and former employees free of charge.

Caputo added that, in a bid to prevent any future breaches, additional procedural safeguards have been implemented.

An investigation into how the breach occurred is yet to produce any conclusive results. The college has not stated when the incident occurred or when it was discovered, nor shared any details regarding how the sensitive data came to be exposed.

"College of DuPage sincerely regrets this unfortunate incident and apologizes for any concern it may cause," Caputo said.

News of the cybersecurity incident comes as the college implements an alternative instruction plan in the wake of the COVID-19 pandemic. So far, no cases of the novel coronavirus have been confirmed among students, faculty, or staff.

Elsewhere in the state, attackers infected the website of the Champaign-Urbana Public Health District in Illinois with NetWalker ransomware last Wednesday.

The cyber-attack was timed to hit as Americans clamor for up-to-date health advice and information amid the spread of COVID-19.

"The timing is horrible," said health department administrator Julie Pryde on March 11. "The public needs to know it’s being taken care of, and we’re still functioning."

With the department's website temporarily out of service as a result of the attack, CUPHD used its social media accounts to share information on the coronavirus.

Fortunately, the health department's website was back up and running by March 12.

Source: Information Security Magazine

Checkmarx to Be Acquired by Hellman & Friedman

Insight Partners has agreed to part with application and software security company Checkmarx in a billion-dollar deal.

Once the deal is complete, Checkmarx will be owned by global private equity firm Hellman & Friedman, though Insight Partners will retain a substantial minority interest.

Checkmarx is to be acquired at a valuation of $1.5bn, making the planned transaction the largest acquisition of an application security company to date.

Among Checkmarx's 1,400 customers in 70 countries are 40 Fortune 100 organizations, including SAP, Samsung, and Salesforce.com.

Since being founded in 2006, Israel-based Checkmarx has been led by CEO Emmanuel Benzaquen and CTO and founder Maty Siman. Currently, the company has more than 700 employees in 22 countries.

"This acquisition is a clear testament to Checkmarx’s inimitable global team who have ensured our leadership position in software security, as well as to the significant role our technology plays in the broader cybersecurity industry," said Benzaquen.

The CEO went on to say that the company's planned partnership with Hellman & Friedman would enable Checkmarx to reach even dizzier heights of achievement.

He said: "More than 40 of the Fortune 100 have turned to Checkmarx to mitigate risk, secure code, and embed security into every aspect of their software development. We are thrilled to partner with H&F in our journey that takes our ‘software equals security’ vision to the next level."

Insight Partners managing director Richard Wells praised the progress Checkmarx has made in recent years.

"Even before we invested in the Company in 2015, we have been continuously impressed by the leadership to come out of this team of game changers and innovators," said Wells.

"Maty and Emmanuel are two of the cybersecurity industry’s top operators and we have been thrilled to have supported their stratospheric growth over the last five years. We will remain active supporters and vocal champions of the Checkmarx team."

Evercore acted as lead financial advisor and Stifel as advisor for this transaction. RBC acted as lead financial advisor and Simpson Thacher as legal counsel to H&F. HFN acted as legal counsel to Checkmarx, and Willkie Farr & Gallagher acted as legal counsel to Insight Partners.

Source: Information Security Magazine