Archive for the News Category

‘Secure’ Backup Company Leaks 135 Million Records Online

A company claiming to provide “the world’s most secure online backup” leaked metadata and customer information in over 135 million records after misconfiguring an online database, Infosecurity has learned.

The team at vpnMentor discovered the privacy snafu as part of its ongoing web mapping project that has already uncovered major cloud data leaks at brands including Decathlon, PhotoSquared and Yves Rocher.

It was traced to California-headquartered SOS Online Backup, which claims to be a multi-award-winning provider with 12 data centers around the globe. The firm was contacted on December 10 and again seven days later. Although it never replied to the researchers, the incident was mitigated on December 19.

“The exposed database contained over 135 million records, totalling almost 70GB of metadata related to user accounts on SOS Online Backup. This included structural, reference, descriptive, and administrative metadata covering many aspects of SOS Online Backup’s cloud services,” vpnMentor explained.

The trove also included PII such as names, emails, phone numbers, business details (for corporate customers) and account usernames.

“By exposing so much metadata and user PII, SOS Online Backup has made itself and its customers vulnerable to a wide range of attacks and fraud,” warned vpnMentor.

“This database could have been a goldmine for cyber-criminals and malicious hackers, with access to cloud storage highly sought after in the online criminal underworld.”

Aside from the potential reputational damage to the firm, the incident could be investigated by California regulators under the new CCPA data protection law, as well as by GDPR regulators if EU citizens’ data is included.

“Finally, the exposed database showed the structure of their cloud-based backup technology, accounts’ systems, and how they work. Hackers could use this information to plan effective attacks and embed malicious software in their system,” vpnMentor suggested.

“This would allow them to steal customer data and files, or attack SOS Online Backup directly.”

Source: Information Security Magazine

OIG Lacks Confidence in FBI's Adherence to Woods Procedures

The Office of the Inspector General (OIG) has said it lacks confidence that the Federal Bureau of Investigation is executing its Woods Procedures in line with FBI policy when applying for court permission to surveil people in the United States. 

The FBI implemented its Woods Procedures in 2001 following errors in numerous Foreign Intelligence Surveillance Act (FISA) applications submitted to the Foreign Intelligence Surveillance Court (FISC) in FBI counterterrorism investigations. The procedures, named for FBI agent Michael Woods, who helped devise them, require that every fact submitted in support of a wiretap application must be verified.

FBI policy requires case agents who will be requesting the FISA application to create and maintain a "Woods File" that contains supporting documentation for every factual assertion contained in the application together with the results of required database searches and other verifications.

A report published by the OIG on March 30 states that a recent audit of the FBI found that in some FISA applications, Woods Files had gone missing or may never have existed.

Over the past two months, auditors visited 8 FBI field offices and reviewed a judgmentally selected sample of 29 applications relating to US persons and involving both counterintelligence and counterterrorism investigations. 

The OIG report states that "we could not review original Woods Files for 4 of the 29 selected FISA applications because the FBI has not been able to locate them and, in 3 of these instances, did not know if they ever existed." 

In all 25 of the FISA applications the OIG was able to review, auditors identified errors or inadequately supported facts.

The OIG said: "For all 25 FISA applications with Woods Files that we have reviewed to date, we identified facts stated in the FISA application that were: (a) not supported by any documentation in the Woods File, (b) not clearly corroborated by the supporting documentation in the Woods File, or (c) inconsistent with the supporting documentation in the Woods File."

The auditors' findings led the OIG to conclude that the FBI's FISA applications were not as accurate as they should be.

"We believe that a deficiency in the FBI’s efforts to support the factual statements in FISA applications through its Woods Procedures undermines the FBI’s ability to achieve its 'scrupulously accurate' standard for FISA applications," stated the OIG.

Source: Information Security Magazine

New Marriott Data Breach Affects 5.2 Million Guests

Hotel chain Marriott International announced today that it has suffered a second data breach.

According to an incident notification published on their website, the company spotted unusual activity occurring in an app that guests use to access services during their stay. 

An investigation into the activity revealed that the login credentials of two Marriott employees had been used to access "an unexpected amount" of guest information.

Marriott said guest data that may have been compromised in the breach included contact details, loyalty account information, personal details such as birth dates, and information concerning linked partnerships and affiliations like airline loyalty programs. 

Precisely what information was accessed varied from guest to guest, but in some cases email addresses, phone numbers, and employer details were exposed. 

Marriott said: "At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020."

While the investigation into the data breach is ongoing, Marriott said that "we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers."

On March 31, 2020, Marriott sent emails about the incident to guests involved. The hotel chain has offered guests affected by the incident a year's worth of personal information monitoring from IdentityWorks free of charge. 

Marriott said: "We have also set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved." 

This latest data breach has affected approximately 5.2 million Marriott guests. The hotel chain has advised Marriott Bonvoy account holders to change account passwords and to monitor their accounts for suspicious activity.

In November 2018, Marriott reported a data breach that saw the records of approximately 339 million guests exposed. In a catastrophic and ongoing cybersecurity incident, threat actors were found to have had unauthorized access to the hotel's Starwood network since 2014.  

Source: Information Security Magazine

#WorldBackupDay: Only 58% of Brits Back Up Their Data

The majority of British people don't back up their data even though they know how to do it.

New research by Avast published today to coincide with World BackUp Day found that 42% of Brits do not back up their data and files. 

Of those running the gauntlet of data loss in the event of theft, infection, accidental deletion, or destruction, 52% said they didn't keep any information on their device that was important enough to back up.

Other Brits who don't back up their data said that they had intended to get around to it but had not been successful. Of those, 10% said it had slipped their mind, while 13% said that they were too busy with other tasks to find time to back up. 

The remaining 26% of Brits throwing data preservation to the wind by not performing backups confessed that they hadn't bothered to find out how to carry out this simple task.

Of the Brits who do back up their data, 47% do so once a month, while 20% do so continuously and 17% perform a backup every 1 to 6 months.

While 39% of Brits who do actually back up their data do so to cloud storage, the most popular method, practiced by 59% of those surveyed, was to use an external hard drive. 

Android users showed a marked preference for using external hard drives over cloud storage for their backups, while iPhone users were only slightly more likely to choose an external hard drive over the cloud. 

"Losing personal documents, photos and videos can be a painful experience and it’s not until this happens that they realize how valuable it actually is,” said Luis Corrons, security evangelist at Avast. 

“It’s important to back up data on a regular basis, keeping memories, captured in the form of photos and videos, safe and secure.”

Avast researchers recommend backing up data regularly to two locations, in effect keeping a backup of the backup. They also advise users who back up to an external hard drive to protect that drive from ransomware attacks by disconnecting it once the backup is complete.

Source: Information Security Magazine

Sensitive Voter Data Exposed by App Used in US Elections

Sensitive information about US voters was left exposed due to a data breach involving the voter contact and canvassing app Campaign Sidekick, which is used by the Republican party in election campaigns. The cybersecurity company UpGuard revealed that an unprotected copy of the Campaign Sidekick app’s code was mistakenly left freely available on its website. The exposure has since been secured.

Originating during the 2002 election cycle, Campaign Sidekick has been used to help digitalize election campaigning as part of a wider approach by the Democratic and Republican parties to capture, unify, analyze and act on data about US voters. The Campaign Sidekick app helps collate information from interactions that take place with voters during canvassing.

On February 12, 2020, UpGuard found that the git directory on app.campaignsidekick.vote was publicly available online. The files were downloaded and found to contain some sensitive data, after which the analyst informed Campaign Sidekick of the exposure. Following communication between the two organizations, the exposure was secured on February 15, 2020.

With extensive data analytics now used in election cycles, it is critical that political parties have the most rigorous cybersecurity techniques and practices in place to protect individuals’ data.

“Organizations need to understand the ease with which attackers can access sensitive data by exploiting vulnerable third parties. Political campaign staffs rely on a broad ecosystem of third parties to help them do business, and it only takes one mistake within a single app to expose sensitive voter data,” commented Kelly White, CEO, RiskRecon.

“Any organization involved in maintaining the integrity of elections – from campaign staffs to party officials to state and local election boards – needs to better understand the security practices of all parties in the data chain of custody and hold those parties accountable.”

There have been several high profile election data breaches in recent years, including leaked emails relating to Hillary Clinton’s campaign to run for Senate.

Source: Information Security Magazine

NATO Report Warns of New Authoritarian Chinese Splinternet

Chinese government plans to push through standardization of a new internet architecture could broaden the threat landscape, destabilize security and privacy, and fragment the world wide web, a new NATO report seen by Infosecurity will warn.

First proposed at the UN’s International Telecommunication Union (ITU) last September, the plans call for a replacement to the current TCP/IP model, dubbed “New IP.” They’re being led by Huawei, China’s state-run telcos and the government itself.

As reported by the FT, the plans claim that TCP/IP is broken and incapable of supporting IoT advances, space-terrestrial communications and other innovations coming down the line, such as holographic comms.

The proposal also points to security vulnerabilities in the current model and claims its “ubiquitous, universal and better protocolled system” would provide improved security and trust for the internet.

However, an upcoming report from Oxford Innovation Labs (Oxil) for NATO is extremely apprehensive of the plans. China is effectively “creating a perception of necessity” for its new model when in fact TCP/IP is far from completely broken — in fact, it has adapted consistently well to everything thrown at it over the years, it says.

Even worse, the New IP model for a decentralized internet infrastructure (DII) will undermine security and embed “fine-grained controls in the foundations of the network” — ultimately putting more control into the hands of the ISPs.

“New IP would centralize control over the network into the hands of telecoms operators, all of which are either state run or state-controlled in China,” the report authors told Infosecurity. “So, internet infrastructure would become an arm of the Chinese state.”

New IP also includes plans for an object identifier resolution system to replace the current Domain Name System (DNS), ostensibly to improve performance, stability, privacy and security. But Oxil claimed: “The use of alternate technologies for identification on the internet and the DNS would lead to less predictability in cyberspace and new questions around norms and governance.”

It also criticized the New IP plans for distributed ledger technology (DLT), which China claimed is necessary to counter overt centralization of internet architecture, in the hands of IANA, CAs and other bodies.

In the Chinese model, governments are likely to have control over the DLT, thus enabling mass surveillance, Oxil argued.

“It is not uncommon for language of ‘trust’ to replace ‘security’ in Chinese DII-related discussions. This is concerning because it indicates that the principle of ‘security by design’ – at least in the Western context – is not being adopted in DII’s development. In the long-term this could negatively impact cybersecurity globally,” the report claimed.

The plans are being pushed through at pace at an ITU level, with Oxil and other UN delegates alarmed at the speed such radical changes are being proposed, and the impact of global standardization of New IP.

It will “increase the threat landscape by introducing new security uncertainties across the stack” and provide authoritarian governments everywhere with a new model for controlling the populace, Oxil warned.

The fragmentation of the global internet into national, government-run “intranets” will also undermine the predictability of cyberspace and NATO’s ability to protect and defend its networks, it continued.

“A proliferation of alternate internet technologies will increase the internet’s threat landscape, decrease predictability, and potentially destabilize existing and future norms for responsible state behavior in the online environment,” the report concluded.

Source: Information Security Magazine

Privacy Snafu Exposes 42 Million ‘Telegram’ Records

Security researchers have discovered tens of millions of accounts from a third-party version of Telegram that were leaked online in another cloud misconfiguration.

Bob Diachenko and the Comparitech team found the exposed data on March 21. It had been posted to an Elasticsearch cluster, password-free, by a group called “Hunting system” in Farsi.

Although the cluster was deleted on March 25, a day after Diachenko informed the hosting provider, at least one user had apparently already posted it to a hacking forum.

That’s bad news, because the trove contained 42 million records from a third-party version of popular messaging app Telegram. They included user account IDs, phone numbers, names, and hashes and secret keys.

As Telegram has been banned in Iran since anti-government protests in 2018, the database could put users at risk of being singled out by the authorities as having something to hide.

Although the hashes and keys can’t be used to access accounts, third-party hackers could use the other information in financially motivated attacks, warned Comparitech.

“SIM swap attacks are one example. A SIM swap attack occurs when the attacker convinces a phone carrier to move a phone number to a new SIM card, allowing them to send and receive the victim’s SMS messages and phone calls. The attacker could then receive their one-time access verification codes, granting full access to app accounts and messages,” explained privacy advocate, Paul Bischoff.

“Affected users could also be at risk of targeted phishing or scams using the phone numbers in the database.”

This isn’t the first such privacy incident involving messaging users in the country. In 2016, hackers identified the user IDs, phone numbers and one-time verification codes of 15 million Telegram users after activation codes were likely intercepted by phone carriers.

Source: Information Security Magazine

Houseparty Offers $1m for Info on ‘Smear Campaign’

Houseparty is offering $1m for evidence of a suspected smear campaign, after several reports emerged that multiple users had had other online accounts compromised via the video conferencing app.

The platform has become extremely popular over recent weeks as consumers flock online to socialize safely during a time of lockdowns and social distancing.

However, similar reports in UK tabloid media outlets on Monday pointed to social media “hysteria” over Houseparty users claiming that their use of the app had somehow led to other accounts being compromised.

These include PayPal, Spotify, Amazon, Netflix, Instagram and eBay.

“Anyone who’s using the #Houseparty app be super careful. My bank account was hacked today and it has been linked back to the app. Lots of other people are experiencing the same thing. I’d definitely recommend deleting it,” noted one user in a typical post on Twitter.

However, security experts have leaped to Houseparty’s defense, claiming there’s no evidence linking Houseparty to compromises of other accounts. If the stories are true, it’s more than likely that reused passwords are to blame.

Experts recommended users switch to two-factor authentication for log-ins across as many sites as they can, and to use a password manager.

As a result of the outcry, the video conferencing platform said it is now looking at whether these rumors were a coordinated attempt to defame the company.

“We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1m bounty for the first individual to provide proof of such a campaign,” it said on Twitter.

“All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”

Users have also complained on social media that when they tried to delete the app it required them to re-enter their password, and then claimed it was incorrect.

Source: Information Security Magazine

Ban Hasn't Stopped COVID-19 Instagram Ads

Adverts and listings that capitalize on the COVID-19 outbreak are appearing on Instagram and Facebook despite being banned.

On March 6, Facebook and Instagram announced a temporary ban on ads and listings selling medical face masks on their marketplaces. On March 19, Rob Leathern, head of trust and integrity for Facebook ads and business platform, extended the ban to include hand sanitizers, coronavirus testing kits, disinfecting wipes, and several other products.

Tenable's Satnam Narang has observed a growing number of adverts for COVID-19 essentials since the ban was issued.

"Despite the ban, advertisements continue to appear on Facebook and Instagram, some as recently as March 26," said Narang. 

"I began observing an uptick in activity in my Instagram Feed on Friday, March 20. All of a sudden, every single sponsored post in my Instagram Feed had something to do with masks, whether it be N95 masks, surgical masks or face shields."

Advertisers have carefully moderated the language they use in their ads in a slippery attempt to get around the ban.

"Many of the advertisements don’t overtly reference COVID-19 or the novel coronavirus that causes it in their posts," said Narang. "They do, however, talk about protecting oneself from 'harmful particles' and how to 'stay protected at all times' while referencing N95 masks or harmful viruses and bacteria, implying a connection to COVID-19."

Narang observed carefully worded ads appearing in his Instagram feed and showing up in his Instagram stories. Some were native to Instagram, but others originated from Facebook advertisers, including duamaskcom and Plengoods.

Alongside Facebook pages and Instagram accounts created recently for the sole purpose of promoting COVID-19-related items like N95 masks, Narang observed opportunists compromising the accounts of existing pages in order to advertise their products. 

"The Facebook Page for a Greek restaurant in Zimbabwe was compromised and used to push an advertisement for surgical masks to Instagram. The page does not appear to have been maintained since 2008," said Narang. 

But the crappy behavior of the few has not caused Narang to lose his faith in humanity. 

He told Infosecurity Magazine: "It’s certainly disheartening to see opportunists trying to profit from this crisis, but I’ve definitely seen a lot of kindness that gives me hope: People within communities volunteering to pick up groceries for the elderly, high-risk individuals creating blueprints to 3D print masks and other personal protective equipment, folks brokering deals to secure N95 masks for frontline workers, and retired medical professionals coming out of retirement to help out on the front line."

Narang urged users of these platforms to "help by reporting these ads using the built-in reporting functionality on social media services."

Source: Information Security Magazine