Archive for the News Category

SAP Blunder Exposes Gun Owners’ Personal Data

SAP has been forced to apologize after an internal error leaked the personal data of tens of thousands of gun owners to dealerships in New Zealand.

The German software giant is supporting a government gun buyback scheme introduced in the wake of the deadly mass shootings in Christchurch earlier this year.

As part of this policy, owners can return their firearms to accredited dealerships as well as police stations, registering their weapons first on a dedicated website.

However, problems with an SAP update appear to have led to highly sensitive details being made accessible to scores of those dealers. It’s thought that they included names, addresses, dates of birth, firearms licence numbers and bank account details — with as many as 38,000 potentially affected.

“As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records,” a reported statement from the firm explained.

“A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP… We unreservedly apologize to New Zealand Police and the citizens of New Zealand for this error.”

Police have apparently shut down the database temporarily after receiving reports of the privacy snafu from dealers, and will continue to manage the process manually.

Unsurprisingly, gun lobbyists have gone on the offensive.

“It’s a shopping list for criminals,” argued Nicole McKee of the Council of Licensed Firearms Owners, adding that gun owners considering the buyback scheme are “now being told they have to comply with a system that cannot be trusted.”

There are fears that Kiwi gun owners could now have their properties targeted by criminals.

Source: Information Security Magazine

Mixcloud Breach Hits Millions of Users

British streaming service Mixcloud has been hacked and the personal data of tens of millions of users put up for sale on the dark web, it has emerged.

The service issued a brief statement on Saturday confirming the incident.

“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems,” it noted.

“Our understanding at this time is that the incident involves email addresses, IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.”

One saving grace is that the firm doesn’t store full credit card details, or mailing addresses.

Another is that the encryption used for those who had signed up with passwords rather than Facebook authentication is SHA-2, a set of NSA-designed cryptographic hash functions which are thought to be almost impossible to crack.

Although Mixcloud hasn’t revealed the true scale of the attack, the alleged hacker told various news sources that the trove contained details of at least 20 million customers, which they have put up for sale on the dark web for 0.5 Bitcoin ($3650).

“Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services,” the firm concluded.

Users should also be on the lookout for follow-on phishing attempts as fraudsters use their breached personal information to craft convincing-looking scam emails designed to elicit more info.

It’s unclear whether the breach came as a result of deficient internal security policies, but given Mixcloud is a UK-based company, the Information Commissioner’s Office (ICO) will be keen to take a look.

The number of global breaches (+54%) and exposed records (+52%) both grew significantly from the first half of 2018 to the first six months of this year, according to Risk Based Security.

Source: Information Security Magazine

Alaska Named America's Riskiest State for Cybercrime

A new risk index has named Alaska as the state most vulnerable to cybercrime. 

The index was created by payments platform Cardconnect using data published by the Federal Bureau of Investigation's Crime Complaint Center. 

The company analyzed state-by-state statistics on four of the most prominent types of online crime: credit card fraud, identity theft, personal data breaches, and phishing scams (a category covering phishing, vishing, smishing, and pharming).

For each crime type, the number of instances per 100,000 residents was calculated, and each state was then ranked from 1 to 50, with 50 being the riskiest. The totals were then combined to give an overall risk index figure.

Despite boasting one of the nation’s smallest populations, Alaskans face the biggest risk of falling victim to online fraud of any state in the United States. Out of a possible worst-case scenario score of 200, Alaska came in at 195 on the risk index. 

Alaska accumulated 48 out of 50 points for credit card fraud and identity theft, 49 for personal data breaches, and 50 out of 50 for phishing.

At just one point behind Alaska, Nevada was found to be the second riskiest state for cybercrime, scoring 50 out of 50 for identity theft and personal data breaches and 49 out of 50 for credit card fraud. 

The Silver State only managed to slink into second place by the width of an eyelash for being slightly safer when it came to phishing, scoring 45 out of 50 on the risk index for crimes of this type.

In January 2019, Alaska’s Division of Public Assistance sent letters to 87,000 people—11.7% of the state’s entire population—notifying them that personally identifiable information such as names, Social Security numbers, and healthcare details may have been accessed by cyber-attackers. 

Seven months later, 650,000 Nevada students were the victim of a data breach, which resulted in the exposure of dates of birth and email addresses.

The safest state on the risk index, with an overall risk score of just 12 out of 200, was Iowa. 

"There were only 53 reports of credit card fraud in Iowa, resulting in a tiny ratio of 1.68 reports for every 100,000 residents," said a spokesperson for Cardconnect.

"This Midwestern state ranked in second place for credit card fraud, eighth place for phishing, and rated as the safest state of all for identity theft and personal data breaches."

Source: Information Security Magazine

United States Post Office Faces Cybersecurity Challenges

Cybersecurity has been listed as one of the challenges facing the United States Postal Service (USPS) in a semi-annual report to Congress by the Office of the Inspector General (OIG). 

The report, which was released on Monday, outlines the most critical management issues with which the service has had to contend during the six-month period from April 1 to September 30, 2019.

Modernization, IT, and cybersecurity were all flagged as challenges, along with the long-running problem of illegal narcotics being sent through the mail. 

In the report, USPS inspector general Tammy Whitcomb wrote: "The use of the mail system to ship illicit narcotics continues to demand our attention both in our audit work and our investigations. While narcotics allegations are rapidly becoming our greatest investigative area of focus, our special agents cover a wide swath of areas: health care fraud (claimant and provider); mail theft; contract fraud; and financial fraud."

During the six-month period covered by the report, the USPS completed 1,362 investigations that led to 436 arrests and nearly $1.48bn in fines, restitutions, and recoveries. Of that total, more than $77m was returned to the Postal Service.

Whitcomb highlighted the difficulties of meeting the demands of the customer base in an increasingly digital world. 

Whitcomb wrote: "A modern information technology network with sufficient capacity is critical to the success of the Postal Service. Customers and businesses demand timely, relevant, and accurate information and data as part of their digital experience. 

"The network must have the ability to meet these demands as well as the flexibility to continually adjust to the ever-changing business and regulatory environment. As information technology and the cyber-threat landscape evolves, security continues to be an ongoing challenge."

A review of the cybersecurity of the USPS conducted in November 2018 found a lack of long-term planning in which ongoing costs such as software licenses and contractor support had not been considered. This in turn had led to overspending.

In the review, the OIG recommended that the USPS "create and execute a program/administrative budget to adequately plan and administer an ongoing cybersecurity program." The current target implementation date for fulfilling this recommendation is March 2020.

Source: Information Security Magazine

Third-Party Vendor Exposes Data of Palo Alto Employees

American cybersecurity firm Palo Alto Networks has suffered a data breach after a third-party vendor accidentally published personal data regarding the firm's employees online. 

The privacy of seven current and former employees of Palo Alto Networks was compromised in the incident, which took place in February of this year. Details shared on the internet for all to see included names, dates of birth, and Social Security numbers, which were contained in a database of company employee details. 

News of the breach came to light after a former Palo Alto Networks employee disclosed the breach to Business Insider. The American financial and business news website has kept the identity of the story's source under wraps. 

In their testimony, the former employee said that the incident had been undetected for months. 

Palo Alto Networks, which is headquartered in Santa Clara, California, has more than 60,000 customers in over 150 countries. Upon being contacted, the global cybersecurity company confirmed that the breach had taken place and said that the contract with the third-party vendor that inadvertently published the data had been terminated.

The decision to dissolve the contract and send a clear message out to other vendors of what is expected of them was made by CEO of Palo Alto Networks, Nikesh Arora.

A Palo Alto Networks spokesperson said: "We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals.

"We take the protection of our employees' information very seriously and have taken steps to prevent similar incidents from occurring in the future."

Precisely which third-party vendor ensnared Palo Alto Networks in this embarrassing data exposure has been revealed by neither the firm nor—assuming that they were in fact privy to this particular piece of information—Business Insider.

Absent also from the press reports on the incident are exact details of how the breach came to occur. All that's revealed is that the data was exposed as a result of a security error on the part of the third-party vendor.

It is unknown whether the exposed data ended up on the dark web as a result of the breach.

Source: Information Security Magazine

Hotels Under Attack as Guest Data is Swiped from Front Desks

Security researchers are warning of an information stealing malware campaign that has already impacted hotel guest data in 12 countries worldwide.

The RevengeHotels operation has been running since 2015 but recently expanded its presence this year, according to Kaspersky.

It refers to the activities of at least two groups, dubbed “RevengeHotels” and “ProCC,” which target hotel front desks with remote access Trojan (RAT) malware.

“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” explained the report.

“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”
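The sender-domain check the report describes, as an added example that is not part of the article or of Kaspersky's report: it compares the domain an email was actually sent from against a constructed allowlist of companies a hotel expects bookings from, and flags near-misses (one or two edits away, or a trusted name padded with extra tokens) as lookalikes for the front desk or SOC to review. All domains and headers below are constructed samples.

```python
from email.utils import parseaddr

# Constructed allowlist (hypothetical): corporate domains the hotel legitimately books for.
KNOWN_DOMAINS = {"acme-travel.example", "globex-corp.example", "initech.example"}

# Constructed sample From: headers; the display name is the same on the lookalikes,
# only the domain after the @ differs, which is exactly what the report warns about.
SAMPLE_FROM_HEADERS = [
    "Acme Travel Bookings <reservations@acme-travel.example>",   # genuine
    "Acme Travel Bookings <reservations@acme-trave1.example>",   # 'l' swapped for '1'
    "Globex Corp Travel <travel@globexcorp.example>",             # hyphen dropped
    "Someone Else <someone@unrelated.example>",                   # not in the allowlist
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the iterative DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the actual address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sending domain."""
    dom = sender_domain(from_header)
    if not dom:
        return "unknown"
    if dom in known:
        return "known"
    for k in known:
        # Within a couple of edits of a trusted domain (acme-trave1 vs acme-travel),
        # or the trusted label embedded in a longer domain (acme-travel-bookings.example).
        if levenshtein(dom, k) <= max_dist or k.split(".")[0] in dom:
            return "lookalike"
    return "unknown"


def triage(from_headers):
    """Group a batch of From: headers by verdict; lookalikes deserve a phone call, not a reply."""
    out = {"known": [], "lookalike": [], "unknown": []}
    for h in from_headers:
        out[classify_sender(h)].append(sender_domain(h))
    return out


if __name__ == "__main__":
    for verdict, domains in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:>9}: {domains}")
```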

Once malware has been installed, cyber-criminals could sell subscription-based access to the infected machine on the dark web. That means fraudsters could get access to guest details, including credit card data copied from online bookings during the charging process, Kaspersky warned.

Over 20 hotels in 12 countries across Latin America, Asia and Europe have so far been confirmed as victims. However, many others may have accessed the malicious link in the phishing emails, the Russian AV vendor claimed.

“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.

“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”

Source: Information Security Magazine

Security Giant Prosegur Struck by Ransomware

Private security giant Prosegur has become the latest multi-national to suffer operational problems after being struck by ransomware.

The Spanish firm — which produces building alarms, and offers physical security services including cash transit vans — has over 60,000 employees around the globe and declared profits of €118m ($130m) for the first nine months of 2019.

However, it posted a statement to its Twitter account on Wednesday claiming the company had been struck by the Ryuk variant. Prosegur added that it had “enabled maximum security measures” to prevent the spread of the malware, including the “restriction of all communications.”

Security researchers monitoring the incident claimed in a series of tweets that the impact was severe, with the firm's websites taken offline in various regions.

“Prosegur appear to be in a hell of a mess, I’ve been monitoring social media posts and staff outside Spain in multiple offices report Ryuk ransomware on systems and outage of all services, so I’m guessing they have a common AD domain,” said UK-based Kevin Beaumont.

“Prosegur incident is just over a day old, customers and resellers are taking to Twitter saying alarms aren’t working and resellers saying they’re getting abusive calls from their customers. An entire ecosystem of security and cash handling services are up in the air.”

A statement from the firm on Thursday appeared to suggest it was on top of things.

“The ransomware, Ryuk, has been fully contained and the company has already deployed all the necessary mitigatory controls. Likewise, Prosegur has already begun the process of restoring its services,” it said.

“In addition to restricting its communications, the company initiated an investigation to determine the typology of the incident, its behavior, evaluation of the scope and definition of containment and recovery procedures, all of them included in the response plan for incidents of information security.”

The firm said it is also in contact with the “competent authorities” and is providing relevant technical information to “other actors” — stressing the need for collaboration to fight an ever evolving cyber-threat.

Source: Information Security Magazine

Missed Security Targets Start to Trouble Senior Execs

Companies that fail to set their IT security teams targets that directly correlate with overall business performance are causing problems for their CEOs, according to new research from Thycotic.

The privileged access management solutions provider surveyed more than 100 UK IT security decision-makers, with 61% admitting that there are implications for the CEO if security teams are unable to meet targets set to them.

With regards to the types of consequences they can face, the respondents noted facing a hard time from shareholders (44%), longer hours spent at work (40%) and even more serious implications such as penalties including lost bonus payments (37%) and threats to job security (35%).

Of particular note though, Thycotic’s research discovered that, when asked to describe what success looks like to them, IT security teams felt that being valued by the company (45%) was of more importance than achieving targets set by the board (42%). That suggests that CEOs risk repercussions if they set targets that do not effectively inspire IT and security professionals in their work.

Joseph Carson, chief security scientist and advisory CISO at Thycotic said: “The data breach at TalkTalk ushered in a new era where CEOs can and will be held accountable for IT security failures that occur on their watch. Today, when cybersecurity teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity and bonus reductions.”

To minimize the risks, he added, CEOs need to set IT security professionals proactive measures and appropriate budgets that demonstrate the positive contribution they make to overall business performance.

“A good example is to appoint an IT security professional with good communication skills in charge of cross-departmental co-operation. This has the dual advantage of putting IT security on a more proactive footing and increasing the chances of spotting/remediating digital risks early before they can escalate and cause trouble at board level.”

Source: Information Security Magazine

Googlers Fired for Breaking Security Policy

Tensions at Google have kicked up another notch this week after four employees were fired for apparently breaking data security policy, in what others have claimed is a witch hunt.

The four ex-staffers were accused of breaking policy by spying on colleagues’ work, including calendars and email. The back story appears to be that those they were monitoring were working on projects they didn’t approve of, such as a collaboration with the US Customs and Border Protection.

According to reports they repeatedly scoured through these colleagues’ data and distributed it to others despite this being “outside the scope of their jobs.”

“We have always taken information security very seriously, and will not tolerate efforts to intimidate Googlers or undermine their work, nor actions that lead to the leak of sensitive business or customer information,” a Google statement noted.

“This is not how Google’s open culture works or was ever intended to work.”

However, former colleagues and defenders of the four have claimed that what they did was in keeping with the tech giant’s code of conduct, which states: “And remember… don’t be evil, and if you see something that you think isn’t right — speak up.”

They argued that Google had ulterior motives in firing the four because they were involved in union organizing at the firm.

“Here’s how it went down: Google hired a union-busting firm. Around the same time Google redrafted its policies, making it a fireable offense to even look at certain documents. And let’s be clear, looking at such documents is a big part of Google culture; the company describes it as a benefit in recruiting, and even encourages new hires to read docs from projects all across the company,” they wrote in a blog post.

“Which documents were off limits after this policy change? The policy was unclear, even explicitly stating the documents didn’t have to be labelled to be off limits. No meaningful guidance has ever been offered on how employees could consistently comply with this policy. The policy change amounted to: access at your own risk and let executives figure out whether you should be punished after the fact.”

The incident comes at a time of unprecedented employee unrest at the tech goliath, with accusations that it has been too slow to tackle sexual harassment and has a problem with unequal pay.

Source: Information Security Magazine

US Man Charged with Stealing 100+ Songs from Recording Artists

A Texas man has been charged for his part in an alleged conspiracy to steal music tracks from 20 recording artists and release them online.

Christian Erazo, 27, from Austin, has been charged with aggravated identity theft, conspiracy to commit computer intrusion and conspiracy to commit wire fraud.

Between 2016 and 2017 he’s alleged to have worked with three others to target two music management companies in New York and LA.

The group is said to have obtained employee log-ins which enabled them to access the companies’ cloud storage accounts and steal over 100 songs from 20 artists that had not yet been released. They illegally accessed one company’s trove over 2300 times in just a few months, the DoJ said.

Erazo is also accused of hacking the social media account of an LA-based musician and producer and using it to send messages to recording artists and producers asking them for tracks.

The music obtained from these ventures was later released online in public forums, causing the victims financial losses, the court documents allege. In one case an entire album that had been in production for a year was effectively scrapped, potentially costing its creator $2m in lost sales.

The conspirators then allegedly tried to pin the blame for the attacks on someone else. A member of the group emailed one of the management companies claiming that an unnamed “Individual-1” was hacking the firm’s cloud storage accounts.

Erazo and others are said to have repeated the allegations to undercover officers posing as music executives, claiming he was helping them “for the love of the artists.”

He’s later alleged to have sent an email to one of the conspirators claiming the scheme was the “perfect cover-up.”

Music is big business. In June this year, world-famous band Radiohead revealed that a hacker stole lead singer Thom Yorke’s minidisc archive and was asking $150,000 in return for not releasing it. The band subsequently decided to publish the 18 hours of music themselves and donate the proceeds to a climate change group.

Source: Information Security Magazine