Massachusetts' Department of Revenue is not doing enough to protect the sensitive information of taxpayers.
A recent report on the cybersecurity protocols of the Department of Revenue (DOR), compiled by auditor of the commonwealth Suzanne Bump, found that the DOR had no system in place to assess and document third-party vendor risks.
Furthermore, the audit found that the DOR had no documented and tested incident response procedures and had not established an information technology strategy committee.
The department previously had a security review board, but the board has not been active since early 2017.
"Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs," states the report.
"Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion."
The audit revealed that the DOR had failed to come up with an interdepartmental service agreement (ISA) with the Executive Office of Technology Services and Security (EOTSS) that defined and documented updated roles and responsibilities, despite having three years in which to do so.
The report states: "DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay."
No instances in which sensitive data had been compromised were discovered, but Bump’s office found that the DOR "was not prepared to respond to or mitigate cyber-attacks it or its vendors face" and "did not have procedures in place to guide its response to IT security incidents."
"The whole infrastructure for data security was missing at the Department of Revenue," Bump said in an interview that aired Sunday morning on Boston TV show On the Record.
The report, which was published on December 13, covered the DOR’s IT and security-related activities from July 2016 through December 31, 2018.
New research into litigation trends has identified cybersecurity as a major new source of legal disputes in the United States.
Of the 287 lawyers polled, 44 percent said that they foresee cybersecurity and data protection as a new source of disputes during the next few years.
The results of the 2017 and 2018 editions of the Litigation Trends Annual Survey saw cybersecurity and data protection concerns coming to the forefront as a key challenge in dispute management. However, the trend saw a marked rise this year, with respondents reporting an increase in the number of disputes triggered by data privacy issues.
From 2018 to 2019, the number of in-house counsel who rated cybersecurity and data privacy as the most important litigation issue they faced doubled. More than half of those surveyed (52 percent) feel more exposed than previously to such disputes.
Respondents to Norton Rose Fulbright's survey said that their concern over cybersecurity stemmed from the volume of threats, the creativity of threat actors, and the sensitivity of the data content. Counsel were also worried about some jurisdictions’ enactment of stringent data privacy laws.
Rapid growth in the size of the organization was also a key factor. One respondent quoted in the research wrote: "We’re growing at such a fast rate, in terms of the number of companies and the volume of work in the insurance industries, we have a large number of consumer-facing data points, so our consumer data retention is probably tripling yearly."
Companies in 2019 whose in-house counsel took part in the survey spent $1.5m on average on disputes and employed 2.5 disputes lawyers per $1bn of revenue.
Researchers found that more than 80 percent of companies conduct third-party and/or in-house assessments of cybersecurity and data protection risks, and such assessments are helpful in reducing these types of risks.
Other findings of the research are that counsel predict a rise in litigation caused by an anticipated economic downturn. Thirty-five percent of corporate counsel—8 percent more than in 2018—expect disputes to increase in the next year. Nearly two-thirds of corporate lawyers said economic downturns lead to an increase in litigation cases.
Introduced in 2004, Norton Rose Fulbright’s Litigation Trends Annual Survey is the longest-running survey of corporate counsel on litigation issues and trends.
Honda has become the latest big-name brand to expose the personal information of countless customers because of a cloud misconfiguration.
The carmaker’s North America business leaked around 26,000 unique customer records thanks to an unsecured Elasticsearch cluster, according to security researcher, Bob Diachenko.
He found 976 million records in total in the exposed database, around one million of which contained information about Honda owners and their vehicles, including names, contact details and vehicle information.
Although he was unable to confirm the volume of exposed records, Honda put the figure at just shy of 30,000.
“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII,” it said in a statement sent to Diachenko. “We can also say with certainty that there was no financial, credit card or password information exposed on this database.”
On the plus side, the company acted promptly to resolve the security issue, shutting the server on December 13, just a day after it was informed. However, it claimed the misconfiguration happened on October 21 and the database was first indexed by search engine BinaryEdge on December 4, leaving plenty of time for hackers to potentially scan for and find the trove.
Diachenko warned that the exposed data could be used to craft convincing follow-on phishing emails.
“The security issue you identified could have potentially allowed outside parties to access some of our customers’ personal information. We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability,” the statement continued.
“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations.”
The incident comes just months after Honda leaked 40GB of data on its internal security systems, via another unsecured Elasticsearch server.
A former IT administrator at Palo Alto Networks and four others have been charged with insider trading, in a three-year conspiracy said to have netted them over $7 million in profits.
According to a complaint filed by the SEC, Janardhan Nellore used his IT credentials and work contacts to access confidential information about his former employer’s financial performance and quarterly earnings.
He then allegedly traded Palo Alto Networks shares based on that information, and tipped off four friends: Sivannarayana Barama, Ganapathi Kunadharaju, Saber Hussain, and Prasad Malempati.
To cover up the scam, he is alleged to have told the group to use the code word “baby” to refer to the technology company’s stock. It’s also claimed that some of the group kicked back profits to Nellore in small sums to avoid scrutiny.
Nellore is said to have bought one-way tickets to India for himself and his family following an interview with the FBI, and was arrested at the airport. Reports suggest the group made over $7 million from insider trading activity that ran from 2015 to 2018.
“As alleged in our complaint, Nellore and his friends exploited Nellore’s access to valuable earnings information and attempted to hide their misconduct using code words and carefully tailored cash withdrawals,” said Erin Schneider, director of the SEC’s San Francisco Regional Office. “This case highlights our use of enhanced data analysis tools to spot suspicious trading patterns and identify the traders behind them.”
Nellore and Barama are also the subject of criminal charges issued by the US Attorney’s Office for the Northern District of California.
Insider trading is increasingly facilitated by unauthorized IT access to digital information. In January this year, two Ukrainian nationals were charged with hacking the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.
They then allegedly sold this information to insider traders, making over $4 million in the process.
The FBI has issued a warning to holiday travelers not to use public Wi-Fi on the road this Christmas because of cybersecurity concerns.
As internet users cross countries and continents to be with friends and family over the holiday period, the Feds argued that Wi-Fi hotspots should be avoided.
“Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera,” it said in a “Tech Tuesday” post this week.
“If you do need to connect to a public hotspot — such as at an airport or hotel — make sure to confirm the name of the network and the exact login procedures. Your goal is to avoid accidentally connecting to a fraudster’s Wi-Fi that they are trying to make look legit.”
If using a public hotspot is unavoidable, the FBI urged users not to log in to any sensitive accounts such as online banking. Where possible, the Bureau advised individuals to use their smartphones as a private hotspot for other devices.
Although these best practices have long been promoted by the information security community, users, including business travelers, continue to expose themselves to unnecessary risks by using public Wi-Fi without adequate security.
A 2018 study from iPass revealed that 81% of global IT leaders had recorded staff Wi-Fi-related security incidents over the previous year.
VPNs are seen as the best way to ensure traffic and web browsing sessions are protected from Wi-Fi snoopers. However, UK IT leaders were least confident (38%) that their mobile workers are using a VPN every time they go online.
The FBI warning comes just weeks after LA County’s district attorney issued a public security notice warning people not to use public USB charging points for fear of so-called “juice jacking” malware attacks.
A bill designed to enhance the cybersecurity of K–12 schools was introduced to the US House of Representatives on Monday.
If passed into law, the K-12 Cybersecurity Act would require the Department of Homeland Security (DHS) to create a list of cybersecurity recommendations and a cybersecurity toolkit for educational institutions to use when making improvements to their cyber-protections.
The bill was introduced by Senators Rick Scott and Gary Peters, who both serve on the Senate Homeland Security Committee.
Peters, who also serves on the Governmental Affairs Committee, said: "Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of [the] resources and information needed to adequately defend themselves against sophisticated cyber-attacks."
Support for the bill has been expressed by the National Education Association, the American Federation of Teachers, the National Association of Secondary School Principals, and the Consortium for School Networking.
It would further require the DHS to research and report back on the overall cyber-risks faced by schools.
Scott said: "The safety of our schools is always my top priority, and that includes protecting the information of our students and teachers. I’m proud to sponsor the K–12 Cybersecurity Act of 2019 to further protect our schools, students and educators, and give them the resources they need to stay safe."
The bill closely mirrors the State and Local Government Cybersecurity Improvement Act, which was introduced to the House in August but has yet to see any action.
According to data collected by Armor, over 1,000 schools in the United States have been affected by ransomware alone in 2019. In Louisiana, Governor John Bel Edwards declared a statewide emergency in July in response to ransomware attacks on three school districts.
It isn't just malware that poses a risk to American schools. In August 2019, a high school in Spotsylvania County, Virginia, wired $600,000 to a fraudulent football field turf provider after being deceived in an elaborate email phishing scam.
"School districts are a treasure trove for cyber-criminals seeking to pilfer valuable information, such as social security numbers and financial information until a ransom has been paid. From January through November of this year, SonicWall detected almost nine million intrusion attempts, demonstrating the tenacity and dedication of online threats and threat networks," commented Bill Conner, CEO of cybersecurity firm SonicWall.
A Siemens contractor who sabotaged computer programs so that he would later be re-hired to fix them has been jailed.
David Tinley of Harrison City, Pennsylvania, pleaded guilty in federal court to a charge of intentional damage to a protected computer back in July 2019.
Between 2014 and 2016, the 62-year-old computer programmer inserted malicious pieces of code known as logic bombs into software used at the Monroeville branch of Siemens in Pennsylvania. The logic bombs were designed to unleash code that would cause the software to malfunction after specific circumstances arose.
"The logic bombs ensured that the programs would malfunction after the expiration of a certain date. As a result, Siemens was unaware of the cause of the malfunction and required Tinley to fix these malfunctions," reads a statement released July 19, 2019, by the United States Attorney's Office of the western district of Pennsylvania.
Deceived by Tinley's despicable ruse, Siemens reputedly paid tens of thousands of dollars to the contractor to fix the masterfully orchestrated problems of his own sinister creation. According to a pre-sentence memorandum, Tinley paid Siemens $42,000 in restitution for that work.
For his criminal actions, Tinley faced a maximum prison term of 10 years and a maximum fine of $250,000. On Monday, December 16, United States District Judge William S. Stickman handed the corrupt contractor a six-month federal prison sentence and ordered him to pay a $7,500 fine.
Once his custodial sentence has been served, Tinley will spend a further two years under court-ordered supervision.
According to Law360 (registration required), the computer programs that prosecutors said Tinley had damaged were in fact spreadsheets that Siemens used to manage orders.
Siemens rumbled Tinley's logic bomb–planting scheme in May 2016, when the contractor, who was out of town and unable to visit the office to carry out a fix in person, was able to provide a password that unlocked the spreadsheets to Siemens staff.
Assistant United States Attorney Shardul S. Desai prosecuted this case on behalf of the government.
United States Attorney Scott W. Brady lauded the Federal Bureau of Investigation for its investigation, which led to the successful prosecution of Tinley.
A Canadian laboratory testing company has made a payment to secure the sensitive information of millions of customers that was exposed during a cyber-attack.
LifeLabs opted to pay up after criminals gained unauthorized access to the information of 15 million customers. Most of the customers impacted were in British Columbia and Ontario.
In an open letter to customers, president and CEO of LifeLabs Charles Brown said customer information exposed in the incident may have included names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, and lab test results.
The information accessed by the cyber-criminals has not been exposed publicly.
Brown wrote: "I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations."
After identifying that a data breach had occurred, the laboratory engaged security experts to isolate and secure the affected systems and determine the scope of the incident.
LifeLabs then took steps to strengthen their system against future attacks and paid an undisclosed amount to retrieve the data that had been accessed.
Brown wrote that the payment had been made "in collaboration with experts familiar with cyber-attacks and negotiations with cyber-criminals."
The laboratory's investigation into the incident indicates that the lab-test results of around 85,000 Ontario customers, who underwent tests in 2016 or earlier, may have been impacted in the incident. Similarly, any health information accessed by the cyber-criminals is thought to date from 2016 or earlier.
LifeLabs has offered any customers who are concerned about this incident a year's worth of free security protection that includes dark-web monitoring and identity-theft insurance.
Brown wrote that the attack occurred despite the laboratory's efforts to increase their cybersecurity in recent years.
"While we’ve been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime, which has become a pervasive issue around the world in all sectors," wrote Brown.
Brown gives no indication as to where the attack originated, when it happened, or who perpetrated it.
Government partners were notified of the breach on October 28, and the incident is currently under investigation by law enforcement.
A digital consultancy has accidentally leaked the personal details of thousands of US defense contractor employees after yet another misconfiguration of cloud infrastructure, it has emerged.
Washington DC-based IMGE accidentally exposed the names, phone numbers, home and email addresses of more than 6000 Boeing staff, according to The Daily Beast.
The trove featured government relations staff and senior executives, including one who apparently worked at the contractor’s advanced prototyping unit on highly sensitive technologies.
“This information was exposed as a result of human error by the website’s vendor,” a Boeing spokesperson told the news site. “Boeing takes cybersecurity and privacy seriously and we require our vendors to protect the data entrusted to them. We are closely monitoring the situation to ensure that the error is resolved quickly.”
The information itself is said to have been harvested by IMGE from a website called Watch US Fly, dedicated to “advancing and protecting American aerospace and manufacturing.”
That site requests that supporters leave their contact details for future campaigns and in order to direct their demands to fund Boeing projects to the right lawmakers, according to the report.
However, it is blocked in the UK so Infosecurity could not confirm these details.
It’s unclear how long the data was left exposed in the Amazon S3 bucket, although the Boeing employees were just a small fraction of the 50,000 individuals whose personal information was reportedly compromised by the snafu.
Chris DeRamus, CTO of DivvyCloud, explained that cloud misconfigurations like this are increasingly common as many users aren’t familiar with cloud security settings and best practices.
“It is especially concerning that the database contained information about 6,000 Boeing employees, many of whom are heavily involved with the US government and military, as the exposed data is more than enough information for cyber-criminals to launch highly targeted attacks against those impacted to gain more confidential government information,” he added.
“Companies who manage large amounts of sensitive data, especially data related to government and military personnel, need to be proactive in ensuring their data is protected with proper security controls. Companies must adopt robust security strategies that are appropriate and effective in the cloud at the same time they adopt cloud services – not weeks, months, or years later.”
Over 1000 US schools have now been affected by ransomware so far this year, according to new data from Armor.
The security vendor claimed to have discovered 11 new school districts, comprising 226 schools, that have been compromised by the malware since late October.
That brings the total number of affected school districts to 72 for the year, impacting an estimated 1039 schools nationwide.
Chris Hinkley, head of Armor’s threat resistance unit (TRU), said the attackers are deliberately targeting organizations that store sensitive data and run critical services.
“The attackers know that the services these organizations provide are critical to their communities, and they also know that schools and municipalities are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” he said.
“This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.”
Fortunately, of the 11 districts caught in the latest round of ransomware attacks, only one is confirmed to have paid the ransom.
Earlier this week Microsoft urged customers not to pay the cyber-criminals.
“We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers,” argued Ola Peters, senior cybersecurity consultant at the firm’s Detection and Response Team (DART).
“The most important thing to note is that paying cyber-criminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored.”
The bad news for US organizations doesn’t end with school districts. According to Armor, 82 municipalities and 44 healthcare organizations have also been hit with ransomware this year.
The figures from Emsisoft are even more stark: 103 municipalities and 759 healthcare providers, as well as 1224 schools, may have been impacted by ransomware so far this year.
Facebook is expanding its fact-checking program on Instagram globally to help combat the rising tide of misinformation on the social site.
The social network started working with third-party fact-checkers in the US back in May. If content is assessed as false, Instagram will then label it as such for global users and remove it from Explore and hashtag pages to reduce its exposure.
Now fact-checking organizations around the world will be able to participate in the program, although they’re not the only tool in the social network’s armory.
“We use image matching technology to find further instances of this content and apply the label, helping reduce the spread of misinformation. In addition, if something is rated false or partly false on Facebook, starting today we’ll automatically label identical content if it is posted on Instagram (and vice versa),” the firm explained.
“The label will link out to the rating from the fact-checker and provide links to articles from credible sources that debunk the claim(s) made in the post. We make content from accounts that repeatedly receive these labels harder to find by removing it from Explore and hashtag pages.”
Instagram said it combines community feedback — including any users who have chosen to avail themselves of a new “false information” option — with in-house technology to determine which content to send to fact-checkers for review.
Although less commonly associated with fake news and state-backed attempts to spread misinformation than Facebook, Instagram is being increasingly used in “coordinated inauthentic behavior.”
Earlier this week Instagram also announced an anti-bullying initiative which uses AI to warn users if their captions “may be considered offensive."
An internal whistleblower has raised concerns about the cybersecurity of Minnesota's largest health insurer, BlueCross BlueShield.
As reported yesterday by the Star Tribune newspaper, the whistleblower expressed concern that BlueCross BlueShield had left its system vulnerable to attack by neglecting to make thousands of important updates to its computer system.
Internal documents show that despite warnings to executives, 200,000 vulnerabilities that were deemed “critical” or “severe” were left to fester on the company's computer systems. In most cases, software patches to fix the issues were available.
Documents obtained by the newspaper show that as far back as August 2018, cybersecurity engineer Tom Yardic met with executives to share concerns that important patches hadn't been installed.
Frustrated with their response, Yardic went on to email his concerns to the company's CEO and board of trustees on September 16.
“I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides,” wrote Yardic. “What has not happened is a serious attempt to remedy the situation.”
In a statement emailed to the Star Tribune, the company's chief information security officer, Amy Ecklund, said that BlueCross BlueShield is working hard to cut the number of security vulnerabilities down before the end of the year.
"We certainly understand that our members expect us to protect their most sensitive data, and we want them to know that we are committed every single day to doing just that," said Ecklund.
BlueCross BlueShield Minnesota insures 2.8 million people. To date, the company has not reported a data breach of its own systems.
The personal data of 11,000 members of Minnesota's Supervalu Group Health Plan was breached in 2015 after Minnesota BlueCross BlueShield stored their information on vulnerable computers owned by another BlueCross licensee, now known as Anthem Inc.
“Protecting our members’ information is our top priority, and our efforts are ongoing,” Minnesota BlueCross BlueShield officials said via email. “As with all companies holding sensitive information, we remain vigilant in our security systems and testing, but we will always strive to do more.”
A Chinese online retailer with a huge North American fanbase has leaked more than 1 terabyte of customer data.
Researchers were able to gain access to a massive database containing 1.3 terabytes of daily logs dating from August 9, 2019, to October 11, 2019, totaling over 1.5 billion records.
The substantial leak compromised the security of LightInTheBox customers across the globe. Researchers were also able to access data from the vendor's subsidiary sites, including MiniInTheBox.com.
"Our team was able to access this database because it was completely unsecured and unencrypted," wrote researchers.
vpnMentor notified the vendor of the breach on November 24. Although no reply was received, the exposed database was closed shortly after LightInTheBox was made aware of its existence.
LightInTheBox, which was founded in 2007, sells clothing, accessories, gadgets, and various items for the home and garden. Most of the 12 million monthly visitors to the retailer's website are based in North America and Europe.
The company does not provide specific details about their data security and storage practices and has not publicized any measures they may take to protect their customers’ data.
vpnMentor researchers wrote: "The data breach affected customers around the world, with entries from many of their international sites, and in numerous languages."
Private personal data exposed in the leak included users' IP addresses, countries of residence, email addresses, and the destination pages and online activity of users on the vendor's website.
"This data breach represents a major lapse in LightInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken," wrote researchers.
Researchers warned that a leak of this nature could put customers at risk from crimes far more disturbing than online fraud.
"With a website user’s IP address, we were able to identify their city of residence. If a criminal hacker had access to this, along with the other data exposed, they could trick a victim into revealing their home address, and target them for theft and home robbery," wrote researchers.
New Jersey's largest hospital health network has paid threat actors an undisclosed sum to restore data compromised in a cyber-attack.
Hackensack Meridian Health's computer systems were shut down after being infected with ransomware on Monday, December 2. The attack caused major disruptions to services at 17 hospitals, nursing homes, and urgent care centers operated by the network.
Elective surgeries for roughly 100 patients were rescheduled as a result of the ransomware incident. Hackensack Meridian Health employees who were unable to access electronic records had to revert to using a paper-based system to deliver care.
The ransomware payment, together with the costs associated with recovering from the cyber-attack, was covered by Hackensack Meridian Health's insurance policy, according to Asbury Park Press.
At first, Hackensack Meridian Health was reluctant to disclose the true nature of the problem, citing only that it was grappling with "externally-driven technical issues."
But, on Thursday, December 5, news of the ransomware attack was leaked to NJ Advance Media by a hospital IT professional who chose to remain anonymous.
Bridget Devane, a spokesperson for the union Health Professionals and Allied Employees, or HPAE, confirmed on Friday, December 6, at 5 p.m., that "northern New Jersey hospitals are definitely back online."
Describing the disruption caused by the incident, Devane said: "There have been delays in orders and lab work, and they are having to double-check paperwork carefully to make sure everything is accurate."
According to NJ Advance Media, the health network confirmed the ransomware attack and the payment of the ransom in a statement released on Friday, December 13.
The statement read: "Due to developments in the investigation, and on advice of national experts, we could not disclose that this was a ransomware attack until now.
"Our network’s primary clinical systems are operational, and our IT teams continue working diligently to bring all applications back online safely. Based on our investigation to date, we have no indication that any patient or team member information has been subject to unauthorized access or disclosure."
Hackensack Meridian Health, which is based in Edison, New Jersey, has more than 35,000 employees and generates around $6bn in annual revenue.
Spammers behind one of the most prolific botnets of recent years have begun bombarding users with Christmas-themed phishing lures, according to researchers.
Phishing emails sent by the Emotet botnet were spotted by Cofense Labs. With typical subject lines such as “Christmas” or “Christmas Party” they’re trying to gain legitimacy by tapping the current seasonal trend for internal emails of this sort.
One particular phishing email posted to Twitter by the vendor read:
“I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know. Don't forget to get your donations in for the money tree. Also, wear your tackiest/ugliest Christmas sweater to the party.”
Malicious Word documents are typically attached to these emails, with names like “Party menu” and “Annual Holiday Lunch.” They require the user to click “enable editing” to view the content, but doing so executes embedded macros that install the Emotet Trojan.
Once installed, it could provide various groups with the means to attempt ransomware downloads and to send more spam and phishing emails.
Like TrickBot, Emotet was originally a banking Trojan, but then was re-written to function as a malware loader. Its operators sell access for clients to use it as a malware distribution network.
According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018. In July 2018, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.
The Christmas phishing lures have been seen before: back in 2018 Trend Micro warned of a similar campaign targeting UK users. It urged them at the time to disable macros in their security settings.
Security researchers have uncovered a massive 890GB database containing over one million highly sensitive web browsing records leaked by a South African IT company.
The Elasticsearch database, which was left online without any password protection, belonged to Conor, which has a range of big-name ISP and telco clients in Africa and South America, according to vpnMentor.
The unencrypted data trove related to a web filtering product the South African firm produced for these clients. In effect, it exposed user activity logs for the previous two months, including website URLs, IP addresses, index names, and MSISDN codes, which identify mobile users on a specific network.
These details include highly sensitive web browsing activity such as attempts to visit pornography sites, social media accounts, online storage including iCloud and messaging apps such as WhatsApp.
“Because the database gave access to a complete record of each user’s activity in a session, our team was able to view every website they visited – or attempted to visit. We could also identify each user,” the vpnMentor team explained.
“For an ICT and software development company not to protect this data is incredibly negligent. Conor’s lapse in data security could create real-world problems for the people exposed.”
If hackers had access to the leaked browsing data, exposed customers could find themselves targeted for blackmail and extortion due to the sensitive nature of the sites they may have visited.
That’s not to mention the reputational impact on Conor itself, among its client base, and the ISPs to whom end users would probably turn their ire in the event of a serious breach.
This is just the latest in a long line of exposed Elasticsearch databases revealed by vpnMentor as part of a major web mapping project designed to improve cloud security.
The security of RSA certificates has come under scrutiny after researchers revealed that they were able to break nearly a quarter of a million currently active keys.
The team first built a database of 75 million active RSA keys, augmented with another 100 million certs available through certificate transparency logs.
An RSA public key contains a modulus that is the product of two large, randomly chosen prime numbers, and such keys are typically used to encrypt data in transit. However, if a key shares one of its prime factors with another key, both are compromised: a greatest-common-divisor computation over the two moduli recovers the shared prime, and dividing it out yields the remaining factor of each.
Unfortunately, the researchers found over 435,000 certificates with a shared factor, enabling them to “rederive” the private key.
“In a real-world attack scenario, a threat actor with a re-derived private key for an SSL/TLS server certificate could impersonate that server when devices attempt to connect,” said JD Kilgallin, senior integration engineer and researcher at Keyfactor.
“The connecting user or device cannot distinguish the attacker from the legitimate certificate holder, opening the door to critical device malfunction or exposure of sensitive data.”
This could have a particularly major impact on the IoT sphere due to the low entropy or lack of randomness in key generation there, the firm said.
“These devices could include cars, medical implants and other critical devices, that if compromised, could result in life-impacting harm,” argued Keyfactor CTO, Ted Shorter.
Michael Barragry, operations lead and security consultant at Edgescan, explained that the issue discovered by the research team was a fault in implementation rather than a weakness with the underlying mathematics.
“Public key certificates are one of the key pieces of infrastructure that enable various devices and servers to securely identify and trust each other. If a malicious actor can successfully spoof a certificate for a particular device, they can essentially masquerade as that device. Depending on the trust chain that it lies within, multiple further attacks may be possible,” he added.
“Vendors need to be conscious of the potential upstream impact of all design decisions, as in this case it seems like an innocuous shortcut around random number generation has given rise to a much more serious flaw.”
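To make the shared-factor problem above concrete, here is an added example (not code from Keyfactor or the researchers) that scans a small constructed inventory of RSA moduli for pairs with a common prime and shows why such a pair is fully compromised. The certificate identifiers, the `INVENTORY` table and the use of small Mersenne primes in place of real 2048-bit primes are all constructed for the demonstration.

```python
from math import gcd
from itertools import combinations

# Constructed demo keys built from Mersenne primes 2**k - 1 with
# k in {31, 61, 89, 107, 127}, all of which are known to be prime.
# Real keys use 1024-bit or larger primes; the arithmetic is identical.
P, Q, R, S, T = (2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1)
E = 65537  # the usual public exponent

# Hypothetical certificate inventory: certificate id -> RSA modulus n.
# "cert-a" and "cert-b" stand in for low-entropy keys that share prime P.
INVENTORY = {
    "cert-a": P * Q,
    "cert-b": P * R,
    "cert-c": S * T,  # independently generated key, shares nothing
}


def find_shared_factors(inventory):
    """Return {(id1, id2): g} for every pair of moduli whose gcd is not 1.

    gcd == 1 says nothing about key strength; gcd > 1 means both keys are
    fully factored without touching the RSA mathematics at all.
    """
    hits = {}
    for (id1, n1), (id2, n2) in combinations(inventory.items(), 2):
        g = gcd(n1, n2)
        if g != 1:
            hits[(id1, id2)] = g
    return hits


def rederive_private_exponent(n, e, p):
    """Given one prime factor p of n, recover the other factor and d."""
    q, rem = divmod(n, p)
    if rem != 0 or q == 1:
        raise ValueError("p does not factor n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # d = e^-1 mod phi(n), needs Python 3.8+


def demo():
    """Scan the inventory, rederive cert-a's key, and prove it decrypts."""
    hits = find_shared_factors(INVENTORY)
    n = INVENTORY["cert-a"]
    d = rederive_private_exponent(n, E, hits[("cert-a", "cert-b")])
    message = 0x5A5A5A5A
    ciphertext = pow(message, E, n)
    return hits, pow(ciphertext, d, n) == message
```

The pairwise loop is fine for auditing one organisation's certificate inventory; at the scale of the 175 million keys described above, a batch-GCD product tree is the usual replacement, but each hit has the same meaning.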
The cybersecurity incident, disclosed by Orbitz in March 2018, may have exposed the personal data of 20,755 Pennsylvanian customers.
An investigation into the breach, carried out by Shapiro's office and led by Deputy Attorney General Timothy Murphy, found that a threat actor had used malware to target up to 880,000 payment cards around the world by compromising Orbitz's online travel booking portal.
Orbitz was notified by a business partner in 2017 that the travel rewards redemption portal hosted by the Orbitz Legacy Platform may have been a possible common point of purchase in connection with fraudulent payment card transactions.
It further alleges that Orbitz failed to fully implement Expedia’s company policies related to data security and did not have multiple Payment Card Industry Data Security Standard (PCI DSS) requirements in place at the time of the breach.
Under the terms of the settlement, Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty. Expedia acquired Orbitz and its assets in September 2015.
Josh Shapiro said: "Just like that, someone broke into Orbitz’s IT system and vacationed in what was supposed to be a safe place for travelers. The breach showed the company’s promise to keep customer information secure was more like a leaky boat.
"We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself."
Expedia and Orbitz have agreed to strengthen their security practices going forward by implementing a comprehensive information security program on the Orbitz website, conducting an annual comprehensive risk assessment, and developing a plan and program for designing, implementing, and operating safeguards.
The companies have also agreed to perform regular security monitoring, logging, and testing; improve access control and account management tools; reorganize and segment their networks; and comply with the Payment Card Industry Data Security Standard.
Instagram has launched an artificial intelligence warning system that challenges the free speech of its users.
Starting today, the social networking app will notify people when their captions on a photo or video "may be considered offensive" and give them "a chance to pause and reconsider their words before posting."
A user who attempts to post a comment deemed to be objectionable will receive a prompt that reads "This caption looks similar to others that have been reported." The user will then be given three options: to edit the caption, to learn more about why their comment has prompted this response, or to share it anyway.
The new warnings feature is being presented as a strategy to reduce online bullying; however, the warnings are the smallest of steps away from directly impeding users' free speech.
Rollout of the warnings feature has currently only been undertaken in "select countries"; however, Instagram plans to exert control over what users are allowed to post globally in the coming months.
In a statement released today, Instagram wrote: "As part of our long-term commitment to lead the fight against online bullying, we’ve developed and tested AI that can recognize different forms of bullying on Instagram. Earlier this year, we launched a feature that notifies people when their comments may be considered offensive before they’re posted.
"Results have been promising, and we’ve found that these types of nudges can encourage people to reconsider their words when given a chance."
Instagram has not stated who it is that decides whether content is potentially offensive or by what standards such comments are measured. No mention is given either of the potential dangers of silencing users' voices and driving the disaffected underground.
Instagram wrote: "Today, when someone writes a caption for a feed post and our AI detects the caption as potentially offensive, they will receive a prompt informing them that their caption is similar to those reported for bullying. They will have the opportunity to edit their caption before it’s posted.
"In addition to limiting the reach of bullying, this warning helps educate people on what we don’t allow on Instagram, and when an account may be at risk of breaking our rules."
The long-established cybersecurity firm, which has 730 employees operating from 11 locations in the United States and the United Kingdom, is being purchased from The Carlyle Group and The Chertoff Group for an undisclosed sum.
According to a statement released on Friday, the deal is expected to close in early 2020, subject to regulatory approval.
Coalfire was founded in 2001 with the mission to help organizations avert threats, close gaps, and effectively manage cyber-risk. Today, the company has more than 1,800 government and commercial clients and extensive cloud security experience, working with seven of the top ten SaaS providers.
In the US, Coalfire is one of several third-party assessment organizations chosen by the government to evaluate and certify cloud computing products and services for use by federal agencies as part of the government-wide Federal Risk and Authorization Management Program (FedRAMP).
Rohan Haldea, partner at Apax Partners, said: "Coalfire is an established and highly respected cybersecurity advisory and assessment services firm that is well-positioned for further growth due to cybersecurity trends and the vision of its strong management team. The Apax Funds’ investment will assist the company in particular by increasing Coalfire’s investment in technology; continuing to invest in thought leadership, especially with respect to securing cloud environments; and deepening capabilities across assurance standards while scaling its penetration testing and cyber-risk services business."
William Blair and Latham & Watkins respectively served as financial and legal advisers to Coalfire in the transaction. Kirkland & Ellis LLP acted as Apax Funds’ legal counsel.
Carlyle made an investment in Coalfire in 2015 through its $1.1bn US Equity Opportunity Fund I. At the end of 2016, Coalfire acquired Viennese cybersecurity leader Veris Group.
Tom McAndrew, Coalfire CEO, said: "We are thrilled with our new partnership with Apax, which will help drive our growth plans while continuing our commitment to our customers, people, and core values. The leadership, support, and investment provided by Carlyle, Chertoff, and Baird Capital have been instrumental in our success over the last four years, and we are excited to begin this new chapter."