Showing posts with label Data Loss.

Thursday, December 13, 2018

Another SIS (Security Ignorance Syndrome) related Data Leak - Exposed S3 bucket compromises 120 million Brazilian citizens



The treasure trove of Brazilian citizens information included banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.

First, someone had renamed “index.html” to “index.html_bkp,” which exposed the directory listing, and access was then not restricted through the .htaccess configuration.

https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/

Tuesday, December 4, 2018

Remember "He Went to Jared" Commercial - Here is an add-on "And he could access other orders by changing a link in his confirmation email".



A bug was discovered and reported by a Jared customer who learned he could access other shoppers' orders by altering a link in his confirmation email and pasting the link into his browser. It was a small change, the report states, but it led him to orders containing people's names, billing and shipping addresses, phone numbers, email addresses, items and amount purchased, delivery date, tracking link, and the last four digits of the credit card used.

“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”

https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/
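The Jared case is a textbook insecure direct object reference: the order number in the email link is the only thing the server checks. Below is an added example (not code from the original post or from the retailer) showing that pattern next to two fixes: checking that the signed-in customer owns the order, and, for links that must work without a login, signing the order number with an HMAC so it cannot be changed. All orders, customers, URLs and the secret key are constructed sample data.

```python
"""Constructed example of an order-lookup link: the leaky version and two hardened versions."""
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed order store with sequential order numbers, as many shops issue them.
ORDERS = {
    10001: {"customer": "alice", "name": "Alice A.", "last4": "1234"},
    10002: {"customer": "bob",   "name": "Bob B.",   "last4": "9876"},
}


# ---- Leaky pattern: the link parameter is treated as a credential -----------
def view_order_vulnerable(link: str) -> Optional[dict]:
    """Returns whatever order the ?order= parameter names.
    Changing 10001 to 10002 in the link yields another shopper's record."""
    params = parse_qs(urlsplit(link).query)
    order_id = int(params["order"][0])
    return ORDERS.get(order_id)


# ---- Fix 1: authorize against the signed-in customer -------------------------
def view_order_hardened(order_id: int, session_user: Optional[str]) -> Optional[dict]:
    """The order must exist AND belong to the authenticated user."""
    order = ORDERS.get(order_id)
    if session_user is None or order is None or order["customer"] != session_user:
        return None  # "not yours" is indistinguishable from "does not exist"
    return order


# ---- Fix 2: unguessable, signed token for links that work without a login ----
SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real key lives in a secret store


def _tag_for(order_id: int) -> str:
    return hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256).hexdigest()


def make_email_link(order_id: int) -> str:
    """Link placed in the confirmation email (hypothetical domain)."""
    return f"https://shop.example/orders?order={order_id}&tag={_tag_for(order_id)}"


def view_order_by_token(link: str) -> Optional[dict]:
    """Only a link whose tag matches the order number is honoured."""
    params = parse_qs(urlsplit(link).query)
    try:
        order_id = int(params["order"][0])
        tag = params["tag"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(tag, _tag_for(order_id)):  # constant-time compare
        return None
    return ORDERS.get(order_id)
```

Editing the order number in a signed link invalidates the tag, so the request is refused; the same edit against the leaky handler returns the other customer's record.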

Thursday, November 29, 2018

2018 - Year of Data Leak + Data Breach - The sad part is "Data Leak" can be easily avoided if we can overcome SIS (Security Ignorance Syndrome)



An Elasticsearch server database containing the information of nearly 57 million U.S. residents was found to have been left exposed without a password.

The database was first indexed by Shodan on November 14, 2018 and contained information including first and last names, employers, job titles, email, addresses, state, zip codes, phone numbers, and IP addresses. Diachenko also reportedly discovered a second cached database named “Yellow Pages,” which reportedly held an additional 25,917,820 records that appeared to be business entries.

Overprivileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges.

https://www.scmagazine.com/home/security-news/elasticsearch-server-exposed-data-of-nearly-57m-u-s-residents/

Apparently, IT Security folks may be estimating the value of data wrongly - Some datasets like R&D data, pricing models, source code, M&A documents and signed employment agreements are worth substantially more to organizations than other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.




The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the cost of a breach that involves product-manufacturing workflows ($106,520).

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. 

IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.

https://www.darkreading.com/vulnerabilities---threats/incorrect-assessments-of-data-value-putting-organizations-at-risk/d/d-id/1333362

Thursday, June 14, 2018

Is this Funny - Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business.



In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account.

In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

In other instances, Comey sent himself an email of "proposed responses to two requests for information from the Office of Special Counsel" that contained two attachments. One attachment was "a certification for Comey to sign" and the other was "a list of FBI employees" that included "their titles, office, appointment status, contact information, and duty hours."

https://www.buzzfeed.com/talalansari/james-comey-personal-email-use

Wednesday, April 4, 2018

It looks like Data is anxious to get out (rather than being stolen). Check this 2018 GLOBAL DATA RISK REPORT - from Varonis





  • 41% of organizations had at least 1,000 sensitive files 
  • 58% of organizations have more than 100,000 folders open to all employees 
  • 54% of an organization's data is stale on average 
  • 46% of organizations had more than 1,000 users with passwords that never expire 





Tuesday, October 3, 2017

Android keyboard app - Is it a Keyboard or a Keylogger?



First, it collected a user's Google email account as well as other important device information and uploaded all that data to its servers.

Second, it can download and execute code from a remote server in violation of its policy. Those snippets of code include plugins marked as adware or potentially unwanted programs (PUPs) by multiple anti-virus engines.

For More:
https://www.grahamcluley.com/go-keyboard-app-data-collection/

Friday, August 7, 2015

Malware (GSMem) can add a (not so) nice feature to your computer - It can turn it into a cellular antenna to leak information.



Welcome to the world of "never ending hackovation" (Hacker + Innovation)


From the Article

This attack uses ordinary computer hardware to send out the cellular signals.

The air-gapped computer that is targeted does need to have a malware program developed by the researchers installed. That could be accomplished by creating a type of worm that infects a machine when a removable drive is connected.

The malware, called GSMem, acts as a transmitter on an infected computer. It creates specific, memory-related instructions that are transmitted between a computer's CPU and memory, generating radio waves at GSM, UMTS and LTE frequencies that can be picked up by a nearby mobile device.

Because the malware has such a small footprint in memory, it is very difficult to spot and can easily evade detection.

(This is interesting) Their receiver was a nine-year-old Motorola C123 so-called "feature" phone, which looks downright ancient compared to mobile phones today. But there are a couple of reasons why they chose it.

Most embassies and many companies ban smartphones from being taken inside their premises, to prevent signals intelligence collection. But some companies, including Intel and defense contractor Lockheed Martin, still allow devices that are not smartphones into sensitive areas.



For more info:
http://www.csoonline.com/article/2962328/data-protection/new-malware-turns-your-computer-into-a-cellular-antenna.html

Tuesday, May 13, 2014

Steganography with a new twist - Using Twitter Messages


Another (new) double-edged sword


According to the article:-

Users need only type the text they want others to see in one field and the hidden message in a separate field. The service, created by New Zealand-based developer Matthew Holloway, then spits out a tweetable message that fuses the two together in a way that's not noticeable to the human eye.



Check the following link for the example-

Monday, March 24, 2014

Useful Add-On - For Symantec DLP - for better dashboard with Real-time Data. (if you have extra money to spend)




This might help those who need real-time data

According to the article:- 

MetriX provides those within security with an unprecedented view into the organization’s security posture, while providing you with real-time notifications when thresholds or service levels are not being met. This ensures that IT can respond quickly to threats, thereby reducing risk associated with lack of timely visibility.


The link below has more information:
http://www.symantec.com/connect/forums/dlp-real-time-dashboard-security-visability

Android Vulnerability - If exploited - Reboot endlessly or lose all user data (recovery)



Sounds nasty, but I am not sure how easy it is to exploit.



According to the article:- 

We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include 'bricking' a device, or rendering it unusable. 

"An even worse case is when the malware is written to start automatically upon device startup," they said. "Doing so will trap the device in a rebooting loop, rendering it useless."

The only method to recover from such an attack would be to perform a factory reset from the bootloader options, but this implies deleting all user data and preferences stored on the device including contacts, photos and files, the Trend Micro researchers said.




The link below has more information:

Thursday, March 13, 2014

C'mon, it is just Metadata - No, it is data about data, so it is important.



Most of us don't care about Metadata; that is because we don't know what it is and don't care to know what it can be used for.

Here is what someone discovered from phone metadata. (This one affects individuals' privacy.)



SNIPPETS from the Article:-

Stanford researchers crowdsourced phone metadata from real users, and easily identified calls to 'Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more.' Looking at patterns in call metadata, they correctly diagnosed a cardiac condition and outed an assault rifle owner.

The link below has more information:

Tuesday, March 11, 2014

For curious minds - Symantec DLP - Implementing EDM (Exact Data Match)



The link below has more information:

http://www.symantec.com/connect/articles/how-implement-exact-data-matching

I did not know this - Exchange 2013 DLP function now has "fingerprinting" capability.



I know Microsoft introduced DLP features in Exchange 2013 and now, in SP1 they have introduced "Fingerprinting".

Good job Microsoft.

I believe we will see the DLP feature becoming part of more and more enterprise products.
(Similarly, I am hoping the vendors would also add firewall functions, like Oracle is doing.)


SNIPPETS from the Article:-

The file that you provide is not uploaded or stored by Exchange - only the hash value is kept. Once the document is processed, you can use the new sensitive data type that it represents in DLP rules in exactly the same way as any of the out-of-the-box sensitive data types (like credit card or social security numbers) defined by Microsoft. The hash value that is generated can then be used to compare against documents that flow through the transport system and any rule that uses the sensitive data type associated with the hash value will "fire." 

The link below has more information:

http://windowsitpro.com/blog/exchanges-interesting-document-fingerprinting-feature
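The snippet above makes the useful point that the fingerprint keeps only hashes, never the document. The added example below (my own illustration, not Microsoft's algorithm, which is not public) shows one common way such a fingerprint is built: hash overlapping word "shingles" of the sensitive document, keep only the hash set, and fire a DLP rule when a message flowing through contains enough of those hashes. The pricing-model text, the messages, the five-word shingle size and the 50% threshold are all constructed assumptions for the demo.

```python
"""Constructed hash-only document fingerprint in the spirit of the Exchange 2013 SP1 feature."""
import hashlib
import re
from typing import List, Set

SHINGLE_WORDS = 5       # words per shingle (assumed tuning value)
MATCH_THRESHOLD = 0.5   # fraction of the template's shingles that must reappear (assumed)


def _normalize(text: str) -> List[str]:
    """Lowercase and keep only alphanumeric tokens so trivial punctuation edits do not break matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> Set[str]:
    """Return SHA-256 hashes of every overlapping word shingle; the text itself is not retained."""
    words = _normalize(text)
    hashes = set()
    for i in range(max(0, len(words) - SHINGLE_WORDS + 1)):
        shingle = " ".join(words[i:i + SHINGLE_WORDS])
        hashes.add(hashlib.sha256(shingle.encode()).hexdigest())
    return hashes


def match_score(template_fp: Set[str], document: str) -> float:
    """Fraction of the template's shingle hashes that occur in the document."""
    if not template_fp:
        return 0.0
    return len(template_fp & fingerprint(document)) / len(template_fp)


def rule_fires(template_fp: Set[str], document: str) -> bool:
    """What a DLP transport rule bound to this sensitive data type would evaluate."""
    return match_score(template_fp, document) >= MATCH_THRESHOLD


# Constructed sensitive document that an admin would upload once to register the type.
TEMPLATE = ("Project Falcon pricing model: unit cost 42 per seat, volume discount 15 percent "
            "above 500 seats, renewal uplift capped at 3 percent, margin floor 35 percent, "
            "approval required from finance for any exception.")

# Only this set of hashes needs to be kept by the mail system.
TEMPLATE_FP = fingerprint(TEMPLATE)

# Constructed messages flowing through transport.
LEAKED = ("Hi, forwarding this before the call tomorrow. " +
          TEMPLATE.replace("capped", "limited"))          # copied with one word changed
MENTION = "Can we discuss the Project Falcon pricing model next week?"
UNRELATED = "Lunch is at noon on Friday; bring a dish to share with the team."
```

Changing one word only invalidates the five shingles that contain it, so the forwarded copy still scores 24 of 29 shingles and fires the rule, while a message that merely names the document shares no five-word shingle and passes. Raising the shingle size makes the match stricter; lowering it makes it more tolerant of edits but more prone to false positives on common phrases.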

4 Billion dollars profits per year - Which Industry? - Tax Fraud (by Cyber-criminals)




SNIPPET from the Article:-

Many consumers also begin to file their tax returns only to find out that someone else illegally filed a return in their names, according to ThreatMetrix. 

After a legitimate user files his or her tax return online, cybercriminals can compromise the system and steal personally identifiable information.


And finally, cybercriminals are increasingly using social networks to collect data about their victims -- such as marital status or number of children -- which helps them to file more accurate tax returns and increase the success of their fraud.


The link below has more information:

http://www.darkreading.com/authentication/report-cybercriminals-bank-nearly-4-bill/240166574

Friday, February 28, 2014

Hey, what's that burning smell? - It's nothing, just a cyberattack setting my computer on fire.



A cyberattack demonstration "frying the machine" was done by targeting the machine's APC embedded controller through a fake firmware update devised by CrowdStrike that spiked the CPU and turned off the fans.


The point, said Alperovitch, is that this is a type of cyberattack that enterprises really can expect to see happen in the future, an attack that is not recoverable in terms of data or the machine itself.

The link below has more details:

http://www.cio.com/article/748849/RSA_Security_Attack_Demo_Deep_Fries_Apple_Mac_Components