STE WILLIAMS

A Virus Walks Into a Bar …

Laughter is, well, contagious. Jokes begin in earnest at the one-minute mark.

Source: FORA.tv 

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/a-virus-walks-into-a-bar-/d/d-id/1335836?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

24.3M Unsecured Health Records Expose Patient Data, Images

Several hundred servers storing medical data are connected to the Internet without any protection for sensitive information and images.

More than 24 million data records, belonging to patients across 52 countries, were found freely accessible on hundreds of servers that lacked basic protection for the sensitive data they held.

From mid-July through early September 2019, researchers with Greenbone Networks analyzed about 2,300 medical image archiving systems connected to the public Internet. These Picture Archiving and Communications Systems (PACS) servers are typically used within the healthcare industry to store images from radiological procedures so physicians can review them. The protocol is known as DICOM, or Digital Imaging and Communications in Medicine.

It’s not new to learn PACS servers are unsecured, the researchers say. What’s new here is the full extent of how widespread these security issues are: Of the 2,300 archive systems analyzed, 590 were found to be accessible to the public Internet. Combined, they hold 24.3 million data records belonging to patients around the world. The number of images linked to the data sets is estimated to be around 733.5 million, about 400 million of which could be accessed or downloaded.

The “vast majority” of records exposed included the patient’s first and last name, birthdate, date of examination, scope of investigation, type of imaging procedure, attending physician, the institute or clinic, and number of images generated, the report states. Given the extent and sensitivity of the personal data compromised, researchers warn of the potential for social engineering or business email compromise (BEC) attacks. They estimate the value of this data on the Dark Web could exceed $1 billion.

Researchers found 31 systems that provided direct access to patient data through a DICOM Web Viewer. No authentication was required to access the data, and in most of these 31 systems, the information was transmitted in plaintext. They also identified more than 10,000 vulnerabilities on the systems, more than 2,000 of which were categorized as “high severity.”


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Poll Results: Maybe Not Burned Out, But Definitely ‘Well Done’.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/243m-unsecured-health-records-expose-patient-data-images/d/d-id/1335835?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptominer Attacks Ramp Up, Focus on Persistence

The latest attacks, such as Skidmap and Smominru, add capabilities to allow them to persist longer on Windows and Linux systems, surviving initial attempts at eliminating them.

In 2018, opportunistic cybercriminals had an easy way to monetize compromised web servers: Add JavaScript from the cryptomining-as-a-service provider Coinhive to eke out small profits for every compromised server by surreptitiously having them do the cryptography tasks necessary to generate Monero cryptocurrency.

With Coinhive’s shutdown in March 2019, however, cybercriminals have resorted to more standard tactics, infecting Windows and Linux servers and finding ways to allow their malware to persist for longer periods. 

Two research analyses released this week by Trend Micro and Guardicore highlight the techniques cybercriminals use in their attempts to maintain control of compromised servers. In a September 16 report, security firm Trend Micro found that the Skidmap Linux malware uses a variety of techniques — from the complex, such as loading malicious kernel modules, to the simple, such as inserting SSH keys into the authorized-keys file. Meanwhile, the 2-year-old Smominru botnet has used a variety of techniques to hold its ground on the more than 4,900 networks and 90,000 servers the malware infects every month.

On compromised Windows servers, Smominru schedules tasks using scripts, exploits the SQL service, creates administrative users, and installs a remote access trojan, says Ophir Harpaz, a security researcher at Guardicore Labs.

“They are just shooting in as many directions as possible,” she says, adding that the attackers are not just worried about defenders. “These threat actors are trying to eliminate each other, so the more ways you find to be persistent on the machine, the less chance you have of losing access to the compromised host.”

While cryptomining peaked in 2018, when 42% of companies saw attacks, the attack technique is still a major threat, according to data from networking security firm Check Point Software Technologies. In the first half of 2019, the company found 21% of networks had one or more machines infected with cryptomining malware. That decline is due to the shutdown of the Coinhive mining service, which allowed attackers to inject unwanted — and many would say, malicious — JavaScript into websites to force browsers to process the resource-intensive computations required to “mine” for the Monero cryptocurrency. The service claimed to be making $250,000 a month while controlling 62% of the cryptojacking market.

Because such easy-to-use services are no longer the rule, adding persistence to cryptomining malware has become a priority for cybercriminals, Augusto Remillano II and Jakub Urbanec, threat analysts at Trend Micro, stated in their analysis of Skidmap. The researchers found that the attackers, like the Smominru group, have taken a kitchen-sink approach, using techniques ranging from Linux kernel module (LKM) rootkits to overwriting the rm binary, the Linux command used to remove files.

“Its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware,” the researchers stated in the analysis. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”

In its research into Smominru, Guardicore’s team found the credentials for a command-and-control server that collected information on the botnet, including details and credentials for compromised servers. The security firm monitored the information on the server over time to study the infection patterns. About a quarter of the systems had been infected more than once, showing that the focus on persistence pays off for the attackers.

And the focus becomes more important because the vast majority of computers on the Internet are difficult to infect. For every organization serious about security, there are a few individuals or small businesses that have a few machines that have not been updated or secured, says Daniel Goldberg, a security researcher with Guardicore. 

“Many groups compete to be on the same small number of machines — it’s still hundreds of thousands of machines, but only a fraction on what is on the Internet,” he says. “There is this whole undergrowth of forgotten servers lying around on the Internet and available for hacking.”

The company estimates that the botnet has control of an average of 6,500 processing cores per day to use for cryptomining.

Therefore, any attempt at persistence can pay off for attackers. The Linux cryptominer Skidmap, for example, even adds an SSH key to the authorized keys file on Linux, allowing for a simple but effective form of a backdoor. This often works because companies do not monitor those files, Kevin Bocek, vice president of security strategy and threat intelligence at security firm Venafi, said in a statement. 

“We see these tactics used so effectively to target critical infrastructure because security teams rarely have oversight of SSH keys that control access,” he said. “These keys don’t expire — creating an encrypted backdoor that attackers can use until they’re detected.”
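The SSH-key backdoor described above works because nobody looks at the authorized_keys file. The following audit script is an added example, not code from Trend Micro, Guardicore or Venafi: it diffs a user's authorized_keys file against a known-good snapshot and reports any key that has appeared since, by OpenSSH-style SHA256 fingerprint. The snapshot, the key blobs and the intruder entry are all constructed.

```python
"""Audit an authorized_keys file against a trusted baseline.

Added example; not Trend Micro's, Guardicore's or Venafi's code. It detects keys
that have appeared in a user's authorized_keys file since a known-good snapshot,
the backdoor technique the article attributes to Skidmap, and reports them by
OpenSSH-style SHA256 fingerprint. All keys below are constructed, not real.
"""
import base64
import hashlib
import re
import shlex

# Key-type tokens that begin the "type key [comment]" part of an entry.
KEY_TYPE_RE = re.compile(
    r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@\S+)?$"
)


def fingerprint(key_b64):
    """OpenSSH SHA256 fingerprint: base64(sha256(key blob)) without '=' padding."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "INVALID"
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per entry; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted options such as from="..." whole
        except ValueError:
            tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE_RE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unparseable entry", "raw": raw})
            continue
        entries.append({
            "line": lineno,
            "options": tokens[:idx],  # e.g. from=..., command=..., no-pty
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(baseline_text, current_text):
    """Diff the live file against the snapshot; anything 'added' needs explaining."""
    current_entries = parse_authorized_keys(current_text)
    baseline = {e["fingerprint"]: e for e in parse_authorized_keys(baseline_text)
                if "fingerprint" in e}
    current = {e["fingerprint"]: e for e in current_entries if "fingerprint" in e}
    return {
        "added": [current[fp] for fp in current if fp not in baseline],
        "removed": [baseline[fp] for fp in baseline if fp not in current],
        "unparseable": [e for e in current_entries if "error" in e],
    }


def _fake_key(label):
    """Constructed key blob: valid base64 so fingerprinting runs; not a usable key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + label.encode().ljust(32, b"\0")
    return base64.b64encode(blob).decode()


# Constructed snapshot taken at provisioning, and the same file after an extra
# key was appended (plus a junk line a careless script might leave behind).
BASELINE = "\n".join([
    "# known-good snapshot (constructed)",
    'from="10.0.0.0/8" ssh-ed25519 ' + _fake_key("ops-admin") + " ops@bastion",
])
CURRENT = (BASELINE + "\n" + "ssh-ed25519 " + _fake_key("intruder") + " unknown@host\n"
           + "this is not a key line\n")

if __name__ == "__main__":
    report = audit_authorized_keys(BASELINE, CURRENT)
    for entry in report["added"]:
        print("NEW KEY line %d %s %s" % (entry["line"], entry["fingerprint"], entry["comment"]))
    for entry in report["unparseable"]:
        print("UNPARSEABLE line %d: %r" % (entry["line"], entry["raw"]))
```

Run it from cron or a configuration-management hook against each user's file, with the snapshot stored somewhere the monitored host cannot modify.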

While the recent attacks focus on both Windows and Linux, some experts see Linux servers as an increasingly valuable target for attackers focused on cryptomining.

“Over the last several months, we’ve seen more evidence that suggests that attackers are continuing to increase their focus on Linux as a vehicle to obtain access to compute and bandwidth resources,” Casey Ellis, chief technology officer and founder of crowdsourced security firm Bugcrowd, said in a statement. 

For server administrators, the best defense is to keep servers updated and patched and to monitor their performance. If the company often uses open source repositories, those repositories should be verified. And all systems should enforce the principle of least privilege, granting users only the level of access they need.

While cryptomining is often not considered as significant a threat as, say, ransomware, allowing attackers to steal processing power can have a significant impact on a company, Trend Micro’s researchers said.

“Cryptocurrency-mining threats don’t just affect a server or workstation’s performance — they could also translate to higher expenses and even disrupt businesses especially if they are used to run mission-critical operations,” they stated in their analysis. “Given Linux’s use in many enterprise environments, its users, particularly administrators, should always adopt best practices.”



Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/cryptominer-attacks-ramp-up-focus-on-persistence/d/d-id/1335838?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

One Arrested in Ecuador’s Mega Data Leak

Officials arrest a leader of consulting firm Novaestrat, which owned an unprotected server that exposed 20.8 million personal records.

An arrest has been made following the disclosure of a massive data leak affecting most of Ecuador’s population. Officials have confirmed the arrest of William Roberto G, manager of Ecuadorian consulting firm Novaestrat, which owned the unsecured Elasticsearch server.

Earlier this week, researchers shared the discovery of a misconfigured database containing 18GB of information, including 20.8 million personal records. Most of the data belonged to individuals in Ecuador, a country with a population of only 16.6 million. Information exposed included full name, birthdate, gender, place of birth, home and email addresses, phone numbers, marital status, level of education, date of marriage, and date of death, if applicable.

An investigation is now underway. Ecuadorian officials seized electronic equipment, storage devices, and documentation during a raid at Roberto’s home; he has been taken to Quito for questioning. Officials plan to use the data collected on Novaestrat’s business processes and relationships to further their investigation, they said in a statement. The government has also confirmed plans to pass a Law on Protection of Personal Data to protect citizens’ information.




Article source: https://www.darkreading.com/cloud/one-arrested-in-ecuadors-mega-data-leak/d/d-id/1335839?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Security Startup Emerges from Stealth Mode

GK8 creates proprietary platform for securing blockchain transactions, no Internet needed.

An Israel-based security firm backed by a $4 million seed investment led by Discount Capital and Check Point co-founder Marius Nacht officially moved out of stealth mode today.

Digital asset management firm GK8 announced that it has developed patented technology that sends transactions to the blockchain in real time without connecting to the Internet, using its own cryptographic method for added security. Its end-to-end encrypted technology is aimed at financial institutions, exchanges, and hedge funds that hold cryptocurrencies, for example. Among its customers is eToro, a trading and investment platform, the company said.

“In 2017, Shahar Shamai, GK8’s co-founder and CTO, and I hacked the Ledger Nano S, considered to be one of the most secured cold wallets in the market,” said Lior Lamesh, co-founder and CEO of GK8 in a statement. “After we saw how easy it was, we understood that hackers will invest millions to steal billions, and we decided to develop a secured end-to-end institutional tool for managing digital assets.”




Article source: https://www.darkreading.com/risk/new-security-startup-emerges-from-stealth-mode/d/d-id/1335841?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DevSecOps: Recreating Cybersecurity Culture

Bringing developers and security teams together guided by a common goal requires some risk-taking. With patience and confidence, it will pay off. Here’s how.

The relatively new practice of DevSecOps — bridging DevOps workflows with information security (infosec) operations — is defining new approaches and shared responsibilities as well as evolving cultural norms within formerly disparate security and technology teams. As companies offer customers digital experiences where products and services are increasingly powered by mobile, cloud, and data analytics capabilities, developers, in turn, are moving to development processes that meet the need for greater agility and scale. To keep pace, chief information security officers now need to work with developers much earlier in the production cycle.

It’s an issue that requires both technology and culture change but is well worth the effort. At Cisco, our DevSecOps adoption and the subsequent security improvements exceeded our expectations. Within several weeks, the minimal viable version of the security automation tool we built was running in 72% of accounts that were hosting Cisco’s cloud offerings; on average, 97% of those accounts received a health score of A or B in their daily report.

How did we get there? Here are four tips to guide your company on its DevSecOps journey.

Tip 1: Establish your DevSecOps foundation. Using clearly defined guiding principles to drive security throughout the development process helps establish mutual trust among the engineering, operations, and security teams. This is also the point at which expectations for mutual accountability and high security standards are defined. The Devsecops.org manifesto offers a great starting place. These guidelines can be readily modified to fit your company’s unique requirements.

Tip 2: Prove it out first. Anyone with IT experience knows it’s best to prove ideas manually before automating them. Consider running an Agile security hack-a-thon with participants from the information security and application teams to first configure the most important security requirements — what we at Cisco call the guardrails. Start by defining what your guardrails should be in the context of what platform you will use. Our first target environment was built on the Amazon Web Services (AWS) platform, so we defined 10 guardrails for our AWS accounts that fit Cisco-specific requirements. Do the same for your organization and its chosen platform. Then, conduct your hack-a-thon as you would for other Agile development efforts. Post-test readouts will help the entire team be knowledgeable and support users in true DevOps fashion.

Tip 3: Automate your guardrails. Provide an easy way for your teams to apply the guardrails — for example, at the time of new account provisioning. You can also develop simple scripting to retrofit existing accounts. This likely will require coordination among multiple teams — infosec, IT, supply chain, procurement, and possibly others. We implemented our security automation via our own tool that we call the Continuous Security Buddy (CSB), which is built on several AWS services.

Tip 4: Continuously validate. As new resources are onboarded or other changes occur, keep guardrails up to date with continuous security validation and real-time monitoring of security logs. Consider creating security “health reports” based on specific scoring or grading criteria to send to department-level “customers” on a regular basis. That will empower those customers to address any critical security findings in a timely manner. The cycle of teams continuously integrating and deploying code while getting ongoing security assurance is the holy grail of security!

The year-and-a-half long effort also taught us some meaningful lessons:

Cloud is more about doing than telling. Hack-a-thons enable cross-functional collaboration and deliver on critical security areas defined in the guardrails. They also provide great hands-on learning opportunities for everyone involved.

Timing matters. Coordinating your initial launch with other key organizational efforts can offer exponential returns on your effort. Try to integrate your efforts with other strategic initiatives, like signing a major cloud service agreement with a platform vendor or developing a new digital service offering for customers.

Start small and grow. Release minimal capabilities first, then iterate based on what you’ve learned and user feedback. Continuous visibility via those regular security health reports will enable teams to self-remediate issues and gain confidence in their offering’s security posture. Scale over time as you learn more.

Guardrails vs. just pass/fail. The guardrail approach provides deep and clear guidelines for the range of compliance needed based on the situation at hand, allowing teams to manage their risks. For example, a Center for Internet Security benchmark score of 80% that is within the acceptable risk for an internal host is much more salient than just a hard pass/fail rating.

Cultivate partnerships. Establishing key operations partnerships with groups such as IT, infosec, procurement, and product operations creates a multiplying effect where the aligned efforts help everyone move faster and in the same direction.

Credibility built on trust. Be open and transparent regarding what you do with the access provided and be available for support if there are any issues. Consider setting up a central online site like a chat room to facilitate easy and fast interaction.

Skill sets matter. Realistically, infosec practitioners don’t code. Complement their efforts with those of the skilled developers in your organization who do code, to ensure successful delivery of your DevSecOps principles and guardrails. The collective skills and knowledge will cross-pollinate.

Take risks. DevSecOps is something new; it requires some risk-taking. Be patient but confident that it will pay off. Bringing teams together guided by a common goal is always a recipe for success.
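Tip 4 and the “Guardrails vs. just pass/fail” lesson above describe graded health reports rather than a single gate. The script below is an added example, not Cisco’s Continuous Security Buddy: it scores a set of accounts against weighted guardrails, reports a letter grade beside the plain pass/fail verdict, keeps approved risk exceptions out of the score, and refuses to let a failing critical control hide behind a good overall score. The guardrail names, weights, grade bands and sample accounts are constructed assumptions.

```python
"""Guardrail scoring for a cloud account health report.

Added example, not Cisco's Continuous Security Buddy: contrasts the hard
pass/fail gate with the graded guardrail report the article recommends.
Guardrail names, weights, grade bands, the critical-control cap and the sample
accounts are constructed assumptions, not Cisco's actual guardrails.
"""

# (guardrail, weight): the weight says how much a violation costs; 3 = critical.
GUARDRAILS = [
    ("root_account_mfa_enabled", 3),
    ("api_audit_logging_enabled", 3),
    ("no_world_readable_storage", 3),
    ("no_admin_ports_open_to_internet", 2),
    ("encryption_at_rest", 2),
    ("access_keys_rotated", 1),
    ("resource_tagging_complete", 1),
]
WEIGHT = dict(GUARDRAILS)
CRITICAL_WEIGHT = 3
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
GRADE_ORDER = "ABCDF"


def grade_for(score):
    """Map a 0-100 score to the first band it reaches."""
    for threshold, letter in GRADE_BANDS:
        if score >= threshold:
            return letter
    return "F"


def hard_gate(checks):
    """The plain pass/fail view: a single failing guardrail fails the account."""
    return all(checks.get(name, False) for name, _ in GUARDRAILS)


def score_account(checks, accepted_risks=()):
    """checks: guardrail -> bool. accepted_risks: guardrails with an approved
    exception; they are reported but left out of the score."""
    scored = [(n, w) for n, w in GUARDRAILS if n not in accepted_risks]
    total = sum(w for _, w in scored)
    passed = sum(w for n, w in scored if checks.get(n, False))
    failing = [n for n, _ in scored if not checks.get(n, False)]
    score = round(100.0 * passed / total, 1) if total else 100.0
    grade = grade_for(score)
    # A failing critical control must not hide behind an otherwise good score.
    critical = [n for n in failing if WEIGHT[n] >= CRITICAL_WEIGHT]
    if critical and GRADE_ORDER.index(grade) < GRADE_ORDER.index("C"):
        grade = "C"
    return {
        "score": score, "grade": grade, "failing": failing, "critical_failing": critical,
        "accepted_risks": sorted(accepted_risks),
        "hard_gate": "pass" if hard_gate(checks) else "fail",
    }


def health_report(accounts):
    """accounts: name -> {"checks": {...}, "accepted_risks": [...]}; one row per account."""
    return {name: score_account(a["checks"], a.get("accepted_risks", ()))
            for name, a in accounts.items()}


def _checks(**failing):
    """All guardrails pass except those passed as name=False (constructed helper)."""
    return {name: failing.get(name, True) for name, _ in GUARDRAILS}


# Constructed sample accounts for one daily report.
SAMPLE_ACCOUNTS = {
    "tooling": {"checks": _checks()},
    "prod-web": {"checks": _checks(resource_tagging_complete=False)},
    "data-lake": {"checks": _checks(no_world_readable_storage=False)},
    "dev-sandbox": {"checks": _checks(no_admin_ports_open_to_internet=False,
                                      access_keys_rotated=False),
                    "accepted_risks": ["no_admin_ports_open_to_internet"]},
    "legacy-batch": {"checks": _checks(root_account_mfa_enabled=False,
                                       api_audit_logging_enabled=False)},
}

if __name__ == "__main__":
    for name, row in health_report(SAMPLE_ACCOUNTS).items():
        print("%-13s gate=%-4s score=%5.1f grade=%s failing=%s" % (
            name, row["hard_gate"], row["score"], row["grade"],
            ",".join(row["failing"]) or "-"))
```

Note how prod-web and data-lake both fail the hard gate, yet only data-lake has a finding that needs attention today.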



As the leader of Cisco’s Information Security organization, Steve Martino is responsible for driving effective data security and privacy practices across Cisco. His team fosters Cisco’s security culture and secures Cisco in a manner that still allows the company to …

Article source: https://www.darkreading.com/risk/devsecops-recreating-cybersecurity-culture--/a/d-id/1335783?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GitHub Becomes CVE Numbering Authority, Acquires Semmle

Latest moves will make it much more likely that vulnerabilities in open source projects will be found and reported, GitHub says.

GitHub, the popular code repository, is becoming a CVE Numbering Authority and acquiring Semmle, a code-analysis engine that will be available to all public repositories and enterprise customers.

As a CVE Numbering Authority, GitHub can assign a CVE ID, post to the CVE List, and then post to the National Vulnerability Database (NVD) on behalf of a developer. According to a blog post announcing its news, GitHub said it expects the combination of Semmle code scanning and CVE number assignment will make it much more likely that vulnerabilities in open source projects will be found and reported.

Semmle reports that more than 100 open source CVEs have already been identified using its semantic code analysis system. GitHub hosted 100 million repositories as of August.




Article source: https://www.darkreading.com/threat-intelligence/github-becomes-cve-numbering-authority-acquires-semmle/d/d-id/1335843?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Teenage gamer jailed over lethal swatting

An Ohio gamer who got into a spat over a $1.50 wager that led to the death-by-swatting of an innocent man has been sentenced to 15 months in prison, the Department of Justice (DOJ) announced on Friday.

Casey S. Viner, 19, pleaded guilty to one count of conspiracy and one count of obstructing justice.

Viner admitted to arguing with another gamer – co-defendant Shane Gaskill – while playing Call of Duty World War II online. The two gamers were disputing a $1.50 wager. Apparently, one had accidentally “killed” a teammate in the first-person shooter game.

So, as Viner admitted in his plea agreement, he contacted known swatter Tyler Barriss and asked him to swat Gaskill.

Swatting (or SWATting), which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

Barriss did as he was asked: he first taunted Gaskill in Twitter direct messages. Gaskill challenged Barriss to go ahead and swat him, according to court records.

But Gaskill then sent Barriss the wrong address: that of a home nearby, at 1033 W. McCormick, in Wichita, Kansas, where he once lived. That misdirection led police to show up at the wrong house – the home of 28-year-old Andrew Finch.

In the recording of the emergency call that cost Finch his life, Barriss told operators that he’d shot his father in the head. He also said that he was holding his mother and a sibling at gunpoint in a closet. Barriss said he’d poured gasoline all over the house and that he was thinking of lighting the place on fire.

Police surrounded Finch’s Wichita home, prepared to deal with a hostage situation. When Finch answered the door, he followed police instructions to put up his hands and move slowly. But at some point, authorities said, Finch appeared to be moving his hand toward his waistband as if he was going to pull out a gun.

A single shot killed Finch. He was dead by the time he reached the hospital. Police said the innocent man – the father of two children – was unarmed.

Finch’s family is now suing the police and the city of Wichita for what they say was his wrongful death.

In March 2019, Barriss was sentenced to 20 years in federal prison for placing the deadly hoax call. He pleaded guilty to more than 50 felonies nationwide, including federal charges in Kansas of making an interstate hoax that resulted in a death and cyberstalking.

Other swatting incidents connected to Barriss between 2015 and 2017 happened in Ohio, Nevada, Illinois, Indiana, Virginia, Texas, Arizona, Massachusetts, Missouri, Maine, Pennsylvania, New Mexico, Indiana, Michigan, Florida, Connecticut and New York.

Viner’s obstruction of justice charge comes from Viner having tried to erase any record on his phone of his communications with Barriss and Gaskill, according to the DOJ.

After serving his sentence, Viner will be banned from gaming for two years.

In court, Viner reportedly said that he was “awfully sorry”, that he never intended anything to happen, and that he thinks of it every day.

US District Judge Eric Melgren told him that intentions didn’t play into his sentencing:

We impose sentences not only for what people intend, but what happened.

There’s still one party to be prosecuted: Gaskill, the intended victim of the swat who gave Barriss Finch’s address. The DOJ says that the gamer has been placed on deferred prosecution.

US Attorney Stephen McAllister described swatting as “more than foolish”. It’s “reckless, dangerous and, as this case proves, potentially tragic,” he said. He called on gamers to self-police their community to ensure that the practice is ended, “once and for all.”

Swatting is not a prank, and it is no way to resolve disputes among gamers.

Amen to that.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BXYnEBqKVRk/

Common storage and router devices are still hopelessly broken

Don’t be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device – the chances are that it’s no more secure than its predecessors. That’s the finding from a new piece of research that tested multiple devices for security bugs.

In 2013, Baltimore-based security consulting company Independent Security Evaluators (ISE) tested 13 small office/home office (SOHO) routers and wireless access points. It found 57 security bugs and was able to take over 11 of them from outside the local network. No wonder it called its report SOHOpelessly Broken.

So, the industry would have taken this to heart and enhanced its security in the last six years, right? Wrong.

In its update to the test, called SOHOpelessly Broken 2.0, ISE tested another 13 devices, some from the same vendors and some new. It found more than double the number of flaws, filing 125 CVE bugs based on its research. This time around, it got remote root access on 12 of the devices.

The team tested equipment from ASUS, Buffalo, Drobo, Lenovo, Netgear, QNAP, TerraMaster, Seagate, Synology, Xiaomi, Zyxel, and Zioncom.

Typical attacks included bypassing authentication mechanisms altogether. On one device, the team was able to hijack a cookie authentication system by changing the IP address to 127.0.0.1 and issue unauthorized requests via the API.

The project found that some things had changed since 2013, and others had not. Device vendors had taken new steps to try to protect their software. For example, several used address-space layout randomization (ASLR), which randomizes the memory layout that programs use and is supposed to make memory-based attacks like buffer overflows difficult. However, the team could exploit other flaws to defeat ASLR and launch their buffer overflow attacks anyway.

One device encrypted the PHP files used to process requests through its web interface but had to store the decryption key on the device, which the team used to access the files and exploit those using PHP’s system() function, gaining shell access.

This comment from the report suggests that the manufacturers were running before they could walk:

Perhaps more interesting is the amount of approaches that have not changed since SOHOpelessly Broken 1.0. Features such as anti-CSRF tokens and browser security headers, which are commonplace in mainstream web applications, are still rare among our sample of devices.

If companies had implemented these basic protections, then the team wouldn’t have been able to hack them, it said.

ISE tried several kinds of attack, often stringing them together to successfully exploit the device. The most successful were cross-site scripting (XSS) and command injection, which are old categories of attack that should be well understood by firmware developers.
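The report’s point that anti-CSRF tokens and browser security headers are still rare on these devices is easy to act on. The following is an added example, not code from ISE’s report or from any vendor’s firmware: it models a device admin UI that binds a CSRF token to the login session, checks the request’s Origin, and attaches security headers to every response, then runs a legitimate submission and three cross-site-style attempts through it. The device origin, secret, session store and requests are constructed assumptions.

```python
"""Anti-CSRF tokens and browser security headers for a device admin UI.

Added example; not code from ISE's report or from any vendor's firmware. It
models the two protections the report says are still rare on routers and NAS
devices: a CSRF token bound to the login session, and the security headers sent
with every response. The origin, secret, session store and requests are
constructed assumptions.
"""
import hashlib
import hmac
import secrets

DEVICE_ORIGIN = "https://192.168.1.1"  # constructed: where the admin UI is served
SECRET = b"constructed-per-device-secret"  # in firmware: random per device, not a build constant
SESSIONS = {"sess-admin-1": {"user": "admin"}}  # constructed logged-in session

# Sent on every response: frame-ancestors/X-Frame-Options block clickjacking,
# nosniff stops MIME confusion, no-store keeps config pages out of shared caches.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def issue_csrf_token(session_id, secret=SECRET):
    """Token = nonce.HMAC(secret, session_id:nonce); valid only for this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, secret=SECRET):
    """Reject tokens that are missing, malformed, or minted for another session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_admin_post(request, sessions=SESSIONS, secret=SECRET):
    """State-changing request: request = {"cookies", "headers", "form"} dicts.
    Returns (status, headers, body)."""
    headers = dict(SECURITY_HEADERS)
    session_id = request.get("cookies", {}).get("session")
    if session_id not in sessions:
        return 401, headers, "login required"
    # The browser attaches the session cookie to cross-site requests on its own, so
    # the cookie proves nothing about who built the request; Origin and the token do.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != DEVICE_ORIGIN:
        return 403, headers, "cross-origin request rejected"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token"), secret):
        return 403, headers, "missing or invalid CSRF token"
    return 200, headers, "settings updated"


def demo():
    """Constructed requests: a real admin submission and three CSRF-style attempts."""
    token = issue_csrf_token("sess-admin-1")
    cookie = {"session": "sess-admin-1"}
    requests = {
        "legit": {"cookies": cookie, "headers": {"Origin": DEVICE_ORIGIN},
                  "form": {"csrf_token": token, "dns_server": "192.0.2.53"}},
        # Form auto-submitted from a page on another site: cookie present, no token.
        "cross_site": {"cookies": cookie, "headers": {"Origin": "https://evil.example"},
                       "form": {"dns_server": "198.51.100.7"}},
        # A token that was issued to a different session is presented.
        "wrong_session": {"cookies": cookie, "headers": {"Origin": DEVICE_ORIGIN},
                          "form": {"csrf_token": issue_csrf_token("sess-other"),
                                   "dns_server": "198.51.100.7"}},
        "no_login": {"cookies": {}, "headers": {}, "form": {"csrf_token": token}},
    }
    return {name: handle_admin_post(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} -> {status}")
```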

Based on the research, Synology seems to come out on top, as its DS218J, a device that ISE included in the 2013 test, didn’t show up in any of the broad attack categories and had the fewest CVEs at just two: a session fixation bug in its Photo Station application and the ability to determine metadata of arbitrary files (both medium severity).

Synology also responded promptly to ISE’s bug reports, which isn’t something the company was able to say about all manufacturers. Some vendors’ methods for handling bug reports had improved in the last six years, and others hadn’t.

In 2013, none of the manufacturers tested had bug bounty programs. Today, Netgear, Synology, Xiaomi and QNAP all have bug bounty programs, the report said.

Unfortunately, reporting bugs to several companies was a headache. The researchers got either no co-operation or no response at all from some.

What does all this mean for consumers? The report says that when buying a device, you should look for a history of security vulnerabilities with its vendor, along with how long it takes to fix them.

You should also avoid using the device with the default configuration. Turn off features that you won’t use, especially remote access features. Also, regularly search for patches from that vendor and apply them. Don’t rely on this to happen automatically. As the report pointed out:

It is likely that a significant number of devices are deployed and never updated afterwards. These devices will be vulnerable to any publicly-disclosed issues, even if patched firmware is made available.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xV-wZSwqUts/

Leaky database spills data on 20 million Ecuadorians and businesses

Ecuadorian police on Monday searched the home of an attorney for the consulting and analytics company Novaestrat, seizing storage devices, documents and electronic equipment after what appears to be the company’s unsecured database – located in Miami – was found spilling deep data on over 20 million Ecuadorians.

…as well as data for one Australian by the name of Julian Assange, who was granted political asylum by Ecuador in 2012, and squirreled away in the Ecuadorian embassy in London up until April 2019.

This is an unprecedented breach for the country. In fact, the database held data on more people than there are people living in Ecuador. As of 2017, the country only had a population of about 16.62 million, as pointed out by the team of vpnMentor researchers – led by Noam Rotem and Ran Locar – who found the breach.

The personally identifying information (PII) of those few extra million people could have come from deceased people, according to Ecuador’s state attorney general’s office and according to the “death date” record the researchers found – among many, many other sensitive types of information – in the database. According to a post from the state AG’s office, the cache also contained the PII of about 7 million minors.

vpnMentor said in its report, released on Monday, that its research team discovered the breach as part of its large-scale web-mapping project. One assumes it’s the same project that recently led the team to a leaky database stuffed with Groupon emails that turned out to belong to crooks who were ripping off ticket sellers using fake email accounts and stolen payment card details.

The leaky Ecuadorian database contained about 18GB of data, mostly pertaining to people apparently located in Ecuador. vpnMentor said that it appears to contain information coming from sources that may include Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess.

According to the country’s telecommunications ministry, it received a report on the breach from vpnMentor on 11 September, and the leak was closed on the same day.

On Monday, 16 September, Telecommunications Minister Andres Michelena said that a personal data protection bill that’s been in the works for months would be sent to the National Assembly within 72 hours.

(Note that in its press release about the new data privacy law, the government used two similar spellings to refer to the data analytics company in question: Novastratech SA, which appears to be a computer hardware seller, and Novaestrat, which appears to be the company now under investigation and whose site was down as of Tuesday morning.)

Leonardo Granda, Sophos’s manager of Sales Engineering in Latin America, explained to Naked Security that Ecuador is just one country in Latin America looking at data protection laws.

Latin America is going through a process of digital transformation that is very important and the region lacks mature data protection laws. The pioneer in this area is Brazil, which created the “general data protection law”, known by its acronym LGPD, similar to GDPR in Europe, but in the rest of the countries of the region they are still trying to figure out how to advance in this matter.

Taxpayer IDs, bank account numbers, and so much more

The records were full of what identity thieves consider pure gold. People in the database were identified with a 10-digit ID code – a code that was referred to in some places in the database as “cedula” and “cedula_ruc”. In Ecuador, the terms “cédula” or “cédula de identidad” refer to an individual’s national identification number, which plays a role similar to the taxpayer ID, or Social Security Number (SSN), used in the US.

The term “RUC” refers to Ecuador’s taxpayer registry: Registro Unico de Contribuyentes. Thus, vpnMentor researchers suggest that the “cedula_ruc” value may refer to Ecuadorians’ taxpayer ID number.
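A worked example, added here and not part of the Naked Security article or the vpnMentor report: a small scanner that pulls 10-digit cédula candidates out of a text dump and keeps only those whose check digit is right. That is how you would triage a leak like this one, or test whether your own logs and exports contain national IDs, without a flood of false positives from phone numbers and other 10-digit values. The format rules it applies are assumptions about the cédula, not something the article states: ten digits, a province code of 01 to 24 in the first two positions, and a mod-10 check digit computed over the first nine digits with alternating weights 2,1,2,1,2,1,2,1,2 (products above 9 reduced by 9). The sample records are constructed.

```python
import re
from typing import List

# Assumed cédula format (not from the article): 10 digits, province 01-24,
# last digit is a mod-10 check over the first nine with these weights.
PROVINCE_MIN, PROVINCE_MAX = 1, 24
WEIGHTS = (2, 1, 2, 1, 2, 1, 2, 1, 2)

# Any run of exactly ten digits not embedded in a longer digit string.
_TEN_DIGITS = re.compile(r"(?<!\d)\d{10}(?!\d)")


def cedula_check_digit(first_nine: str) -> int:
    """Compute the check digit for the first nine digits of a cédula."""
    total = 0
    for digit, weight in zip(first_nine, WEIGHTS):
        product = int(digit) * weight
        if product > 9:
            product -= 9  # same reduction as in Luhn
        total += product
    return (10 - total % 10) % 10


def is_valid_cedula(value: str) -> bool:
    """True when value is ten digits, has a plausible province and a correct check digit."""
    if len(value) != 10 or not value.isdigit():
        return False
    province = int(value[:2])
    if not PROVINCE_MIN <= province <= PROVINCE_MAX:
        return False
    return cedula_check_digit(value[:9]) == int(value[9])


def find_cedulas(text: str) -> List[str]:
    """Return every 10-digit run in text that passes the cédula checks, in order."""
    return [m.group(0) for m in _TEN_DIGITS.finditer(text) if is_valid_cedula(m.group(0))]


def redact_cedulas(text: str) -> str:
    """Mask values that look like real cédulas; leave other 10-digit numbers alone."""
    return _TEN_DIGITS.sub(
        lambda m: "**********" if is_valid_cedula(m.group(0)) else m.group(0), text
    )


# Constructed sample records in the style of the leaked fields described above.
# 0991234567 is a phone-number-shaped value whose check digit does not match,
# and 2512345675 has a valid check digit but an impossible province code.
SAMPLE_DUMP = """
{"cedula": "1712345675", "telefono": "0991234567", "nombre": "PERSONA UNO"}
{"cedula_ruc": "0912345675", "cedula_padre": "2512345675", "nombre": "PERSONA DOS"}
"""

if __name__ == "__main__":
    for cedula in find_cedulas(SAMPLE_DUMP):
        print("possible national ID:", cedula)
    print(redact_cedulas(SAMPLE_DUMP))
```

The province filter and the check digit together reject most random 10-digit strings, so the scanner is usable as a DLP rule over exports or log files; treat anything it flags as a hit to investigate, not as proof, since a correctly formed number can still be fictitious.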

Other sensitive information in the database:

  • full name (first, middle, last)
  • gender
  • date of birth
  • place of birth
  • home address
  • email address
  • home, work, and cell phone numbers
  • marital status
  • date of marriage (if applicable)
  • date of death (if applicable)
  • level of education

The researchers also found bank details relating to the Ecuadorian national bank Biess (El Banco del Instituto Ecuatoriano de Seguridad Social), including:

  • account status
  • current account balance
  • amount financed
  • credit type
  • location and contact information for the person’s local Biess branch

They found still more, including the full name of the individual’s mother, father, and spouse, and were able to view each family member’s “cedula” value – in other words, what may be their national ID number.

Another part of the database held these employment details:

  • employer name
  • employer location
  • employer tax identification number
  • job title
  • salary information
  • job start date
  • job end date

And there’s more: vpnMentor also found automotive records that may be linked to individual car owners through their taxpayer identification number, including the car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details.

The database was also leaking some Ecuadorian businesses’ information, including their Ecuadorian taxpayer identification number (RUC), each company’s address and contact information, and contact details and identity of the companies’ legal representatives.

We don’t know if the researchers at vpnMentor were the first people to find this database, or if the crooks got there first. If they did, they could be using the information they found to conduct email and phone scams, to target people with spam, or organisations with business email compromise (BEC) fraud, to tailor convincing spearphishing attacks, or even to identify potential targets for theft, even kidnapping.

The information could be put together to make a profile that’s useful for all kinds of criminal activity. Granda gives this example:

The worrying thing is that if we cross reference this information, one could determine who is the person with the most money in Ecuador, where he lives, what car he has and even the data of their children.

What to do?

Individuals and businesses in Ecuador, or with interests in Ecuador, will have to remain vigilant for social engineering attempts and scams of all kinds.

For administrators charged with keeping data safe, this breach is another reminder (as if there haven’t been enough already) that databases need to be patched like any other software; that they shouldn’t be reachable from the internet unless absolutely necessary; that they should always have effective access controls that follow the principle of least privilege; that authentication should be multi-factor; and that sensitive data should be encrypted at rest.
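As an added example, not from the article and not tied to whatever database engine Novaestrat was running (the article does not name it): a Python check for the second of those points, whether a database on a host is listening on anything other than the loopback interface. It parses the output of `ss -ltn` (a constructed sample is embedded; run it with `--live` to read the real command) and flags well-known database ports bound to a wildcard or non-loopback address. The port-to-engine table is an assumption based on common default ports.

```python
import subprocess
import sys
from typing import List, Tuple

# Common default ports of database engines (assumption, not from the article).
DB_PORTS = {
    1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgresql",
    5984: "couchdb", 6379: "redis", 9042: "cassandra", 9200: "elasticsearch",
    27017: "mongodb",
}


def split_addr(local: str) -> Tuple[str, int]:
    """Split an ss local-address field such as '0.0.0.0:22' or '[::1]:6379' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """Loopback-only bindings are fine; anything else is reachable from the network."""
    return host.startswith("127.") or host in ("::1", "localhost")


def exposed_database_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, engine) for every database port not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # ss -ltn columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or blank line
        host, port = split_addr(fields[3])
        if port in DB_PORTS and not is_loopback(host):
            findings.append((host, port, DB_PORTS[port]))
    return findings


# Constructed sample of `ss -ltn` output: Postgres and Redis are loopback-only,
# while Elasticsearch and MongoDB are bound to every interface.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      4096   [::]:27017          [::]:*
LISTEN 0      128    [::1]:6379          [::]:*
"""


def main() -> None:
    if "--live" in sys.argv:
        output = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    else:
        output = SAMPLE_SS
    for host, port, engine in exposed_database_listeners(output):
        print(f"EXPOSED: {engine} on {host}:{port} is listening beyond loopback")


if __name__ == "__main__":
    main()
```

A hit from this check means the engine is reachable by anyone who can route to the host, so the next questions are whether a host firewall or security group blocks the port and whether the engine itself requires authentication; a wildcard bind with no authentication is exactly the condition that turns a database into a public download.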

Granda, again:

The encryption theme is a critical point in GDPR – it makes sensitive information unreadable to any attacker who tries to rob the data.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oulqmkZ0WNw/