STE WILLIAMS

It’s Black Hat and DEF CON in Vegas this week. And yup, you know what that means. Hotel room searches for guns

Black Hat If you’re heading off to the Black Hat and DEF CON security conferences in Las Vegas, USA, this week, be prepared to have your hotel room searched if – for any reason – you shoo maid service away and stop staff from cleaning your room.

Most hotels in the city enforce mandatory checks within their rooms following the October 1, 2017 mass shooting from the Mandalay Bay hotel, now the home of the Black Hat conference. A murderer, whose name isn’t worth recording, killed 58 people and wounded 422 after hauling an arsenal of weapons into his hotel room, and raining bullets on a music festival crowd below.

In the aftermath, the Las Vegas police and hotel chains became more security minded, enacting policies that took hackers and infosec professionals visiting Sin City by surprise. These policies included mandatory searches of rooms for guns and suchlike, and zero tolerance for any kind of talk of threats against people.

As such, last year, a jokey tweet about attacking tourists got one senior Googler temporarily banned from Caesars; by attack, he meant a cyber-attack, not a physical one, and he was speaking hypothetically. Meanwhile, other folks were shocked when, without warning, hotel security barged into and rifled through their rooms to check for firearms, weapons, and illicit gear.

Women were particularly concerned: one infosec expert was naked in the bathroom when security guards forced their way in. During these searches, the staffers were not carrying anything like proper identification, and so guests feared they were about to be seriously assaulted by these mystery intruders. More than a few have decided to stay away from the conferences this year, or at least move to accommodations off the strip.


The events colored DEF CON so much so that the event’s head of security offered his resignation, though he was buoyed by a huge wave of support from attendees and so stayed on in his volunteer role. You would hope the hotels would be a little bit clearer about their policies of room searches this year. Sadly, that hasn’t been the case for everyone.

We contacted the two big hotel chains that control many strip hotels: MGM and Caesars. MGM flat-out refused to comment, saying it doesn’t discuss security procedures. Caesars, possibly mindful of last year’s kerfuffle, was more forthcoming.

“In an effort to ensure the safety of our guests and employees, certain hotel team members may periodically enter guest rooms to perform standard wellness checks, if – and only if – a room has not otherwise been serviced or accessed by a team member for an extended period,” a spokesperson told The Register.

“In other words, even if a team member accesses your room, by opting out of housekeeping services or posting a room occupied sign on the door, for example, team members may still periodically enter the room. This policy applies to all guest rooms and is intended to help us ensure guests and employees are safe.”

Other hotels contacted by The Register had similar policies or refused to say one way or the other. The venue for Bsides, the Tuscany, will be searching rooms, we’re told. We did find an off-strip Motel 6 which said it wouldn’t be checking unless a complaint was made but, let’s face it: who really wants to stay in a Motel 6?

Dark Tangent’s advice

Naturally the DEF CON organizers were more than a little concerned about last year’s problems.

According to conference founder Dark Tangent, aka Jeff Moss, all the hotels involved in the event promised to write up an official set of guidelines in time for this year’s hacker summer camp and, in the case of Caesars, this appears to have happened – albeit at the last minute.

In a forum posting late last week, Moss said hotel security would not carry out room checks; instead, that will be left to housekeeping. A staffer of the same gender can be requested by guests to carry out the inspection, and the hotel said it will be doing visual searches only.

Then again, they said that last year, and hackers who claim to have rigged cameras in their rooms say that wasn’t true and that staff had rummaged through drawers and belongings. The Reg did not see any of this claimed footage, however.

Certain items deemed a fire hazard have been banned from rooms, such as hot pots, soldering irons, rice cookers, and camp stoves. If found, they will be confiscated and stored before being handed back to guests when they leave.

Quite a few guests bring firearms for the ever-popular DEF CON Shoot, an event out in the desert where attendees fire off everything from handguns to small artillery. Coordinator Deviant Ollam said that guns are (understandably) not allowed in rooms but can be checked into hotel secure storage so long as they are in their proper cases, although space is limited.

Also, be advised that both the police and hotels seem to be keeping a close eye on social media during the show. So no “joke” tweets about violence or hacking please, or you may well find yourself in hot water. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/black_hat_defcon_hotels/

We’ve, um, changed our password policy, says CafePress amid reports of 23m pwned accounts

Twee T-shirts ‘n’ merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy.

Details of the breach emerged when infosec researcher Troy Hunt’s Have I Been Pwned service – which allows users to search across multiple data breaches to see if their email address has been compromised – began firing out emails to affected people in the small hours of this morning.

According to HIBP, a grand total of 23,205,290 CafePress customers’ data was compromised, including email addresses, names, phone numbers and physical addresses.

We have asked CafePress to explain itself and will update this article if the company responds. There was no indication on its UK or US websites at the time of writing to indicate that the firm had acknowledged any breach.

Darren Pauli, late of this parish, was affected and discovered this screen when he logged into CafePress to change his password:

He told El Reg: “I went to log into CafePress to see if they had my current street address and it threw that ‘change password’ page. No sign anywhere on the homepage or login of the breach – which Hunt puts as February this year – and no email in my inbox from them to notify me.”

CafePress had not contacted him proactively, he said.

Professor Alan Woodward of the University of Surrey opined that the breach must have been “as big a surprise to them as to their customers”, while wondering whether, given the evident lack of response so far from CafePress, the attackers had merely made off with 24 million people’s data or had left “something still in there phoning home”.

Musing on the 77 per cent of email addresses from the breach having been seen in previous HIBP reports, Woodward said that factoid “brings me to a problem that isn’t being discussed that much, and which this kind of breach does highlight: the use of email as the user name. It’s clearly meant to make life easier for users, but the trouble is once hackers know an email has been used as a username in one place it is instantly useful for mounting credential-stuffing attacks elsewhere.”

“I wonder,” he told The Register, “if we shouldn’t be using unique usernames and passwords for each site. However, it would mean that it becomes doubly difficult to keep track of your credentials, especially if you’re using different strong passwords for each site, which I hope they are. But all users need do is start using a password manager, which I really wish they would.”

The standard post-breach advice is to change your passwords, especially any on sites where you have reused those credentials (which you shouldn’t do, by the way), keep extra vigilant for any signs of login attempts or password resets that you didn’t initiate, and stay vigilant for any phishing attempts. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/cafebreach_breach_23m_user_records/

Class-action sueball flung at Capital One and GitHub over theft of 106 million folks’ details

Code repository GitHub and credit card flinger Capital One are facing down a potential class action suit in the US accusing them of negligence over the loss of 106 million individuals’ personal data.

Capital One is accused of failing to take appropriate action to secure its systems, while Microsoftie GitHub – or so the lawsuit claims – is alleged to have been negligent in leaving information relating to the exploit that allowed access to Capital One’s customer data available on its site.

The case is being brought by two customers, Aimee Aballo and Seth Zielicke, and lawyers Tycko Zafareei, on behalf of anyone else affected by the breach.

The complaint (PDF) accuses GitHub of “failure to monitor, remove or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed and used on and by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months.”

The document accuses Capital One of enthusiastically embracing the cloud while failing to pay proper attention to security concerns, saying that the bank should have been aware of the breach of its AWS-hosted database as early as 12 March.

Capital One, for its part, said it was unaware of any breach until about 19 July and that it took immediate action to secure its systems. The financial giant said that the FBI has arrested the person responsible. The filings allege this person is an ex-AWS employee and that Capital One was alerted to the breach by a GitHub user emailing the bank’s tip-off address.

The lawyers claim GitHub could have relatively easily spotted data like social security numbers because of their standard formatting and suggested GitHub employ content moderators like Facebook and YouTube.

But a GitHub spokesperson told us: “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.

The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”

The US government has also weighed in. The House of Representatives Committee on Oversight and Reform has written to Capital One (PDF) requesting a full briefing on the loss and the bank’s response before 15 August.

We’ve emailed Capital One and will update this story if we get a response. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/github_and_capital_one_hit_by_class_action_suit/

How Do I Monitor for Malicious Insiders?

Big picture: Think holistic, with appropriate levels of visibility into each stage of the insider threat kill chain.

Question: What things should I be scanning for that could, collectively, indicate I’ve got a malicious insider?

Katie Burnell, global insider threat specialist at Dtex Systems: Put simply, you should be scanning the full spectrum of user behaviours that lead up to an actual theft or sabotage of data. Without insight into exactly what your users are doing on their endpoints, you are blind to symptomatic behaviours that malicious users exhibit ahead of any data exfiltration or sabotage, for example.

A malicious insider will intentionally perform activities that may harm the company – for example, data-based activities through exfiltration or sabotage, or deliberate acts to compromise the operations of the business. In order to succeed in these activities, the user will likely need to circumvent corporate security measures, whether it be disabling existing tools, such as VPNs, or adopting alternative applications akin to private browsing or elevating their privileges. Security bypass activity is a conscious violation of security policy and is consistently used to engage in high-risk behaviour. Visibility into these actions and tell-tale early warning signs is vital. 

Your monitoring approach must be holistic and involve appropriate levels of visibility into each stage of the insider threat kill chain. Focusing exclusively on the latter stages – aggregation and exfiltration – is a common shortfall of many approaches and fails to spot initial indicators of questionable and potentially high-risk user activity.
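The stage-by-stage visibility Burnell describes can be made concrete with a small triage routine. The following is an added example, not code from Dtex or from the column; the event names, the mapping of actions to kill-chain stages, and the endpoint log it runs over are all constructed for illustration. Its point is the one made above: a detector that fires only on exfiltration sees one of the three users, while tracking security-bypass and aggregation activity surfaces the other two before any data leaves.

```python
"""Stage-aware insider-threat triage over endpoint activity events.

Added example, not Dtex's product logic or any code from the column above.
Event names, the stage mapping and the sample log are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Map observable endpoint actions to stages of an insider-threat kill chain.
# The mapping itself is an assumption made for this example.
STAGE_OF_ACTION = {
    "vpn_disabled":           "circumvention",
    "private_browsing":       "circumvention",
    "privilege_elevation":    "circumvention",
    "endpoint_agent_stopped": "circumvention",
    "bulk_file_copy":         "aggregation",
    "archive_created":        "aggregation",
    "usb_write":              "exfiltration",
    "personal_cloud_upload":  "exfiltration",
}
KILL_CHAIN_ORDER = ("circumvention", "aggregation", "exfiltration")

# Constructed sample log, one event per line: "timestamp|user|action|detail"
SAMPLE_LOG = """\
2019-08-05T09:02:11|alice|login|workstation-17
2019-08-05T09:30:45|alice|vpn_disabled|manual
2019-08-05T09:31:02|alice|private_browsing|firefox
2019-08-05T10:05:19|bob|login|workstation-22
2019-08-05T10:40:00|bob|bulk_file_copy|412 files from \\\\fs01\\finance
2019-08-05T11:15:33|bob|archive_created|q2-forecasts.zip
2019-08-05T14:02:09|carol|login|workstation-03
2019-08-05T14:10:44|carol|privilege_elevation|runas administrator
2019-08-05T14:20:51|carol|bulk_file_copy|1,204 files from \\\\fs01\\hr
2019-08-05T16:45:12|carol|usb_write|q2-forecasts.zip -> E:\\
"""


def parse_events(text):
    """Parse the pipe-delimited log into (timestamp, user, action, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return events


def stages_by_user(events):
    """Return {user: {stage: [actions...]}} for every kill-chain stage observed."""
    seen = defaultdict(lambda: defaultdict(list))
    for _ts, user, action, _detail in events:
        stage = STAGE_OF_ACTION.get(action)
        if stage:
            seen[user][stage].append(action)
    return {user: dict(stages) for user, stages in seen.items()}


def triage(events):
    """Classify each user by how far along the kill chain their activity reaches.

    Returns {user: (level, [stages reached, in kill-chain order])}.
    Alerting on exfiltration alone would flag carol only; watching the earlier
    stages also surfaces alice (security bypass) and bob (aggregation).
    """
    verdicts = {}
    for user, stages in stages_by_user(events).items():
        reached = [s for s in KILL_CHAIN_ORDER if s in stages]
        if "exfiltration" in reached:
            level = "critical"
        elif "circumvention" in reached or "aggregation" in reached:
            level = "investigate"
        else:
            level = "none"
        verdicts[user] = (level, reached)
    return verdicts


if __name__ == "__main__":
    for user, (level, reached) in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        print(f"{user:6} {level:12} stages: {' -> '.join(reached) or '-'}")
```

In a real deployment the stage mapping would come from the endpoint telemetry you actually collect, and the "investigate" verdicts would feed an analyst queue rather than an automatic block; the structure above is what keeps the early indicators from being dropped on the floor.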

What do you advise? Let us know in the Comments section, below.

Do you have questions you’d like answered? Send them to [email protected].

 

When Katie Burnell went to work for the Bank of England as a data processor, she didn’t intend to switch career paths into cybersecurity. She was on the digital media team when she learned the bank was creating an IT security department. As she moved up through the ranks, …

Article source: https://www.darkreading.com/edge/theedge/how-do-i-monitor-for-malicious-insiders/b/d-id/1335368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to Keep Your Web Servers Secure

The good news is that Web servers have come a long way in terms of security. But to err is human, even for IT and security people.

When the security industry thinks about breaches caused by human error, the image of an employee accidentally clicking on a malicious link in a phishing email often comes to mind. But to err is human, even for IT and security people, especially when it comes to Web servers.

Web servers themselves have come a long way in terms of security. Think back to the nascent days of Apache and how the server earned its name. “It was, ‘A-PAtCHy server’ based on applying a number of patch files against an older server platform,” says Geoff Walton, senior security consultant at TrustedSec.

But the industry has moved beyond that world. Today, whether you are running Apache, IIS, Nginx, or some combination thereof, “all of these and some others have benefited from years of hardening and security improvements,” Walton says. “Most Web security challenges today are really found in the applications running on those servers.”

If Servers Are Misconfigured
Configuration errors made by administrators are probably the biggest risks to Web servers themselves in modern deployments, according to Walton.

Server misconfiguration issues include “inappropriate directory permissions, running the server itself as an account with excessive privileges, enabling handlers or plugins for scripts, and APIs that are not needed or should be restricted to specific applications or documents,” he says. “These and the selection of weak SSL/TLS cipher algorithms are all still common problems.”

According to WhiteHat Security, the unnecessary default and sample application, script, Web page, and configuration files that often ship with servers contribute to these misconfiguration issues. “They may also have unnecessary services enabled, such as content management and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous users,” writes WhiteHat Security.

In some cases, misconfigurations can also trigger unexpected authentication and authorization behavior that differs from what administrators have configured for a hosted application’s Web directory.
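The misconfigurations listed in this section are the kind that can be caught mechanically before a server goes live. The following audit script is an added example, not tooling from Apache, OWASP, WhiteHat or TrustedSec; it checks an Apache httpd configuration fragment for a server running as root, directory listing, version leakage, an enabled TRACE method, legacy SSL/TLS versions and weak cipher selectors, and leftover default documentation. Both configuration fragments it runs over are constructed: a weak one showing the problems, and a hardened counterpart that passes clean. The directive names are real Apache directives; the selection of checks and their severity wording are this example’s own.

```python
"""Audit an Apache httpd configuration fragment for the misconfigurations the
article lists: excessive server privileges, directory listing, information
leakage, weak SSL/TLS settings and leftover sample content.

Added example; the checks and both sample configs are constructed here and
are not Apache's, OWASP's or TrustedSec's own tooling.
"""

# Constructed "before" config showing several of the problems described above.
WEAK_CONFIG = """\
User root
Group root
ServerTokens Full
ServerSignature On
TraceEnable On
SSLProtocol all
SSLCipherSuite ALL:!aNULL:RC4:DES
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
Alias /manual "/usr/share/httpd/manual"
"""

# Constructed hardened counterpart: unprivileged account, no listing, no leaks.
HARDENED_CONFIG = """\
User www-data
Group www-data
ServerTokens Prod
ServerSignature Off
TraceEnable Off
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# OpenSSL cipher-list selectors that should not appear as positive selections.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXPORT", "MD5",
                      "ALL", "LOW", "aNULL", "eNULL"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _directives(config):
    """Yield (name, value) for each directive line, skipping comments and section tags."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip()


def audit(config):
    """Return a sorted list of finding strings for the given configuration text."""
    findings = []
    for name, value in _directives(config):
        if name in ("User", "Group") and value == "root":
            findings.append(f"{name} root: server runs with excessive privileges")
        elif name == "ServerTokens" and value != "Prod":
            findings.append("ServerTokens: version details leak in Server header")
        elif name == "ServerSignature" and value.lower() == "on":
            findings.append("ServerSignature On: version leaks in error pages")
        elif name == "TraceEnable" and value.lower() == "on":
            findings.append("TraceEnable On: unnecessary HTTP method enabled")
        elif name == "Options":
            # "+Indexes" and bare "Indexes" both enable listing; "-Indexes" disables it.
            opts = {o.lstrip("+") for o in value.split() if not o.startswith("-")}
            if "Indexes" in opts:
                findings.append("Options Indexes: directory listing enabled")
        elif name == "AllowOverride" and value != "None":
            findings.append("AllowOverride: .htaccess can weaken per-directory settings")
        elif name == "SSLProtocol":
            enabled = {t.lstrip("+") for t in value.split() if not t.startswith("-")}
            if "all" in enabled or enabled & LEGACY_PROTOCOLS:
                findings.append("SSLProtocol: legacy SSL/TLS versions enabled")
        elif name == "SSLCipherSuite":
            # Selectors prefixed with "!" are exclusions and are not counted.
            suites = {s.lstrip("+") for s in value.split(":") if not s.startswith("!")}
            weak = sorted(suites & WEAK_CIPHER_TOKENS)
            if weak:
                findings.append(f"SSLCipherSuite: weak cipher selectors {weak}")
        elif name == "Alias" and "/manual" in value:
            findings.append("Alias /manual: default documentation exposed")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

A check like this belongs in the repeatable platform-configuration process Walton recommends later in the article: run it against the rendered configuration in CI, fail the build on any finding, and extend the rule table as the organisation’s standards evolve.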

Removing the Target from Your Back
It’s really not possible to discuss best practices in Web server security without also mentioning Web application security.

Because the Web applications you run are a hacker’s most likely target for abuse, “if you discover the application you plan to host requires you to soften your hardened platform, it’s a good indicator that the application isn’t following best practices and should trigger an investigation into why,” Walton says.

Applications can be strengthened at the development phase, where you want to ensure you have a strong secure software development life cycle (secSDLC) process in place. Additionally, application defense can be addressed at runtime, where a Web application firewall (WAF) can provide effective detection and prevention control.

Improper server or Web application configuration can lead not only to flaws, but also to cyberattacks, according to the OWASP Foundation’s Top Ten 2017 Project. That is why it’s important to detect when an application is vulnerable. If an application is “missing appropriate security hardening across any part of the application stack,” it could be vulnerable, OWASP states.

“Without a concerted, repeatable application security configuration process, systems are at a higher risk,” OWASP adds.

Patch, Patch, and Patch Again
Because Web servers are mostly Internet-facing, and the Internet is littered with bots, it is likely that a bot is probing your Web server for exploitable vulnerabilities. A successful compromise can then be used to embed malicious scripts or malware that steal credentials, financial details, or sensitive personal information, or to deploy malware to unknowing visitors, says Joseph Carson, chief security scientist at Thycotic.

“The best way to stay one step ahead of those Internet bots is to consistently patch your Web servers and ensure that you don’t leave the door open to cybercriminals waiting for the moment you forget to update major security vulnerabilities,” he adds.

In addition, security teams should combine the principle of least privilege with strong privileged access management. “Web servers should only be accessible via authorized and approved employees who should only access the Web server when scheduled or planned maintenance is expected,” says Carson.

That means go ahead and lock down access to the Web servers with strict privileged access management controls and restrict access to only those employees who are permitted to view or make changes. 

Hold onto the Vendor Guide!
According to Walton, the best way to address Web server and Web application challenges is to consult the vendors’ security best practices guide and follow it.

“Roll that up into your organization’s platform standards for server and container configurations. Once you have a solid platform configuration and repeatable process, it becomes much easier to avoid the most serious problems,” Walton adds.

Taking the time to include security code reviews for new features and changes before deployment or even integrating application security testing into your QA process will also enhance server security. In addition, developers should make it a point to remain aware of the most common threats to Web-based applications and how they can be avoided.

“This enables them to put those things into practice or validate that the tools they are selecting do so,” Walton says.

Leveraging static source code analyzers and Web vulnerability scanners can provide developers a great deal of insight, Walton adds. “These tools will help to find potential risks in large existing projects that may have been present for years,” he says. “They can also spot problems in new work.”

Web vulnerability scanners look at the application at run time and exercise it, using probes against all inputs to detect risky application behavior, according to Walton. They may also detect issues in third-party components and other parts of the overall application stack that a static analysis tool does not have visibility into. However, Walton says, “they are usually unable to detect authorization and business logic issues as effectively.”

No single best practice can defend against determined attackers, and no combination of these steps is a magical elixir. While most products come with a solid set of general rules out of the box, getting the most out of any tool requires that someone familiar with the behavior of the application being protected is in charge of building out custom rule sets.

Even then, Walton warns, “highly crafted targeted attacks might still be able to be effective before blocking rules and alerts are triggered.”


Image Source: Siarhei via Adobe Stock

 

 

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/how-to-keep-your-web-servers-secure/b/d-id/1335435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading News Desk Live at Black Hat USA 2019

Watch right here for more than 30 video interviews with speakers and sponsors. Streaming live from Black Hat USA Wednesday and Thursday 2 p.m. to 6 p.m. Eastern.

If the Las Vegas grasshopper apocalypse is keeping you from attending Black Hat USA 2019, never fear: Dark Reading’s video News Desk will have you covered. The News Desk will return to Black Hat this week, bringing you more than 30 live video interviews with conference speakers and sponsors as we stream live from the expo floor this Wednesday and Thursday.

Return right here at 2 p.m. Eastern, 11 a.m. Pacific Wednesday, Aug. 7 to learn about the newest gobsmacking vulnerability disclosures, headsmacking attack trends, clever penetration tools, inventive security solutions, and, horrifying, um, bug infestations.

Watch here and follow the action on Twitter at #DRNewsDesk.

[The stream will start right here Wednesday. Return to https://darkreading.com/drnewsdesk Wednesday.]

Here’s the line-up for Wednesday, Aug. 7: 2 p.m. to 6 p.m. Eastern / 11 a.m. to 3 p.m. Pacific

  • Mike Kiser, Office of the CTO, SailPoint — Spartacus-as-a-Service: privacy via obfuscation
  • Eldon Sprickerhoff, Founder and Chief Innovation Officer, eSentire — the differences between MSSPs and managed detection response
  • Xavier Garceau-Aranda, Senior Security Consultant, NCC Group — Scout Suite: a multi-cloud security auditing tool
  • Nathan Hamiel, Head of Cybersecurity Research, Kudelski Security and Nils Amiet, Senior Cybersecurity Engineer, Kudelski Security — FumbleChain: a purposely vulnerable blockchain
  • Chester Wisniewski, Principal Research Scientist, Sophos — automated active attacks and why they’re here to stay
  • Nikhil Mittal, Principal Trainer, PentesterAcademy — on Active Directory attacks
  • Dean Sysman, CEO Co-Founder, Axonius — on asset management and its role in infosec
  • Joshua Maddux, Software Engineer / Security Researcher, PKC Security — How Apple Scattered Vulns All Over the Internet
  • April Wright, Security Consultant, ArchitectSecurity.org and Jayson Street, VP of Infosec, SphereNY — on social engineering detection and incident response
  • Spencer McIntyre, Technical Director of RI, RSM — King Phisher: A Phishing Campaign Toolkit
  • Tim Vidas, PhD, Senior Distinguished Engineer, Office of the CTO, Secureworks and Nash Borges, PhD, Senior Director of Engineering and Data Science, Secureworks 
  • Patrick Cable, Director of Platform Security, Threat Stack — Trash Taxi: Taking Out the Garbage in Your Infrastructure
  • Dmitry Snezkhov, Red Team Operator, X-Force Red, IBM Corporation — Zombie Ant Farming
  • Mark Dufresne, Vice President, Research Development, Endgame — achieving security parity between Apple Mac OSX environments and Windows. Also introducing Endgame for MacOS
  • Gregory Conti, Senior Security Strategist, IronNet and David Raymond, Director, U.S. Cyber Range, Virginia Tech — Information Operations and misinformation
  • Anthony James, VP of Products, Infoblox — how to use DNS infrastructure to protect your data and users
  • Mohammed Aldoub, independent security consultant Black Hat Trainer — barq: The AWS Post-Exploitation Tool
  • Joakim Kennedy, threat intel manager, Anomali — the impact of the security skills shortage on threat intelligence
  • Haiyan Song, SVP and GM of Security Markets, Splunk — the Phantom acquisition, “Dark Data,” and the integration of security and analytics

 

Lineup for Thursday, Aug. 8: 2 p.m. to 6 p.m. Eastern / 11 a.m. to 3 p.m. Pacific

  • Roman Zaikin, Security Researcher, Check Point Software Technologies and Oded Vanunu, Head of Products Vulnerability Research, Check Point Software Technologies — Reverse Engineering WhatsApp Encryption for Chat Manipulation and More
  • Jesse Rothstein, CTO and Co-Founder, ExtraHop
  • David Cross, Principal Security Architect, Henry Schein One — Alexa HackerMode 2.0: Voice auto Pwn using Kali Linux and Alexa skill combo
  • Robert Leale, President, CanBusHack, Inc. — Car Hacking Hands-on Training
  • Pablo Breuer, US Special Operations Command, Donovan Group, Innovation Officer, SOFWERX and David M. Perlman, Ph.D., Social Media professional founder of CoPsyCon — Hacking Ten Million Useful Idiots
  • Mike Price, Chief Technology Officer, ZeroFOX and Matt Price, Principal Research Engineer, ZeroFox — Playing Offense and Defense with Deep Fakes
  • Chris Eng, Chief Research Officer, Veracode — on application security
  • George Williams, Director of Data Science, GSI Technology — Detecting DeepFakes with Mice
  • Ruben Santamarta, Principal Security Consultant, IOActive — Reversing the Boeing 787’s Core Network
  • Mike Sapien, Chief Analyst, Enterprise Services, Ovum 
  • Eric Parizo, Senior Analyst, Ovum 
  • John Weinschenk, General Manager of Enterprise Network and Application Security, Spirent — better vulnerability identification and getting more benefit from compliance efforts
  • Dr. Paul Vixie, CEO, Farsight Security
  • Brian Knighton, Senior Researcher, National Security Agency and Chris Delikat, Technical Lead, CNE Research, National Security Agency — Ghidra: Journey from NSA Tool to Open Source
  • Dan Hubbard, CEO, Lacework — cloud security
  • Philippe Courtot, Chairman and CEO, Qualys — cloud security
  • Chris Morales, Vectra — ransomware’s evolving methods
  • Michael Wozniak, Technical Lead for Infrastructure Security, Snap Inc. and Winston Howes, Technical Lead for Application Security, Snap Inc. — Securing Apps in the Open-By-Default Cloud
  • Eva Galperin, Director of Cybersecurity, Electronic Frontier Foundation — Hacking for the Greater Good
  • Pramod Rana — LMYN: Let’s Map Your Network

See you Wednesday!

(Image Source: Filmarkivet. Author: Unknown. Creative Commons.)

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/vulnerabilities---threats/dark-reading-news-desk-live-at-black-hat-usa-2019/d/d-id/1335369?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8 Head-Turning Ransomware Attacks to Hit City Governments

Hackers know vulnerable systems when they see them, and they also know this: Many government systems are decades old, running Windows 7 and even Windows XP.

Image Source: Adobe Stock: arrow

Hackers know vulnerable systems when they see them, and they also know this: Many government systems are decades old, running Windows 7 and even Windows XP. So it’s no wonder why the bad guys have been striking out against them with ransomware attacks in recent months. 

Even school districts are getting hit, the most notable being the four districts that were attacked in Louisiana last month, prompting Gov. John Bel Edwards to declare a state of emergency. 

To be sure, security teams can take some clear steps to stay secure and/or mitigate such attacks. Best practices include solid patch management, comprehensive phishing and email management education, and privileged access management, according to Phil Rivers, CISO at Ivanti, who also advises reviewing the Center for Internet Security’s 20 Controls. Additional guidance includes having good backups, reinforcing basic cyber awareness and education, and revisiting and refining cyber incident response plans. 

But while an ounce of prevention is worth a pound of cure, attacks can’t be fully prevented. The following slides review eight of the most high-profile ransomware cases to hit city governments since last fall. 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/8-head-turning-ransomware-attacks-to-hit-city-governments/d/d-id/1335424?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

LAPD loses job applicant details, Project Zero pokes holes in iOS, AWS S3 whack-a-mole continues, and more

Roundup Here is a quick roundup of the recent happenings in the world of computer security beyond what we’ve already reported.

Also, look out this week for our Black Hat, DEF CON, and Bsides Las Vegas coverage: our vultures out in the Nevada desert will produce a string of articles from the hacking conferences.

Amazon closes one open S3 bucket, two more pop up

In what has become a depressingly common occurrence, misconfigured Amazon S3 buckets continue to expose people’s private information to the public internet.

Researcher Gareth L. found that Bank of Cardiff, a financial institution based in San Diego, California, had left open a public-facing S3 bucket containing its communications with customers. The archive, which has been up since at least December, includes recordings of the bank’s customer service calls.

El Reg was unable to get a response from Bank of Cardiff over the issue. At least some of the files have now been hidden from view by its staff, though. Shortly after that discovery, our man spotted another open bucket, this one belonging to UK company VQ Solutions.

In better news, a collection of sensitive data, hosted in a poorly secured public-facing Amazon S3 bucket, that Gareth L. and El Reg have been tracking for some time has finally been taken down. That archive included patient medical records, health insurance details, and court filings.

Despite our attempts to reach the multiple doctors, lawyers, and insurance companies whose documents were included in the archive, and despite reporting the breach to the US Department of Health and Human Services, the S3 bucket was only taken down after we alerted Amazon’s AWS security team to the leak.

StockX admits it fell victim to cyber-attack

Late last week, a Register ad-sales exec who buys shoes from StockX.com got an email from the e-tailer asking him to reset his account password. This was due to a “system upgrade” he was told at the time. Well, it turns out it was actually due to hackers, who managed to raid the web store and steal customer data.

“An unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history,” the online souk added.

“From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”

Reset your passwords, folks, or find a better e-tailer for your sneakers.

Europol celebrates No More Ransom milestone

This week marked an important milestone for Europol’s ‘No More Ransom’ project, as the security campaign celebrated its third anniversary.

Since its launch in 2016, No More Ransom says it has helped some 200,000 people and companies decode their encrypted data without caving to ransom demands. This has kept more than $100m out of the hands of criminals, the agency claimed.

“With visitors from 188 countries, the project has become a one-stop shop for the victims of ransomware, registering already over three million individual visits in its short life span,” Europol said. “Thanks to the cooperation between more than 150 partners, the criminal business model behind ransomware has been severely hit since the initiative was launched, resulting in some $108 million profit prevented from going to the wrong pockets.”

LAPD relieved of personal details on job applicants

The Los Angeles Police Department finds itself on the wrong end of a data exposure case after someone managed to pilfer details of more than 17,000 officers and job applicants.

Local news station NBC Los Angeles reports that a hacker appears to have gotten into a database containing the information police candidates gave when they applied for a job with the department, including name, partial Social Security numbers, email and home address. Those affected are being advised to keep a close eye on their bank and credit reports.

Cisco Nexus wrecks us

Anyone using a Cisco Nexus 9000 switch will want to check for an update after the networking giant issued an alert for a high-severity security flaw. The bug potentially allows for complete takeover of the switch.

“An attacker could exploit this vulnerability by sending a crafted LLDP packet to the targeted device. A successful exploit may lead to a buffer overflow condition that could either cause a DoS condition or allow the attacker to execute arbitrary code with root privileges,” Cisco notes.
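Two practitioner notes. First, LLDP frames go to a link-local multicast address and are not forwarded by bridges or routers, so the attacker needs to be on a segment directly attached to the switch; that narrows the exposure to ports facing untrusted hosts, and disabling LLDP reception on those interfaces (on NX-OS, `no lldp receive` under the interface) is a reasonable stopgap until the update is applied. Second, the bug class is the familiar one of trusting a length field in the packet. The parser below is an added example, not Cisco's code and not the fix; it shows the checks an LLDP TLV walker has to make before a value is copied anywhere, with a well-formed frame and a crafted one whose chassis ID header claims 511 bytes. Frames, MAC addresses and names are constructed.

```python
"""Defensive LLDP TLV parser: every declared length is checked before use.

Added example, not Cisco's code; the page says only "crafted LLDP packet"
and "buffer overflow". Frames below are constructed for illustration.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
MAX_ID_LEN = 255  # 802.1AB: chassis/port ID = 1 subtype byte + up to 255 bytes


class LLDPError(ValueError):
    pass


def tlv(ttype, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    assert len(value) <= 0x1FF
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Walk the TLV list. The length check mirrors the one a C implementation
    must make before memcpy()ing a value into a fixed-size buffer; skipping it
    is how a crafted length turns into a stack or heap overflow."""
    view = memoryview(payload)
    off, tlvs = 0, []
    while True:
        if off + 2 > len(view):
            raise LLDPError("truncated TLV header at offset %d" % off)
        (hdr,) = struct.unpack_from("!H", view, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if ttype == TLV_END:
            return tlvs
        # 1. the declared length must not run past the bytes actually received
        if off + length > len(view):
            raise LLDPError("TLV type %d declares %d bytes but only %d remain"
                            % (ttype, length, len(view) - off))
        tlvs.append((ttype, bytes(view[off:off + length])))
        off += length


def decode(tlvs):
    """Turn raw TLVs into fields, enforcing each field's maximum size
    (the capacity of the destination buffer, in C terms)."""
    info = {}
    for ttype, value in tlvs:
        if ttype in (TLV_CHASSIS_ID, TLV_PORT_ID):
            # 2. value must fit the field: 1 subtype byte + at most MAX_ID_LEN bytes
            if not 2 <= len(value) <= MAX_ID_LEN + 1:
                raise LLDPError("ID TLV type %d has bad length %d" % (ttype, len(value)))
            key = "chassis_id" if ttype == TLV_CHASSIS_ID else "port_id"
            info[key] = (value[0], value[1:])
        elif ttype == TLV_TTL:
            if len(value) != 2:
                raise LLDPError("TTL TLV must be exactly 2 bytes")
            info["ttl"] = struct.unpack("!H", value)[0]
        elif ttype == TLV_SYSTEM_NAME:
            if len(value) > 255:
                raise LLDPError("system name too long")
            info["system_name"] = value.decode("utf-8", "replace")
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in info:
            raise LLDPError("mandatory %s TLV missing" % required)
    return info


def parse_frame(frame):
    """Strip the 14-byte Ethernet header after checking the ethertype."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise LLDPError("not an LLDP frame")
    return decode(parse_lldpdu(frame[14:]))


MAC = bytes.fromhex("001122334455")                      # constructed source MAC
ETH_HDR = bytes.fromhex("0180c200000e") + MAC + struct.pack("!H", LLDP_ETHERTYPE)

# A well-formed advertisement (constructed)
GOOD_FRAME = ETH_HDR + (tlv(TLV_CHASSIS_ID, b"\x04" + MAC)           # subtype 4 = MAC address
                        + tlv(TLV_PORT_ID, b"\x05" + b"Ethernet1/1")  # subtype 5 = interface name
                        + tlv(TLV_TTL, struct.pack("!H", 120))
                        + tlv(TLV_SYSTEM_NAME, b"core-sw-1")
                        + tlv(TLV_END, b""))

# Crafted: the chassis ID header claims the maximum 511 bytes but only 7 follow.
# A parser that trusts the header copies 511 bytes from past the end of the frame.
CRAFTED_FRAME = (ETH_HDR + struct.pack("!H", (TLV_CHASSIS_ID << 9) | 0x1FF)
                 + b"\x04" + MAC + tlv(TLV_END, b""))

if __name__ == "__main__":
    print(parse_frame(GOOD_FRAME))
    try:
        parse_frame(CRAFTED_FRAME)
    except LLDPError as e:
        print("rejected:", e)
```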

And this week’s government ransomware victim is… *spins wheel*…Georgia state police!

Word out of Atlanta is that multiple Georgia state police agencies have fallen victim to an unspecified ransomware infection.

The malware, affecting the Georgia State Patrol and the State Capitol Police, partially disabled the system officers use to check records, meaning in some cases they are having to use phones and dispatch radio to perform checks.

Project Zero details iOS flaws

Noted bug-hunter Natalie Silvanovich with Google’s Project Zero has dropped the details on a handful of flaws her team uncovered in Apple’s iOS. The (since-patched) vulnerabilities have been known for weeks, but the release of proof-of-concept code will make it that much easier to exploit them.

If you haven’t updated your iOS gear recently, do so immediately.

SanDisk SSDs found to have hard-coded passwords

Trustwave researcher Martin Rakhmanov has found two CVE-listed flaws in SanDisk solid-state drives stemming from the use of hard-coded passwords.

While not critical, the bugs could allow an attacker to gather detailed system data on a target by intercepting and reading the status reports SanDisk drives send back to the company.

Apple devices blab data over Bluetooth

Researchers have uncovered a new set of vulnerabilities in Apple iOS gear via Bluetooth connections. Like many other devices, Apple gear allows some data to be harvested over Bluetooth Low Energy connections: hardware details, device names, and even your mobile number. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/security_roundup_0209819/

4 million Club Penguin Rewritten accounts exposed in breach

Last Friday, the hugely popular gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach that exposed four million user accounts.

Having account data (email addresses, usernames, IP addresses and passwords) stolen is bad enough in any event, but this was made worse by the fact that it came on the back of a separate breach in January 2018, affecting 1.7 million accounts, that was only made public more than a year later.

The cause of the latest breach? According to someone connected to CPRewritten who contacted news site Bleeping Computer this week, the hack happened after hackers accessed a hidden PHP database back door put there by a former site admin last year.

It’s a version of events that both the individual concerned and a hacking group that has claimed responsibility for the hack strenuously deny.

The New World Order group who claim credit for the breach say they compromised the site using a vulnerability in the Adminer database administration tool. Regarding the admin’s involvement, they tweeted this:

…he had nothing to do with it. CPR admins know who we are, we’re responsible for the database breaches of many other CPPSes.

July breach

CPRewritten launched in 2017 in order to continue the earlier Club Penguin (CP), which was shut by owners Disney in the same year.

A year later it was announced that CPRewritten, too, would be closing, a decision that was reversed a month later after extra funding was found.

The breach is believed to have begun at around 11pm BST last Friday, about an hour after which an admin noticed that the server’s resources were being used heavily.

CPRewritten only realised that this was connected to a breach the next day. By the time it took defensive measures, the site says, the hackers had already tried to…

…damage records and steal valuable accounts with rare virtual items [exchangeable for money] collected from the game.

What to do

The first task is to change the account password, something the site will presumably require users to do anyway when they next log in (as far as we can tell, the ‘Padlock’ two-factor authentication is not yet available to turn on).

The fact that the passwords were hashed with bcrypt will be seen as good news. However, bcrypt isn’t a magic shield: a slow, salted hash raises the cost per guess, but weak or reused passwords can still be recovered by attackers with enough time and hardware, so the reset still matters.
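The difference between "hashed passwords" with no algorithm named (StockX, above) and bcrypt (CPRewritten) is worth seeing in code. What follows is an added example, not code from either site or from Naked Security: it cracks a constructed dump twice, once where the hashes are unsalted SHA-1 and once where they are salted and iterated. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, because bcrypt is not in the standard library and the property being shown, a per-user salt plus a tunable cost, is shared by both. The users, passwords and wordlist are constructed.

```python
"""Why "hashed passwords" in a breach is not a free pass.

Added example, not code from StockX, CPRewritten or Naked Security. The dump
and the wordlist are constructed. PBKDF2-HMAC-SHA256 stands in for bcrypt.
"""
import hashlib
import hmac
import os
import time

# Tiny constructed wordlist; real attacks start with tens of millions of entries
WORDLIST = ["penguin", "123456", "password", "clubpenguin", "iceberg2019", "letmein"]


def fast_hash(password):
    """Unsalted SHA-1: one table of WORDLIST hashes cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password, salt, rounds):
    """Salted, iterated hash (bcrypt stand-in). Cost scales with `rounds`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_fast_dump(users):
    """What a site storing bare SHA-1 leaks: {username: hexdigest}."""
    return {u: fast_hash(p) for u, p in users.items()}


def make_slow_dump(users, rounds):
    """What a site storing salted slow hashes leaks: {username: (salt, digest)}."""
    dump = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dump[u] = (salt, slow_hash(p, salt, rounds))
    return dump


def crack_fast(dump):
    """Precompute WORDLIST once; each user is then an O(1) lookup."""
    table = {fast_hash(w): w for w in WORDLIST}
    return {u: table[h] for u, h in dump.items() if h in table}


def crack_slow(dump, rounds):
    """The salt forces a fresh WORDLIST pass per user and every guess costs
    `rounds` iterations. A password that is in the wordlist still falls."""
    recovered = {}
    for u, (salt, digest) in dump.items():
        for w in WORDLIST:
            if hmac.compare_digest(slow_hash(w, salt, rounds), digest):
                recovered[u] = w
                break
    return recovered


def attack_work(n_users, rounds):
    """Hash-function invocations needed to try WORDLIST against every user."""
    return {"fast_unsalted": len(WORDLIST),
            "slow_salted": n_users * len(WORDLIST) * rounds}


# Constructed accounts: two wordlist passwords, one long random passphrase
USERS = {"alice": "penguin", "bob": "123456", "carol": "glacier-ukulele-47-tramline"}

if __name__ == "__main__":
    rounds = 100_000
    t = time.perf_counter()
    print(crack_fast(make_fast_dump(USERS)), "%.3fs" % (time.perf_counter() - t))
    t = time.perf_counter()
    print(crack_slow(make_slow_dump(USERS, rounds), rounds), "%.3fs" % (time.perf_counter() - t))
    print(attack_work(n_users=4_000_000, rounds=rounds))
```

The slow run recovers exactly the same weak accounts as the fast one; what changes is the bill. Scaling `attack_work` to four million users shows why a salted, iterated hash buys time for a forced reset rather than making the dump worthless, which is the sense in which bcrypt is not a magic shield.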

Both breaches suffered by the site were made public by the Have I Been Pwned? (HIBP) breach notification site that can also now deliver alerts of new incidents in Mozilla Firefox.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OOy5KTZxQEM/

It’s a bird! It’s a plane! No, it’s two-dozen government surveillance balloons over America

Uncle Sam is testing a system that uses high-altitude balloons to conduct surveillance over American soil.

Government contractor Sierra Nevada Corporation – the aerospace company, not the brewery – has released balloons that will drift over a large area in the United States’ Midwest, and form a network capable of monitoring and tracking activity on the ground over massive distances.

The Pentagon-ordered tests, involving 25 balloons cruising at 65,000-odd feet, will run from July 12 to September 1. It is understood the craft are carrying radar equipment to track the movement of vehicles far below.

Mid-July, Sierra Nevada successfully filed the necessary paperwork with America’s comms watchdog, the FCC, to obtain permits for wireless communications from the balloons. They will float over South Dakota and then move into neighboring Iowa, Minnesota, Wisconsin, Missouri, and Illinois. The filings sought permission for Sierra Nevada to use various radio frequencies over the area, as well as to inform those in the flight path of the trial.


Sierra Nevada did not return a request for comment on the report, though the FCC filing includes a passage in which the biz provides a brief description of its activities, stating it wants to “conduct high altitude MESH networking tests over South Dakota to provide a persistent surveillance system to locate and deter narcotic trafficking and homeland security threats.”

Meanwhile, The Guardian newspaper today noted that Sierra Nevada’s other contracts with the US government are for small aircraft that have been equipped with cameras and sensors and used to provide images and surveillance in Mexico, Central America, and the Caribbean.

It would stand to reason, then, that the balloon network would be designed to operate alongside, or as a replacement for, these light aircraft. By operating at 65,000 feet (19,812 meters) and using solar panels to power its radar and surveillance systems, the unmanned balloons would be able to stay in the air for days, far longer periods than the planes would.

They would also, however, raise privacy concerns, particularly in this trial, as the massive balloon network is going to be operated over populated American cities. Privacy advocates will be less than thrilled to learn that the US military’s unmanned observation craft are floating over large parts of the Midwest. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/02/government_spy_balloons/