e dot dot dot
a mostly about the Internet blog by

August 2019
Another Day, Another Company Leaving Sensitive User Data Exposed Publicly On The Amazon Cloud

Furnished content.


What is it about companies leaving consumer data publicly exposed on an Amazon cloud server? Verizon made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million citizens (read: most of you) similarly just sitting on an Amazon server without protection. Time Warner Cable also recently left 4 million user records sitting in an openly-accessible Amazon bucket.

You'd think that after all of this press attention fixated on a fairly basic (but massive) screw up, that companies would stop doing this. But you'd be wrong.

The latest company to fail at fundamental security practices is California's Bank of Cardiff, which managed to leave millions of phone recordings made by employees -- you guessed it -- in an unsecured Amazon cloud bucket open wide to the general internet. Many of the phone recordings exposed include bank employees talking with customers about sensitive financial transactions:

"Many of the calls appear to be Bank of Cardiff employees phoning up individuals the bank has discussed loans with, or attempting to offer them one. One call includes a potential customer discussing their plans for obtaining financing either from Bank of Cardiff or a competitor. In another, an employee contacts a company focused on industrial equipment; Motherboard identified the company because of its hold music which includes the firm's website. The company did not respond to a request for comment. In a third call, an employee contacted a company about a business loan."
Yeah, whoops-a-daisy. The practice by lazy and/or incompetent companies has basically made a career for folks like UpGuard cyber risk analyst Chris Vickery, who has spent the better part of the last few years searching for and exposing companies that can't be bothered to secure their cloud accounts. But again, it's absolutely incredible given the media exposure of this basic gaffe that every company on the planet hasn't done an audit to make sure their brand isn't the next one in lights for security incompetence.

Bank of Cardiff has yet to issue a public statement on the exposure, but it did finally lock down access to the data trove once journalists and security researchers (once again) did their jobs for them.
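The audit the post says every company should be running is mechanical: for each bucket, look at its ACL and its bucket policy and ask whether either grants access to everyone. The script below is an added example (not code from the article, Bank of Cardiff, or UpGuard) that performs those two checks offline on constructed sample documents laid out in the shape that boto3's `get_bucket_acl()` and `get_bucket_policy()` return; the bucket name, owner ID, ARN and VPC ID are made-up placeholders. A real run would fetch the documents per bucket and feed them to the same functions.

```python
"""Offline check for public S3 bucket access (added example, constructed data).

The ACL and bucket-policy documents below mimic the shape boto3's
get_bucket_acl() / get_bucket_policy() return; all names and IDs are placeholders.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def acl_public_grants(acl):
    """Return (group, permission) pairs the ACL grants to the two public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (in either scalar or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Sids of Allow statements open to any principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        # A Condition (aws:SourceVpc, aws:PrincipalOrgID, ...) may narrow the grant;
        # treat conditional statements as "needs review" rather than flat-out public.
        if st.get("Condition"):
            continue
        findings.append(st.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(name, acl, policy_json):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{name}: ACL grants {perm} to {group}"
                for group, perm in acl_public_grants(acl)]
    findings += [f"{name}: policy statement {sid} allows any principal"
                 for sid in policy_public_statements(policy_json)]
    return findings


# Constructed sample documents, not real bucket data.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-recordings/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-recordings/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-call-recordings", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

On the sample data the ACL check reports the `READ` grant to `AllUsers` and the policy check reports `PublicRead` but not `VpcOnly`, which is gated by a condition and deserves a human look rather than an automatic verdict. The durable fix is to turn on S3 Block Public Access at the account level so that neither an ACL nor a policy can reopen a bucket, and to keep a check like this in a scheduled job so a regression is caught before a reporter finds it.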


posted at: 12:00am on 08-Aug-2019
path: /Policy




Microsoft Nabs Russian Hackers Exploiting Flimsy IOT Security

Furnished content.


Week after week we've documented how internet of things devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors. And CIA leaks have indeed confirmed that "smart" TVs and other devices with embedded microphones make for wonderful surveillance tools.

So it's not too surprising to see Microsoft's Security Response Center proclaim this week that it has caught Russian hacking group "Strontium" (aka Fancy Bear and APT28) using poorly secured printers, VoIP phones, and video decoders to gain access to sensitive networks. As is usually the case, Microsoft found that once these devices' security was bypassed (often an easy feat given there are sometimes little to no security measures in place), the attackers were able to use them as a beachhead to gain broader access to the networks they were connected to:

"After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server."
In at least two instances, the hacks were only made possible thanks to hardware shipping with default username and password logins, something that has frequently plagued residential routers as well. Just as unsurprising as the hack was Microsoft's warning that this is a problem that's only going to get worse, regardless of the government or organization pulling the strings:
"While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives, the report noted. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments."
As security researchers like Bruce Schneier have long noted, there's some severe market failure driving this dysfunction. Companies don't want to spend money on security and privacy standards as they connect everything under the sun to the internet, and by the time vulnerabilities are discovered, they're off to selling the next big thing. Because the devices often don't provide insight into what they're doing, consumers routinely have no idea what the device is even doing on the network. And by the time vulnerabilities are addressed, consumers are off to buy the next big thing (with equally terrible security holes).

Year after year after year, we're connecting millions upon millions of devices to home and business networks with papier-mâché grade security. And while there are some fleeting efforts to address the problem (like incorporating flaws into product reviews), it's still not something folks are taking seriously enough. And while such proclamations are often dismissed as hyperbole, it's something folks like Schneier predict isn't likely to change until these vulnerabilities result in some notable human casualties.
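The Microsoft excerpt quoted above gives a defender two concrete signals: a printer or phone reaching an external command-and-control host, and the same device reaching into other subnets to enumerate administrative groups. Both stand out because an IoT device has a tiny, predictable set of things it should ever talk to. The script below is an added example (not Microsoft's tooling or anything from the article) that applies that idea to constructed flow records; the IoT subnet, device inventory, allowlisted vendor host, admin-port list and the `ts src dst dport proto` line layout are all assumptions for the demonstration.

```python
"""Flag IoT-segment devices talking where they should not (added example).

Inventory, allowlist and flow records are constructed; the flow line layout
'ts src dst dport proto' is assumed, not taken from any particular product.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: the IoT VLAN and the device types living in it.
IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")
IOT_DEVICES = {
    "10.50.0.11": "printer",
    "10.50.0.12": "voip-phone",
    "10.50.0.13": "video-decoder",
}
# RFC 1918 space counts as internal; anything else is "external" for this check
# (Python's ip_address.is_global would also treat the documentation ranges used
# in the samples as non-global, so the membership test is spelled out instead).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allowlist of external hosts an IoT device legitimately reaches
# (e.g. a vendor firmware/update endpoint).
ALLOWED_EXTERNAL = {"203.0.113.10"}
# Internal ports only admin workstations should be reaching; a printer talking
# LDAP or SMB to the server VLAN is the enumeration behaviour to alert on.
ADMIN_PORTS = {389, 445, 636, 3389, 5985}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse 'ts src dst dport proto' into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def classify(flow):
    """Return a finding string for a suspicious IoT-originated flow, else None."""
    src, dst = flow["src"], flow["dst"]
    if src not in IOT_SUBNET:
        return None  # only IoT-originated traffic is judged here
    dev = IOT_DEVICES.get(str(src), "unknown-iot-host")
    if not is_internal(dst):
        if str(dst) in ALLOWED_EXTERNAL:
            return None
        return (f"{flow['ts']} {dev} {src} -> unapproved external "
                f"{dst}:{flow['dport']} (possible C2)")
    if dst not in IOT_SUBNET and flow["dport"] in ADMIN_PORTS:
        return (f"{flow['ts']} {dev} {src} -> internal {dst}:{flow['dport']} "
                f"(lateral movement / enumeration)")
    return None


def detect(lines):
    """Run classify over flow lines; return findings grouped by source address."""
    findings = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        hit = classify(flow)
        if hit:
            findings[str(flow["src"])].append(hit)
    return dict(findings)


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    "2019-08-06T10:00:01 10.50.0.11 203.0.113.10 443 tcp",  # printer -> approved vendor host
    "2019-08-06T10:00:05 10.50.0.11 198.51.100.7 443 tcp",  # printer -> unknown external host
    "2019-08-06T10:00:09 10.50.0.12 10.10.0.5 389 tcp",     # phone -> LDAP on server VLAN
    "2019-08-06T10:00:12 10.50.0.13 10.50.0.12 5060 udp",   # decoder -> phone, same VLAN: fine
    "2019-08-06T10:00:15 10.10.0.20 198.51.100.7 443 tcp",  # workstation, not IoT: ignored
    "garbage line",
]

if __name__ == "__main__":
    for src, hits in detect(SAMPLE_FLOWS).items():
        for hit in hits:
            print(hit)
```

Run against the sample, it reports the printer's connection to the unlisted external host and the phone's LDAP connection into the server VLAN, and says nothing about the approved vendor host or the phone-to-decoder traffic inside the IoT VLAN. The allowlist is the whole point: because IoT devices have no business browsing the internet or the directory, an allowlist of a handful of destinations is realistic to maintain, and the detection is as much a network-segmentation check as a hunting rule. Pair it with changing the default credentials the post mentions, since the logic above only catches a compromised device after the fact.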


posted at: 12:00am on 08-Aug-2019
path: /Policy



