Search This Blog

Showing posts with label Data Exposure. Show all posts

Confidential Terrorist Watchlist With 1.9Mn Records Exposed Online

 

Cyber security researcher Bob Diachenko has unearthed an unsecured ElasticSearch server containing nearly two million terrorist watchlist records, including "no-fly" list indicators, which were left exposed for a period of three weeks between July 19th and August 09th. 

Earlier this week, Diachenko posted a message and said, “On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it." The unprotected server had a Bahrain IP address but it remains unclear whether the server was owned by the US or any other country.

Diachenko immediately reported his discovery to the US Department of Homeland Security, but the records weren't taken down until August 09. The leaked records contained passport details, full name, dates of birth, citizenship, gender, TSC watchlist, country of issuance, and no-fly indicator. 

“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI, which maintains the country's no-fly list, a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he informed. 

No-fly list

The exposed data belongs to the people who are suspected as terrorists but have not necessarily been charged with any crime. "If it falls in wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list," Diachenko said. 

Prior to 2015, the terrorist watchlist was completely confidential. Then the US government modified its policy and began privately informing US citizens who were added to the list, but foreigners still often can't find out whether they're on the no-fly list until they try to board a plane. 

Several media reports suggest that the US officials are recruiting informants in exchange for keeping their names off the no-fly list. Some past or present informants' identities could have been exposed. The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.

The discovery of the exposed records comes just a month after the DHS, the Department of Justice, and other federal agencies -- launched a new website with the sole motive of combating the threat of ransomware.

Indian Startup Exposed Byju's Compromised Server Data

 

Salesken.ai, an Indian-based technology secured a compromised server that was leaking out private and sensitive data on one of its clients, Byju's, a startup and one of the leading educational startups. The server was left uncompromised since June 14, says Shodan, who provide the historical data. Shodan is a search engine for compromised devices and databases. Anyone could access the server data as it was left without the password. 

The compromised server was discovered by security researcher Anurag Sen, who also asked for assistance from Tech Crunch. "WhiteHat Jr. spokesperson Sameer Bajaj said the company is currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies," reports Tech Crunch. Salesken.ai offers companies like Byjus customer-relationship technology. It is a Bangalore-based start-up that recently raised $8 Million in Series. 
Funding from Sequoia Capital India in 2020, after two years of its founding. 

Most of the data stored in the compromised server containing information related to an online school that teaches coding to students in India and the U.S. Byjus bought Whitehat for $300 Million last year. The server had the names and addresses of the students and the email addresses and contact numbers of the parents and teachers. Besides this, the exposed server contained other data related to students, such as chat logs between parents and staff, and remarks given by teachers to their students. The compromised server also contained email copies that had reset codes for restoring accounts and other data pertaining to Salesken.ai. 

Co-founder and chief executive at Salesken.ai, Surga Thilakan says the company is currently investigating the issue but didn't disclose any information related to what kind of data was exposed in the compromised server. "Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India-based end-of-life sales logs for a fortnight." Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device," reports Tech Crunch.

Cloud Misconfiguration is Still the Leading Source of Cloud Data Violations

 

Almost everybody by now is workings from home and 84 percent are worried that new security vulnerabilities have been generated with the quick move towards 100 percent remote working. 

Cloud service providers built their administration panels' user interface purposefully to mislead consumers and charge for more services than originally intended. 

Although it was never demonstrated as a systematic business strategy, reports and alerts of a data breach have overwhelmed the internet in recent years since a cloud-based database has indeed been misconfigured and confidential information ultimately leaked. 

Throughout the past month, Censys, a security company that specializes in census-like inspections on the internet, looked closely at the cloud-based services, hoping to uncover what the best potential origin of misconfiguration might be for cloud-based businesses. As per the study, Censys has found over 1.93 million cloud server databases that have been displayed publicly without even any firewall or other authentication measures. The security company arguments that threat actors will discover and target these databases utilizing older vulnerability exploits. In addition, if the database was unintentionally leaked, it could also use a weak or even no password at all, disclosing it to all those who have detected its IP address. 

Censys reported having been used to scan MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle and that nearly 60 percent of all disclosed servers were MySQL databases which represent 1.15 million of the 1.93 million overall exposed DBs. 

The security agency also searched to find ports that could also be exposed by clouds service as they are normally used for remote management applications like SSH, RDP, VNC, SMB, Telnet, Team Viewer, and PC Anywhere. Censys retained that access to all these remote managing port must not be easily discovered but rather secured by Access Control Lists, VPN tunnel, or other traffic filtering solutions, although the underlying cause of these applications is that the systems can be remotely logged into. 

Another very significant discovery was indeed the virtual exposure of the RDP login screens by more than 1.93 million servers. 

Microsoft and several others have also indicated that many violations of security have also been caused by attackers obtaining access to an enterprise through compromised RDP credentials. Which included attacks on a broad range of actors, including DDoS botnets, crypto mining activities, ransomware gangs, and government-funded actors. 

Most organizations do not operate internally with just one cloud services provider infrastructure, but instead use several solutions, many of which might not have the same access or default settings, allowing several systems to become accessible even though IT personnel are not supposed to do so. While some cloud providers have taken measures to improve their dashboards and to clarify how those controls operate, the wording of each cloud provider is still substantially different, and some system administrators are still often confused. 

Censys said, “it expects the issue of misconfigured services to remain a big problem for companies going forward.”

Tala Research Shows that European Telecommunication Websites Expose Sensitive Customer Data

 

In 7 EU countries, Tala assessed the websites of the leading MSPs for the European top mobile providers, data exposure is a major unacknowledged concern. Analysis of Europe's leading mobile providers' websites by Tala Security shows that critical information has been at risk of over-sharing and attack — with few appropriate security measures in place to discourage it. Tala Security's recent study reveals that data exposure is a real concern for Europe's leading mobile companies and by extension for more than 253 million customers who register up and share personal information. The main issue is the insecure website supply chains. 

For many valid reasons, European Telecommunication companies collect sensitive information as part of the digital sign-up procedure, including passport numbers, payment slips, and bank account details. The analysis by Tala shows that European Telco sites do not have enough protection against third-parties risk but also uncover them to other serious risks by using numerous third-party JavaScript integrations. Without command, all websites that have JavaScript code from each owner's website including the supply chain vendor can alter, grab, or release information via JavaScript facilitated client-side attacks. The average JavaScript integration among Telecommunications companies was 162 in the group; this is a very high risk of over-sharing and data visibility. If website owners do not protect sensitive data when entered on their websites, they actually do not leave it suspended; the only reason why it is not stolen is that criminals did not use it. 

“In many cases, data sharing or exposure takes place via trusted, legitimate applications on the allow list —often without the website owner's knowledge,” said Deepika Gajaria, VP of Products at Tala Security. 

Forms used to collect credentials, banking information, passport numbers, etc. are revealed to an average of 19 third parties at considerable risk through form data exposure. No responsive website protection was established on any of the sites. On a scale of 100 with a score of 50 at an average, the website average was only 4.5. 100 percent of the most widespread website attack that frequently led to a significant sensitive leakage in the data is cross-site scripting (XSS). 

“European Telco’s routinely collect sensitive data like passport scans, banking details, address, and employment information. When website owners fail to effectively secure data as it is entered into their websites, they’re effectively leaving it hanging, an accident waiting to happen,” said Gajaria.

Adorcam Leaks Thousands of Webcam Accounts

 

A webcam application installed by a huge number of clients left an uncovered database loaded with client information on the internet without a password. The Elasticsearch database belonged to Adorcam, an application for viewing and controlling a few webcam models including Zeeporte and Umino cameras. Security researcher Justin Paine found the data exposure and reached Adorcam, which secured the database. Adorcam application is specially built for the P2P IP camera series. The clients just need to enter the camera ID and password to watch real-time video from any bought IP camera on their cell phone and no complicated IP or router settings are required. 

Paine said in a blog post shared, that the database contained around 124 million rows of information for the several thousand clients, and included live insights concerning the webcam —, for example, its location, whether the microphone was active, and the name of the WiFi network that the camera is connected to — and information about the webcam owner, such as email addresses. Paine additionally discovered proof of the camera uploading captured stills from the webcam to the application's cloud, however, he was unable to confirm since the links had expired. 

He likewise discovered hardcoded credentials in the database for the application's MQTT server, a lightweight messaging protocol often used in internet-connected devices. Paine didn't test the credentials (as doing so would be unlawful in the U.S.), yet alerted the application creator about the vulnerability, who at that point changed the password. Paine checked that the database was updated live by signing up with a new account and looking for his data in the database. Albeit the information was restricted in sensitivity, Paine cautioned that a malevolent hacker could create persuading phishing emails, or utilize the data for extortion. 

In his report on the matter, Paine pointed out that the data contained in the database distinguished between Adorcam's Chinese clients and its clients outside of China, saying, “One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example: request_adorcam_cn_user vs. such as request_adorcam_abroad_user. Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.”

Personal data of one million Moscow car owners were put up for sale on the Internet


On July 24, an archive with a database of motorists was put up for sale on one of the forums specializing in selling databases and organizing information leaks. It contains Excel files of about 1 million lines with personal data of drivers in Moscow and the Moscow region, relevant at the end of 2019. The starting price is $1.5 thousand. The seller also attached a screenshot of the table. So, the file contains the following lines: date of registration of the car, state registration plate, brand, model, year of manufacture, last name, first name and patronymic of the owner, his phone number and date of birth, registration region, VIN-code, series and number of the registration certificate and passport numbers of the vehicle.

This is not the first time a car owner database has been leaked.  In the Darknet, you can find similar databases with information for 2017 and 2018 on specialized forums and online exchanges.
DeviceLock founder Ashot Hovhannisyan suggests that this time the base is being sold by an insider in a major insurance company or union.

According to Pavel Myasoedov, partner and Director of the Intellectual Reserve company, one line in a similar archive is sold at a price of 6-300 rubles ($4), depending on the amount of data contained.
The entire leak can cost about 1 bitcoin ($11.1 thousand).Information security experts believe that the base could be of interest to car theft and social engineering scammers.

According to Alexey Kubarev, DLP Solar Dozor development Manager, knowing the VIN number allows hackers to get information about the alarm system installed on the car, and the owner's data helps to determine the parking place: "There may be various types of fraud involving the accident, the payment of fines, with the registration of fake license plates on the vehicle, fake rights to cars, and so on."

Against the background of frequent scandals with large-scale leaks of citizens data, the State Duma of the Russian Federation has already thought about tightening responsibility for the dissemination of such information. "Leaks from the Ministry of Internal Affairs occur regularly. This indicates, on the one hand, a low degree of information security, and on the other — a high level of corruption,” said Alexander Khinshtein, chairman of the State Duma Committee on Information Policy.