Hyperscale operators are defined as enormous companies like Amazon, Apple, Facebook and Google that need to provide computing on a massive scale. You would think that there would be a limited number of this type of highly specialized data center, but recent research from Synergy Research found that 2017 was actually a breakout year for new hyperscale data centers across the world — with…
Security researchers at UpGuard recently made a terrifying discovery: an unprotected Amazon S3 storage server containing several databases belonging to a data analytics provider called Alteryx.
While the server contained a variety of databases, the two that are of biggest concern belonged to Alteryx’s business partners, Experian and the US Census Bureau.
Of these, far and away the most damaging database was the one belonging to Experian. As a credit reporting agency, Experian has access to just about everything that relates to your personal finances. In addition to your address, they’ve got details on how many credit cards you have, what your average balances on each one are, what your credit limit is, the state of your mortgage and more. All of that information was sitting on a completely unprotected server that literally anyone could access.
The scope and scale of the database are almost beyond comprehension: it contains more than 3.5 billion financial details on more than 123 million US households. That’s almost every household in the country.
It’s not much of a silver lining, but the database did not contain any names. Having said that, since address information was present, linking an address with the name of the current occupant is a trivial task for any hacker.
At this point, it’s unclear if anyone other than the UpGuard researchers downloaded the databases, but ultimately, it doesn’t matter. The simple fact that so much information on so many American households was left unguarded means that virtually every person in the country is now at risk of identity theft.
At the root, this is a problem of standards. Contractors like Alteryx simply do not adhere to the same security standards as the company or agency charged with the responsibility of safeguarding the data in the first place (Experian and the US Census Bureau, in this case). Given that, it was only a matter of time before a mishap of this scale occurred.
At this point, there’s really nothing you can do but be mindful that your personal information may have been compromised, and stay vigilant.
How many apps do you have on your smartphone? Do you know how much data they’re collecting about you?
Most people have scores of apps installed (and often hundreds), even if they only use a few on a regular basis, and shockingly, most users have no idea just how much information those apps are collecting about them.
However much you imagine, the answer is probably “more.”
This point was driven home painfully by a recent discovery by a team of researchers at the Kromtech Security Center. They found a completely insecure database online, a staggering 577GB in size, owned by an Israel-based startup called AI.type, makers of a virtual keyboard app of the same name.
The information it contained is simply mind boggling.
Not only does it contain personal information on 31 million of the app’s 40 million users, but the database contents reveal just how intrusive AI.type actually is. The data includes:
- Each user’s full name, email address and phone number
- What OS version the user is using (AI.type is only available to Android users)
- Each user’s nation of residence, mobile network name and what languages each user has enabled
- IP and GPS location data
- All information included with each user’s social media profiles, including birthdays, photos, posts, etc.
- Each user’s device name, the make and model of their smartphone and screen resolution
As if that wasn’t enough, the research team also discovered that each user’s contact list had been scraped (including names, email addresses and phone numbers), and that the company was tracking a whole range of internet behaviors, including Google search queries, the number of messages sent per day, the average length of those messages and more.
Obviously, there’s no reason that a simple keyboard app needs this level of information on its users. The only possible explanation is that it’s being collected for resale. If you use the app, be aware that the company knows almost everything about you and everyone you’ve been in contact with on your phone, and now, so do a lot of other people who don’t have your best interests at heart.
Most people agree that the use of USB drives increases efficiency and boosts productivity, which goes a long way toward explaining their popularity, but these handy little drives can also be problematic.
According to a recently published survey by Apricorn, 87 percent of employees surveyed report that they have lost or had a USB drive stolen and failed to notify their employer. Worse, 80 percent of employees surveyed reported using non-encrypted USB drives that they’ve often acquired for free at trade shows or conferences.
The fact that these drives are unencrypted is bad enough, but there’s another, even more frightening dimension to the problem. Such drives could be pre-loaded with malware, which could easily make it onto your company’s network the moment they’re connected to any office machine.
Apricorn had this to say about the results of the survey:
“With the ever-increasing amount of data breaches and compromises, companies need to carefully monitor what data is being created in their organizations, and what is leaving.
Government, healthcare, finance and education industries have access to copious amounts of sensitive information and most of these industries are using USBs without advanced permission. Not only are these companies leaving themselves vulnerable, they are placing their customers’ and employees’ data at risk.”
Although the company notes that there is an awareness of the damage that lost or compromised data can cause, not much is being done about preventing that loss, at least where the use of USB drives is concerned. According to the survey, fully half of the respondents indicated that they didn’t need to seek permission to use a USB drive to copy or transport potentially sensitive information.
Does your company have a robust set of policies in place to control the use of USB drives? Are all the USBs used by your employees encrypted and secure? Do you have a policy in place regarding proper reporting procedures should a USB drive go missing? Important questions, all.
AWS had a successful year by any measure. The company continued to behave like a startup with the kind of energy and momentum to invest in new areas not usually seen in an incumbent with a significant marketshare lead. How good a year was it? According to numbers from Synergy Research, the company remains the category leader by far with around 35 percent marketshare. Microsoft sits well behind…
HP is in the news again. If you missed the initial story, earlier in the year it was reported that an audio driver that came pre-installed on a number of HP laptops contained keylogging code that stored every keystroke made by the person using the machine to a human-readable file. Once discovered, HP issued a patch that removed the keylogging function and deleted the data file.
Now, an independent security researcher going by the name “ZwClose” has discovered more built-in keyloggers in 460 HP Notebook models and counting.
At issue is the SynTP.sys file, which is an integral part of the Synaptics Touchpad driver that ships with a great many HP Notebooks. Although the keylogger is disabled by default, a hacker could enable it using open source tools, simply by changing a registry value.
After HP was notified, the company released a security advisory, which included the following:
“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”
Since the release of the security advisory, HP has issued a driver update that removes the code for all affected models, so from a business and security standpoint, there’s nothing to be done here.
In an era where privacy on the internet is under increasingly intense assault, however, it’s worth noting that this is the second time an issue like this has been tied to HP equipment, and that’s concerning. Privacy matters, and if you’re concerned about it, then two such issues might be enough to make you start looking at some other vendor when it comes time to start replacing or upgrading your equipment.
On the surface, the new Facebook For Kids messenger app looks like a solid win that should put the minds of parents all over the world at ease.
The company conducted extensive interviews and assembled a blue-ribbon panel of experts to help it craft the new tool, aimed at children ages 6-12. The app itself is user friendly and filled with bright, cheerful primary colors that appeal to kids, but there are problems, or, at the very least, valid concerns.
For one thing, Facebook has made no mention of how it plans to monetize its new app, other than to say that it won’t contain any advertising. It’s not difficult to imagine some possibilities, however, and none of them are good.
For another, the company essentially used scare tactics to get parents to sign their kids up for the service, saying essentially that kids are going to chat online anyway, and if they don’t use Facebook’s new offering, they are at greater risk of talking to a child predator.
Then, there’s the issue that Facebook requires the child’s full name, and behind the scenes, the app is busily mapping out the child’s social network – who his parents are, the friends of both the children and their parents and so on.
According to the company, it has no plans to turn children’s accounts into full-fledged Facebook profiles, but given the amount of data being collected, it’s not hard to imagine them offering a one-click export function that would turn these accounts into regular Facebook accounts on the day the child turns 13.
What’s most disheartening of all is the fact that the company could have chosen another, far less intrusive route. Rather than requiring the child’s full name and the establishment of a familial relationship, the app could have been nested directly under the parent’s account, with a nickname or even a colorful symbol used to denote the child. This approach would have been far less data intensive and far less intrusive.
How well the new app will be received remains to be seen, much like the long-term consequences of its launch.
Researchers from the security firm 4iQ have made a disturbing discovery on the dark web. A massive repository has been discovered that contains a staggering 1.4 billion usernames and passwords in plain text.
The repository is well organized, with each letter of the alphabet having its own directory to facilitate rapid searching. 4iQ tested a subset of the data it contains and found an alarming percentage of the usernames and passwords to be still valid.
It should be noted that this data isn’t from a new, previously unknown breach, but rather, an aggregation of data stolen from 252 previous breaches. The CTO of 4iQ, Julio Casal, had this to say about the discovery:
“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true. The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo lists that exposed 797 million records. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”
The usernames and passwords come from a wide range of sources including Runescape, Minecraft, RedBox, Badoo, Zoosh, Last.FM, YouPorn, Netflix, MySpace, LinkedIn, Pastebin, Bitcoin and many others.
What’s even worse is that as large as this collection is, it’s really just the tip of the iceberg. A shocking percentage of users have the bad habit of using the same credentials across multiple web properties, so it’s a statistical certainty that many of the passwords contained in this file will give hackers access to much more than just the web properties the passwords were stolen from.
If you’re not yet in the habit of changing your passwords on a regular basis, you should begin doing so immediately, and if you’re one of the hundreds of millions of people who use the same password on multiple sites, it’s well past time to break that habit.
Phishing attacks just got a whole lot easier.
A German security researcher named Sabri Haddouche recently discovered a set of email vulnerabilities collectively dubbed “Mailsploit.” At the root, these vulnerabilities stem from the way most email clients decode sender addresses encoded under a 1992 standard called RFC 1342.
The standard requires that every character in an email header be ASCII; any non-ASCII character is encoded instead. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the header after decoding it for malicious content.
Worse, if the decoded header contains a null byte, or two or more email addresses, the only address a vulnerable client reads is the one that precedes the null byte, or the first valid email address it encounters, so an attacker-chosen address can be shown in place of the real sender.
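As an added illustration (not code from the original article or from Haddouche’s research), the following Python checker decodes RFC 1342/2047 encoded-words in a From header, shows the truncation a vulnerable client performs at a null byte, and flags decoded text that should never appear in a sender header. The sample headers, the example.org/other.example domains and all function names are constructed for this example.

```python
import base64
import quopri
import re

# RFC 1342 (now RFC 2047) encoded-word: =?charset?B|Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_encoded_words(header: str) -> str:
    """Decode every encoded-word in a header value into plain text."""
    def _one(match):
        charset, enc, text = match.group(1), match.group(2).upper(), match.group(3)
        if enc == "B":
            raw = base64.b64decode(text)
        else:  # "Q" encoding: quoted-printable, underscores stand for spaces
            raw = quopri.decodestring(text.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_one, header)


def naive_display_name(header: str) -> str:
    """Mimic a vulnerable client: decode, then stop at the first NUL (C-string behaviour)."""
    return decode_encoded_words(header).split("\x00", 1)[0]


def check_from_header(header: str) -> dict:
    """Decode a From header and flag content that should never come out of an encoded-word."""
    decoded = decode_encoded_words(header)
    reasons = []
    if "\x00" in decoded:
        reasons.append("NUL byte after decoding")
    if "\r" in decoded or "\n" in decoded:
        reasons.append("line break after decoding (header injection)")
    # The display name is everything before the real <addr-spec>; it must not look like an address.
    display, _, _ = decoded.rpartition("<")
    if "@" in display:
        reasons.append("address-like text inside the display name")
    if decoded.count("@") > 1:
        reasons.append("more than one address in a single From header")
    return {"decoded": decoded, "suspicious": bool(reasons), "reasons": reasons}


def b64_word(text: str) -> str:
    """Helper used only to build the constructed samples below."""
    return "=?utf-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


# Constructed samples (not real messages): a benign header and one that hides a
# NUL-terminated address inside the display name, as the article describes.
BENIGN_FROM = b64_word("Alice Example") + " <alice@example.org>"
SPOOFED_FROM = b64_word("ceo@trusted.example\x00") + " <someone@other.example>"

if __name__ == "__main__":
    for h in (BENIGN_FROM, SPOOFED_FROM):
        print(repr(naive_display_name(h)), "|", check_from_header(h)["reasons"])
```

A mail gateway or client that rejects or quarantines headers for which `check_from_header` reports `suspicious` closes the decoding hole the article describes, regardless of how the display name was encoded.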
The email clients vulnerable to this type of attack include:
- Apple Mail
- Mail for Windows 10
- Microsoft Outlook 2016
- Mozilla Thunderbird
- Yahoo! Mail
- AOL Mail
And many others. Haddouche notes, however, that Gmail is unaffected by the exploit.
There are two ways a hacker can use Mailsploit. First and most obvious to the eye is the fact that it can be used to spoof an email address, making it appear to be from someone you know, which, of course, has the impact of making it much more likely that you’ll click on any links embedded in the body of the message.
Secondly, and potentially even more troubling, is the fact that the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.
Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.
Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.
Your IT staff’s job just got a whole lot harder.
4 Tips to Protect Against Cyber Thieves During the Holidays
It’s the busiest time of the year for shopping. Americans are on pace to exceed last year’s record-setting online holiday spending, while cyber thieves are also on track to exploit those digital processes with newly developed viruses, and highly sophisticated malware. Consumers who want to benefit from the sales without losing their shirts to thieves should be prepared for what will undoubtedly be an eventful holiday shopping season.
High Holiday Expectations
During the 2017 holiday season, Americans are expected to spend more than 3 percent more on gifts and goodies than they did last year, averaging a total of $967 per shopper. And for the first time, online buying is expected to surpass traditional mall wandering.
Consumers are also expected to rely more than ever on their digital devices to seek out and complete their purchases. In many cases, however, mobile devices do not provide the same level of security that desktop or laptop computers have, making those users vulnerable to a higher-than-normal risk of cybertheft.
High Holiday Security Needs
So, since it is certain that cyber thieves will also be using the latest and greatest in security-breaching tools to up their thieving game, shoppers who plan to use any digital tool, mobile or fixed, should follow four basic steps before getting started:
1. Update Everything
Web browsers, operating systems and banking apps periodically release updates with improved security measures. Figure out which programs will be used for online shopping purposes and be sure to have the most up to date version installed before starting your holiday shopping.
2. Update Your Passwords
2017 has been a year filled with headlines surrounding major breaches. Chances are that if you have not changed your password over the last 6 months your information could be floating around the Dark Web. Change your password, if only for the holiday season while attackers will be the most active. The action may prove especially beneficial when digital devices automatically access banking information. Highly secure passwords include letters, numbers and symbols; highly secure shoppers use a unique password for each account.
3. Add Additional Layers of Authentication
After the password, authentication layers add increasing complexity to account access and can alert you to most hacking attempts. Some sites will text or email an access code through which that one and only transaction can occur. Other sites ask for data specific to the shopper such as the name of their first cat or favorite childhood friend. Consumers should always reply affirmatively when given the option to require additional authentication before each account access.
4. Ensure the Website Is Secure Before Shopping
Of course, retailers are also highly sensitive to the possibility of digital hacking on their sites. Merchant giants such as Target, TJ Maxx and eBay have all paid out millions of dollars to consumers whose data was stolen after shopping on their e-commerce sites. Consequently, many have added security features specifically to protect their patrons, one of which is the little green padlock at the front of the URL that denotes the site is secure. A safe site is also indicated when that URL begins with HTTPS instead of just HTTP.
Ensuring proper “cyber hygiene” is a process, not an event, and every consumer and corporation benefits when they exercise safe browsing and computing practices all year round. However, by employing these tips throughout the holiday shopping season, consumers make themselves a more difficult target and reduce their chances of becoming a victim as we enter the new year!