The target: Flight booking site, Option Way.
The take: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data personally identifying information is a ripe target for identity thieves.
The attack vector: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data includes names, dates of birth, gender, e-mail addresses, phone numbers and addresses - a ripe target for identity thieves.
Companies must evaluate their ‘attack surface’ across servers/firewalls and third-party services to ensure that their data is secure and should continuously monitor infrastructure to be assured that changes do not result in exposure of sensitive information.
New York Post: The New York Attorney General sued the retail chain formerly known as Dunkin Donuts for its handling of a cyber-security lapse that gave hackers access to hundreds of thousands in store credit that could only be used to buy crullers and other Dunkin products.
CityAM: Phishing emails are a major concern in cyber security. Some, like that message, are intended to trick the recipient into revealing sensitive information, while others are used to install malware onto someone’s device – sometimes without their knowledge – or can even lead to a ransomware attack, where the user is locked out of their system unless they fork over cash to the perpetrator.
ZDNet: Companies that fall victim to cyberattacks and data breaches often come in for criticism, but one of the best things an organisation can do to ensure it remains protected against the impacts of a hacking incident is to take advantage of the expertise of cybersecurity professionals who've faced a major attack.
CNet: California is poised to enact the country's most stringent privacy law on Jan. 1, but the driving force behind the California Consumer Privacy Act wants privacy rights in the state to be even stronger.
IOL: According to reports, Africa’s Fintech ecosystem has surged 60 percent in the last two years and the continent’s Fintech firms have grown to 491 from 301 in 2017, with $132.8 million raised in 2018, making last year the sector’s best year yet - and proving the sector’s readiness given the high mobile phone penetration levels and the boom in mobile financial services and payment technologies.
Bloomberg: A Russian hacker admitted Monday that he executed the largest known cyber-attack against a U.S. bank, pleading guilty to charges that he stole data on more than 80 million clients of JPMorgan Chase & Co. and other institutions that netted hundreds of millions of dollars in ill-gotten gains.
CNN: Twenty-seven countries have signed a joint agreement on what constitutes fair and foul play in cyberspace — with a nod toward condemning China and Russia.
The target: Scotiabank, a major Canadian based banking institution
The take: Login keys to backend systems, internal source code of mobile apps, software blueprints, and credentials for a database of foreign exchange rate data.
The attack vector: The data in question was left accessible on a non-secured public repository, GitHub. Analysis of the leaked data could provide numerous and deep exploitations and vulnerabilities.
Source code repositories, like file storage repositories, must be correctly configured to ensure that sensitive data remains internal and accessible only by authorized parties. Default permissions or accessibility settings must always be reviewed before sensitive data is committed to storage.
Forbes: Acronis, a data protection and storage company, achieved unicorn status on Wednesday with a $147 million funding round led by Goldman Sachs. The company’s first major injection of cash boosts its valuation to more than $1 billion, according to CEO and founder Serguei Beloussov.
The Sydney Morning Herald: Australians who have had their super accounts drained by crime gangs will be fully compensated as some of the country's biggest funds ramp up cyber-security in the wake of an alleged $10 million international identity theft scam.
LA Sentinel: Los Angeles Mayor Eric Garcetti today announced L.A. Cyber Lab’s new Threat Intelligence Sharing Platform, as well as a free mobile app that will help people detect malicious email. Garcetti said this makes Los Angeles the first city in the nation to release a publicly available threat-sharing platform and cybersecurity app.
SecurityWeek: Researchers at vpnMentor said the problem stemmed from an unsecured server located in Miami that contained information on over 20 million individuals, most of whom reside in Ecuador. The small South American nation is home to just over 17 million people, meaning nearly everyone could have been exposed.
University Affairs: Universities in Canada are joining the growing ranks of global cybercrime fighters. In June alone, three universities – Ryerson University, the University of Waterloo and the University of New Brunswick – announced initiatives to increase the country’s cybersecurity capacity.
The Strait times: Global cyber security firms, large and small, that set up base in Singapore to grow their businesses and capabilities can tap the Republic's technical prowess, skilled manpower and networks, Senior Minister Teo Chee Hean said.
CBR: Improving cybersecurity is now top of the technology investment agenda at banks, according to an annual survey conducted by Lloyds Banking Group: climbing above reducing operating costs and improving customer satisfaction – last year’s priorities.
The target: Monster.com, a popular job posting website service.
The take: Personal information of hundreds of job applicants dating between 2014 and 2017 including: resumes, phone numbers, email addresses, home addresses and work history.
The attack vector: A customer of Monster.com, a third-party recruitment company, misconfigured a publicly-accessible web server, leaving records exposed.
A firm’s security posture is only as good as its weakest link - sub-contractors and third parties with access to sensitive data are possible sources of data leakage and must be held to a firm’s own security standards.
Business Irish: Justice Minister Charlie Flanagan has admitted that the Government cannot deal with the threat of cyber-attacks on its own. Speaking this morning at the Secure Computing Forum cyber security conference at Dublin's RDS, the Minister stressed that Ireland needs to stay ahead of the growing number of cyber-criminals.
Cision: Nearly two-fifths of European businesses have knowingly fallen victim to a cyberattack in the last five years, with 64% admitting that they may have been hacked unknowingly. This is compounded by a sense of apathy and acceptance, as 62% of respondents believe hackers are more sophisticated than security software developers.
The Australian: Australia’s banks and universities are being forced to fight off increasingly sophisticated cyber attacks, and NAB is responding through a new strategic partnership with La Trobe University to be finalized on Tuesday.
Cision: KeyData Associates Inc. (" KeyData"), a leading provider of cybersecurity services, announced today that it has been selected by the Government of Canada's Shared Services Canada (SSC) to provide security technology solutions and systems integration services to address the Privileged Access Management (PAM) requirements of the Government of Canada's cybersecurity strategy.
The Telegraph: Ripjar, a start-up headquartered in Cheltenham and backed by British hedge fund billionaire David Harding, saw its losses for 2018 climb to £3.7m from £1.9m the previous year. Administrative expenses rose to £5.6m from £3.2m in 2017, despite a 30.6pc increase in turnover to £2.6m.
Reuters: Private equity firms Permira and Advent International Corp have proposed a deal to buy Symantec Corp for more than $16 billion after the cyber security company agreed to a sale of a big chunk of its business.
Tulsa World: The FBI is investigating a cybertheft of $4.2 million from the state’s pension fund for retired Oklahoma Highway Patrol troopers, state agents, park rangers and other law enforcement officers.
The Target: Facebook, the social media giant.
The take: 419 million records which contained user’s unique Facebook ID and their associated phone numbers, as well as names, gender and country.
The attack vector: A server containing the data was left unsecured and publicly accessible. Facebook justified the security breach by explaining that the records were ‘old’, and believe that the user accounts in question were not compromised as a result of the breach.
Data breaches are a liability, regardless of whether or not the leaked data is in its most current form. Backups, replicates, and otherwise non-production datasets must be protected with the same encryption and protections to prevent the loss of sensitive information.
The Paypers: A Brazilian criminal gang has cloned Mastercard debit cards issued by German bank OLB and withdrew more than EUR 1.5 million from about 2,000 of its customers. Criminals have stolen the funds by cloning customer debit cards and then cashing out user funds across Brazil, despite the original cards being protected by EMV (chip-and-PIN) technology.
AGIO: In the context of cybersecurity, social engineering can best be defined as the use of deceptive tactics to prompt individuals to grant access or disclose information for fraudulent or malicious purposes.
ZDNet: Criminals are using AI-generated audio to impersonate a CEO's voice and con subordinates into transferring funds to a scammer's account. So-called deepfake voice attacks could be the next frontier in a scam that's cost US businesses almost $2bn over the past two years using fraudulent email.
The Globe and Mail: Lack of candidates who are able to prevent data breaches means agencies, businesses and customers are left vulnerable to attacks.
Business Standard: The 'Digital India' and 'New India' mission has been offered an essential impetus by an Indian Ethical hacker, Khushhal Kaushik. His passion, drive and burning desire to 'go the extra mile', has helped him strengthen India's stature in the global cyber security industry. Conventionally, western countries have always ruled the cyber security domain.
ZDNet: Business email compromise (BEC) has overtaken ransomware and data breaches as the main reason companies filed a cyber-insurance claim in the EMEA (Europe, the Middle East, and Asia) region last year, said insurance giant AIG.
Security Magazine: In a blog post, Imperva said its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula suffered a data exposure incident. On August 20, Imperva learned from a third party of the data breach that impact Cloud WAF product who had accounts through September 15, 2017.