このブログ投稿では、2017年に起こった22の最も重要な違反を収集しました。すべてのレポートは、MacKeeperブログで「最もホットな」セキュリティとデータ侵害に関するレポートを提供するためにMacKeeperと提攜したデータ侵害ハンターによって行われました。

これは、一連のデータ侵害レポートの2番目の投稿です。ここにアクセスして、2016年のデータ侵害レポートアーカイブを読んでください。

レポートを読むには、データリーク名をクリックしてください。

• Militarysleep.org違反
• 世界レスリングエンターテインメント300萬の電子メールリーク
• HARAK1R1 0.2ビットコインランサムウェア攻撃
• Spasurgica：カナダの整形手術(shù)の顧客の記録リーク
• 通訳無制限：従業(yè)員と顧客の個人データが漏れます
• Telemarketing Companyは、4萬人近くの機密ファイルをリークしています
• IndyCarデータリーク
• ピップ印刷およびマーケティングサービスのデータリーク
• INTL空港での大規(guī)模な違反
• Amazon AWSの問題がインターネットを倒します
• MacKeeper Security Researchersは、米國空軍データを敏感に発見します
• 校舎のデータ侵害
• レポート：313の大規(guī)模なデータベースが公開されました
• Auto Financing Companyは、500kの顧客の情報をオンラインでリークします
• グローバル通信ソフトウェア：オンラインで膨大な量のデータ
• メキシコの観光稅還付會社：顧客記録のリーク
• MacKeeper Research Centerは、大規(guī)模なElasticsearch感染マルウェアボットネットを発見します
• 自動追跡會社は數(shù)十萬の記録をオンラインでリークします
• Verizonワイヤレス従業(yè)員：機密データのオンライン露出
• レポート：仮想キーボード開発者は、3100萬件のクライアントレコードをリークしました
• アシュリー?マディソンのプライベートな寫真は口コミになりました
• レポート：サイバー犯罪者は、カリフォルニア州の有権者データベースを盜む

本質(zhì)的な読書とツール：

• Macセキュリティガイドを使用すると、MacOSセキュリティ設(shè)定に深く潛ります
• リアルタイムでMacを守るMacアンチウイルスを入手してください
• インターネットを使用するたびに安全な接続があるようにMac用のVPNをインストールする
• Mac所有者向けのマルウェア削除ガイドでは、さまざまな種類のマルウェアを削除する方法を示します
• マルウェアガイドのためにMacを確認する方法は、Macからマルウェアを見つけて削除する方法を教えてくれます
• あなたのメールがデータ侵害に屬しているかどうかを確認するために私はpwndを?qū)g行しました
• データ侵害を防ぐ方法についてのガイドを読んで數(shù)分かかります

Militarysleep.org違反

Militarys Sleep.orgは、ユーザーがアカウントを作成し、治療オプションについて話し合い、睡眠障害について質(zhì)問することができる患者ポータルです。 MacKeeper Security Research Centerの研究者は、睡眠障害に苦しむ何千人もの軍事退役軍人の私的な醫(yī)療データを含む公開されているMongoデータベースを発見しました。

データベースには、1,300を超えるメッセージ（患者と醫(yī)師の間のデリケートな通信）を含む合計2つのギグデータベースと、名前、電子メール、個人の細胞番號、暗號化されていないパスワード、軍事履歴/サービスランクなど、1,200人以上のユーザーの個人データが含まれていました。発見された最も有害な情報は、患者が経験している敏感な醫(yī)學(xué)的問題について質(zhì)問することで、コミュニケーションが機密であると信じている保存されたメモとチャットログです。電子メールアドレスの多くは @us.army.milであり、アクティブな兵役と以前の兵役の両方のメンバーの両方を扱うことができます。

醫(yī)療プライバシーは市民と軍の退役軍人の両方にとって非常に重要であり、診斷と治療について詳細が漏れている場合、現(xiàn)在の雇用、將來の雇用、セキュリティクリアランス、またはその他の生活分野に影響を與える可能性があります。さらに悪いことに、雇用主が漏れた醫(yī)療記録や病気の可能性に基づいて、申請者または従業(yè)員を差別することができるという恐怖。これが、醫(yī)療記録を保護することが非常に重要であり、サイバーセキュリティのすべてのステップをとらなければならない理由です。

このサイトは、メリーランド州に本拠を置くエマーソン?ウィックワイヤー博士に登録されています。そして、彼の個人的なウェブサイトによると、「私の研究関心は、身體と脳の治療、最も一般的な睡眠障害、特別な集団の睡眠、ベストプラクティスの普及などの睡眠を含む生物行動の睡眠プロセスに焦點を當(dāng)てています。」

幸いなことに、このデータベースは、HARAK1R1の犠牲になりませんでした。開発者からの言葉やコメントはありませんが、データベースに電子メール通知を送信した直後にデータベースに閉鎖されました。

その違反をカバー/確保するのを支援してくれたDataBreaches.netからの反対に感謝したいと思います。ここで彼女の話を必ず読んでください。

Militarys Sleep.orgデータベースは、同様に誤って構(gòu)成されたMongoデータベースが感染し、すべてのデータを削除して0.2ビットコインの身代金を削除してファイルを回復(fù)した1日後に発見されました。この不幸なデータリークは、HARAK1R1ビットコインランサムウェアによって削除されることからデータを保存しただけかもしれません。今週初め、MacKeeper Research Centerは、Emory Healthcareに接続されたデータベースが推定されていることを発見しました。

世界レスリングエンターテインメントは300萬通のメールをリークします

World Wrestling Entertainmentは、WWEは人気のあるアメリカのエンターテイメント會社であり、プロレスレスリングのプロモーターとしても知られています。レスリングは主な焦點ですが、映畫、音楽、ビデオゲーム、製品ライセンス、直接製品販売などから収益を得ています。

今週、MacKeeperのセキュリティ研究者は、WWEマーケティングの目的で特別に第三者機関によって収集された大量の情報を含む2つのオープンで公開可能なAmazon S3バケツを発見しました。すべての情報の約12％（いくつかのギガバイト）が「公開」アクセスに設(shè)定されており、インターネットに接続して表示およびダウンロードする人が利用できると推定しています。

WWEリークに含まれるデータ

最初のセキュリティでは、Amazon S3バケットには、TXTファイルに電子メールの大きなグループが含まれていました。データは2014年から15年までで、教育、年齢と人種、子供の年齢、子供の性別を?qū)い亭毪长趣摔瑜?、ファンの名前、電子メール、物理的な住所、ファンの人口統(tǒng)計調(diào)査の結(jié)果が含まれています。記録の合計數(shù)は3,065,805人で、研究者は複製があるかどうかを確認し、サンプリングにはそれらがすべてユニークだったようです。

3Mレコードのデータフィールド：

すべてのスクリプトと間違いなく段階的な試合にもかかわらず、彼らは大規(guī)模なファンベースとフォローを持っています。 WWEは米國だけで毎週1500萬人のファンに監(jiān)視されており、2016年に彼らは中國に拡大していると発表しました。

パブリックアクセスで保存されているアーカイブの1つには、別のWWE関連のバケット名を含む構(gòu)成ファイルも含まれています。

2番目のバケットは、パブリックアクセスのために部分的に（データの約12?15％）設(shè)定されており、2016年からの數(shù)十萬人のヨーロッパの顧客の請求詳細（住所、ユーザー名など）を含む、マーケティングと顧客データの別の巨大な部分を含んでいました。

ドキュメントには、WWEソーシャルメディアアカウントのソーシャルメディアトラッキングを備えたスプレッドシートも含まれています。これには、YouTubeのように、毎週のプレイ、シェア、コメント、およびソーシャルメディアとファンの相互作用を測定する方法をより詳細に見ています。このリストは國ごとに分類されていたため、広告やローカライズされたコンテンツをよりよくターゲットにできると想像できます。

また、WWEに関連する指定されたキーワードの検索結(jié)果として保存されたTwitterの投稿の大きなキャッシュが見つかりました。

大手エンターテインメント企業(yè)は、この種のものを公に共有することはないので、WWEがビッグデータを使用してファンベースとそれらが生成するコンテンツを理解する方法についてはまれです。

両方のバケットは、最初のバケットにあるWWE Corp開発者のメールに通知メッセージを送信してから數(shù)時間以內(nèi)に保護されました。ただし、これらのデータが公開されている期間、情報の公開、および現(xiàn)在データベースにアクセスしたIPアドレスの數(shù)について、回答やフィードバックは受け取られませんでした。

グローバルなエンターテインメント組織であるにもかかわらず、非公開會社の舞臺裏の內(nèi)部の仕組みについてはほとんど知られていません。いくつかの推定によると、WWEは価値があると評価されています40億ドルです。フォルダーの多くは保護されており、外部アクセスを許可しませんでした。レスラーやスタッフに関する情報はアクセスできませんでしたが、ファンのメール、名前、その他のデータのリークは、サイバーセキュリティのモーニングコールです。

このニュースは、WWE Divasのリークしたヌード寫真を含む一連のハッキングの直後に、さらには英國のスーパースターペイジが関與するセックステープスキャンダルでもあります。また、ハッキングされたのは、WWEスターのMaryse、Victoria、およびAlexia Blissでした。

注意 - この記事の一部は、適切に參照され、MacKeeper Security Research Centerにクレジットが與えられた場合、公開に使用できます。

0.2ビットコインランサムウェアのHARAK1R1の別の犠牲者

ご存知かもしれませんが、醫(yī)療記録は連邦法および州法の下で米國で保護されています。病院、醫(yī)師、保険會社は、醫(yī)療記録がオンラインで漏れている場合、大きな罰金や罰則に直面する可能性があります。 2016年12月30日に、MacKeeper Security Research Centerは、患者の記録やその他の機密情報と思われる數(shù)十萬人を含む誤ったMongoデータベースを発見しました。


IPはGoogle Cloudでホストされ、そのアドレス（リバースIP）でホストされているドメイン名の結(jié)果がEmory Brain Health Centerを特定しました。 2017年1月3日、研究チームがデータのレビューに戻ったとき、データベースが0.2ビットコインランサムウェアのharak1R1の犠牲者であったことが特定されました。


この非伝統(tǒng)的な身代金法は、実際に被害者のデータを採取して削除し、身代金が支払われるまでそれを保持します。データはデータベースから完全に拭き取られ、最も一般的なタイプのランサムウェア攻撃のように暗號化されているわけではありません。こちらの詳細をご覧ください。


MacKeeper Security Research Centerによるデータベースの元のスキャンでは、暴露された記録の推定數(shù)は200萬を超えるように見えました！彼らは次のファイル名とレコードに分解されました。

• 「ClinicWorkFlow」には6,772のレコードが含まれていました（醫(yī)療記録番號、住所、生年月日、名前、姓）
• 「整形外科」には31,482のレコードが含まれていました（名、姓、醫(yī)療記録番號、住所、電子メール）
• 「Orthopaedics2」には157,705のレコードが含まれていました（攜帯電話、名、姓、住所、電子メール）
• 「Orthoworkflow」には168,354のレコードが含まれていました（攜帯電話、名、姓、生年月日、住所、メール）

次のメッセージはデータベースにあります。

現(xiàn)在、0.2ビットコインランサムウェアであるHARAK1R1によって抽出されたレコードとデータ収集のテキスト例。この例は、データが削除される前に取得されました。

大きな質(zhì)問：MacKeeper Security Research Centerによって発見されたデータベースが実際にEmory Healthcareに屬していたかどうか。彼らは、このデータの盜難と違反について顧客と當(dāng)局に知らせるための適切な措置を講じましたか？


databreaches.netからの異議と協(xié)力して、Emory Healthcareとのつながりを特定したり、データを回復(fù)したり患者に通知するかについてのコメントを取得するために、複數(shù)の連絡(luò)先に連絡(luò)しました。

Spasurgica：カナダの整形手術(shù)は、顧客の記録を漏らします

豊胸、インプラント、削減の寫真の前後に含まれるファイル。また、Spasurgicaは、多くの顧客がプライベートに望む幅広い整形性整形、および幅広い整形手術(shù)の選択肢も提供しています。各患者の寫真、説明、病歴は、どのタイプのデータがリークされたかについて、親密な見方をしています。これらは単なる自宅の住所や醫(yī)療記録ではなく、患者の體の親密な寫真です。また、アカウント、プリンター、その他のパスワードで保護されたログインのユーザー名とパスワードを含む、暗號化されていないテキストファイルへのアクセスもありました。

MacKeeperチームは、この調(diào)査に參加し、Mohamed Elmaraghy博士のリークオフィスに通知したDatabreaches.netからの反対に感謝しています。その後、アクセスは閉鎖されており、公開されなくなりました。 Spasurgicaから返事を聞いたことはありませんが、発見後すぐに通知メールがすぐに送信されました。

彼女の話の詳細はこちらをご覧ください。

プレーンテキストのネットワークインフラパスワード。

患者の寫真アーカイブには何百もの畫像が含まれていました。

患者の名前は畫像に関連付けられています。

醫(yī)療記録は非常にプライベートで敏感です。これは、數(shù)千のスキャンまたはファックスファイルの1つが、両親がどのように亡くなったか、そして彼女が直面したすべての主要な醫(yī)學(xué)的問題を共有しただけでなく、コカイン中毒に関する詳細も含めた患者を示していることを示しています。殘念ながら、薬物中毒と健康記録は、雇用や、雇用主が民間の病狀や課題で従業(yè)員をどのように見ているかに影響を與える可能性があります。

カナダの法律は、データリークで患者を保護しています

オンタリオ州の情報とプライバシー委員のウェブサイトによると、民間の醫(yī)療データの盜難または漏れに関する?yún)椄瘠圣抓恁互工ⅳ辘蓼埂?2004年の個人的な健康情報保護法（PHIPA）に基づき、醫(yī)師は患者の個人的な健康情報を秘密にする義務(wù)があります。また、Phipaは、患者の個人的な健康情報を盜難、損失、または不正使用または開示から保護する情報慣行を維持および遵守するための醫(yī)師に法的義務(wù)を提供します。個人の健康情報が盜まれている場合、不正な個人によって紛失、またはアクセスされた場合。

法律は、封じ込めと通知を要求しています。

プライバシー違反に直面している場合、すぐに対処する必要がある2つの優(yōu)先事項があります。

• 封じ込め：潛在的な違反の範(fàn)囲を特定し、それを封じ込めるために必要な手順を?qū)g行します。
  通知：影響を受ける個人にできるだけ早く通知する必要があります。
• 調(diào)査と修復(fù)：違反が封じ込められ、影響を受ける當(dāng)事者が通知されたら、內(nèi)部調(diào)査を?qū)g施する必要があります。

***

通訳者無制限の個人データリーク

このデバイスには、クライアント、従業(yè)員、給與データ、社會保障番號、電子メール、およびExcelスプレッドシートと.txtファイルの一部として、より機密のテキストの個人情報（當(dāng)社の推定値は4,500の記録）が含まれていました。

特別なフォルダーには、すべてのすべての従業(yè)員のすべてのサーバーアクセスの詳細、すべての電子メールログイン、パスワードが含まれていました。

Webサイトの技術(shù)管理者はWHOIS登録にリストされており、ITマネージャーに屬するデバイスに保存されている個人文書がたくさんありました。

一般的なルールとして、社會保障番號をプレーンテキストドキュメントに保存することは決してなく、名前、住所、電子メール、およびその他の識別可能な情報と組み合わせると、サイバー犯罪者に必要な情報をすべて提供します。

MacKeeperの研究者によって発見されたデータには、昨年、會社で撮影された翻訳者の數(shù)もありました。この1つの文書は、犯罪者が偽の納稅申告書を提出したり、融資を取得したり、その他の形式の詐欺を提出したりできる十分な情報を提供します。

通訳無制限は、オンサイト解釈、ビデオ、電話、その他のさまざまなサービスなどの翻訳サービスを提供します。彼らのウェブサイトによると、「私たちは「仲人」として行動し、あなたのニーズに合った最適な言語サービスを見つけます」。彼らのクライアントプロファイルには、Google、ボーイング、米國郵便サービスなどの企業(yè)が含まれます。

私たちはZDNetのZack Whittakerと一緒にこのケースに取り組んでおり、彼は會社の社長に連絡(luò)し、事件について彼に警告することができました（當(dāng)社のITマネージャーに電子メールで送信された最初の通知は気付かれないままでした）。會社は弁護士とサードパーティのセキュリティ監(jiān)査會社を募集しています。しかし、會社は、翻訳者である人々に露出を知らせます。

データは「4?6か月」とストリーミングしていたと彼は言った。

ZdnetでZack'sstoryを読むことができます。

Telemarketing Companyは、4萬人近くの機密ファイルをリークしています

MacKeeper Security Research Centerの研究者は、これまでで最大の発見の1つを作成し、數(shù)十萬のファイルが公開されています。このファイルは、フロリダに拠點を置くマーケティング會社Vici Marketing LLCに屬し、顧客が名前、住所、電話番號、クレジットカード番號、履歴書番號などを提供する數(shù)千のオーディオ録音を含みます。 2009年、VICI Marketing LLCは、フロリダ州司法長官事務(wù)所による苦情を解決するために350,000ドルを支払うことに同意しました。研究者は、罰金と罰則にもかかわらず、彼らはまだ顧客または會社のデータを確保していないことを確認し、數(shù)年前にさかのぼる日付の記録があることを確認しました。契約に基づく：差止命令の條件に違反した場合、VICIは100萬ドルの民事罰の対象となる可能性があります。


各呼び出しには、クレジットカード情報を盜むか、幅広い犯罪を犯すために必要なすべてをサイバー犯罪者に提供するのに十分な情報があります。録音の一部は、通話が記録または保存されていることを顧客に警告していません。 11の州では、録音を合法的にするために、すべての當(dāng)事者の電話または會話に同意する必要があります。これらの「二人間同意」法は、カリフォルニア、コネチカット、フロリダ、イリノイ、メリーランド、マサチューセッツ、モンタナ、ニューハンプシャー、ペンシルバニア、ワシントンで採用されています。


不適切なデータストレージまたは誤解されたデータベースは、大小の企業(yè)に発生する可能性がありますが、すでに多額の価格を支払っており、規(guī)制違反の対象となっている企業(yè)にとって、サイバーセキュリティをより真剣に受け止めるようです。盜まれた消費者情報を取得したと非難された2009年のケースでは、Viciの弁護士であるRobby Birnbaumは、「私たちにはその証拠がない」と主張しました。 2009年の和解の條件に基づき、VICIはデューデリジェンスなしでデータを取得または使用し、違法または疑わしい起源のデータを使用し、バックグラウンドデューデリジェンスなしで消費者テレマーケティングのデータへのアクセスと使用、および違法なテレマーケティングを使用することを永久に禁止されています。


MacKeeper Security Researchersが発見したファイルには、數(shù)十萬のレコードが含まれており、それらすべてを調(diào)べるのに數(shù)週間かかる可能性があります。研究者は、検証目的で28 GBのバックアップのコピーをダウンロードし、ケースが閉じられたら、公開されたドキュメントを安全に削除します。 MacKeeperは、データが刑事または民事捜査の一部になる場合、法執(zhí)行機関と米國國土安全保障と緊密に連攜しています?，F(xiàn)時點では、クレジットカード番號とプライベート顧客ファイルを備えた17,649のオーディオ録音を漏らす以外に、不正行為の疑いはありません。


また、375,368のオーディオ録音も「コールドコール」として資格があり、個人情報も含まれているものもあります。


インターネットは、Vici Marketing LLCがどのように運営または請求し、元従業(yè)員からの申し立てを請求しているかについての苦情に満ちている場合。顧客のレビューと従業(yè)員のコメントを検索するとき、私たちは、顧客が送料だけを支払う場合に顧客にプロモーションギフトを與える方法を説明するブログ投稿を発見しました。彼らは、3.95ドルかかると思われるスキンDM/Rejuvaglowクリームを提供し、すべてが終わった後、92.61ドルの費用がかかりました。ジャスティン?タイムという名前の元従業(yè)員は次のように述べています。

消費者が何が起こったのかを認識するまでに、すでに100ドル以上の請求書を請求しています。顧客が払い戻しを求めると、製品を保持するために提供し、部分的な払い戻しのみを提供することで、それを手に入れることができないように聞こえます。製品を送信者に返品し、出荷を拒否した人がいると思いますか？そして、あなたがあなたの払い戻しについて尋ねるために電話をかけるとき、あなたはあなたが製品を適切に送り返さず、それが倉庫に処理されなかったので、あなたはそれを持っていないと言ったとあなたはそれを持っていると言った!!!あなたのアカウントで、製品が正常に戻ってきたことをあなたのアカウントではっきりと見ることができると言っているのと同じ人は、彼らはそれを「RMAなし」とマークしているので、會社はあなたのお金を返さないことを知っています?！?br>

元従業(yè)員の主張を確認することはできませんが、オンラインでの苦情の多くは同じストーリーを語り、まったく同じ販売と請求方法を説明しています。

IndyCarデータリーク

これらのバックアップの大部分は単に動作しているように見えますが、際立っているのは、IndyCarの従業(yè)員ログイン資格情報と、電子メール、物理アドレス、最初と姓、パスワードハッシュ、ユーザー名、セキュリティの質(zhì)問と回答、生年月日、性別などのフィールドを含む200Kユーザーアカウントです。これにより、本質(zhì)的にINDING INTHEITION THEFT TREASURE TROVEが発見されます。

これらのアカウントが獲得したIndyCar掲示板は、退職したことを指摘することが重要です。したがって、IndyCarフォーラムのログインパスワードを変更する必要はありません。ただし、パスワードを再利用するタイプの人（そして、ほとんどの人がそうであることは殘念です）である場合、同じパスワードを使用している可能性のあるアカウントをリセットする必要があります。悪意のある人々がこのデータセットに出會った場合、彼らはこれらのパスワードを解読し、今すぐ他のオンラインアカウントでそれらを使用しようとしている可能性があります。

それは私がしばらくの間不思議に思っていたものに私を?qū)Г蓼?- なぜ企業(yè)は、関連するサイトが閉鎖された後もずっとパスワードハッシュを保持するのですか？それは責(zé)任に他なりません。彼らは顧客を利益を得るために危険にさらしています。これらのパスワードのハッシュを保持することで、IndyCarが得ることは絶対にありませんでした。そして今、彼らは狀況の言葉がレースファンに出るので、ネガティブなPRに直面しています。

私は、IndyCarで働いている弁護士とリスク管理の人々が、廃止フォーラムのログインが保存されていることを知らなかったと仮定することができます。報酬の可能性がゼロで大きなリスクを冒すことは、これらのタイプの人々が自分の仕事を維持する方法ではありません。これを読んでいて、大企業(yè)でリスクを管理する場合は、ITスタッフに2つの重要な質(zhì)問をする必要があります。

1. 何を保管していますか？
2. 本當(dāng)に必要ですか？

ピップ印刷およびマーケティングサービスのデータリーク

400 GBサーバーの大部分は、印刷ビジネスに関連するファイルと畫像の設(shè)計に専念しています。最も機密情報は、「Outlookアーカイブ」および「スキャン」フォルダーに含まれています。これらには、訴訟、醫(yī)療記録、有名な企業(yè)、および有名人に関する約50 GBのスキャンされた文書が含まれています。會社のクライアントが添付のドキュメントのコピーを作成するようにマネージャーに依頼する通信のアーカイブがあります。このアーカイブには2,200を超えるメッセージが含まれており、そのうちのいくつかはクレジットカード番號と請求の詳細を平易なテキストに掲載しています。

ピップ印刷およびマーケティングサービス、Aprinting、Design Companyは、米國にフランチャイズの場所があり、ランクサモンの起業(yè)家フランチャイズ500を備えた受賞歴のある印刷および制作會社です。

これは、私たちの生活がどれほどデジタルになったかの別の例であり、印刷ドキュメントが顧客の機密データを公開できるのと同じくらい単純なものでさえあります。 MacKeeper Securityは、機密性の高い顧客データを受け取って保存する會社は、それを確保し保護するためにあらゆるステップを踏むことを推奨しています。

デリケートなデータの中には、データが含まれている元アメリカのプロフットボール選手の文書には、NFL退職情報、社會保障番號、S、およびいくつかの醫(yī)療情報が含まれています。 Larry FlyntのHustler Hollywood Retail Storesの何千もの機密ファイル。ファイルは2010年までさかのぼり、各店舗のHRドキュメント、內(nèi)部調(diào)査、販売數(shù)、目標(biāo)、損益計算書が含まれています。

再び、オンラインでデータを適切に保護していない大小の企業(yè)の危険性を再び示しています。漏れは、機密店の販売データと內(nèi)部通信を公開するとき、単に恥ずかしいこと以上のものです。

重要なメモ

MacKeeper Security Research Centerによって発見された情報は公開されており、データにアクセスするためにパスワードは必要ありません。

まず、2016年10月下旬にレーダーに登場しました。印刷會社に通知しようとする試みにもかかわらず、通話と電子メールは真剣に対処されることはありませんでした。また、奇妙な振る舞いをしていて、情報をさらに転送することをいとわない受付係との電話を録音しました。

私たちは、この事件を支援し、彼自身の調(diào)査を?qū)g施したThe ThreatpostのTomspringに感謝しています。詳細については、https：//threatpost.com/printing-and-marketing-firm-leaks-high-profile-customers-data/123530/で彼のストーリーをご覧ください。

INTL空港での大規(guī)模な違反

漏れやすいデータセットには、敏感なTSA調(diào)査の手紙から従業(yè)員の社會保障番號、ネットワークパスワード、107ギガバイトの電子メール通信まで、すべてが含まれています。先週の火曜日に施設(shè)の管理に通知するまで、この米國空港のセキュリティと安全性には本當(dāng)のリスクがありました。

これは、ビジネス慣行がデータ侵害をもたらす方法の重要なケーススタディです。出席した資料によると、ニューヨーク＆ニュージャージー州の港灣局は、スチュワート?インターナショナルのアブポートという名前の民間企業(yè)と契約しています。その會社は、月に2、3回しかオンサイトである唯一のIT男と契約します。

1人が空港ネットワークインフラストラクチャを維持することを期待することはできません。そうすることは、セキュリティが失効するためのレシピです。これは、民営化によって何がうまくいかないかの典型的な例です。営利企業(yè)は、頻繁に、ベストプラクティスよりも収益を優(yōu)先するすべてのインセンティブを持っています。

これは、Avportsインシデント対応パフォーマンスによって強調(diào)されています。空港管理のレベルの業(yè)界では、すべての従業(yè)員が少なくとも大まかなデータ侵害準(zhǔn)備トレーニングを受ける必要があります。私がAvportsで最初に話した人は私にとってとても親切でしたが、ある時點でこれが「明日まで待つことができる」かどうか尋ねました。

その質(zhì)問に対する答えはノーです。あなたの會社が政府が作成した文書を「機密」、「公式使用のみ」、「不正なリリースが民事罰またはその他の行動につながる可能性がある」などのフレーズを漏らしている場合、明日まで待つことはできません。すぐにアクションが必要です。

初期応答

數(shù)分後、午後12時ごろの米國の時間頃にAvports COOが私に電話をかけたとき、私はやや安心しました。彼は、狀況をさらに調(diào)査し、改善するために、私が彼らのITスタッフからすぐに聞いていると私に保証しました。

3時間半後、私は誰からも返事をしていませんでしたが、データ侵害はまだ生きていました。私は港灣局に電話することにしました。彼らは私にスチュワートターミナルに電話するように指示し、電話番號を提供しました。その次の呼び出し中、ターミナルオペレーターに、サーバーの露出したポートは外の世界に閉鎖されました。ターミナルの男たちは、部門がそのような変更を加えることができないと主張したため、これが偶然のタイミングであるかどうかは不明です。

ITガイ

數(shù)時間後、午後7時ごろ、私はついにITガイから電話を受けました。會話は最初の景気後退を取りました。彼は、私がこのデータをダウンロードすることで犯罪を犯したことを私に知らせ、誰かの家からアイテムに侵入して盜むという類推を使用したことを私に知らせました（これは真実から遠く離れることはできませんでした）。

幸いなことに、私の行動は決して犯罪ではないと彼に説明したとき、會話は均等になりました。デバイスは、単一のユーザー名、パスワード、または別の認証尺度なしでこれらのファイルを公開している方法で構(gòu)成されていました。意図に関係なく、このマシンは本質(zhì)的に、パブリックWebサーバーとして機能していました。

考えられる説明

それで、これはどのように起こったのでしょうか？ここにいくつかの手がかりがあります。數(shù)ヶ月前に空港がShadowProtectとして知られるバックアップソフトウェアの使用を?qū)g験したことを私に知らせてくれました。プロセスの一部は、ファイアウォールにポート873を開くことに関係しており、Shadowsprotectの一部であるShadowstreamサービスがリモート同期サービス（RSYNC）のある側(cè)面を利用している可能性があることを知らされました。これは、私がその會話で言われたことです。

それはちょっと赤いニシンであり、パズルの一部にすぎないかもしれません。バックアップ內(nèi)で、Avportsが2016年3月に少なくとも1つのBuffalo Terastation Backup NASデバイスを購入したことを示す電子メールチェーンを見つけることができました。

私の仕事に遅れずについていく人は、この同じメーカーとNASデバイスのモデルが最近報告されたAmeriprise Financial Data侵害の中心にあることを思い出すかもしれません。実際、私はこの特定のデバイスを含む他のいくつかの最近の違反の調(diào)査結(jié)果を作成しました。

私の仮説では、いくつかのバッファローの誘導(dǎo)にポート873のデフォルトの開口部があるかもしれないということです。 ShadowProtectの実験の一部では、ポート873がスチュワートインターナショナルのファイアウォールで意図的にオープンしたことに注意してください。

現(xiàn)在の作業(yè)理論は、これらの2つの要因が整列し、違反シナリオをもたらしたということです。しかし、これはすべて疑問を投げかけています。AvportsがStewartでフルタイムのITの男を1人雇用した場合、そのような監(jiān)視は起こるでしょうか？

あなたはその中でさえ、あなたが支払うものを手に入れます。

詳細については、ZDNETの記事を參照してください。

***

この記事の注意は、適切に參照され、 MacKeeper Security ResearcherのChris Vickeryにクレジットが與えられた場合、公開に使用できます。

Amazon AWSの問題がインターネットを倒します

サービスの問題が何であるかはまだ明確ではありません。さらに、この問題は依然として存続し、東海岸ベースのWebサイトに部分的に影響します。 Amazonが公式Twitterアカウントで述べているように、「S3は高いエラー率を経験しています?；貜?fù)に懸命に取り組んでいます」。

AWSは、Netflix、Adobe Systems、Airbnb、BMWなどの大企業(yè)に人気のあるAmazonクラウドストレージサービスです。MacKeeperは、運用をスムーズに実行するためにAWSにも依存しています。しかし、AWSを使用する中小企業(yè)の數(shù)は想像も困難です。

Amazon Service Health Dashboardの最新の修正更新を確認できます。

ただし、多くのインターネットユーザーは、サービスが面白いことを発見し、Amazonにアドバイスを與えました。

MacKeeper Security Researchersは、米國空軍データを敏感に発見します

研究者は、數(shù)百人のサービスメンバーの名前、ランク、社會保障番號を含む適格性およびアクセスレポートによる人員を含む敏感な文書の群れを発見しました。各ページの下部には、次のような通知があります。

「1974年のプライバシー法に基づき、このシステムを通じて取得された人事情報を保護する必要があります。情報の開示は、タイトル5、ユナイテッドによって管理されています。」

最も衝撃的な文書は、名前、ランク、場所、および告発の詳細な説明を含むオープンな調(diào)査の広がりシートでした。 The investigations range from discrimination and sexual harassment to more serious claims. One example is an investigation into a Major General who is accused of accepting $50ka year from a sports commission that was supposedly funneled into the National Guard. There were many other details from investigations that neither the Air Force or those being investigated would want publically leaked.

There is a file that contains Defense Information Systems instructions for encryption key recovery. This is a comprehensive step-by-step guide of how to regain access to an encryption key and all of the urls where someone can request information regarding a Common Access Card (CAC) and Public Key Infrastructure (PKI). The possible danger of leaking the email addresses and personal information of senior military officials is that through social engineering and other methods, bad actors could potentially gain access.

Among the sensitive documents was a scanned image of the Lieutenant's JPAS account (Joint Personnel Adjudication System) from the Department of Defence. This included the login URL, user ID, and Password to access the system. JPAS accounts are only provisioned for authorized individuals and we can assume there would be classified information to anyone who would access the account. The database also included a copy of the North Atlantic Treaty Organization (NATO) Information Security Training Manual and many other documents that may or may not be publically available.


The device has since been taken offline and it is unclear if anyone other than members of the MacKeeper Research Team had access to the files or how long they were available.

Please see more details on the story in Zack's feature at ZDnet: https://www.zdnet.com/article/leaked-us-military-files-exposed/

Schoolhouse data breach

Schoolzilla, a student data warehousing platform, made the all-too-common mistake of configuring their cloud storage (an Amazon S3 bucket) for public access. I discovered the bucket after noticing a few other unsecured buckets related to the Tableau data visualization platform. There was an exposed “sz.tableau” bucket, so I started looking for other “sz” iterations. That's when I came across “sz-backups”, which turned out to be the main repository for Schoolzilla's database backups.

I downloaded several of the production backups, the largest was titled “Web_Data_FULL” and weighed in at 12 gigs. After loading them into a local MSSQL instance I did some review and concluded that this was most likely real student data and did indeed come from Schoolzilla. The possibility of a false-flag operation is always in the back of my head (a scenario in which an unscrupulous company creates a false data breach that appears to originate from a competitor).

Schoolzilla was quick to respond when I submitted a data breach notification ticket. They secured the data and opened dialogue with me to learn the full extent of the issue. I applaud their incident response. This was the first situation of its kind for them and they reacted professionally. It must have been grueling for the CEO to phone each client and relay the unpleasant news, but they did it within only a few days of my report.

Additionally, Schoolzilla understood the problem and took responsibility. They did not try to shoot the messenger or claim that I had somehow “hacked” them. That's worth an extra-large gold star on the board for them.

Unlike most reports, I do not have any redacted screenshots to share for this one. The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion. I did however seek guidance from the US Department of Education before overwriting my copies just in case they wanted them preserved for any investigatory purposes. Unfortunately, the Department's voicemail box is currently full and I could not leave a message.

A message from Schoolzilla's CEO regarding the situation can be found here: https://schoolzilla.com/commitment-information-security/

Information for editors:

The MacKeeper Security Research Center was established in Dec 2015 with the goal of helping to protect data, identifying data leaks and following a responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the MacKeeper Security Research Center a reputation as one of the fastest-growing cyber data security departments.

Auto financing company leaks 500K of customer's info online

As part of our research on publicly available Amazon AWS S3 buckets, MacKeeper Security Researchers discovered yet another repository, (mis)configured for public access, which contained 88 megabytes of spreadsheet documents in *.csv format with names of hundreds of auto dealerships around the United States.

Upon further investigation we were able to identify what appeared to be customer purchase information (such as full names, address, zip,last 4 SSN digits), credit scores (FICO auto scores), year, makes, and models. Once it was clear this was automotive financing data we found the name of who we believed were associated with the exposed data.

The files allegedly belong to Alliance Direct Lending Corporation, an automobile finance company in that refinances auto loans or uses a network of dealers to match with pre-qualified buyers.

The leaked data contained 124 files (each of them containing from 5 to 10 thousand records, which brings us to 550K - 1M customer details in total), with financing records broken down by dealerships and 20 audio recordings of customers agreeing to auto loans or refinancing of auto loans. These consent calls were the customers agreeing that they understood they were getting an auto loan, confirming that the information was correct and true. They included the customers' name, date of birth, social security numbers, and phone numbers. These calls were in both English and Spanish.

A member of MacKeeper Security Research called and spoke with an IT administrator who looked at the url of the publically accessible data and confirmed that it appeared to belong to Alliance Direct Lending. When searching online for Alliance Direct Lending it appears that they really dohave a solid reputation and nearly all of the reviews are positive, but data breaches can and do happen. This is yet another wake up call for anyone dealing with financial data, social security numbers, or other sensitive data to audit your data often. One simple misconfiguration could allow your entire organization's data storage publically available online to anyone looking for it.

Did anyone else see this data?

It is unclear if anyone other than security researchers accessed it or how long the data was exposed. According to the bucket properties, it was last modified on Dec 29, 2016. It contained 210 public items and 790 private ones (not available but listed) - logs. The IT Administrator claimed that it had only recently been leaked and was not was not up for long. He thanked us for the notification and the data was secured very shortly after the notification call.

The danger of this information being leaked is that cyber criminals would have enough to engage in identity theft, obtain credit cards, or even file a false tax return. Alliance Direct Lending is based in California where the law requires notification of a breach when a California resident's unencrypted personal information is compromised. California was the first state in the US to require notification of security breaches (its law became effective in 2003).

Information for editors:

The MacKeeper Security Research Center was established in Dec 2015 with the goal of helping to protect data, identifying data leaks, and following responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the MacKeeper Security Research Center a reputation as one of the fastest-growing cyber data security departments.

Troy Hunt did a great job describing all details about that, so this is why I have reached out to him first to see if this dump is something special.

After running a sample set at his HIBP project, Troy identified 243,692,899 unique emails, with almost every single address is already in HIBP, mostly centred around the big incidents.

And while it is not the news itself, the availability of this data almost publicly (I mean, unprotected MongoDB equals publicly) is alarming.

During our research, we were surprised to see as many as 313 large databases, with a size over 1GB, with several terabytes of data, hosted in the US, Canada, and Australia.

The database in question is hosted on a cloud-based IP, and it is unclear who actually owns it. We sent notification emails to the hosting provider, but usually, it is not the quickest way to shut it down.

After a series of 'ransomware' attacks targeted on MongoDBs left without authorization in the beginning of this year, I was not sure if somebody still uses early versions of Mongo where default configuration is possible. It appears that “Eddie” did.

Database is 75 gigs in size and containsdata structured in a readable json format which included at least 10 previously leaked sets of data from LinkedIn, Dropbox, Lastfm, MySpace, Adobe,Neopets. RiverCityMedia, 000webhost, Tumblr, Badoo,Lifeboat etc.

The lesson here is simple: most likely, your password is already there and somebody might be trying to use this just now. So isn't that a good time to change it now?

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.

313 large databases went public

Troy Hunt did a great job describing all details about that, so this is why I have reached out to him first to see if this dump is something special.

After running a sample set at his HIBP project, Troy identified 243,692,899 unique emails, with almost every single address is already in HIBP, mostly centred around the big incidents.

And while it is not a news itself, the availability of this data almost publicly (I mean, unprotected MongoDB equals publicly) is alarming.


During our research, we were surprised to see as many as 313 large databases, with size over 1GB, with several terabytes of data, hosted in US, Canada and Australia.


The database in question is hosted on a cloud-based IP, and it is unclear who actually owns it. We sent notification email to the hosting provider, but usually it is not the quickest way to shut it down.


After a series of 'ransomware' attacks targeted on MongoDBs left without authorization in the beginning of this year, I was not sure if somebody still uses early versions of Mongo where default configuration is possible. It appears that “Eddie” did.


Database is 75 gigs in size and containsdata structured in readable json format which included at least 10 previously leaked sets of data from LinkedIn, Dropbox, Lastfm, MySpace, Adobe,Neopets. RiverCityMedia, 000webhost, Tumblr, Badoo,Lifeboat etc.


The lesson here is simple: most likely, your password is already there and somebody might be trying to use this just now. So isn't that a good time to change it now?

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.

Global communication software left a massive amount of data online

Online communication has become a vital part of today's business environment and it is essential that business owners have tools and analytics to gauge efficiency, communication, and a range of data sets. One of the top companies that provide cloud-based unified communications has just leaked more than 600GB of sensitive files online.

The MacKeeper Security Center has discovered not just one but two cloud-based file repositories (AWS S3 buckets with public access) that appear to be connected to the global communication software and service provider BroadSoft, Inc. They have created an infrastructure for cloud unified communications tools that can be service provider hosted or cloud-hosted by BroadSoft. The publically traded company has over 600 service providers across 80 countries and supports millions of subscribers according to their website. Their partners are some of the biggest names in the communication business, telecom, media, and beyond, including Time Warner Cable, AT&T, Sprint, Vodafone among many other well-known companies. When 25 of the worlds top 30 service providers by revenue all use BroadSofts infrastructure and with so many subscribers it is easy to see that this data leak could have a massive reach.

BroadSoft business applications

• UC-One = single, integrated business communications solution
• Team-One = chat, take notes, track tasks and share files in organized workspaces.
• Also provides access to Google, Drive, Salesforce and other apps? Team-One is integrated with over 50 other popular apps.
• CC-One= omni-channel, cloud contact center solution that uses predictive analytics to lower operating costs and improve business performance.
• Hub =unified experience, bringing together BroadSoft Business and cloud apps

Other BroadSoft Business Platforms include BroadWorks, BroadCloud, Carrier, PaaS, Reseller, BroadSoft Mobility.

How the leak happened

The problem is that the repository was configured to allow public access and exposed extremely sensitive data in the process. They used Amazon's cloud but misconfigured it by leaving it accessible. Amazon AWS buckets are protected by default but somehow were left publically available. It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents. Not only could they access the documents but any “Authenticated Users” could have downloaded the data from the URL or using other applications. With no security in place just a simple anonymous login would work.

This leak shows once again just how insecure data can be when improper security settings are used. In this instance the same mistake leaked the data and information of potentially millionsof BroadSofts customers and that their partners service. This is not unique to BroadSoft and happens to companies big and small, but what does stand out is the size and scope of their business. Their infrastructure and portfolio of applications is used by millions of customers and many of them had their data exposed. It is unclear if BroadSoft will be notifying affected customers of this data exposure or if the partner companies who use their infrastructure will.

How it was discovered

In July MacKeeper Security researchers discovered an Amazon S3 cloud-based data repository that was connected to the WWE (World Wrestling Entertainment) hosted on the public 'wwe-test' S3 domain. This raised the flag that many administrators could potentially open a back up for testing and never close it. After the discovery researchers began testing other variations of the '-test' suffix and came across 2 of the connected repositories (one using the underscore sign '_' - not recommended by Amazon). Searching for the test resporsities is how it was discovered and we can only assume there are many more cloud-based data leaks actively available that started out as a testing ground, but were never secured.

On Aug 29th a security notice was sent to engineers based in BroadSofts Indian office (Bangalore) whose email communications was found in the repository. He replied “Who gave you my contact and it does not belong to us”. Then ironically one of the two repositories was closed to public access almost immediately after the notification. This would logically conclude that engineers may have been trying to do damage control by denying that the 600GB of data belonged to Broadsoft or their clients.

The second bucket was quickly secured only after a notification email to Charter-related people was sent.

What the leak contained

In short, the repository contained a massive amount of sensitive information and researchers estimate It would take weeks to fully sort through all of the data. The most potentially damaging discovery was the fact that it contained internal development information such as SQL database dumps, code with access credentials, access logs, and more. These are all things that should not be publicly available online. The two repositories contained thousands and thousands of records and reports for a number of Broadsoft clients with Time Warner Cable (TWC) appearing to be the most prominent and including applications like Phone 2 Go, TWC app, WFF etc.

Much of the internal development data apparently saved by Broadsoft engineers related to Time Warner Cable, Bright House Networks (BHN/Charter). For example “User Profile Dump, 07-07-2017” text file contains more than 4 million records, spanning the time period 11-26-2010 - 07-07-2017, with Transaction ID, user names, Mac addresses, Serial Numbers, Account Numbers, Service, Category details, and more. Other databases also have billing addresses, phone numbers etc. for hundreds of thousands of TWC customers.

Bob Diachenko, chief communications officer, MacKeeper Security Center:

The threat and risk

Cyber criminals and state-sponsored espionage is a real threat to major corporations, businesses of all sizes, and individuals. We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes. One example is the infamous Yahoo email breach and the belief that it was used to identify dissidents, trade secrets, and gather other sensitive data. The bottom line is that data is valuable and there will always be someone looking for it. Improperly securing data is just as bad if not worse because it was preventable. BroadSoft accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access their network and infrastructure.

The MacKeeper Security Research Center has downloaded the contents of the repository for verification purposes and it is unclear if anyone else has had access to the data.

As we continue to see more and more cloud leaks appear it reminds us that companies large and small must conduct regular audits to secure their data. Misconfiguration of cloud-based storage repositories that allow public or semi-public access can result in a devastating data leak that requires no hacking or password. The MacKeeper Security Team is dedicated to identifying threats and vulnerabilities and helping to secure them or bring attention that will help make data more secure online.

Alex Kernishniuk, VP of strategic alliances, MacKeeper:

UPDATE: The article has been updated to reflect that no evidence except a similar report name was identified to mention AMC among affected companies.

Mexican tourist tax refund company leaks customer records

Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The MacKeeper Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publically accessible. These tourists traveled from around the world to enjoy Mexico's beaches, warm weather, historical sites, or cities and had their private data exposed in the process.

The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.

MoneybBack is part of Prorsus Capital SAPI de CV, a Mexican Investment Fund. The most dangerous aspect of this discovery is the massive amount of data totaling more than 400GB.

How MoneyBack works

They have created a network of affiliate stores who offer the tax refund as a type of discount to lower the final purchase price of certain goods tourists buy. These refunds would make sense for luxury jewelry, gold, and diamonds that cost many thousands of dollars. According to MoneyBack's General Director Danielle Van Der Kwartel “International travelers can receive an 8.9% refund of the total amount they spend when shopping at any of the 6,500 MONEYBACK affiliated stores”. They also claim to provide service in more than 98% of Mexico's air and maritime points of departure and have 55 offices, airport booths, cruise ports, and shopping mall locations.

MoneyBack works closely with travel agents by providing training on its services to help them promote the tax refunds to their clients traveling to Mexico. It seems to be a profitable business and encourages shoppers to spend more but are customers really saving that much money? Some credit card companies charge 3% foreign transaction fees and it is unclear what fees MoneyBack charges customers or the travel agent commissions. There are some complaints online about the bureaucracy of the Mexican Government taking up to 6 months to disburse refunds. Are the savings worth it?

How the leak happened

During a routine security audit, MacKeeper Security Researchers discovered a misconfigured CouchDB that allowed public access to the data via browser. Those who follow cybersecurity news may remember that in early 2017 10% of CouchDB servers were victims of ransomware because of the same misconfiguration. Although MoneyBack is based in Mexico the hosting and IP address is located in the United States. The database was publically accessible and required no password protection or other authentication to view or download MoneyBack's entire repository.

Bob Diachenko, chief security communications officer, MacKeeper Security Center:

What was leaked and who is affected?

Researchers identified passports from all over the world who used MoneyBack's services. Among the top passports identified were citizens of the US, Canada, Argentina, Colombia, Italy, and many more. It appears to be every client that has used their services between 2016 and 2017.

• Over 300 GB database in size
• 455,038 Scanned Doccuments (Passports, IDs, Credit Cards, Travel Tickets & More)
• 88,623 unique passport numbers registered or scanned

Mexico has a booming tourism industry despite travel warnings to certain areas, a history of gang violence and kidnappings. It was estimated that the country welcomed a record 35 million international tourists in 2016. Many tourists who will be buying expensive items on their vacation likely love the idea that they can have a portion of the sales taxes returned, but is it worth having your data exposed online?

How Tax-Free Shopping in Mexico works?

Tax-free sounds great but their are some restrictions. Tourists must spend at least 1200 pesos ($67 USD) on Mexican goods (this does not apply to services such as hotel stays and food expenses). Tourists must also enter and leave Mexico by sea or air. The minimum purchase per store is 1,200 pesos with electronic payment and cash purchases can not exceed 3,000 pesos ($168 USD). Another issue to consider is that you will have to file yourself with the bureaucracy Mexican Tax Authorities or give your personal information, credit card, and identification to a 3rd party company such as MoneyBack.

• Tourists need to shop at an affiliated store with “Tax Free shopping”.
• They must ask for an official invoice with the stores tax id number
• When tourists leave the airport or by ship there are Tax Free booths, they can visit one of the offices, or several other ways to submit their tax paperwork.
• Although they estimate 40 days to receive a refund complaints state up to 6 months.

The danger of this data?

Alex Kernishniuk, VP of strategic alliances, MacKeeper:

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Center.

MacKeeper Research Center discovers massive Elasticsearch infected malware Botnet

One of our recent researches was focused on the publicly accessible Elasticsearch (ES) nodes and we discovered suspicious indices names that didnot have any relations to Elasticsearch file structure.

Among the many “red flags” some of the file names referenced to AlinaPOS and JackPOS malware. These are the type of POS (Point-of-Sale) malware that attempts to scrape credit card details using a range of different techniques. As an example of how this malware is so effective, JackPOS attempts to trick the system that it is java or a java utility. It can copy itself directly into the %APPDATA% directory or into a java based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and can even encode the stolen credit card data to go undetected as it is extracted. This malware first became widespread in 2012, but it is still effective today and available for sale online.

In 2014 the family tree looked as follows:

Today the picture is much worse and much more widespread.

Despite some security warnings and industry-related news, It appears POS malware has been out of the headlines for a while, but the danger is still there for millions of cardholders. Kromtech researchers started looking for any updates about that specific type of malware and the status of files being distributed on unsuspecting servers. What surprised researchers is that there are new and updated versions of the malware that are currently for sale to anyone.

At Cybercrime tracker https://cybercrime-tracker.net/index.php?search=alina we've seennew samples of these malware types and low detection rate by the most popular AntiVirus engine (tested with VirusTotal).

Even for the relatively old C&C servers hosting sites (Command and Control servers), there is not enough information to flag the real risks. The VirusTotal URL Scanner indicated that only 6 of the antivirus engines and website scanners out of the 65 available were able to identify the new versions of the POS Malware.

なぜそれが起こったのですか？

The lack of authentication allowed the installation of malware on the Elasticsearch servers. The public configuration allows the possibility of cyber criminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the resources of the server and even launch a code execution to steal or completely destroy any saved data the server contains.

In our case, a bunch of AWS-hosted Elasticsearch instances was under attackfor malicious use. Moreover,every infected ES Server became a part of a bigger POS Botnet with Command and Control (C&C) functionalityfor POS (point-of-sale) malware clients. These clients are collecting, encrypting and transferring credit card information stolen from POS terminals, RAM memory or infected Windows machines.

Old C&C interface used by POS malware is displayed below (taken fromhttps://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html)

We checked with Shodan (our commonly used IoT search engine which returnsservice banners with meta-data of the server) how many systems on the internet have similar signs of infection.

As of today, there are nearly 4000 infected Elasticsearch servers, and about 99% of them are hosted on Amazon.

Why are nearly all of the Elasticsearch servers hosted by Amazon Web Services?

Amazon Web Services provides customers with a free T2 micro (EC2 / Elastic Compute Cloud) instance with up to 10 Gb of disk space. These T2 instances are designed for operations that don't use the full CPU for general purpose workloads, such as web servers, developer environments, and small databases. The problem is that on the T2 micro, you can set only versions 1.5.2 and 2.3.2.

The Amazon hosting platform gives users the possibility to configure the Elasticsearch cluster just in few clicks, but usually, people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions and in this case it did by exposing a massive amount of sensitive data.

Kromtech Security Researchers discovered similar file structures on Shodan.io for Elastic Search Services. Then they compared the modification time of suspicious files on these infected Elasticsearch Servers and made some logical conclusions:

• There are different packages of C&C malware, ie servers were infected multiple times
• Different packages can be related to different Botnets (because POS malware was seen selling not only on Darknet but on public domains as well)
• There is a lot of servers infected, for the same packages on different servers the time of infection could be different due to periodical scans and Botnets network expansion
• Nearly 99% of infected servers are hosted on Amazon Web Services
• 52% of infected servers run Elastic Search 1.5.2 version, 47% - 2.3.2 version, and 1% for other versions.
• Recent infections were made at the end of August 2017

The following table represents Kromtech Security Centers findings and the attack distribution of the infected AWS instances through vulnerabilities in the Elasticsearch Server and the Amazon security configuration:

Kromtech Security Center highly recommend you to take the following actions required for effective incident response:

1. Check your log files on all servers in your infrastructure
2. Check connections and traffic
3. Make a snapshot/backup of all running systems
4. Extract samples of malware and provide it to us for further analysis (security@kromtech.com)
5. Reinstall all compromised systems, otherwise, you need to clean up all suspicious processes, check your systems with antivirus and also monitor your system during next 3 months for any anomaly connection
6. Install latest Elastic patch or completely reinstall it
7. Close all non-used ports from external access, or white-list only trusted IPs

Here are also some recommendations from Elastic Search site that need to be taken:https://www.elastic.co/what-is/elastic-stack-security

Vulnerability types in ELK

Infographics for infected ES Servers:

The following graph represents vulnerable versions of Elasticsearch Servers used by attackers to distribute and control malware through vulnerable or misconfigured Elasticsearch Servers:

Auto tracking company leaks hundreds of thousands of records online

Have you ever heard of the term SVR? The “SVR” stands for “stolen vehicle records.” The MacKeeper Security Center has discovered a repository connected to the vehicle recovery device and monitoring company SVR Tracking. And this is what we'll cover in this article.

In 2017 researchers found an Amazon AWS S3 bucket (public cloud-based storage) that happened to be misconfigured and left publically available. This breach exposed information on their customers and the reseller network, along with the device attached to the cars.

The repository we mentioned above had records of over half of a million logins and passwords, emails, IMEIs of GPS devices, VIN (vehicle identification number), and other information collected on their devices like customers or auto dealerships. What's curious, the exposed database also had the data where the tracking unit was hidden precisely in the car.

What was discovered?

A Backup Folder called “accounts” held the record of 540,642 ID numbers, information about accounts including many plates and VINs, hashed passwords, IMEI numbers, emails, and more.

• 71,996 (02/2016)
• 64,948 (01/2016)
• 58,334 (12/2015
• 53,297 (11/2016
• 51,939 (10/2016)
• 41,018 (9/2016)
• 35,608 (8/2016)
• 31,960 (7/2016)
• 31,054 (6/2016)
• 29,144 (5/2016)
• 38,960 (4/2016)
• 32,384 (3/2016)
• 116 GB of Hourly Backups
• 8.5 GB of Daily Backups from 2017
• 339 documents called “l(fā)ogs” that contained data from a wider date range of 2015-2017 UpdateAllVehicleImages, SynchVehicleStatus, maintenance records.
• Document with information on the 427 dealerships that use their tracking information.

The number of devices could be much higher because many of the resellers or clients had multiple devices for tracking.

If you feel at risk, learn how to act after a data breach occurred.

Detailed tracking 24hrs a day, even if the car is not stolen or missing

This software tracks wherever the vehicle has been during the last 120 days. What is even more terrifying is that all of the visited places are marked and pinpointed to the map. In addition to that, there's a feature showing anyone who has login credentials the best locations and stops where the car has been. The so-called “recovery mode” pinpoints every 2 minutes and creates zone notifications. With a 99% successful recovery rate being a great result, user logins and passwords for hundreds of unsuspecting drivers are leaked online?

According to their website “The SVR Tracking service enables lot owners to locate and recover their vehicles with live, real-time tracking and provides stop verification, enabling them to determine potential locations for their vehicles. Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”

One can access the software on any device connected to the internet device (desktop, laptop, mobile, or tablet). The satellite locates the tracking unit and sends the data to its servers using the GPRS Data Network. Think of the potential dangers if cybercriminals find out a car's location by just logging in with the publicly available credentials and stealing that vehicle?

Shortly after sending the responsible disclosure note, the bucket has been secured, however, no words from the company.

In 2012 there were an estimated 721,053 automobiles stolen in the United States.

Verizon wireless employee exposed confidential data online

On September 20th, MacKeeper Security researchers discovered publicly accessible Amazon AWS S3 bucket containing around 100MB of data attributing to internal Verizon Wireless system called DVS (Distributed Vision Services).

DVS is the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data.

Although no customers data are involved in this data leak, we were able to see files and data named "VZ Confidential" and "Verizon Confidential", some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure.

Another folder contained 129 Outlook messages with internal communications within Verizon Wireless domain, again, with production logs, server architecture description, passwords and login credentials.

Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent responsible notification email on September 21st. Shortly after that, online archive has been took down and it has been later confirmed that the bucket was self-owned by Verizon Wireless engineer and it did not belong or managed by Verizon.

What the repository contained:

• Admin user info that could potentially allow access to other parts of the network
• Command notes, logs including
• B2B payment server names and info
• Internal PowerPoints showing VZ infrastructure, with server IPs, marked as “Verizon Wireless Confidential and Proprietary information”
• Global router hosts
• 129 saved Outlook messages with access info and internal communications

Damage control or denial?

Verizon had $126.0 billion in consolidated revenues in 2016 and it seems like they would not leave the keys to the front door of their data servers or network out for anyone? In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open-source or publically available? access to production logs, scripts, instructions, and administrative credentials to protected areas of Verizon's internal infrastructure.

In the aftermath of the Equifax data leak it is easy to be skeptical considering that they waited 5 months to inform regulators or the public. Then remember that Equifax executives sold off stock before the price drop. It is not out of line to consider when someone has been approached with a data leak that they might deny it. As security researchers we often hear that data was not sensitive or that it was production or test data, when it is clearly not.

Bob Diachenko, chief security communications officer, MacKeeper:

Alex Kernishniuk, VP of strategic alliances, MacKeeper:

Report: virtual keyboard developer leaked 31 million client records

The MacKeeper team has discovered a massive amount of customer files leaked online and publically available. Researchers were able to access the data and details of 31,293,959 users. The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.

Ai.Type was founded in 2010 and According to their site, their flagship product for Android was downloaded about 40 million times from the Google Play store and the numbers of downloads and user bases are rapidly growing. They plan to integrate Matching Bots as a user types their conversation and that their Ai type keyboard will soon offer a “Bots Discovery Platform” Via Keyboard. There was also a notice of a name change from Ai.Type to Bots Matching Mobile Keyboard in the coming year.

Giving up data for personalized services and apps

Consumers give up more data than ever before in exchange for using services or applications. The scary part is that companies collect and use their personal data in ways they may not know. The concept is where people willing to provide their digital in exchange for free or lower-priced services or products. A study from the Annenberg School for Communication at the University of Pennsylvania concluded that a majority of Americans do not think the trade-off of their data for personalized services is a fair deal.

Once that data is gone users have little to no knowledge of what is done with their personal data. Why would a keyboard and emoji application need to gather the entire data of the user's phone or tablet? Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application.

How the data leak occurred and what it contained

Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection. This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted from their phone or tablet.

MongoDB is a common platform used by many well-known companies and organizations to store data, but a simple misconfiguration could allow the database to be easily exposed online. One flaw is that the default settings of a MongoDB database would allow anyone with an internet connection to browse the databases, download them, or even worst-case scenario to even delete the data stored on them.

Summary of what the database contained:

Client registration

Client files that included the personal details of 31,293,959 users who installed ai.type virtual keyboard. This is highly sensitive and identifiable information.

例えば：

phone number, the full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google , Facebook etc.), IP (if available), location details (long/lat).

Phonebook and contact records

6,435,813 records that contained data collected from users' contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users' phones, which include all their contacts saved/synced on linked Google account.

Additionally, user data from a folder titled 'old database' that contained 753,456 records were also available.

There was a range of other statistics like the most popular users' Google queries for different regions. Data like average messages per day, words per message, age of users, words_per_day': 0.0, 'word_per_session and a detailed look at their customers.

To avoid the negative consequences of such events, learn how to secure yourself against data breaches.

Ashley Madison's private picture went viral

Ashley Madison, the online cheating site that was hacked two years ago, is still exposing its users' data. This time, it is because of poor technical and logical implementations.

As a result, approximately 64% of Ashley Madison (AM) private, often explicit, pictures are accessible. This access can often lead to trivial deanonymization of users who had an assumption of privacy and opens new avenues for blackmail, especially when combined with last year's leak of names and addresses.

Let's look at how "Sarah" and "Jim," two hypothetical users on AM, can have their privacy broken.
AM has two types of pictures, public and private, neither of which are required. Public pictures are viewable by any AM user. Private pictures are secured by a "key." Sarah can send her key to Jim so he can see her pictures. Jim can request Sarah's key, requiring her explicit approval. Sarah can also revoke Jim's key, restricting his access.

This structure makes sense but, two issues open the door to problems:

• By default, AM will automatically share Sarah's key with Jim if he shares his key with her.
• Pictures can be accessed, without authentication, by directly accessing its URL

To protect her privacy, Sarah created a generic username, unlike any others she uses and made all of her pictures private. She has denied two key requests because the people did not seem trustworthy. Jim skipped the request to Sarah and simply sent her his key. By default, AM will automatically give Jim Sarah's key.

That's right, Jim can now see all of Sarah's private pictures, rated (aka explicit) and non-rated.
How does this happen? When adding a picture, the box to share your private pictures is already checked. If you keep this box checked, it will apply the same setting to additional pictures of the same type (public or private).

There are two issues with this implementation. First, few understand the implications nor think through the way it could be exploited. Second, as Steve Gibson would put it, is the "tyranny of the default." As he explains it, "whatever the default settings are, most of the time that's what they end up being forever." People will simply click through the options, leaving them as recommended. The only way to change this configuration is to go deep into the settings page.

Let's go back to our metaphorical users. Sarah will at least get an email saying that she received Jim's key and can go to AM to validate the interaction and revoke the key Jim was given.

During testing, less than 1% of users revoked their key after it had been given. It is our assumption that this means that most users do not understand the impact of this policy. We believe it is far less likely that users who go through the effort to distinguish between public and private photos are ok with any random AM user seeing their private pictures.

Those that revoked their key, access is now denied.

Actually, that's not 100% true. Once Jim is granted access to Sarah's pictures, he is able to see the link, eg https://photo-cdn.ashleymadison.com/[picture_name] . Not only can he access the picture, with this link, anyone can access the picture without authentication, AM user or not. While the picture URL is too long to brute-force (32 characters), AM's reliance on "security through obscurity" opened the door to persistent access to users' private pictures, even after AM was told to deny someone access.

Data leakage


In order to prove the validity of this issue, we wrote a program to iterate through all IDs, aka profile numbers, (0-99,999,999) and gave a private key to a random sample of users that had private pictures. Based on this random sampling:

• 26% of users had private pictures
• 64% of users accounts that had private pictures automatically returned their key

AM's parent company, Ruby, also controls two other sites, Established Men and Cougar Life. Both of these sites also have automatic key exchange and require no authentication to directly access picture URLs; however, they at least force a user to pick if they want to enable sharing by default instead of defaulting it on and requiring a user to uncheck the box.

Implications

The implications of these issues are many.

• At the core, pictures that AM users entrusted them to securely store are exposed.
• Users can be victims of blackmail. AM users were blackmailed last year, after a leak of users' email addresses and names and addresses of those who used credit cards. Some people used "anonymous" email addresses and never used their credit card, protecting them from that leak. Now, with a high likelihood of access to their private pictures, a new subset of users are exposed to the possibility of blackmail.
• These, now accessible, pictures can be trivially linked to people by combining them with last year's dump of email addresses and names with this access by matching profile numbers and usernames.
• Exposed private pictures can facilitate deanonymization. Tools like Google Image Search or TinEye can search the internet to try to find the same picture, including on social media sites like Facebook, Instagram, and Twitter. This sites often have your real name, connecting your AM account to your identity. Some users also include their first name in their username, eg Sarah1234. With your name, age, location, and now pictures, it can be easy to search Facebook or Google for a matching profile.

推奨事項

• Remove automatic pictures sharing or adjust its logic. In our opinion, Sarah should have to explicitly give Jim permission to her private pictures.AM's parent company does not agree and sees the automatic key exchange as an intended feature.
• Limit key exchanges. If you limit how many keys a user can send out, you decrease the speed with which they can exploit automatic key sharing across the user base.AM's parent company has completed this.
• Restrict right-click functionality in the web page. While this is not perfect, it at least raises the difficulty in saving or stealing private pictures.
• Add authentication to all AM photos. Having pictures accessible, unauthenticated, is negligent.
• Only allow 1 user account per email address. We were able to create 7 user accounts under the same email address, which lowered the difficulty of conducting the scan of user accounts.

For more recommendations on keeping your data secure on the web, check out these tips on how to protect your privacy online.

Report: cybercriminals steal voter database of the State of California

If there is one thing that the 2016 US election has taught us it is that the entire electoral process needs to be revamped and a more uniform secure process. There have been several high-profile leaks of voter data in recent months but in this case the entire voting population of California has had their information taken by cyber criminals.

In early December, MacKeeper security researchers discovered an unprotected instance of MongoDBdatabasethat appear to have contained voter data. The database named 'cool_db' contained two collections and was available for anybody with Internet connection to view and/or edit.

One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records,allopen for public access.

According to the LA Times California had 18.2 million registered voters in 2016 so this would logically be a complete list of their records.

MacKeeper researchers were unable to identify the owner of the database or conduct a detailed analysis due to the fact that the database has been deleted by cyber criminals and there is a ransom note demanding 0.2 bitcoin ($2,325.01 at the time of discovery).

We were able to analyze the stats data we saw in our report (metadata on total number of records, uptime, names of the collection etc.), as well as 20-records sample extracted from the database shortly before it has been wiped out and ransom note appeared.

Ransomware and stolen data

In January 2017 a 27k or roughly a quarter of MongoDB databases left open to the internet were hit by ransomware and again in September 2017 three groups of hackers wiped out an estimated 26,000 MongoDB databases. The cyber criminals demanded that the owners of those databases pay around $650 USD in the cryptocurrency BitCoin to regain their data. It is still unknown just how that stolen data was used or how many people paid to have it returned, and if it was even returned after the cybercriminals received the money.

Back in January MacKeeper Security came up with the initiative to help those who suffered an attack.Read more about last year 'massacre' here.

It is unclear who exactly compiled the database in questionor the ownership, but researchers believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository ("cool_db”), but this is only a suspicion. Political firms assist campaigns in building voter profiles. This information of California voters is governed by state law that dictates what kind of information can be released, and for what purposes.

The danger of a state voter database leak

In this case security researchers were able to bring awareness to millions of California citizens that their data was not only publicly leaked online, but also that cyber criminals have stolen it for ransom. State voter registration databases store detailed information on each registered voter in the state, as required by federal law.

The criminals used ransomware to wipe out the voter data and likely backed it up on a server making it even riskier. Once in the hands of cyber criminals, this voter data could end up for sale on the “Dark Web”. If this were an official database, deleting parts of that data could affect someones voting process.

What the database contained?

The 4GB collectioncontained data structured with the following rows:

• 市：
• ジップ：
• StreetType:
• 苗字：
• HouseFractionNumber
• RegistrationMethodCode
• State: CA
• Phone4Exchng:
• MailingState: CA
• メール：
• Phone3Area:
• Phone3NumPart:
• Status: A
• Phone4Area:
• StreetName:
• ファーストネーム：
• StreetDirSuffix:
• RegistrantId:
• Phone1NumPart:
• UnitType:
• Phone2NumPart:
• VoterStatusReasonCodeDesc: Voter Requested
• Precinct:
• PrecinctNumber:
• 出生地：
• Phone1Exchng:
• AddressNumberSuffix:
• ExtractDate: 2017-05-31
• Language: ENG
• Dob:
• 性別：
• MailingCountry:
• AssistanceRequestFlag
• MailingCity:
• ミドルネーム：
• AddressNumber:
• StreetDirPrefix:
• RegistrationDate:
• PartyCode:
• Phone1Area:
• サフィックス：
• NonStandardAddress:
• Phone4NumPart:
• CountyCode:
• MailingAdd3:
• MailingAdd2:
• MailingAdd1:
• UnitNumber:
• Phone2Exchng:
• NamePrefix:
• _id: ObjectId
• MailingZip5:
• Phone2Area:

The “Extract Date” is most likely is the indicator of when the database has been compiled. It appears to have been created on May 31st, 2017.

The purpose of the second much larger collection in the database, named '22GB appears to be the complete California voter registration records. It contains a massive 409,449,416 records in total.

The format and information in the document titled “22GB”

• ExtractDate: '2017-05-31',
• '地區(qū)'：
• 'RegistrantId':
• 'CountyCode':,
• 'DistrictName':
• '_id': ObjectId

Bob Diachenko, head of communications, MacKeeper Security Center:

Here are the transactions for the wallet in the ransom note
https://www.blockchain.com/btc/address/1EPA6qXtthvmp5kU82q8zTNkFfvUknsShS

The database has been taken down since the initial discovery. Secretary of State of California was aware of the leak and "was looking into it", however, at the time of publication we did not receive any official statement.

Read more guides:

• What to Do If Your Data Was Leaked in a Data Breach
• How to Remove Personal Information from the Internet

以上がデータ侵害レポートアーカイブ - 2017の詳細內(nèi)容です。詳細については、PHP 中國語 Web サイトの他の関連記事を參照してください。