Industry News: ESG5

The target: Macy’s, an American department store chain.

The take: First and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes and expiration dates.

The attack vector: The attackers used card skimming code, colloquially termed as Magecart, to inject a malicious script into two pages on Macy’s website, the wallet and checkout page. Tampering with the scripts on the retailer’s website allowed attackers to ‘skim’ sensitive information as it was entered by customers and forward it to their own systems.

Any webpage where sensitive information is entered by the user is a prime target for hackers. Ensuring robust standards around critical nodes such as these are key for strong security practices.

Read more...

The target: InfoTrax, a Utah-based provider of IT systems for the Direct Sales industry.

The take: 1 million user records including Social Security Numbers, payment card information, bank account information, user names and passwords.

The attack vector: A vulnerability in InfoTrax’s public facing website allowed the attacker to upload malicious code, which allowed remote control of the company’s website and servers. Inadequate security monitoring practices gave the attacker unrestricted, and undetected, access to 17 different systems over a period of two years. InfoTrax was only alerted when one of its servers ran out of storage space.

Robust monitoring standards are critical to detect not only intrusions, but any and all unusual activity that can indicate if IT systems have been compromised.

Read more...

The target: First American Financial Corp, a Fortune 500 real estate title insurance giant

The take: 885 million files, including records of wire transactions with bank account numbers, bank statements, mortgage records, tax documents, Social Security numbers and driver’s licenses.

The attack vector: FA’s webserver used a system of assigning sensitive documents unique web links – however, incrementing the id number in the link returned other, unrelated documents for any user accessing the site via web, with no authentication necessary.

‘Security by obscurity’ has no place in the 21^st century – it is altogether insufficient to rely on the presumed inability of an attacker to locate sensitive resources left exposed to the public web. Any data which is not for public consumption must be protected with a secure authentication system to ensure that it can only be accessed by the intended audience.

Read more...

The target: SingHealth, Singapore’s largest group of healthcare organizations.

The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.

The attack vector: The source of the breach according to early reports was a phishing campaign, however, security researcher’s leading hypothesis was that the attack originated through SingHealth’s failure to keep their software updated. The company used an open source penetration testing application called Ruler. However, they ignored an available patch for Ruler which addressed a known vulnerability, and which led to the hackers gaining access.

Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.

Read more...

The target: Imperva, cyber-security firm based out of California.

The take: A complete copy of their customer information database.

The attack vector: Imperva uploaded a snapshot of its customer database for testing. However, in an unrelated incident, they left one of their internal systems publicly accessible on the internet from which the attacker stole key to the recently uploaded database. Using the key, the hacker was able to download a copy of the customer information.

After Imperva adopted cloud technologies to scale their infrastructure to meet increasing needs, they failed to account for the increased risk of this strategy. Cyber-security diligence applies at all levels of scale including times of expansion and investment in new technology.

Read more...

The target: FireEye, a publicly traded cybersecurity company in California.

The take: Corporate documents, details on client contracts and licenses, and personal login credentials.

The attack vector: Attackers used credentials exposed in public data breaches to access the personal accounts of a security analyst employed by FireEye. Once his accounts had been compromised, they were able to exploit his business use of those personal accounts to obtain sensitive information belonging to his employer.

On an individual level – this attacks highlights the importance of changing passwords and rotating credentials, particularly in the wake of a publicized credential breach. At the firm level - once confidential and sensitive information leaves a firm’s information systems, it’s completely outside of their control. Security policies must reflect zero tolerance for use of personal accounts to communicate on behalf of the firm or store/transfer sensitive and proprietary information.

Read more...

The target: Malindo Air, a Malaysian subsidiary of Indonesia’s Lion Group

The take: Approx. 35 million passenger records, including names, emails, addresses, passport numbers/expiration dates.

The attack vector: Two former employees of a subcontracted e-commerce provider were identified as having “improperly accessed and stole the personal data of our customers.” Malindo Air reiterated that their external controls were not breached and that “services and infrastructure worked as designed and were not compromised in any way.”

Malicious insiders are unfortunately common sources of data breaches, and internal controls and oversight must be put in place to ensure that data is being handled appropriately by both direct employees and subcontracted staff.

Read more...

The target: Philips Capital Inc, a Chicago-based brokerage firm.

The take: $1 million USD from a client account.

The attack vector: Attackers gained access to internal systems via a successful phishing attempt and impersonated a client of the firm using information they’d gained from reviewing past e-mail correspondences. Gaps in disbursement procedures allowed a requested wire transfer to an unknown bank account to be approved and processed.

While technical controls can protect against cyber-attacks, they cannot always compensate for gaps in procedure and a failure to think critically.

Read more...

The target: Flight booking site, Option Way.

The take: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data personally identifying information is a ripe target for identity thieves.

The attack vector: Security researchers were able to access Option Way’s Elasticsearch database via browser due to misconfiguration. Exposed (and unencrypted) data includes names, dates of birth, gender, e-mail addresses, phone numbers and addresses - a ripe target for identity thieves. 

Companies must evaluate their ‘attack surface’ across servers/firewalls and third-party services to ensure that their data is secure and should continuously monitor infrastructure to be assured that changes do not result in exposure of sensitive information.

Read more...

The target: Scotiabank, a major Canadian based banking institution

The take: Login keys to backend systems, internal source code of mobile apps, software blueprints, and credentials for a database of foreign exchange rate data.

The attack vector: The data in question was left accessible on a non-secured public repository, GitHub. Analysis of the leaked data could provide numerous and deep exploitations and vulnerabilities.

Source code repositories, like file storage repositories, must be correctly configured to ensure that sensitive data remains internal and accessible only by authorized parties. Default permissions or accessibility settings must always be reviewed before sensitive data is committed to storage.

Read more...