Data Breach Report Archive - 2017
In this blog post we have collected the 22 most significant breaches of 2017. All reports were produced by Chris Vickery, a data breach hunter who, in collaboration with MacKeeper, publishes reports on the "hottest" security and data breaches on the MacKeeper blog.
This is the second article in a series of data breach reports. Read the 2016 data breach report archive here.
Click a data leak name to read the report:
- MilitarySleep.org breach
- World Wrestling Entertainment leaks 3 million emails
- Harak1r1 0.2 bitcoin ransomware attack
- SpaSurgica: Canadian plastic surgery customers' records leaked
- Interpreters Unlimited: employee and customer personal data leak
- Telemarketing company leaks nearly 400K sensitive files
- IndyCar data leak
- PIP Printing and Marketing Services data leak
- Extensive breach at Stewart International Airport
- Amazon AWS issue takes down the internet
- MacKeeper security researchers discover sensitive US Air Force data
- Schoolhouse data breach
- Report: 313 large databases went public
- Auto financing company leaks 500K customers' info online
- Global communication software left a massive amount of data online
- Mexican tourist tax refund company: leak of customer records
- MacKeeper Research Center discovers a massive malware botnet of infected Elasticsearch servers
- Auto tracking company leaks hundreds of thousands of records online
- Verizon Wireless employees: confidential data exposed online
- Report: virtual keyboard developer leaks 31 million customer records
- Ashley Madison private photos spread
- Report: cybercriminals steal California voter database
Essential reading and tools:
- With the Mac security guide you will dive deeper into macOS security settings
- Get Mac antivirus software that protects your Mac in real time
- Install a VPN for Mac to have a secure connection every time you use the internet
- The malware removal guide for Mac owners shows you how to remove various kinds of malware
- The "How to check your Mac for malware" guide tells you how to find and remove malware from your Mac
- Run Have I Been Pwned to check whether your email has been in a data breach
- Take a few minutes to read our guide on how to prevent data leaks
MilitarySleep.org breach
MilitarySleep.org is a patient portal where users can create accounts, discuss treatment options and ask questions about their sleep disorders. Researchers at the MacKeeper Security Research Center discovered a publicly accessible Mongo database containing the private medical data of thousands of military personnel suffering from sleep disorders.
The database held 2 gigs of data, including more than 1,300 messages (sensitive communications between patients and doctors) and the personal data of more than 1,200 users, including their names, emails, personal mobile numbers, unencrypted passwords, and military history / service rank. The most damaging information found was the stored notes and chat logs in which patients asked questions about sensitive medical issues they were experiencing, believing the communication to be confidential. Many of the email addresses were @us.army.mil, so we can assume that active-duty and former service members were being treated.
Medical privacy is extremely important to civilians and veterans alike; if details of their diagnosis and treatment leak, it can affect their current employment, future employment, security clearance or other areas of their lives. Worse, there is the fear that employers could discriminate against applicants or employees based on a leaked medical history or the likelihood of illness. This is why protecting medical records is so important and why every possible cybersecurity step must be taken.
The site is registered to Dr. Emerson Wickwire of Maryland. According to his personal website, "My research interests focus on biobehavioral sleep processes, including sleep as treatment for the body and brain, the most common sleep disorders, sleep in special populations, and the dissemination of best practices."
Fortunately, the database had not fallen victim to Harak1r1, the 0.2 bitcoin ransomware, a malicious actor targeting unprotected MongoDBs around the world. The database was secured shortly after we sent an email notification, although without any word or comment from the developers.
We would like to thank Dissent of DataBreaches.net for assisting in covering and securing the breach. Be sure to read her story here.
The MilitarySleep.org database was discovered only a day after Harak1r1 infected thousands of similarly configured Mongo databases, deleted all of their data and demanded a 0.2 bitcoin ransom to restore the files. This unfortunate data leak may have just saved their data from being deleted by the Harak1r1 bitcoin ransomware. Earlier this week the MacKeeper Research Center found that a database connected with Emory Healthcare had fallen victim to it.
World Wrestling Entertainment leaks 3 million emails
World Wrestling Entertainment, also known as WWE, is a popular American entertainment company and promoter of professional wrestling. Although wrestling is their main focus, they also earn revenue from films, music, video games, product licensing, direct product sales and more.
This week, security researchers from MacKeeper discovered two open and publicly accessible Amazon S3 buckets containing a huge amount of information used by a third-party agency specifically for WWE marketing purposes. We estimate that about 12% of all the information (several gigabytes) was set to "public" access and available for anyone with an internet connection to view and download.
What the WWE leak contained
First, the unsecured Amazon S3 bucket contained a large volume of emails in TXT files. The data dated from 2014-15 and contained fans' names, emails and physical addresses, plus the results of demographic surveys asking fans about education, age and ethnicity, children's ages and children's gender. The total number of records was 3,065,805; researchers checked for duplicates and, in the sample, they all appeared to be unique.
Data fields of the 3M records:
Despite all the scripting and the arguably staged matches, they still have a huge fan base and following. WWE is watched by 15 million fans weekly in the US alone, and in 2016 it announced an expansion into China, which gives them a potential new fan base of 1.4 billion!
One of the archives with public access also included a configuration file listing the name of another WWE-related bucket.
The second bucket also had data partially set to public access (around 12-15%) and contained another huge set of marketing and customer data, including the billing details (addresses, usernames, etc.) of hundreds of thousands of European customers from 2016.
The documents also included spreadsheets tracking WWE's social media accounts, such as YouTube, with weekly plays, shares and comments, giving a deeper look at how they manage social media and fan engagement. The list was even broken down by country/region, so one can imagine they use it to better target their advertising or localize content.
Also found was a large cache of Twitter posts, saved as search results for specified WWE-related keywords.
Large entertainment companies never share this kind of thing publicly, so this is a rare look at how WWE uses big data to understand its fan base and the content it produces.
Both buckets were secured within hours of us sending a notification message to the WWE Corp developer email addresses found in the first bucket. However, no answer or feedback has been received on how long the data had been exposed, how many customers' information was public, or how many IP addresses may have accessed it so far.
Despite being a global entertainment organization, little is known about the behind-the-scenes inner workings of the privately held company. By some estimates, WWE is worth as much as $4 billion. Many folders were protected and did not allow outside access. No information about wrestlers or employees was accessible, but the leak of fan emails, names and other data is a cybersecurity wake-up call.
This news comes on the heels of a series of hacks involving leaked nude photos of WWE Divas and even a sex tape scandal involving British superstar Paige. In addition, WWE stars Maryse, Victoria and Alexia Bliss were also hacked.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.
Another victim of Harak1r1, the 0.2 bitcoin ransomware
As you know, medical records are protected in the US under federal and state law. When medical records leak online, hospitals, doctors and insurance companies can face fines and penalties. On December 30, 2016 the MacKeeper Security Research Center discovered a misconfigured Mongo database containing hundreds of thousands of what appeared to be patient records and other sensitive information.
The IP was hosted on Google Cloud, and the domain names hosted at that address (reverse IP) identified the Emory Brain Health Center. On January 3, 2017 the research team went back to review the data and found that the database had fallen victim to Harak1r1, the 0.2 bitcoin ransomware.
This non-traditional ransom method actually takes and deletes the victim's data and holds it until the ransom is paid. The data is completely removed from the database rather than encrypted, as in most common types of ransomware attacks. See the details here.
In the MacKeeper Security Research Center's original scan of the database, the estimated number of exposed records appeared to exceed 200,000! They were broken down into the following file names and records:
- "Clinicworkflow" contained 6,772 records (medical record number, address, date of birth, first name, last name)
- "Orthopaedics" contained 31,482 records (first name, last name, medical record number, address, email)
- "Orthopaedics2" contained 157,705 records (mobile phone, first name, last name, address, email)
- "Orthoworkflow" contained 168,354 records (mobile phone, first name, last name, date of birth, address, email)
The following message was found in the database:
A text sample of the records and data now extracted by Harak1r1, the 0.2 bitcoin ransomware. This sample was taken before the data was deleted.
A big question: the database discovered by the MacKeeper Security Research Center actually belonged to Emory Healthcare. Have they taken the proper steps to inform their customers and the authorities about this data theft and breach?
Working with Dissent of DataBreaches.net, we have reached out to multiple contacts in an attempt to identify a connection with Emory Healthcare, or to obtain a comment on how they plan to recover the data or notify patients.
SpaSurgica: Canadian plastic surgery customers' records leaked
The files included before-and-after pictures of breast augmentations, implants and reductions. SpaSurgica also offers lip reduction, liposuction and a variety of plastic surgery options that many customers want kept private. Each patient's pictures, descriptions and medical history gave an in-depth look at what kind of data was exposed. These were not just home addresses and medical records but intimate pictures of patients' bodies. Also accessible were unencrypted text files containing usernames and passwords for accounts, printers and other password-protected logins.
The MacKeeper team thanks Dissent of DataBreaches.net for taking part in this investigation and helping to notify Dr. Mohamed Elmaraghy's office of the leak. Access has since been closed and the data is no longer publicly available. We never heard back from SpaSurgica, despite several notification emails sent immediately after the discovery.
Read her story here.
Plaintext network infrastructure passwords.
The patient picture archive contained hundreds of images.
Patients' names were associated with the images.
Medical records can be very private and sensitive. This is just one example of thousands of scanned or faxed documents, showing a patient sharing not only how her parents died and every major medical issue she has faced, but also details of a cocaine addiction. Unfortunately, drug addiction and health records can affect employment, or how an employer views an employee with private medical conditions or challenges.
Canadian law protects patients in data leaks
According to the website of the Information and Privacy Commissioner of Ontario, there is a strict process for the theft or leak of private medical data. Under the Personal Health Information Protection Act, 2004 (PHIPA), physicians have an obligation to keep patients' personal health information confidential. PHIPA also places a legal duty on physicians to maintain and comply with information practices that protect patients' personal health information against theft, loss, or unauthorized use or disclosure, and it sets out what must happen if personal health information is stolen or accessed by an unauthorized individual.
The law requires containment and notification:
When faced with a privacy breach, two priorities must be addressed immediately:
- Containment: determine the scope of the potential breach and take the steps needed to contain it.
- Notification: affected individuals must be notified as soon as possible.
- Investigation and remediation: once the breach has been contained and the affected parties notified, an internal investigation must be conducted.
***
Interpreters Unlimited personal data leak
The device contained private information (our estimate is 4,500 records) in the form of Excel spreadsheets and .TXT files, including employee data, salary data, social security numbers, emails and more sensitive data, all in plaintext.
A special folder held all of the server access details and the email logins and passwords of almost every employee.
The site's technical administrator is listed in the WHOIS registration, and personal files belonging to the IT manager were stored on the device.
As a general rule, social security numbers should never be stored in plaintext documents; combined with names, addresses, emails and other identifying information, they give cybercriminals everything they need.
The data found by MacKeeper researchers even included the amount of money each translator earned with the company in the previous year. The file provides enough information to allow criminals to file fake tax returns, obtain loans or commit other forms of fraud.
Interpreters Unlimited provides translation services such as on-site interpretation, video, telephone and a range of other services. According to their website, "We act as a 'matchmaker', finding the most suitable language service for your needs." Their client roster includes companies such as Google, Boeing and the US Postal Service.
We have been working with Zack Whittaker of ZDNet, who was able to reach the company's president and alert him to the incident (our initial notification, emailed to the company's IT manager, went unnoticed). The NAS device has been quarantined. The company is engaging lawyers and a third-party security auditing firm, and it will notify the people affected (the translators) of the exposure.
He said the data had been streaming out for "four to six months".
You can read Zack's story on ZDNet.
Telemarketing company leaks nearly 400K sensitive files
One of the largest discoveries to date by researchers at the MacKeeper Security Research Center is hundreds of thousands of publicly available files. The files belong to the controversial Florida-based marketing company VICI Marketing LLC and include thousands of audio recordings in which customers give their names, addresses, phone numbers, credit card numbers, CV numbers and more. In 2009, VICI Marketing LLC agreed to pay $350,000 to settle a complaint by the Florida Attorney General's office that the company had obtained stolen consumer information and had not taken proper steps to ensure the data was lawfully acquired. Researchers have confirmed that, despite the fines and penalties, the customer and company data was still not secured, and the date range of the recordings goes back several years. Under the agreement, VICI could be subject to a $1 million civil penalty if the terms of the injunction are violated.
Each call contains enough information to give a cybercriminal everything needed to steal credit card information or commit a variety of crimes. Some recordings did not warn customers that the call was being recorded or stored. Eleven states require every party to consent to a call or conversation for a recording to be legal. These "two-party consent" laws have been adopted in California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania and Washington.
Improper data storage or misconfigured databases can happen to companies large and small, but one would expect a company that has already paid a hefty price and been the subject of regulatory violations to take cybersecurity more seriously. In the 2009 case, in which they were accused of obtaining stolen consumer information, VICI's attorney Robby Birnbaum claimed "we have no evidence of that". Under the terms of the 2009 settlement, VICI was permanently barred from obtaining or using data without due diligence, from using data from illegal or questionable sources, from accessing and using data for consumer telemarketing without background due diligence, and from illegal telemarketing.
The files found by MacKeeper security researchers contain hundreds of thousands of records and could take weeks to go through; it is currently unclear whether the sensitive data has been sold to or obtained by third parties. Researchers downloaded a 28 GB backup copy for verification and will securely delete the publicly available documents once the case is closed. In cases where data becomes part of a criminal or civil investigation, MacKeeper works closely with law enforcement and US Homeland Security. No wrongdoing is suspected at this point, just the exposure of up to 17,649 recordings containing credit card numbers and private customer files.
There were also 375,368 recordings that could be described as "dialed calls", some of which contained personal information.
The internet is full of complaints about how VICI Marketing LLC operates, along with claims and allegations. While searching customer reviews and employee reviews we found a blog post describing how VICI would give customers a promotional gift for which they only had to pay shipping. They offered Skin DM/Rejuvaglow Cream that was supposed to cost $3.95 and ended up costing $92.61 after everything was over. A former employee, Justin Tyme, said:
"By the time consumers realize what has happened, there are already more than $100 in charges... When a customer calls for a refund, they make it sound as if you cannot get your money back, offering instead to let you keep the product and give you only a partial refund. I'm sure some people returned the product to sender, refusing the shipment? When you call to ask for a refund, you are told you cannot have one because you did not send the product back properly and it was not processed back into the warehouse!!! The same person tells you they can clearly see in your account that the product was successfully returned, but they marked it as 'no RMA', so the company knows not to refund your money."
Although we could not verify the former employee's claims, many online complaints tell the same story and describe exactly the same sales and billing methods.
IndyCar data leak
Most of these backups appear to be merely operational, but what stood out were IndyCar employee login credentials and 200K user accounts with fields including email, physical address, first and last name, password hash, username, security questions, date of birth and gender. Essentially, this is an identity theft treasure trove.
It is important to point out that these accounts have since been retired, so there is no need to change your IndyCar forum login password. But if you are the kind of person who reuses passwords (most people are, sadly), you should reset any account that may have used the same password. If a malicious party came across these datasets, they may be cracking these passwords and attempting to use them on other online accounts right now.
This brings me to something I have wondered about for a while: why do companies hold on to password hashes long after shutting down a website? That is just liability. They put their customers at risk for no gain. IndyCar had absolutely nothing to gain by keeping these password hashes. Now they face negative PR as this situation becomes known to racing fans.
I can only assume the lawyers and risk managers working for IndyCar did not realize that retired forum logins were being stored. Taking big risks for zero upside is not how those kinds of people keep their jobs. If you are reading this and manage risk at a large company, you should really ask your IT staff two important questions:
- What are we storing?
- Do we really need it?
PIP Printing and Marketing Services data leak
Most of the 400 GB server was dedicated to design files and images related to the printing business. The most sensitive information was contained in the "Outlook Archives" and "Scans" folders. These held approximately 50 GB of scanned documents related to court cases, medical records, well-known companies and celebrities. There was also a correspondence archive in which the company's customers sent requests for copies to management. That archive contained more than 2,200 messages, some of which contained credit card numbers and billing details in plain text.
PIP Printing and Marketing Services, a printing and design company, is an award-winning printing and production company with franchise locations across the United States that ranks among Entrepreneur's Franchise 500.
This is just another example of how digital our lives have become, where even something as simple as printing a document can expose customers' sensitive data. MacKeeper Security recommends that any company that receives and stores sensitive customer data take every possible step to protect and secure it.
Among the sensitive data: the files of a former American professional football player, including NFL retirement information, social security numbers and some medical information; and thousands of confidential files from Larry Flynt's Hustler Hollywood retail stores. The files dated back to 2010 and included HR documents for each store, internal investigations, sales figures, targets and profit-and-loss statements.
Once again this shows the danger for any company, large or small, that fails to protect its data online. A leak is more than embarrassing when it exposes confidential store sales data and internal communications.
Important note
The information discovered by the MacKeeper Security Research Center was publicly available and required no password to access the data.
It first appeared on our radar in late October 2016. Although we tried to notify the printing company, our calls and emails were never taken seriously. We also recorded a call with a receptionist who acted strangely and was unwilling to pass the information along.
We thank Tom Spring of Threatpost for assisting in this case and conducting his own investigation. Learn more details by following his story: https://threatpost.com/printing-and-marketing-firm-leaks-high-profile-customers-data/123530/
Extensive breach at Stewart International Airport
The leaked dataset includes everything from sensitive TSA investigation letters to employee social security numbers, network passwords and 107 gigabytes of email correspondence. Until I notified the facility's management last Tuesday, there was a real risk to the safety and security of this US airport.
This is an important case study of how business practices can lead to a data breach. According to the materials found, the Port Authority of New York and New Jersey contracted the management of Stewart International to a private company called AVPORTS. That company then contracted a single IT person who came in only two or three times a month.
You cannot expect one person to maintain an airport's network infrastructure. Doing so is a recipe for security lapses. This is a classic example of how privatization can go wrong. For-profit companies are often incentivized to prioritize revenue over best practices.
AVPORTS' incident response performance underscores this. In an industry like airport management, every employee needs at least cursory data breach preparedness training. The first person I spoke with at AVPORTS was very nice to me, but asked whether this "could wait until tomorrow".
The answer to that question is no. When your company is leaking government-created documents marked with phrases like "Confidential", "For Official Use Only" and "Unauthorized release may result in civil penalties or other action", you cannot just wait until tomorrow. It requires immediate action.
Initial response
I was somewhat reassured when, a few minutes later at around 12 noon Pacific time, the AVPORTS COO did call me back. He assured me that I would soon hear from their IT staff to further investigate and correct the situation.
Three and a half hours later I had not heard from anyone and the data leak was still live. I decided to call the Port Authority. They directed me to call the Stewart terminal and provided the phone number. During that next call, to the terminal operator, the server's exposed port was closed to the outside world. It is unclear whether this was coincidental timing, as the people at the terminal claimed their department could not make such a change.
The IT guy
A few hours later, around 7 pm Pacific, I finally got a call from the IT guy. The conversation started off poorly. He told me I had committed a crime by downloading this data and used the analogy of breaking into someone's home and stealing things (which is far from the truth).
Fortunately, the conversation evened out when I explained to him that my actions were in no way criminal. The device was configured in a way that publicly distributed these files without a single username, password or other authentication measure. Intentional or not, the machine was essentially acting as a public web server.
Possible explanation
So how did this happen? Here are some clues: the IT guy I spoke with told me that a few months ago the airport had experimented with backup software called ShadowProtect. I was told that part of that process involved opening port 873 on the firewall, and that the ShadowStream service (part of ShadowProtect) may have been using some aspect of the remote synchronization service (rsync). That is exactly what I was told in the conversation.
That may be a bit of a red herring, though, and only part of the puzzle. In the backups I was able to find an email chain indicating that AVPORTS purchased at least one Buffalo TeraStation backup NAS device in March 2016.
Those who keep up with my work may recall the same brand and model of NAS device from the recently reported Ameriprise Financial data leak. In fact, I have recently made several other breach discoveries involving that particular device.
My hypothesis is that port 873 may be open by default on some Buffalo TeraStations. Remember that port 873 had been intentionally opened on Stewart International's firewall as part of the ShadowProtect experiment.
The current working theory is that these two factors combined to cause the breach. But all of this raises the question: would this oversight have happened if AVPORTS had even one full-time IT person at Stewart?
Even then, you get what you pay for.
For more information, see the ZDNet article.
***
Amazon AWS issue takes down the internet
It is currently unclear what is wrong with these services. Moreover, the problem persists and is partially affecting websites on the East Coast. As Amazon said on its official Twitter account: "S3 is experiencing high error rates. We are working on recovery".
AWS is Amazon's cloud storage service, popular with large companies such as Netflix, Adobe Systems, Airbnb and BMW. MacKeeper also relies on AWS to keep operations running smoothly. But it is hard to imagine the number of small businesses that use AWS.
You can check the Amazon Service Health Dashboard for the latest updates on the fix.
Many internet users, however, found the outage amusing and offered Amazon some advice:
MacKeeper security researchers discover sensitive US Air Force data
Researchers discovered a series of sensitive files, including personnel qualification and access reports containing the names, ranks and social security numbers of hundreds of service members. At the bottom of each page is a notice:
"Under the Privacy Act of 1974, you must safeguard personnel information retrieved through this system."
The most alarming documents were spreadsheets of open investigations, including names, ranks, locations and detailed descriptions of the allegations. The investigations range from discrimination and sexual harassment to more serious claims. One example is an investigation into a Major General who is accused of accepting $50k a year from a sports commission that was supposedly funneled into the National Guard. There were many other details from investigations that neither the Air Force nor those being investigated would want publicly leaked.
There is a file that contains Defense Information Systems instructions for encryption key recovery. This is a comprehensive step-by-step guide on how to regain access to an encryption key, with all of the URLs where someone can request information regarding a Common Access Card (CAC) and Public Key Infrastructure (PKI). The danger of leaking the email addresses and personal information of senior military officials is that, through social engineering and other methods, bad actors could potentially gain access.
Among the sensitive documents was a scanned image of the Lieutenant's JPAS (Joint Personnel Adjudication System) account from the Department of Defense. This included the login URL, user ID and password to access the system. JPAS accounts are only provisioned for authorized individuals, and we can assume classified information would be available to anyone who accessed the account. The database also included a copy of the North Atlantic Treaty Organization (NATO) Information Security Training Manual and many other documents that may or may not be publicly available.
The device has since been taken offline and it is unclear whether anyone other than members of the MacKeeper Research Team had access to the files or how long they were available.
Please see more details on the story in Zack's feature at ZDNet: https://www.zdnet.com/article/leaked-us-military-files-exposed/
Schoolhouse data breach
Schoolzilla, a student data warehousing platform, made the all-too-common mistake of configuring their cloud storage (an Amazon S3 bucket) for public access. I discovered the bucket after noticing a few other unsecured buckets related to the Tableau data visualization platform. There was an exposed “sz.tableau” bucket, so I started looking for other “sz” iterations. That's when I came across “sz-backups”, which turned out to be the main repository for Schoolzilla's database backups.
I downloaded several of the production backups; the largest was titled “Web_Data_FULL” and weighed in at 12 gigs. After loading them into a local MSSQL instance I did some review and concluded that this was most likely real student data and did indeed come from Schoolzilla. The possibility of a false-flag operation is always in the back of my head (a scenario in which an unscrupulous company creates a false data breach that appears to originate from a competitor).
Schoolzilla was quick to respond when I submitted a data breach notification ticket. They secured the data and opened dialogue with me to learn the full extent of the issue. I applaud their incident response. This was the first situation of its kind for them and they reacted professionally. It must have been grueling for the CEO to phone each client and relay the unpleasant news, but they did it within only a few days of my report.
Additionally, Schoolzilla understood the problem and took responsibility. They did not try to shoot the messenger or claim that I had somehow “hacked” them. That's worth an extra-large gold star on the board for them.
Unlike most reports, I do not have any redacted screenshots to share for this one. The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion. I did however seek guidance from the US Department of Education before overwriting my copies just in case they wanted them preserved for any investigatory purposes. Unfortunately, the Department's voicemail box is currently full and I could not leave a message.
A message from Schoolzilla's CEO regarding the situation can be found here: https://schoolzilla.com/commitment-information-security/
Information for editors:
The MacKeeper Security Research Center was established in Dec 2015 with the goal of helping to protect data, identifying data leaks and following a responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the MacKeeper Security Research Center a reputation as one of the fastest-growing cyber data security departments.
Auto financing company leaks 500K customers' info online
As part of our research on publicly available Amazon AWS S3 buckets, MacKeeper Security Researchers discovered yet another repository, (mis)configured for public access, which contained 88 megabytes of spreadsheet documents in *.csv format with the names of hundreds of auto dealerships around the United States.
Upon further investigation we were able to identify what appeared to be customer purchase information (such as full names, address, zip, last 4 SSN digits), credit scores (FICO auto scores), and vehicle year, make and model. Once it was clear this was automotive financing data, we found the name of the company we believed to be associated with the exposed data.
The files allegedly belong to Alliance Direct Lending Corporation, an automobile finance company that refinances auto loans or uses a network of dealers to match with pre-qualified buyers.
The leaked data contained 124 files (each holding from 5 to 10 thousand records, which brings us to 550K - 1M customer details in total), with financing records broken down by dealership, and 20 audio recordings of customers agreeing to auto loans or the refinancing of auto loans. These consent calls were the customers agreeing that they understood they were getting an auto loan and confirming that the information was correct and true. They included the customers' names, dates of birth, social security numbers and phone numbers. The calls were in both English and Spanish.
A member of MacKeeper Security Research called and spoke with an IT administrator, who looked at the URL of the publicly accessible data and confirmed that it appeared to belong to Alliance Direct Lending. When searching online for Alliance Direct Lending, it appears that they really do have a solid reputation and nearly all of the reviews are positive, but data breaches can and do happen. This is yet another wake-up call for anyone dealing with financial data, social security numbers or other sensitive data to audit your data often. One simple misconfiguration could leave your entire organization's data storage publicly available online to anyone looking for it.
Did anyone else see this data?
It is unclear whether anyone other than security researchers accessed it or how long the data was exposed. According to the bucket properties, it was last modified on Dec 29, 2016. It contained 210 public items and 790 private ones (listed but not available), which were logs. The IT administrator claimed that it had only recently been leaked and was not up for long. He thanked us for the notification, and the data was secured very shortly after the notification call.
The danger of this information being leaked is that cybercriminals would have enough to engage in identity theft, obtain credit cards, or even file a false tax return. Alliance Direct Lending is based in California, where the law requires notification of a breach when a California resident's unencrypted personal information is compromised. California was the first state in the US to require notification of security breaches (its law became effective in 2003).
313 large databases went public
Troy Hunt did a great job describing all the details about that, which is why I reached out to him first to see if this dump is something special.
After running a sample set through his HIBP project, Troy identified 243,692,899 unique emails, with almost every single address already in HIBP, mostly centred around the big incidents.
And while it is not news in itself, the availability of this data almost publicly (I mean, unprotected MongoDB equals public) is alarming.
During our research, we were surprised to see as many as 313 large databases, each over 1GB in size and several terabytes of data in total, hosted in the US, Canada and Australia.
The database in question is hosted on a cloud-based IP, and it is unclear who actually owns it. We sent a notification email to the hosting provider, but usually that is not the quickest way to shut it down.
After a series of 'ransomware' attacks targeting MongoDBs left without authorization at the beginning of this year, I was not sure if somebody still uses early versions of Mongo where the default configuration is possible. It appears that “Eddie” did.
The database is 75 gigs in size and contains data structured in readable JSON format, which included at least 10 previously leaked sets of data from LinkedIn, Dropbox, Last.fm, MySpace, Adobe, Neopets, RiverCityMedia, 000webhost, Tumblr, Badoo, Lifeboat etc.
The lesson here is simple: most likely, your password is already there and somebody might be trying to use it right now. So isn't this a good time to change it?
***
Global communication software left a massive amount of data online
Online communication has become a vital part of today's business environment and it is essential that business owners have tools and analytics to gauge efficiency, communication, and a range of data sets. One of the top companies that provide cloud-based unified communications has just leaked more than 600GB of sensitive files online.
The MacKeeper Security Center has discovered not just one but two cloud-based file repositories (AWS S3 buckets with public access) that appear to be connected to the global communication software and service provider BroadSoft, Inc. They have created an infrastructure for cloud unified communications tools that can be service-provider hosted or cloud-hosted by BroadSoft. According to their website, the publicly traded company has over 600 service providers across 80 countries and supports millions of subscribers. Their partners are some of the biggest names in communications, telecom, media and beyond, including Time Warner Cable, AT&T, Sprint and Vodafone, among many other well-known companies. When 25 of the world's top 30 service providers by revenue all use BroadSoft's infrastructure, and with so many subscribers, it is easy to see that this data leak could have a massive reach.
BroadSoft business applications
- UC-One: a single, integrated business communications solution
- Team-One: chat, take notes, track tasks and share files in organized workspaces. Team-One also provides access to Google Drive, Salesforce and other apps, and is integrated with over 50 other popular apps.
- CC-One: an omni-channel, cloud contact center solution that uses predictive analytics to lower operating costs and improve business performance.
- Hub: a unified experience, bringing together BroadSoft Business and cloud apps
Other BroadSoft Business Platforms include BroadWorks, BroadCloud, Carrier, PaaS, Reseller, BroadSoft Mobility.
How the leak happened
The problem is that the repository was configured to allow public access and exposed extremely sensitive data in the process. They used Amazon's cloud but misconfigured it by leaving it accessible. Amazon AWS buckets are protected by default, but these were somehow left publicly available. Most likely they were forgotten by engineers who never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents. Not only could they access the documents, but any “Authenticated Users” could have downloaded the data from the URL or by using other applications. With no security in place, a simple anonymous login would work.
This leak shows once again just how insecure data can be when improper security settings are used. In this instance the same mistake leaked the data and information of potentially millions of BroadSoft's customers and those their partners service. This is not unique to BroadSoft and happens to companies big and small, but what does stand out is the size and scope of their business. Their infrastructure and portfolio of applications are used by millions of customers, and many of them had their data exposed. It is unclear whether BroadSoft will be notifying affected customers of this data exposure or whether the partner companies who use their infrastructure will.
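The “public” and “Authenticated Users” settings described above are ordinary ACL grants to two predefined S3 groups, and the second one grants access to every AWS account in the world, not to the bucket owner's own staff. The following audit, an added example rather than MacKeeper's or BroadSoft's code, reads an ACL document of the shape that `aws s3api get-bucket-acl` returns and reports which permissions each public grant exposes; the bucket names, owner ID and sample ACLs are constructed.

```python
"""Audit S3 ACL documents (the shape returned by `aws s3api get-bucket-acl` /
boto3 get_bucket_acl) for grants that make a bucket or object public.
Added example, not MacKeeper's or BroadSoft's code; samples are constructed."""
from dataclasses import dataclass

# Predefined S3 groups that can appear as ACL grantees. "AuthenticatedUsers"
# is the misleading one: it means any AWS account in the world, not the
# accounts that belong to the bucket owner's organisation.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet (no AWS account needed)",
    AUTHENTICATED_USERS: "any AWS account holder worldwide",
}

# What each ACL permission lets a public grantee do, per ACL scope.
IMPACT = {
    "bucket": {
        "READ": ("high", "list every object key in the bucket"),
        "WRITE": ("critical", "create, overwrite or delete objects"),
        "READ_ACP": ("medium", "read the bucket ACL and learn who else has access"),
        "WRITE_ACP": ("critical", "rewrite the ACL and grant themselves FULL_CONTROL"),
        "FULL_CONTROL": ("critical", "do anything with the bucket and its ACL"),
    },
    "object": {
        "READ": ("high", "download the object"),
        "READ_ACP": ("medium", "read the object ACL"),
        "WRITE_ACP": ("critical", "rewrite the object ACL"),
        "FULL_CONTROL": ("critical", "download the object and rewrite its ACL"),
    },
}


@dataclass(frozen=True)
class Finding:
    resource: str
    grantee: str
    permission: str
    severity: str
    impact: str


def audit_acl(resource: str, acl: dict, scope: str = "bucket") -> list[Finding]:
    """One Finding per grant to a world-accessible group. Grants to canonical
    users (the owner, named accounts) and to LogDelivery are not public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        permission = grant.get("Permission", "")
        severity, impact = IMPACT[scope].get(
            permission, ("medium", f"exercise permission {permission}"))
        findings.append(
            Finding(resource, PUBLIC_GROUPS[grantee["URI"]], permission, severity, impact))
    return findings


def report(resource: str, acl: dict, scope: str = "bucket") -> str:
    """Human-readable summary of the public grants on one bucket or object."""
    findings = audit_acl(resource, acl, scope)
    if not findings:
        return f"{resource}: no public grants"
    lines = [f"{resource}: {len(findings)} public grant(s)"]
    for f in findings:
        lines.append(f"  [{f.severity.upper()}] {f.permission} to {f.grantee}: can {f.impact}")
    return "\n".join(lines)


# Constructed owner (a real canonical ID is also 64 hex chars) and sample ACLs.
OWNER = {"DisplayName": "storage-admin", "ID": "f1d2" * 16}

# Constructed: a test bucket whose admin granted READ to "Authenticated Users",
# believing that limited access to their own staff, plus READ_ACP to everyone.
LEAKY_TEST_BUCKET_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
    ],
}

# Constructed: owner only, plus the LogDelivery group, which is not public.
PRIVATE_BUCKET_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print(report("example-test", LEAKY_TEST_BUCKET_ACL))
    print(report("example-private", PRIVATE_BUCKET_ACL))
```

The same function audits object ACLs with `scope="object"`, where a public READ means the object itself can be downloaded.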
How it was discovered
In July MacKeeper Security researchers discovered an Amazon S3 cloud-based data repository connected to the WWE (World Wrestling Entertainment), hosted on the public 'wwe-test' S3 domain. This raised the flag that many administrators could potentially open a backup for testing and never close it. After the discovery, researchers began testing other variations of the '-test' suffix and came across 2 of the connected repositories (one using the underscore sign '_', which Amazon does not recommend). Searching for the test repositories is how it was discovered, and we can only assume there are many more cloud-based data leaks actively available that started out as a testing ground but were never secured.
On Aug 29th a security notice was sent to an engineer based in BroadSoft's Indian office (Bangalore) whose email communications were found in the repository. He replied “Who gave you my contact and it does not belong to us”. Then, ironically, one of the two repositories was closed to public access almost immediately after the notification. This would logically suggest that engineers may have been trying to do damage control by denying that the 600GB of data belonged to BroadSoft or their clients.
The second bucket was quickly secured only after a notification email to Charter-related people was sent.
What the leak contained
In short, the repository contained a massive amount of sensitive information, and researchers estimate it would take weeks to fully sort through all of the data. The most potentially damaging discovery was that it contained internal development information such as SQL database dumps, code with access credentials, access logs and more. These are all things that should not be publicly available online. The two repositories contained thousands and thousands of records and reports for a number of BroadSoft clients, with Time Warner Cable (TWC) appearing to be the most prominent, including applications like Phone 2 Go, the TWC app, WFF etc.
Much of the internal development data apparently saved by BroadSoft engineers related to Time Warner Cable and Bright House Networks (BHN/Charter). For example, the “User Profile Dump, 07-07-2017” text file contains more than 4 million records spanning the period 11-26-2010 to 07-07-2017, with transaction IDs, user names, MAC addresses, serial numbers, account numbers, service and category details, and more. Other databases also hold billing addresses, phone numbers etc. for hundreds of thousands of TWC customers.
Bob Diachenko, chief communications officer, MacKeeper Security Center:
The threat and risk
Cybercriminals and state-sponsored espionage are a real threat to major corporations, businesses of all sizes, and individuals. We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes. One example is the infamous Yahoo email breach and the belief that it was used to identify dissidents and gather trade secrets and other sensitive data. The bottom line is that data is valuable and there will always be someone looking for it. Improperly securing data is just as bad, if not worse, because it was preventable. BroadSoft accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access their network and infrastructure.
The MacKeeper Security Research Center has downloaded the contents of the repository for verification purposes and it is unclear if anyone else has had access to the data.
As we continue to see more and more cloud leaks appear it reminds us that companies large and small must conduct regular audits to secure their data. Misconfiguration of cloud-based storage repositories that allow public or semi-public access can result in a devastating data leak that requires no hacking or password. The MacKeeper Security Team is dedicated to identifying threats and vulnerabilities and helping to secure them or bring attention that will help make data more secure online.
Alex Kernishniuk, VP of strategic alliances, MacKeeper:
UPDATE: The article has been updated to reflect that no evidence except a similar report name was identified to mention AMC among affected companies.
Mexican tourist tax refund company leaks customer records
Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The MacKeeper Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publically accessible. These tourists traveled from around the world to enjoy Mexico's beaches, warm weather, historical sites, or cities and had their private data exposed in the process.
The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.
MoneyBack is part of Prorsus Capital SAPI de CV, a Mexican investment fund. The most dangerous aspect of this discovery is the massive amount of data, totaling more than 400GB.
How MoneyBack works
They have created a network of affiliate stores who offer the tax refund as a type of discount to lower the final purchase price of certain goods tourists buy. These refunds would make sense for luxury jewelry, gold, and diamonds that cost many thousands of dollars. According to MoneyBack's General Director Danielle Van Der Kwartel “International travelers can receive an 8.9% refund of the total amount they spend when shopping at any of the 6,500 MONEYBACK affiliated stores”. They also claim to provide service in more than 98% of Mexico's air and maritime points of departure and have 55 offices, airport booths, cruise ports, and shopping mall locations.
MoneyBack works closely with travel agents by providing training on its services to help them promote the tax refunds to their clients traveling to Mexico. It seems to be a profitable business and encourages shoppers to spend more but are customers really saving that much money? Some credit card companies charge 3% foreign transaction fees and it is unclear what fees MoneyBack charges customers or the travel agent commissions. There are some complaints online about the bureaucracy of the Mexican Government taking up to 6 months to disburse refunds. Are the savings worth it?
How the leak happened
During a routine security audit, MacKeeper Security Researchers discovered a misconfigured CouchDB that allowed public access to the data via a browser. Those who follow cybersecurity news may remember that in early 2017 10% of CouchDB servers were victims of ransomware because of the same misconfiguration. Although MoneyBack is based in Mexico, the hosting and IP address are located in the United States. The database was publicly accessible and required no password or other authentication to view or download MoneyBack's entire repository.
Bob Diachenko, chief security communications officer, MacKeeper Security Center:
What was leaked and who is affected?
Researchers identified passports of people from all over the world who had used MoneyBack's services. Among the most common were citizens of the US, Canada, Argentina, Colombia, Italy, and many other countries. It appears to be every client that used their services between 2016 and 2017.
- Over 300 GB database in size
- 455,038 scanned documents (passports, IDs, credit cards, travel tickets and more)
- 88,623 unique passport numbers registered or scanned
Mexico has a booming tourism industry despite travel warnings for certain areas and a history of gang violence and kidnappings. It was estimated that the country welcomed a record 35 million international tourists in 2016. Many tourists who buy expensive items on their vacation likely love the idea that they can have a portion of the sales taxes returned, but is it worth having your data exposed online?
How tax-free shopping in Mexico works
Tax-free sounds great, but there are some restrictions. Tourists must spend at least 1,200 pesos ($67 USD) on Mexican goods (this does not apply to services such as hotel stays and food expenses). Tourists must also enter and leave Mexico by sea or air. The minimum purchase per store is 1,200 pesos with electronic payment, and cash purchases cannot exceed 3,000 pesos ($168 USD). Another issue to consider is that you will have to deal with the Mexican tax authorities' bureaucracy yourself, or hand your personal information, credit card, and identification to a third-party company such as MoneyBack.
- Tourists need to shop at an affiliated store with “Tax Free shopping”.
- They must ask for an official invoice with the store's tax ID number.
- When tourists leave by air or by sea there are Tax Free booths; they can also visit one of the offices or use several other ways to submit their tax paperwork.
- Although MoneyBack estimates 40 days to receive a refund, complaints report waits of up to 6 months.
The danger of this data
Alex Kernishniuk, VP of strategic alliances, MacKeeper:
***
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Center.
MacKeeper Research Center discovers massive botnet of malware-infected Elasticsearch servers
One of our recent research projects focused on publicly accessible Elasticsearch (ES) nodes, and we discovered suspicious index names that had no relation to the Elasticsearch file structure.
Among the many “red flags”, some of the file names referenced the AlinaPOS and JackPOS malware. These are POS (point-of-sale) malware families that attempt to scrape credit card details using a range of different techniques. As an example of why this malware is so effective, JackPOS tries to pass itself off to the system as Java or a Java utility. It can copy itself directly into the %APPDATA% directory or into a Java-based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and can even encode the stolen credit card data so that it goes undetected as it is exfiltrated. This malware first became widespread in 2012, but it is still effective today and available for sale online.
In 2014 the family tree looked as follows:
Today the picture is much worse and much more widespread.
Despite some security warnings and industry-related news, it appears POS malware has been out of the headlines for a while, but the danger is still there for millions of cardholders. Kromtech researchers started looking for any updates about this specific type of malware and the status of files being distributed on unsuspecting servers. What surprised researchers is that there are new and updated versions of the malware currently for sale to anyone.
At Cybercrime tracker https://cybercrime-tracker.net/index.php?search=alina we've seen new samples of these malware types and low detection rates by the most popular antivirus engines (tested with VirusTotal).
Even for the relatively old sites hosting C&C (command and control) servers, there is not enough information to flag the real risks. The VirusTotal URL Scanner indicated that only 6 of the 65 available antivirus engines and website scanners were able to identify the new versions of the POS malware.
Why did it happen?
The lack of authentication allowed the installation of malware on the Elasticsearch servers. The public configuration gives cyber criminals the possibility to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the resources of the server and even execute code to steal or completely destroy any saved data the server contains.
In our case, a bunch of AWS-hosted Elasticsearch instances was under attack for malicious use. Moreover, every infected ES server became part of a bigger POS botnet with command and control (C&C) functionality for POS (point-of-sale) malware clients. These clients collect, encrypt and transfer credit card information stolen from POS terminals, RAM memory or infected Windows machines.
The old C&C interface used by POS malware is displayed below (taken from https://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html)
We checked with Shodan (our commonly used IoT search engine, which returns service banners with meta-data of the server) how many systems on the internet have similar signs of infection.
As of today, there are nearly 4000 infected Elasticsearch servers, and about 99% of them are hosted on Amazon.
Why are nearly all of the Elasticsearch servers hosted by Amazon Web Services?
Amazon Web Services provides customers with a free T2 micro (EC2 / Elastic Compute Cloud) instance with up to 10 Gb of disk space. These T2 instances are designed for general purpose workloads that don't use the full CPU, such as web servers, developer environments, and small databases. The problem is that on the T2 micro you can only run Elasticsearch versions 1.5.2 and 2.3.2.
The Amazon hosting platform gives users the possibility to configure an Elasticsearch cluster in just a few clicks, but usually people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions, and in this case it did, by exposing a massive amount of sensitive data.
Kromtech Security Researchers discovered similar file structures on Shodan.io for Elasticsearch services. They then compared the modification times of suspicious files on these infected Elasticsearch servers and drew some logical conclusions:
- There are different packages of C&C malware, i.e. servers were infected multiple times
- Different packages can be related to different botnets (because POS malware was seen for sale not only on the Darknet but on public domains as well)
- Many servers are infected; for the same package on different servers the time of infection could differ due to periodic scans and botnet expansion
- Nearly 99% of infected servers are hosted on Amazon Web Services
- 52% of infected servers run Elasticsearch version 1.5.2, 47% version 2.3.2, and 1% other versions
- Recent infections were made at the end of August 2017
The following table represents Kromtech Security Center's findings and the attack distribution of the infected AWS instances through vulnerabilities in the Elasticsearch server and the Amazon security configuration:
Kromtech Security Center highly recommends taking the following actions for effective incident response:
- Check your log files on all servers in your infrastructure
- Check connections and traffic
- Make a snapshot/backup of all running systems
- Extract samples of malware and provide them to us for further analysis (security@kromtech.com)
- Reinstall all compromised systems; otherwise, you need to clean up all suspicious processes, check your systems with antivirus and monitor your systems during the next 3 months for any anomalous connections
- Install the latest Elasticsearch patches or completely reinstall it
- Close all unused ports to external access, or whitelist only trusted IPs
Here are also some recommendations from the Elasticsearch site that need to be followed: https://www.elastic.co/what-is/elastic-stack-security
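The first response step above, checking the servers themselves, starts with the signal the researchers used: index names that do not belong to the deployment. Below is an added example (not Kromtech's tooling) that triages a `_cat/indices` listing for a hypothetical logging cluster. The sample output, the allowlist patterns and the incident start date are constructed; the `index`, `docs.count` and `creation.date.string` columns are the ones the cat API documents, and the POS family names come from the report.

```python
import re

# Constructed sample of `GET _cat/indices?v&h=index,docs.count,creation.date.string`
# output. The values are invented for this example, not data from infected servers.
SAMPLE_CAT_INDICES = """\
index                 docs.count creation.date.string
logstash-2017.08.27   184203     2017-08-27T00:00:03.118Z
logstash-2017.08.28   91220      2017-08-28T00:00:02.941Z
.kibana               7          2017-03-02T14:11:40.006Z
jackpos_panel         0          2017-08-29T03:17:55.412Z
alina_gate            2          2017-08-30T21:44:09.000Z
zzzxq                 1          2017-08-31T02:01:12.773Z
"""

# Index-name patterns an operator expects on this hypothetical cluster.
EXPECTED_INDEX_PATTERNS = [
    re.compile(r"^logstash-\d{4}\.\d{2}\.\d{2}$"),
    re.compile(r"^\.kibana"),
]

# Markers tied to the POS malware families named in the report.
POS_MALWARE_MARKERS = ("alina", "jackpos")


def parse_cat_indices(text):
    """Turn whitespace-separated cat output into a list of row dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def triage_indices(text, incident_start="2017-08-01"):
    """Return {index_name: [reasons]} for indices that need a human look.

    An index is flagged when its name matches none of the expected patterns
    or carries a known POS-malware marker. Flagged indices created after the
    incident start are additionally marked so responders can prioritize them
    (ISO-8601 timestamps compare correctly as strings).
    """
    findings = {}
    for row in parse_cat_indices(text):
        name = row["index"]
        reasons = []
        if not any(p.search(name) for p in EXPECTED_INDEX_PATTERNS):
            reasons.append("unexpected index name")
        for marker in POS_MALWARE_MARKERS:
            if marker in name.lower():
                reasons.append(f"name references POS malware family '{marker}'")
        if reasons and row.get("creation.date.string", "") >= incident_start:
            reasons.append("created inside incident window")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for index, reasons in triage_indices(SAMPLE_CAT_INDICES).items():
        print(index, "->", "; ".join(reasons))
```

The allowlist is the important part: a cluster owner knows which index names are legitimate, so anything outside that set is worth a look even when it carries no known malware name. The marker list only adds confidence for the families this report describes.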
Vulnerability types in ELK
Infographics for infected ES Servers:
The following graph represents vulnerable versions of Elasticsearch Servers used by attackers to distribute and control malware through vulnerable or misconfigured Elasticsearch Servers:
Auto tracking company leaks hundreds of thousands of records online
Have you ever heard of the term SVR? The “SVR” stands for “stolen vehicle records.” The MacKeeper Security Center has discovered a repository connected to the vehicle recovery device and monitoring company SVR Tracking. And this is what we'll cover in this article.
In 2017 researchers found an Amazon AWS S3 bucket (public cloud-based storage) that happened to be misconfigured and left publicly available. This breach exposed information on their customers and the reseller network, along with the devices attached to the cars.
The repository we mentioned above held over half a million records of logins and passwords, emails, IMEIs of GPS devices, VINs (vehicle identification numbers), and other information collected on their devices from customers and auto dealerships. Curiously, the exposed data also recorded exactly where in the car the tracking unit was hidden.
What was discovered?
A backup folder called “accounts” held the records of 540,642 ID numbers and account information including many license plates and VINs, hashed passwords, IMEI numbers, emails, and more.
- 71,996 (02/2016)
- 64,948 (01/2016)
- 58,334 (12/2015)
- 53,297 (11/2016)
- 51,939 (10/2016)
- 41,018 (9/2016)
- 35,608 (8/2016)
- 31,960 (7/2016)
- 31,054 (6/2016)
- 29,144 (5/2016)
- 38,960 (4/2016)
- 32,384 (3/2016)
- 116 GB of Hourly Backups
- 8.5 GB of Daily Backups from 2017
- 339 documents called “logs” covering a wider date range (2015-2017): UpdateAllVehicleImages, SynchVehicleStatus, maintenance records
- Document with information on the 427 dealerships that use their tracking information.
The number of devices could be much higher because many of the resellers or clients had multiple devices for tracking.
If you feel at risk, learn how to act after a data breach occurred.
Detailed tracking 24hrs a day, even if the car is not stolen or missing
This software tracks wherever the vehicle has been during the last 120 days. What is even more terrifying is that all of the visited places are marked and pinpointed on the map. In addition, there is a feature showing anyone who has login credentials the best locations and stops where the car has been. The so-called “recovery mode” pinpoints the vehicle every 2 minutes and creates zone notifications. A 99% successful recovery rate is a great result, but what good is it when user logins and passwords for hundreds of unsuspecting drivers are leaked online?
According to their website “The SVR Tracking service enables lot owners to locate and recover their vehicles with live, real-time tracking and provides stop verification, enabling them to determine potential locations for their vehicles. Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”
One can access the software on any internet-connected device (desktop, laptop, mobile, or tablet). The satellite locates the tracking unit and sends the data to its servers using the GPRS data network. Think of the potential danger if a criminal could locate a car simply by logging in with the exposed credentials, and then steal that vehicle.
Shortly after we sent the responsible disclosure note, the bucket was secured; however, there has been no word from the company.
In 2012 there were an estimated 721,053 automobiles stolen in the United States.
Verizon wireless employee exposed confidential data online
On September 20th, MacKeeper Security researchers discovered a publicly accessible Amazon AWS S3 bucket containing around 100MB of data belonging to an internal Verizon Wireless system called DVS (Distributed Vision Services).
DVS is the middleware and centralized environment for all of Verizon Wireless's (the cellular arm of VZ) front-end applications, used to retrieve and update billing data.
Although no customer data is involved in this data leak, we were able to see files and data named "VZ Confidential" and "Verizon Confidential", some of which contained usernames and passwords; these credentials could easily have allowed access to other parts of Verizon's internal network and infrastructure.
Another folder contained 129 Outlook messages with internal communications within the Verizon Wireless domain, again with production logs, server architecture descriptions, passwords and login credentials.
Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent a responsible disclosure email on September 21st. Shortly after that, the online archive was taken down, and it was later confirmed that the bucket was personally owned by a Verizon Wireless engineer and was neither owned nor managed by Verizon.
What the repository contained:
- Admin user info that could potentially allow access to other parts of the network
- Command notes and logs, including
- B2B payment server names and info
- Internal PowerPoints showing VZ infrastructure, with server IPs, marked as “Verizon Wireless Confidential and Proprietary information”
- Global router hosts
- 129 saved Outlook messages with access info and internal communications
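Both the SVR Tracking and the Verizon Wireless incidents above come down to the same control: an S3 bucket that grants read access to everyone. The added example below (not MacKeeper's or either company's code) shows how an owner can audit the two places that make a bucket public, the bucket policy and the bucket ACL, using the JSON shapes returned by the AWS `GetBucketPolicy` and `GetBucketAcl` calls. The bucket name, account ID and role name in the sample documents are constructed.

```python
import json

# Group URIs AWS uses in ACL grants for "everyone" and "any AWS account".
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed bucket policy in the shape GetBucketPolicy returns (not a real bucket).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
        {"Sid": "CiUpload", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})

# Constructed ACL grants in the shape of the Grants list from GetBucketAcl.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_exposures(policy_json):
    """List the actions a bucket policy grants to everyone on the internet."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        # A Condition block may narrow the grant (e.g. to a VPC); it still needs review.
        note = " (restricted by a Condition block; review it)" if "Condition" in stmt else ""
        for action in _as_list(stmt.get("Action", [])):
            findings.append(f"policy {stmt.get('Sid', '<no Sid>')}: {action} granted to everyone{note}")
    return findings


def acl_exposures(grants):
    """List ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTH_USERS_URI):
            who = "anyone" if grantee["URI"] == ALL_USERS_URI else "any AWS account"
            findings.append(f"ACL: {grant['Permission']} granted to {who}")
    return findings


def bucket_exposures(policy_json, grants):
    """Combined list of public exposures; an empty list means none were found."""
    return policy_exposures(policy_json) + acl_exposures(grants)


if __name__ == "__main__":
    for finding in bucket_exposures(SAMPLE_POLICY, SAMPLE_ACL_GRANTS):
        print(finding)
```

The ACL and the policy are evaluated independently by S3, so a bucket with a clean policy can still be world-readable through a single AllUsers grant, which is why both are checked. In a real account the two inputs would come from `get_bucket_policy` and `get_bucket_acl` in boto3; the check itself stays the same.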
Damage control or denial?
Verizon had $126.0 billion in consolidated revenues in 2016, and it seems unlikely that a company of that size would leave the keys to the front door of its data servers or network out for anyone. In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open-source or publicly available? What we saw was access to production logs, scripts, instructions, and administrative credentials for protected areas of Verizon's internal infrastructure.
In the aftermath of the Equifax data leak it is easy to be skeptical, considering that Equifax waited 5 months to inform regulators or the public. Then remember that Equifax executives sold off stock before the price drop. It is not unreasonable to expect that an organization confronted with a data leak might deny it. As security researchers we often hear that data was not sensitive or that it was production or test data, when it is clearly not.
Bob Diachenko, chief security communications officer, MacKeeper:
Alex Kernishniuk, VP of strategic alliances, MacKeeper:
Report: virtual keyboard developer leaked 31 million client records
The MacKeeper team has discovered a massive amount of customer files leaked online and publicly available. Researchers were able to access the data and details of 31,293,959 users. The misconfigured MongoDB database appears to belong to Ai.Type, a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.
Ai.Type was founded in 2010 and, according to their site, their flagship product for Android was downloaded about 40 million times from the Google Play store, and the numbers of downloads and users are rapidly growing. They plan to integrate matching bots as a user types their conversation, and their Ai.Type keyboard will soon offer a “Bots Discovery Platform” via keyboard. There was also a notice of a name change from Ai.Type to Bots Matching Mobile Keyboard in the coming year.
Giving up data for personalized services and apps
Consumers give up more data than ever before in exchange for using services or applications. The scary part is that companies collect and use their personal data in ways they may not know. The concept is that people are willing to provide their digital data in exchange for free or lower-priced services or products. A study from the Annenberg School for Communication at the University of Pennsylvania concluded that a majority of Americans do not think the trade-off of their data for personalized services is a fair deal.
Once that data is gone, users have little to no knowledge of what is done with their personal data. Why would a keyboard and emoji application need to gather all the data on the user's phone or tablet? Based on the leaked database, they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on users who assume they are getting a simple keyboard application.
How the data leak occurred and what it contained
Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection. This also exposed just how much data they access, and how they obtain a treasure trove of data that average users do not expect to be extracted from their phone or tablet.
MongoDB is a common platform used by many well-known companies and organizations to store data, but a simple misconfiguration can leave the database exposed online. One flaw is that the default settings of a MongoDB database would allow anyone with an internet connection to browse the databases, download them, or, in the worst case, delete the data stored on them.
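The MoneyBack CouchDB above and the Ai.Type MongoDB here share one root cause: a database that listens on every interface with no authentication in front of it. The added example below (not MacKeeper's tooling or either company's configuration) audits the two settings that matter in each product's own config file, a CouchDB `local.ini` and a `mongod.conf`. The config excerpts are constructed, one weak and one hardened for each product; the keys (`bind_address`, `require_valid_user`, the `[admins]` section, `net.bindIp`, `security.authorization`) are the real ones. The mongod parser handles only the flat two-level layout used in the excerpts, which avoids a YAML dependency.

```python
import configparser

# Constructed CouchDB local.ini excerpts. An empty [admins] section is what
# CouchDB calls "Admin Party": every unauthenticated request acts as admin.
WEAK_COUCHDB_INI = """
[chttpd]
port = 5984
bind_address = 0.0.0.0
require_valid_user = false

[admins]
"""

HARDENED_COUCHDB_INI = """
[chttpd]
port = 5984
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = -pbkdf2-<hash placeholder>
"""

# Constructed mongod.conf excerpts (YAML, two levels deep).
WEAK_MONGOD_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_MONGOD_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def audit_couchdb_ini(text):
    """Return findings for a CouchDB local.ini; an empty list means none found."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("no admins defined: CouchDB runs in Admin Party mode")
    # CouchDB 2.x serves the API from [chttpd]; 1.x used [httpd]. Check whichever is present.
    for section in ("chttpd", "httpd"):
        if not cfg.has_section(section):
            continue
        if cfg.get(section, "bind_address", fallback="127.0.0.1") == "0.0.0.0":
            findings.append(f"[{section}] bind_address is 0.0.0.0 (listens on all interfaces)")
        if cfg.get(section, "require_valid_user", fallback="false").lower() != "true":
            findings.append(f"[{section}] require_valid_user is not true (anonymous requests allowed)")
    return findings


def parse_simple_yaml(text):
    """Minimal reader for the 'section:\\n  key: value' layout of mongod.conf."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] == " "
        key, _, value = line.strip().partition(":")
        if not indented:
            section = key
            if value.strip():
                settings[key] = value.strip()
        else:
            settings[f"{section}.{key}"] = value.strip()
    return settings


def audit_mongod_conf(text):
    """Return findings for a mongod.conf; an empty list means none found."""
    s = parse_simple_yaml(text)
    findings = []
    # Fallback assumes the 3.6+ default of localhost-only; older builds bound to all interfaces.
    if "0.0.0.0" in s.get("net.bindIp", "127.0.0.1") or s.get("net.bindIpAll") == "true":
        findings.append("net.bindIp exposes mongod on all interfaces")
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled (no authentication required)")
    return findings


if __name__ == "__main__":
    for label, result in [("weak couchdb", audit_couchdb_ini(WEAK_COUCHDB_INI)),
                          ("hardened couchdb", audit_couchdb_ini(HARDENED_COUCHDB_INI)),
                          ("weak mongod", audit_mongod_conf(WEAK_MONGOD_CONF)),
                          ("hardened mongod", audit_mongod_conf(HARDENED_MONGOD_CONF))]:
        print(label, "->", result or "no findings")
```

The combination is what makes a server an easy target: binding to all interfaces is harmless behind a firewall, and missing authentication is survivable on localhost, but together they produce the publicly browsable databases this archive keeps describing.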
Summary of what the database contained:
Client registration
Client files that included the personal details of 31,293,959 users who installed ai.type virtual keyboard. This is highly sensitive and identifiable information.
For example:
phone number, the full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google, Facebook etc.), IP (if available), location details (long/lat).
Phonebook and contact records
6,435,813 records that contained data collected from users' contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users' phones, which include all their contacts saved/synced on linked Google account.
Additionally, user data from a folder titled 'old database' that contained 753,456 records were also available.
There was a range of other statistics like the most popular Google queries of users for different regions. Data like average messages per day, words per message, age of users, fields such as 'words_per_day': 0.0 and 'word_per_session', and a detailed look at their customers.
To avoid the negative consequences of such events, learn how to secure yourself against data breaches.
Ashley Madison's private pictures went viral
Ashley Madison, the online cheating site that was hacked two years ago, is still exposing its users' data. This time, it is because of poor technical and logical implementations.
As a result, approximately 64% of Ashley Madison (AM) private, often explicit, pictures are accessible. This access can often lead to trivial deanonymization of users who had an assumption of privacy and opens new avenues for blackmail, especially when combined with last year's leak of names and addresses.
Let's look at how "Sarah" and "Jim," two hypothetical users on AM, can have their privacy broken.
AM has two types of pictures, public and private, neither of which are required. Public pictures are viewable by any AM user. Private pictures are secured by a "key." Sarah can send her key to Jim so he can see her pictures. Jim can request Sarah's key, requiring her explicit approval. Sarah can also revoke Jim's key, restricting his access.
This structure makes sense, but two issues open the door to problems:
- By default, AM will automatically share Sarah's key with Jim if he shares his key with her.
- Pictures can be accessed, without authentication, by directly requesting their URLs.
To protect her privacy, Sarah created a generic username, unlike any others she uses and made all of her pictures private. She has denied two key requests because the people did not seem trustworthy. Jim skipped the request to Sarah and simply sent her his key. By default, AM will automatically give Jim Sarah's key.
That's right, Jim can now see all of Sarah's private pictures, rated (aka explicit) and non-rated.
How does this happen? When adding a picture, the box to share your private pictures is already checked. If you keep this box checked, it will apply the same setting to additional pictures of the same type (public or private).
There are two issues with this implementation. First, few users understand the implications or think through how it could be exploited. Second, as Steve Gibson would put it, there is the "tyranny of the default." As he explains it, "whatever the default settings are, most of the time that's what they end up being forever." People will simply click through the options, leaving them as recommended. The only way to change this configuration is to go deep into the settings page.
Let's go back to our hypothetical users. Sarah will at least get an email saying that she received Jim's key and can go to AM to validate the interaction and revoke the key Jim was given.
During testing, less than 1% of users revoked their key after it had been given. It is our assumption that this means that most users do not understand the impact of this policy. We believe it is far less likely that users who go through the effort to distinguish between public and private photos are ok with any random AM user seeing their private pictures.
For those who revoked their key, access is now denied.
Actually, that's not 100% true. Once Jim is granted access to Sarah's pictures, he is able to see the link, e.g. https://photo-cdn.ashleymadison.com/[picture_name]. Not only can he access the picture; with this link anyone can access it without authentication, AM user or not. While the picture URL is too long to brute-force (32 characters), AM's reliance on "security through obscurity" opened the door to persistent access to users' private pictures, even after AM was told to deny someone access.
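The fix for the problem just described is to make every fetch of a private picture an authorization decision rather than a lookup of an unguessable name. The added example below (not AM's code, and independent of how their CDN actually works) shows one common design: the application mints a short-lived URL signed with an HMAC over the picture, its owner, the viewer and an expiry, and the origin verifies the signature and then consults the live grant set, so revoking a key denies access immediately even for links already handed out. The hostname, signing key, user names and picture name are all constructed.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed server-side secret and CDN host; in production the key lives in a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
MEDIA_BASE = "https://photo-cdn.example.test/"


def _payload(picture, owner, viewer, exp):
    # Bind the signature to everything the origin will check, so none of it can be swapped.
    return f"{picture}|{owner}|{viewer}|{exp}".encode()


def _mac(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_private_url(picture, owner, viewer, now, ttl=300):
    """Mint a short-lived URL for `viewer` to fetch `owner`'s private picture."""
    exp = int(now) + ttl
    sig = _mac(_payload(picture, owner, viewer, exp))
    query = urlencode({"owner": owner, "viewer": viewer, "exp": exp, "sig": sig})
    return f"{MEDIA_BASE}{picture}?{query}"


def authorize_fetch(url, now, granted):
    """Decide whether the origin may serve the picture behind `url`.

    `granted` is the live set of (owner, viewer) key grants. Removing a pair
    revokes access at the next request, regardless of URLs already issued.
    Returns (allowed, reason).
    """
    parts = urlsplit(url)
    picture = parts.path.lstrip("/")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        owner, viewer, exp, sig = q["owner"], q["viewer"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    # Constant-time comparison; check the signature before trusting any other field.
    if not hmac.compare_digest(sig, _mac(_payload(picture, owner, viewer, exp))):
        return False, "bad signature"
    if now > exp:
        return False, "expired"
    if (owner, viewer) not in granted:
        return False, "key revoked"
    return True, "ok"


if __name__ == "__main__":
    grants = {("sarah", "jim")}
    link = issue_private_url("a1b2c3d4.jpg", "sarah", "jim", now=1_500_000_000)
    print(authorize_fetch(link, 1_500_000_010, grants))   # allowed while the grant exists
    grants.discard(("sarah", "jim"))                       # Sarah revokes Jim's key
    print(authorize_fetch(link, 1_500_000_010, grants))   # same link, now denied
```

Two properties matter here. The 32-character name is no longer the only thing standing between a picture and the public, because a bare path with no valid query string is rejected, and revocation is enforced where the bytes are served rather than only in the application's key list.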
Data leakage
In order to prove the validity of this issue, we wrote a program to iterate through all IDs, aka profile numbers (0-99,999,999), and gave a private key to a random sample of users that had private pictures. Based on this random sampling:
- 26% of users had private pictures
- 64% of user accounts that had private pictures automatically returned their key
AM's parent company, Ruby, also controls two other sites, Established Men and Cougar Life. Both of these sites also have automatic key exchange and require no authentication to directly access picture URLs; however, they at least force a user to pick if they want to enable sharing by default instead of defaulting it on and requiring a user to uncheck the box.
Implications
The implications of these issues are many.
- At the core, pictures that AM users entrusted the company to store securely are exposed.
- Users can be victims of blackmail. AM users were blackmailed last year, after a leak of users' email addresses and the names and addresses of those who used credit cards. Some people used "anonymous" email addresses and never used their credit card, protecting them from that leak. Now, with a high likelihood of access to their private pictures, a new subset of users is exposed to the possibility of blackmail.
- These now-accessible pictures can be trivially linked to people by matching profile numbers and usernames against last year's dump of email addresses and names.
- Exposed private pictures can facilitate deanonymization. Tools like Google Image Search or TinEye can search the internet for the same picture, including on social media sites like Facebook, Instagram, and Twitter. These sites often carry your real name, connecting your AM account to your identity. Some users also include their first name in their username, e.g. Sarah1234. With your name, age, location, and now pictures, it can be easy to search Facebook or Google for a matching profile.
Recommendations
- Remove automatic picture sharing or adjust its logic. In our opinion, Sarah should have to explicitly give Jim permission to see her private pictures. AM's parent company does not agree and sees the automatic key exchange as an intended feature.
- Limit key exchanges. If you limit how many keys a user can send out, you decrease the speed with which they can exploit automatic key sharing across the user base. AM's parent company has completed this.
- Restrict right-click functionality in the web page. While this is not perfect, it at least raises the difficulty of saving or stealing private pictures.
- Add authentication to all AM photos. Having pictures accessible without authentication is negligent.
- Only allow one user account per email address. We were able to create 7 user accounts under the same email address, which lowered the difficulty of conducting the scan of user accounts.
For more recommendations on keeping your data secure on the web, check out these tips on how to protect your privacy online.
Report: cybercriminals steal voter database of the State of California
If there is one thing that the 2016 US election has taught us, it is that the entire electoral process needs to be revamped into a more uniform and secure process. There have been several high-profile leaks of voter data in recent months, but in this case the entire voting population of California has had their information taken by cyber criminals.
In early December, MacKeeper security researchers discovered an unprotected MongoDB database instance that appeared to contain voter data. The database named 'cool_db' contained two collections and was available for anybody with an Internet connection to view and/or edit.
One was a manually crafted set of voter registration data for a local district, and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.
According to the LA Times California had 18.2 million registered voters in 2016 so this would logically be a complete list of their records.
MacKeeper researchers were unable to identify the owner of the database or conduct a detailed analysis, because the database had been deleted by cyber criminals and replaced with a ransom note demanding 0.2 bitcoin ($2,325.01 at the time of discovery).
We were able to analyze the stats data we saw in our report (metadata on the total number of records, uptime, names of the collections etc.), as well as a 20-record sample extracted from the database shortly before it was wiped and the ransom note appeared.
Ransomware and stolen data
In January 2017 some 27,000 MongoDB databases, roughly a quarter of those left open to the internet, were hit by ransomware, and again in September 2017 three groups of hackers wiped out an estimated 26,000 MongoDB databases. The cyber criminals demanded that the owners of those databases pay around $650 USD in the cryptocurrency Bitcoin to regain their data. It is still unknown just how that stolen data was used, how many people paid to have it returned, and whether it was even returned after the cybercriminals received the money.
Back in January MacKeeper Security came up with an initiative to help those who suffered an attack. Read more about last year's 'massacre' here.
It is unclear who exactly compiled the database in question or who owns it, but researchers believe that this could have been a political action committee or a specific campaign, based on the unofficial title of the repository ("cool_db"); this is only a suspicion. Political firms assist campaigns in building voter profiles. This information on California voters is governed by state law, which dictates what kind of information can be released, and for what purposes.
The danger of a state voter database leak
In this case security researchers were able to bring awareness to millions of California citizens that their data was not only publicly leaked online, but also that cyber criminals have stolen it for ransom. State voter registration databases store detailed information on each registered voter in the state, as required by federal law.
The criminals used ransomware to wipe out the voter data and likely backed it up on a server of their own, making it even riskier. Once in the hands of cyber criminals, this voter data could end up for sale on the “Dark Web”. If this were an official database, deleting parts of that data could affect someone's voting process.
What the database contained
The 4GB collection contained data structured with the following fields:
- City:
- Zip:
- StreetType:
- LastName:
- HouseFractionNumber
- RegistrationMethodCode
- State: CA
- Phone4Exchng:
- MailingState: CA
- Email:
- Phone3Area:
- Phone3NumPart:
- Status: A
- Phone4Area:
- StreetName:
- FirstName:
- StreetDirSuffix:
- RegistrantId:
- Phone1NumPart:
- UnitType:
- Phone2NumPart:
- VoterStatusReasonCodeDesc: Voter Requested
- Precinct:
- PrecinctNumber:
- PlaceOfBirth:
- Phone1Exchng:
- AddressNumberSuffix:
- ExtractDate: 2017-05-31
- Language: ENG
- Dob:
- Gender:
- MailingCountry:
- AssistanceRequestFlag
- MailingCity:
- MiddleName:
- AddressNumber:
- StreetDirPrefix:
- RegistrationDate:
- PartyCode:
- Phone1Area:
- Suffix:
- NonStandardAddress:
- Phone4NumPart:
- CountyCode:
- MailingAdd3:
- MailingAdd2:
- MailingAdd1:
- UnitNumber:
- Phone2Exchng:
- NamePrefix:
- _id: ObjectId
- MailingZip5:
- Phone2Area:
The “ExtractDate” is most likely the indicator of when the database was compiled. It appears to have been created on May 31st, 2017.
The second, much larger collection in the database, named '22GB', appears to be the complete California voter registration records. It contains a massive 409,449,416 records in total.
The format and information in the document titled “22GB”
- ExtractDate: '2017-05-31',
- 'District':
- 'RegistrantId':
- 'CountyCode':,
- 'DistrictName':
- '_id': ObjectId
Bob Diachenko, head of communications, MacKeeper Security Center:
Here are the transactions for the wallet in the ransom note
https://www.blockchain.com/btc/address/1EPA6qXtthvmp5kU82q8zTNkFfvUknsShS
The database has been taken down since the initial discovery. The Secretary of State of California was aware of the leak and "was looking into it"; however, at the time of publication we had not received any official statement.
Read more guides:
- What to Do If Your Data Was Leaked in a Data Breach
- How to Remove Personal Information from the Internet