Posts Tagged ‘Security’

#10 — Panera
Number of victims: 37 million
Who was targeted: All PaneraBread.com customer accounts
What data was exposed: Names, email and physical addresses, birthdays, and the last four digits of the customers’ credit card numbers
Timeframe: Disclosed April 2018
What happened: Despite being warned by a cybersecurity expert in August 2017 that their website was leaking data, the Panera IT team failed to act until 8 months later, when it announced the leak and took the site down for security maintenance.

#9 — Newegg
Number of victims: 50 million
Who was targeted: Newegg online shoppers
What data was exposed: Credit card info
Timeframe: August 14, 2018 – September 18, 2018
What happened: The online retailer was hacked by the cybergang Magecart, who injected credit card skimming code into the Newegg website. Whenever a customer bought something online, that payment info went straight to Magecart’s C&C (command and control) server.

#8 — Elasticsearch
Number of victims: 82 million (57M consumers, 26M businesses)
Who was targeted: Users and online businesses across the internet
What data was exposed: From individual users — names, email and physical addresses, phone numbers, IP addresses, employers, and job titles. From businesses — names, company details, zip codes, carrier routes, latitudes/longitudes, census tracts, phone numbers, web addresses, email addresses, employee count, revenue numbers, NAICS codes, SIC codes, and more.
Timeframe: Discovered November 14, 2018
What happened: This is one of those cases we mentioned above where a regular security audit led to a researcher stumbling upon over 80 million records of sensitive, aggregated data. It is unknown how long the databases were sitting unguarded and who, if anyone, has had the opportunity to copy and steal all the data. Cybersecurity experts believe they have tracked down the source of the unguarded databases to a data management company that has since closed its doors, but the source is still officially unknown.

#7 — Facebook
Number of victims: 87 million
Who was targeted: Facebook users
What data was exposed: Profile info, political beliefs, friend networks, private messages
Timeframe: Disclosed September 2018
What happened: This is the notorious Cambridge Analytica scandal, in which the data-collecting firm illegally harvested users’ info without their permission. The secret operation was politically motivated—namely, to influence the 2016 US presidential campaign. And though the breach occurred a couple of years ago, it is only this year that investigatory conclusions have come out, giving us a clearer picture of what happened.

#6 — MyHeritage
Number of victims: 92 million
Who was targeted: MyHeritage users
What data was exposed: Email addresses and hashed passwords
Timeframe: Alerted June 2018
What happened: Cybersecurity researchers alerted the genealogy site in June 2018 that an outside server had been discovered holding sensitive MyHeritage info. The company confirmed the info was legitimate and alerted its users that any account holders who signed up before October 26, 2017 were at risk and should change their passwords.

#5 — Quora
Number of victims: 100 million
Who was targeted: Quora users
What data was exposed: Names, email addresses, hashed passwords, profile data, public and non-public actions
Timeframe: Discovered December 3, 2018
What happened: Many questions still surround the details of this breach, but the question-and-answer site reported to its users that a third party had gained unauthorized access to one of their systems, and gave no further details.

#4 — Under Armour
Number of victims: 150 million
Who was targeted: MyFitnessPal users
What data was exposed: User names, email addresses, hashed passwords
Timeframe: Late February 2018
What happened: The company’s food and nutrition app was hacked, exposing the above info to the attackers, but not, thankfully, any payment info, which the company processes through a separate channel.

#3 — Exactis
Number of victims: 340 million (230M consumers, 110M businesses)
Who was targeted: Users and businesses across the internet
What data was exposed: Over 400 categories of detail, such as phone numbers, email and physical addresses, interests, ages, religions, pet ownership, etc.
Timeframe: June 2018
What happened: Data collection firm Exactis somehow had 2 terabytes of data placed on a publicly accessible site for all to see. It is unknown who, or how many people, accessed the info before it was discovered.

#2 — Starwood
Number of victims: 500 million
Who was targeted: Starwood guests
What data was exposed: Names, email and physical addresses, phone numbers, passport numbers, account info, birth dates, gender, travel info, and accommodation info. Some of the breached info also included hashed credit card info.
Timeframe: Discovered September 10, 2018, but could have stretched as far back as 2014
What happened: Like many of the other official breach statements, the Marriott-owned hotel chain issued a statement that its servers had suffered “unauthorized access,” but recent discoveries from the investigation indicate the breach may have been caused by the Chinese government for political purposes.

#1 — Aadhaar
Number of victims: 1.1 billion
Who was targeted: Indian citizens
What data was exposed: Aadhaar numbers, names, email and physical addresses, phone numbers, and photos
Timeframe: August 2017 – January 2018
What happened: Anonymous sellers over WhatsApp charged Rs 500 and lower for a portal into India’s Unique Identification Authority, where the records of virtually every citizen were at the payer’s fingertips.

In 2005, a research team led by the Electronic Frontier Foundation (EFF) broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
“We’ve found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer,” said EFF Staff Technologist Seth David Schoen.
You can see the dots on color prints from machines made by Xerox, Canon, and other manufacturers (for a list of the printers we investigated so far, see: http://www.eff.org/Privacy/printers/list.php). The dots are yellow, less than one millimeter in diameter, and are typically repeated over each page of a document. In order to see the pattern, you need a blue light, a magnifying glass, or a microscope (for instructions on how to see the dots, see: http://www.eff.org/Privacy/printers/docucolor/).
EFF and its partners began their project to break the printer code with the Xerox DocuColor line. Researchers Schoen, EFF intern Robert Lee, and volunteers Patrick Murphy and Joel Alwen compared dots from test pages sent in by EFF supporters, noting similarities and differences in their arrangement, and then found a simple way to read the pattern.
“So far, we’ve only broken the code for Xerox DocuColor printers,” said Schoen. “But we believe that other models from other manufacturers include the same personally identifiable information in their tracking dots.”
You can decode your own Xerox DocuColor prints using EFF’s automated program at http://www.eff.org/Privacy/printers/docucolor/index.php#program.
Xerox previously admitted that it provided these tracking dots to the government, but indicated that only the Secret Service had the ability to read the code. The Secret Service maintains that it only uses the information for criminal counterfeit investigations. However, there are no laws to prevent the government from abusing this information.
“Underground democracy movements that produce political or religious pamphlets and flyers, like the Russian samizdat of the 1980s, will always need the anonymity of simple paper documents, but this technology makes it easier for governments to find dissenters,” said EFF Senior Staff Attorney Lee Tien. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?”
EFF is still working on cracking the codes from other printers and we need the public’s help. Find out how you can make your own test pages to be included in our research at http://www.eff.org/Privacy/printers/wp.php#testsheets.

Security Breaches
Florida Bar Association hacked, members’ data leaked
6.6 million plaintext passwords exposed as site gets hacked to the bone
Russian hackers leak Simone Biles and Serena Williams files
Russian internet giant Rambler.ru hacked, leaking 98 million accounts
Login details for 800,000 Brazzers users leaked
OneLogin security breach – Secure Notes exposed
Armenian Hackers leak Azerbaijani banking and military data
Alberta College of Paramedics privacy breach puts information of thousands of members at risk
UC San Diego School of Medicine notifying trainees whose SSNs were exposed on the Internet
Napa Valley Dentistry notifies patients after theft of server from storage facility
Dozens of clinics, thousands of patients impacted by third-party data leak
University of Ottawa missing hard drive with data on 900 students
County acknowledges ‘possible security breach’ of courthouse computers
Privacy breach shows names and addresses of military personnel’s families
County health care agency reports breach of patient data
Codman Square Health Center notifies members after breach at NEHEN
KidsPeace announces possible client information breach
Saint Francis investigating security breach
Personal information of La Joya ISD teachers accidentally released
CalOptima notifies members of breach 8 months later
Data breach in Oconee Co. causes employee pay issues
St. Elizabeth Physicians’ email gaffe exposed patient email addresses
Geisinger Health Plan notifies 2800 that processing error exposed their PHI to others
BDSwiss employee data allegedly stolen, investigations pending
Russian hackers release more confidential athlete data; WADA confirms
Trump’s campaign mute about data security #fail
Computer breach could have exposed trauma victims to further anguish
NBTC to probe alleged privacy breach by AIS employee
EurekAlert! goes offline following attack
Laptop stolen from U.S. Healthwork was encrypted but, alas, the password was with it
VoIPtalk admits to possible data breach
One of Portland’s largest financial firms warns of possible data breach
‘Massive data breach’ at Almelo municipality
eThekwini shuts down e-services after user data leak
Owen Smith tweets login data to 16,000 followers
DHS exposes thousands of individuals’ private information — including feds, golfers and priests
Mat-Su campus hit by data breach
‘Variety’ hacked by OurMine, subscribers inundated with email
Network security breach with Milwaukee VA affiliate
Cyber Attacks
Notice of data incident at Stallcup & Associates, CPAs
Keck Medical Center of USC discloses ransomware attack
Kennesaw State student hacks system, changes grades, steals data
Hacker tries to ransom housing authority data
Maplewood tax firm hacked; data held for ransom
University Gastroenterology notifies patients of ransomware attack
Hackers holding school computers hostage
Cyberattack cripples Appalaches school board, cancer support group
Al Zahra Private Medical Centre hacked
Computer hackers demanded ransom payment from Derriford Hospital
Misfortune cookie: Mr. Chow restaurants website hacked to distribute ransomware
Financial Attacks
AF Smith warns customers of data breach fear
China hackers swipe millions in data breach
Someone just lost 324k payment records, complete with CVVs
Abilene police reveal details of restaurant credit card fraud
McDonald’s employee stole about 100 credit card numbers while working drive-thru
Massive unreported security breach, $2 million alleged fraud at NorQuest College
PoS vendor Lightspeed suffers data breach
Other
MarsJoke ransomware targets the government and K-12 educational sector
A single ransomware network has pulled in $121 million
Tesla issues software update after hackers report remote brake hack
Seagate faced with class-action lawsuit following whaling scam
Wells Fargo fined $185 million for phony account fraud – 5,300 employees fired
Caught
Romanian national sentenced to three years in prison for role in computer hacking scheme
Kosovo hacker gets 20 years in U.S. for helping Islamic State militants
Teenager to appear in court over alleged hack and data theft
Ex-LV employee in court over data leak
Guilty plea of Krystle Steed for taking over hospital patients’ bank accounts

The Open Web Application Security Project (OWASP) has opened a chapter in Canberra. Kicked off by Andrew Muller of Ionize, OWASP brings to Canberra expertise in web application security. It also brings the small community of security professionals to meet, discuss and engage in the crucial business of securing applications.
OWASP Canberra is committed to monthly meetings, and the occasional “special” meeting. See you there!
OWASP has a project called ‘The OWASP Top Ten Project’, which lists the top 10 security threats for web-based applications.
OWASP Current Top Twelve Threats
Cross-Site Scripting (XSS)
Malicious File Execution
Insecure Direct Object References
Cross-Site Request Forgery (spoofing)
Information Leakage and Improper Error Handling (I’m guilty)
Injection Flaws
Broken Authentication and Session Management
Insecure Cryptographic Storage
Transport Layer Protection (TLP)
Failure to Secure URL Access (I’m guilty)
Security Misconfiguration
Unvalidated Redirects and Forwards

Ok, which ones are you guilty of?