Search This Blog

Showing posts with label Data Exposure. Show all posts

Ghana’s National Service Secretariate Exposed 700K Individuals Data Due to Cloud Misconfiguration

 

Noam Rotem and Ran Locar researchers for VPNMentor stated that Ghana's National Service Secretariat – NSS – has encountered a significant database malfunction that compromised data of up to 700,000 individuals from and around the country, totaling 55GB of data. 

According to researchers, this leak poses a serious risk to Ghanian government employees affiliated with the organization as well as thousands of its people. The exposed database was identified on September 29, 2021, and the NSS and CERT-GH were contacted between October 6th and 12th, 2021. 

NSS is essentially a government initiative that oversees a year of mandatory public service for Ghana-based graduates of selected educational institutions. Every year, thousands of students enroll in this program to work in various public areas such as healthcare. 

As per the VPNMentor research, the NSS used Amazon Web Services (AWS) to store approximately 3 million files from its various applications. 

Although some of the documents in the cloud storage account were password-protected, the majority of the files were still accessible to the public as well as the database. 

“While the NSS had password-protected many documents stored on the S3 bucket, the bucket itself was left completely open, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills,” VPNMentor’s report read. 

This breach exposes the personal information of at least 700,000 people, leaving them vulnerable to fraud, identity theft, and hacking scams. Furthermore, employees working for the government agency have become subject to a variety of threats. 

The compromised database contains participants' program membership cards and identity documents, such as the Ghana National Health Insurance Scheme, professional IDs based on the candidate's placement industry, and so on. 

Moreover, the organization saved several types of passport photographs submitted by participants. The Computer Emergency Response Team of Ghana (CERT-GH) has acknowledged that the database was compromised and has stated that the problem will be resolved as soon as possible.

400,000 German Students Data Exposed due to API Flaw

 

A newly found API issue in Scoolio, a school software used by 400,000 German students, has exposed the personal information of those kids. Lilith Wittmann of the IT security collective Zerforchung discovered the issue and notified the applications team immediately. 

Scoolio employs targeted advertising based on data collected from users, the majority of whom are students, without their knowledge or permission. It does, however, assert that it does not collect any user information. 

Scoolio's API shortcomings, as per Wittmann's report, facilitate information extraction based on the user ID. Anyone who uses this technique can obtain the user's username, email address, GPS history, school name and class, interests, UUID data, and personal information such as origin, religion, gender, and so on. 

Furthermore, the researcher also gave a fake representation of the data types affected by the issue. 

The researcher also noted that the API patch to avoid data leak was relatively straightforward and that it arrived in 30 days, on October 25, 2021, after they were notified of the issue on September 21, 2021. She goes on to say that it is impossible to say how many students were affected as Scoolio inflates user statistics. The app's creators have produced an official paper outlining the patch and have confirmed it. 

Scoolio provides users with tools for managing time, homework planning, staying in touch with friends, and even contacting firms for job vacancies or internship options. The business behind this one collaborated with several German schools and marketed it as a remote teaching support software. It was created with funding from three state-owned investment groups: SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen, so many students are compelled to use the software as a result of collaborations and government initiatives endorsing the same. 

The fundamental issue is that no security flaws are being audited. An initiative dubbed "EduCheck Digital" (EDCD) that began in August is attempting to evaluate which instructional media fulfills German data protection requirements and have the green signal for usage in schools. 

"I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures," Danny Roller, CEO, and founder of the Scoolio app shared in a statement. 

"Fortunately, after extensive testing, we can confirm that No user data was intercepted by third parties before the investigation by Ms. Wittmann and we have successfully closed the gaps found."

Confidential Terrorist Watchlist With 1.9Mn Records Exposed Online

 

Cyber security researcher Bob Diachenko has unearthed an unsecured ElasticSearch server containing nearly two million terrorist watchlist records, including "no-fly" list indicators, which were left exposed for a period of three weeks between July 19th and August 09th. 

Earlier this week, Diachenko posted a message and said, “On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it." The unprotected server had a Bahrain IP address but it remains unclear whether the server was owned by the US or any other country.

Diachenko immediately reported his discovery to the US Department of Homeland Security, but the records weren't taken down until August 09. The leaked records contained passport details, full name, dates of birth, citizenship, gender, TSC watchlist, country of issuance, and no-fly indicator. 

“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI, which maintains the country's no-fly list, a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he informed. 

No-fly list

The exposed data belongs to the people who are suspected as terrorists but have not necessarily been charged with any crime. "If it falls in wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list," Diachenko said. 

Prior to 2015, the terrorist watchlist was completely confidential. Then the US government modified its policy and began privately informing US citizens who were added to the list, but foreigners still often can't find out whether they're on the no-fly list until they try to board a plane. 

Several media reports suggest that the US officials are recruiting informants in exchange for keeping their names off the no-fly list. Some past or present informants' identities could have been exposed. The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.

The discovery of the exposed records comes just a month after the DHS, the Department of Justice, and other federal agencies -- launched a new website with the sole motive of combating the threat of ransomware.

Indian Startup Exposed Byju's Compromised Server Data

 

Salesken.ai, an Indian-based technology secured a compromised server that was leaking out private and sensitive data on one of its clients, Byju's, a startup and one of the leading educational startups. The server was left uncompromised since June 14, says Shodan, who provide the historical data. Shodan is a search engine for compromised devices and databases. Anyone could access the server data as it was left without the password. 

The compromised server was discovered by security researcher Anurag Sen, who also asked for assistance from Tech Crunch. "WhiteHat Jr. spokesperson Sameer Bajaj said the company is currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies," reports Tech Crunch. Salesken.ai offers companies like Byjus customer-relationship technology. It is a Bangalore-based start-up that recently raised $8 Million in Series. 
Funding from Sequoia Capital India in 2020, after two years of its founding. 

Most of the data stored in the compromised server containing information related to an online school that teaches coding to students in India and the U.S. Byjus bought Whitehat for $300 Million last year. The server had the names and addresses of the students and the email addresses and contact numbers of the parents and teachers. Besides this, the exposed server contained other data related to students, such as chat logs between parents and staff, and remarks given by teachers to their students. The compromised server also contained email copies that had reset codes for restoring accounts and other data pertaining to Salesken.ai. 

Co-founder and chief executive at Salesken.ai, Surga Thilakan says the company is currently investigating the issue but didn't disclose any information related to what kind of data was exposed in the compromised server. "Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India-based end-of-life sales logs for a fortnight." Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device," reports Tech Crunch.

Cloud Misconfiguration is Still the Leading Source of Cloud Data Violations

 

Almost everybody by now is workings from home and 84 percent are worried that new security vulnerabilities have been generated with the quick move towards 100 percent remote working. 

Cloud service providers built their administration panels' user interface purposefully to mislead consumers and charge for more services than originally intended. 

Although it was never demonstrated as a systematic business strategy, reports and alerts of a data breach have overwhelmed the internet in recent years since a cloud-based database has indeed been misconfigured and confidential information ultimately leaked. 

Throughout the past month, Censys, a security company that specializes in census-like inspections on the internet, looked closely at the cloud-based services, hoping to uncover what the best potential origin of misconfiguration might be for cloud-based businesses. As per the study, Censys has found over 1.93 million cloud server databases that have been displayed publicly without even any firewall or other authentication measures. The security company arguments that threat actors will discover and target these databases utilizing older vulnerability exploits. In addition, if the database was unintentionally leaked, it could also use a weak or even no password at all, disclosing it to all those who have detected its IP address. 

Censys reported having been used to scan MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle and that nearly 60 percent of all disclosed servers were MySQL databases which represent 1.15 million of the 1.93 million overall exposed DBs. 

The security agency also searched to find ports that could also be exposed by clouds service as they are normally used for remote management applications like SSH, RDP, VNC, SMB, Telnet, Team Viewer, and PC Anywhere. Censys retained that access to all these remote managing port must not be easily discovered but rather secured by Access Control Lists, VPN tunnel, or other traffic filtering solutions, although the underlying cause of these applications is that the systems can be remotely logged into. 

Another very significant discovery was indeed the virtual exposure of the RDP login screens by more than 1.93 million servers. 

Microsoft and several others have also indicated that many violations of security have also been caused by attackers obtaining access to an enterprise through compromised RDP credentials. Which included attacks on a broad range of actors, including DDoS botnets, crypto mining activities, ransomware gangs, and government-funded actors. 

Most organizations do not operate internally with just one cloud services provider infrastructure, but instead use several solutions, many of which might not have the same access or default settings, allowing several systems to become accessible even though IT personnel are not supposed to do so. While some cloud providers have taken measures to improve their dashboards and to clarify how those controls operate, the wording of each cloud provider is still substantially different, and some system administrators are still often confused. 

Censys said, “it expects the issue of misconfigured services to remain a big problem for companies going forward.”

Tala Research Shows that European Telecommunication Websites Expose Sensitive Customer Data

 

In 7 EU countries, Tala assessed the websites of the leading MSPs for the European top mobile providers, data exposure is a major unacknowledged concern. Analysis of Europe's leading mobile providers' websites by Tala Security shows that critical information has been at risk of over-sharing and attack — with few appropriate security measures in place to discourage it. Tala Security's recent study reveals that data exposure is a real concern for Europe's leading mobile companies and by extension for more than 253 million customers who register up and share personal information. The main issue is the insecure website supply chains. 

For many valid reasons, European Telecommunication companies collect sensitive information as part of the digital sign-up procedure, including passport numbers, payment slips, and bank account details. The analysis by Tala shows that European Telco sites do not have enough protection against third-parties risk but also uncover them to other serious risks by using numerous third-party JavaScript integrations. Without command, all websites that have JavaScript code from each owner's website including the supply chain vendor can alter, grab, or release information via JavaScript facilitated client-side attacks. The average JavaScript integration among Telecommunications companies was 162 in the group; this is a very high risk of over-sharing and data visibility. If website owners do not protect sensitive data when entered on their websites, they actually do not leave it suspended; the only reason why it is not stolen is that criminals did not use it. 

“In many cases, data sharing or exposure takes place via trusted, legitimate applications on the allow list —often without the website owner's knowledge,” said Deepika Gajaria, VP of Products at Tala Security. 

Forms used to collect credentials, banking information, passport numbers, etc. are revealed to an average of 19 third parties at considerable risk through form data exposure. No responsive website protection was established on any of the sites. On a scale of 100 with a score of 50 at an average, the website average was only 4.5. 100 percent of the most widespread website attack that frequently led to a significant sensitive leakage in the data is cross-site scripting (XSS). 

“European Telco’s routinely collect sensitive data like passport scans, banking details, address, and employment information. When website owners fail to effectively secure data as it is entered into their websites, they’re effectively leaving it hanging, an accident waiting to happen,” said Gajaria.

Adorcam Leaks Thousands of Webcam Accounts

 

A webcam application installed by a huge number of clients left an uncovered database loaded with client information on the internet without a password. The Elasticsearch database belonged to Adorcam, an application for viewing and controlling a few webcam models including Zeeporte and Umino cameras. Security researcher Justin Paine found the data exposure and reached Adorcam, which secured the database. Adorcam application is specially built for the P2P IP camera series. The clients just need to enter the camera ID and password to watch real-time video from any bought IP camera on their cell phone and no complicated IP or router settings are required. 

Paine said in a blog post shared, that the database contained around 124 million rows of information for the several thousand clients, and included live insights concerning the webcam —, for example, its location, whether the microphone was active, and the name of the WiFi network that the camera is connected to — and information about the webcam owner, such as email addresses. Paine additionally discovered proof of the camera uploading captured stills from the webcam to the application's cloud, however, he was unable to confirm since the links had expired. 

He likewise discovered hardcoded credentials in the database for the application's MQTT server, a lightweight messaging protocol often used in internet-connected devices. Paine didn't test the credentials (as doing so would be unlawful in the U.S.), yet alerted the application creator about the vulnerability, who at that point changed the password. Paine checked that the database was updated live by signing up with a new account and looking for his data in the database. Albeit the information was restricted in sensitivity, Paine cautioned that a malevolent hacker could create persuading phishing emails, or utilize the data for extortion. 

In his report on the matter, Paine pointed out that the data contained in the database distinguished between Adorcam's Chinese clients and its clients outside of China, saying, “One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example: request_adorcam_cn_user vs. such as request_adorcam_abroad_user. Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.”

Personal data of one million Moscow car owners were put up for sale on the Internet


On July 24, an archive with a database of motorists was put up for sale on one of the forums specializing in selling databases and organizing information leaks. It contains Excel files of about 1 million lines with personal data of drivers in Moscow and the Moscow region, relevant at the end of 2019. The starting price is $1.5 thousand. The seller also attached a screenshot of the table. So, the file contains the following lines: date of registration of the car, state registration plate, brand, model, year of manufacture, last name, first name and patronymic of the owner, his phone number and date of birth, registration region, VIN-code, series and number of the registration certificate and passport numbers of the vehicle.

This is not the first time a car owner database has been leaked.  In the Darknet, you can find similar databases with information for 2017 and 2018 on specialized forums and online exchanges.
DeviceLock founder Ashot Hovhannisyan suggests that this time the base is being sold by an insider in a major insurance company or union.

According to Pavel Myasoedov, partner and Director of the Intellectual Reserve company, one line in a similar archive is sold at a price of 6-300 rubles ($4), depending on the amount of data contained.
The entire leak can cost about 1 bitcoin ($11.1 thousand).Information security experts believe that the base could be of interest to car theft and social engineering scammers.

According to Alexey Kubarev, DLP Solar Dozor development Manager, knowing the VIN number allows hackers to get information about the alarm system installed on the car, and the owner's data helps to determine the parking place: "There may be various types of fraud involving the accident, the payment of fines, with the registration of fake license plates on the vehicle, fake rights to cars, and so on."

Against the background of frequent scandals with large-scale leaks of citizens data, the State Duma of the Russian Federation has already thought about tightening responsibility for the dissemination of such information. "Leaks from the Ministry of Internal Affairs occur regularly. This indicates, on the one hand, a low degree of information security, and on the other — a high level of corruption,” said Alexander Khinshtein, chairman of the State Duma Committee on Information Policy.