[BreachExchange] Cybersecurity Falls Short In September

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 2 20:07:38 EDT 2017


https://www.pymnts.com/news/security-and-risk/2017/deloitte-sonic-yahoo-sap-cybercrime/

Since Sept. 7, the media has been abuzz over the security breach at credit
scoring company Equifax and the vast number of consequences the incident
set in motion, from the resignation of the company’s CEO to lawsuits filed
by state Attorneys General across the U.S.

While Equifax is clearly learning from (and paying dearly for) its
mistakes, it would have been nice to see some others take the lesson to
heart before they became the next victim. Unfortunately, if anything, the
number of blockbuster breaches in September seemed bigger than normal, not
smaller.

Here are a few of the places fraudsters found their “in” this month — some
of which were overshadowed by the Equifax news, some of which held their
own in headlines, but all of which have been cause for concern among
consumers, who are losing confidence in any company’s ability to keep their
personal information safe.

SAP Point of Sale

Luckily, this one was just a hypothetical hack — it could have been much
worse. It was a team of cybersecurity researchers from the firm ERPScan,
and not malicious hackers, who discovered that point-of-sale (POS) systems
made by SAP had a gaping loophole.

These white hat hackers found that the system did not authenticate or check
internal commands, so anyone with access to the store’s network could wreak
havoc with prices at the checkout, including setting discounts, capturing
card data or even remotely starting or shutting down the terminal.

When any devices around a store are connected by Ethernet, it’s practically
an invitation to hackers to launch a plug-and-play attack. SAP quickly
rolled out patches and fixed the vulnerability before less honorable
hackers could take advantage of it.

Yahoo Litigation Moves Forward

Though not a new hack, the data breaches at Yahoo nevertheless comprised
the largest cyberattack of all time, so it’s only fitting that we include
this month’s court decision to move forward with litigation.

The courts reportedly dismissed Yahoo’s claim that victims did not have the
standing to sue. The nationwide lawsuit represents the interests of one
billion users, all of whom face the risk of future identity theft thanks to
the Yahoo breach. Some plaintiffs also said they spent their own money
defending themselves against these potential future attacks — an
expenditure that would not have been made if Yahoo had not exposed their
personal data in the first place.

Instagram

Hackers reportedly stole celebrities’ contact information, including email
addresses and phone numbers, through an Instagram security breach. It was
later revealed that non-celebrity users of the photo-sharing social network
were also affected, though Instagram did not say how many.

While no passwords were stolen and the vulnerability was patched, the
stolen data had already made its way online, with sites such as Doxagram
claiming to sell celebrity contact information for as little as $10. This
incident occurred despite the fact that Instagram had introduced two-factor
authentication months earlier. Users who are not already using the more
secure two-factor option would do well to activate it, the platform
recommended.

Elasticsearch Servers

Due to a lack of password security and authentication technology, more than
4,000 Elasticsearch machines were infected by two types of malware, JackPOS
and AlinaPOS. Elasticsearch is an open-source search engine based on the
Apache Lucene software license.

Malware on its servers could herald more POS system attacks in the future,
according to Security Intelligence. The particular malware discovered would
allow attackers to wipe information or take control of computers.

Kromtech Security experts found that more than one-quarter of Elasticsearch
instances had been exposed to files with links to hidden
command-and-control servers. Most of the systems are hosted on Amazon Web
Services, the popularity of which could increase the potential for more
users to be exposed to these malicious files.

EDGAR Database

The U.S. Securities and Exchange Commission (SEC) revealed that its EDGAR
database for corporate filings had been compromised the previous year and
now, more recently, may have been hacked by individuals who wished to make
illegal insider trades based on the information from the previous breach.

Reportedly, the hackers leveraged a weakness in the EDGAR system, which has
since been patched. While the corporate reports filed in the system don’t
contain very sensitive information, the symbolic value of the attack is
weighty, especially since, ironically, the SEC’s new chairman has made a
point of focusing on cybersecurity enforcement.

National Bank of Canada

National Bank of Canada customers may have seen data belonging to other
customers while filling out an electronic form on the bank’s website. No
addresses, banking information or social insurance numbers were compromised
by the glitch.

Thankfully, this one was just a glitch caused by human error and not a
malicious attack. It impacted around 400 customers, all of whom have been
provided with free credit monitoring services since the incident.

Deloitte

Cyberattackers reportedly leveraged an administrator’s account to gain
unrestricted access across Deloitte’s email server, which stores around
five million emails for the Big Four accountancy firm.

The administrative account required only a single password rather than the
more secure two-factor authentication — odd and rather embarrassing, since
Deloitte prides itself on its cybersecurity chops and even provides
security services to clients.

The breach exposed emails and company plans of several of Deloitte’s
clients. Deloitte has notified some and is still investigating the impact
to others.

Sonic Drive-In

The first signs of a breach appeared in the Oklahoma City area on
Wednesday, Sept. 27, where financial institutions started noticing a wave
of bad card transactions. The common denominator? All had recently been
used at a Sonic.

Meanwhile on the dark web, five million new cards were flooding the bazaar
Joker’s Stash, many or all of which were tied to the Sonic breach (it was
unclear whether some had been mixed in from other eatery breaches).

Sonic owned up to the breach and launched an investigation, bringing on
third-party forensic experts and law enforcement as soon as it heard from
its credit card processor that there had been unusual card activity. It is
not yet known how many locations or individuals were affected.

Whole Foods

The good news is, if you buy your groceries at Whole Foods, your payment
data is safe. The latest blockbuster breach only affected the POS systems
used at the taprooms and full-service restaurants located at some Whole
Foods stores, which are different from the primary checkout systems.

Amazon customers need not worry: Although the eCommerce giant recently
acquired Whole Foods, the payment systems are not linked, so there has been
no impact to transactions on Amazon’s website.

At least, customers don’t need to worry about this breach exposing their
data through that channel. However, if they want to worry about a breach
exposing their data on some channel at some time — well, considering the
month we’ve just had, who could blame them?
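The Elasticsearch item above comes down to one condition: an HTTP endpoint that answers without credentials. The following is an added example, not code from the article, from Elasticsearch or from Kromtech, of the check a practitioner would run over their own inventory to find such nodes. It uses only the Python standard library, sends no credentials, reads only the root document and the index list, and the three hostnames and their responses (open.example, locked.example, web.example) are constructed to mirror the shape of a real Elasticsearch 5.x reply so that the script runs offline.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without credentials.

Added example: not code from the article or from Elasticsearch/Kromtech.
The sample responses below are constructed to mirror the shape of a real
Elasticsearch 5.x root document and of /_cat/indices?format=json output.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# A fetcher takes a URL and returns (HTTP status, body). A None status means
# the connection failed, the normal result for a host not serving that port.
Fetcher = Callable[[str], Tuple[Optional[int], str]]


def http_fetch(url: str, timeout: float = 3.0) -> Tuple[Optional[int], str]:
    """Standard-library fetcher. Deliberately sends no Authorization header."""
    req = Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (URLError, OSError):
        return None, ""


def classify(status: Optional[int], body: str) -> str:
    """Map one root-endpoint response to a verdict string."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"  # a security plugin or a proxy gates the node
    if status != 200:
        return "other"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # The root document of an Elasticsearch node carries a cluster name and a
    # version object; getting it back anonymously means the node is open.
    if isinstance(doc, dict) and "cluster_name" in doc and isinstance(doc.get("version"), dict):
        return "open-elasticsearch"
    return "not-elasticsearch"


def check_host(host: str, port: int = 9200, fetch: Fetcher = http_fetch) -> Tuple[str, List[str]]:
    """Return (verdict, names of indices readable without credentials)."""
    base = f"http://{host}:{port}"
    verdict = classify(*fetch(base + "/"))
    indices: List[str] = []
    if verdict == "open-elasticsearch":
        # The root document is only a fingerprint; anonymous access to the
        # index list is what shows stored data is reachable by anyone.
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            try:
                rows = json.loads(body)
                indices = [r["index"] for r in rows if isinstance(r, dict) and "index" in r]
            except ValueError:
                pass
    return verdict, indices


def scan(hosts: List[str], fetch: Fetcher = http_fetch) -> Dict[str, Tuple[str, List[str]]]:
    """Run check_host over an inventory and return results keyed by host."""
    return {h: check_host(h, fetch=fetch) for h in hosts}


# Constructed responses for three hypothetical hosts (assumed, not real data).
_FAKE_RESPONSES: Dict[str, Tuple[Optional[int], str]] = {
    "http://open.example:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "elasticsearch",
        "version": {"number": "5.6.2", "lucene_version": "6.6.1"},
        "tagline": "You Know, for Search"})),
    "http://open.example:9200/_cat/indices?format=json": (200, json.dumps([
        {"health": "yellow", "status": "open", "index": "orders", "docs.count": "18422"},
        {"health": "yellow", "status": "open", "index": "customers", "docs.count": "901"}])),
    "http://locked.example:9200/": (401, '{"error":"missing authentication token"}'),
    "http://web.example:9200/": (200, "<html><body>It works!</body></html>"),
}


def fake_fetch(url: str) -> Tuple[Optional[int], str]:
    """Offline stand-in for http_fetch, driven by the constructed table above."""
    return _FAKE_RESPONSES.get(url, (None, ""))


if __name__ == "__main__":
    hosts = ["open.example", "locked.example", "web.example", "dark.example"]
    for host, (verdict, idx) in scan(hosts, fetch=fake_fetch).items():
        print(f"{host:16} {verdict:20} {', '.join(idx)}")
```

To run it against real hosts, pass an inventory list to `scan()` with the default `http_fetch`; an "open-elasticsearch" verdict with a non-empty index list is the condition the article describes, and the fix is to put authentication (or at least a network boundary) in front of port 9200 rather than to rely on the port being unknown.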