GovPayNow leak exposes 14 million records dating back six years

A government payment processing company — GovPayNet — leaked more than 14 million customer records, including names, addresses, phone numbers and partial credit card numbers.

A GovPayNet site — GovPayNow — handles online payments for more than 2,600 state and local government agencies across 36 states and had a feature that allowed customers to view payment receipts online as well. However, a security issue allowed anyone to view those receipts by changing certain numbers in a receipt URL. Because of this issue, the GovPayNow leak could have exposed at least 14 million customer records dating back to 2012.

In a statement to Brian Krebs — who first reported the GovPayNow leak — the company downplayed the severity of the exposed data.

“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means,” GovPayNet said. “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”
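As an added illustration, not GovPayNet's code (the article shows none), here is the receipt-lookup flaw described above beside the ownership check the company says it introduced, plus a small detection helper; the records, user ids and field names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Receipt:
    receipt_id: int    # sequential number that appeared in the receipt URL
    owner_id: int      # account that made the payment (known server-side)
    name: str
    card_last4: str

# Constructed sample records; the real store and field names are unknown.
RECEIPTS: Dict[int, Receipt] = {
    1001: Receipt(1001, owner_id=7, name="A. Example", card_last4="4242"),
    1002: Receipt(1002, owner_id=9, name="B. Example", card_last4="1111"),
}

class NotFound(Exception):
    """Single error for missing and foreign receipts, so the response never reveals which."""

def get_receipt_vulnerable(receipt_id: int) -> Receipt:
    """Before: the number taken from the URL is the only input, so changing it
    returns another customer's receipt (the flaw the article describes)."""
    if receipt_id not in RECEIPTS:
        raise NotFound()
    return RECEIPTS[receipt_id]

def get_receipt_hardened(receipt_id: int, session_user_id: Optional[int]) -> Receipt:
    """After: require a logged-in session and compare its user to the record's
    owner looked up server-side; missing and foreign receipts look identical."""
    if session_user_id is None:
        raise NotFound()
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner_id != session_user_id:
        raise NotFound()
    return receipt

def can_read(receipt_id: int, session_user_id: Optional[int]) -> bool:
    try:
        get_receipt_hardened(receipt_id, session_user_id)
    except NotFound:
        return False
    return True

def denied_lookups_per_user(lookups: List[Tuple[Optional[int], int]]) -> Dict[int, int]:
    """Detection side: count receipts each session requested but did not own."""
    denied: Dict[int, int] = {}
    for user_id, receipt_id in lookups:
        if user_id is not None and not can_read(receipt_id, user_id):
            denied[user_id] = denied.get(user_id, 0) + 1
    return denied
```

A session with many denied lookups in `denied_lookups_per_user` is the pattern a monitoring rule would alert on; with the vulnerable handler there is no denial to count.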

Securus Technologies acquired GovPayNet in January 2018, and the GovPayNow leak is another case of privacy issues around a Securus service.

In 2015, Securus Technologies, a U.S. prison phone service provider based in Carrollton, Texas, leaked 70 million call records placed by inmates, including links to download call recordings. Also, in May 2018, Securus was found to be providing law enforcement with real-time mobile phone location data. And after that news broke, Securus was hacked, exposing usernames, email addresses, phone numbers and passwords for the company’s law enforcement customers.

Josh Mayfield, director of security strategy at Absolute Software Corporation, a cybersecurity company based in Austin, Texas, was skeptical about the company’s response to the GovPayNow leak.


“True, GovPayNet issued a statement saying that there isn’t any evidence of unauthorized access … except, when you consider how the vulnerability was discovered,” Mayfield wrote via email. “The very act of changing the URL to display receipts that are not yours is itself unauthorized access. Furthermore, if I know your name, address, phone number, and the service or charge for which you have a receipt, I have enormous detail about you personally. I may not use this data to set up fake accounts or steal your identity, but I don’t need to. I have those details locked away in another data set I retrieved from the dark web.”

Nishant Kaushik, CTO of Uniken, a cybersecurity company headquartered in New York, said the GovPayNow leak was yet “another reason to stop relying on personal information as part of your security processes.”

“While it may be technically true that the receipts ‘do not contain information that can be used to initiate a financial transaction,’ the most common usage of this kind of leaked data is to take over access to online accounts, either through the call center or through password reset processes, and then use the taken over account to commit financial fraud,” Kaushik wrote via email. “Organizations need to switch to more secure omnichannel authentication mechanisms that do not rely on PII to mitigate the threat of data breaches.”

Terry Ray, CTO of Imperva, noted the GovPayNow website “has a PCI DSS stamp” indicating that the service completed at least one PCI audit.

“These audits are supposed to verify that companies taking and storing credit card information perform routine code and vulnerability reviews on their applications. This particular problem would not likely have presented as a vulnerability in most cases, but should have presented under poor coding practices,” Ray wrote via email. “Website usage or attacks of this type, whichever you prefer to call the situation, are avoidable whether it be through rewriting the code or the more common use of modern web application firewalls that validate cookies and prevent input injections and URL tampering.”

Jake Olcott, vice president of strategic partnerships at BitSight Technologies, a security rating company based in Cambridge, Mass., said government agencies across the country “must address cyber risks to their vendors.”

“Agencies rely on hundreds, if not thousands of vendors — like GovPayNow — to provide critical services, maintain sensitive citizen data, and perform key functions,” Olcott wrote via email. “While agencies are spending significant amounts of money protecting themselves, they often fail to ask even the most basic cybersecurity questions of their vendors. The bad guys know this and are now shifting their attacks to the supply chain.”

For Sale – Apple-Wireless-Keyboard-A1314 £30

Keyboard arrived, excellent packaging. Tested, and is in perfect working order with my MacBook Air.

Also tested with my Win10 PC and worked perfectly with it. Doesn’t work with setting BIOS (of course, no bluetooth-only keyboard will) but works fine for login, waking up PC from sleep / hibernate etc.

For future reference, this is the A1314 (2 battery) 4th-generation model (with Expose / Mission Control keys) that works fine with Win10. My old keyboard was the A1255, which doesn’t play with Win10.

Pleasure dealing with Karma12, thanks for the sale.

Sumo Logic breaks security data silos with cloud SIEM

Enhanced cloud SIEM analytics in Sumo Logic’s enterprise machine data analytics platform aim to serve up security watchdog capabilities for both line-of-business and DevOps users.

The addition of cloud security information and event management (SIEM) analytics capabilities to Sumo Logic’s machine data analysis platform will enable security engineers and non-IT users to detect and investigate threats throughout the application lifecycle.

The cloud-native Sumo Logic machine data analytics platform automates log event data collection and transaction analysis of infrastructure and production applications. This data helps businesses identify performance, business process and user experience issues.

Jeremy Proffitt, senior site reliability engineer for LendingTree, an online loan marketplace in Charlotte, N.C., said he spends half of his workday checking application and infrastructure status on Sumo Logic machine data analytics dashboards.

“With cloud SIEM on the platform, I can bring security information from multiple places together with the operational data we’re already monitoring,” Proffitt said at last week’s Illuminate user conference in Burlingame, Calif. “The result will be earlier identification and repair of security flaws.”

Cloud SIEM topples security data silos

Traditional server-based SIEM systems and cloud SIEMs offer similar functionality around consumption of alerts and log data, analytics and reporting, but on-premises SIEMs can make it difficult to relate security events to operational events and activities across the IT environment, said Eric Ogren, security analyst for 451 Research. With on-demand cloud SIEM services available as a machine data platform, users receive security data and notifications from a multipurpose dashboard, rather than from a separate, siloed SIEM system.


“There’s an increased awareness that visibility into operational data can point security and security analytics in a more economical and organizationally cohesive direction,” he said.

SIEM analytics and security performance analysis are expensive on premises, Ogren said. Cloud SIEM offerings remove in-house server deployment and maintenance costs and licensing fees, and they improve scalability and access to compute resources for analytics.

Cloud SIEM fills a security gap caused by the use of containers, microservices and serverless functions, which can be deployed, used and taken down before any on-premises log files or SIEM system knows about them. Ogren said he sees cloud SIEM as a more flexible platform than on premises for security oversight of these short-lived deployments.

Many SIEM vendors offer cloud versions, including Splunk, IBM, Micro Focus, LogRhythm, Securonix, Seceon and AlienVault, Ogren said.

Cloud SIEM reduces repetitive work


Sumo Logic’s cloud SIEM capabilities reduce or eliminate some repetitive manual tasks, such as query activities in application development and compliance monitoring, said Brad Segobiano, senior software engineer for call center technology provider Genesys in Daly City, Calif. About 65% of queries posed against Genesys’ Sumo Logic platform come from nonproduction environments, and 55% of those queries are spurred by developers, he said.

“Building out queries is time-consuming, but now we can use cloud-native SIEM to write one query and apply it just about anywhere and with anybody,” Segobiano said.

Sumo Logic’s cloud-native foundation facilitates cross-application queries and other activities, such as monitoring and alerts, across cloud platforms and applications. The company’s cloud SIEM service is integrated across cloud applications and platforms, as well as cloud security tools, such as AWS GuardDuty, Palo Alto Networks and Zscaler.

On the production side, Segobiano said he will use cloud SIEM to chain queries together to provide a storyline for security and do root cause analysis for outages and other scenarios.


For compliance, every host and server Genesys uses is prepackaged with the Sumo Logic platform and its compliance monitoring features, which helps the company deploy software faster, said Jarrod Sexton, Genesys’ manager of information security architecture. “We can let Sumo Logic do what it does in logging, ideation and other compliance work, and we can focus on building software,” he said.

Sumo Logic’s move into cloud SIEM follows a company survey of over 2,000 customers, in which it found one in four have implemented threat intelligence services, such as CrowdStrike and GuardDuty, and over 1,000 respondents have implemented AWS CloudTrail, a security audit service.
