Unprotected Firebase databases leaked over 100 million records

Thousands of mobile applications are leaking personally identifiable information from unprotected Firebase databases.

According to research from application security company Appthority, 3,000 mobile iOS and Android apps are leaking 100 million exposed records of user data. The records include 2.6 million plain text passwords and user IDs, at least 4 million records with protected health information (PHI), 25 million GPS location records, 50 thousand financial records, and at least 4.5 million Facebook, LinkedIn, Firebase and corporate datastore user tokens.

These exposures happen “when app developers fail to require authentication to a Google Firebase cloud database,” according to the report from Appthority, which also notes that Firebase is one of the 10 most popular datastores for mobile apps with over 53,000 apps using it in 2017.

“The challenge for app developers is that Firebase does not provide adequate security capabilities out of the box. The only security feature available to developers is authentication and rule-based authorization,” Appthority explained in its report. “However, Firebase does not secure user data by default nor are third-party tools available to provide encryption for it.”

The report also noted that it would be easy for hackers to find unprotected Firebase databases and gain access to private data records.

“The result is a trove of data that is open to the public internet unless the developer explicitly imposes user authentication on each individual table or directory,” Appthority explained in the report. “Even when developers do implement authentication, they may not secure every database table.”
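The per-table authentication Appthority describes corresponds to a Firebase Realtime Database rules file. The following is an added illustration written for this page, not code from Appthority or from the Firebase documentation; the path names `users` and `health_records` are assumed, and the rules language's support for `//` comments is relied on.

```jsonc
{
  // Weak configuration that produces the exposures described above:
  // a single root-level grant cascades to every child path, so the
  // whole datastore is readable and writable by anyone on the internet.
  //
  //   "rules": { ".read": true, ".write": true }
  //
  // Corrected configuration: no root-level grant at all. Rules cascade
  // downward only, and any path without a matching rule is denied by
  // default, so every table must be opened explicitly and only to the
  // authenticated user who owns the record.
  "rules": {
    "users": {
      "$uid": {
        // auth is null for unauthenticated requests; auth.uid is set
        // by Firebase Authentication and cannot be spoofed by the client.
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "health_records": {
      "$uid": {
        // PHI gets its own rule; a table that is simply omitted here
        // would still be denied, which is the safe failure mode.
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid && newData.hasChildren(['updated_at'])"
      }
    }
    // Any other top-level path (e.g. one added later by a developer who
    // forgets to write a rule for it) has no rule and is therefore denied.
  }
}
```

A quick check for the weak state is to request `https://<project-id>.firebaseio.com/.json` while signed out: with the corrected rules it returns a permission-denied error rather than the entire database.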

As a result, the Appthority researchers found that over 113 GB of data has been exposed through the 3,000 apps. They also found that 62% of enterprises are using at least one vulnerable app, spanning a variety of industries across the globe including banking, telecoms, postal services, ride sharing companies, hospitality and education. The apps that leaked the most data were health and fitness apps.

“Medical information can be worth ten times more than credit card numbers on the deep web,” the report said. “Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers.”


Appthority said it notified Google of this issue with apps hosted on unprotected Firebase databases, but Seth Hardy, Appthority’s director of security research, doesn’t think the blame falls entirely to Google — despite Google not making the security features that would prevent these leaks set to default.

“They’re not directly responsible,” he told SearchSecurity. “When you make a tool and try to make it easy to use, then you’re probably not going to want to add that setting by default.”

Hardy noted that it’s also not the responsibility of the user to make sure the apps are secure.

“It’s definitely a developer issue,” he said. “It’s misconfiguration and mismanagement of the backend infrastructure opening up these vulnerabilities.”

The solution, according to Hardy, lies with the developers.

“It’s really just a matter of trying to educate developers in general about secure coding practices, making sure that they’re implemented in all parts of the software development lifecycle and giving users and enterprises the tools to verify whether these apps are implementing proper security controls on their data.”

A DHS data breach exposed PII of over 250,000 people

A data breach at the U.S. Department of Homeland Security exposed the personally identifiable information of over 250,000 federal government employees, as well as an unspecified number of people connected with DHS investigations.

DHS released a statement Jan. 3, 2018, that confirmed the exposure of “approximately 246,167” federal government employees who worked directly for DHS in 2014. It also disclosed the breach of a database for the Office of Inspector General that contained the personally identifiable information (PII) of any person — not necessarily employed by the federal government — who was associated with OIG investigations from 2002 to 2014. This includes subjects, witnesses and complainants.

In its statement, the department emphasized the DHS data breach was not caused by a cyberattack and referred to it as a “privacy incident.”

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized [sic] transfer of data,” DHS said.

The DHS data breach was initially found in May 2017 during a separate, ongoing DHS OIG criminal investigation in which it was discovered that a former DHS employee had an unauthorized copy of the department’s case management system.

However, individuals affected by the DHS data breach weren’t notified until Jan. 3, 2018. In its statement, DHS addressed why the notification process took so long.

“The investigation was complex given its close connection to an ongoing criminal investigation,” the department said. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

The DHS employee data breach exposed PII that included names, Social Security numbers, dates of birth, positions, grades and duty stations of DHS employees; the DHS investigative data breach exposed names, Social Security numbers, dates of birth, alien registration numbers, email addresses, phone numbers, addresses and other personal information that was provided to the OIG during investigative interviews with its agents.

DHS is offering free identity protection and credit-monitoring services for 18 months to affected individuals. The department said it has also taken steps to improve its network security going forward, including “placing additional limitations on which individuals have back end IT access to the case management system; implementing additional network controls to better identify unusual access patterns by authorized users; and performing a 360-degree review of DHS OIG’s development practices related to the case management system.”

While the affected government employees were notified directly about the breach, DHS stated, “Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data.”

DHS urged anyone associated with a DHS OIG investigation between 2002 and 2014 to contact AllClear ID, the Austin, Texas, breach response service retained by DHS to provide credit-monitoring and identity protection services to affected individuals.

In other news:

  • A group of senators has introduced a bill to secure U.S. elections. The Secure Elections Act is a bipartisan bill that aims to provide federal standards for election security. One measure proposed in the bill is to eliminate the use of paperless voting machines, which are regarded by election security experts as the least secure type of voting machine in use today. Paperless voting machines don’t allow for audits, which the proposed legislation also wants to make a standard practice in all elections. The idea is that audits after every election will deter foreign meddling in American democracy like Russia’s interference in the 2016 U.S. presidential election. “An attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions,” the bill states. The bill was sponsored by Sen. James Lankford (R-Okla.) and co-sponsors Sens. Amy Klobuchar (D-Minn.), Lindsey Graham (R-S.C.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Martin Heinrich (D-N.M.).
  • Attackers exploited a vulnerability in Google Apps Script to automatically download malware onto a victim’s system through Google Drive. Discovered by researchers at Proofpoint, the vulnerability in the app development platform enabled social-engineering attacks that tricked victims into clicking on malicious links that triggered the malware download on their computer. The researchers also found the exploit could happen without any user interaction. Google has taken steps to fix the flaw by blocking installable and simple triggers, but the researchers at Proofpoint said there are bigger issues at work. The proof of concept for this exploit “demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years,” the research team said in a blog post. “Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.” The researchers went on to note that, in order to combat this threat, “organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.”
  • The United States federal government is nearing its deadline to implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) tool. In October 2016, the DHS announced it would mandate the use of DMARC and HTTPS in all departments and agencies that use .gov domains. DHS gave those departments and agencies a 90-day deadline to implement DMARC and HTTPS, which means the Jan. 15, 2018, deadline is fast approaching. According to security company Agari, as of mid-December, 47% of federal government domains were using DMARC, compared to 34% the month before. The mandate also requires federal agencies to move to the strongest DMARC setting, “reject,” within a year. This means emails that fail authentication tests will be less likely to make it to government inboxes — i.e., they will be rejected. Agari reported a 24% increase in the use of higher “reject” settings in the last month. On the flip side, Agari noted that most agency domains (84%) are still unprotected, with no DMARC policy.

Wanted – High-spec 13″ – 15” laptop

Sorry mate, but £1,000 is the max I can stretch to at the moment…

Also, cheers for the offer to drop it off personally but I’m probably going to be up around London at the end of December and was looking to get a replacement laptop sooner, as this thing I’m working on is literally falling apart in my hands lol.

Not sure how you feel about posting it at £1,000 inc P&P?
