More Records Exposed - Database Found on Google Cloud Server

This case is particularly unfortunate as it represents both the intense desires entities have for our personal information and likely the more concerning problem of lax security protocols.

This instance revolves around a Voter database of approximately 154 million records.  As anyone who does genealogy knows, voter databases are considered public records and offer a great deal of information to family researchers.  However, not all voter information is included in the published records. Most states have similar laws dictating the portion of the voter registration that is public vs private; below is a general list, if you'd like to know the specifics for your state go to your state's Secretary of State website, it should have a link to voter information.  Public information typically consists of your name, address, party affiliation and date of birth.  The original application, social security number, and driver's license number are not to be released.

Depending on where you live additional information might also be collected: Education, Gun Ownership, Marital Status to name a few.  We live in a world of data and the more data someone has on you the more targeted they can be with their advertising or more nefarious scams.

The database that has just been discovered also came with a lot of additional information not typically seen in voter databases, including Facebook profile URLs, information on children, and email addresses.

Chris Vickery / MacKeeper - Sample Database Screenshot

Chris Vickery / MacKeeper - Database Screenshot

The compromised database was discovered by security professional Chris Vickery.  From MacKeeper it is reported that when Mr. Vickery found the database "it was configured for public access with no username, password or other authentication required."  With further research Mr. Vickery was able to determine that the database was owned by data brokerage company L2.  L2 was very responsive when contacted and had the database taken down and secured.

Bruce Willsie of L2 sent Mr. Vickery the following response: "Thank you for finding this and thank you for giving us the opportunity to respond.  We very quickly identified the national client, informed them immediately and they took down the site as quickly as they could.  The client told us that they were hacked, the firewall was taken down and then the probing began.  This was an old copy (from about a year ago) of the national file and it had only a very small number of our standard fields.  Needless to say, the client is doing its own research now to determine the extent of the incursion.  I’ve asked that they report back to us with their findings and their plan for hardening their system in the future.  It’s unfortunate and, again, we greatly appreciate your discovery of the problem."

While steps are being taken to rectify the open database, it cannot be under emphasized the damage that may have already been done by this database being open to the public.

As a part of his research Mr. Vickery also queried the server's log file.  What he discovered is very concerning considering the nature of the information contained in the database. On April 11th of this year the server logged a Serbian IP address,  Serbian IP addresses are under RIPE jurisdiction and querying RIPE lists this IP address as "Fixed IP for cable modem customers".  What the person did when accessing the database are either unknown or not being released. Copying the full database for sale on the black market, would be the worst case scenario, but is also most likely what occurred.

As individual's value lies in the data collected on them, there is a good chance someone no one wants having information on them, now knows a great deal more than they should!


Diary Queen Hit By Same Malware That Hit Target and The UPS Stores

DGMalware, named Backoff, has been found on Dairy Queen Point of Sale computers in numerous states including Nevada.  The states with known infections are Alaska, Alabama, Arkansas, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Iowa, Idaho, Indiana, Illinois, Kansas, Kentucky, Massachusetts, Maryland, Maine, Michigan, Minnesota, Missouri, Mississippi, Montana, North Carolina, North Dakota, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, Wisconsin, West Virginia and Wyoming.

In case you're keeping count, that's only Hawaii, Rhode Island, Louisiana, and Vermont without known Backoff infections.  This does not mean that every Dairy Queen in these states has been infected, for instance there are only two locations with known infections in Nevada both in Las Vegas.  Click here for a full list of affected Dairy Queens.

Most Dairy Queen locations are independent franchises and at the time of the malware detection Dairy Queen did not have a policy requiring the independent franchises to notify Dairy Queen corporate of the breach.  It is likely after these incidents Dairy Queen will put this kind of policy in place.  As a result there may still be additional Dairy Queens that have the Backoff malware, but have not yet disclosed that information.

Julie Conroy of Aite Group told KrebsOnSecurity, "This goes back to the eternal challenge with all small merchants, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don't' think they are a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they're not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule."

Most people are familiar with the Target, UPS Store, or Supervalu breaches, either because you've received a replacement credit card in the mail or from news coverage, but how does this malware work and why are we continuing to see new infections and breaches?

First while we call it by a single name, Backoff has multiple variants, each new variant trying to make it so that Anti-Virus software won't detect and thereby block it.  Second is like Julie Conroy said often smaller companies don't believe themselves vulnerable to attacks like Backoff and either aren't running a quality anti-virus or aren't keeping their anti-virus up-to-date.

Either of those choices can have disastrous consequences.  Backoff infections are multiplying at an alarming rate, in July 2014 SC Info Security News Magazine reported that "Nearly 600 U.S. businesses compromised by 'Backoff' POS malware." by the end of August the Wall Street Journal reported, "More than 1,000 businesses affected by 'Backoff' malware."  If you count each Dairy Queen as a separate business, they account for over 400 infections alone.

Backoff is installed on Point of Sale terminals typically by attackers compromising remote access tools that allow users to connect to the computers via the Internet; often the compromise is as a result of the remote access account having too weak or an easy to guess password.

(See our article on password security.)

Once access is gained Backoff works as a simple backdoor Trojan that installs itself as a running service that initializes itself after startup, making it survive a reboot.  After it's installed Backoff opens port 80 and waits for instructions from the command and control server.  Backoff also cleverly hides itself by pretending to be an Adobe Flash Player update in the system registry.

What can small businesses do to protect themselves and their customers?  Most of it comes down to putting the right processes and protection in place and from there it's about network vigilance.  One giveaway, that someone monitoring your network should catch, would be port 80 being open; this would be unusual for a Point of Sale system unless a particular software required it, and in that case the person or company you have overseeing your network would keep note of any possible security concerns that could arise.

If you're in Northern Nevada and have questions or concerns about the vulnerability of your business's Point of Sale system give Top Speed Computer Service a call and we'll come out do an evaluation.  775-852-4333

Subscribe to this RSS feed

Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844


Physical Address:

800 South Meadows Parkway

Suite 600

Reno, NV 89521

Log in or Sign up