More Records Exposed - Database Found on Google Cloud Server

This case is particularly unfortunate as it represents both the intense desires entities have for our personal information and likely the more concerning problem of lax security protocols.

This instance revolves around a Voter database of approximately 154 million records.  As anyone who does genealogy knows, voter databases are considered public records and offer a great deal of information to family researchers.  However, not all voter information is included in the published records. Most states have similar laws dictating the portion of the voter registration that is public vs private; below is a general list, if you'd like to know the specifics for your state go to your state's Secretary of State website, it should have a link to voter information.  Public information typically consists of your name, address, party affiliation and date of birth.  The original application, social security number, and driver's license number are not to be released.

Depending on where you live additional information might also be collected: Education, Gun Ownership, Marital Status to name a few.  We live in a world of data and the more data someone has on you the more targeted they can be with their advertising or more nefarious scams.

The database that has just been discovered also came with a lot of additional information not typically seen in voter databases, including Facebook profile URLs, information on children, and email addresses.

Chris Vickery / MacKeeper - Sample Database Screenshot

Chris Vickery / MacKeeper - Database Screenshot

The compromised database was discovered by security professional Chris Vickery.  From MacKeeper it is reported that when Mr. Vickery found the database "it was configured for public access with no username, password or other authentication required."  With further research Mr. Vickery was able to determine that the database was owned by data brokerage company L2.  L2 was very responsive when contacted and had the database taken down and secured.

Bruce Willsie of L2 sent Mr. Vickery the following response: "Thank you for finding this and thank you for giving us the opportunity to respond.  We very quickly identified the national client, informed them immediately and they took down the site as quickly as they could.  The client told us that they were hacked, the firewall was taken down and then the probing began.  This was an old copy (from about a year ago) of the national file and it had only a very small number of our standard fields.  Needless to say, the client is doing its own research now to determine the extent of the incursion.  I’ve asked that they report back to us with their findings and their plan for hardening their system in the future.  It’s unfortunate and, again, we greatly appreciate your discovery of the problem."

While steps are being taken to rectify the open database, it cannot be under emphasized the damage that may have already been done by this database being open to the public.

As a part of his research Mr. Vickery also queried the server's log file.  What he discovered is very concerning considering the nature of the information contained in the database. On April 11th of this year the server logged a Serbian IP address, 89.216.31.2.  Serbian IP addresses are under RIPE jurisdiction and querying RIPE lists this IP address as "Fixed IP for cable modem customers".  What the person did when accessing the database are either unknown or not being released. Copying the full database for sale on the black market, would be the worst case scenario, but is also most likely what occurred.

As individual's value lies in the data collected on them, there is a good chance someone no one wants having information on them, now knows a great deal more than they should!

Read more...

The Hits Keep Coming To Apple's iOS

  • Published in Apps

iPadAnother bit of malware, named WireLurker, has been discovered targeting iPhones and iPads.

iPhone and iPads are infected when the device is connected through USB to a Mac computer where an infected OS X app has been downloaded. The source of the infection is reported to be third-party OS X apps in the Maiyadi App Store in China.  For the time being most of the reports of infection are located in China.  Apple devices are at risk whether they've been jailbroken or not.

Security firm Palo Alto Networks researcher Claud Xiao has said this "heralds a new era in malware attacking Apple's desktop and mobile platform" and is "the biggest in scale we have ever seen."

The larger the Apple market share, the more attractive Apple becomes as a target for cyber criminals.

Palo Alto Networks says the infected WireLurker app has been downloaded over 356,000 times to OS X computers, how many of those computers have attached via USB to an iPhone or iPad is unclear.  Once infected the malware has the capability of stealing "a variety of information" from the mobile device.

The recommendation is the same for iOS or Android, don't download from third-party app stores.

If nothing else, this malware is a proof of concept for malware / virus developers that Apple devices are not impenetrable.

Read more...

Operation Pawn Storm - Social Engineering Leaves Everyone Vulnerable to Cyber Attacks

  • Published in Security

If you've ever felt angry, irritated or upset at yourself for falling for some cleverly worded email and clicking on the attachment thereby infecting your computer or your company's network with something awful, you're not alone!

The point of social engineering is both to get around standard network security setups and to dupe individuals at all levels into opening that email attachment or entering their credentials into that look-alike site.

Operation Pawn Storm is a study done by TrendMicro into "economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies."  Looking at the list of targets it's clear that this is a group with heightened security concerns and those most of us would imagine are well equipped to fend off cyber-attacks, but the reality is they are just as susceptible to a cleverly worded email as the rest of us.  And no amount of available money put into network infrastructure can full mitigate human error.

Included in the study as targets are ACADEMI - defense contractor formerly known as Blackwater, SAIC, the Organization for Security and Co-operation in Europe, the Ministry of Defense in France, broadcasting companies, Ministry of Defense in Hungary, Polish government employees, United States Department of State and the Vatican Embassy in Iraq.

So how were these individuals tricked?  The simple answer is exact same way the attackers trick everyone else.  Spear-phishing schemes, carefully worded emails, and slightly changed / redirected domains.

Examples from Trend Micros report:

The Ministry of Defense in Hungary was tricked using an upcoming Exhibition / Conference.  The attackers purchased a domain similar to the actual conference and created a similar website then sent out targeted emails to those who could be expected to attend from Hungary.

  • Real conference domain - eurosatory.com
  • Malicious conference domain - eursatory2014.com

Similar to the Hungarian Defense Ministry, SAIC was the target of a spoofed conference website.  In this case it was for the "Future Forces 2014" conference and the intent was to trick email recipients into providing their webmail credentials.

  • Real conference domain - natoexhibition.org
  • Malicious conference domain - natoexhibitionff14.com

Additionally the attackers are using malicious attachments to install malware on unsuspecting victims computers.  This is exactly what they do to users not in heightened security industries, only in these cases the attachments tend to be more specific to get the intended victim to open them.

Whereas many people receive and unfortunately open attachments that say "Undeliverable USPS Parcel Shipping Details" those in who work for more security entrenched targets are more specifically targeted with documents they won't suspect as being malicious:

Military official in Pakistan received a Word document claiming to relate to the Homeland Security Summit in the Middle East.

Polish government employees received a document related to the shooting down of flight MH17 over Ukraine. Military officials in multiple countries received an Excel attachment posing as a list of journalists accredited at the APEC Summit 2013.

From Operation Pawn Storm - A Trend Micro Research Paper

Vatican Embassy in Iraq received a Word document claiming to be about a bombing the day before.

It's not USPS package that wasn't deliverable, it's specific, relevant information to the targeted recipient.

From these examples you can see how social engineering works across all spectrums and cyber criminals have become adept at exact targeting of their victims to get the desired information or result from the attack.

Read more...

The New And Improved CryptoWall 2.0

  • Published in Backups

Albeit improved in all the wrong ways.  

CryptoWall 2.0 is ransomware that falls into the same category as CryptoLocker, CryptorBit, TorrentLocker, the original CryptoWall, etc.  As one would expect with anything labeled 2.0 there have been improvements made to the original CryptoWall, in this case making it all the more insidious.

The original CryptoWall has made plenty of trouble for network administrators, encrypting local data and any data found across network shares.  There had been some loopholes network admins were using to recover the files without paying the ransom, including using data recovery to recover the original unencrypted files that CryptoWall had deleted.  However, with CryptoWall 2.0 the malware developers have made changes to make things harder on their victims.

(It's terrible, calling them developers as it almost gives them professional legitimacy. Admittedly they do consider this their job and as I've discussed before it is a very profitable endeavor.)

Changes included in CryptoWall 2.0 include unique wallet IDs for each victim to send ransom payments to, use of their TOR gateway, secure deletion of original [now] encrypted files, and a pretty handy FAQ / set of Instructions, which both covers what has happened to your computer and how to fix the problem.  Interestingly the Instructions make it sound like these guys are hear to help and not like they are the ones who caused the problem in the first place.

Here is a Bleeping Computer image of the Instructions.  Click here to read the full article on Bleeping Computer.Image from Bleeping Computer  

Always the recommended option for businesses is having a True Enterprise Backup, which allows for multiple copies your backed up material to be stored.  For many this has meant that yes the backup that happened last night was just a backup of the encrypted files, but the previous version from 3 nights ago is unencrypted.

Read more...

The Trouble With PastaLeads

Pasta.Leads PastaLeads is one of the most annoying Adware out there.  This isn't the kind of infection that just slows down your computer, this nasty piece of Adware creates a Windows service that constantly runs in the background and as if that weren't bad enough if also configures your web browser to use a proxy server.

What does that mean for my computer?  PastaLeads generates leads typically for outbound sales companies, for instance let's say you need auto insurance so you do a search.  Suddenly a window pops up with a form where you enter your information and then the program will send that "lead" to auto insurance sales people who will contact you.

Wait, you say, that seems helpful, not harmful.  As helpful as this program seems the problems caused are two-fold, first you will be inundated in pop-up advertisements, all kinds of insurance, tech support (which are often scams that will try and get you to spend a fortune for a non-existent problem, see this article for more details), home cleaning services, lawn care, etc.  Second any information you enter, consider what you enter whenever applying for any kind of insurance, is immediately shipped off to unknown 3rd parties to use for marketing or other more nefarious purposes.

 PastaLead

How does your computer end up with PastaLeads or PastaQuotes installed?  This is one of those infections that piggy backs on top of free software you download and install off of the Internet.  Remember the old adage, "There's no such thing as a free lunch", there's also no such thing as free software off the Internet.

It is very important you pay attention when installing any software onto your computer!  Sure it looks easy to just click through and select the Recommended install when you get to the screen that has installation choices like "Standard (Recommended)" or "Custom" sometimes also "Advanced", but if you want to know what 3rd party crud is being installed along with your software you should typically choose Custom or Advanced as that will often allow you to opt out.

Additionally when you read the license agreement (yes you should read it) or the installation screens and you find them telling you that they will be installing a toolbar or other addon along with the desired software now would be the time to cancel the install and go find another option.

Or more generally speaking simply avoiding "free" software is the best way to go, because if that free software includes something you have to pay a computer company to remove, then it really wasn't free in the first place. PastaLeads-Pop-up-Ads                  

Read more...
Subscribe to this RSS feed

Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844

Email: info@tsis.net

Physical Address:

8755 Technology Way

Suite J

Reno, NV 89521

Log in or Sign up