At a glance.
- Domestic abuse emergency services app left data in an unsecured database.
- Clop ransomware users release data stolen from Indiabulls.
- FBI warns of an increase in ransomware attacks on schools.
- Privacy implications of social media breaches.
Well-intentioned emergency app left its S3 bucket open to the potentially ill-intentioned.
Researchers at vpnMentor have discovered another unsecured database, and this one is particularly nasty in its potential implications. A domestic violence prevention app, Aspire News App, was built with what appear to have been intelligent good intentions by a Georgia-based US not-for-profit called When Georgia Smiled. The idea was to provide emergency services for victims of domestic abuse. Those included not only a help section with links to various resources, but also a function that enabled users to send emergency distress messages to “a trusted contact person.”
The app looks like an ordinary news app, presumably the better to escape the notice of an abuser, should the abuser paw through the victim’s phone.
Among the ways that distress signal could be sent is a voice recording that gives the victim’s “details, home address, the nature of their emergency, and their current location.” Some 4,000 of those voice recordings were left accessible to the Internet on a misconfigured AWS S3 bucket.
TechCrunch independently verified the data exposure, and noted that When Georgia Smiled, the not-for-profit behind the Aspire News App, was founded, backed, and promoted by Robin McGraw and her husband “Dr. Phil” McGraw. When Georgia Smiled secured the S3 bucket on June 24th, the same day both vpnMentor and Amazon Web Services told them about it. Neither CBS nor the Dr. Phil Foundation responded to TechCrunch’s requests for comment.
How one would disclose this data exposure to users without further endangering them is a touchy question, because the usual forms of notification could easily place these users at risk. “Given the sensitivity of the data,” TechCrunch wrote, “we did not reach out to app users for fear that it would compromise their safety.” Instead they downloaded the app themselves, recorded a short snippet, and found that indeed it was out there in the cloud for those who might be looking to find it.
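The failure here is a bucket whose ACL, policy, or account-level settings let anonymous callers read objects. The following is an added example, not code from vpnMentor, TechCrunch, or the app's developers: it evaluates a bucket's ACL grants, bucket policy and PublicAccessBlockConfiguration (the real shapes returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls) offline, on constructed sample values, and shows that turning on all four Block Public Access settings neutralises the sloppy ACL and policy.

```python
import json

# Real AWS group URIs; a grant to either makes objects readable by anyone (AllUsers)
# or by any AWS account holder (AuthenticatedUsers), which is effectively public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_permissions(acl):
    """Permissions an ACL (GetBucketAcl response shape) grants to everyone."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def _anyone(principal):
    """True when a policy Principal matches any caller, e.g. "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def policy_public_sids(policy_doc):
    """Sids of Allow statements open to anyone. Statements with a Condition are
    still reported: a Condition narrows access but needs review, not blind trust."""
    stmts = json.loads(policy_doc).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _anyone(s.get("Principal"))]

def assess_bucket(acl, policy_doc, bpa):
    """bpa is a PublicAccessBlockConfiguration dict. With all four settings True,
    S3 ignores public ACLs and refuses/restricts public policies, so the bucket is
    not reachable anonymously even when the ACL or policy is wrong."""
    blocked = all(bpa.get(k, False) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    acl_hits, policy_hits = acl_public_permissions(acl), policy_public_sids(policy_doc)
    return {"acl": acl_hits, "policy": policy_hits, "block_public_access": blocked,
            "public": not blocked and bool(acl_hits or policy_hits)}

# Constructed sample: the kind of configuration that leaves recordings world-readable.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-recordings/*"}]})
WEAK_BPA = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
HARDENED_BPA = {k: True for k in WEAK_BPA}  # the fix: block public access at bucket level

if __name__ == "__main__":
    print(assess_bucket(WEAK_ACL, WEAK_POLICY, WEAK_BPA))      # public: True
    print(assess_bucket(WEAK_ACL, WEAK_POLICY, HARDENED_BPA))  # public: False
```

Feeding the same functions the live responses from boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` turns this into a quick audit across an account.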
Indiabulls hackers make good on their threat to leak stolen data.
The extortionists who compromised Indiabulls have made good on their threat to begin releasing data if the company didn't pay the ransom. The Hindustan Times reports that the first tranche of company information has been leaked. The information in that dump included a fair amount of sensitive personal data, including "scans of customers’ KYC (know your customer) documents, Aadhaar cards, voter ID, PAN cards and passports, employees’ official ID details and phone numbers, and private keys and certificates that can enable access to the IndiaBulls Group banks’ digital services." The attack was a ransomware hit; the crooks used the Clop strain to encrypt and steal the files. Security firm Cyble has an account of the incident on their blog.
FBI warns that ransomware attacks against primary and secondary schools have increased.
ZDNet has obtained a copy of a Private Industry Notification in which the US Federal Bureau of Investigation warns schools that "cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic because they represent an opportunistic target as more of these institutions transition to distance learning." Thus schools, many of which were poorly protected to begin with, now face the same stresses of COVID-19 remote work that have exposed businesses and government agencies to novel attack vectors. As the FBI puts it, "K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks." And ransomware attacks should now routinely be treated as tantamount to data breaches, with all the attendant implications for data privacy.
Comment on the Preen.Me breach.
The Preen.Me breach, that influencer-centric but sadly widespread privacy incident, prompts an essayist in Forbes to lament that there's not enough privacy in social media. People want their privacy there, but it too often exceeds their grasp. We heard about the consequences of incidents like the one at Preen.Me from James MacQuiggan, Security Awareness Advocate at KnowBe4. He commented:
"While people generally focus on breaches that involve passwords, credit card numbers, or other financial details, breaches of this magnitude that compromise a significant amount of personal information cannot be ignored.
"It is important to understand that not only was the information about the individual stolen, but other data such as Facebook friend lists and additional data that could even put others at risk. Given the volume of information lost here, it is important that the organization contact victims as soon as possible and that they provide a statement about the breach, something they have not done yet.
"The practice of doxing, or releasing personal information about people's addresses, phone numbers or even employers, has long been looked upon as a grievous offence in the cybersecurity community due to the potential impact [...] on the victims. This breach has released the same information about hundreds of thousands of victims who also are now at risk.
"The 253,051 records that contain information such as Facebook account names and associated friend lists are a gold mine for social engineers. This information can be used to create fake lookalike accounts that can then be used to attack these friends. It is not uncommon to see these attacks used, often through a friend request or a message request that makes the user believe they are speaking to the real person, to spread malware or perpetrate other scams.
"These victims of the breach should be very vigilant toward future emails, text messages and phone calls, as these are prime attack techniques for this type of information."