At a glance.
- Marketing databases and intelligence collection.
- Privacy implications of the Twitter hack.
- Online learning platforms leak.
The power of commercial marketing databases.
Researchers at Mississippi State University have shown, the Wall Street Journal reports, the relative ease with which devices can be geospatially tracked through common, commercially available databases. The study is interesting because of the devices it chose to track: Russian cellphones in and around Moscow and a missile test site in northern Russia where there’d been some indications that an accident had occurred. The results indicate, the Journal says, the value such open commercial tools can have for intelligence collection.
Privacy implications of the Twitter hack.
Some personal data were taken during last week's Twitter hack, according to the Wall Street Journal. The hackers were able to change the passwords on forty-five of the accounts they compromised, which of course opened the possibility that they may have been able to access personal information. Up to eight of the one-hundred-thirty accounts affected are known to have suffered loss of personal information. Twitter's own Saturday update on the incident said in part:
"The most important question for people who use Twitter is likely — did the attackers see any of my private information? For the vast majority of people, we believe the answer is, no. For the 130 accounts that were targeted, here is what we know as of today.
- "Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
- "Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
- "In cases where an account was taken over by the attacker, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing.
"We are actively working on communicating directly with the account-holders that were impacted."
So, a small number of people were affected, but the successful "social engineering" (Twitter has offered little in the way of details on what this amounted to, and how it was accomplished) that gained the hackers access to internal Twitter administrative tools has been disturbing.
The Journal draws several lessons for personal privacy from the incident. Multifactor authentication remains important, but it won't do users much good if an entire social platform is effectively hacked. End-to-end encryption would have kept direct messages out of the hands of hackers even as comprehensively successful as these were, but Twitter's DMs haven't got it (both iMessage and WhatsApp do, so implementing it isn't an impossibility).
Online educational records leaked.
The problem again was a set of misconfigured AWS S3 buckets or Elasticsearch servers, WizCase reports. Five distinct e-learning services were affected:
- Escola Digital (Brazil), a provider of online courses, exposed 75,000 student and teacher records: full names, email addresses, Brazilian ID numbers, school names, position, phone numbers, home addresses, and links to certificates of completion.
- MyTopDog (South Africa), a study platform for children, exposed over 800,000 records, many of them containing PII held in Excel and CSV spreadsheets.
- Okoo (Kazakhstan), also an online learning platform for younger students, exposed almost a million entries about user activity and associated analytics. 7200 records held PII. This exposure was an outlier: it involved an Elasticsearch server as opposed to an AWS S3 bucket.
- Square Panda (US), a phonics learning system, exposed about 15,000 parents' and teachers' information.
- Playground Sessions (US), a provider of virtual piano lessons, exposed roughly 4100 user records, including some PII.
The potential consequences are the usual risks: identity theft, fraud, phishing, stalking, and extortion. We received some comment from industry experts on the data exposures. Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, noted that these incidents now occur "depressingly often." He thinks it's easy for organizations to overestimate their security, and he also thinks there's room for improvements in cloud configuration design: "It’s also not helpful that many cloud providers’ configuration interfaces are fairly inscrutable to beginners and it is easy to make mistakes unless you are well versed in each provider’s security configuration options."
Javvad Malik, Security Awareness Advocate at KnowBe4, wrote that cloud platforms are convenient and make a great deal of sense as schools move toward remote learning, but that it remains the responsibility of the school to ensure that they secure their data online with the right permissions.
Both Clements and Malik pointed out that in some ways children are particularly vulnerable to identity theft. "In many cases it is easier to open fake accounts with children’s information," Clements said, "as they are far less likely to be monitored by their parents and the data itself will have a much longer lifetime than that of say, a retirees' community." Malik observed that the impact of the theft of a child's data "may only be realized many years down the line when those students try to apply for a loan or have financial difficulties."