At a glance.
- Report: possible Instacart compromise.
- Permissions changed at GEDmatch DNA profile database.
- CouchSurfing user data for sale.
- Update on Twitter DM compromises.
- Cryptomining as a threat to privacy.
- Concern for personal privacy outstrips concern for the health of the business.
Instacart data compromised?
Data on an unknown but potentially very large number of Instacart grocery-delivery service users (nearly 300,000) has allegedly turned up for sale in dark web souks, BuzzFeed says. Instacart denies that it sustained a breach or a data exposure incident, but BuzzFeed says that the data seen online include names, credit card data, addresses, and information on transactions. The story is still developing, and the possibility that the sellers are offering fraudulent as opposed to genuine Instacart data cannot be ruled out.
GEDmatch DNA profile data briefly exposed.
In an apparent hacking incident, GEDmatch lost control of its DNA profile database when unknown parties changed permissions. The exposure lasted two days, TechCrunch reports, during which the records were accessible to search by law enforcement agencies. GEDmatch is designed to help people find genealogical information and trace their family tree. GEDmatch does let users opt in to police use of their information, but in this case it was the unknown hackers who granted that permission across the board. Data accessed from GEDmatch may, BuzzFeed reports, have been used in a credential-stuffing attempt on rival genealogical site MyHeritage.
Data breach at CouchSurfing.
ZDNet reports that data belonging to some seventeen million users of CouchSurfing, an online service that enables people to find free lodgings, have appeared for sale in dark net souks. The sale began to be advertised in private Telegram channels last week. The data are now being sold in various higher-profile criminal fora, including RAID. The sellers claim to have obtained the information last month.
The data appear to include "user IDs, real names, email addresses, and CouchSurfing account settings." No passwords are being advertised, which reduces the value of the information on offer, but ZDNet notes that it's not yet clear if the criminals don't have passwords, or if they're simply reserving them for later sale or their own subsequent use. CouchSurfing is said to be working with a security firm and law enforcement to respond to the breach.
It's not clear how the attackers accomplished the breach. Javvad Malik, Security Awareness Advocate at KnowBe4, emailed these comments:
"Organisations need to have layered controls - this means having security controls that make it difficult for attackers to gain access, as well as having detection and response controls that can help identify and respond to any attacks that are successful so that remedial actions can be taken in a quick manner. Along with technical controls, this means having good procedures in place, as well as providing security awareness and training to all employees so that they act as an extension to the security team in helping defend and detect attacks."
Twitter Direct Messages compromised for up to thirty-six targeted users.
Twitter has updated its account of last week’s account hijacking incident: “We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed.” Tripwire thinks the Dutch elected official was Geert Wilders, who confirmed to Yahoo that he was indeed the one affected. He’s now regained control of his account.
KrebsOnSecurity believes at least two of the New York Times’ sources in last week’s story on those responsible for the Twitter hack weren’t the more-or-less innocent collectors of original gangster usernames, but were themselves active resellers in the underground OG black market.
Monero mining as a threat to privacy.
Security researchers at Cisco Talos describe the low-key, unobtrusive workings of the Prometei botnet, quietly mining Monero since this March. Prometei is unlikely to escape the notice of defenders who are on the watch for the kind of activity it exhibits, but the researchers think that most end-users probably wouldn’t be aware of an attack. Prometei exhibits several features of the MITRE ATT&CK framework, “most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1036 (Masquerading) and T1090 (Connection Proxy).”
The botnet’s harvesting and validation of credentials, which it uses primarily to move laterally across networks, represent a threat to privacy. Stolen credentials have considerable value in the criminal-to-criminal market, and that might well be more of a threat than the degraded performance cryptojacking usually induces in victim devices.
Concerns about personal privacy run higher than concern for the health of the business.
PwC has published the results of a survey it took a week and a half ago to assess the state of cybersecurity awareness in businesses. The results showed that the leaders’ perceptions differed significantly from those of the led.
“The communication and training they offer on cybersecurity and cyber acumen aren’t resonating with employees,” the PwC survey concludes. It goes on to say that “Most workers have little awareness of how their employers are protecting them or their company from hackers, ransomware, phishing or other attacks. In some cases, employees are even flouting security rules by downloading unsecure apps or sharing their work device with family members.”
Among other recommendations, the report suggests that companies stress the personal implications of security to their employees. That is, don’t tell them about how a data breach could hurt the business. Instead, tell them how it could hurt them through identity theft.