At a glance.
- Follow-up on reports of breaches at Cloudflare customers.
- Third-party privacy risk and an investment firm's data incident.
- Amateur athletics managed service exposes student athletes' data.
- Twitter's vulnerability to social engineering was apparently of long duration.
- Comments on the third-party breach at Dave.
Follow-up on Ukrainian reports of exposed databases.
SiliconAngle reports that service provider Cloudflare says the breach Ukrainian authorities disclosed over the weekend had nothing to do with Cloudflare, and that the company itself was not breached. Ukrainian authorities had made a point of saying that many of the affected companies were Cloudflare clients, but of course Cloudflare has a lot of clients. The National Security and Defense Council of Ukraine qualified its initial account, noting in particular that some of the stolen data it found came from older breaches, or, as it put it, “information on some resources is outdated.” But it continues to maintain that it has seen evidence of some sort of large-scale incident.
Cloudflare had this to say to HackRead: “[W]e have investigated in detail an alleged leak of DNS information concerning Cloudflare’s customers. The information posted on social media is not the result of a leak or breach of our systems. The published data is available through standard DNS queries on the open internet, rather than the result of a leak or breach.”
The company went on to add that, “Cloudflare provides different services to different customers. Some customers use us for security services. Some use us for performance services. Some customers make use of both. The published information reflects a small fraction of Cloudflare customers who either use Cloudflare only for DNS resolution or only for performing services and therefore have not configured Cloudflare to secure their origin server.”
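The distinction Cloudflare draws above (DNS-only customers whose records point straight at the origin, versus customers whose traffic is proxied through Cloudflare's edge) can be checked from the outside by comparing a zone's A records against Cloudflare's published edge prefixes. The following is an added example, not Cloudflare's code; it runs on constructed sample answers, and the prefix list is a subset copied from https://www.cloudflare.com/ips/ that is assumed to be current.

```python
"""Classify DNS A records as Cloudflare-proxied or origin-exposing.

Added example (not Cloudflare's code). Uses only the ipaddress stdlib
module on constructed sample answers; in practice, feed it the A/AAAA
answers from a resolver and refresh the prefix list from
https://www.cloudflare.com/ips/ before trusting a result.
"""
import ipaddress

# Subset of Cloudflare's published IPv4 edge prefixes (assumed current).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "104.16.0.0/13", "104.24.0.0/14", "108.162.192.0/18",
    "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address falls inside a Cloudflare edge prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(records: dict) -> dict:
    """Map each name to 'proxied' (every answer is a Cloudflare edge IP)
    or 'origin-exposed' (at least one answer points at the origin itself,
    which is the DNS-only situation Cloudflare describes)."""
    result = {}
    for name, answers in records.items():
        if answers and all(is_cloudflare_edge(a) for a in answers):
            result[name] = "proxied"
        else:
            result[name] = "origin-exposed"
    return result


# Constructed sample answers using documentation/reserved ranges; not real data.
SAMPLE = {
    "www.example-proxied.test": ["104.16.10.20", "104.16.11.20"],
    "api.example-dnsonly.test": ["203.0.113.45"],            # RFC 5737 range
    "mail.example-mixed.test": ["172.64.5.5", "198.51.100.7"],  # one origin IP
}

if __name__ == "__main__":
    for name, status in classify(SAMPLE).items():
        print(f"{name}: {status}")
```

A name classed as origin-exposed is exactly the case Cloudflare describes: the records are public, so nothing was leaked, but the origin server is reachable without passing through Cloudflare's security services.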
Third-party privacy risk to investment funds.
The Wall Street Journal reports that customer data were taken from SEI Investments when M.J. Brunner, developer of an investment dashboard used by SEI, was compromised and the information was lost. SEI says its own systems weren’t hacked.
This is another case of third-party risk, or perhaps nth-party risk. SEI Investments manages funds. Some of its own clients were Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners and Pacific Investment Management Company. They were all exposed to the breach at M.J. Brunner through their business relationship with SEI Investments. So the breach at Brunner affected data belonging to SEI, which in turn affected SEI’s clients.
Computing quotes ZeroHedge as ascribing the incident to a RagnarLocker ransomware attack. Brunner declined to pay the ransom, and RagnarLocker responded by dumping some 500 gigabytes of stolen information online. The data included usernames and passwords, as well as “SQL files with live client data.”
Patrick Hamilton, cybersecurity evangelist at security awareness training provider Lucy Security commented in an email, “Ransomware attacks are rarely predicated upon a vulnerability within a network. Nine times out of 10 these attacks are predicated upon the vulnerability of humans. Networks never assume trust but humans do. Humans trust names that they’ve seen before, shared vendors, common connections, and on and on. Humans are the real endpoints, access points, and lowered defenses. Train humans, reduce risk.”
FrontRush discloses a data exposure.
FrontRush, a provider of athletic recruiting and amateur athletic management software, disclosed that one of its AWS S3 buckets was left exposed to the Internet. It contained personally identifiable information. The data included “transcripts, injury reports, or athletic reports that were placed in the platform by the institutions.” Also in the bucket were attachments uploaded by student athletes (or prospective athletes) or their parents and guardians “in response to prompts in a recruitment questionnaire formulated and disseminated by the institutions.”
Twitter has been vulnerable for some time.
Twitter’s recent compromise and takeover of a large number of high-profile accounts seems to have been long in preparation. About fifteen hundred employees and contractors had the sort of access required to reassign accounts, and Bloomberg, which spoke with former Twitter employees, reports that it had been that way for some time. “The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries,” Bloomberg writes. Those inquiries “allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses, two of the former employees said.” The piece concludes that Twitter’s insider problems amounted to a known issue.
Follow-up: comment on the third-party incident affecting fintech unicorn Dave.
The breach that involved some seven-and-a-half-million users of Dave’s fintech services, claimed by the ShinyHunters and believed to have its origins in an attack on Waydev, a former partner of Dave’s, elicited some comment on how one might approach third-party risk management. Brenda Ferraro, vice-president of Third-Party Risk at Prevalent, says:
"Proactively, organizations’ third-party risk management programs should feature rigorous offboarding processes for partners they no longer do business with. One part of the offboarding plan should include customizable surveys and workflows that streamline information gathering regarding system access, data destruction, final payments and more for assurance that required contractual network and data security obligations are met.
"Reactively, there are solutions available that monitor criminal forums, dark web special access forums, threat feeds, hacker chatter and paste sites for leaked credentials that can spot activity sometimes even before the organization knows they’ve been breached. Seeing this activity and correlating it with a third-party’s response to their internal control and security assessment is a key point of validation to close the loop.
"Once the breach has happened, though, an organization will face potentially millions of dollars in recovery costs – everything from compliance fines to customer credit monitoring services – and can experience loss of customer trust and in this case a hit on their business valuation."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, offered these comments:
"The data breach of Dave’s customer information highlights the dangers of improper IT security vendor management. Failing to quantify the risk of granting 3rd parties access to sensitive data leads to lax controls and monitoring by many organizations. As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and have regular security testing or “ethical hacking” performed against their environment. The root cause of the breach at Waydev was a blind SQL injection attack that should have been caught by regular penetration tests and would have prevented this particular breach if remediated."