At a glance.
- Papua New Guinea's National Data Centre found to be insecure.
- Compromised data broker user accounts at the root of COVID-19 fraud campaign?
- Michigan State's online store sustains a card-skimming attack.
- Notes on Patch Tuesday.
Papua New Guinea's National Data Centre has security issues.
A report prepared at the request of Papua New Guinea’s National Cyber Security Centre by an investigator contracted by Australia’s Department of Foreign Affairs and Trade has concluded that Papua’s National Data Centre is insecure, Computing reports. Huawei built and staffed the National Data Centre in 2018. Computing’s account suggests careless implementation. The report read in part, "Core switches are not behind firewalls. This means remote access would not be detected by security settings within the appliances." The firewalls themselves were also a problem: they were beyond their 2016 end-of-life by the time the Centre came online. The Australian Financial Review is harshly direct in its assessment: the Centre was “built to spy,” the paper says, with the vulnerabilities constituting designed-in weaknesses. Personal data handled by the Centre are considered to be at risk.
COVID-19 fraud driven by stolen PII; data may have come from a breached data analytics company.
KrebsOnSecurity says that thieves engaged in identity theft as part of COVID-19 relief fraud appear to have accessed consumer data through compromised user accounts at a Florida-based data broker. Interactive Data LLC appears to be the company affected, and it did confirm to KrebsOnSecurity that "consumer records sampled from the fraud group’s shared communications indicates 'a handful' of authorized [Interactive Data] customer accounts had been compromised."
The criminal group involved is thought to be large, with "several hundred members," and to have succeeded in stealing some tens of millions in public funds from fraudulent US Small Business Administration loans and several states' unemployment insurance programs. The individual personal data accessed from Interactive Data appear to include Social Security number, date of birth, current and known past physical addresses, current and known past mobile and home telephone numbers, names of relatives and known associates, email addresses, "IP addresses and dates tied to the consumer's online activities," vehicle registration and property ownership, lines of credit (with dates they were opened), bankruptcies, liens, judgments, foreclosures and business affiliations.
Card-skimming at Michigan State's online store.
Michigan State University yesterday disclosed that it had sustained a data breach. In this case it was an online card-skimmer that hit the university’s store. Michigan State said, in a statement, that about 2600 shoppers who bought at the store between October 19th of last year and this past June 26th had their credit cards exposed. “The university began notifying all potentially affected individuals of the breach today,” the university said yesterday, adding that “It is offering them free credit monitoring and identity protection, and making recommendations to further protect their information from exposure.” The university’s security team has remediated the problem.
Patch Tuesday notes.
Adobe has fixed twenty-six vulnerabilities in Acrobat, Reader, and Lightroom, eleven of which are rated “critical.”
Citrix fixed five vulnerabilities that affect versions of Citrix Endpoint Management on-premise (also known as XenMobile Server) instances. The company advises users to apply the patches as soon as possible. While Citrix says it’s seen no evidence of exploitation in the wild, attacks taking advantage of unpatched systems are probably only a matter of time.
Microsoft’s updates for August prominently address vulnerabilities in Windows 10. Windows 7 fixes are now only available through the paid Extended Security Updates.