At a glance.
- Misconfiguration issues in Apache Airflow.
- Content sprawl and security risk.
- Law firm data breach.
- Syniverse data breach revealed in SEC filing.
- Facebook outage as potential phishbait.
- Twitch breached.
Misconfiguration issues in Apache Airflow.
Researchers at Intezer have discovered data leaks resulting from user misconfiguration of Apache Airflow, a leading open-source, cloud-based workflow management platform. Configuration errors can result in the exposure of user credentials, and in versions of Airflow prior to v1.10, an Ad Hoc database query feature could allow anyone with access to the server to retrieve information from the database. Users are advised to promptly update to version 2.0, which has removed the Ad Hoc query feature and requires login and authentication for all operations.
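As an added illustration (not code from Intezer's report or the Airflow project), the following audit reads a 1.10-style airflow.cfg and flags the legacy-UI settings that leave the web interface, and the connection credentials it manages, exposed in the way described above. Both configuration samples are constructed; the key names are Airflow 1.10 webserver and core settings, and the Fernet key value is a placeholder.

```python
import configparser
from typing import List

# Constructed sample: an Airflow 1.10.x install left on legacy defaults.
WEAK_CFG = """
[core]
fernet_key =

[webserver]
authenticate = False
rbac = False
expose_config = True
"""

# Constructed sample: the same file after hardening (key value is a placeholder).
HARDENED_CFG = """
[core]
fernet_key = PLACEHOLDER_FERNET_KEY

[webserver]
authenticate = True
rbac = True
expose_config = False
"""

def audit_airflow_cfg(text: str) -> List[str]:
    """Return one finding per setting that leaves the UI or stored credentials exposed."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: List[str] = []
    rbac = cfg.getboolean("webserver", "rbac", fallback=False)
    # Without RBAC, every user of the legacy UI sees Connections, Variables and (on 1.x) Ad Hoc Query.
    if not rbac:
        findings.append("webserver.rbac is False: legacy UI with no role separation")
    # The legacy UI only asks for a login when authenticate=True; the RBAC UI always does.
    if not rbac and not cfg.getboolean("webserver", "authenticate", fallback=False):
        findings.append("webserver.authenticate is False: web UI reachable without login")
    # expose_config renders airflow.cfg in the UI, including any embedded DB connection string.
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config is True: configuration visible in the UI")
    # With no fernet_key, Connection passwords are stored unencrypted in the metadata database.
    if not cfg.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key is empty: connection passwords stored in plaintext")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_airflow_cfg(sample) or ["no findings"])
```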
Content sprawl and security risk.
After surveying four hundred C-level IT leaders regarding the challenges of securing and governing data, Egnyte has released the 2021 Egnyte Data Governance Trends Report. The overview identifies content sprawl as one of the biggest difficulties, as the recent surge in remote work has resulted in increased reliance on multiple file storage solutions. The report found that on average an organization employs fourteen file repositories, and 20% of CIOs surveyed said they use over twenty different file services. While cloud repositories or on-prem file servers are prevalent, files are also transmitted and stored in informal, less secure repositories like email, collaboration portals, and messaging services. CIOs estimate that on average 49% of an organization’s files contain sensitive private data, and 65% say these files are saved on employees’ personal devices. Though 80% plan to employ new cloud security solutions over the next year, cost, lack of time for research, and a shortage of in-house administrative manpower could impede their efforts.
Law firm data breach.
New York-based law firm Coughlin & Gerhart, LLP (C&G) has disclosed they suffered a data breach in April. Though details are few, the breach resulted from an intruder gaining unauthorized access to “certain computer systems.” The resulting investigation determined “certain individuals'” private data was exposed, including names, addresses, Social Security numbers, driver's license and passport numbers, financial account information, and medical and health insurance info. C&G is notifying impacted individuals and offering recommendations for identity theft prevention.
Syniverse data breach revealed in SEC filing.
In a September SEC filing tied to a merger agreement, messaging services provider Syniverse disclosed it experienced a data breach in May. FierceWireless explains that an intruder gained unauthorized access to network databases on multiple occasions, compromising the Electronic Data Transfer (EDT) login credentials for over two hundred Syniverse customers. An anonymous source employed at a telephone carrier claims the attacker might have also accessed call metadata detailing call length and cost, caller and receiver’s numbers, location data, and SMS text messages. In the filing, the company states “Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity.” Syniverse, which is valued at $2.85 billion and supports leading wireless carriers like AT&T, T-Mobile, and Verizon, has reset all EDT customer credentials and “implemented substantial additional measures to provide increased protection to our systems and customers.”
Vykintas Maknickas, Head of Product Strategy at Nord Security, wrote with advice on what affected users can do now to help protect themselves:
“There were several red flags with how Syniverse handled the hack, but one of the more dangerous aspects of this hack relates to 2FA. If the hackers could access user text messages, this would have enabled them to access other accounts that had 2FA enabled through text messages.”
“Security experts have almost a complete consensus that authenticator apps provide better protection than SMS 2FA, so one immediate action post-hack would be to switch your 2FA method.
“Another thing that people can do is look for the login history of their most critical accounts like their emails to see if there’s something suspicious. The reason being, even if 2FA was enabled through SMS, even services like Gmail could miss that the attempt to log in was suspicious.”
Demi Ben-Ari, CTO and co-founder of Panorays, frames the incident as another case of third-party risk:
"The recent cyber incident involving telecom giant Syniverse is just one more example of how a third-party breach can impact millions. In this case, Syniverse, which works with companies like AT&T, T-Mobile and Verizon, discovered that hackers had access to billions of text messages over the past five years through approximately 200 clients. While one might be inclined to think that endless text messages seemingly containing nothing more than lots of emojis are worthless, that’s not the case. The reality is that those texts are someone else’s private data that could communicate business data—and that data can be bought. Therefore, this constitutes a massive breach.
"Cyber incidents like these illustrate why it’s so crucial for organizations, when assessing the security of their third parties, to understand the context of the business relationship with each third party and how much risk is involved. For example, if you are working with a vendor that is connected to all of your infrastructure, you must be sure to comprehensively assess and continuously monitor their cyber posture, as well as remediate any cyber gaps."
Third-party risk was also noted by Trevor Morgan, product manager with comforte AG:
“When any part of the backbone of our interconnected ecosystem—service providers—falls prey to threat actors, we are all reminded that nobody, not even tech companies, is immune from cyberattack. The fact that attackers had access, potentially for years, to the EDT (electronic data transfer) environment should make all enterprises no matter what industry rethink their security posture. We need to accept the fact that situating data behind fortified perimeters is only one method of protecting data, and one that hackers can overcome with enough time, patience, and creativity.
"What then? Organizations need to adopt more data-centric protections such as tokenization and format-preserving encryption to guard against hackers getting directly to the sensitive organizational data which is always their main target. Data-centric security replaces sensitive data elements so that, no matter who gains access to it, the attacker cannot read, understand, or leverage that information. Hopefully, every enterprise can receive this critical message: better ways to protect your valuable data are out there, so you simply have to prioritize it. An unwelcome breach will certainly do that.”
Facebook outage as potential phishbait.
Facebook has resolved the technical problems that knocked it offline earlier this week. Purandar Das, President and Co-Founder at Sotero, wrote to caution people that, as is the case with any high-profile incident, you can expect to see it referenced in phishing attacks:
“Social platforms that drive everyday communication and interactions play an important role in consumers’ lifestyles. They also are revenue and lead generation platforms for many businesses. Apart from the inconvenience and potential loss of revenue they pose, they could also serve as a vehicle for increased criminal activity. Campaigns targeting unaware consumers and businesses to either be redirected to a fraudulent site or asked for user credentials are possible.
"Consumers need to be aware and vigilant. Consumers and businesses need to be vigilant about inbound emails suggesting that the sites/apps are back up and to click on an embedded link to restore access. Consumers should also be on the lookout for emails, purportedly from the platforms, asking them to log in and reset access. The attackers may even use text messages to spur action. The best way to be safe is to monitor press releases from the platforms themselves reporting the working of the platform. They should also go directly to the websites rather than clicking on embedded links in emails and text messages.”
Twitch breached.
Twitch, the video live-streaming service that focuses on serving gamers, has sustained a major data breach. The Video Games Chronicle reports that an anonymous hacker (and that’s “anonymous” with a small “a”) posted a 125 gigabyte torrent to 4chan this morning that’s said to include Twitch’s source code and user payout information in addition to other material that the report says amounts to basically everything. It's apparently a hacktivist operation. The anonymous hacker wrote that the dump’s intention was to “foster more disruption and competition in the online video streaming space” because “their,” that is, Twitch’s, “community is a disgusting toxic cesspool.”
Twitch confirmed that there had indeed been a breach, tweeting, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
Danny Lopez, CEO at Glasswall Solutions, wrote to comment on the sheer quantity of data the attacker accessed:
“The volume of data which the hackers of Twitch have gained access to is concerning. Such sensitive information such as source codes and financial information should be protected by the highest levels of security. With 15 million daily users, Twitch holds significant amounts of data, much of which contains personal information about its customers. It is essential that a proactive approach is taken to cybersecurity in order to protect such information - once hackers have access to systems, there is little else that can be done. At a time like this when details are unclear, Twitch users should also take immediate steps, which includes changing their passwords and enabling two-factor authentication.
"But even when all procedures and policies are well-executed, there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities. Often this is as simple as inserting malware using documents and files shared in their hundreds every day in a business environment. It's vital organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing both internal users and external customers to use the systems as expected.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organisations run the risk of attackers having a free reign across a network once they are inside.”
Javvad Malik, Security Awareness Advocate at KnowBe4, was also struck by the size of the breach, and recommends that users of Twitch take precautions:
"The Twitch breach is a large one and contains some potentially very sensitive information relating to some of its streamers. Changing passwords, especially if the same password has been used on other systems is a good first step for affected users. But it's also worth bearing in mind that not all attacks based on information on these leaks will come immediately. Criminals can use the data within the leak to formulate convincing phishing attacks over weeks or months. So it's important for Twitch users to remain vigilant of emails, text messages, physical letters or even phone calls claiming to be from Twitch, or a related service."
Jarno Niemela, Principal Researcher at F-Secure, agrees that users need to look to their own security:
"This leak is very serious for Twitch, but the question is what effects this will have for the regular Twitch user. From what we currently know, password hashes have leaked, so all users should obviously change their passwords, and use 2FA if they are not doing so already.
"But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to take so that further private information isn’t leaked.
"And while it won’t help in this case as data has already leaked, users should always be cautious on what kind of information they provide to any social media platform."
Bill Lawrence, CISO at SecurityGate, sounds positively weary of news like this:
"Twitch was hit hard by someone supposedly trying to make things hurt enough to change their gaming community. Data loss prevention and exfiltration prevention don't seem to have worked, and the volume of the hack could point to an insider or very, very lax controls around the keys to the Twitch kingdom that an external hacker found.
“In the end, it is 'another day, another breach' to add to an ever-growing number. It is guaranteed that criminal organizations are working out ways to attack Twitch users with any PII or passwords in the trove.
“Monitor your credit, use MFA, change your passwords, and be nicer in forums online. Those will all be public and likely attributable sooner or later.”
Saryu Nayyar, Gurucul's CEO, points out that there's not always an immediate profit motive in even the biggest hacks, and she too advises users to take precautions:
“The Twitch video streaming platform has apparently had its entire business downloaded and made available to all on 4chan. This includes all source code, including Twitch clients, creator payouts, proprietary SDKs and services, and several affiliated properties. The hacker who claimed responsibility said that the goal was to foster more innovation away from a platform whose community 'has become a disgusting toxic cesspool.'
“So there’s no immediate profit motive here; even if some team uses the downloaded code as the basis for a competitive product, it will likely be identified as stolen, and the product sanctioned. But the theft of payout information may mean that personal identifying data is out there too.
“Although passwords are encrypted, Twitch users are advised to set up two-factor authentication. While it’s an extra step in the login process, everyone should be using two-factor authentication when available.”