At a glance.
- US border patrol maintains massive database of traveler data.
- Heightened demand for Chinese data on cybercriminal marketplaces.
- Researchers uncover vendor spoof operation.
- Data breach reported at Uber.
US border patrol maintains massive database of traveler data.
Over the summer, US Customs and Border Protection (CBP) informed congressional staff that government officials have been compiling a massive trove of data collected from up to 10,000 electronic devices seized from travelers each year, most of whom are not connected to any crime. Congress has now learned that thousands of border patrol officers have access to the database, known as the Automated Targeting System, without a warrant, and that the data is retained for fifteen years. The Washington Post reports that in a letter to CBP Commissioner Chris Magnus, Senator Ron Wyden of Oregon called for heightened privacy standards and criticized the agency for “allowing indiscriminate rifling through Americans’ private records.” Although CBP’s collection of traveler data is nothing new, the recently revealed details have privacy advocates concerned about infringement of Americans’ rights against unreasonable searches and seizures.
CBP officials declined to share details about the number of Americans’ phone records in the database, the number of searches that have been run, or how long the data has been collected, but CBP spokesman Lawrence “Rusty” Payne says the agency conducts “border searches of electronic devices in accordance with statutory and regulatory authorities” and ensures the searches are “exercised judiciously, responsibly, and consistent with the public trust.” Indeed, a 2018 CBP directive stated that officers should only retain information relating to immigration, customs, or “other enforcement matters” unless they have probable cause, but CBP officials have admitted that the search configuration often defaults to downloading all data regardless of need. Moreover, the practice raises questions about how much passengers understand about what happens to their data. Faiza Patel, senior director of the Liberty and National Security Program at the Brennan Center for Justice, stated, “It’s not just what you say or do that’s of interest to DHS, it’s what everybody you know says and does…And when you have 2,700 people having access, you have very little control over the uses to which they put this information.”
Heightened demand for Chinese data on cybercriminal marketplaces.
In July the data of approximately 1 billion Chinese citizens was offered for sale on a leading underground cybercriminal forum after the alleged breach of Shanghai’s police database, and since then, Bloomberg reports, there has been a surge in the publication of Chinese personal data on the popular dark web site Breach Forums. Shortly after the leak, Singaporean cybersecurity company Group-IB found an estimated 290 million records on Breach Forums, and in August a seller offered up the data of nearly 50 million users of Shanghai's mandatory health code system for the price of $4000. Group-IB says that before the alleged Shanghai police leak there were three China-related databases marketed on Breach Forums; after the leak in July the number jumped to seventeen. Group-IB researcher Feixiang He told Bloomberg, “The forum has never seen such an influx of Chinese users and interest in Chinese data. The number of attacks on Chinese users may grow in the near future.” Though the nature of such forums makes it difficult to verify the authenticity of the datasets, the increased interest in leaked Chinese data highlights just how much data officials collect from citizens through the government’s extensive surveillance network, and just how vulnerable that data may be to theft.
Researchers uncover vendor spoof operation.
Email security firm IRONSCALES reports the discovery of a database of business email credentials that cybercriminals are using, together with spoofed Microsoft Office 365 login pages, to facilitate vendor impersonation attacks. Such operations trick companies into paying fraudulent invoices, with the funds going into the attackers’ pockets instead of the vendor’s. The criminals also appear to be using the credentials to carry out business email compromise attacks, using the affected accounts to defraud other companies or individuals or to launch account takeover attacks. In this case, the attackers sent phishing emails targeting realtors, real estate lawyers, title agents, and buyers and sellers, and then sent emails spoofing the real estate vendors First American Financial Corporation and United Wholesale Mortgage.
Data breach reported at Uber.
Uber is investigating a breach of its systems, the New York Times reports. Yesterday, the company said in a tweet from its @Uber_Comms account, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
The Times reports that the breach appears to have compromised a multitude of Uber’s systems, with the hacker sending the Times images of “email, cloud storage and code repositories.” Sam Curry, a security engineer at Yuga Labs who was in contact with the hacker, says “They pretty much have full access to Uber. This is a total compromise, from what it looks like.” The threat actor reportedly compromised a worker’s account on the company’s internal messaging service, Slack, and used it to post, “I announce I am a hacker and Uber has suffered a data breach.” Two employees who weren’t authorized to speak publicly about the situation said they were told not to use Slack, and that other internal systems were inaccessible. The breach relied on phishing and social engineering: the hacker sent a text message to a worker and convinced them to hand over a password that gave the hacker access.
An Uber spokesperson says that the breach is under investigation by the company and that law enforcement officials are being contacted. The CyberWire has a roundup of industry reaction here.