At a glance.
- Another US university is impacted by the MOVEit hacks.
- No good deed goes unexploited (ask an Australian charity).
- How many bugs does it take to hack a lightbulb?
- Scraped Duolingo data remains accessible.
Another US university is impacted by the MOVEit hacks.
CBS News reports that the University of Minnesota has disclosed it discovered a data breach in late July. School officials say they “became aware that an unauthorized party claimed to possess sensitive data allegedly taken from the University's systems” and immediately launched an investigation. The breach appears to be linked to the mass-hack of the MOVEit file transfer app, and the intruder claims to have accessed a university database containing approximately seven million Social Security numbers collected between the late 1980s and 2021.
The Star Tribune notes that the hacker allegedly accessed the database to analyze the impact of affirmative action following a recent US Supreme Court decision limiting the consideration of race in college admissions. The school is still working to verify the attacker’s claims. Interim University President Jeff Ettinger stated, "First, you have to determine somebody claims something, but is there evidence that it actually is true?" He added that the school is working to determine which individuals were compromised in order to issue breach notifications. As for mitigation methods, University spokesperson Jake Ricker stated, "Alongside experts, the University has taken steps since 2021 to bolster its overall system security through actions such as enhancing multi-factor authentication capabilities and increasing the frequency of monitoring activities."
James McQuiggan, security awareness advocate at KnowBe4, wrote to explain why universities are attractive targets, and why they face some distinctive challenges. “Cybercriminals continue to target upper education institutions for several reasons, including financial gain, personally identifiable information, and access to research or other intellectual property. Having MFA is a solid step for securing access to the various network devices and endpoints. However, with cybersecurity, it's all about reducing risk and the likelihood of a breach occurring. It's what happens post-breach that is important—being able to respond to the incident quickly and having the necessary teams, departments, or third parties readily available to support fast and effectively.” He added, “Educational institutions also face unique challenges when implementing MFA. Students expect convenient access to learning materials and systems, often from personal mobile devices. Faculty need flexibility to access school resources for teaching and research. The rollout of new MFA policies needs to consider these needs and prioritize ease of use alongside better security. As cyberattacks on schools continue to rise, improving MFA defenses, security awareness, and network monitoring must become a top priority. IT security teams at educational institutions should thoroughly audit existing MFA coverage and policies, identify gaps in MFA protections for critical systems and data, and develop a plan to address them. As new standards like FIDO2 and WebAuthn make MFA stronger and easier to use, schools should accelerate adopting these technologies.”
Darren Williams, CEO and Founder at BlackFog, agrees that schools and universities are likely to remain attractive targets for cybercriminals. “The education sector has been heavily targeted by cyber gangs and continues to be a rich source of data for extortion purposes. A combination of the lack of controls, cybersecurity tools and older infrastructure exacerbates these problems. Unfortunately, minimal investment in both cybersecurity tools and qualified professionals means this sector is highly vulnerable to data exfiltration and therefore extortion at both the organization and individual level. Educational institutions must begin to implement a response strategy and incorporate preventative tools, such as anti data exfiltration, to minimize damages and be fully prepared to combat the inevitable attack.”
No good deed goes unexploited.
Australian telemarketing firm Pareto Phone has suffered a data breach that exposed the data of thousands of donors to Australian charities. As ABC explains, Pareto Phone was hit with a cyberattack in April, and the Department of Home Affairs responded by saying, “Australia's charities are an important part of our community and do critical work improving people's lives. This incident shouldn't stop you from donating to charities.” While over seventy charities use Pareto Phone, not all of them were impacted. However, the Fred Hollows Foundation claims that Pareto breached the Privacy Act by retaining nine-year-old documents without the charity’s knowledge, and the Cancer Council and Canteen have also confirmed that data connected to their donors have been published on the dark web. The Fred Hollows Foundation released a statement saying, “We worked with Pareto Phone only during 2013 and 2014. We were not aware our data was still held by them. Under the Australian Privacy Principles, there is a requirement for personal information data to be destroyed or de-identified once it is no longer needed for the purpose for which it was collected.”
The charity added that they’ve asked Pareto Phone to delete any remaining data on their donors. Canteen, which supports young cancer victims, said it has taken time to determine exactly what data were compromised, but 2,600 donors from 2020 and 2021 have been notified so far. The exposed data include full names, dates of birth, addresses, email addresses, and phone numbers. “We're deeply upset that our supporters have been impacted by a data breach at Pareto Phone … we understand that this will cause major concern for kind-hearted people who donate,” a Canteen spokesperson stated. Pareto Phone CEO Chris Smedley issued an apology stating, “We have not at this stage identified any identity documents such as tax file numbers, driver licenses and passports about any donor.”
How many bugs does it take to hack a lightbulb?
A group of Italian and British researchers has shed light on four cryptographic insecurities discovered in a popular smart light bulb. The TP-Link Tapo L530E, described as “currently [the] best seller on Amazon Italy,” has the ability to essentially turn itself into a Wi-Fi access point, and the researchers found that anyone with knowledge of the bulb’s workings can connect to that access point, even without a password. As Naked Security explains, the feature is intended to allow the user to connect with the bulb over their home Wi-Fi, and it also allows the user to send setup commands to the bulb indirectly via a cloud account even when away from home. However, a savvy hacker could theoretically establish a fake access point, tricking the user into directing those commands to an imposter bulb device, and giving the hacker access to the user’s Wi-Fi password and TP-Link account details.
SecurityWeek notes that the bug has a severity score of 8.8, with the other three bugs ranging from medium to high severity. The researchers’ report states, “Contrary to a potential belief that smart bulbs are not worth protecting or hacking, we found out that this model suffers four vulnerabilities that are not trivial and, most importantly, may have a dramatic impact.” Fortunately, there’s a light at the end of the tunnel: the researchers have reported the issues to TP-Link, and the manufacturer says it’s already working on patches. It’s recommended that users be on the lookout for firmware updates to fix the bugs on their devices.
Scraped Duolingo data remains accessible.
Data from some 2.6 million Duolingo users, scraped from an openly accessible API earlier this year, was dumped on an underground hacking forum. BleepingComputer reports that access is being offered for the equivalent of $2.13, as close to free as makes no difference. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, argues that data scraping is a risk that deserves to be taken seriously. "This is yet another example why every online service should take proactive security measures to prevent mass data scraping. This isn't a research project where some computer security defender noticed an error that needs to be fixed. This is real stolen data for sale on a hacking forum. For sure the ability of a scammer to link someone's service, in this case DuoLingo, to their email address and name will allow more realistic phishing attempts. More people will fall for those scams than they otherwise would."
Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, thinks it unlikely the compromised data will pose a widespread risk. “The scraped data doesn't have much value outside of targeted attacks where the attacker spoofs DuoLingo; this is demonstrated by the fact that the dump is now only worth $2.13. The only mitigation steps that can be taken are for users of DuoLingo to be particularly suspicious of potentially spoofed communications.”
Jason Kent, Hacker in Residence at Cequence Security, explained the risks of inadequately secured APIs. “The Duolingo data breach highlights the vulnerabilities posed by poorly secured APIs and the potential for business logic abuse by threat actors. In this case, the breach was not a result of traditional hacking methods but rather the exploitation of an exposed API that had been openly shared since at least March 2023. Threat actors leveraged content scraping to obtain sensitive user data, which they subsequently leaked on a hacking forum. This exposed information enables threat actors to execute targeted phishing attacks and could lead to more severe consequences, such as intellectual property loss, increased IT costs, and potential customer attrition due to a compromised user experience.” He went on to note that interest in APIs is growing in the cybercriminal underworld. “This incident underscores that not all attacks on digital resources involve traditional hacking techniques. Instead, attackers are increasingly focused on manipulating the functionalities of web apps, mobile apps, and APIs using automated tools like bots. To mitigate the risks posed by content scraping attacks, organizations must adopt robust security measures encompassing traditional cybersecurity practices and newer strategies to defend against business logic abuse. Ensuring API security, conducting regular security audits, implementing access controls, and staying informed about emerging threats are vital steps to protect valuable user data and uphold customer trust.”
(Added, 5:45 PM ET, August 23rd, 2023.) Other industry experts offered comment over the course of the afternoon, and they have some things to say about the state of security that enabled the breach. George McGregor, VP of Approov, thinks it's a bad look for the language-learning company. “This unfortunately makes Duolingo look extremely negligent for a number of reasons,” he wrote. “Let's list out some of the issues:
- “The API returning public profile data based on a username without any other checks.
- “Automated scraping was possible because scripts can be run against the API: in other words no backend check that requests are coming from a genuine app.
- “The issue had actually been previously identified but not addressed.
“A good mobile security solution can be used to address these issues and restrict API access to properly validated app instances.”
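The second issue McGregor lists, scripts walking a profile-by-username endpoint, leaves a footprint in the API's own access logs: one client looking up many distinct usernames in a short window. The Python below is an added example of detecting that footprint, not code from Duolingo or any of the commenters quoted; the log format, client identifiers and thresholds are constructed for illustration.

```python
"""Flag username-enumeration scraping against a public-profile API.

Constructed access-log format (not Duolingo's), one request per line, in
time order: "<ISO-8601 timestamp> <client-id> GET /users/<username>".
A person browsing touches a handful of profiles; a script walking the
endpoint touches many distinct usernames from one client in a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) GET /users/([^\s/?]+)")

def parse_line(line):
    """Return (timestamp, client, username), or None for non-profile requests."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_enumeration(lines, window=timedelta(seconds=60), max_distinct=5):
    """Map each client that looked up more than max_distinct distinct usernames
    inside any sliding window to the peak number of distinct usernames seen."""
    recent = defaultdict(deque)  # client -> (timestamp, username) still in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, user = parsed
        q = recent[client]
        q.append((ts, user))
        while ts - q[0][0] > window:  # evict lookups older than the window
            q.popleft()
        distinct = len({u for _, u in q})  # repeat views of one profile don't count
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample: one ordinary app client, one script enumerating profiles.
SAMPLE_LOG = [
    "2023-08-22T10:00:00 app-7f3a GET /users/alice",
    "2023-08-22T10:00:05 app-7f3a GET /users/bob",
    "2023-08-22T10:00:09 app-7f3a POST /login",  # not a profile lookup; skipped
] + [f"2023-08-22T10:01:{i:02d} script-1 GET /users/user{i:04d}" for i in range(8)]

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'script-1': 8}
```

Counting distinct usernames rather than raw requests keeps a user refreshing their own profile below the threshold while still catching a slow walk of the namespace, which is why the window and threshold are tuned per endpoint rather than globally.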
Richard Bird, Chief Security Officer at Traceable AI, wrote as a frustrated customer. “As both a customer of Duolingo and a security professional I find this breach to be irritating and inexcusable. As a customer I don't need one more company exercising poor stewardship over the data that I've entrusted them with. I want to enjoy my experience learning Spanish without having to worry about who has my information. As a security professional I find it unconscionable that Duolingo hasn't moved to secure the API that allowed the breach in the first place,” he said. “Duolingo's delay or inattention to fixing the source of the API related data scraping is really unacceptable. Failing to act with urgency on an API breach like this is an open invitation to the bad guys to just keep picking and poking at your systems and processes trying to find a bigger payday. If companies like Duolingo are informed of a problem and then drag their feet in addressing it, it sends the 'weak prey' signal to the bad actors of the world.”
(Added, 11:45 AM ET, August 24th, 2023.) Stuart Wells, CTO at Jumio, thinks this incident should remind people that the threat isn't all snazzy AI and criminal innovation. “While the recent cybersecurity focus has centered around generative AI and protecting against new fraud techniques, this situation is a reminder that fraudsters still revert to tried-and-true methods of data theft. The 2.6 million users whose usernames and email addresses were scraped now face increased phishing attacks as their data is being sold on hacking forums. If victims fall for the phishing scams, they are further exposed to additional attacks that can steal even more vital data like personally identifiable information (PII), passwords, and financial information,” he writes. “Cybercriminals will continue to leverage known methods of attack and develop new and innovative ways to steal data, meaning organizations must prepare for everything from the new to the old. In order to better equip themselves against all forms of fraud, organizations must build a strong foundation starting with user verification and authentication. It’s essential for organizations to implement digital identity verification to prevent attacks by cross-referencing the biometric features of an onboarded user with those of the cybercriminal attempting to breach the company. By establishing every user’s true identity, businesses can ensure the user accessing or using an account is authorized and not a fraudster, keeping user data out of fraudsters’ hands.”
(Added, 3:15 PM ET, August 24th, 2023.) Gil Dabah, CEO and co-founder of Piiano, thinks this incident shows the limitations of perimeter security. “As cyber threats evolve, businesses have remained primarily focused on perimeter security, often overlooking potential vulnerabilities within their application APIs. Duolingo's recent data leak incident underscores this oversight. The root of such vulnerabilities often lies in software coding—specifically, the absence of stringent access checks crucial for safeguarding user privacy. This isn't a new concern. In fact, the Open Web Application Security Project (OWASP) has long cautioned against such issues. Yet, as the Duolingo incident illustrates, even major companies can sometimes neglect these warnings. The good news is that solutions already exist: tools that enforce rigorous access controls at both the data and code levels. Implementing these solutions isn't just about technical upgrades; it's about fostering a heightened awareness of evolving cyber threats and being proactive in defense.”