At a glance.
- Vulnerabilities offer on-ramp to a highway of private data.
- Job applicants' data exposed.
- Twitter hack results in massive data dump.
Vulnerabilities offer an on-ramp to a highway of private data.
A cybersecurity research team led by Sam Curry has discovered security flaws in nearly twenty car manufacturers and services including household names like BMW, Toyota, Mercedes, and Honda, as well as vehicle technology brands Spireon, Reviver and SiriusXM, Bleeping Computer reports. The vulnerabilities could give an intruder the ability to engage in a variety of malicious activities, from unlocking the vehicle to accessing the owner’s personal data. BMW and Mercedes-Benz were found to have the most severe bugs, connected to improperly configured single-sign-on (SSO) capabilities which allowed attackers to access internal systems. As Security Affairs notes, the researchers uncovered SSO vulnerabilities in BMW and Rolls Royce that gave hackers the ability to act as an employee in order to access any employee application data, internal dealer portals, and sales documents. For other brands including Porsche, flaws in the cars’ telematics systems allowed attackers to track vehicles in real time by retrieving vehicle locations and sending commands. Though these bugs have all been resolved by the carmakers, buyers are urged to limit the amount of private data they share with their car’s internal systems, set in-car telematics to the most private mode available, and read privacy policies to understand how their data are being used.
Job hopefuls exposed.
American fast food chain Five Guys was hit with a cyberattack in which the hackers infiltrated a file server and stole the personally identifiable information (PII) of job applicants, Dark Reading reports. In a notification letter sent last week to those impacted, Chief Operating Officer Sam Chamberlain stated that the breach was detected on September 17 and blocked the same day. "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and [variable data],” Chamberlain wrote. The company has released few details about the incident, but Turke & Strauss LLP, a law firm investigating the matter on behalf of the victims, says the compromised information includes Social Security numbers and drivers' license data. Cybersecurity experts note that Five Guys suffered a previous data breach in which the attacker used the stolen data to conduct fraudulent banking transactions. As for the current attack, Netenrich principal threat hunter John Bambenek predicts the stolen data could cause major issues for the impacted job seekers. "The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."
Added, 10:00 AM, January 6th, 2023.
Arti Raman, CEO and founder, Titaniam, also offered some comment on the Five Guys incident. “It is unclear if the Five Guys data leak was part of a ransomware attack or if someone simply stumbled upon an unprotected cloud storage," she said, and then offered some considerations on response to breaches of this kind. "The first thing to do, as a community, is to extend empathy to those impacted. When it comes to data breaches and unauthorized access to files, any of us could find ourselves in the midst of a data leak having our PII exposed. With over 65% of attacks rooted in some type of human compromise, attackers can find a foothold in even the best-defended enterprises. In times like this, it is essential to reflect on best practices so that all can benefit from each other's experiences. In turn, this helps build resiliency based on attacks that have happened and still could happen again." Some steps she recommends taking are:
"Based on our work, Titaniam has found that cyberattack immunity is a three-part solution. First, enterprises must look into prevention and detection solutions so that attacks can be stopped before they execute or be identified before infection spreads. Second, data security focuses on preventing large-scale data exfiltration. This can be achieved through encryption at rest, in transit, and, most importantly, encryption-in-use. Encryption-in-use is an extremely powerful new technology that dramatically reduces ransomware, extortion, and other data-related attacks. This is potentially what can help in the case of unauthorized access to files. Finally, the third piece is backup and recovery. This is in place so that even if attackers successfully bring down systems, these can be recovered without expensive payouts. Implementing a three-part defense helps significantly neutralize attacker leverage and protect data and enterprises."
Twitter hack results in massive data dump.
As the CyberWire noted on Tuesday, a hacker known as “Ryushi” claimed to be in possession of the data of over 400 million Twitter users allegedly obtained in 2021 by exploiting a since-patched API vulnerability. Ryushi demanded $200,000 in ransom from the social media platform to delete the data, but it appears Twitter has refused, as the records of 235 million Twitter accounts and the email addresses used to register them have now been posted for free to an online hacking forum. Alon Gal, the co-founder of the Israeli security company Hudson Rock who found the posting on popular underground marketplace Breached, told the Washington Post, “This database is going to be used by hackers, political hacktivists and of course governments to harm our privacy even further.”
As Computing notes, this is the latest chapter in a story that began back in 2021, when the database was likely first compiled using the aforementioned API bug. Twitter learned of the vulnerability in January 2022 through its bug reporting program, and the flaw was inadvertently introduced in a code update seven months before that. Twitter says it first realized the bug had been exploited when hackers were discovered selling a trove of 5.4 million Twitter account handles and associated emails and phone numbers in July. The Washington Post adds that the most recent data dump will likely lead to further regulatory scrutiny for the social media giant in the midst of its controversial purchase by billionaire Elon Musk. The Federal Trade Commission is currently investigating whether Twitter violated a deal promising to better protect user data, perhaps due to a lack of resources resulting from Musk’s personnel firings, and the breach is likely to attract the attention of international regulators.