At a glance.
- Stolen Indigo Books customer data could be released on dark web.
- Report shows fintech apps are vulnerable to attack.
- LastPass CEO issues mea culpa for recent data breaches.
Stolen Indigo Books customer data could be released on dark web.
As we noted previously, Indigo Books & Music, Canada’s largest bookstore chain, experienced a cyberattack last month. At first the retailer said only that it had suffered a “cybersecurity incident,” but it is now apparent Indigo was hit with a ransomware attack, and the company says the stolen data of current and former employees could be published on the dark web as soon as today. Indigo announced on its website that it will not meet the attackers’ ransom demands, noting that history has proven that payment is no guarantee the cybercriminals will not release the data. The Toronto-based bookseller says it is working closely with law enforcement in the US and Canada, both of which “discourage organizations from paying a ransom as it rewards criminal activity and encourages others to engage in this activity.” Global News notes that it was just last week that Indigo finally admitted that employee data had been compromised in the attack, but it appears customer data were not impacted.
Report shows fintech apps are vulnerable to attack.
End-to-end mobile security provider Approov has released a report that found that 92% of popular fintech apps expose valuable secrets that could be exploited by cyberattackers. Business Wire explains that Approov evaluated the top two hundred financial services apps available on the Google Play Store in the US, UK, France, and Germany, and the results showed that sensitive data like API keys were easily extractable and could be used by cybercriminals to attack APIs and exfiltrate data. Approov also discovered two critical runtime attack surfaces that could be used to steal API keys at runtime, and only 5% of the apps analyzed employed effective defenses against runtime attacks manipulating the device environment. Approov CEO Ted Miracco commented, “Have we all unknowingly become beta-testers for financial services apps? Is this putting our personal finances at risk? Continuing news about breaches seems to indicate this is the case and it is unacceptable!” It’s worth noting that the report showed that apps deployed in Europe were better protected than apps available only in the US, perhaps due to the EU’s more stringent privacy rules.
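The report’s central finding is that API keys shipped inside app packages are easy to pull out. The cheapest defense is to look for them yourself before a build leaves the pipeline. The following is an added example, not code from Approov or from the report: a small secret scanner of the kind a release pipeline would run over the strings extracted from a decoded app package. It flags two shapes of leak, a named assignment (`api_key = "…"`, `"auth_token": "…"`) and any long, high-entropy token that looks like a credential even without a telling name. The sample strings and all key values are constructed for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample: lines as they might come out of a decoded app resource
# file or a `strings` pass over an app binary. Every value here is made up.
SAMPLE_STRINGS = [
    "https://api.example-bank.invalid/v1/accounts",
    "Content-Type: application/json",
    "min_password_length = 12",
    'api_key = "sk_live_ExAmPlE_CoNsTrUcTeD_0001"',
    '"auth_token": "tok_ConstructedSampleValue_7788"',
    '"session_seed": "AbCdEfGhIjKlMnOpQrStUvWxYz012345"',
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
]

# A secret-looking value assigned to a telling name (api_key, secret, token, password).
ASSIGN_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)[\"']?\s*[=:]\s*[\"']?([A-Za-z0-9_\-+/=.]{16,})"
)
# Any long run of key-alphabet characters; dots and slashes are excluded so
# URLs and MIME types are not chopped into false positives.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+=]{32,}")


@dataclass
class Finding:
    line_no: int
    kind: str       # "assignment" or "high-entropy"
    value: str
    entropy: float  # Shannon entropy in bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high,
    repeated or dictionary-like strings score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines, entropy_threshold: float = 4.0):
    """Return a Finding for every line that looks like it carries a baked-in secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = ASSIGN_RE.search(line)
        if m:
            value = m.group(2)
            findings.append(Finding(line_no, "assignment", value, shannon_entropy(value)))
            continue  # one finding per line is enough for triage
        for token in TOKEN_RE.findall(line):
            ent = shannon_entropy(token)
            if ent >= entropy_threshold:
                findings.append(Finding(line_no, "high-entropy", token, ent))
    return findings


def report(findings) -> list:
    """Human-readable lines for a CI log; values are truncated so the log
    itself does not become a second copy of the secret."""
    return [
        f"line {f.line_no}: {f.kind} ({f.entropy:.2f} bits/char) {f.value[:8]}..."
        for f in findings
    ]


if __name__ == "__main__":
    for row in report(scan_strings(SAMPLE_STRINGS)):
        print(row)
```

Two design points carry over to real tooling: the entropy threshold (4.0 bits per character here) is the knob that trades false positives for misses, and the report deliberately prints only a prefix of each value, since a CI log that echoes the full key is itself a leak. A scanner like this catches what is baked in at build time; it does nothing about the runtime key theft the report also describes, which needs the device-environment checks the report says only 5% of apps had.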
(Added 8:15 PM ET, March 2nd, 2023. Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc., wrote to offer some perspective on lessons that might be drawn from this incident for cloud security generally.
“Cloud security is always a constant battle between convenient access and secure access. In the examples of the reports, the wide majority of the applications contained “pre-baked” API keys that provided access to certain “secured” public services just by the presence of the API key. Once compromised, the security of the API is completely out the window.
“API keys for accessing *any* public service should not last indefinitely and they should never come directly with a mobile or enterprise application install. The most secure way is requiring that the API keys be received after proper authentication (and most likely Multi Factor Authentication, MFA). In today’s day and age, MFA is not difficult to set up and while it isn’t perfect, it provides meaningful resistance to most hackers and malicious actors looking for low hanging fruit.
“Once the API key is obtained, accessing the service is still a potential waving flag for malicious actors. The transport mechanisms and source/destination addresses can become immediate targets.
“That’s why stealth networking and solutions can be truly innovative. Obfuscating and encrypting and protecting data in transit can provide the enhanced security from mobile endpoint all the way to cloud. Additionally, with a stealth networking solution, the ability for a malicious actor to set up a MITM attack is severely hindered. By removing “known” open endpoints, malicious actors can’t easily set up the MITM to try to intercept and capture/modify packets.”)
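Pimplaskar’s two concrete recommendations, that an API credential should be handed out only after the user has authenticated and that it should not last indefinitely, are easy to show side by side with the “pre-baked” key pattern the report found. The following is an added example, not code from Dispersive or from the report, of a server issuing a short-lived, scope-limited access token after authentication, with the verification logic that rejects expired, tampered or wrongly scoped tokens. The signing key, user ids, scopes and times are all constructed; the authentication step itself (password plus MFA) is assumed to have happened before `issue_token` is called.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret only. Unlike a baked-in API key, this never ships in the
# app package; the app only ever receives tokens derived from it. (Constructed.)
SERVER_SIGNING_KEY = secrets.token_bytes(32)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, scopes: list, ttl_seconds: int, now: int,
                signing_key: bytes = SERVER_SIGNING_KEY) -> str:
    """Issue a bearer token bound to a user, a scope list and an expiry.

    Called only after the user has completed authentication (assumed here).
    The token replaces the long-lived, app-wide key: it is per user, it names
    what it may do, and it dies on its own.
    """
    payload = {"sub": user_id, "scopes": scopes, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64url(hmac.new(signing_key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str, required_scope: str, now: int,
                 signing_key: bytes = SERVER_SIGNING_KEY):
    """Return (ok, reason). Every failure is a distinct, loggable reason so the
    API side can tell tampering from plain expiry."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64url(hmac.new(signing_key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison: a naive == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected, tag):
        return False, "bad-signature"
    try:
        payload = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if now >= payload["exp"]:
        return False, "expired"
    if required_scope not in payload["scopes"]:
        return False, "insufficient-scope"
    return True, payload["sub"]


# The pattern the report criticises, for contrast: one key, baked into every
# install, no owner, no scope, no expiry. Anyone who extracts it is "authenticated".
BAKED_IN_API_KEY = "sk_live_ExAmPlE_CoNsTrUcTeD_0001"  # constructed value


def baked_in_check(presented: str) -> bool:
    return hmac.compare_digest(presented, BAKED_IN_API_KEY)


if __name__ == "__main__":
    t = issue_token("user-42", ["accounts:read"], ttl_seconds=300, now=1_000)
    print(verify_token(t, "accounts:read", now=1_100))   # (True, 'user-42')
    print(verify_token(t, "accounts:read", now=1_400))   # (False, 'expired')
    print(verify_token(t, "accounts:write", now=1_100))  # (False, 'insufficient-scope')
```

The point of the contrast is in the `baked_in_check` function: a baked-in key has no subject, scope or expiry to check, so extraction from one install is equivalent to a permanent credential for the service. With the issued token the same extraction yields something that stops working on its own within the TTL and only ever covered one user and one scope. A production deployment would add revocation and key rotation on top, which this example leaves out.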
LastPass CEO issues mea culpa for recent data breaches.
Popular password manager LastPass has been under attack for a lack of communication in the wake of two cyber incidents the company suffered in August. LastPass CEO Karim Toubba published a blog post yesterday in which he took full responsibility for the company’s lack of transparency regarding the incidents. "I acknowledge our customers’ frustration with our inability to communicate more immediately, more clearly, and more comprehensively throughout this event," Toubba wrote. "I accept the criticism and take full responsibility." As Axios recounts, LastPass initially told users that the first data breach was limited to LastPass' development environment and that no customer data were accessed. Then in December, the company disclosed there was a second breach that took advantage of the first hack, resulting in the exposure of sensitive user data. This week LastPass released a security advisory explaining that attackers initially gained access to LastPass' systems by targeting a key employee's home computer, and that the attackers in the second breach had access to LastPass' cloud storage between August and October. However, the notification was not widely shared and even included HTML code to prevent it from appearing in search engines. In his blog post, Toubba apologized for the way the information was distributed and offered a rundown of the events, but even his statement lacked important details that had been previously divulged about the incidents. The good news is, it appears that LastPass users' "master passwords" were not exposed, as LastPass doesn’t store that information, and Toubba says the company is implementing "several new security technologies across our infrastructure, data centers, and our cloud environments to further bolster our security posture."