Security round up
With so much cyber security news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI Security round-up of the three top cyber security stories.
Federal bug bounty programmes seem to pay off
The United States Marine Corps is a branch of the United States Armed Forces, responsible for conducting expeditionary operations with the United States Navy, the Army and/or the Air Force.
October saw the Marine Corps present findings from its public Hack the Marine Corps, or more specifically, an invitation to hack 200 or so public facing Marine Corps websites and report back on any interesting findings, such as vulnerabilities. Bounties were up for grabs for good insecurity finds.
“Hack the Marine Corps was an incredibly valuable experience. When you bring together this level of talent from the ethical hacker community and our Marines we can accomplish a great deal,” said Maj. Gen. Matthew Glavy, commander of the U.S. Marine Corps Forces Cyberspace Command, in a Marine Corps press release.
The programme, supported by HackerOne and kicked off at a live event in August 2018, paid participants a total of $151,542 in payouts. The entire project cost just over double this amount, $350,000, which is pretty lean spending when you compare it to contracted security assessments.
One of the biggest single payouts, of $10,000, went to a team which managed to access sensitive military personnel records, according to military news sources.
Hack the Marine Corps is the eleventh bug bounty program run by the Department of Defense, with over 600 vulnerabilities uncovered and $500,000 in rewards handed out in the last few years.
Facebook on the ropes
Facebook is still on the back foot after the Cambridge Analytica scandal, which drove the social giant to promise major changes in the way it operates and is still bringing in some hefty fines from regulators.
Following this up with a massive data breach in September, affecting at least 30 million users although perhaps not quite the 50-90 million initially thought to be hit, was less than ideal. The added public attention focused on the firm threw up more gleeful stories in the press, such as the Facebook-hosted cyber security event in London losing its list of attendees, along with email addresses – fortunately the document was only temporarily mislaid.
At the end of the month, another big Facebook story broke, this time a leak of private messages. The BBC’s Russian Service unveiled news of messages from 81,000 compromised accounts being posted online, along with claims that a further 120 million accounts were available for sale on underground forums.
The issue had been under investigation since September, when the batch of stolen details first hit the market. Facebook denied any responsibility for the leak, passing the buck back to users by claiming the data was filched using malicious browser extensions and plugins.
Whoever should take ultimate responsibility, this latest incident is yet another nail in the coffin of public trust in social network providers. The message that free online services aren’t always working in the best interests of their users is hitting home, and more and more of us are locking down, clamming up or pulling out completely.
This could have some serious consequences in the long run. Huge numbers of micro-businesses have long relied on Facebook as a cheap and simple platform for reaching their customers, avoiding the need to build and maintain a “proper” web presence.
As more people drift away from the platform, this approach will become less viable, forcing more business owners to bite the bullet and find other ways to present themselves to the online world. If this means more small companies with limited IT skills running poorly secured and maintained websites, it could mean more security worries for the rest of us.
Travelers continue to bear the brunt of data leaks
Aside from social media providers, hotels and airlines seem to have taken over from retail and food providers as the main headline-grabbers when it comes to leaking customer data.
Following September’s news of a major issue at British Airways, the airline has since expanded its estimates, confirming the leak may have affected an additional 185,000 suspected victims, on top of the 380,000 already thought to be involved.
The hack allowed scraping data as it was fed into the company’s website, so the crooks were able to access CVV security numbers not usually recorded by websites and thus usually immune from more traditional data leaks taken from back-end databases.
Another airline, Cathay Pacific, was hit by one of those too, revealing in late October that an unauthorised third party had accessed their systems, containing data on 9.1 million customers.
According to their statement, the data included “passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information” – a wealth of useful data for phishers, even if no payment information was included.
Right at the end of the month, the Radisson hotel chain informed its Radisson Rewards programme members that a data leak may have divulged similarly phisher-friendly data, including names, addresses, email addresses, and potentially phone numbers and frequent flyer numbers in some cases. The number of customers affected was not divulged.
With the incident apparently first spotted on October 1st (and according to news sources, the breach active since September 11th), there are some questions as to why the disclosure took so long to emerge, particularly given the 72-hour time frame specified by GDPR.
Being away from the safety of home has always made travelers a vulnerable target for scammers and thieves, so the added stress of worrying if your transport and accommodation providers can be trusted with your information is unlikely to be welcomed.
You might also like: