Lock down those databases, watch for updates from Sennheiser and Zoom
Welcome to Cyber Security Today. It’s Monday December 3rd.
On Friday Marriott Hotels admitted that for four years someone had access to the customer database of many of its Starwood brands, including Sheraton and W Hotels, and copied personal information on 500 million customers. If you’ve stayed at one of these hotels, you should have received an email notice by now and should be watching your credit card statements.
But thieves don’t always have to break into a company to steal data. Sometimes it’s sitting on the Internet in plain view because it hasn’t been protected. Another example was discovered last week when security researchers at HackenProof found a company’s database of more than 56 million U.S. citizens listing their names, employers, job titles, email addresses, postal addresses, phone numbers and Internet addresses. They found it by searching the Internet for open servers. This particular database had been assembled using a tool called ElasticSearch, which companies use to search through their data. However, the resulting indexes have to be locked down, or anyone can read them if the server they’re on is reachable from the Internet. That means IT staff need to train employees who use ElasticSearch on security principles, and the server has to be password protected and not left listening on a public address. As this example shows, sometimes the message doesn’t get through.
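To make the “locked down” point concrete, here is an added example (not from the podcast or from the companies mentioned) showing an ElasticSearch configuration file with the kind of settings that leave a database readable by anyone on the Internet, followed by the corrected settings. The file name, the host addresses and the comments are assumptions for illustration; `network.host` and `xpack.security.enabled` are real ElasticSearch settings, but whether the security module is available depends on the version and licence in use, so check the documentation for your release.

```yaml
# elasticsearch.yml (added example; hypothetical deployment)

# --- Weak configuration: how exposed databases like the ones above end up online ---
# Listening on every interface makes port 9200 reachable from the Internet
# if the host has a public address and no firewall in front of it.
# network.host: 0.0.0.0
#
# With authentication disabled, any HTTP client can list and read every index.
# xpack.security.enabled: false

# --- Hardened configuration ---
# Only accept connections on the loopback interface (or a private address
# such as 10.0.0.5, assumed here); reach it through a VPN or an
# authenticated reverse proxy instead of directly from the Internet.
network.host: 127.0.0.1
http.port: 9200

# Require credentials for every request so an open port is not an open database.
# (Availability of this setting depends on the ElasticSearch version and licence.)
xpack.security.enabled: true

# Encrypt the HTTP API so credentials and data are not sent in the clear.
# The keystore path and password source are placeholders for your own files.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
```

A quick way to confirm the fix on your own server is to request `http://<server>:9200/_cat/indices` from a machine outside the network: a locked-down instance should refuse the connection or answer with an authentication error rather than a list of indexes.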
Here’s another example. Also last week, a security researcher discovered another open ElasticSearch database, this one owned by a British company called Urban Massage, whose app is used to book massage appointments. Left exposed were about 300,000 user and therapist records and comments, including serious allegations of impropriety. Again, some staffer didn’t get the message about security.
Sennheiser is one of the most respected makers of headphones, but there’s a problem with the HeadSetup software used with its computer-connected headphones and speakerphones. Quite simply, one of the security features was poorly implemented. According to the security company Secorvo, which found the problem, the bug could allow an attacker to get into a user’s computer. Sennheiser said a fix would be available by the end of November.
Finally, if you use the Zoom desktop conferencing application, make sure you’ve installed the latest update. A bug has been found that allows an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings. The update is available for Windows and macOS.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.