DriveSure customer data exposed, data theft at Washington State’s auditor, employee data at Wind River Systems hacked and more.
Welcome to Cyber Security Today. It’s Wednesday, February 3rd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Personal information on perhaps hundreds of thousands of American car owners who subscribe to the DriveSure roadside assistance program offered by car dealerships is being shared on a hacking forum. On January 4th researchers at the security firm Risk Based Security discovered that a 22-gigabyte database of customer information from DriveSure and a five-gigabyte database from its companion firm Krexinc were available to crooks. Apparently the databases had been dumped there on December 19th. Data includes customers’ names, addresses, phone numbers, email addresses, messages between dealerships and clients, car models and their vehicle identification numbers. That data could be used for email phishing and fraud. DriveSure told the security company it is investigating.
Data theft by hacking companies that sell software or services to others has been in the news since December with the report about a compromise at SolarWinds. That incident led to intrusions at U.S. federal departments and companies. This week the auditor of the U.S. state of Washington admitted the personal data of 1.4 million people in the state who had made unemployment insurance claims may have been stolen through a similar supply chain hack. The company hit is called Accellion, which sells software that helps companies transfer large files. Washington State was using a product from Accellion for file transfers. The data crooks could have include names, social security numbers, driver’s licence numbers, and bank information — in other words, information that can be used for fraud and impersonating people.
There’s another angle to this story: Accellion told the Seattle Times that the auditor’s office was using one of its older products called FTA. It says FTA isn’t as secure as a newer one it sells. The auditor’s office was in the process of moving to the newer product at the time of the data breach. Apparently the hackers found a vulnerability in FTA. That vulnerability was used not only to get into the auditor’s office, but also 49 other companies using the old software. For its part the Washington state auditor says it had no indication the older product wasn’t secure. By the way, users of FTA will want to know that the vulnerability has now been patched.
Here’s another supply chain hack story: If you use the NoxPlayer emulator for running Android games on Windows and Mac computers be careful about installing updates. Security firm ESET has discovered the software update mechanism was compromised to infect NoxPlayer with malware. Then computers of select victims in Asian countries using the player were hacked. Parent company BigNox says NoxPlayer is used by people in more than 150 countries. BigNox told ESET it wasn’t affected. Just because initially this attack was highly targeted doesn’t mean those behind it won’t use it more widely. NoxPlayer users should look for evidence of suspicious activity on their computers. The news site The Hacker News quotes an ESET researcher saying one option is uninstalling NoxPlayer until BigNox says it has mitigated the threat.
Security researchers combing the internet for poorly-secured databases have found another example: A database of images of passports and identity documents of reporters and volleyball players. According to the Bleeping Computer news service the database belongs to the European Volleyball Confederation. Apparently the documents were submitted over time as part of an accreditation process. This particular database may have been a backup. They were stored, as many unprotected backups tend to be, on a cloud provider’s system. In this case it was Microsoft Azure. Now it could be the volleyball association has all of its systems on Azure, which explains why the database was there. Or an employee just used it for backup storage of this particular data. Or someone copied the database without permission and stored it on Azure.
Employees at software maker Wind River Systems are being notified that someone got into the company’s computer system last September and copied personnel files. The information included names of staff and their dates of birth, social security numbers, driver’s licence numbers, passport or visa numbers and possibly bank account information — in other words, data that can be used for fraud and impersonation. Wind River makes a version of the Linux operating system for systems used in the automotive, defence, industrial, medical and telecom industries.
Attention IT administrators: If your firm uses VMware’s ESXi for virtual machines make sure the application has the latest security patches. The ZDNet news service reports it has vulnerabilities that are being used by a ransomware gang.
Finally, last week I told you that there are updates available for internet browsers to fight a new kind of website cyberattack. This week Apple released updates to the Safari browser and the Mac operating system to close the hole in those applications.
That’s it for today. Links to details about these stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.