Millions of files on Americans found open on Internet, and how to avoid juice-jacking
Welcome to Cyber Security Today. It’s Monday January 13th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Employees at companies continue to be sloppy at protecting personal data. Here’s another example: Someone at Front Rush, a U.S. firm which provides management software for college athletics programs, left a server open to the Internet. That server had more than 700,000 files including athletes’ medical records, performance reports, drivers’ licences and other personal information. Often this is a configuration problem where the person creating a database or file forgets to check a setting, or an IT staffer doing maintenance or an upgrade does something wrong. Regardless, managers around the world aren’t doing enough to make sure this doesn’t happen in their organizations. This incident was originally reported by Vice.com.
Here’s a similar incident: According to The Register, a researcher found an open database with details on 56 million American residents including home addresses and phone numbers. The database appears to belong to a web site called CheckPeople.com, where, for a fee, you can look up people’s names and find addresses. Most of the information seems to be available from public sources. Still, why it was unprotected isn’t known. The server is in China. We don’t know if this was a database stolen from CheckPeople, or whether an employee put it there and misconfigured it. As of the recording of this podcast CheckPeople hadn’t responded to questions.
Misconfigured cloud storage is a big problem for companies. If your firm uses Amazon AWS for storage, there are tools like AWS Security Hub and the new Identity and Access Analyzer that help track down mistakes. If you use Microsoft Azure, there’s Azure Security Center. If your firm uses other cloud storage firms, find out what — if any — security tools they offer.
Let’s talk about juice-jacking. No, it’s not a way to steal fruit drinks. Juice-jacking is slang for delivering malware through infected public USB charging stations in airports, hotels and conferences. These stations are offered as a convenience for you to charge mobile devices. But if they’ve been compromised, your smartphone, laptop or tablet will be too. That’s right, the power plug and charging cable can deliver malware. That’s because USB connections are used for both delivering power and transferring data. Security researchers have demonstrated how it can be done. But how big a problem is it? We’re not sure, writer Mike Elgan says on IBM’s Security Intelligence blog. But it’s better to be safe by not using public charging stations. Nor should you charge your device through someone else’s computer. Instead, carry your own charging adapter and cable. If you buy a duplicate, make sure it’s a packaged brand-name product and not from an open box of adapters and cables in a store beside the cash register. Worried about running out of power? Buy and carry a rechargeable USB mobile battery.
Finally, tomorrow is Microsoft’s monthly Patch Tuesday, when it will release security updates for Windows and other company software.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.