A security researcher claims he's found an Internet-connected "leaky database" that apparently is storing voter registration records for 191 million Americans. But after one week of working with others in an attempt to identify the owner of the exposed and insecure database and lock it down, no one has come forward to claim responsibility.
"I believe this is every registered voter in the entire country. To be very clear, this was not a hack," says the security researcher, Chris Vickery, in a Dec. 28 Reddit post. "The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all. Anyone with an Internet connection can grab all 300+ gigabytes."
Subsequently, however, he updated that post to note that the database had finally been taken down. "I'm happy to confirm that the database is now offline!" he says. "Thank you to whoever finally took it down!"
News of the exposed data was first reported by CSO as well as the blog DataBreaches.net, which reports that the information appears to be current as of March 2014.
Vickery says the leaked information includes first, middle and last names; home and mailing addresses; phone numbers; dates of birth; political party affiliation; and a record of whether or not individuals voted in primary or general elections, dating from 2000. "I looked myself up in the Texas table. It's accurate. It is not known whether or not 'high risk professionals' are included in this database," he says. "However, I have looked up several police officers in my city, and their data is indeed present. I've been working with journalists and authorities for over a week to get this database shut down or secured. No luck so far."
DataBreaches.net reports that accurate information for a police officer - referred to as "Sam" to protect his privacy - is also in the database. That's a concern, because Sam doesn't have a publicly listed phone number or address to help protect both him and his family. "Oh man. ... I deal with criminals every day who know my name," he tells the blog. "The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable. I'm also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business."
Vickery couldn't be immediately reached for comment. But Vickery tells CSO that after finding his own information in the voter database: "My immediate reaction was disbelief. ... How could someone with 191 million such records be so careless?"
DataBreaches.net, CSO and Vickery all report that after seven days of related queries to organizations that might be responsible for amassing and selling this type of voter information, they have been unable to identify the owner of the misconfigured database. They have also now alerted the California Attorney General's office, the FBI's New York field office and the Internet Crime Complaint Center - a multi-agency task force run by the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance - about the exposed information.
The FBI declined to comment. Likewise, California Attorney General spokeswoman Kristin Ford tells Information Security Media Group: "I can't comment on a potential or ongoing investigation, or even confirm or deny an investigation, in order to protect the integrity of any investigation."
Vickery's research shows that if he can find this type of unsecured data on the Internet, then theoretically others could have already done the same.
Any leak of genuine voter registration information could lead to repercussions for the organization or individual that lost control of the data. Related state laws vary. But according to the NationBuilder community organizing system owned by CDNA Corp., the state of California mandates that its residents' voting information "may not be made available to persons outside of the U.S.," while South Dakota stipulates that its residents' voter registration information "may not be placed on [the] Internet for unrestricted access."
In a Dec. 28 statement, NationBuilder CEO Jim Gilliam denied reports that the database found by Vickery belonged to his firm. "While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns," he said. "From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database."
"Someone really screwed up their handling of this data," says Australian data security expert Troy Hunt, who runs "Have I Been Pwned?" - a free service that alerts people when their email addresses show up in public data dumps - in a blog post. "This is inexcusably poor management of a huge volume of sensitive data. I hope that as the authorities get involved (and they will get involved), they manage to track down how such an horrendous oversight occurred."
Vickery, who's based in Austin, Texas, has described himself as an IT help desk employee by day and an amateur security researcher by night. He's been scanning the Internet for signs of insecure databases, then sharing those findings.
In September, for example, he found that Larkspur, Calif.-based Systema Software, which develops Web-based claims management software that's used in part for logging workers' injury claims, was insecurely storing information for at least 1.5 million people.
On Dec. 14, Vickery warned that by using the search engine Shodan - designed to find specific types of Internet-connected devices and configurations - he located a misconfigured MongoDB database containing 13 million sensitive customer records for a controversial application called MacKeeper. In response to those warnings, MacKeeper's developer, Kromtech Alliance, reported that it contacted Vickery and rectified the error he'd found "within hours of the discovery" (see MacKeeper: 13M Customers' Details Exposed).
On Dec. 17, Vickery claimed he found a misconfigured database owned by Alliance Health in Salt Lake City, which helps those with chronic conditions to manage those conditions. The company says its 29 communities - covering conditions that range from asthma and diabetes to Crohn's disease and HIV - have more than 1.5 million members. And Vickery says that one of the files he found appeared to contain protected health information, with a total of 1.6 million records.
In a statement posted to the Alliance Health website, the company confirms that "a database containing Alliance Health customer records was misconfigured making it possible for some customer information to be accessible via the Internet using specialized data access tools." The company reports that after learning of the information exposure, it "immediately secured the database and began a thorough investigation," and that it plans to notify affected individuals and relevant government agencies once it understands the full extent of the breach.
On Dec. 19, Vickery claimed he found another unsecured MongoDB database containing information on 3.3 million fans of Hello Kitty and other characters owned by Japanese company Sanrio, including information on 186,000 minors. The information was contained in a database associated with the company's sanriotown.com online community. Sanrio reported that after conducting a digital forensic investigation of the apparently exposed database - as well as two other Internet-connected and likewise unsecured backup servers - it found that Vickery was the only outsider to have accessed the data.
But Hunt says that Vickery may soon find himself having to answer some pointed questions from authorities relating to his "research" activities in relation to the U.S. voter records. "Opening an unlocked door and stealing the contents behind it is still breaking and entering," Hunt says. "That may well lead to having to answer some very uncomfortable questions in the not-too-distant future."
Crypto Backdoor Leaves Banks, Businesses, Government Agencies at Risk

Devices sold by Juniper Networks are being actively targeted by attackers using a hardcoded password in the technology giant's ScreenOS firmware that researchers publicly revealed on Dec. 20 (see Who Backdoored Juniper's Code?).
The attacks follow Juniper first warning Dec. 17 that it had discovered "unauthorized code" that introduced two vulnerabilities into ScreenOS - a crypto flaw dating from 2012, and a hardcoded password dating from 2013. The firmware is used to run Juniper devices designed to provide firewalls and virtual private networks. And the vulnerabilities - patched Dec. 17 by Juniper - are a concern because numerous industries, including government agencies and the financial services sector, rely on Juniper devices for network defense.
Security experts recommend that any organization that uses affected Juniper devices drop everything and patch the vulnerable devices immediately. "The 'backdoor' password is now known, and exploitation is trivial at this point," says Johannes Ullrich, dean of research for the SANS Institute, in a blog post. "Addressing this issue today is critical."
Attackers are already gunning for the hardcoded password. "We do continue to see an increasing trend in login attempts to our [SSH] honeypot using the backdoor password," Ullrich says. "We do not know what the attackers are up to, but some of the attacks appear to be 'manual' in that we do see the attacker trying different commands."
Juniper first warned Dec. 17 that an internal code review discovered "unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices" via SSH or telnet. The vulnerability has been designated as CVE-2015-7755. And Juniper also warned that a separate flaw - CVE-2015-7756, which predates the first - could potentially "allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic."
The backdoor-password flaw is straightforward: it can be used to give attackers access to vulnerable devices. But security experts and cryptographers are still attempting to unravel the implications of the VPN flaw, which Ralf-Philipp Weinmann, a research associate at the Interdisciplinary Center for Security, Reliability and Trust at the University of Luxembourg, says appears to have been the basis for a "backdoored backdoor."
By that, he means that one attacker appears to have added the VPN crypto vulnerability in the firmware. Subsequently, the hardcoded password appeared in the firmware, and could have been added by the same attack group, or a different one. In the latter - hypothetical - scenario, for example, the NSA could have added the VPN vulnerability, and a Russian intelligence agency might have added the backdoor password to make it easier to exploit the VPN flaw.
Ullrich says it's not yet clear whether the VPN vulnerability must be exploited in real time, or if attackers could simply intercept and store the traffic - perhaps in the victim's own network - and decrypt it at a future date. "The reason that makes a difference is that an attacker may already have recorded traffic out of your network, that they exfiltrated years ago. They could now go back and decrypt that traffic," he says.
The Juniper software flaws could allow attackers to decrypt previously intercepted communications, warns Johannes Ullrich from the SANS Institute.
Analyzing the ScreenOS firmware, multiple cryptographers report that one problem with the VPN technology is that Juniper has been employing the random-number generator called Dual-EC. And they have been at a loss to explain why, since many security experts believe that the U.S. National Security Agency designed Dual-EC so that it could provide the agency with backdoor access, by generating numbers that weren't random enough.
"Pretty much every cryptographic system depends on a secure random number generator," Johns Hopkins University cryptographer Matthew Green says in a blog post. "These algorithms produce the unpredictable random bits that are consumed by cryptographic protocols. The key word in this description is unpredictable: if an attacker can predict the output of your RNG, then virtually everything you build on it will end up broken." That includes VPNs, which are designed to encrypt communications from one side of a VPN connection to another, for example between banks or government agencies.
"If an attacker can predict the output of the [pseudo random-number generator] then they can know the keys that one or both sides of a VPN connection will choose, and decrypt it," says Adam Langley, a Google senior staff software engineer, in a blog post.
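The point Green and Langley make above (a predictable RNG hands a passive observer the session key), as an added toy model that is not code from the article, from Juniper or from the cryptographers quoted. It assumes a Diffie-Hellman peer that draws a public nonce and then its secret exponent from the same generator; the LCG, the nonce-then-key ordering and the small prime are constructed for illustration and say nothing about how ScreenOS itself works.

```python
"""Toy model: a key exchange is only as secret as the random numbers behind it.

Constructed example. A peer whose RNG leaks its internal state through one
public output (the nonce) gives a passive observer its private exponent;
the same exchange backed by the OS CSPRNG does not.
"""
import secrets

P = 2**61 - 1   # toy prime modulus (real DH groups are far larger)
G = 3           # toy generator


class PredictablePRNG:
    """LCG whose output IS its state: one observed output reveals everything
    that follows. Stands in for a generator with a known backdoor."""
    A, C, M = 6364136223846793005, 1442695040888963407, 2**64

    def __init__(self, seed):
        self.state = seed % self.M

    def next(self):
        self.state = (self.A * self.state + self.C) % self.M
        return self.state


class StrongPRNG:
    """OS CSPRNG: outputs do not reveal internal state."""
    def next(self):
        return secrets.randbits(64)


def vpn_peer_handshake(rng):
    """One side of a toy exchange: a nonce sent in the clear is drawn first,
    then the secret exponent, from the same RNG (an assumed ordering)."""
    nonce = rng.next()
    priv = rng.next() % (P - 1) or 1   # avoid a zero exponent
    pub = pow(G, priv, P)
    return nonce, pub, priv


def predict_private_key(observed_nonce):
    """Passive observer who knows the weak generator: resume it from the
    observed nonce and read off the next output, i.e. the private exponent."""
    replay = PredictablePRNG(0)
    replay.state = observed_nonce
    return replay.next() % (P - 1) or 1


def run_exchange(rng_a, rng_b):
    """Two peers with their own RNGs agree on a shared secret. The observer
    sees only A's nonce and B's public value. Returns (real, guessed)."""
    a_nonce, a_pub, a_priv = vpn_peer_handshake(rng_a)
    _b_nonce, b_pub, b_priv = vpn_peer_handshake(rng_b)
    shared = pow(b_pub, a_priv, P)
    assert shared == pow(a_pub, b_priv, P)   # both peers agree
    guess = pow(b_pub, predict_private_key(a_nonce), P)
    return shared, guess


if __name__ == "__main__":
    real, guessed = run_exchange(PredictablePRNG(12345), PredictablePRNG(999))
    print("weak RNG, observer recovers secret:", real == guessed)
    real, guessed = run_exchange(StrongPRNG(), StrongPRNG())
    print("CSPRNG, observer recovers secret:  ", real == guessed)
```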
Many security experts have noted that they have seen no evidence yet that documents who might have added the backdoors to Juniper's code. The NSA is an obvious potential culprit. Then again, anyone might have hacked into a Juniper developer's workstation and added code commits to the source code repository without their knowledge.
But many security experts do suspect that one or more intelligence agencies were involved. "The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the U.S., the Chinese, or the Israelis," Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, tells Wired.
While it's no smoking gun, the Intercept on Dec. 23 published a document - labeled "top secret" and dated February 2011 - revealing that Britain's GCHQ intelligence agency "has exploit capabilities against" 13 different Juniper NetScreen firewalls. GCHQ is Britain's sister agency to the NSA. Given that Juniper is a U.S.-based company, "any GCHQ efforts to exploit Juniper must begin with close coordination with NSA," the document warns, although it details no related plans. It also advocates undertaking "an effort to ensure exploitation capability" against future Juniper devices and firmware versions.
The Intercept says the document was written by an NSA analyst who was working with a GCHQ team, and provided to it by NSA whistleblower Edward Snowden. GCHQ declined to comment on the story, while the NSA did not immediately respond to a request for comment.
The document apparently shows that GCHQ was interested in exploiting targets' Juniper firewalls and VPNs. But cryptographer Matt Blaze, director of the Distributed Systems Lab at the University of Pennsylvania, says the documented capabilities do not appear to relate to the ScreenOS backdoor that first appeared in the August 2012 release of Juniper's ScreenOS firmware. "My guess from reading this is that the capabilities discussed here involved exploiting bugs and maybe supply chain attacks, rather than this [recently discovered] backdoor," he tells the Intercept.
One upside to the Juniper flaws is that they show why attempting to add backdoors to products can weaken security for everyone, says the operational security expert known as The Grugq.
Shout out to the unknown threat actor that demonstrated the problem with backdoors. You're the real hero!
Green from Johns Hopkins says he hopes that message doesn't get lost on policymakers. "For the past several months I've been running around with various groups of technologists, doing everything I can to convince important people that ... the sky will fall if they act on some of the very bad, terrible ideas that are currently bouncing around Washington - namely, that our encryption systems should come equipped with 'backdoors' intended to allow law enforcement and national security agencies to access our communications," he says.
.@stewartbaker Backdoors are a beautiful target for attackers because they do most of the attacker's work for them. It will happen again.
The Juniper vulnerabilities have now demonstrated exactly how encryption backdoors could be subverted by people with malicious intent. "A backdoor intended for law enforcement could somehow become a backdoor for people who we don't trust to read our messages," he says. "Normally when we talk about this, we're concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that."
Asst. U.S. Attorney Camelia Lopez on Getting Federal Agencies Involved

Organizations that discover they're victims of business email compromise exploits should immediately contact law enforcement officials to report the attacks, says Camelia Lopez, a federal prosecutor for the Eastern District of Texas.
Business email compromise exploits use well-thought-out socially engineered scams that con unsuspecting accounting staff members at businesses into scheduling fraudulent wire transfers. Lopez urges organizations to overcome their embarrassment and report the exploit.
"[T]he earlier you contact law enforcement the better ... the earlier we know about it, the earlier agents can ... identify where the vulnerabilities are, take a look at the systems and help you identify what happens. Sooner is better. More communication is better," Lopez says.
In a video interview at the recent Information Security Media Group 2015 Fraud Data Breach Prevention and Response Summit Dallas, Lopez explains that the FBI, Secret Service and other agencies can help organizations to analyze the compromise, paving the way for quicker indictment and prosecution of the perpetrators.
"The response time can be very quick especially if the entity already has an established relationship with an agent. ... They can have somebody at their offices responding within hours," Lopez says.
In this interview, Lopez also discusses:
The top trends in data breach investigations;
The importance of having a data breach response plan in place before an attack; and
The ways in which law enforcement agencies can partner with agencies overseas to apprehend wrongdoers.

A federal prosecutor based in Plano, Texas, Lopez prosecutes fraud-related cases, including mail and wire fraud, data breaches and money laundering. She also is the district coordinator for the Computer Hacking and Intellectual Property program. Before joining the U.S. Attorney's office in 2009, she worked as an assistant district attorney in Dallas County, where she focused on white collar crime, including identity theft and online fraud.
Prosecutors Sought Prison Time for Theft of 730K Customers' Data

The former Morgan Stanley financial adviser who in September pleaded guilty to stealing confidential customer information and saving it on his home server will not serve time in prison.
On Dec. 22, Galen Marsh was sentenced to three years' probation and ordered to pay $600,000 in restitution. Marsh was also ordered to forfeit certain computer hardware that he used to export and store sensitive and confidential customer information, according to a statement from the U.S. Attorney's Office for the Southern District of New York.
Prosecutors had sought a sentence of more than three years in prison, according to Reuters.
Between June 2011 and December 2014, Marsh, who worked in Morgan Stanley's private wealth management division, conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded information about 730,000 of those clients to a server at his home in New Jersey, according to court records. In January, after Morgan Stanley found that data about some 900 of its clients had briefly been posted online, Marsh was fired.
The financial services firm has said that it is not aware of any clients who have been impacted by fraud or have lost money because of the breach.
Marsh later admitted in court that he illegally accessed accountholders' names, addresses and other personal information, along with investment values and earnings. But he said he never posted anything online. A computer forensics investigation into the data theft later confirmed that Marsh's home network and server had been hacked, court records note.
"The government confirms that Mr. Marsh's home server, on which Mr. Marsh had saved the client data, had been compromised between Oct. 6, 2014, and Oct. 31, 2014, only a few weeks before the client data appeared on the Internet," a Dec. 1 sentencing memorandum filed by Marsh's attorney states. "It is probable that the client data was extracted from Mr. Marsh's home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online."
Prosecutors say that Marsh accessed the information to use it for his personal advantage. They say he was engaged in discussions regarding potential employment with two other financial institutions that compete with Morgan Stanley. Marsh had contended he accessed the information to analyze how other advisers managed clients' money so he could do a better job, court records state.
In announcing the sentence that did not include prison time, U.S. District Judge Kevin Duffy warned Marsh "to expect the roof to fall in" if he violates any terms of the probation, Bloomberg reports. "I will hit you with everything possible," Judge Duffy said, according to Bloomberg. "I'll make sure you spend your time in one of the worst places I can find."
Financial fraud expert Avivah Litan says the sentencing seems fair, although the exposure of sensitive customer data will have long-lasting effects.
"We need a method to quantify the potential damage so we can take the guesswork out of it," she says. "Hopefully the laws will keep up with the crimes in this new cyber-era."
Penalties need to be in line with the potential damage these data breaches cause, she adds.
Attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says data theft by disgruntled employees is on the rise, highlighting the need for more stringent cybersecurity and internal auditing controls (see Insider Lessons from Morgan Stanley Breach).
"Courts and prosecutors are trying to keep pace with whether this is unauthorized access under CFAA [Computer Fraud and Abuse Act] or an issue of internal policy violation," Pierson says. "No matter which, the act of taking what is not yours is a wrong that is further blurred in the access-anywhere-on-any-device environment of the current technology state. Companies try to implement controls to identify when these acts occur, but due to the expanse of data storage options and locations, it is a constantly evolving challenge. Technology and controls can do little when internal moral compasses go awry."