Database Security Digest – October 2018
A leading fitness software company may have exposed millions of its customers’ accounts containing personal information, due to a failure to protect its cloud database.
Researchers say they found the exposed Elasticsearch database hosted on AWS using a very simple technique. The cloud store held 119GB of data belonging to the FitMetrics company. The researchers also found a ransom note attached to the database, though the extortion attempt appears to have been unsuccessful, and the database was left there exposed and unprotected. The exposed data included name, gender, email address, birth date, home and work phone, height, weight and much more. The affected records number in the millions. The company secured the database again five days later.
Another airline, Cathay Pacific, has fallen prey to a major data breach. It has been reported that data on 9.4 million passengers may have been stolen. The airline stated that it had found traces of unauthorized access to an IT system containing a large amount of sensitive personal information, mostly belonging to its customers.
The exposed personal data includes the following: passenger name; nationality; date of birth; phone number; email; address; passport number; frequent flyer programme membership number; customer service remarks and historic travel information. The airline says that no bank card information was leaked. It is not yet known how the attack was carried out, but the company is contacting all affected passengers and providing them with information on steps they can take to protect themselves.
IT security experts warn that after one successful attack there will be further attempts to compromise the same system, and those may succeed again.
The cyber-risk team at UpGuard found an AWS S3 storage bucket exposed online. The bucket belongs to the Washington State internet provider Pocket iNet. The company left it without any access protection, so virtually anyone could see what was inside. The exposed information amounted to 73 gigabytes of downloadable data, including passwords and other sensitive material ranging from spreadsheets to pictures and diagrams. It took Pocket iNet about a week to secure the exposed data.
Internet service providers, as part of US critical infrastructure, are of special interest to hostile nation-state threat groups. An AWS misconfiguration on Pocket iNet’s side is reported to be the cause of this exposure. Unfortunately, AWS misconfiguration is not uncommon, and it does not depend on the size of the company.
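As an added example (not from this digest or from UpGuard’s tooling), here is a Python check for the configuration class behind the Pocket iNet exposure: a bucket whose policy or ACL grants access to everyone. It assumes the policy string and grant list in the shape boto3’s get_bucket_policy and get_bucket_acl return; the sample bucket data below is constructed, not Pocket iNet’s.

```python
import json

# Constructed sample data (not Pocket iNet's real configuration), in the shape
# boto3's get_bucket_policy()["Policy"] and get_bucket_acl()["Grants"] return.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
ALL_USERS_GRANT = {"Grantee": {"Type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                   "Permission": "READ"}

# Grantee groups that mean "anyone on the internet" / "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True when a policy Principal means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Allow statements whose Principal is everyone. Statements with a Condition
    are still reported: a condition may narrow the grant, but that needs review."""
    statements = json.loads(policy_json).get("Statement", [])
    if not isinstance(statements, list):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]

def public_acl_grants(grants):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def bucket_is_public(policy_json, grants):
    """Either a public policy statement or a public ACL grant exposes the bucket."""
    return bool(public_policy_statements(policy_json)) or bool(public_acl_grants(grants))
```

Run this over every bucket in an account and alert on any True result; enabling S3 Block Public Access on the account prevents both kinds of grant from taking effect.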
Security updates for databases
MS SQL Server: https://nvd.nist.gov/vuln/detail/CVE-2018-3251
Google Cloud SQL: https://nvd.nist.gov/vuln/detail/CVE-2018-1819