Security News Bites for the Week Ending Oct. 12, 2018
Data Aggregator Apollo Loses Data on 200 Million
Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.
Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public. In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce. Billions of data points.
Because Apollo has tied together all kinds of data that was never tied together before, it has very complete profiles on people and their relationships. This data is all in the wild now. Source: Wired.
CA SB 327 Bans Weak Passwords on Internet of Things Devices
California is making history again. It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords. In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.
It does allow a weak password if the system forces the user to change the password before it connects online.
It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.
While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).
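The two paths the bill allows (a unique per-unit password, or forcing the owner to replace the shipped password before the device goes online) can be expressed as a first-boot gate in firmware. The following is an added example, not code from any real device or from the article; the `DeviceCreds` type, the error values, the tiny default-credential blocklist and the 12-character minimum are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Reasons the gate can refuse to bring the network up (hypothetical names).
var (
	ErrNoPassword   = errors.New("no password set")
	ErrKnownDefault = errors.New("shipped default credentials still in place")
	ErrMustChange   = errors.New("shipped password must be changed before first connection")
	ErrWeakPassword = errors.New("replacement password does not meet the minimum policy")
)

// DeviceCreds is the credential state a device would persist (assumed layout).
type DeviceCreds struct {
	Username      string
	Password      string
	FactoryUnique bool // password was generated per unit at the factory
	UserChanged   bool // owner has already replaced the shipped password
}

// Constructed blocklist of the kind of shipped combinations the bill targets.
var knownDefaults = map[string]string{
	"admin": "admin",
	"user":  "password",
	"root":  "root",
}

func isKnownDefault(user, pass string) bool {
	p, ok := knownDefaults[strings.ToLower(user)]
	return ok && strings.EqualFold(p, pass)
}

// passwordStrongEnough applies a minimal assumed policy: at least 12 characters
// containing both a letter and a digit.
func passwordStrongEnough(pass string) bool {
	if len(pass) < 12 {
		return false
	}
	var hasLetter, hasDigit bool
	for _, r := range pass {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	return hasLetter && hasDigit
}

// MayEnableNetwork returns nil only when the device may bring up its network
// services: no empty or well-known default credential, and either a per-unit
// factory password or an owner-chosen replacement that meets the policy.
func MayEnableNetwork(c DeviceCreds) error {
	switch {
	case c.Password == "":
		return ErrNoPassword
	case isKnownDefault(c.Username, c.Password):
		return ErrKnownDefault
	case !c.FactoryUnique && !c.UserChanged:
		return ErrMustChange
	case !passwordStrongEnough(c.Password):
		return ErrWeakPassword
	}
	return nil
}

func main() {
	// Constructed sample states a device might be in at first boot.
	cases := []DeviceCreds{
		{Username: "admin", Password: "admin"},
		{Username: "admin", Password: "welcome1"},
		{Username: "admin", Password: "k9Tq-Lm2-vX8p", FactoryUnique: true},
		{Username: "owner", Password: "Correct-Horse-42", UserChanged: true},
	}
	for _, c := range cases {
		if err := MayEnableNetwork(c); err != nil {
			fmt.Printf("%s: blocked (%v)\n", c.Username, err)
		} else {
			fmt.Printf("%s: network enabled\n", c.Username)
		}
	}
}
```

The ordering matters: the blocklist check runs before the "factory unique" shortcut, so a vendor cannot satisfy the gate by flagging a shared default as unique, and the strength check runs on both paths so a per-unit password that is merely short does not pass either.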
Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts. Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.
I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely. After all, if Congress could not get off its collective tushies after the Equifax breach, what might it take to get them to act? Source: The Register
Web Sites Using Symantec HTTPS Certificates Beware!
As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days. When Google rolls out version 70 of Chrome, Symantec’s SSL certificates will no longer be trusted by Google’s browser. If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted. Site owners need to replace the SSL certificate to get rid of the error message. Source: Google’s Blog.
Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates. I am not sure that this will make a difference since Chrome is the majority browser. Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid. Source: The Register.
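A site owner who wants to know whether they are affected can inspect the issuer of every certificate in their served chain. The check below is an added example written for this post, not code from Google, Mozilla or the article; it assumes the legacy Symantec brand names listed in `legacySymantecBrands` are the ones to match on, and it fabricates a throwaway self-signed certificate purely so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Brand names that issued from the legacy Symantec PKI (assumed match list).
var legacySymantecBrands = []string{"symantec", "verisign", "geotrust", "thawte", "rapidssl"}

// ChainHasLegacySymantecIssuer walks every CERTIFICATE block in a PEM chain
// and reports the first Organization (issuer or subject) that matches one of
// the legacy brands. It returns the matching organization name for reporting.
func ChainHasLegacySymantecIssuer(pemChain []byte) (bool, string, error) {
	rest := pemChain
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, "", err
		}
		// Copy before appending so the parsed certificate is not mutated.
		orgs := append([]string{}, cert.Issuer.Organization...)
		orgs = append(orgs, cert.Subject.Organization...)
		for _, org := range orgs {
			lower := strings.ToLower(org)
			for _, brand := range legacySymantecBrands {
				if strings.Contains(lower, brand) {
					return true, org, nil
				}
			}
		}
	}
	return false, "", nil
}

// selfSignedPEM builds a throwaway self-signed certificate whose issuer
// Organization is org. This is constructed test data, not a real CA cert.
func selfSignedPEM(org string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: "example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	for _, org := range []string{"Symantec Corporation", "Example Trust Services"} {
		hit, match, err := ChainHasLegacySymantecIssuer(selfSignedPEM(org))
		if err != nil {
			panic(err)
		}
		if hit {
			fmt.Printf("chain issued under %q: replace before Chrome 70\n", match)
		} else {
			fmt.Printf("chain from %q: not affected by the Symantec distrust\n", org)
		}
	}
}
```

For a live site the PEM chain would come from the web server's own configuration or from a capture of what it serves (for example the output of `openssl s_client -showcerts`); the function itself never touches the network, which is why the example can be run as-is.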
Well, I Was Wrong – U.S. Snares Chinese Spy
In last week’s news bites I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.
WELLLLLLLLLL.
A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk. The spy represented himself as an official of a Chinese university.
The GE engineer, who is not named, brought a few documents with him to China, and the spy asked whether he could bring more to a meeting in Belgium. The GE engineer baited the spy by sending him a list of document names he had put on his computer, which the spy hoped to copy to a flash drive in Belgium. It is not clear whether the GE engineer reported the spy’s approach and was cooperating with the Feds or whether the Feds were shadowing him.
However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all-expenses-paid trip to a federal penitentiary in the United States.
Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration. As long as he is not acquitted, it would be a very rare win for the Feds.
Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid. Score one for the good guys. Source: WaPo.
FitMetrix Breach – Amazon Elasticsearch Servers Leak 100 Million+ Records
One more time, an Amazon database had its permissions intentionally changed to make it visible to the public with no password: 113 million records from FitMetrix, recently purchased by Mindbody, publicly visible. The data includes name, birth date, email, emergency contact information, height, weight, phone numbers and a bunch of exercise stats. If this includes residents of the European Union, we will have another GDPR related breach.
And, one more time, it took almost a week to get someone’s attention at Mindbody. Once they did get someone’s attention the databases were quickly secured.
Source: Hacken.
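The "permissions changed to make it visible to the public" failure on an Amazon-hosted Elasticsearch domain shows up in the domain's access policy as an Allow statement whose Principal is everyone and which carries no Condition. The checker below is an added example for this post, not code from Hacken, Mindbody or AWS; it assumes the standard IAM resource-policy JSON shape with `Statement` as an array, and the sample policy, account id and CIDR in it are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement keeps only the resource-policy fields this check needs.
type Statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

// Policy assumes the array form of Statement (assumption for this example).
type Policy struct {
	Statement []Statement `json:"Statement"`
}

// principalIsAnyone recognises the two shapes that mean "everyone":
// the bare string "*" and {"AWS": "*"} (or a list containing "*").
func principalIsAnyone(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) != nil {
		return false
	}
	aws, ok := m["AWS"]
	if !ok {
		return false
	}
	if json.Unmarshal(aws, &s) == nil {
		return s == "*"
	}
	var list []string
	if json.Unmarshal(aws, &list) == nil {
		for _, p := range list {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// hasCondition treats an absent or empty Condition block as no restriction.
func hasCondition(raw json.RawMessage) bool {
	var m map[string]json.RawMessage
	return json.Unmarshal(raw, &m) == nil && len(m) > 0
}

// OpenStatements returns the indexes of Allow statements that grant access
// to anyone without any Condition narrowing the caller (e.g. by source IP).
func OpenStatements(policyJSON []byte) ([]int, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var open []int
	for i, st := range p.Statement {
		if st.Effect == "Allow" && principalIsAnyone(st.Principal) && !hasCondition(st.Condition) {
			open = append(open, i)
		}
	}
	return open, nil
}

// samplePolicy is a constructed domain access policy: statement 0 is scoped
// to a role, statement 1 is wide open, statement 2 is public but IP-limited.
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "es:ESHttp*", "Resource": "arn:aws:es:us-east-1:111122223333:domain/fitness-logs/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*",
     "Resource": "arn:aws:es:us-east-1:111122223333:domain/fitness-logs/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttpGet",
     "Resource": "arn:aws:es:us-east-1:111122223333:domain/fitness-logs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}
  ]
}`

func main() {
	open, err := OpenStatements([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	for _, i := range open {
		fmt.Printf("statement %d allows anyone on the internet with no condition\n", i)
	}
}
```

Run against the policy exported from the console or API for each domain, this turns "someone changed the permissions" into a finding that can be scheduled rather than discovered by an outside researcher a week later.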