Security news for the Week Ending May 24, 2019
Salesforce Gives Users Access To All of Your Company’s Data
In what can only be called an Oops, Salesforce deployed a script last Friday that gave users of certain parts of Salesforce access to all of the data that a company had on the system. The good news is that it didn’t show you anyone else’s data, but it did give users both read and write access to all of their company’s data.
In order to fix it, Salesforce took down large parts of its environment, causing some companies that depend on Salesforce to shut down and send employees home.
This brings up the issue of disaster recovery and business continuity. Just because it is in the cloud does not mean that you won’t have a disaster. It is not clear if replicating your Salesforce app to another data center would have kept these companies working. Source: ZDNet.
Google Tracks Your Online Purchases Through Gmail
While this is probably not going to come as a surprise, Google scans your emails to find receipts from online purchases and stores them in your Google purchase history at https://myaccount.google.com/purchases. This is true whether you use Google Pay or not. One user reported that Google tracked their Domino’s Pizza and 1-800-Flowers purchases, as well as Amazon, among other stores.
You can delete this history if you have masochistic tendencies, but I doubt anyone is going to do that because it requires you to delete, one by one, the underlying emails that populated the purchase history. There is also no way to turn this “Feature” off.
It appears that it keeps this data forever.
Google said they are not using this data to serve ads, but they did not respond to the question of whether they use it for other purposes. Source: Bleeping Computer.
President Trump Building An Email List to Bypass Social Media
Welcome to the world of big data. The Prez has created a survey for people to submit information about how they have been wronged by social media, and to get you subscribed to his email list. Nothing illegal. Nothing nefarious. Just a big data grab.
If you read the user agreement, it says you “grant the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content. (NOTE: That “content” includes your email address and phone number). The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media.”
This seems to be hosted on the Whitehouse.Gov servers. It is not clear who will have access to this data or for what purpose. Source: Vice.
Colorado Governor Declares Statewide Emergency After Ransomware Attack
Last year the Colorado Department of Transportation suffered a ransomware attack. Initially the state thought it was getting a handle on the attack, but ten days later it came back.
It was the first time any state had issued a Statewide Emergency for a cyberattack. Ever! Anywhere!
The effect was that the state was able to mobilize the National Guard, call in resources from other departments, activate the state Department of Homeland Security and Emergency Management and get help from the FBI and the US Department of Homeland Security. It also allowed them to call for “Mutual Aid”, the process where neighboring jurisdictions – in this case neighboring states – provided assistance.
It worked, and since then other states have begun to do this.
When you have a disaster, even a cyber disaster, you need a lot of resources, and an emergency declaration is one way to get them. Source: StateScoop.
Latest Breach – 885 Million Records
First American Financial, one of the largest title insurance companies, exposed 885 million records going back to 2003 due to a software design flaw. The exposed data includes all kinds of sensitive records associated with real estate closings. Source: Krebs on Security.