By Uzair Amir The ransomware attack disrupted the screens for two days. In a nasty ransomware attack, flight information screens at the United Kingdom's Bristol airport were taken over and hijacked by malicious hackers on September 15th Friday morning. The ransomware attack forced the airport staff to go manual by using whiteboards and hand-written information to assist passengers regarding their […] This is a post from HackRead.com Read the original post: Hackers disrupt UK's Bristol Airport flight info screens after ransomware attack
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Indianapolis-based GovPayNet, doing business online as GovPayNow.com, serves approximately 2,300 government agencies in 35 states. GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.
On Friday, Sept. 14, KrebsOnSecurity alerted GovPayNet that its site was exposing at least 14 million customer receipts dating back to 2012. Two days later, the company said it had addressed “a potential issue.”
“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” the company said in a statement provided to KrebsOnSecurity.
The statement continues:
“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”
In January 2018, GovPayNet was acquired by Securus Technologies, a Carrollton, Texas-based company that provides telecommunications services to prisons and helps law enforcement personnel keep tabs on mobile devices used by former inmates.
Although its name may suggest otherwise, Securus does not have a great track record in securing data. In May 2018, the New York Times broke the news that Securus’ service for tracking the cell phones of convicted felons was being abused by law enforcement agencies to track the real-time location of mobile devices used by people who had only been suspected of committing a crime. The story observed that authorities could use the service to track the real-time location of nearly any mobile phone in North America.
Just weeks later, Motherboard reported that hackers had broken into Securus’ systems and stolen the online credentials for multiple law enforcement officials who used the company’s systems to track the location of suspects via their mobile phone number.
A story here on May 22 illustrated how Securus’ site appeared to allow anyone to reset the password of an authorized Securus user simply by guessing the answer to one of three pre-selected “security questions,” including “what is your pet name,” “what is your favorite color,” and “what town were you born in”. Much like GovPayNet, the Securus Web site seemed to have been erected sometime in the aughts and left to age ungracefully for years.
Data exposures like these are some of the most common but easily preventable forms of information leaks online. In this case, it was trivial to enumerate how many records were exposed because each record was sequential.
E-commerce sites can mitigate such leaks by using something other than easily-guessed or sequential record numbers, and/or encrypting unique portions of the URL displayed to customers upon payment.
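The mitigation described above, sketched as an added example (it is not code from the article or from GovPayNet): a receipt lookup that trusts a sequential number in the URL, next to one that requires an unguessable reference and checks the logged-in owner. All names and the sample records are hypothetical, and an HMAC tag stands in for the "encrypting unique portions of the URL" option.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: receipts keyed by a sequential record number.
RECEIPTS = {
    1001: {"payer": "alice", "amount": "75.00", "last4": "4242"},
    1002: {"payer": "bob", "amount": "120.00", "last4": "1881"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def get_receipt_weak(record_id):
    """Pattern described in the article: the URL number alone selects the record."""
    return RECEIPTS.get(record_id)


def make_receipt_ref(record_id, payer):
    """Build the opaque reference placed in the receipt URL.

    The MAC binds the record number to the payer, so changing digits
    invalidates the reference instead of selecting a neighbouring record.
    """
    msg = f"{record_id}:{payer}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{record_id}.{tag}"


def get_receipt_hardened(ref, session_user):
    """Return the receipt only for a valid reference AND the owning user."""
    try:
        id_part, tag = ref.split(".", 1)
        record_id = int(id_part)
    except ValueError:
        return None  # malformed reference
    receipt = RECEIPTS.get(record_id)
    if receipt is None:
        return None
    expected = make_receipt_ref(record_id, receipt["payer"]).split(".", 1)[1]
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # tampered or guessed reference
    if receipt["payer"] != session_user:
        return None  # valid link, but not this user's receipt
    return receipt
```

The ownership check is the control that matters; the unguessable reference only removes the ability to count or walk records when a link leaks.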
Although fixing these information disclosure vulnerabilities is quite simple, it’s remarkable how many organizations that should know better don’t invest the resources needed to find and fix them. In August, KrebsOnSecurity disclosed a similar flaw at work across hundreds of small bank Web sites run by Fiserv, a major provider of technology services to financial institutions.
In July, identity theft protection service LifeLock fixed an information disclosure flaw that needlessly exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness that exposed millions of customer names, email and physical addresses, birthdays and partial credit card numbers.
Got a tip about a security vulnerability similar to those detailed above, or perhaps something more serious? Please drop me a note at krebsonsecurity @ gmail.com.
By Carolina Another day, another trove of medical records leaked online, thanks to a misconfigured AWS S3 bucket. Medical records are considered to be sensitive documents and when a malicious third party has access to them it is bad news as these records can be used for fraud, blackmailing and marketing purposes against patients' will. However, […] This is a post from HackRead.com Read the original post: Medical records & patient-doctor recordings of thousands of people exposed
By Waqas Security researchers at Palo Alto Networks’ Unit 42 have discovered modified versions of the notorious Mirai and Gafgyt Internet of Things (IoT) malware. The malware has the capability of targeting flaws that affect Apache Struts and SonicWall Global Management System (GMS). Moreover, the Unit 42 researchers also discovered new versions of Mirai and Gafgyt (aka BASHLITE) […] This is a post from HackRead.com Read the original post: Apache Struts & SonicWall’s GMS exploits key targets of Mirai & Gafgyt IoT malware
By Waqas There is good news for pro-anonymity web users who rely upon the Tor browser for using the internet. The first ever mobile browser app for the Tor browser has been released by the Tor Project, the organization behind the Tor network. The mobile version of the Tor browser is available for download at the Google […] This is a post from HackRead.com Read the original post: Official mobile version of Tor Browser released for Android – Download now
By Uzair Amir The town of Midland, Ontario, Canada, has decided to pay cybercriminals after its servers were targeted and infected with a nasty ransomware on Saturday, September 1, at approximately 2 a.m. The total amount of ransom payment has not been disclosed but the demand from cybercriminals was that they must be paid in Bitcoin if the town wants […] This is a post from HackRead.com Read the original post: Canadian town forced to pay Bitcoin after nasty ransomware attack
By Waqas Data management software companies are mandatorily believed to be perfectly capable of managing their own data. However, it turns out that some companies, the most popular ones too, struggle to do so. The well-known cloud data management firm Veeam has been in the news lately for grave mismanagement of its customer data, something the […] This is a post from HackRead.com Read the original post: Cloud data management firm exposes database with over 440M emails & IP addresses
By Uzair Amir A Russian national namely Peter Yuryeich Levashov has pleaded guilty to operating the Kelihos botnet, which was used to launch a huge spamming and credential stealing campaign across the globe. Levashov, a 38-year old resident of St. Petersburg, Russia, was presented before a Connecticut US District Court and admitted to being involved in a large […] This is a post from HackRead.com Read the original post: Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet
By Waqas Adware Doctor and Trend Micro Apps have been kicked out by Apple. Apple Inc. has always propagated its products as designed with most advanced security and privacy practices. The company has also promoted itself as the only firm that prioritizes and safeguards user privacy. The iOS and Mac App Stores are referred to as the […] This is a post from HackRead.com Read the original post: Apple removes top anti-malware apps from its store for “stealing data”