CyberWisdom Safe Harbor Commentary on Misconfigured Databases
1. The Maryland Joint Insurance Association (MDJIA, with offices in Ellicott, Maryland) left its client file database open to the Internet. The database contains customer names, addresses, phone numbers, dates of birth and complete social security numbers, as well as check images, complete bank account numbers, insurance numbers and other financial data. MDJIA's access credentials for ISO ClaimSearch, a third-party insurance database that contains "tens of millions of reports about individual insurance claims" and is used by industry professionals, were also exposed. The cause was a NAS server with port 9000 open.
2. Octoly, the Paris-based brand marketing company, left an AWS S3 bucket open to the Internet. It contained details of the company's IT operations as well as sensitive personal information on more than 12,000 social media influencers used in its marketing efforts, including real names, addresses, phone numbers, email addresses (including addresses used with PayPal), birth dates, and thousands of hashed passwords.
Both misconfigurations were discovered by Chris Vickery, director of network risk research at UpGuard. Over the past few years, Vickery has found many misconfigurations that left sensitive, often personal, information openly accessible: for example, details of 191 million U.S. voters, nearly 1.4 billion user records held by known spammers, and sensitive military data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) exposed by contractor Booz Allen Hamilton.
Exploiting these misconfigurations requires no hacking skills at all, only a computer with Internet access. If white-hat researchers like Vickery can find them, malicious actors can find them too, with potentially catastrophic consequences. The question then arises as to why security misconfiguration, number 6 in the OWASP Top 10 list of threats, happens so often – and how organizations should prevent it.
The Maryland Joint Insurance Association provides Homeowners, Dwelling and Commercial Property coverages to individuals and businesses of the State of Maryland who are unable to obtain coverage through the voluntary insurance market. The Maryland Joint Insurance Association is established under provisions of the Annotated Code of Maryland. The Association is not a government agency or organization.
Octoly is a French company that has launched a unique platform for brands to quickly and inexpensively get their products in front of millions of eyes.
Bryce Carlen, CIO of the Washington State Department of Commerce, points out that MDJIA is a small business with only a handful of full-time IT staff. He warned that there may be many more small organizations in a similar position. "If this organization is the small organization it looks like, then none of this is a real surprise. If you only have budget for one or two IT staff or contractors, you are likely working with generalists rather than specialized security personnel or deep security expertise." He added that the problem is that small organizations do not understand the risks until a cybersecurity incident occurs, because protecting data is not part of the core business that uses the data.
The Octoly incident is similar to many other examples of exposed AWS S3 buckets. "Every time I look at the AWS Dashboard, it seems that there are new services available, each with new setup and configuration switches. This is especially tough as you keep your internal environment facing changing threats in a constantly changing work environment," Carlen said.
He fears that the cloud will only increase "security fatigue", leading to simple mistakes. "This is one of the things that scares me about the cloud, and some of these are organizations that look competent and capable of configuring cloud computing settings."
According to Randy Potts, director of information security at Real Time Resolutions, Inc., the issue remains one of "security culture" in many organizations. "Both of the incidents that took place last week happened because the people who deployed them did not think of bad actors; they only considered giving access to the people who needed it rather than blocking those who should not have it."
He believes this is a continuing tension between IT and information security. "IT is measured by uptime and capabilities, but information security is measured by controlling access to data, and from an IT perspective, information security can disrupt access and compromise capabilities." He believes IT staff need a better understanding of security: "They need to respect this; saving time by skipping extra steps may now have a serious impact."
But the problem is not just about IT and security, but about the entire enterprise culture. That is, "Everyone who deals with sensitive information has a moral obligation to the people the PII corresponds to." This includes business owners as well as IT staff and security teams.
This is a theme Graham Mann, Managing Director of Cyber Space Defense Ltd., agrees with. "Management has to bear part of the responsibility because they do not care about security at all," he said. He thinks it is an area that can be resolved by legislation – independence
Two more misconfigured databases exposing the personal details of thousands of people were disclosed late last week.
thumbnail courtesy of securityweek.com
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.