Thought leadership. threat analysis, news and alerts.
How to Prevent Accidental Database Leaks
Florida-based marketing and data aggregation firm Exactis is the latest organization that accidentally leaked critical database online.
Security researcher Vinny Troia disclosed to Wiredthat early this month, Exactis exposed nearly 340 million records, 230 million of which pertain to U.S. consumers, while 110 million on business contacts.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
The close to 2 terabytes of data exposed by Exactis didn’t contain credit card information or Social Security numbers. It, however, revealed highly personal information, including phone numbers, home addresses, email addresses, religion, age, gender of the person's children, and interests like plus-size apparel and scuba diving.
Wired confirmed the authenticity of the data exposed by Exactis, commenting that in some cases the information is inaccurate or outdated.
Prior to his disclosure to Wired, Troia said he contacted both Exactis and the FBI about his discovery. He said Exactis has since protected the data so that it's no longer accessible to the public.
The number of data unintentionally exposed by Exactis exceeds that of the 2017's Equifax breach of nearly 148 million consumer’s data. The difference though is that in the case of Exactis, victims aren’t even aware that they’re part of the company’s database.
Past Incidents of Accidental Database Leaks
While the Exactis data may have been the largest accidental database leak, in the past few years, reports about accidental database leaks have come up again and again.
Another security researcher Chris Vickery discovered a number of accidental database leaks. In December 2015, Vickery discovered that the database that housed 3.3 million Hello Kittyaccounts was exposed as a result of a misconfigured MongoDB (a free and open-source cross-platform document-oriented database program) installation.
In April 2016, Vickery discovered that voter registration details of 93.4 million Mexican citizenswere exposed via publicly accessible database hosted on an Amazon cloud server.
In January 2017, Vickery also discovered that an Ontario-based plastic surgery clinicleaked thousands of customer’s medical records online via unprotected remote synchronization (rsync), a service which allows synchronization of files between two computers or servers over the internet.
In October 2017, Redlockresearchers reported that attackers infiltrated the Kubernotes (open-source platform designed by Google to automate deploying, scaling and operating application containers) console of Aviva, a British multinational insurance company, after the company failed to secure it with a password. One of Aviva’s Kubernetes pod contained credentials to the company’s Amazon Web Service Inc. account. According to Redlock, this enabled the attackers to steal the cloud compute resources of Aviva for cryptocurrency mining, in particular, mining the cryptocurrency Bitcoin.
In February 2018, Redlockresearchers reported that attackers similarly infiltrated the Kubernotes console of Tesla after the company failed to secure it with a password. One of Tesla’s Kubernetes pod contained credentials to Telsa’s Amazon Web Service Inc. account. Redlock said this enabled the attackers to steal the cloud compute resources of Tesla to mine the cryptocurrency Monero quietly in the background.
Accidental Leaks Discovery
According to Troia, he discovered the exposed Exactis’ database by simply using Shodan, an alternative search engine used by researchers and security professionals. Troia said he used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses.
This search query resulted in about 7,000 results, Exactis database being one of them, unprotected by any firewall. ElasticSearch is a document-oriented database that's designed to be easily searched over the internet.
For his part, Vickery told ZDNet that he finds accidental database leaks via Shodan as well. There’s, however, no stopping for malicious hackers to use tools like Shodan to discover accidental database leaks. It’s a challenge then for ethical hackers like Troia and Vickery to discover and report to the concerned organizations regarding accidental database leaks before malicious hackers do.
"I’m not the first person to think of scraping ElasticSearch servers," Troia said in the case of Exactis’ accidental data leak. "I’d be surprised if someone else didn't already have this."
Data Leak Prevention
Here are some of the security best practices in preventing accidental database leaks:
1. Monitor Firewall Traffic
A firewall is your first line of defense in preventing accidental database leaks.
A firewall, which can be a hardware, software or both, monitors incoming and outgoing network traffic. It decides based on a defined set of security rules whether to allow or block specific traffic. For instance, a firewall can be configured to block data from certain locations or applications while allowing relevant data in.
RedLock reported that while firewall is one of the industry’s best practices, “85% of resources were found to have no firewall restrictions on any outbound traffic”.
While firewall is a good first line of defense, it can’t be the cure-all remedy in preventing accidental database leaks.
2. Monitor Configurations
Proper configuration is critical in preventing accidental database leaks. Configuration refers to the “Settings” menu in any software. A simple configuration monitoring could have prevented the Tesla breach.
3. Monitor Suspicious User Behavior
As shown by the above-mentioned examples, it’s not uncommon to find accidental database leaks in public cloud environments. Your organization needs to detect accidental database leaks as soon as possible before the bad guys do.
Monitoring has to go beyond geo-location or time-based anomalies but also monitoring event-based anomalies such as unusual volume of traffic or unusual volume of downloaded data.
When you team needs help, our team of experts is a phone call away. Contact ustoday and stay safe!
DDoS Attacks: Dangers and Ways to Protect your Network
DDoS (Distributed Denial of Service) attacks continue to make headlines. In the past week, one such act caused severe traffic issuesduring a key political debate in Mexico, affecting a website opposing presidential candidate Andres Manuel Lopez Obrador.
Elections are set to take place on 1 July, and the target domain has been openly critical of his policies. During the attack, 185,000 visits took place in just 15 minutes; the majority originated in China and Russia.
This was a blatant attempt to crash the site, and the culprits have yet to be identified. Doing so can be incredibly difficult, as the traffic originates from compromised systems that disrupt sites involuntarily.
This isn’t the first time DDoS attacks have disrupted political websites, and countries are taking action to defend themselves. The US Election Assistance Commission has dedicated over $380m in funding for cybersecurity.
DDoS attacks defined
As discussed above, DDoS attacks involve flooding the target website with traffic from numerous origin points, possibly numbering in the thousands. As a result, stopping the DDoS attack in its tracks is basically impossible; there’s no single IP address causing the issue, and blocking all traffic will be restricting access for legitimate visitors.
They’re different to DoS attacks, which involve just a single computer and IP address working in conjunction to flood a vulnerable system.
There are a few common types of DDoS attack, including traffic-based ones.
Bandwidth attacks are another danger, which overload the system with overwhelming loads of ‘junk’ data, disrupting network bandwidth. This can cause a total denial of service.
Application DDoS attacks use data messages to reduce the application layer’s resources and make the system unable to function as it should.
When a website is unable to provide its customers or members with the services they expect, it can damage their reputation and disrupt their revenue. There’s a risk to security too, with consumers left wondering how safe their personal data may be.
This is a major concern for today’s more tech-savvy users, who are much more aware of the dangers lax security measures and cyber-attacks pose.
Taking action against DDoS attacks
How can you protect your network against DDoS attacks and ensure your business or organization is prepared to handle one if the worst happens?
Minimize the potential
Minimizing the surface area that would be vulnerable to attacks is key, as it essentially reduces the number of options available to would-be DDoS attacks.
To do this, consider guarding resources with Load Balancers or Content Distribution Networks. You can also place restrictions on traffic reaching vital parts of your system, such as your database servers, for further protection.
Create a plan of action
You need a plan for every major cybersecurity risk threatening your business and customers. With a DDoS plan, the key aspect is determining how you will keep delivering services if an attack manages to disrupt your system.
You should make sure everyone within your company is made aware of what a DDoS attack is, how it may manifest, and how their work would be affected.
The aim is to make sure your company as a whole would essentially be able to roll with the proverbial punches, to minimize the disruption and get back on track as soon as possible.
Get to know the signs
It’s best to learn the warning signs of an impending DDoS attack. While high-volume situations are common and can be damaging, low-volume ones may be triggered by troublemakers as a test of your network’s capabilities. These attacks allow cybercriminals / hackers to identify potential holes within your security.
Pay attention to your average traffic patterns. This may help you spot significant changes in geographic sources and volumes, enabling you to take preventative action before the attack is fully underway.
Capture the packet
When you start to notice a DDoS attack is in effect, you should try to spot the key characteristics in order to take action against it. DDoS attacks typically rely on forceful traffic volumes your system simply can’t handle, and while it may be impossible to sort the ‘good’ traffic from the ‘bad’, you can identify telltale similarities between sources.
Run a fast packet capture of the attack, and you should be able to find similarities fairly easily as the majority of traffic hitting your website will be part of the attack. Giveaway details might reveal themselves in the user agent or URI, but once you find a pattern you’ll be able to initiate a block via router ACL or firewall.
Routers and firewalls can stop specific IP addresses and filter unnecessary protocols, but they’re not a complete defense against high-volume attacks. Firewalls in particular should not be depended on to keep your entire network safe.
Again, having a plan in place and being prepared to shift gears is critical to minimize the disruption as much as possible.
DDoS attacks are, sadly, not going to go away any time soon. Your business or organization has to take steps necessary to stay as protected as possible and put a contingency plan in place to stop your infrastructure collapsing if an attack takes place.
Working with cybersecurity specialists and running a vulnerability assessment of your network can help you prepare. Want to know more about the options available to you?
Give our expert team a call!
What is Remote Code Execution Attack & How to Prevent this Type of Cyberattack
Microsoft recently rolled out its latest security update, fixing 50 security vulnerabilities. Out of the 50 security vulnerabilities fixed by Microsoft in its June 12thsecurity update, 14 security vulnerabilities allow remote code execution.
What is Remote Code Execution?
Remote code execution (RCE) refers to the ability of a cyberattacker to access and make changes to a computer owned by another, without authority and regardless of where the computer is geographically located.
RCE allows an attacker to take over a computer or a server by running arbitrary malicious software (malware). "RCE (remote code execution) vulnerabilities are one of the most dangerous of its kind as attackers may execute malicious code in the vulnerable server," Impervasaid.
Remote Code Execution Example #1: Microsoft Excel Remote Code Execution Vulnerability
One example of a remote code execution vulnerability is the CVE-2018-8248vulnerability – one of the security vulnerabilities fixed by Microsoft in its June 12thsecurity update. The CVE-2018-8248 vulnerability, also known as “Microsoft Excel Remote Code Execution Vulnerability”, allows an attacker to run a malware on the vulnerable computer.
The CVE-2018-8248 attacker could take full control of the compromised computer if the owner of the compromised computer logs on to the computer with administrative user rights. In taking full control of the compromised computer, the attacker could view, change or delete data; install programs; or create new accounts with full user rights.
According to Microsoft, the delivery method in exploiting the CVE-2018-8248 vulnerability could be in the form of a malicious email with an attachment that contains a specially crafted file with an infected version of Microsoft Excel. Another delivery method in exploiting the CVE-2018-8248 vulnerability is in the form of a web-based attack scenario, whereby an attacker could host a website or compromised website that accepts or hosts user-provided content containing a specially crafted file designed to exploit the CVE-2018-8248 vulnerability.
In the 2 scenarios, malicious email and web-based attack, the attacker has to convince users to click on the attachment or a link to open the specially crafted file. To date, there’s no report that CVE-2018-8248 vulnerability has been exploited into the wild.
Remote Code Execution Example #2: Microsoft Windows SMB Vulnerability
On May 12, 2017, hundreds of thousands of computers worldwide were infected by WannaCry, a malware that encrypts computer files, locking out computer users and asks for ransom payment to decrypt or unlock the computer files.
WannaCry, as it turns out, is a malware that allows remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block (SMB) – a protocol used for sharing access to files, printers and other resources on a network.
Unlike other remote code execution attacks which leverage on malicious emails and web-based attacks as delivery methods, WannaCry’s delivery method was scanning the internet for vulnerable SMB ports and using one of the alleged U.S. National Security Agency (NSA) spying tools called “EternalBlue”, which takes advantage of the vulnerability in Microsoft’s SMB. Once an attacker detects SMB vulnerability, the DoublePulsar (another alleged NSA spying tool) is then used by an attacker to allow for the installation of the WannaCry malware.
EternalBlue and DoublePulsar are 2 of the spying tools allegedly used by the NSA that were leaked in April 2017 by a group of hackers who called themselves Shadow Brokers. According to Microsoft, the security vulnerabilities exposed by Shadow Brokers were fixed by the security update released by the company in March 2017 – a month before Shadow Brokers publicly released the alleged NSA spying tools.
Researchers at Renditionreported that in late April and the first few days of May 2017 – several days after Microsoft issued a security update fixing the security vulnerabilities exposed by Shadow Brokers, more than 148,000 computers were compromised by EternalBlue and DoublePulsar.
Hundreds of thousands of computers were infected by WannaCry as many compromised machines were used as servers and because of the worm or self-propagating capability of this malware. As a result, computers connected to the infected servers were also infected by the WannaCry malware.
Remote Code Execution Attacks and Cryptocurrency Mining
At the height of the cryptocurrency boom in December 2017, Imperva reported that cryptocurrency mining drove almost 90% of all remote code execution attacks.
Imperva said 88% of all remote code execution attacks in December 2017 sent a request to an external source to try to download a cryptocurrency mining malware.
“These attacks try to exploit vulnerabilities in the web application source code, mainly remote code execution vulnerabilities, in order to download and run different crypto-mining malware on the infected server,” Imperva said. “The malware usually uses all CPU computing power, preventing the CPU from doing other tasks and effectively denies service to the application’s users.”
Timely patching or timely installation of software update ranks as the top cybersecurity measure in preventing remote code execution attacks.
For instance, to prevent remote code execution via CVE-2018-8248 vulnerability, Microsoft’s June 12, 2018 security update has to be installed. In the case of WannaCry cyberattack, remote code execution via the exploitation of Microsoft Windows SMB vulnerability could have been prevented if only Microsoft’s March 2017 security update had been timely applied.
To prevent attackers trying to infect vulnerable servers with cryptocurrency mining malware, the initial attack must be blocked. As an initial attack, cybercriminals typically exploit remote code execution vulnerabilities to launch their malware, similar to what WannaCry attackers did.
If your organization is using computers or servers that are known to be using software that’s vulnerable to remote code execution, the latest vendor patch to mitigate this particular cyberattack should be timely applied.
As a rule of thumb, to significantly minimize the risk, your company must collect, analyze and act on the most recent threat intelligence. Your IT team must be equipped with the best tool to apply patches timely thus mitigating the risk of a data breach. Better yet, workstation and server patching can and should be automated to prevent remote code execution and other cyberattacks.
Steve E. Driz, I.S.P., ITCP