Ford bug exposed customer and employee records from internal systems
A bug on Ford Motor Company’s website allowed for accessing sensitive systems and obtaining proprietary data, such as customer databases, employee records, internal tickets, etc. The data exposure stemmed from a misconfigured instance of Pega Infinity customer engagement system running on Ford’s servers. This week, researchers have disclosed a vulnerability found on Ford’s website that let them peek into confidential company records, databases and perform account takeovers. The vulnerability was discovered by Robert Willis and break3r, with further validation and support provided by members of Sakura Samurai ethical hacking group—Aubrey Cottle, Jackson Henry, and John Jackson. The issue is caused by CVE-2021-27653, an information exposure vulnerability in improperly configured Pega Infinity customer management system instances.
Secret terrorist watchlist with 2 million records exposed online
A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. July this year, Security Discovery researcher Bob Diachenko came across a plethora of JSON records in an exposed Elasticsearch cluster that piqued his interest. The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status. The exposed server was indexed by search engines Censys and ZoomEye, indicating Diachenko may not have been the only person to come across the list: The researcher told BleepingComputer that given the nature of the exposed fields (e.g. passport details and “no_fly_indicator”) it appeared to be a no-fly or a similar terrorist watchlist.
Survey finds vast majority of people reusing personal passwords in the workplace, despite security training
Regular readers of Hot for Security understand the pitfalls of reusing passwords in multiple places. If you use the same password in more than one place, the risk is that the password will be breached by hackers in one location and then used against you elsewhere. For example, in 2012, it became apparent that the passwords for almost 6.5 million LinkedIn passwords had been stolen from the business networking site and posted online. (That would have been bad enough, but four years later it was revealed that the breach was much worse than previously thought – and had actually exposed over 100 million LinkedIn users’ passwords). Following the breach, hackers tried to crowbar their way into users’ other accounts by using the passwords that had been used on LinkedIn. Infamously, one high profile victim was a fellow you may have heard of called Mark Zuckerberg – who had made the elementary mistake of using the same password for his Twitter, Instagram, and Pinterest accounts as his LinkedIn profile. That password? The hardly complex “dadada”.
Pearson to pay $1M fine for misleading investors about 2018 data breach
Pearson, a London-based publishing and education giant that provides software to schools and universities has agreed to pay $1 million to settle charges that it misled investors about a 2018 data breach resulting in the theft of millions of student records. The U.S. Securities and Exchange Commission announced the settlement on Monday after the agency found that Pearson made “misleading statements and omissions” about its 2018 data breach, which saw millions of student usernames and scrambled passwords stolen, along with the administrator login credentials of 13,000 schools, district and university customer accounts. The agency said that in Person’s semi-annual review filed in July 2019, the company referred to the incident as a “hypothetical risk,” even after the data breach had happened. Similarly, in a statement that same month, Pearson said the breach may include dates of birth and email addresses, when it knew that such records were stolen, according to the SEC.
Serious vulnerability turns home tech into spying tools
Security researchers working with the Cybersecurity and Infrastructure Security Agency (CISA) have disclosed a critical vulnerability that affects millions of Internet of Things (IoT) devices. Disclosed by security vendor Mandiant, the vulnerability impacts IoT devices that are powered by ThroughTek’s Kalay platform, which is often used by IoT cameramanufacturers, as well as in smart baby monitors, and Digital Video Recorder (DVR) products. “This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality,” explained Mandiant.
Pharmacist faces 120 years in prison for selling vaccination cards on eBay
An Illinois pharmacist arrested today faces 120 years in prison for allegedly selling dozens of authentic COVID-19 vaccination record cards issued by the Center for Disease Control and Prevention (CDC). “Knowingly selling COVID vaccination cards to unvaccinated individuals puts millions of Americans at risk of serious injury or death,” said FBI Special Agent in Charge Emmerson Buie Jr. “To put such a small price on the safety of our nation is not only an insult to those who are doing their part in the fight to stop COVID-19, but a federal crime with serious consequences.” 34-year-old Tangtang Zhao from Chicago worked as a licensed pharmacist for a nationwide chain of stores and pharmacies that also distributed and administered COVID-19 vaccines. According to the indictment, Zhao sold 134 real vaccination cards to 11 buyers who paid him roughly $1276, amounting to around $10 per vaccination card.