Cybersecurity Week in Review: 9/14
Posted by: GuidePoint Security
Hard to believe we are in the third week of September already. This month has already produced some interesting reports in the security world, with this past week being no exception. Let’s dive in and look at some of the more newsworthy situations that showed up over the last seven days.
Campaign App Leaks Personal Data
With the election coming up just around the corner, there is no shortage of targeted ads, apps, and news flooding our heads at any given moment. In today’s world, everything has an app, so you shouldn’t be surprised that the presidential candidates are creating their own. One such app, the official Biden campaign app, was built to help voters encourage other voters to, well, vote.
The app allows the user to upload their phone contact list to see if their friends and family members are registered to vote. It then takes that information and cross-matches it with voter files supplied by a political marketing firm, with over 191 million American voter files in their database. When the app finds a match, it displays the voter’s name, age, birthday, and the most recent election they voted in. Much of this information is public elsewhere; the app just brings the information to the person requesting it.
However, the problem is that the app contained a bug that allowed anyone using it to access any voter’s information. The bug, found by a mobile expert and detailed in his eponymous blog, meant that you could put just the name of any person into your contact list and the app would pull in the matching voter’s data.
Furthermore, when the analyst monitored the traffic flowing in and out of the device where the app was installed, he could see that far more private data was being passed into the app, such as the voter’s home address, date of birth, gender, ethnicity, and political party affiliation. The campaign has since sent out an update for the app to resolve the flaw and publicly stated, “We are committed to protecting the privacy of our staff, volunteers, and supporters.”
View the article here
Pandemic on Multiple Fronts
This year has been intense on many levels. A virus outbreak, fires, hurricanes, social unrest, political polarization, and more have already given most people enough distress for a lifetime. On top of all of this, with the shift to remote working and learning, the number of intrusion attempts in just the first six months of 2020 outnumbered the entire year of 2019.
This all comes from a recent study by security company CrowdStrike, which detailed in its report that intrusion attempts were at 35,000 in 2019, whereas in the first six months of 2020 they were at 41,000. The increase is shown to be primarily in eCrime, or crime involving computers and networks. The details also show that eCrime made up 82% of the intrusions observed in these first six months. CrowdStrike links this increase to the fact that these actor types see immense success with their hunting campaigns and to the widespread availability of Ransomware-as-a-Service, which gives access to stock-style malware for use.
The vertical that has seen the most massive increase in activity this year is manufacturing. CrowdStrike notes that this industry has seen an increase in both the number and the sophistication of attacks.
To put it into perspective, in 2019, the manufacturing industry had a relative frequency of 3.8% in intrusions, whereas in only the first six months of 2020, it had a frequency of 11.1%. That’s quite a bump.
Check out the full report here.
Final Words
Looking at all the things happening in the world right now, the only quote that comes to mind is from the Wicked Witch of the West in her last melting breath, “What a World, What a World!”.
Now, like I mention every week, there was a lot more happening out in the ether; these are just some of the stories I found to be interesting. Still, we need to remember it’s best to take a “watch and learn” approach, and not forget our essentials.
Just because we trust a person, company, or group doesn’t mean that we should make assumptions about their security practices. Anytime we download an app or go to a website that asks for our or other people’s personal information, we should take heed of what they are doing with that information and how much of it they need. When personal information is leaked, it can have effects that nobody sees right away and can be used for nefarious purposes of many types.
As always, we need to have a security mindset when setting passwords, opening emails, and clicking on links. Attackers don’t have to be sophisticated in their approach to access a company’s environment when an employee can just let them in.
In closing, we need to know that attacks are increasing pretty rapidly. We are seeing more eCrime this year than last, and with the constant stories about web skimming attacks, it doesn’t look to be slowing. Learning from others and the landscape is how we stay ahead of the curve and keep ourselves protected as best we can. Be informed, be vigilant, and be proactive in your security pursuits.
As always, security is an action. We get out what we put into it.