May 18, 2019

Sergiu Gatlan reports:

Over 12,000 unsecured MongoDB databases have been deleted over the past three weeks, with only a message left behind asking the owners of the databases to contact the cyber-extortionists to have the data restored.

Although not on this scale, these types of attacks targeting publicly accessible MongoDB databases have happened since at least early 2017 [1, 2, 3, 4]. Attackers looking for exposed database servers using BinaryEdge or Shodan search engines delete them and demand a ransom for their ‘restoration services’.

Read more on Bleeping Computer.
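The exposure those attackers scan for is not subtle: a mongod listening on every interface with access control switched off, so anyone who can reach the port can drop every database. The script below is an added check written for this post, not code from Bleeping Computer or from the MongoDB project. It reads the `net` and `security` sections of a mongod.conf and flags that combination. The sample configs are constructed, and the tiny YAML reader is an assumption that handles only the indented key/value subset mongod.conf normally uses (no lists, anchors or flow syntax).

```python
# Added example (not from the Bleeping Computer report): audit a mongod.conf
# for the exposure pattern the wipe-and-ransom attackers scan for, a listener
# bound to every interface with access control switched off.
# Assumption: the minimal reader below handles only the indented key/value
# subset of YAML that mongod.conf normally uses (no lists, anchors, flow syntax).

# Constructed sample: exposed on all interfaces, no authorization.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere the port is routed
"""

# Constructed sample: loopback only, authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse indentation-based `key: value` lines into nested dicts."""
    root = {}
    stack = [(-1, root)]          # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:          # close deeper/equal sections
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:                                  # section header: nest a new mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def is_bound_to_all(net):
    """True if mongod listens on every interface (bindIpAll or a wildcard address)."""
    if str(net.get("bindIpAll", "false")).lower() == "true":
        return True
    # mongod 3.6+ defaults to localhost when bindIp is absent; older builds
    # listened on every interface, so treat an old deployment's missing key
    # as suspicious by hand.
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    return any(a in ("0.0.0.0", "::") for a in addrs)


def audit(conf):
    """Return a list of findings; an empty list means neither risk factor is present."""
    net = conf.get("net", {})
    security = conf.get("security", {})
    bound_all = is_bound_to_all(net)
    # security.authorization defaults to disabled when the key is absent.
    auth_on = str(security.get("authorization", "disabled")).lower() == "enabled"
    findings = []
    if bound_all:
        findings.append("net.bindIp/bindIpAll: listening on all interfaces")
    if not auth_on:
        findings.append("security.authorization: not enabled")
    if bound_all and not auth_on:
        findings.append("CRITICAL: unauthenticated remote clients can drop every database")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```

Binding to a public interface with authorization enabled still leaves the port visible to Shodan and BinaryEdge, so the two findings are reported separately; the combination is what turns a scan hit into a wiped database. A firewall rule in front of 27017 is the usual third control, and this script cannot see it.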

May 18, 2019

Sam Clark reports:

Lithuania’s data protection authority has fined a payments processing company for breaching three provisions of the GDPR.

The State Data Protection Inspectorate has levied a €61,500 fine against fintech company MisterTango for inappropriate data processing, disclosing personal data and failing to report a breach, it said today. The authority said that the fine should be seen as a “significant signal to other companies”.

MisterTango suffered a data breach in July 2018, when its customers’ personal information became available online. More than 9,000 screenshots of banking transactions also appeared online, according to the authority.

Observers said it is not yet clear whether the disclosure happened as a result of a technical error or a hack, though the company claims it was the former.

Read more on Global Data Review.

If you can’t access the article, maybe you can read this one.

May 17, 2019

Catalin Cimpanu reports:

Threat intelligence analysts have long said that hacktivism was dead, but new data published by IBM X-Force today confirms the complete collapse of the hacktivism scene, with activity levels going down by 95% since 2015.

According to IBM, security incidents caused by hacker groups operating under hacktivism causes have been on a decline since 2015, when the company recorded a peak, with 35 publicly reported incidents.

Read more on ZDNet.

May 16, 2019

Renee Dudley and Jeff Kao report that two firms that advertised technology solutions for responding to ransomware incidents (Proven Data Recovery of Elmsford, New York, and Florida-based MonsterCloud) were really just paying the ransom to the attackers.

Read more on ProPublica.

I suspect that ransom payments have been the dirty little secret for the past three years or so. Once the FBI came out at one point and said it didn’t recommend paying ransom, I think firms were more hesitant to disclose that they had paid. Who wants to be named and shamed as a company encouraging attackers by paying them, right?

But payment seems to be happening a lot more than we might have guessed. As a lawyer from a prominent law firm that handles hundreds of breaches every year told me, it’s an economic/business decision. What is it going to cost you if you don’t pay? That law firm also claims that in 94% of their cases, working decryption keys are obtained when victims pay the ransom. Both that law firm and a whitehat from an intel firm tell me that these days, they are seeing 7-figure ransom demands in some cases.

At this rate, I think that paying ransom may become the first option – instead of the last-resort option – for firms that don’t have backups that are usable or can’t afford what could be a lengthy disruption to their business or patient care. So is every firm looking at their cyberinsurance policy to see if they have coverage to pay ransom in the event of a ransomware attack? Do they know how to obtain BTC in a hurry if they don’t have an incident response firm already on board and ready to react?

The times, they are a-changing.

May 16, 2019

From the for-the-love-of-a-free-press-would-someone-PLEASE-teach-these-people-about-the-first-amendment? dept.

Earlier this week, this site noted reporting by Paterson Times about an alleged breach involving the Paterson Public Schools in New Jersey. We also picked up a follow-up report that covered some… um… unexpected claims by the District as to how many threat actors might be involved and whether it was a former employee, and… a whole bunch of other claims that seemed premature, at best. Usually, entities shut up and say they are investigating. Paterson Public Schools seems to have decided to take another approach, one that is not averse to making the district look inexperienced at handling a data security incident.

And now they are providing students and their community with an embarrassing example of what happens when the district is ignorant about the First Amendment and laws protecting journalists and responsible journalism.

Today, the Paterson Times reports:

After a news story exposed a massive data breach at the Paterson Public Schools, superintendent Eileen Shafer threatened to sue the Paterson Times for purported “serious reputational harm” to the school district, a lawsuit that would be prohibited by law. The letter also suggested the district would use legal means to obtain materials related to the breach held by the Times, which would be prohibited by the state’s reporter’s shield law.

Shafer issued her threat in a letter signed by the district’s attorney Robert E. Murray. Her spokesman Paul Brubaker emailed the letter at 4:42 p.m. on Monday, 52 minutes after the story appeared on the front page of the newspaper’s website.

“This is serious reputational harm to the entire school district. Thus, a civil court action must be pursued,” reads Murray’s letter. He asserts the breach, which claimed more than 23,000 account passwords and was not detected until the Paterson Times brought it to the district’s attention, has caused the school system to be “unfairly held out for ridicule in the community.”

Read more on the Paterson Times.

The basis for any ridicule of the district is the district’s response to the reported or alleged breach. They have repeatedly been shooting themselves in the foot and need to get a real professional in there to handle incident response properly. Their claims, demands, and legal threats are, to put it bluntly, bullshit, and should be called out as such.

How sad that those with the responsibility of educating our youth seem to be totally ignorant about the First Amendment.  Hopefully, the Paterson Times’ lawyers will hand them a clue stick.