Symantec researcher Candid Wueest spotted airport boarding gate displays putting passengers at risk by leaking booking codes.
Wueest followed an IP address from a boarding gate display to a landing page listing debug information and the databases holding details of upcoming flights, which could be used to hack into passenger accounts, according to a Jan. 10 blog post.
An attacker would only need to guess a passenger’s last name and their booking reference codes, also known as passenger name record (PNR) locators, to access details about the flight and other passengers on the same booking including full names, email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.
Wueest said the information was available to anyone who knew about the publicly accessible server. The airline has since patched the flaw.
SOURCE: Robert Abel | SCMagazine
Research by Proofpoint has identified a phishing attack on Twitter targeting brand managers and influencers. The attack is carried out by means of a legitimate Twitter ad offering account verification.
The ads come from the @SupportForAll6 account and use Twitter branding, logos and colours, making them look authentic. Users who follow the link are directed to the domain twitterhelp[.]info, where they are required to provide their Twitter username, email address, phone number and account password in a form. In the next step, the user is asked to provide a credit card number and security code for “verification purposes”.
User education and technical processes like ad blocking are a must in the fight against phishing and other cyber attacks.
1.3 million personal and medical records leaked in Australia’s biggest data breach
How many victims? 1.28 million records
What type of information? Personal and medical information such as name, gender, physical and email address, phone number, date of birth, blood type and country of birth. It also contains sensitive data such as whether someone has engaged in high-risk sexual behaviour.
What happened? An anonymous source found a 1.74GB file containing 1.28 million donor records going back to 2010 on a publicly accessible website and notified Troy Hunt. The discovery was made via a scan of IP addresses built to search for publicly exposed web servers that returned directory listings containing .sql files.
What was the response? The Australian Red Cross has said that it had made contact with the Australian Cyber Security Centre and the Australian Federal Police and notified the Office of the Australian Information Commissioner of the data breach. “We are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly,” said Jim Birch, chair, and Shelly Park, chief executive, of the Blood Service. “We would like to assure you we are doing everything in our power to not only right this but to prevent it from happening again.”
Quote: “With sensitive data often passing between multiple companies during partnerships and sales, it’s essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes,” Steve Murphy, Senior CP EMEA, Informatica, told SCMagazineUK.com.
Web hosting service Weebly has confirmed a major data breach reported by LeakedSource.com.
How many victims? 43.4 million accounts
What type of information? Usernames, email addresses, passwords and IP addresses. Fortunately, the passwords were strongly hashed (bcrypt).
What happened? LeakedSource.com acquired the stolen Weebly data from an anonymous source and reports that it was stolen from the company’s main database in February 2016.
What was the response? Weebly has responded by resetting passwords and sending out breach notification emails. In a company statement sent to SCMagazine, the company noted: “Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers.” It went on to say: “At this point we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.” The statement continued: “Our security team, with support from outside security consultants, is working to protect our customers and to enhance our network protections. This includes initiating password resets, implementing new password requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity.”
Quote: “This mega breach affects not only tens of millions of users but tens of millions of websites and with Weebly being one of the most popular hosting platforms in the world, this breach could have been far more disastrous in the wrong hands had they not strongly hashed passwords,” – LeakedSource.com’s blog post.
The Hutchinson Community Foundation in Kansas was hit with a data breach and ransomware attack.
How many victims? Nearly 5,500
What type of information? Personal and financial information.
What happened? On September 19, officials at the foundation found ransomware on the foundation’s network server after clicking on a file and finding its contents encrypted. Upon further investigation they found that intruders had done more than infect their files with ransomware and had actually made it into the foundation’s systems.
What was the response? The foundation didn’t pay the ransom and was able to restore all of its data from backup files; however, officials said the intrusion could have allowed attackers to access the databases and files on its servers, and declared the incident a breach. Not all of the donor records contained sensitive information, but those who had their financial information and other sensitive data stored on the compromised servers are being notified of the incident and will be offered up to a year of free identity monitoring services.
Security researcher Brian Krebs has described the operations of a specific Bluetooth-enabled skimmer. The skimmer fits neatly over the top of an Ingenico ISC250 point of sale terminal. It has its own battery and can grab card data and send it to a mobile device within Bluetooth range.
This makes it possible for cybercriminals to leave the mobile device running nearby and return for it later, or to store the stolen information in the skimmer and download it later, SC Magazine reports.
Personal information including usernames, passwords, e-mail addresses, gender, date of birth, country of residence and photos, as well as the sexual preferences of over 1.5 million online dating users, was found by MacKeeper researchers in an unsecured MongoDB database accessible on the internet. The data was found to belong to a New Zealand based company that runs haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, hookupdating.mobi and the mobile application “Hook Up Dating”.
In response to MacKeeper’s notification, the company claimed that the database is mostly dummy data used to test migrating data from SQL to MongoDB. The researchers are sceptical of this claim given the massive number of accounts.
Also, a one-by-one analysis of a random selection of more than 300 records shared with ZDNet proves otherwise.
The company is taking the leak lightly, claiming that only the researchers had accessed the data. It did not invalidate the affected passwords and only told users to change their passwords because it was upgrading its system for security reasons.