Selections from the top news items this week in the world of identity and application security.
Thousands of etcd installs are leaking secret server keys online
From ZDNet: According to security researcher Giovanni Collazo, a quick query made through the Shodan search engine revealed a total of 2,284 etcd servers which are leaking credentials, including the passwords and keys required for cms_admin, mysql_root, and postgres server infrastructure. Collazo said at least 750 MB of leaked data is available online.
Deconstructing the DOJ Iranian Hacking Indictment
From Dark Reading: On March 23, the United States Justice Department unsealed an indictment against nine attackers operating out of Iran, believed to be working on behalf of the Iranian government. The indictment outlined the tools and techniques used, who was targeted, what the attackers were after, and how successful they were in compromising their targets.
A new data leak hits Aadhaar, India's national ID database
From ZDNet: Aadhaar, India’s government ID database, is packed with identity and biometric information -- like fingerprints and iris scans -- on more than 1.1 billion registered Indian citizens, official figures show. Anyone in the database can use their data -- or their thumbprint -- to open a bank account, buy a cellular SIM card, enroll in utilities, and even receive state aid or financial assistance. Even companies, like Amazon and Uber, can tap into the Aadhaar database to identify their customers.
Under Armour Admits Huge MyFitnessPal Data Hack
From Forbes: Under Armour has admitted that around 150 million MyFitnessPal user accounts were hacked in February of this year but it only became aware of the breach earlier this week. "The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident," read a statement. The data includes usernames, passwords, and email addresses but not bank, driving license, or social security information.
Data Protection And The Cloud: A Hybrid World Deserves Hybrid Security
From Forbes: Companies are moving data into the cloud. While we haven’t reached a hockey-stick growth curve, the forecasts I’ve seen point to an increase in cloud storage and use over the next few years. Companies are going to the cloud because it’s cheaper to rent applications and storage than to buy infrastructure and build it out from scratch. With software that’s designed specifically for the cloud, employees get access to data anywhere and on multiple devices.
How the Facebook privacy debacle is connected to the movement of IAM to containers
From CSO Online: Personal data privacy and Facebook have never been comfortable bedfellows. This latest Facebook privacy debacle, where the data of 50 million users was shared without consent with the political marketing consultancy Cambridge Analytica, may be the final straw. That seemingly little thing that most people don’t really think too much about, consent, is raising its head above the virtual parapet and making people sit up and take notice.
My Cow Game Extracted Your Facebook Data
From The Atlantic: If you played Cow Clicker, even just once, I got enough of your personal data that, for years, I could have assembled a reasonably sophisticated profile of your interests and behavior. I might still be able to; all the data is still there, stored on my private server, where Cow Clicker is still running, allowing players to keep clicking where a cow once stood, before my caprice raptured them into the digital void.
Five Ways Machine Learning Can Save Your Company From A Security Breach Meltdown
From Forbes: $86 billion was spent on security in 2017, yet 66% of companies have still been breached an average of five or more times. Just 55% of CEOs say their organizations have experienced a breach, while 79% of CTOs acknowledge breaches have occurred. Approximately one in four CEOs (24%) isn’t aware whether their company has even had a security breach.
Blockchain to ‘radically’ transform anti-fraud, anti-money-laundering efforts
From Computerworld: Blockchain could be the answer to increasingly tough anti-money laundering (AML) statutes and enterprise fraud management (EFM) requirements looming for the financial services industry. In a report released this week by Forrester Research, blockchain's distributed ledger technology – because it is both secure and immutable – is ideal for meeting new government requirements and serving as a trusted repository for identification purposes.
Is blockchain a game-changer for revolutionizing IT infrastructure?
From Digital Insurance: Many companies feature products today that incorporate this incredible technology. For example, Okta is building an identity cloud with blockchain to streamline and secure the online identity process. Git is a popular version control system used in software development, where speed, data integrity, and distributed data are really the entire game. Git repositories utilize a distributed ledger system to maintain the integrity of rapidly changing and moving files.
What Are 'Data Brokers,' and Why Are They Scooping Up Information About You?
From Motherboard: Even when consumers are aware of both the existence of data brokers and the extent of data collected, it's difficult to determine which data they can control. For example, some data brokers might allow users to remove raw data, but not the inferences derived from it, making it difficult for consumers to know how they have been categorized. Some data brokers store all data indefinitely, even if it is later amended. The industry is incredibly opaque, and data brokers have no real incentive to interact with the people whose data they are collecting, analyzing, and sharing.
Mozilla launches Firefox Facebook container extension to isolate browsing data
From ZDNet: Mozilla is rolling out a new Firefox container extension that isolates web activity from Facebook and makes it harder for the social network to track user activity on other websites via third-party cookies. The browser maker said the Facebook Container add-on is based on technology it's been working on for the last couple of years, and that its release was accelerated in response to the controversy surrounding the misuse of Facebook user data.
Yahoo had the biggest data breach in history and this podcast won’t let you forget it
From Fast Company: Breach, a new podcast from Carbonite and Midroll, takes a long look at the history of data security breaches, starting with the biggest: Yahoo. Back in 2016, Yahoo announced that all 3 billion of its customers’ accounts had their login information stolen. Not only that, but Yahoo took three years to tell the public about it. Breach looks at the hack, and every misstep made by Yahoo in the wake of the attack. It also explores what these breaches mean for businesses, consumers, and the future of data privacy.
UK organisations urged to develop cyber security skills
From Computer Weekly: Failure to develop cyber security skills is exposing organisations to cyber attacks and exacerbating the skills gap, according to research into the levels of expertise in cloud security and data protection. More than half (51%) of 500 IT professionals and IT decision-makers at UK organisations believe they need to grow these skills in the next five years, according to a study by Rackspace and researchers at the London School of Economics (LSE) with sponsorship from Intel.
Only 16% of organizations believe their current security can protect them in the cloud
From TechRepublic: Cybersecurity experts expressed worry about the surge in cloud computing, highlighting a wide variety of potential issues that have either already cropped up or will crop up in the near future, according to a survey by Crowd Research Partners.