February 12, 2020
Data about inmates and jail staff spilled by leaky prison app
By Lisa Vaas
Inmates’ and correctional-facility employees’ data has been sloshed onto the web, unencrypted and unsecured, in yet another instance of a misconfigured cloud storage bucket.
Security researchers at vpnMentor came across the leak on 3 January during a web-mapping project that was scanning a range of Amazon S3 addresses to look for open holes in systems.
The leaky bucket belongs to JailCore, a cloud-based app meant to manage correctional facilities, including helping them comply with insurance standards by tracking inmates’ medications and activities. That means the app handles personally identifiable information (PII) that includes detainees’ names, mugshots, medication names, and behaviours: going to the lavatory, sleeping, pacing, or cursing, for example.
JailCore also tracks correctional officers’ names, sometimes their signatures, and the observational reports they personally fill out on the detainees.
Some of the PII is meant to be freely available to the public: details such as detainee names, dates of birth and mugshots are already publicly available from most state or county websites within rosters of current inmates. But another portion of the data is not: that portion includes specific medication information and additional sensitive data, vpnMentor says, such as the PII of correctional officers.
JailCore closed down the data leak between 15 and 16 January: 10 or 11 days after vpnMentor notified it about the breach (and about the same time that the security firm reached out to the Pentagon about it). The company initially refused to accept vpnMentor’s disclosure findings, the firm said.
Read more at https://nakedsecurity.sophos.com/2020/02/12/data-about-inmates-and-jail-staff-spilled-by-leaky-prison-app/
US charges four Chinese military members with Equifax hack
By Lisa Vaas
The US has charged the Chinese military with plundering Equifax in 2017.
The Justice Department (DOJ) on Monday released a nine-count indictment that accused four members of the People’s Liberation Army (PLA) of being hackers behind the breach, which was one of the largest in US history.
The breach exposed millions of names and dates of birth, taxpayer ID numbers, physical addresses, and other personal information that could lead to identity theft and fraud. Besides the original estimate of 145.5 million Americans who were affected, the breach also hit 15.2 million Brits and some 100,000 Canadians.
The indictment charged the four with a three-month campaign during which they allegedly hacked into computers of the credit-reporting agency and siphoned off the sensitive financial data and other personally identifiable information (PII) from all those people.
The accused are Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei: all members of the PLA’s 54th Research Institute, which is part of the Chinese military.
How they allegedly pulled it off
According to the indictment, the four allegedly pried open Equifax by exploiting a vulnerability in the Apache Struts Web Framework software used by the credit reporting agency’s online dispute portal.
We already knew it was done via a web app vulnerability and that it was a months-old Struts vulnerability: specifically, a nasty server-side remote code execution (RCE) bug made known to the public in March 2017.
Read more at https://nakedsecurity.sophos.com/2020/02/12/us-charges-four-chinese-military-members-with-equifax-hack/
Mozilla issues final warning to websites using TLS 1.0
By John E Dunn
Sometime this March, the Firefox, Chrome, Safari and Edge browsers will start throwing up warnings when users visit websites that only support Transport Layer Security (TLS) versions 1.0 or 1.1.
Announced in October 2018 as part of a joint plan to phase out support, the implications for any holdout sites are stark – enable the later TLS 1.2 or, ideally, 1.3, or face having no traffic.
According to the latest Mozilla reminder, visitors using Firefox will start seeing a ‘Secure Connection Failed’ message, accompanied by the error code SSL_ERROR_UNSUPPORTED_VERSION for anyone in doubt about the cause.
Initially, it will be possible to override this but only for so long. Sooner rather than later, Mozilla says that too will disappear:
We’re committed to completely eradicating weak versions of TLS because at Mozilla we believe that user security should not be treated as optional.
Other browsers will follow suit, with the Chrome browser having adopted ‘Your connection to this site is not fully secure’ messages last month with full blocking due to begin in March.
Read more at https://nakedsecurity.sophos.com/2020/02/12/mozilla-issues-final-warning-to-websites-using-tls-1-0/
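As an added example (not from the article, Mozilla or any browser vendor), here is a Python check that applies the rule the browsers are enforcing: it pins a handshake to each TLS version in turn, reports whether a host would still load after the deadline, and builds the server-side context that refuses 1.0 and 1.1. The host name in the usage block is a placeholder, and the probe assumes the local OpenSSL still permits legacy versions.

```python
import socket
import ssl
from typing import Dict, List

# Versions the browsers block from March 2020, and the ones they still accept.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
ACCEPTABLE = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_version(host: str, version: ssl.TLSVersion, port: int = 443,
                  timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support only, not trust
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Assumption: the local OpenSSL must still allow legacy versions for the
        # probe to mean anything; security level 0 lifts the library-side floor,
        # although a distro openssl.cnf that sets MinProtocol can still refuse them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def survey(host: str, port: int = 443) -> Dict[str, bool]:
    """Probe every version the article mentions, keyed by name (e.g. 'TLSv1_2')."""
    return {v.name: probe_version(host, v, port) for v in DEPRECATED + ACCEPTABLE}


def assess(support: Dict[str, bool]) -> Dict[str, object]:
    """Apply the browser rule: a site must speak TLS 1.2 or 1.3 to keep loading."""
    modern = any(support.get(v.name, False) for v in ACCEPTABLE)
    legacy: List[str] = [v.name for v in DEPRECATED if support.get(v.name, False)]
    return {
        "loads_after_march_2020": modern,
        "legacy_versions_enabled": legacy,   # worth disabling even if 1.2+ also works
        "blocked_legacy_only": bool(legacy) and not modern,
    }


def hardened_server_context() -> ssl.SSLContext:
    """Server-side fix: refuse TLS 1.0/1.1 outright (call load_cert_chain before use)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(assess(survey(target)))
```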