October: Beer, Pumpkins and Ghosts of breaches past

Micro Focus Frequent Contributor

October is an awesome month. We get Oktoberfest beers, pumpkin-flavored everything, cooler weather, trick-or-treating (I can still do that as an adult, right?) and National Cyber Security Awareness Month. For those of you who aren't familiar with it, National Cyber Security Awareness Month was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. Unfortunately, the need for better security online continues to grow, and 2018 has proven that once again. Let's take a look back at some of the biggest breaches of the year so far and what caused them.

Meltdown & Spectre

Meltdown and Spectre are two classes of side-channel attack against speculative execution in modern processors. Meltdown primarily affects Intel CPUs; Spectre also affects AMD and ARM designs. Both let an unprivileged process read memory it is not authorized to access (kernel memory in Meltdown's case, other processes' memory in Spectre's) by measuring cache timing after the processor speculatively executes instructions it later discards. Disclosed in January 2018, they were mitigated first in software and microcode (kernel page-table isolation, retpolines, microcode updates), each at some performance cost. In March 2018 Intel announced that it would redesign its CPUs with hardware mitigations, and the first of those redesigned parts are expected to ship this month.

Fitness Trackers - Strava

At the beginning of this year, San Francisco fitness startup Strava posted an online global heatmap, a searchable view of popular exercise routes built from its users' GPS data. People soon realized that the data Strava had aggregated created a major national security risk. The map showed red and yellow squiggles in the middle of Afghanistan and Syria that turned out to be United States soldiers jogging around the perimeters of their bases, which literally highlighted the locations of possible secret military facilities. The lesson is that individually harmless location records become sensitive once aggregated, and that opt-out privacy defaults do not protect users who never change them. Only a few months later, the Polar Flow app, another fitness tracker, exposed the home addresses and movements of soldiers and intelligence personnel in the same way.

Github

On February 28th, GitHub.com was offline from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 because of a memcached amplification DDoS attack. The attackers sent small UDP requests with GitHub's addresses forged as the source to memcached servers exposed on the public Internet (port 11211), and those servers answered GitHub with responses tens of thousands of times larger than the requests. According to GitHub, the first wave peaked at 1.35 Tbps and a second wave at 400 Gbps. It was the largest DDoS attack recorded at the time, but was topped four days later by a 1.7 Tbps attack using the same method against an unnamed US service provider. The takeaway for anyone running memcached: it should never be reachable from the Internet, and most deployments do not need UDP at all (the memcached 1.5.6 release disabled UDP by default in response).

Facebook/Cambridge Analytica

The Facebook–Cambridge Analytica data scandal became a major political scandal earlier this year when it was revealed that Cambridge Analytica had harvested the personal data of tens of millions of Facebook users, most of whom had never interacted with its app, through a quiz app that collected not only the data of those who installed it but also that of their friends, and had used it for political advertising without their consent.

Under Armour MyFitnessPal

In March of this year, Under Armour announced that its fitness app MyFitnessPal, which it acquired in 2015, had suffered a security breach affecting 150 million accounts. Usernames, email addresses and hashed passwords were exposed; most of the passwords were hashed with bcrypt, but a portion were hashed with SHA-1, which is fast to crack offline. Under Armour said no payment information was affected, because it is collected and processed separately.

Panera

In August of 2017, Dylan Houlihan reported a vulnerability to Panera Bread: its website had an unauthenticated API endpoint that returned a customer record for any account identifier, allowing the full name, home address, email address, food and dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be pulled in bulk for any user who had ever signed up for an account. Because the endpoint required no login and the identifiers could simply be iterated, scraping the whole customer base was trivial. The report was ignored for over eight months, with an estimated 37 million records exposed, before the endpoint was finally fixed.

Routers

In May of this year, the FBI warned that malware known as VPNFilter had infected over 500,000 devices, including consumer and small-office routers and network-attached storage systems. VPNFilter can intercept traffic passing through the router (including downgrading HTTPS to HTTP and harvesting credentials), monitor industrial Modbus traffic, and, via a destructive "kill" command, overwrite the device's firmware so it no longer boots. Rebooting removes the later-stage modules but not the persistent first stage, which is why the FBI asked owners to reboot and then update firmware and change default credentials.

Reddit

In August, Reddit disclosed that in mid-June an attacker had compromised several employee accounts at its cloud and source-code hosting providers by intercepting the SMS messages used for two-factor authentication. The attacker obtained read-only access, including a 2007 database backup containing usernames, salted password hashes and email addresses, but not current production systems. The incident showed Reddit how weak SMS-based authentication is as a second factor, and it has since moved to token-based (TOTP or hardware) 2FA.

T-Mobile

Also in August of this year, T-Mobile alerted about 2.3 million of its customers to a breach of its website in which subscriber names, ZIP codes, phone numbers, email addresses, account numbers and account types were stolen. The attacker abused a specific leaky API tied to an undisclosed part of the site; as with Panera, an API that hands back customer records without properly authenticating and authorizing the caller is all it takes.
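The Panera and T-Mobile incidents above share one root cause: an API that returns a customer record for any identifier without checking who is asking. The following is an added example, not code from the page or from either company, that models that weakness and its fix. All user IDs, names, card digits and session tokens are constructed, and the session store is a hypothetical stand-in for a real login system.

```python
"""Constructed model of a leaky customer-lookup API and its hardened form.

Nothing here is real data: user IDs, names, emails, phone numbers, card
digits and session tokens are all made up for illustration.
"""

import secrets

# Constructed sample data standing in for a customer database with
# sequential numeric IDs (the property that makes bulk scraping trivial).
USERS = {
    1001: {"name": "Ada Lovelace", "email": "ada@example.com",
           "phone": "555-0101", "card_last4": "4242"},
    1002: {"name": "Grace Hopper", "email": "grace@example.com",
           "phone": "555-0102", "card_last4": "1881"},
    1003: {"name": "Alan Turing", "email": "alan@example.com",
           "phone": "555-0103", "card_last4": "0005"},
}

# Hypothetical session store: opaque token -> authenticated user id.
SESSIONS = {}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorized."""


def login(user_id):
    """Issue an unguessable session token (stand-in for a real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_profile_vulnerable(user_id):
    """The leaky pattern: no authentication, no ownership check, and the
    full record (including card digits) goes back to whoever asks."""
    return USERS.get(user_id)


def get_profile_hardened(session_token, user_id):
    """Authenticate the caller, then authorize against the record's owner,
    and return only the fields the profile view actually needs."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not authenticated")
    if caller != user_id:
        # Deny without revealing whether the requested id exists.
        raise Forbidden("not authorized")
    record = USERS[user_id]
    return {"name": record["name"], "email": record["email"],
            "phone": record["phone"]}


def enumerate_ids(fetch, start, stop):
    """Simulate the bulk scrape: walk a sequential ID range and keep
    whatever the endpoint hands back."""
    found = {}
    for uid in range(start, stop):
        try:
            rec = fetch(uid)
        except Forbidden:
            continue
        if rec is not None:
            found[uid] = rec
    return found


if __name__ == "__main__":
    leaked = enumerate_ids(get_profile_vulnerable, 1000, 1010)
    print("vulnerable endpoint leaked", len(leaked), "records")

    token = login(1002)
    own = enumerate_ids(lambda u: get_profile_hardened(token, u), 1000, 1010)
    print("hardened endpoint returned", sorted(own), "for a logged-in user")
```

Run against the three constructed records, the vulnerable lookup gives an anonymous caller every profile in the range, card digits included, while the hardened one returns only the caller's own record and nothing at all to an unauthenticated caller. In a real service you would also rate-limit the endpoint, use non-sequential identifiers so a scan cannot walk the whole customer base, and log denied lookups so that a scrape is visible before a researcher has to report it.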

These examples, which are just some of the breaches that have taken place this year, reinforce the need for security awareness not just in October but all year long. Most of them trace back to a handful of basics: APIs that skip authentication and authorization, second factors that can be intercepted, unpatched or default-configured devices, and services exposed to the Internet that never needed to be. The best way for businesses to take security seriously is to manage, govern and secure their information; detect and respond to data breaches; and govern identity and access.

All these breaches have me wanting to crack open a fresh Oktoberfest beer, cheers!


Footnote*
Don’t be a headline. Protect your enterprise end-to-end. Micro Focus just had their Security Summit in September, and if you missed it, you can register for FREE and view the sessions at the Micro Focus Digital Cybersecurity Summit starting on October 30. Read my last blog to get the key AppSec takeaways from the Summit! 
