Monday, July 29, 2019

Unsecured Database May Have Exposed Some Big Companies

An UpGuard research team recently discovered several unsecured Amazon S3 buckets belonging to the Israeli IT Services firm Attunity.

The company left the buckets unsecured, exposing more than a terabyte of sensitive information belonging to a number of prominent companies, including Ford, TD Bank and Netflix.
To provide a sense of scale, Attunity has more than 2,000 clients worldwide, including many on the Fortune 100 list.

Three different Amazon S3 databases were left open.  These were:
  • Attunity-it
  • Attunity-patch
  • Attunity-support
Upon discovery, the UpGuard research team contacted Attunity, and by the next day all three databases had been secured. At this time, it's not known with complete certainty whether an unauthorized third party was able to download the databases. Early indications say they did not, but if they did, they're now in possession of a treasure trove of information.

An UpGuard analysis of the three databases revealed that they contained:
  • A massive 750GB trove of email backups
  • A variety of Microsoft OneDrive account details
  • System passwords for a variety of network assets
  • Sales, marketing and contact information
  • Project specifications
  • Other similar data
Qlik, a larger company in the process of acquiring Attunity, released a statement that reads, in part, as follows:

"We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations.  We take this matter seriously and are committed to concluding this investigation as soon as possible.  At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us."

The UpGuard research team added the following:

"The risks to Attunity posed by exposed credentials, information and communications, then, are risks to the security of the data they process.  While many of the files are years old, the bucket was still in use at the time detected and reported by UpGuard, with the most recent files having been modified within days of discovery."

Kudos to UpGuard for finding the issue and alerting Attunity, and to Qlik for their timely response.  Here's hoping the early indications hold, and hackers somehow missed the exposed databases.


SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255
https://spartantecwilmington.business.site

Monday, July 22, 2019

Large Percentage Of Mobile Apps Have Security Flaws

How many apps do you have on your phone? If you're like most people, you've likely got dozens or more. Considering how much storage is available on mobile devices these days, people tend to install apps and, when they no longer want them, not bother to uninstall them. Whatever your number is, the statistics recently published by Positive Technologies in their report "Vulnerabilities and Threats in Mobile Applications 2019" will alarm you.

Here are a few of the key findings:
  • 35 percent of all mobile apps tested had vulnerabilities relating to the insecure transmission of sensitive data.
  • 35 percent had issues with the incorrect implementation of session expiration.
  • 20 percent had problems relating to sensitive data being stored in the app source code and insufficient protection against brute-force attacks.
  • 29 percent of tested apps contained vulnerabilities relating to insecure inter-process communications, which are classed as high risk.
Overall, high-risk vulnerabilities were found in 38 percent of tested iOS apps and 43 percent of Android apps.  Even worse, 89 percent of the vulnerabilities that were discovered could be exploited via malware, so an attacker targeting the device would never need physical access to it.

Leigh-Anne Galloway (one of the people responsible for the report) said:

"Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information.  However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue. We recommend that users take a close look when applications request access to phone functions or data.  If you doubt that an application needs access to perform its job correctly, decline the request."

Wise words, and very good advice.  So back to the initial question, and with the statistics above in mind, how many apps do you have on your phone?

SpartanTec, Inc. of Wilmington is here to protect your company's data against cyber attacks regardless of the source. Call us today for a free analysis of your vulnerability.
