
Data Leak: Critical Data Being Exposed From Salesforce Servers


According to a post by KrebsOnSecurity published on Friday, servers running Salesforce software are leaking private data controlled by governmental bodies, financial institutions, and other businesses.

According to Brian Krebs, Vermont had at least five websites that gave anyone access to critical information. One of the programs impacted was the state's Pandemic Unemployment Assistance program, which revealed applicants' full names, Social Security numbers, residences, contact information (phone, email, and address), and bank account details. Like the other organizations found exposing sensitive data to the general public, Vermont had adopted Salesforce Community, a cloud-based product designed to let businesses construct websites quickly.

Among the other victims was Columbus, Ohio-based Huntington Bank. It recently bought TCF Bank, which processed commercial loans using Salesforce Community. The exposed data included names, residences, Social Security numbers, titles, federal IDs, IP addresses, average monthly payrolls, and loan amounts.

Apparently, both Vermont and Huntington discovered the data leak only after Krebs contacted them for comment on the matter; both customers then withdrew public access to the critical data. Salesforce Community websites can be set up to require authentication, limiting access to internal resources and sensitive information to a select group of authorized users. The websites can also be configured to let anyone read public information without authenticating. In certain instances, administrators unintentionally permit unauthenticated users to view website sections that are meant to be accessible only to authorized personnel.
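One way a Salesforce administrator can check for the misconfiguration described above is to audit which objects the site's guest-user profile can read. The following is an added example, not code from the post or from Salesforce; it assumes the standard ObjectPermissions and Profile data model (guest profiles carry UserType 'Guest') and uses constructed sample rows in place of a live query result.

```python
"""Audit Salesforce Community guest-profile object permissions (added example).

Assumes the Salesforce ObjectPermissions model: each row names an SObjectType,
carries PermissionsRead / PermissionsViewAllRecords flags, and belongs to a
Parent PermissionSet whose Profile has UserType == 'Guest' for site guest users.
SAMPLE_ROWS is constructed to look like one page of results for that query.
"""
from typing import Iterable

# Standard objects the post says become reachable by URL once the guest profile can read them.
SENSITIVE_STANDARD_OBJECTS = {"Account", "Contact", "User"}

GUEST_AUDIT_SOQL = (
    "SELECT SObjectType, PermissionsRead, PermissionsViewAllRecords, "
    "Parent.Profile.Name, Parent.Profile.UserType "
    "FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'"
)

# Constructed sample: what the query above might return for one Community site.
SAMPLE_ROWS = [
    {"SObjectType": "Account", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Benefits Portal Profile", "UserType": "Guest"}}},
    {"SObjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True,
     "Parent": {"Profile": {"Name": "Benefits Portal Profile", "UserType": "Guest"}}},
    {"SObjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Benefits Portal Profile", "UserType": "Guest"}}},
    {"SObjectType": "User", "PermissionsRead": False, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Benefits Portal Profile", "UserType": "Guest"}}},
]


def fetch_rows(sf):
    """Run the audit query with a simple_salesforce Salesforce client (hypothetical caller supplies sf)."""
    return sf.query_all(GUEST_AUDIT_SOQL)["records"]


def guest_readable_objects(rows: Iterable[dict]) -> dict:
    """Map each guest profile name to the sorted list of objects it can read at all."""
    readable: dict = {}
    for r in rows:
        profile = r["Parent"]["Profile"]
        if profile.get("UserType") == "Guest" and r["PermissionsRead"]:
            readable.setdefault(profile["Name"], []).append(r["SObjectType"])
    return {name: sorted(objs) for name, objs in readable.items()}


def flag_sensitive_exposure(rows: Iterable[dict]) -> list:
    """Return (profile, object, severity) for sensitive standard objects guests can read.

    View All Records bypasses sharing rules, so read + View All is rated high."""
    findings = []
    for r in rows:
        profile = r["Parent"]["Profile"]
        if profile.get("UserType") != "Guest" or not r["PermissionsRead"]:
            continue
        if r["SObjectType"] in SENSITIVE_STANDARD_OBJECTS:
            severity = "high" if r["PermissionsViewAllRecords"] else "medium"
            findings.append((profile["Name"], r["SObjectType"], severity))
    return sorted(findings)
```

Every finding is an object a guest can open by navigating to its standard page, regardless of whether it appears in the site's navigation menu.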

Salesforce told Krebs that it provides customers with clear guidance on how to set up Salesforce Community so that only certain data is accessible to unauthenticated guests.

Doug Merret, who raised awareness of the issue eight months earlier, elaborated on his concerns about how easy Salesforce is to misconfigure in a post headlined ‘The Salesforce Communities Security Issue.’

“The issue was that you are able to ‘hack’ the URL to see standard Salesforce pages - Account, Contact, User, etc. […] This would not really be an issue, except that the admin has not expected you to see the standard pages as they had not added the objects associated to the Aura community navigation and therefore had not created appropriate page layouts to hide fields that they did not want the user to see,” he wrote.

Krebs noted that he learned of the leaks from security researcher Charan Akiri, who had identified hundreds of organizations with misconfigured Salesforce sites. Akiri said that, of the many companies and government agencies he notified, only five had resolved the issue, and none of those were in the government sector.

Hacking of the US InfraGard Critical Infrastructure Intelligence Portal

One of the FBI's central databases was breached by a hacker. The breach appears to have been caused by a serious security lapse on the bureau's part, resulting in the possible theft of sensitive information.

KrebsOnSecurity reported that hackers have been using InfraGard, which functions as a social-media-style intelligence hub for high-profile people.

A central aspect of the FBI's InfraGard program is that it links "critical infrastructure owners and operators with the FBI to provide education, information sharing, networking, and training regarding emerging threats and technologies." Put simply, it is a database of highly visible people who are concerned about security.

A database with contact information for over 80,000 InfraGard members was listed on the Breached cybercrime forum for $50,000. It gives a buyer access to the contact information of thousands of InfraGard members.

After USDoD completed the sign-up process, which required only email verification, a Python script written by a friend was run against the InfraGard API to retrieve all of the user data.

One of the most concerning aspects of this data theft is that the FBI appears not to have conducted any security checks at all. The people whose identities were used to create the account have confirmed that the FBI never contacted them before the account was approved, even though it was their identities that were being used.

The FBI has also confirmed to Krebs that it is aware of a potential false account associated with the InfraGard system, but stated that it is currently unable to provide any additional information on the situation.

USDoD admitted that the $50,000 price tag placed on the database was high and said the price is negotiable if someone shows interest in purchasing it. While the InfraGard account remains active, there is nothing to stop hackers from contacting these high-profile figures at any time during the investigation.