Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label OWASP. Show all posts
TransUnion
Customer Data Customer Data Exposed Data Breach Fidelity Investment fraud OWASP TransUnion

Fidelity Investments Data Breach Affects 77,099 Customers

 

Fidelity Investments recently disclosed a data breach that impacted 77,099 customers, with details made public in an October 9 filing with the Maine Attorney General’s Office. The breach occurred on August 17, 2024, and was discovered two days later on August 19. According to a letter sent to those affected, unauthorized access was gained to two newly established customer accounts. Using these accounts, the attackers were able to view and obtain personal information, although Fidelity noted that account balances or transactions were not viewed. 

While Fidelity did not disclose the specific types of data stolen, it has assured affected customers by offering 24 months of free credit monitoring and identity restoration services through TransUnion. The absence of service disruptions during the breach suggests that the attack was likely not ransomware-based, although the form of the attack remains undisclosed. Fidelity’s spokesperson, when addressing the breach, said the attackers “viewed customer information” without directly accessing customer accounts. Security experts believe that this kind of attack likely exploited a vulnerability in Fidelity’s web applications. 

Venky Raju, the field chief technology officer at ColorTokens, noted that the attack vector likely involved a misconfiguration in customer-facing applications, allowing the attackers to establish new accounts and access customer information through them. This method aligns with known vulnerabilities in web security, including those listed in the OWASP Top 10 Web Application Security Risks. Exploiting these vulnerabilities can allow attackers to bypass account security and access sensitive data. Cybersecurity analysts have speculated that the breach was primarily an information-gathering exercise. According to Sarah Jones, a cyberthreat intelligence research analyst at Critical Start, the motive behind the breach likely involved gathering data that could be used for future attacks. 

These could range from identity theft and phishing campaigns to more severe scenarios like ransomware demands. The personal information obtained through such breaches can be valuable on its own, or it can serve as a means for launching further, more sophisticated cyberattacks. As the investigation continues, Fidelity is working with external cybersecurity experts to understand the scope of the breach and to implement additional security measures. Customers are encouraged to stay vigilant and monitor their accounts for unusual activity. By providing affected users with credit monitoring and identity restoration services, Fidelity aims to mitigate the risks posed by the breach while ensuring that proper measures are put in place to prevent future incidents.  

While the exact impact of the data breach remains unclear, it serves as another reminder of the growing threats to personal information in the digital age. The evolving tactics of cybercriminals, particularly in exploiting vulnerabilities in web applications, highlight the importance of continuous security assessments and prompt responses to emerging threats.
Read more »
wiki misconfiguration
Cybersecurity Data Breach OWASP Personal Information Security vulnerability wiki misconfiguration

OWASP Reveals Data Breach Stemming from Wiki Misconfiguration

 

The OWASP Foundation has recently made public a data breach incident where the resumes of certain members were inadvertently made accessible online due to a misconfiguration of its previous Wiki web server.

OWASP, which stands for Open Worldwide Application Security Project, is a nonprofit organization established in December 2001 with a focus on enhancing software security.

Over the years, it has garnered a large membership base, boasting tens of thousands of members and over 250 chapters worldwide, which organize various educational and training events. The breach was identified by OWASP in late February subsequent to numerous support requests.

The breach primarily impacted individuals who became members of the foundation between 2006 and 2014 and had submitted resumes as part of the membership process during that period.

Andrew van der Stock, the Executive Director of OWASP, disclosed that the exposed resumes contained sensitive personal information such as names, email addresses, phone numbers, and physical addresses. He clarified that during the mentioned period, OWASP used to collect resumes as a requirement for membership, aiming to establish a connection with the OWASP community. However, the organization no longer follows this practice.

Although many of the affected individuals are no longer associated with OWASP, the foundation has committed to notifying them via email about the breach. Despite this, the exposed personal data, in numerous cases, may be outdated.

In response to the breach, OWASP has taken several steps to mitigate the situation. This includes disabling directory browsing, reviewing the web server and Media Wiki configuration for other potential security vulnerabilities, and removing all resumes from the wiki site while also purging the Cloudflare cache. Furthermore, OWASP has approached the Web Archive to request the removal of the exposed resume information from its records.

Van der Stock reassured the affected individuals that OWASP has already taken measures to remove their information from the internet, thereby alleviating the immediate concerns. However, he advised caution for those whose information might still be relevant, urging them to exercise usual precautions when dealing with unsolicited communications via email, mail, or phone.
Read more »
Web Application Firewall
CRS OWASP Vulnerabilities and Exploits Web Application Firewall

Severe flaw Identified in OWASP ModSecurity Core Rule Set

 

The developers of the OWASP Foundation have admitted the breach in the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project that could allow threat actors to bypass security protections offered by the in-built CRS web application firewall (WAF). 

The flaw – tracked as CVE-2021-35368 has the ability to bypass CRS without being inspected, due to a combination of two bugs in the CRS Drupal rule exclusion package. The flaw has not only affected the CRS Drupal rule exclusion package but is present in every CRS installation that includes these rule exclusions – regardless of whether they are enabled or not.

"If the backend is broken and configured with the correct trailing pathname information setting… then anything is possible. If the backend looks into the trailing path info as it should, then you are on the safe side. The vulnerability has been around for several years. When we did the early rule exclusion packages in 2016 and 2017, we were not really used to the rule-writing techniques that we had to employ,” Christian Folini, co-lead of the volunteer-led Core Rule Set project explained. 

Andrew Howe from Loadbalancer.org identified the vulnerability in the ModSecurity engine last year, Folini said. Howe reported the two flaws in the CRS in June. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This also applies to end-of-life CRS versions 3.0.x, 3.1.0, 3.1.1, as well as the currently supported versions 3.2.0 and 3.3.0.

Folini pinpointed on a lack of financial support as a key barrier in running a volunteer-led project such as CRS. “Open source is not inherently more secure than closed source – it just means that people can look at the code. Yet the security advantage can only play out when people actually do look at the code, like Andrew Howe did,” he explained.

“If we have these reviews, then the inherent transparency of an open-source project will bring an advantage over traditional software, namely in the security domain where users really want to see what is going deep down in their software.”

“Open-source projects also tend to be more open about their shortcomings so they are often able to build up more trust and confidence with their user base. A commercial project is often tempted to avoid bad press by keeping a problem under the rug, or hiding a fix in the changelog,” Folini concluded.
Read more »
Subscribe to: Posts (Atom)