A misconfigured app has exposed NASA employees’ personal details, including their names and email addresses, as well as details about ongoing projects, according to a security researcher. The data was exposed for three weeks in 2018 after an administrator set permissions in Jira incorrectly. A filter misconfiguration was also found, exposing how NASA tasks and categorises projects and who oversees them.
According to security researcher Avinash Jain, a system administrator may have misunderstood the definition of “all users” and “everyone” when assigning permissions to newly-created dashboards within the app, interpreting these terms to mean everyone within the organisation. Jain added that such access can “give an attacker an idea of what kind of information may be housed within the application and what projects team is working upon along with showing features of different projects.”
He reportedly notified the NASA Security Operations Centre and US-CERT on 3rd September 2018, and was informed the issue had been resolved three weeks later, on 25th September.
Many cloud services are intentionally designed to promote collaboration and data sharing; however, accidental data breaches can occur when organisations using cloud services fail to apply the security settings needed to keep information private.
Under older models of information security, making some data available to ‘everyone’ meant ‘everyone within the organisation, but no-one else’. In the cloud it can mean the same thing, or, by design, it can mean ‘everyone on the Internet can see it’. The safe assumption is the latter until the product’s documentation says otherwise.
The NCSC has published measures which organisations can take to make such incidents less likely, such as setting sharing to be ‘off’ by default.
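The practical check that follows from this story is an audit of which dashboards and filters are shared beyond the organisation. The script below is an added example, not code from the original report or from Atlassian: it classifies each object's sharePermissions list into public, org-wide or restricted, and includes a paging helper for the Jira REST endpoint GET /rest/api/2/dashboard. The mapping of share-permission type values (assumption, taken from the Jira REST API documentation: "global" is what the UI calls Public and includes anonymous Internet users; "loggedin"/"authenticated" means all logged-in users) should be verified against your own instance's documentation before acting on the results. The sample dashboards embedded at the bottom are constructed for the demonstration.

```python
"""Audit Jira dashboards (and filters, which use the same sharePermissions
structure) for sharing that reaches beyond the organisation.
Added example; the type-value mapping below is an assumption from the Jira
REST API docs and must be checked against your instance."""
import base64
import json
import urllib.request

# Assumed mapping of sharePermissions "type" values (see lead-in).
PUBLIC_TYPES = {"global"}                    # anyone on the Internet, no login
ORG_WIDE_TYPES = {"loggedin", "authenticated"}  # every logged-in user


def classify(share_permissions):
    """Return 'public', 'org-wide' or 'restricted' for one sharePermissions list.

    Any single public grant wins: a dashboard shared with a project AND with
    'global' is still reachable by anonymous users."""
    types = {p.get("type") for p in share_permissions}
    if types & PUBLIC_TYPES:
        return "public"
    if types & ORG_WIDE_TYPES:
        return "org-wide"
    return "restricted"   # user/group/project/projectRole grants, or nothing


def audit(objects):
    """Build one row per dashboard/filter, most exposed first."""
    order = {"public": 0, "org-wide": 1, "restricted": 2}
    rows = [
        {"id": o["id"], "name": o["name"],
         "exposure": classify(o.get("sharePermissions", []))}
        for o in objects
    ]
    return sorted(rows, key=lambda r: (order[r["exposure"]], r["name"]))


def public_ids(objects):
    """IDs of objects that an anonymous Internet user could open."""
    return [o["id"] for o in objects
            if classify(o.get("sharePermissions", [])) == "public"]


def fetch_all_dashboards(base_url, user, api_token, page_size=50):
    """Page through GET /rest/api/2/dashboard with basic auth.

    Response shape (startAt/maxResults/total/dashboards) is assumed from the
    Jira REST docs. Not called by the demo below so the file runs offline."""
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    dashboards, start = [], 0
    while True:
        req = urllib.request.Request(
            f"{base_url}/rest/api/2/dashboard?startAt={start}&maxResults={page_size}",
            headers={"Authorization": f"Basic {token}",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        dashboards.extend(page.get("dashboards", []))
        start += page_size
        if start >= page.get("total", 0):
            return dashboards


# Constructed sample data standing in for a real API response.
SAMPLE_DASHBOARDS = [
    {"id": "10000", "name": "System Dashboard",
     "sharePermissions": [{"type": "global"}]},
    {"id": "10100", "name": "Programme roadmap",
     "sharePermissions": [{"type": "loggedin"}]},
    {"id": "10200", "name": "Sprint board",
     "sharePermissions": [{"type": "project",
                           "project": {"id": "10001", "key": "TA"}}]},
    {"id": "10300", "name": "Personal scratch",
     "sharePermissions": []},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_DASHBOARDS):
        print(f"{row['exposure']:<10} {row['id']:<6} {row['name']}")
```

Run against a real instance by replacing SAMPLE_DASHBOARDS with the result of fetch_all_dashboards(); anything in the public row set is visible without a login and is the first thing to fix. Filters returned by the filter endpoints carry the same sharePermissions field and can be passed to audit() unchanged.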
International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider
A British cyber criminal has been jailed for conducting attacks that disrupted a Liberian telecommunications provider, resulting in losses estimated at tens of millions of US dollars.
Daniel Kaye pleaded guilty in December 2018 to creating and using a botnet and possessing criminal property. He was sentenced to 2 years and 8 months following an investigation led by the NCA’s National Cyber Crime Unit.
Kaye began carrying out intermittent DDoS attacks against the Liberian telecommunications provider Lonestar MTN in October 2015 using rented botnets and stresser services. He was hired by a senior official at Cellcom, a rival Liberian network provider, and paid a monthly retainer.
From September 2016, Kaye used his own Mirai botnet, made up of a network of infected Dahua security cameras, to carry out consistent attacks on Lonestar. In November 2016, the traffic from Kaye’s botnet was so high in volume that it disabled internet access across Liberia.
The attacks had a direct and significant impact on Lonestar’s ability to provide services to its customers, resulting in revenue loss of tens of millions in US dollars as customers left the network.
A European Arrest Warrant was issued for Kaye and when he returned to the UK in February 2017, he was arrested by NCA officers.
Time running out for Windows 7
On 14 January 2020, extended support for Windows 7 will end. After that date no security updates will be issued, so devices on enterprise networks that remain on Windows 7 will be at increasing risk from unpatched vulnerabilities.
Microsoft have published an article outlining the risks. Working on old, unpatched systems increases the risk of infection with viruses, spyware and malicious software designed to steal personal information.
The NCSC advise that the latest version of Windows should be used (at present this is Windows 10, version 1803). Whilst there is a cost to upgrading obsolete platforms, it is the most effective way of ensuring networks and devices remain secure.
An NCSC blog post was published earlier this week which offers clear advice for those using Windows 7. You may also find the Obsolete Platforms guidance useful if you really cannot upgrade when the time comes.