Jeremiah Fowler reports on another unsecured elasticsearch database that his firm has found: On March 27th I discovered an unsecured Elasticsearch database that contained what appeared to be members of a medical evacuation membership service. Upon further inspection of the data there were many references that the data allegedly belonged to Florida based SkyMed. It…
China Ministries Jointly Release Guidelines for Protecting Personal Information Online
Hunton Andrews Kurth writes: On April 11, 2019, the People’s Republic of China’s Network Security Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Research Institution of the Ministry of Public Security jointly released a “Guide to Protection of Security of Internet Personal Information (the “Guide”). The Guide presents…
Audit: HHS Info Security Program ‘Not Effective’
Marianne Kolbasuk McGee reports: The Department of Health and Human Services’ information security program has received a “not effective” rating as a result of several weaknesses found in an annual review of compliance with the Federal Information Security Management Act of 2014. The HHS Office of Inspector General report is based on an audit conducted…
Eddie Bauer Agrees to $10M Data Breach Class Action Settlement
Emily Sortor writes: Eddie Bauer and Veridian Credit Union have reached a $9.8 million settlement, ending claims that Eddie Bauer’s lack of adequate security led to more than 1 million Veridian customer accounts being exposed to a data breach that occurred in January 2016. The proposed settlement deal was filed on Friday in Washington federal…
Leak Reveals Iran’s Wildest Hacker Crew Stole 13,000 Passwords From 98 Organizations
Thomas Brewster reports: Earlier this month, a prolific hacking group said to be sponsored by Iran had its cyber arsenal leaked. A bundle of tools and target information belonging to the crew, dubbed OilRig, were thrown up on the web for all and sundry to see, marking the most significant leak of Iran’s cyber weaponry…
Over Dozen Popular Email Clients Found Vulnerable to Signature Spoofing Attacks
Swati Khandelwal reports: A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen of popular email clients. The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate,…