Just another week in ThreatWatch.
In case you missed our cyber incident coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:
Researchers found some serious security gaps in Confide, a secure messaging app reportedly used by White House staffers, including the ability to impersonate contacts and alter messages in transit.
Confide promises end-to-end military-grade encryption and its messages self-destruct after they are read. “Even we at Confide cannot decrypt or see any messages. Yes, after messages are read once they disappear,” Confide’s website says.
But IOActive researchers identified a number of critical vulnerabilities in the app’s messaging, account management and website, including:
- Possibility of a man-in-the-middle attack, because the application didn't require a valid SSL server certificate, which would allow an attacker to impersonate other users.
- Unencrypted messages could be transmitted without indicating they weren’t encrypted.
- Some messages could be changed in transit because the app didn't use authenticated encryption.
- Users were allowed to select easy-to-guess passwords that could be cracked with brute-force attacks.
- An attacker could access email addresses and real names of Confide users. IOActive was able to get 7,000 records of people who signed up for the service Feb. 22-24, according to its report.
- The app's website was also vulnerable to an attack that could enable social-engineering attacks against its users.
Confide moved quickly to fix the issues: IOActive notified Confide Feb. 28 and Confide released fixes March 2.
Confide CEO Jon Brod told Dark Reading the company found no indication the vulnerabilities had been exploited prior to the updates.
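The third finding above, that messages could be altered in transit without authenticated encryption, is worth seeing concretely. The following is an added illustration (not Confide's code, and not IOActive's findings in detail): a stream cipher with no integrity tag, where a network-position party can rewrite a known part of the message without the key, beside an encrypt-then-MAC construction that rejects the same edit. The keystream, keys, nonce and message are constructed demo values, and the SHA-256 counter keystream stands in for a real CTR-mode cipher so the example runs on the standard library alone.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative keystream (SHA-256 in counter mode) standing in for a real CTR cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt or decrypt (same operation): confidentiality only, no integrity.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def substitute_in_transit(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Malleability of unauthenticated stream ciphertext: XOR (old ^ new) over known text; no key needed.
    patched = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)

def derive_keys(key: bytes) -> tuple:
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: an HMAC tag over nonce and ciphertext makes any edit detectable.
    enc_key, mac_key = derive_keys(key)
    ct = xor_stream(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = derive_keys(key)
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: message altered or corrupted")
    return xor_stream(enc_key, nonce, ct)

# Constructed demo values; real use needs random keys and a fresh nonce per message.
KEY, NONCE, MESSAGE = b"constructed-demo-key", b"demo-nonce-01", b"Meet at 8 PM"

def unauthenticated_result() -> bytes:
    ct = substitute_in_transit(xor_stream(KEY, NONCE, MESSAGE), MESSAGE.index(b"8"), b"8", b"9")
    return xor_stream(KEY, NONCE, ct)  # receiver decrypts "Meet at 9 PM" with no error

def authenticated_result() -> str:
    blob = substitute_in_transit(seal(KEY, NONCE, MESSAGE), MESSAGE.index(b"8"), b"8", b"9")
    try:
        return "accepted: " + open_sealed(KEY, NONCE, blob).decode()
    except ValueError as err:
        return "rejected: " + str(err)
```

The first function returns the silently altered message; the second returns the rejection, which is the behaviour an authenticated-encryption mode such as AES-GCM gives by default.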
A security researcher found a major spam organization’s database of more than 1.34 billion email addresses and details about the network it operates.
Listed on the Register of Known Spam Operations, River City Media exposed its database of future spam recipients because of a misconfigured backup. The database includes email addresses, full names, IP addresses and some physical addresses, according to MacKeeper security researcher Chris Vickery, who discovered it and then shared the information with Salted Hash, spam-tracking organization Spamhaus and law enforcement.
“Imagine the privacy and legal implications here. Law enforcement agents normally have to go through a subpoena process before a service provider will hand over the name behind an IP address or account. This list maps out 1.4 billion,” Vickery wrote on his blog.
The leak also exposed River City Media's chat logs, emails and how it ran day-to-day operations. Salted Hash dives into the techniques used, including a setup with 2,199 IP addresses, 60 IP blocks, 140 active DNS servers the company rotates, 100,000 domains it used for campaigns and tens of thousands of email accounts from Gmail, Hotmail, AOL and Yahoo.
Pennsylvania Democratic state senators and employees continue to be locked out of their network by a ransomware attack that started Friday morning.
Party leader Sen. Jay Costa told NBC News Friday they were working with law enforcement and Microsoft on a solution and didn't say what ransom the hackers were demanding.
On Monday, Costa confirmed the senators and staff were still locked out of email and their networks, and they refused to pay up for their information, according to the Pittsburgh Post-Gazette. The network backs up nightly, but Costa told reporters they were still waiting to find out if those files were affected.
The ransomware attack comes as the minority party is prepping for a budget battle. It is continuing its work but runs into occasional inconveniences—like not being able to print.
“We did this work before we had computers. I think it’s more difficult for younger staff, who’ve never known a work world without the internet,” Tim Joyce, chief of staff for Sen. Jim Brewster, told the Gazette.