All is relatively well here at Woesnotgone
Meadow, where everyone has above average bandwidth.
In the Meadow, we are working towards more of a
green future. We are recycling, and starting to use solar panels. There are
other projects in the works. We do use electricity from the grid to power our
computers, lights, stoves, microwaves, and other services at home and work.
Margie is the local manager for the power company, and she generally manages
all of the things we need to be done individually and for the Meadow, so we
know it is done right and timely. Fortunately, we have not had a problem with this.
Another electricity provider appears to not have been so lucky.
Eskom is the largest electricity utility in
South Africa. In this case, when a third party detects an issue on your system,
and reports this vulnerability to you, seemingly someone in the company would
thank the researcher and start working on closing the issue. This does not seem
too outlandish or out of the realm of reality. This did not quite happen in a
recent case with Eskom.
The security researcher detected the
vulnerability. This was located in Eskom’s information system with its
database. This issue had been open for weeks. A company may not listen to
someone without evidence. This issue was documented to other parties with a
screenshot. The specific vulnerability operations at that time had not been
disclosed. This may be from the Trojan Azorult, downloaded from a game. With
this specific issue, the user who “allegedly” downloaded the Trojan had also
been identified. The end result and detectable issue was the vulnerability was leaking
customer data.
The researcher informed them multiple times of
the vulnerability and its effects. A news organization also had informed Eskom.
There also had been direct messages on Twitter to Eskom. Still no action on
this significant issue. After everything else failed, the issue was posted in a
public forum (Twitter).
The user’s data being exposed was the alarm for
the researcher to focus on. The vulnerability was leaking the customer’s full
name, type of credit card, partial credit card number, and credit card CVV.
When you receive a gift, generally you don’t
ignore this, especially the ones of this type. To receive this data early
before the industry at large would have saved them a mass amount of time,
money, overhead if they would have acted upon this. This also highlights the
need for more user education. It should be obvious, however, the users should
not load games on business computers.
Thanks for visiting Woesnotgone Meadow, where
the encryption is strong, and the O/Ss are always using the latest version.
Resources
Abrams, L. (2019, February 9). Power company has
breach due to downloaded game. Retrieved from https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/
Dissent. (2019, February 6). Eskom data leak
exposes sensitive customer information-security researcher. Retrieved from https://www.databreaches.net/eskom-data-leak-exposes-sensitive-customer-information-security-researcher/
Finnegan, C. (2019, February 7). Eskom data leak
may have exposed personal details of a number of customers. Retrieved from http://thechiefobserver.com/1304/eskom-database-flaw-may-have-exposed-personal-details-of-a-number-of-instances/
NAVVA. (2019). Eskom data leak exposes sensitive
customer information-security researcher. Retrieved from https://navva.org/africa/africa/eskom-data-leak-exposes-sensitive-customer-information-security-researcher/
Vermeulen, J. (2019, February 6). Eskom data
leak exposes sensitive customer information-security researcher. Retrieved from https://mybroadband.co.za/news/energy/295030-eskom-data-leak-exposes-sensitive-customer-information-security-researcher.html
No comments:
Post a Comment