The latest craze has been finding out about one's history. This does not refer to the events that have molded our lives, but to where we and our families originated. That may be the UK, Europe, Africa, or another part of the globe. Once DNA testing became reasonably priced, this market opened up. We've all seen the tests with the swab. While these are physically non-intrusive, they are able to tell a great deal about you: relatives who have also taken the test with the same service, health predispositions, and much more.
One such product is the Family Tree Maker software. First released in 1989, it has passed through many corporate owners over the years, including Broderbund, The Learning Company, Mattel, Ancestry.com, and finally Software MacKiev, which presently maintains the code.
Oops!
These services hold a large amount of data accumulated from each person. This information has value and needs to be protected. By accepting it, the company takes responsibility for its safekeeping. The issue in this instance, like too many others, was a misconfigured cloud server, found by a team from WizCase led by Avishai Efrat. The Elasticsearch server was not configured correctly, which left the server, along with all of its data, unsecured and accessible to anyone who cared to look. Had the data at least been encrypted, it would have been somewhat better; however, this was not even the case.
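The failure described above is a reachable Elasticsearch node with its security features switched off. The following audit is an added example, not code from the original post or from MacKiev: it reads a constructed elasticsearch.yml and flags the two combinations that produce exactly this exposure. The setting names are real Elasticsearch settings; the defaults table assumes an older release where security was opt-in.

```python
import re

# Constructed elasticsearch.yml modelled on the misconfiguration in the post:
# bound to every interface, with authentication turned off.
SAMPLE_CONFIG = """
cluster.name: genealogy-prod
network.host: 0.0.0.0        # reachable from any interface
http.port: 9200
xpack.security.enabled: false
"""

# Assumed defaults for an older release where security was opt-in.
DEFAULTS = {
    "network.host": "_local_",               # loopback only
    "xpack.security.enabled": "false",
    "xpack.security.http.ssl.enabled": "false",
}
LOOPBACK = ("_local_", "127.0.0.1", "::1", "localhost")


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([\w.]+)\s*:\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def audit_elasticsearch(text):
    """Return findings for a config body; an empty list means no exposure found."""
    cfg = {**DEFAULTS, **parse_flat_yaml(text)}
    findings = []
    host = cfg["network.host"]
    exposed = host not in LOOPBACK
    if exposed and cfg["xpack.security.enabled"].lower() != "true":
        # Anyone who can reach port 9200 can read and download every index.
        findings.append("exposed-without-auth: network.host=%s" % host)
    if exposed and cfg["xpack.security.http.ssl.enabled"].lower() != "true":
        # Transport encryption only; encryption at rest is a separate control.
        findings.append("http-without-tls: REST API served in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_elasticsearch(SAMPLE_CONFIG):
        print(finding)
```

A check like this belongs in the pre-production review the post mentions later, run against the actual file rather than a copy.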
The cloud server exposed 25 GB of data covering 60,000 users. This was a rich selection of data for anyone to view and download: users' email addresses, geolocation data, IP addresses, system user IDs, support messages, technical data (e.g. error logs), refunds (if applicable), and subscription type and status. Imagine what could be done with this data in a credential stuffing attack!
This is also very useful for a phishing attack. With this data, attackers would be able to create more convincing and better-targeted phishing content. The data is also perfectly usable for spam. Interestingly enough, competitors could also use it for their business: a script could filter for keywords indicating unhappy customers or a particular subscription status, and those people could then be targeted as prospective clients.
Post-Detection
This was unfortunately not a surprise. Far too many of these have been noticed. WizCase did notify the company of the oversight but did not receive a response. The company must have received the notice, though, since it took the cloud server offline after the email was sent.
Recurring
Misconfigured cloud servers are, unfortunately, nothing new. Many have been found and successfully attacked, and many of those attacks have been published, showing the extent of the issue. When you read through a handful of these, it makes you wonder whether the engineers just threw the server up there and hoped for security through obscurity. It never ceases to amaze how misconfigured cloud servers keep happening. With so many resources available, this really should not happen this often, and that is before considering the second reviewer who is supposed to look at the build before signing off on the cloud server going into production.
Affected
If you know someone who was affected by this, or simply want general guidance, there are a few helpful hints. On the bright side, at least the company did not collect users' social security numbers. Going forward, users should continue to watch what they share online. People want to share everything on social media; if possible, they should share as little as possible. This is not the popular route to take these days, but it is prudent.
With phishing emails, the email service stops most of them. Generally the filter is dialed in well enough that this is not an issue, but a handful will make it through. Users should not open an attachment or link unless they are expecting it. UPS is not going to send the same notice of delivery with the same shipping number to 30 people. Your bank is not going to send you an email asking you to follow their link.
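The UPS observation above is a usable detection heuristic: one tracking number should not fan out to many recipients. The following is an added example, not code from the original post, that applies it to constructed mail-gateway log lines; the log format and the UPS-style tracking-number pattern (1Z plus 16 alphanumerics) are assumptions.

```python
import re
from collections import defaultdict

# Constructed mail-gateway log lines (not real traffic): one line per delivery.
SAMPLE_LOG = """\
from=notice@ups-delivery.example to=alice@example.org subject="UPS delivery notice 1Z999AA10123456784"
from=notice@ups-delivery.example to=bob@example.org subject="UPS delivery notice 1Z999AA10123456784"
from=notice@ups-delivery.example to=carol@example.org subject="UPS delivery notice 1Z999AA10123456784"
from=orders@shop.example to=alice@example.org subject="Order 55521 shipped, tracking 1Z999AA10123456785"
from=orders@shop.example to=dave@example.org subject="Order 55522 shipped, tracking 1Z999AA10123456786"
"""

# Assumed log layout: from=<sender> to=<recipient> subject="<text>"
LOG_RE = re.compile(r'from=(\S+) to=(\S+) subject="([^"]*)"')
# Assumed UPS-style tracking number: 1Z followed by 16 alphanumerics.
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")


def parse_log(text):
    """Yield (sender, recipient, subject) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_mass_tracking_numbers(text, threshold=3):
    """Map each tracking number seen in subjects to its distinct recipients,
    keeping only numbers sent to at least `threshold` recipients."""
    recipients = defaultdict(set)
    for _sender, rcpt, subject in parse_log(text):
        for number in TRACKING_RE.findall(subject):
            recipients[number].add(rcpt)
    return {n: sorted(r) for n, r in recipients.items() if len(r) >= threshold}


if __name__ == "__main__":
    for number, rcpts in find_mass_tracking_numbers(SAMPLE_LOG).items():
        print("suspicious fan-out:", number, "->", len(rcpts), "recipients")
```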
Resources
IT Security News. (2020, July). Unsecured server leaks Family Tree Maker customer details: experts' comments. Retrieved from https://www.itsecuritynews.info/unsecured-server-leaks-family-trees-maker-customer-details-experts-comments/
Muncaster, P. (2020, July 21). Genealogy software maker exposes data on 60,000 users. Retrieved from https://www.infosecurity-magazine.com/news/genealogy-software-maker-exposes/
RT. (2020, July 21). Not keeping it in the family: Personal data of 60,000 genealogy software users LEAKED. Retrieved from https://www.rt.com/news/495417-genealogy-software-users-leaked/
Terabitweb. (2020, July 21). Genealogy software maker exposes data on 60,000 users. Retrieved from https://www.terabitweb.com/2020/07/21/genealogy-software-maker-exposes/
Williams, C. (2020, July 30). Family history search software leaks users' private data. Retrieved from www.wizcase.com/blog/mackiev-leak-research/