The Caravan and Motorhome Club (CAMC) and the experts it drafted to help clean up the mess caused by a January cyberattack still can't figure out whether members' data was stolen.β¦
Infosec In Brief Nearly half the citizens of France have had their data exposed in a massive security breach at two third-party healthcare payment servicers, the French data privacy watchdog disclosed last week.β¦
More than 70,000 presumably legit websites have been hijacked and drafted into a network that crooks use to distribute malware, serve phishing pages, and share other dodgy stuff, according to researchers.β¦
In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it.β¦
Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including which devices customers bought, as well as each productβs warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.
Sunnyvale, Calif. based Juniper Networks makes high-powered Internet routers and switches, and its products are used in some of the worldβs largest organizations. Earlier this week KrebsOnSecurity heard from a reader responsible for managing several Juniper devices, who found he could use Juniperβs customer support portal to find device and support contract information for other Juniper customers.
Logan George is a 17-year-old intern working for an organization that uses Juniper products. George said he found the data exposure earlier this week by accident while searching for support information on a particular Juniper product.
George discovered that after logging in with a regular customer account, Juniperβs support website allowed him to list detailed information about virtually any Juniper device purchased by other customers. Searching on Amazon.com in the Juniper portal, for example, returned tens of thousands of records. Each record included the deviceβs model and serial number, the approximate location where it is installed, as well as the deviceβs status and associated support contract information.
Information exposed by the Juniper support portal. Columns not pictured include Serial Number, Software Support Reference number, Product, Warranty Expiration Date and Contract ID.
George said the exposed support contract information is potentially sensitive because it shows which Juniper products are most likely to be lacking critical security updates.
βIf you donβt have a support contract you donβt get updates, itβs as simple as that,β George said. βUsing serial numbers, I could see which products arenβt under support contracts. And then I could narrow down where each device was sent through their serial number tracking system, and potentially see all of what was sent to the same location. A lot of companies donβt update their switches very often, and knowing what they use allows someone to know what attack vectors are possible.β
In a written statement, Juniper said the data exposure was the result of a recent upgrade to its support portal.
βWe were made aware of an inadvertent issue that allowed registered users to our system to access serial numbers that were not associated with their account,β the statement reads. βWe acted promptly to resolve this issue and have no reason to believe at this time that any identifiable or personal customer data was exposed in any way. We take these matters seriously and always use these experiences to prevent further similar incidents. We are actively working to determine the root cause of this defect and thank the researcher for bringing this to our attention.β
The company has not yet responded to requests for information about exactly when those overly permissive user rights were introduced. However, the changes may date back to September 2023, when Juniper announced it had rebuilt its customer support portal.
George told KrebsOnSecurity the back-end for Juniperβs support website appears to be supported by Salesforce, and that Juniper likely did not have the proper user permissions established on its Salesforce assets. In April 2023, KrebsOnSecurity published research showing that a shocking number of organizations β including banks, healthcare providers and state and local governments β were leaking private and sensitive data thanks to misconfigured Salesforce installations.
Nicholas Weaver, a researcher at University of California, Berkeleyβs International Computer Science Institute (ICSI) and lecturer at UC Davis, said the complexity layered into modern tech support portals leaves much room for error.
βThis is a reminder of how hard it is to build these large systems like support portals, where you need to be able to manage gazillions of users with distinct access roles,β Weaver said. βOne minor screw up there can produce hilarious results.β
Last month, computer maker Hewlett Packard Enterprise announced it would buy Juniper Networks for $14 billion, reportedly to help beef up the 100-year-old technology companyβs artificial intelligence offerings.
Update, 11:01 a.m. ET: An earlier version of this story quoted George as saying he was able to see support information for the U.S. Department of Defense. George has since clarified that while one block of device records he found was labeled βDepartment of Defense,β that record appears to belong to a different country.
We've had to write the word "Fortinet" so often lately that we're considering making a macro just to make our lives a little easier after what the company's reps will surely agree has been a week sent from hell.β¦
Webinar As artificial intelligence (AI) technology becomes increasingly complex so do the threats from bad actors. It is like a forever war.β¦
Somehow, an hour and a half went by in the blink of an eye this week. The Spoutible incident just has so many interesting aspects to it: loads of data that should never be returned publicly, awesome response time to the disclosure, lacklustre transparency in their disclosure, some really fundamental misunderstands about hashing algorithms and a controversy-laden past if you read back over events of the last year. Phew! No wonder so much time went on this! (and if you want to just jump directly to the Spoutible bits, that's at the 8:50 mark)
The Reserve Bank of India (RBI) announced on Thursday it would make its digital currency programmable, and ensure it can be exchanged when citizens are offline.β¦
Singapore-based infosec firm Group-IB has detected a group that spent the last two months of 2023 stealing personal info from websites operated by jobs boards and retailers websites across Asia.β¦
The US government has placed an extra $5 million bounty on Hive ransomware gang members β its second such reward in a year. And it also comes a little over 11 months since the FBI said it had shut down the criminal organization's network.β¦
Analysis The FBI's latest PR salvo, as it fights to preserve its warrantless snooping powers on Americans via FISA Section 702, is more big talk of cyberattacks by the Chinese government.β¦
LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install.β¦
Researchers suspect the criminals behind the Raspberry Robin malware are now buying exploits for speedier cyberattacks.β¦
A cybersecurity researcher and his pal are facing charges in California after they allegedly defrauded an unnamed company, almost certainly Apple, out of $2.5 million.β¦