DropBox

Online application glitch may lead to data breach

March 7th, 2015

Painted Turtle, a California-based nonprofit that runs a free camp for children with life-threatening diseases and their families, suffered a data breach in which personal information may have been exposed because of a glitch in its online application system.

The affected information includes names, addresses, Social Security numbers, driver’s license numbers, personal medical information, and employment information. An error in the database of Painted Turtle’s online application server for campers and volunteers caused the breach. Bank account and credit card information were not present on the server.

“We immediately brought the database offline to prevent anyone from being able to access your records,” Maher wrote. “Also, in an effort to prevent similar data breaches in the future, before bringing the system back online we updated our database’s code to prevent the issue from occurring again.”

According to the statement on the website:

Your information would not have been viewable unless a specific chain of events occurred.

Specifically: (1) you would have had to identify someone as a Reference in your application in 2013–2014, and (2) that person would have had to begin filling out an application as well, and (3) while that person’s application (and your application) was still pending, (4) they would have had to access their pending application and click “show related profiles” and your name. Again, your information would not have been accessible to anyone outside of the persons you listed as References in your application.

We became aware of this issue on January 12, 2015. As soon as this error was brought to our attention, we began taking steps to address and mitigate the risk to you. We immediately brought the database offline to prevent anyone from being able to access your records.
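The chain of events in the statement describes an authorization flaw: the link between an applicant and the person they named as a reference was the only gate, and once it matched, the reference's "show related profiles" view returned the applicant's whole record. The following is an added example, not code from Painted Turtle or from the original post, that models that access path with constructed sample records and hypothetical function names, and shows the fix a reviewer would ask for: keep the relationship check, but project the result onto an allow-list of fields so a reference never receives identifiers or medical data.

```python
"""Field-level authorization for a 'show related profiles' view.

Added example, not code from Painted Turtle or from the original post. It models
the access path the camp's statement describes: an applicant names a reference,
the reference starts their own application, and while both are pending the
reference can open 'show related profiles'. All records below are constructed
sample data; the function names are hypothetical.
"""

# Constructed sample applications, keyed by application id.
APPLICATIONS = {
    "app-1": {
        "applicant": "Alice Example",
        "status": "pending",
        "references": ["bob@example.org"],
        "address": "1 Camp Road",
        "ssn": "000-00-0000",  # constructed placeholder, not a real SSN
        "medical": "asthma",
    },
    "app-2": {
        "applicant": "Bob Example",
        "status": "pending",
        "references": [],
        "address": "2 Camp Road",
        "ssn": "000-00-0001",  # constructed placeholder
        "medical": "none",
    },
}

# The only fields a reference needs in order to act on an application.
REFERENCE_VISIBLE_FIELDS = frozenset({"applicant", "status"})

# Fields that must never reach anyone but the applicant and camp staff.
SENSITIVE_FIELDS = frozenset({"ssn", "address", "medical"})


def related_profiles_unsafe(viewer_email: str) -> list[dict]:
    """Pattern the breach notice implies: the reference relationship is the
    only gate, and the whole record is returned once it matches."""
    return [
        app for app in APPLICATIONS.values()
        if viewer_email in app["references"] and app["status"] == "pending"
    ]


def related_profiles_safe(viewer_email: str) -> list[dict]:
    """Hardened version: the same relationship check, plus an explicit
    projection onto an allow-list of fields, so the response cannot leak a
    sensitive column even if one is added to the record later."""
    results = []
    for app in APPLICATIONS.values():
        if viewer_email not in app["references"] or app["status"] != "pending":
            continue
        results.append({k: app[k] for k in REFERENCE_VISIBLE_FIELDS if k in app})
    return results


def leaks_sensitive_fields(profiles: list[dict]) -> bool:
    """Regression check a test suite can run against any profile view."""
    return any(SENSITIVE_FIELDS & p.keys() for p in profiles)
```

The allow-list projection is the part that matters: a deny-list of "known sensitive" columns fails silently the first time someone adds a new column to the application table, whereas the allow-list has to be widened deliberately.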

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

New Dyre Banking Trojan

June 15th, 2014

A new banking Trojan, known as Dyre or Dyreza, was discovered by researchers at CSIS and PhishMe. The malware is designed to bypass SSL protection and steal banking credentials.

PhishMe researchers warned of this new malware, being delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice.” The emails contain links to files on LogMeIn’s Cubby.com file storage service. “Since Dropbox has been quick to block phishing links, the attackers needed a new legitimate service,” noted PhishMe’s Ronnie Tokazowski.

The attack proceeds as follows: clicking the link in the email downloads a zip file. Opening the zip file installs the malware, which monitors all of the victim’s browser traffic, including SSL traffic, with the aim of stealing and uploading online banking login credentials.

“[Bank credentials] should be encrypted and never seen in the clear,” Tokazowski wrote. “By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality, your traffic is redirected to the attackers’ page. To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking.”

Krause told Dark Reading that the malware seems to represent a new banker Trojan family, unrelated to the Zeus Trojan. “One of the biggest differences between Zeus and Dyre is how communication with the command-and-control infrastructure takes place,” he said. “With Zeus, data is usually encoded or encrypted, then passed back as raw binary data. With Dyre, the data is POSTed in the clear, making detection for enterprises with IDS capabilities very straightforward.”

But that may well change in the near future. “Since data is being posted back unencrypted, I believe this malware is only in its infancy, and we should expect more refinements from the malware author,” Krause said.
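Krause’s observation that cleartext C2 traffic is easy to catch is worth making concrete. The block below is an added example, not code from CSIS, PhishMe or the original post: it runs a simple detection over constructed HTTP proxy log lines and flags POSTs sent over plain HTTP whose form body carries credential-looking field names, which is the condition Krause describes. The log format, hosts, paths and parameter names are all made up for the demonstration; nothing here is a Dyre indicator.

```python
"""Spotting cleartext credential exfiltration in egress logs.

Added example, not code from PhishMe, CSIS or the original post. Krause's point
is that unencrypted C2 traffic is straightforward for an IDS to detect; this
shows the equivalent check over constructed HTTP proxy log lines. The log
format, hosts, paths and field names are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed log lines: timestamp, client, method, URL, captured body ("-" if none).
SAMPLE_LOG = """\
2014-06-15T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html -
2014-06-15T10:01:09Z 10.0.0.5 POST https://bank.example.com/login user=jdoe&pass=REDACTED
2014-06-15T10:01:11Z 10.0.0.5 POST http://203.0.113.7/submit login=jdoe&pass=Summer2014&site=bank.example.com
2014-06-15T10:02:30Z 10.0.0.9 POST http://intranet.example.com/form comment=hello
"""

# Form parameter names that commonly carry credentials.
CREDENTIAL_KEYS = re.compile(r"^(user(name)?|login|email|pass(word|wd)?|pwd|pin|otp)$", re.I)


@dataclass
class Alert:
    timestamp: str
    client: str
    host: str
    keys: tuple[str, ...]


def credential_keys(body: str) -> tuple[str, ...]:
    """Return the form field names in body that look like credentials."""
    if body == "-":
        return ()
    params = parse_qs(body, keep_blank_values=True)
    return tuple(sorted(k for k in params if CREDENTIAL_KEYS.match(k)))


def find_cleartext_credential_posts(log: str) -> list[Alert]:
    """Flag POSTs over plain HTTP whose body carries credential-looking fields.

    The legitimate bank login in the sample goes over HTTPS and is not flagged;
    the check targets the malware's own reporting channel, which Krause notes
    is sent unencrypted, not the victim's protected banking session."""
    alerts = []
    for line in log.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # constructed format: five space-separated fields
        ts, client, method, url, body = parts
        target = urlsplit(url)
        if method != "POST" or target.scheme != "http":
            continue
        keys = credential_keys(body)
        if keys:
            alerts.append(Alert(ts, client, target.hostname, keys))
    return alerts


if __name__ == "__main__":
    for alert in find_cleartext_credential_posts(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.client} -> {alert.host}: fields {alert.keys}")
```

As Krause says in the next paragraph, this only works while the author leaves the channel in the clear; a rule keyed on body contents should be treated as a short-lived signature, with the longer-lived signal being the host and destination pattern it surfaces.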

Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, told eSecurity Planet by email that the threat from Dyre is being enabled at least in part by the blind trust too many users have in SSL/TLS. “In fact, 40 percent of mobile online banking applications are estimated to be vulnerable to man-in-the-middle (MITM) attacks without any cyber criminal effort,” he said.

Legal disputes over data theft rising

August 6th, 2013

The number of High Court legal disputes over data theft from businesses has reached a record high, as the popularity of cloud storage services makes it easier for confidential data to be stolen.

According to commercial law firm EMW, the number of such disputes taken to the High Court grew by 58 percent last year, to 167 cases in 2012, up from 45 in 2010 and 106 in 2011.

The majority of these cases are civil claims launched by businesses against former employees, with the aim of preventing them from taking confidential data from the company database.

The popularity of cloud storage systems such as Dropbox has made it easier for employees to move information outside the business. This is one of the reasons for the increase in businesses taking action against employees, said Mark Finn, principal at EMW.

Finn said “The boom in cloud computing and the widespread use of services like Dropbox have made copying a large database something that can be accomplished by virtually anyone in seconds”.

Finn added that many of the cases which have appeared in court have concerned financial services firms, estate agents and recruitment businesses whose employees took databases of contacts with them to rival firms. This has become more of a problem as the tough economic climate of the past years has meant that more staff have been moving from one company to another.

“Employment contracts are generally very clear on this issue – all know-how, databases and other forms of intellectual property developed by staff during their work time is the property of the employer. Occasionally, disgruntled staff may misguidedly feel they have a ‘moral right’ to take data they have developed. This simply is not the case” he said.

“As the economy improves and businesses increasingly see employees leave to join rivals, they will have no choice but to undertake potentially lengthy and costly legal action to protect their interests”.

Dropbox or Spambox

June 11th, 2013

Dropbox users are reporting spam arriving at email addresses dedicated to their accounts with the cloud storage service, in what appears to be a leftover problem from last year’s data security breach.

But the cloud storage company has seen nothing to suggest that this is a new problem or a fresh data breach. The firm said in a public posting that it “remains vigilant given the recent wave of security incidents at other tech companies.”

One user explained the problem in a nutshell:

I have an internal to my company email address that I used for Dropbox only and I am getting the same fake PayPal scam emails. This has been happening since about Monday.

There was concern among forum members that following the hack of Zendesk, Dropbox users may have been at risk. “If Dropbox was affected, they should have already announced this like Twitter, Tumblr and Pinterest did,” said another user.

Last July, Dropbox suffered a data breach after it investigated suspicious incidents on its network. After bringing in outside experts to assist with the probe, the company found that usernames and passwords were stolen and some accounts were accessed. This was exacerbated by the successful intrusion of a Dropbox employee’s account containing a project document with user email addresses.

The file storage company then bolstered its accounts with two-factor authentication as well as automated back-end services to weed out suspicious activity.

Dropbox is used not only by small and medium-sized businesses but also caters for enterprise clients. Dropbox for Teams added to the company’s freemium model by offering generous storage and a back-end dashboard for administering Dropbox accounts, such as adding and deleting users.
