Virtual keyboard app exposes personal data of 31 million users

By Tomáš Foltýn

Personal data belonging to more than 31 million users of a third-party smartphone keyboard app called ai.type were exposed online due to an unprotected online database.

In total, nearly 580 gigabytes of user records were left visible in a MongoDB database after the app’s Israel-based developer failed to use some form of authentication to secure its database server.

The developer’s keyboard apps boast 40 million users across Android and iOS, but only Android users were affected by the security lapse.

CEO and founder of ai.type, Eitan Fitusi, was later reported as having secured the data with a password after being alerted to the issue several times. Before that happened, however, the treasure trove of information was there waiting to become ‘manna from heaven’ for electronic miscreants.

Perhaps just as worryingly, however, is the sheer scope of information sucked up by the on-screen keyboard app, which offers an alternative to the standard smartphone keyboards.

Reports suggest that the breadth of personal information left visible runs the whole gamut, apparently based also on whether the users had installed the app’s free or paid version. The information collected included users’ full names, email addresses, location data, a device’s IMSI and IMEI number, its make and model, Android version, details from users’ public Google profile, and contents of users’ address books.

Also found was a database table containing over 8.6 million entries of text that had been entered on the keyboard and that reportedly included email addresses and their passwords.

Meanwhile, Fitusi was quoted as saying that the data in jeopardy had not been as extensive as claimed and that the app is not snooping on users.

“It was a secondary database,” he told the BBC of the reports, adding that the geo-location data was not accurate, that no IMEI information had been hoovered up, and that the user behavior collected by the company involved only which ads they clicked.

In response to such data collection practices, ESET security specialist Mark James said that “that in itself is a massive hoard of data to hold on a well secured server away from harm’s reach, but sadly that was just not so”.

“The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free for all access,” he added.

Another keyboard app, SwiftKey, had its share of security issues last July after it was reported that some users had received predictive text messages intended for other people, including email addresses and phone numbers. Blaming the glitch on a bug in the keyboard’s synchronization program, the app’s maker temporarily suspended cloud syncing.

Users are advised to exercise caution when installing mobile apps. This is, perhaps, doubly the case with keyboard apps which, by their very nature, have access to all data typed by users, including the most sensitive of information, such as passwords and credit card details.

https://www.welivesecurity.com/2017/12/07/keyboard-app-personal-data-31-million-users/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

Cryptocurrency exchange Bitfinex plagued by DDoS attacks

By Tomáš Foltýn

Digital currency exchange Bitfinex has been going through a sticky patch of late, having been knocked temporarily offline on Monday due to a distributed denial-of-service (DDoS) attack that was reminiscent of a similar incident from a few days prior.

After first tweeting that “Platform is currently under heavy load and we are working to bring it back online”, the Hong Kong-based cryptocurrency exchange platform confirmed shortly afterwards the true nature of the cyberattack.

Normal operations were back up and running within an hour. This outage was preceded by another DDoS attack, on November 26, which “started during earlier maintenance and has been ongoing since”, according to a tweet posted by Bitfinex that same day.

The cast of characters behind the attacks, or their motives, are unclear. However, the onslaughts come at a time when the bitcoin price hits new highs, possibly triggering efforts on the part of cybercriminals to manipulate and cash in on the price.

Sandwiched between the two attacks was a ‘flash crash’ that reportedly hit Bitfinex last Wednesday and prompted some traders to report severe losses after the prices of cryptocurrencies NEO, OMG, and ETP plummeted by as much as 90%, causing the closing of their positions. Bitfinex argued that it was operating as normal, however.

Another major digital currency exchange, Coinbase, experienced its own flash crash in June, ultimately drawing regulatory scrutiny.

Trading also went berserk a little over two years ago, resulting in a drop of 14% in Bitcoin’s price within a span of some 30 minutes.

Until last week, Bitfinex was the top exchange for U.S. dollar-bitcoin trading in terms of trading volume before it was surpassed by Coinbase.

Much like other cryptocurrency exchanges, Bitfinex is no stranger to being on the receiving end of cyberattacks. On top of experiencing multiple DDoS attacks, Bitfinex landed in hot water in August 2016 following a massive cyberheist. Before the exchange bounced back, the incident may have afforded many traders a sort of déjà vu experience, sparking fears that Bitfinex could go the way of Mt. Gox. That Bitcoin exchange collapsed in 2014 after losing $500 million of customer money to hackers, itself another stark reminder that cryptocurrency trading is not for the faint-hearted.

https://www.welivesecurity.com/2017/12/06/cryptocurrency-bitfinex-ddos-attacks/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

ISF predicts increasing impact of data breaches next year

By Tomáš Foltýn

The number, magnitude and costs of data breaches are all set to continue on their upward trajectories in the coming year, according to a forecast by the Information Security Forum (ISF).

This prediction is included in their Global Security Threat Outlook for 2018 and comes with a warning that the stakes are now “higher than ever before”.

The increased pervasiveness of data breaches and the higher volume of impacted records are expected to result in far higher costs for organizations of all sizes, notes the ISF, an independent and not-for-profit association of leading organizations from around the world.

The association expects the increased costs incurred in security breaches to come both from traditional areas, such as network cleanup and customer notification, and newer areas such as litigation.

As if in a chain reaction, the data breaches will spur “angry customers” to mount pressure on governments to tighten up data protection laws, which in turn will translate into additional and unforeseen costs. “The resulting mess of international regulations” will trigger new compliance headaches while doing little to deter cybercrime.

“In 2018, we will see increased sophistication in the threat landscape with threats being personalized to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place … These days, the stakes are higher than ever before. High level corporate secrets and critical infrastructure are regularly under attack and organizations of all sizes need to be aware of the significant trends that we forecast in the year to come,” ISF Managing Director Steve Durbin is quoted as saying.

These trends will be underpinned by these five most prevalent threats that the ISF expects to loom large on businesses next year:

·         Crime-as-a-service (CaaS) is set to expand available tools and services, as criminal organizations won’t let up on their efforts to make their malicious wares increasingly more sophisticated. Criminal groups will make forays into new markets and will commoditize their activities globally, which is poised to result in more persistent and damaging cyber incidents than ever before.

·         The Internet of Things (IoT) will add unmanaged risks due to the organizations’ embracing of IoT devices but losing sight of the fact that these devices are often insecure by design, thus affording bad actors ample opportunities for attacks. “In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life,” reads the ISF’s prediction.

·         Supply chain remains the weakest link in risk management, according to the ISF, which points to the perils of sharing valuable and sensitive information with suppliers, as it leads to “an increased risk of its confidentiality, integrity or availability being compromised”.

·         Regulation adds to complexity and, as a result of additional resources required to address the obligations enshrined in the EU’s General Data Protection Regulation (GDPR), businesses may – on top of facing extra compliance and data management costs – have their attention and investment drawn away from other important initiatives.

·         Lastly, misalignment between a board’s expectations and the actual ability of information security officers to deliver also constitutes a threat. The ISF notes that many boards don’t realize that it takes time to make substantial improvements to information security, which is why the association anticipates that this mismatch will be most exposed by major incidents. “Not only will the organization face substantial impact, the repercussions will also reflect badly on the individuals and collective reputations of the board members,” according to the ISF.

The ISF was quick to note that the key five threats “are not mutually exclusive and can combine to create even greater threat profiles”.

https://www.welivesecurity.com/2017/12/05/isf-predicts-data-breaches-2018/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29