Late last week, the personal data of 1.8 million Chicago registered voters was accidentally exposed by a third-party vendor. A file containing the names, addresses, dates of birth and other information was published online and was publicly accessible for an unknown period of time, according to the Chicago Board of Election Commissioners.
Researchers from cyber risk company UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The exposed data was found in an Amazon Web Services bucket configured for public access, according to Threatpost. The data was a backup stored in AWS by a voting machine and election management systems vendor called Election Systems & Software (ES&S).
Election Systems said in a statement that the files "did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems." The company said it had "promptly secured" the files on Saturday evening and had launched "a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server."
Rich Campagna, CEO of Bitglass, says that it doesn’t take much for outsiders – malicious or not - to find unsecured data stores such as the one that housed the personal data of Chicago voters. "Where data is publicly accessible because of accidental upload or misconfiguration of a service like AWS, outsiders don't need a password or the ability to crack complex encryption to get at sensitive information," states Campagna. "Unfortunately, Election Systems & Software has no way to tell whether anyone got their hands on this data prior to UpGuard discovering the exposed data."
Campagna goes on to say that there has been a run of simple and avoidable AWS misconfigurations that recently led Amazon to introduce ‘Macie’ to discover, classify and protect sensitive data. In most cases, the misconfigurations have been by well-meaning employees with excessive privilege and little security oversight. "Organizations must leverage security technologies, such as those provided by the public cloud providers, IDaaS providers, and CASBs, which provide visibility and control over cloud services like AWS," says Campagna.
According to the Bitglass CEO, it could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Preventative measures, my friends.
Our second story takes a look at some new research/a new study from Agari which revelas that a whopping 92 percent of Fortune 500 companies rather "miss the boat" when it comes to adequately protecting their customers from phishermen.
The report, titled “Global DMARC Adoption Report: Open Season for Phishers,” examines DMARC adoption rates for the Fortune 500. DMARC is an email authentication standard deployed via DNS that prevents domain name spoofing and phishing.
Unfortunately, more than two-thirds of the Fortune 500 have not deployed DMARC. Even worse, more than 90 percent of the Fortune 500 remain vulnerable to phishing because existing DMARC deployments are set to monitor, instead of quarantine or reject. Worst of all, it is the consumers that suffer for this lack of security since they will be targeted by phishing campaigns.
“It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing,” said Patrick Peterson, founder and executive chairman of Agari in the official press release. “Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard.”
According to Shehzad Mirza, Director of Operations of Global Cyber Alliance, DMARC is an "essential tool" that helps prevent spam, phishing and data loss. This should serve as a call to action for providers to urge organizations to embrace this technology standard to eliminate direct domain spoofing.
Our final story this week examines one of our favorite topics: "Is Russia spying on us." According to Business Insider, White House cybersecurity head honcho Rob Joyce warned the public against using software developed by Kaspersky Labs in an interview with CBS News Wednesday. “I don’t use Kaspersky Lab products,” said Joyce.
Joyce's statements come one month after the Trump administration made the move to prevent government agencies from using Kaspersky’s software. If you remember, the General Services Administration announced in July that it had removed Kaspersky from the list of approved vendors government agencies can utilize. You know, because of suspicion.
Kaspersky’s products are well-known and quite widely used in the United States, worrying officials that Russian state actors could exploit Kaspersky’s software and gain access to U.S. user data as well as critical infrastructure. Michael Morell, the former deputy director of the CIA, believes, along with a good majority of the intelligence community, that there is a link between Kaspersky and the Kremlin. “There is a connection between Kaspersky and Russian intelligence, and I’m absolutely certain that Russian intelligence would want to use that connection to their advantage,” Morell told CBS.
Stay tuned on this one, folks. Definitely more to come on this story.
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.