Open database with unprotected passwords found, COVID test results sent to wrong person and a defence against Zoombombing.
Welcome to Cyber Security Today. It’s Wednesday, November 18th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
More sloppy work by someone working on a database. This time an employee at a Texas-based application hosting provider called Cloud Clusters left a sensitive database open to the internet that anyone could have accessed. It held more than 63 million records. The data included usernames and passwords for accounts on the Magento e-commerce and WordPress publishing platforms. Other data included backups and monitoring logs of IT systems of customers. This blunder was found last month by a security company called Secure Thought and a security researcher and is only now being publicized. It isn’t known how long the database was open, but someone could have copied it and used the passwords to fraudulently get into companies and spread malware, buy products or attack WordPress content. Leaving any corporate database that is open to the internet unprotected by a password is bad security. Holding any unencrypted passwords of either your own company or customers is really bad security.
Speaking of unencrypted data, there’s news that a temporary employee of the Delaware state public health department twice accidentally sent emails to the wrong person with files holding unencrypted COVID-19 test results of people. The emails were supposed to go to another department. The incident happened in August but the state is only now admitting it. There are no details of how the mistake happened, but there are two possibilities: Either the employee misspelled the name of the intended recipient, or they hit the wrong name in the email contact list. Fortunately no harm was done: The person who got the files reported the mistake and deleted the files. It could have been worse. Strangers knowing who has tested positive for the virus could have tried extorting them. The Delaware health department said it has retrained staff on appropriate email policies and procedures. Hopefully that included when files should be encrypted. It’s another example of why you have to slow down when reading, reacting to or sending emails.
Finally, some mischief-makers take delight in interrupting private videoconferences if they can get hold of meeting passwords and URLs. Most recently an online meeting of the Gonzaga University Black Student Union in Washington State was interrupted by jerks who uttered racial and homophobic slurs. This week Zoom announced a new service aimed at reducing the odds of that happening on its platform. When you organize a videoconference, links should only go to those who are invited or registered. But some participants may post the link to a friend on a social media account like Facebook or Twitter. They think the message is private. But their account or their friend’s may not be. If someone unauthorized finds that link they can also join in. To fight this Zoom now constantly scans the internet looking for publicly available Zoom meeting links. When it finds one it notifies the meeting administrator that the meeting is at risk of being infiltrated. The administrator can then decide if the meeting should be rescheduled, with better security.
That’s it for Cyber Security Today. Links to details about these stories are in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.