One Vendor, Two Unprotected Servers Equal Disaster
Agilisium, a cloud storage vendor to Universal Music Group, exposed UMG’s internal FTP credentials, AWS Secret Keys and Passwords and the internal and SQL root password to the open internet – all via two instances of the Apache Airflow server with no password.
Your Vendor Cyber Risk Management Program (VCRM) manager needs to work with all vendors, especially those who are high risk, to make sure their cyber security program matches your risk, because you are the one who is going to take the heat (Source: Threatpost).
Online Ticket Service TicketFly Hacked, Shuts Down As a Precaution
Online Ticket Service TicketFly and some of the venues that it provides service for shutdown last week after it was hacked. It came back up briefly but is down again today, June 4. Concert venues that use TicketFly have had to delay ticket sales and concert goers that did not print out paper tickets for concerts going on during the outage will have to wait on line at the ticket office of the venue and hope they can get them tickets. Ultimately, if that fails AND they paid for their ticket with a credit card, they will get their money back under federal law. If they had to fly to the venue and didn’t get in, well that may be a different story. The dangers of an always online world that is not always online. Eventbrite bought TicketFly last year for $200 million (Source: CBS).
Stingrays in Use Near the White House
It has long been suspected that the Ruskies (or Chinese. Or both) have been using cell site simulators near sensitive areas to capture information. When Sen. Wyden whined about it, DHS said that it wasn’t in the budget for them to protect the White House or Congress from those pesky Ruskies. Well after they were sufficiently embarrassed, they did a small pilot and, well, it is true. And, on top of it, the bad guys are hacking the public phone networks control system, called SS7, written in the 1980s, and which has very little security in it. Fixing SS7 is a major world wide undertaking, would cost billions and take decades to fix. So DHS still says that they don’t have money to fix it, but we do know that, along with hacking the elections, the Ruskies are hacking our phones. (Source: The Register).
What Did Atlanta Lose?
When Atlanta got hit by a ransomware attack, they seemed to downplay the impact, but now they are telling a different story. The city has spent $5 million in the aftermath of the attack, both to recover and to improve security, but it is not all sunshine.
The did lose years’ worth of police dashcam footage – never to be recovered. If that was important evidence in a case, the case may need to be dismissed. It did not affect body cam video, however. What other files will be discovered to have been lost – that we will need to wait to find out (Source: We Live Security).