The fingerprints of over 1 million people, along with facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database belonging to a company whose customers include the UK Metropolitan Police, defence contractors and banks. Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system, which provides centralised control over access to secure facilities such as warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
ISBuzz Team
It is well over a year now since the EU General Data Protection Regulation (GDPR) came into effect. It was a defining moment in the history of data privacy. It shone a spotlight on data protection, helping to turn it into a top priority for organisations worldwide. It engendered stricter laws in California, New Zealand and Brazil and a range of other states and countries. According to the European Data Protection Board, regulators in 11 countries issued fines totalling €56 million for GDPR violations over the first year of GDPR. Recent months, however, have seen some particularly high-profile cases and heavy…
Suprema has reportedly suffered a biometric database breach, with facial recognition records, fingerprints, log data and personal information found on “a publicly accessible database.” The extent of the damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.
Hackers claim to have stolen 700,000 guest records belonging to Choice Hotels, one of the largest hotel chains in the world. Security researcher Bob Diachenko discovered the unsecured database, which was left exposed and accessible to anyone with an internet connection. Diachenko immediately notified the company of the exposed MongoDB instance, but it appears malicious actors got to it first. The hackers apparently stole and demanded ransom for more than 700,000 customer records belonging to major hotel franchisor Choice Hotels, including names, addresses, payment records, email addresses, and phone numbers. The company says the data was hosted on a vendor’s server, and no Choice Hotels servers were accessed. “The vendor was…
The recent credential stuffing attack at State Farm highlights the necessity to protect your company’s business applications, whether they’re web, mobile or API-based.
According to this article, https://www.bleepingcomputer.com/news/security/hvacking-remotely-exploiting-bugs-in-building-control-systems/, security researchers have found a zero-day vulnerability in a popular building controller used for managing various systems, including HVAC (heating, ventilation, and air conditioning), alarms, or pressure levels in controlled environments. Discovered using the automated software testing technique called “fuzzing,” the point of failure gives an attacker on the network full control of an unpatched system. They would be in a position to manage the various building controls connected to the vulnerable device. The vulnerability is now tracked as CVE-2019-9569 and is a buffer overflow that leads to remote code execution when properly exploited. Attacks can…
More bad news for British Airways: after its ticket system left hundreds of people stranded in airports due to IT failures last week, a security bug has now been discovered in its e-ticketing system which has the potential to expose passengers’ data, including flight booking details and personal information. The researchers have estimated that 2.5 million connections were made to the affected British Airways domains over the past six months, so the potential impact could be significant. More information about the story can be found here.
Researchers including Kevin Skoglund, an independent security consultant, found 35 election systems connected to the internet for months or longer, including some in swing states, as reported by Motherboard. Two backend systems, the reporting system that tabulates votes and the election-management system, sit on a local area network that is connected to the firewall through a switch.
According to Bleeping Computer, attackers are capitalizing on this by sending emails that pretend to be “Microsoft account unusual sign-in activity” alerts from Microsoft. When compared to the legitimate email notifications sent by Microsoft, they look almost identical with the same information fields and even the same sender address of “[email protected]”.
Security researchers have discovered a fundamental flaw within a Canon DSLR camera which could give hackers the ability to install malware via the camera’s Picture Transfer Protocol software. The researchers began by searching for and “dumping” the firmware of a free open-source software package called Magic Lantern, used by a modding community of Canon owners to add new features to their cameras. Once obtained, they were able to hunt for vulnerabilities in the cameras themselves; in particular, flaws that could be used by hackers to install malware via the camera’s Picture Transfer Protocol. The protocol is an attacker’s delight because it is both unauthenticated and supports “dozens of different…
