The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scans ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches. In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
But I wanted to share an earlier experience of working with the Ecuadorian government to ensure the cyber and data security of my home nation. We restructured the security backbone of all Registration Institutions and National Public Data Recording Address (DINARDAP Spanish acronym), by implementing endpoint, perimetral, database security amongst others.
The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.Much of the usernames and passwords were not encrypted, Rotem told the Guardian.
“We were able to find plain-text passwords of administrator accounts,” he said.
“The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.”
“We [were] able to change data and add new users,” he said.
This would mean that he could edit an existing user’s account and add his own fingerprint and then be able to access whatever building that user is authorised to access, or he could just add himself as a user with his photo and fingerprints.In the paper about the discovery provided to the Guardian before being published by vpnmentor on Wednesday, the researchers said they were able to access data from co-working organisations in the US and Indonesia, a gym chain in India and Pakistan, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others.
The researchers said the sheer scale of the breach was alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint.
A malicious party gained access to the at the time Windows-based archive server () which we've been renting from Frantech/BuyVM, and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers said in the paper.The researchers made multiple attempts to contact Suprema before taking the paper to the Guardian late last week. Early Wednesday morning (Australian time) the vulnerability was closed, but they still have not heard back from the security firm.Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnmentor and would inform customers if there was a threat.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.Rotem said the problem wasn’t unique to Suprema.
“It’s very common. There’s literally millions of open systems, and going through them is a very tedious process,” he said. “And some of the systems are quite sensitive.”He said supply chain vulnerabilities – where a company uses a third-party company for a service that doesn’t have appropriate security – was common but often some of the vulnerabilities discovered were with Fortune 500 companies.
Rotem said he contacts around three or four companies per week with similar issues. Earlier this year, Rotem pointed out a substantial flaw in Amadeus’s flight booking system. “Mistakes happen, and the real test is how you handle them,” Rotem said. “If you have a security team that can respond quickly and efficiently it’s good enough. If you have a security team that will send a legal team to threaten you, well, it’s less efficient.
“And this happens quite a lot. It’s unpleasant for someone to point out you have a vulnerability or weakness. Some people take it as an opportunity to fix it and some people are offended by it for some reason.”