<b>Vulnerable Disclosures</b><br />
The purpose of this page is to raise awareness among individuals and organizations that are leaking their own information and the information of their customers. The entities listed on this site are verified to be leaking personal information, sometimes without the company even being aware of it. SLC Security is now owned and operated by Jigsaw Security Enterprise. We are currently in the process of transitioning, and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.<br />
<br />
<b>Huge Uptick in Russian Activity</b> (2017-05-11)<br />
Over the last two days we have observed a huge uptick in Russian activity.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8398g2WAlipu2hX2Rw9Lg187uQF4oI4jRNLSoyuu6uy7Xf-xS_gdNd90cBsPezjOdJZCkshnd1OKBKBkeAFOfsh16whoPlfP92NHB5utKc7iyS1FN5NWKDpF9d9iuHwCKjOlGo3Rpo6s/s1600/APT2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8398g2WAlipu2hX2Rw9Lg187uQF4oI4jRNLSoyuu6uy7Xf-xS_gdNd90cBsPezjOdJZCkshnd1OKBKBkeAFOfsh16whoPlfP92NHB5utKc7iyS1FN5NWKDpF9d9iuHwCKjOlGo3Rpo6s/s400/APT2.png" width="400" /></a></div>
<br />
It appears as though we will be seeing more of this.<br />
<br />
And here is the most recent update<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMv9YP64b3U_p3AwXYt7fDTmzkjfvW9XioG-gbOhZUD5Efb5ed4j5IkZzQ5ixg53DqS4OVvON0JryaWr3QOdiKtf70yrgzwuGBJirTiO_raCYquHrWtowpmWAFCazLeeVp4-g2riqMrVU/s1600/APT3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMv9YP64b3U_p3AwXYt7fDTmzkjfvW9XioG-gbOhZUD5Efb5ed4j5IkZzQ5ixg53DqS4OVvON0JryaWr3QOdiKtf70yrgzwuGBJirTiO_raCYquHrWtowpmWAFCazLeeVp4-g2riqMrVU/s400/APT3.png" width="400" /></a></div>
<br />
As you can see things in the malware world are about to get interesting.<br />
<br /><div class="blogger-post-footer">Provided by SLC Security Services LLC 919-441-7353</div>
<br />
<b>Motorola being targeted by Hackers</b> (2017-05-05)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNjCBDHB_eaWxkWTfePqeRcmkav0AIWyFpskNJx85bBFACQKcm1YWWszjS6KGwk1Qrlkd6y_5_gJPGkRkoi85iqAD_LxNH-C_aDMbK9fY1CTi4QA_jl8uD7tLlxYfYGZDkHl5Lhyphenhyphene-n_s/s1600/moto.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNjCBDHB_eaWxkWTfePqeRcmkav0AIWyFpskNJx85bBFACQKcm1YWWszjS6KGwk1Qrlkd6y_5_gJPGkRkoi85iqAD_LxNH-C_aDMbK9fY1CTi4QA_jl8uD7tLlxYfYGZDkHl5Lhyphenhyphene-n_s/s200/moto.jpg" width="143" /></a></div>
<br />
<br />
Yes, we know it's been a while, but we haven't been hiding, simply busy. While working through our daily routine today we noted that quite a lot of Motorola-like domains are being registered by Chinese actors. This led to some research in which we uncovered that over the last few days several hundred Motorola-like domains were registered, all with a central theme of being connected to motorola.3322.net, motorola.sytes.net and similar domains that we have observed used in Chinese attacks in the past.<br />
<br />
It's probably a good idea for Motorola to start the process of getting these domains, and the dynamic DNS services associated with their trademarked name, in check now before this activity starts affecting their customers.<br />
<br />
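One way to triage a feed of newly registered hostnames for the pattern described above (a brand-lookalike label sitting under a dynamic-DNS suffix such as 3322.net or sytes.net). This is an added illustration, not SLC Security's tooling; the brand, suffix list, allowlist and sample feed are constructed assumptions.

```python
import re

BRAND = "motorola"

# Dynamic-DNS suffixes named in the post plus two other well-known providers.
# Assumption: illustrative, not a complete provider inventory.
DYNDNS_SUFFIXES = ("3322.net", "sytes.net", "no-ip.org", "ddns.net")

# Constructed allowlist of domains the brand owner is assumed to operate.
ALLOWLIST = {"motorola.com"}

# Constructed sample of "newly seen" hostnames (not real registration data).
SAMPLE_FEED = [
    "motorola.3322.net",
    "motorola.sytes.net",
    "m0torola-update.sytes.net",
    "motorolla-support.com",
    "www.motorola.com",
    "moto.3322.net",
    "example.com",
]


def levenshtein(a, b):
    """Plain edit distance; small inputs, so no optimisation needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(label, brand=BRAND, max_distance=1):
    """Return why a DNS label looks like the brand, or None."""
    # Fold common digit-for-letter substitutions so "m0torola" compares as "motorola".
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
    folded = label.lower().translate(table)
    tokens = re.split(r"[-_]+", folded)
    if brand in "".join(tokens):
        return "contains brand"
    # Catch single-character misspellings of a token ("motorolla").
    if any(levenshtein(t, brand) <= max_distance for t in tokens):
        return "near-miss of brand"
    return None


def classify(hostname, brand=BRAND):
    """Return a finding dict for a lookalike hostname, or None if it is clean."""
    host = hostname.strip().lower().rstrip(".")
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return None
    dyndns = next((s for s in DYNDNS_SUFFIXES if host == s or host.endswith("." + s)), None)
    labels = host.split(".")
    # Lookalike labels live to the left of the dyn-DNS suffix, or of the last label
    # otherwise (naively treated as the TLD; multi-part TLDs like co.uk are not handled).
    skip = len(dyndns.split(".")) if dyndns else 1
    for label in labels[:-skip]:
        reason = brand_match(label, brand)
        if reason:
            # Dynamic DNS under a brand label is the pattern the post describes,
            # so it gets the higher severity.
            return {"host": host, "severity": "high" if dyndns else "medium",
                    "reason": reason, "dyndns": dyndns}
    return None


def scan(feed, brand=BRAND):
    """Classify every hostname in the feed and keep only the findings."""
    return [f for f in (classify(h, brand) for h in feed) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_FEED):
        print(finding)
```

Short abbreviations such as "moto" are deliberately not flagged; they need a separate keyword list or a smaller distance on a shorter brand token.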
Have a great weekend!<br />
<br />
<b>Bitcoin Leaked Data</b> (2016-12-26)<br />
Searching through our platform we are seeing bitcoin transactions that include full credit card numbers. Here is a redacted list of what we are seeing. These appear to be foreign but are still interesting.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDeP8-wbxKA1UY7sRqiDxNhJVDu9nZZQ_i8b6uIjKqa9tube0sE5eHXnpXOEvx7ZXz7QrW5lT3lS32FU1JizMiDPz6Sd2b6ZnPNkj2WnOIGXNXUr-lBNiXYjOY7GSXiVNyWh_4SqxOmEo/s1600/Bitcoin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDeP8-wbxKA1UY7sRqiDxNhJVDu9nZZQ_i8b6uIjKqa9tube0sE5eHXnpXOEvx7ZXz7QrW5lT3lS32FU1JizMiDPz6Sd2b6ZnPNkj2WnOIGXNXUr-lBNiXYjOY7GSXiVNyWh_4SqxOmEo/s1600/Bitcoin.png" /></a></div>
<br />
<br />
<pre wrap="">sendername,senderlast,emailaddress,telephone,bitcoin,price,payment,visaCardName,visaCardNumber,visaCardCCV,visaCardYear,masterCardName,masterCardNumber,masterCardCCV,masterCardMonth,masterCardYear
Avro,Ahmed,avro3030@gmail.com,035325325,"2 BTC","1255.32 USD",Visa,"Avro Ahmed",4364************,CVV,,,,,,</pre>
<div class="de1">
Seems like this is an all too common occurrence lately. </div>
<br />
<b>IBM of Brazil Credential Exposure</b> (2016-12-26)<br />
Looking through the Jigsaw Analytics Platform (from Jigsaw Security) we noted today that an account at the br.ibm.com domain is being leaked.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu_glGNY3Z-pyGTYMuBact0OQisf_FvezIAoNSvKBHhbtMhDrgKf9nSfQxIszwqg0j9oCFk-pchoa8IswMgr-mkvZ2WiiMhbxja5jNIemSngwoJSeQMvWdQm3ZUIp1PBvfo-9tK6djcFg/s1600/IBM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu_glGNY3Z-pyGTYMuBact0OQisf_FvezIAoNSvKBHhbtMhDrgKf9nSfQxIszwqg0j9oCFk-pchoa8IswMgr-mkvZ2WiiMhbxja5jNIemSngwoJSeQMvWdQm3ZUIp1PBvfo-9tK6djcFg/s1600/IBM.png" /></a></div>
<br />
As 2016 comes to a close we have decided that instead of ignoring these issues we will be posting more and more. In fact we will be exposing these issues in 2017.<br />
<br />
Source: http://www.pastebin.com/5EM2yiuu.txt<br />
<br />
<br />
<b>More Retail Breach Details</b> (2016-12-08)<br />
We are about to release some details on another retail breach. It seems it just keeps getting worse and worse. We are trying to contact these folks, but if they don't respond we will just post the information here.<br />
<br />
<br />
<b>What are we tracking today?</b> (2016-10-26)<br />
Just a little over 20000 infected cameras, routers and Unix-based embedded operating systems.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji1xowroTcNMCKLdngseP9v-8KTAt-vKUOEgB5UT8d3QnN9zwvGB6OnHNur2lEAs9p0sZP_Esq0x9yI-EXWNw1UJvStMNjjbT7glgAK3FuNI2_B-SJ-WpFE1PcMsMNgnBpFm-jcyeTcKw/s1600/Tracking.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji1xowroTcNMCKLdngseP9v-8KTAt-vKUOEgB5UT8d3QnN9zwvGB6OnHNur2lEAs9p0sZP_Esq0x9yI-EXWNw1UJvStMNjjbT7glgAK3FuNI2_B-SJ-WpFE1PcMsMNgnBpFm-jcyeTcKw/s400/Tracking.png" width="400" /></a></div>
<br />
It's not looking good for the Interwebs at the moment. This list keeps growing and growing...<br />
<br />
Hopefully we don't see a repeat of what we saw last week!<br />
<br />
<br />
<b>We Told You So!</b> (2016-09-20)<br />
I just read a post on databreaches.net that talks about the issues at WakeMed. Remember, this is not the first time they have popped up on this blog. We contacted them and received no response. If they were smart they would talk to us, because we provided other information and to date they have done nothing about it.<br />
<br />
The response I received was that they didn't care because it was end users' accounts that were affected. It just goes to show that all of this could have been prevented, but their response to us was not what we would have expected.<br />
<br />
<b>Reference: </b><br />
https://www.databreaches.net/wakemed-exposed-patients-phi-in-bankruptcy-claims-uploaded-to-pacer-attorney/<br />
<br />
<b>Previous Warnings:</b><br />
http://vulnerabledisclosures.blogspot.com/search/label/wakemed<br />
<br />
<b>DNC Hacked Over a Year Ago</b> (2016-09-06)<br />
What they are not telling you in the news is that the DNC was hacked at least as early as December 2015. Looking back through our data we noted that the DNC FTP server information was publicly known and had been obtained through the Pony malware attacks that dominated part of 2015.<br />
<br />
During forensics of a server in December of 2015 we noted that there was political information in the data set, but did not really see the significance until recently when reviewing the forensics information.<br />
<br />
<br />
<b>Representative Wagner, Pennsylvania - Just a quick note</b> (2016-08-25)<br />
So we started seeing some references to Representative Wagner in PA in dumps today. It was his username and an obvious password. We tried to contact them to let them know and were greeted with this:<br />
<br />
<pre wrap=""><a class="moz-txt-link-rfc2396E" href="mailto:dwagner@state.pa.us"><dwagner@state.pa.us></a>: host mx1.pa.iphmx.com[68.232.140.80] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)</pre>
<pre wrap=""> </pre>
<pre wrap="">Now what if I was trying to email my state representative? I guess I would be screwed because Cisco decided that I can't email them right? </pre>
<pre wrap=""> </pre>
<pre wrap="">Well you can thank Cisco Ironport. Apparently Cisco has us on their blocklist and hasn't removed us. Maybe because we make them look stupid by posting their passwords such as this one...</pre>
<pre wrap=""> </pre>
<pre wrap="">August 24th 2016, 20:00:00.000</pre>
<table class="kbn-table table ng-scope"><tbody>
<tr class="discover-table-row ng-scope ng-isolate-scope"><td class="discover-table-timefield" data-column="" style="cursor: auto;" width="1%"><br /></td><td class="discover-table-datafield" data-column="date" style="cursor: auto;"><div class="truncate-by-height">
August 24th 2016, 20:00:00.000</div>
</td><td class="discover-table-datafield" data-column="IOC" style="cursor: auto;"><div class="truncate-by-height">
nhg@<mark>cisco.com</mark>|Gold*****</div>
</td><td class="discover-table-datafield click" data-column="event_id" style="cursor: pointer;">9988</td><td class="discover-table-datafield click" data-column="comment" style="cursor: pointer;"><div class="truncate-by-height">
<wbr></wbr></div>
</td></tr>
</tbody></table>
<pre wrap=""> </pre>
<pre wrap=""> </pre>
<pre wrap="">Don't you just love it when these companies rely on a useless piece of technology like the Ironport devices?</pre>
<br />
<b>Deep Diving xDedic Marketplace</b> (2016-06-20)<br />
First off, I would like to thank SecureList for posting the full unredacted IP address information on the servers posted to Pastebin in their <a href="https://securelist.com/blog/research/75120/the-tip-of-the-iceberg-an-unexpected-turn-in-the-xdedic-story/" target="_blank">recent article</a>. Upon seeing the file I decided to have our analyst take a look, see which servers were affected and figure out who owns those servers (the companies affected).<br />
<br />
Using our Intelligence Platform to process the 70000+ entries and to perform analytic modeling on the data, we came up with the following.<br />
<br />
<b>Ingest Time:</b> 35 seconds<br />
<b>Total Records Ingested:</b> 176,076<br />
<b>DNS Enrichment:</b> 5 minutes 25 seconds<br />
<br />
So now we have the data in our big data platform and we want to see exactly what the IPs resolve to. Our goal is to figure out which companies are affected by this and have been breached without being aware of it, and to notify them.<br />
<br />
More information will be posted shortly...<br />
<br />
<b>UPDATED: A look at Guardzilla - They have eyes even when you don't!</b> (2016-06-06, updated 2016-06-20)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMiD3H5Qo22qgUFmrtYo3QwaQ7vUwh8n5qH5fQSqs97JeOH_lfUKem4z8L-UqaiR-ZlrSiexrY1js98MJyS8MbtAT7HNbAzjn8QLR03D4cLN2rsWAfHWdQftM1OpSfBkTz2lymEkvU2xw/s1600/Guardzilla.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMiD3H5Qo22qgUFmrtYo3QwaQ7vUwh8n5qH5fQSqs97JeOH_lfUKem4z8L-UqaiR-ZlrSiexrY1js98MJyS8MbtAT7HNbAzjn8QLR03D4cLN2rsWAfHWdQftM1OpSfBkTz2lymEkvU2xw/s200/Guardzilla.jpeg" width="200" /></a> Look familiar? Well, this device started showing up in all the big box retailers last year, so we decided to give one a try. Hooking the device up to an EVDO hotspot on Verizon was interesting at best. During our testing we discovered that the device streams continuously back to Guardzilla (even if you don't subscribe to their monitoring) all the time. So this "security" device has some serious "privacy" issues. The way most cameras work is that you access the camera and it streams the images to you directly, but Guardzilla is not set up that way. When you set up the device it ALWAYS streams the video back to Guardzilla, even if you don't subscribe to that service.<br />
<br />
This is troubling for a number of reasons, as Guardzilla now gets a sneak peek into your "secure" area without your consent.<br />
<br />
<b>The Guardzilla Privacy Policy:</b><br />
<i>Practecol takes reasonable efforts to ensure that your personal information is protected while you use the Services.</i><br />
<br />
Oh, and there's this line:<br />
<i> Also, video, audio, and other information received or recorded by your Guardzilla device may be stored on our servers or the servers of <b>third parties.</b></i><br />
<br />
<b>I wonder who these third parties are because they are not disclosed anywhere in the privacy policy or terms of use. </b><br />
<br />
<b>Wait, what?!</b> So let me get this straight: the information is protected while you use the services but not when you're not using the services. So if I'm watching the video I'm now being protected by reasonable efforts to ensure that my information is protected, but when I stop using the services it is not protected any longer? This is quite confusing, honestly. So while you're in bed sleeping your information is not protected because you're not actively using the services?<br />
<br />
Here's the problem. Even when you don't subscribe to the recording and playback features offered by Guardzilla, the devices still stream to Guardzilla, and we assume that the video is being stored, otherwise why would you send it? What tipped us off was the fact that the device uses nearly 1GB of bandwidth per day even when you're not viewing the camera. So basically you're allowing Guardzilla to see into your protected space and to hear everything that goes on in that space, because these devices are constantly streaming even when you are not using them.<br />
<br />
We thought you might like to know. I can tell you this. Our Guardzilla test unit is about to be smashed in the parking lot never to be seen or heard from again.... Ever...<br />
<br />
<b>UPDATE:</b> So Guardzilla reached out to me via email and specifically stated that this is how the product works. I definitely would NOT recommend the purchase of these devices under any circumstances, since the terms of service basically say they can do what they want with your videos, and the fact that it will use 30GB of data per month is ridiculous. Best to purchase a camera that only sends the information to you and only when requested.<br />
<br />
<b>University of Berkeley In Trouble AGAIN</b> (2016-06-04)<br />
Started seeing reports from the University of Berkeley again this evening. Specifically 169.229.3.91, which has been observed trying to run shellcode against a rash of servers over the last 2 weeks. The activity is very high today. Maybe the "Office of the President" at Berkeley can hire somebody to secure their network. Not that they have ever been breached or anything.<br />
<br />
We have a history with reporting on activity at Berkeley. Search our archives for more information. <br />
<br />
<b>Russia gets the jump with DMA Locker</b> (2016-05-24)<br />
Over the course of the last few days we have been monitoring the malware known as DMA Locker. It appears as though Russia is building some really good capabilities for infecting workstations, with zero detection currently in any of the antivirus products that we have tested.<br />
<br />
In addition there is only 1 sample on VirusTotal, and none of the other vendors except Malwarebytes are even taking a look at this one.<br />
<br />
As you can see below our analytics products are pointing squarely at Russia on this one. Keep your eyes out and check out our threat intelligence for more information. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbRdKCstLZBKNjB9vhzb6pppfNyVKMumRQWY9Ic5hFGOhlO8TQakS0fgX4hlFubi4UbffpeJuEGLMl-D_udW0G4st-AL6dga-yaX_PF-APS62LSxOHXRKShLK7jM_4XRD-p0-CmaPDLAo/s1600/screenshot.17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbRdKCstLZBKNjB9vhzb6pppfNyVKMumRQWY9Ic5hFGOhlO8TQakS0fgX4hlFubi4UbffpeJuEGLMl-D_udW0G4st-AL6dga-yaX_PF-APS62LSxOHXRKShLK7jM_4XRD-p0-CmaPDLAo/s400/screenshot.17.jpg" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Screenshot Courtesy of Jigsaw Security (www.jigsaw-security.com) </b></div>
<br />
Keep an eye on this one!<br />
<br />
<b>Cornell University looks the other way</b> (2016-02-25)<br />
As part of a new initiative to notify users of leaked credentials, Jigsaw Security, a member of SLC Security, notified Cornell of a security issue. The response from Tom McMahon was interesting.<br />
<br />
Quote:<br />
<i><span class="" style="background-color: white;">"Stop scaring our users."</span></i><br />
<br />
<span class="" style="background-color: white;">The interesting thing is that Cornell has been hacked numerous times as evidenced by the following: </span><br />
<span class="" style="background-color: white;">http://www.databreaches.net/u-of-hawaii-and-cornell-university-hacked-by-marxistattorney/ </span><i><span class="" style="background-color: white;"> </span></i><br />
<span class="" style="background-color: white;">http://pastebin.com/GRTDZ6Ns</span><br />
<span class="" style="background-color: white;">http://timesofindia.indiatimes.com/tech/it-services/Indian-student-in-Cornell-University-hacks-into-ICSE-ISC-database/articleshow/20450666.cms</span><br />
<br />
<span class="" style="background-color: white;">We could go on and on but we can certainly understand their reluctance to respond to notifications. Hopefully the end users are more concerned about these disclosures than the administration. </span><br />
<i><span class="" style="background-color: white;"><br /></span></i><div class="blogger-post-footer">Provided by SLC Security Services LLC 919-441-7353</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7327095465368012596.post-91614067373446476692016-02-20T06:10:00.002-05:002016-02-20T06:10:35.949-05:00American Museum of Natural HistoryLooks to us like information from this site has been pulled down by hackers. We are notifying the affected users... <div class="blogger-post-footer">Provided by SLC Security Services LLC 919-441-7353</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7327095465368012596.post-59456911729853075182016-01-19T01:59:00.003-05:002016-01-19T01:59:32.396-05:00Large Numbers of MIT Email accounts leakedWe have noted a large amount of MIT related email accounts showing up on Darknet forums and in leaks posted to Paste sites.<br />
<br />
The information posted includes 98 accounts and additional information. The information is verified as we have been able to get confirmation from several students and staff.<br />
<br />
<b>Credit Suisse accounts start appearing online</b> (2016-01-17)<br />
We started noticing Credit Suisse accounts showing up online this evening. Our system that collects information on compromised accounts started alerting on accounts at the firm. It is not known whether the accounts detected are end user accounts or corporate accounts.<br />
<br />
<b>State of Virginia DHRM fails to respond to notification</b> (2016-01-13, updated 2016-01-14)<br />
On 1-7-2016 a researcher who assists Jigsaw Security noted some issues with documents posted on the DHRM website. A PDF posted by this organization contained information that was obscured by blocks, but the blocks were a separate image layer, so if you edit the document the blocks can be removed and the original content is then visible.<br />
<br />
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.<br />
<br />
As of the posting of this article the document remains on the web1.dhrm.virginia.gov website, and there has been no response from the contact, Nancy Tobin, identified as the document's author. Our email was not returned as undeliverable.<br />
<br />
We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNC3EeQQKjImdO5HFY5e7HbXpq7AGRHqm3UJqn9d3RESiAJ81bIdiAw-wtfFMn37582AliERdKASA1t4IHm9jxyZwMo8ebN2hE5huE65Bx2KsbKAsop1Yrk_sO53R-Qd-tek1648aTMMk/s1600/MAIL.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNC3EeQQKjImdO5HFY5e7HbXpq7AGRHqm3UJqn9d3RESiAJ81bIdiAw-wtfFMn37582AliERdKASA1t4IHm9jxyZwMo8ebN2hE5huE65Bx2KsbKAsop1Yrk_sO53R-Qd-tek1648aTMMk/s400/MAIL.JPG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We notified them and followed up, but received no response. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOLr4ZWL0trlnFpxI6KCLqZuYC6ADmlHTHbNZlVzEJWlVY-OCKMSd_KR9Mo1MV7fsmEfdASLx2b2aUnWr30EbfIwe9t_7hijb63LzTDJ1JsqB_fotMskm0_dgo9nnW3-s9QoSVTbtIsbo/s1600/Email2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOLr4ZWL0trlnFpxI6KCLqZuYC6ADmlHTHbNZlVzEJWlVY-OCKMSd_KR9Mo1MV7fsmEfdASLx2b2aUnWr30EbfIwe9t_7hijb63LzTDJ1JsqB_fotMskm0_dgo9nnW3-s9QoSVTbtIsbo/s400/Email2.JPG" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So basically they tried to do the right thing by blocking out personally identifiable information in these documents but the method used was inadequate. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It is unknown whether the individuals affected by this issue are still employed by the State of Virginia, as we have not received any response to our inquiry. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Hopefully bringing this information to light will prevent this type of information disclosure in the future but the lack of response is troubling. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>UPDATE:</b></div>
As of 14 January, 2016 a response was received indicating that the issue is being corrected.<br />
<br />
<div class="MsoNormal">
<i>"DHRM takes any possible data breach very seriously,
and we wanted to notify you that measures are being taken to address
the issue:
</i></div>
<i>
</i><div class="MsoNormal">
<br /></div>
<i>
</i><div align="left" class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-align: left; text-indent: -.25in;">
<i><span style="font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7.0pt "Times New Roman";">
</span></span></span>Removal of the referenced documents and links from
DHRM’s servers so that data is no longer exposed that might impact
employee privacy and security;</i></div>
<i>
</i><div align="left" class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-align: left; text-indent: -.25in;">
<i><span style="font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7.0pt "Times New Roman";">
</span></span></span>Software that has proper redacting capability supplied to users;</i></div>
<i>
</i><div align="left" class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-align: left; text-indent: -.25in;">
<i><span style="font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7.0pt "Times New Roman";">
</span></span></span>Staff training introduced to ensure that no lapses will occur in the future.</i></div>
<i>
</i><div class="MsoNormal">
<br /></div>
<i>
Thank you for bringing this matter to our attention."</i><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b>2 Big Stories Next Week</b> (2016-01-08)<br />
We are currently reviewing 2 issues, both of which are confirmed exposures of PII and/or PHI data that we uncovered in the course of reading user submissions this week. Both involve high profile entities, neither of which has replied to our request for comment.<br />
<br />
We have provided evidence of the issues to both and are awaiting any response.<br />
<br />
<br />
<b>Walmart Leaked Data Appearing Online</b> (2015-12-21)<br />
With the holiday season right around the corner we started noting posts on forums with a list of usernames and passwords. We have begun notifying the end users of the leaked information to see if we can verify whether they're legitimate.<br />
<br />
Of the 5 people that responded so far 3 of the accounts were legitimate and 2 were old login details that were no longer valid so the data looks somewhat dated. We are still notifying individuals of the leaked information.<br />
<br />
<b>chaffey.edu Breached</b> (2015-12-05)<br />
A database containing personal contact information at chaffey.edu was reported today. It appears from our research that the information is legitimate.<br />
<br />
In addition to name and phone number, the breach also indicates whether the employee is full or part time, their department, and additional information that should not have been posted.<br />
<br />
It's interesting watching as these organizations fall victim to SQLi attacks.<br />
<br />
<b>WakeMed again in the HIPAA Hot Seat</b> (2015-12-04, updated 2016-09-20)<br />
While I previously took down a post at the request of WakeMed, I felt that I had to report this one. As reported on WRAL:<br />
<br />
<div>
<div>
WRAL in North Carolina reports:<br />
<blockquote>
A Cary law firm has <a href="https://www.documentcloud.org/documents/2641927-Motion-for-contempt-sanctions-and-damages.html">filed a motion against WakeMed</a>,
accusing the hospital of releasing patients’ private information,
including Social Security numbers, making them susceptible to identity
theft.<br />
Cort Walker, a bankruptcy and civil business litigation attorney at
Sasser Law Firm, said he noticed a problem while reviewing records <b>WakeMed</b> had filed to collect debts from former patients who had declared bankruptcy.<br />
[…]<br />
The law firm says it found 158 cases involving its clients dating
back to 2013 where WakeMed violated federal bankruptcy code by including
Social Security numbers, full dates of birth and medical records.</blockquote>
Read more on <a href="http://www.wral.com/attorney-wakemed-violated-patients-privacy-released-sensitive-information/15154432/">WRAL</a>.<br />
<br />
As they note in their report, and as noted in the motion for contempt, sanctions, and damages, <b>Duke</b> <b>University Health System</b> had a similar situation three years ago. I had <a href="http://www.databreaches.net/duke-university-health-system-notifies-patients-of-breach-thats-not-called-a-breach/">covered that breach</a>
at the time, and noted that it had been reported to HHS as a HIPAA
breach. WakeMed will almost certainly report their incident to HHS,
although depending on how many patients, total, have had their PHI
exposed, we may not see it in the public breach tool.<br />
<br />
Like most HIPAA-covered entities, WakeMed has been noted on this site
before. Most recently, in 2014, this site noted reports by SLC Security
that <a href="http://www.databreaches.net/if-you-dont-respond-to-notifications-of-a-leak-the-problem-doesnt-go-away-it-gets-worse/">WakeMed was leaking patient PHI</a> and they had reached out to them and spoken to them, but <a href="http://www.databreaches.net/slc-security-to-wakemed-wake-up/">the leaks persisted</a>,
and WakeMed did not respond to attempts by SLC Security or this site to
alert them and get a response from them. It is not known to this site
whether WakeMed ever reported the alleged leaks to HHS, but there is no
entry in HHS’s public breach tool.</div>
</div>
<div>
Credit to DataBreaches.net for the heads up on this one. </div>
<div>
Previously we reported on a problem with communications from the EPIC system that is even more troubling. This entity continues to have issues. Maybe they should hire us to do a full assessment?</div>
<br />
<b>Grace Life Church Compromised</b> (2015-12-04)<br />
gracelifechurchct.com appears to be distributing malware and appears to have been compromised. Log in to the Threat Intelligence portal for more information.<br />
<br />
<b>Trinity College host being used as C2 by credential stealing malware (157.252.245.49)</b> (2015-10-21)<br />
We notified Trinity College of the issue and have not gotten a response.<br />
<br />
<b>New Blog Location</b> (2015-09-29)<br />
Please update your blog location to our new <a href="http://www.jigsawsecurityenterprise.com/#!blog/bdv2b" target="_blank">blog</a>.