Inside Security - August 2nd, 2019

Inside Security (Aug 2nd, 2019)

Breaches galore with Bank of Cardiff, Honda dealership and Sephora/Asia

Subscribe to Inside Security

New blank template
Subscribe | View in browser

By now you have probably heard about the breach at Capital One and the arrest of the suspected attacker. This document from Cyberint provides a nice timeline and technical recap of what is known and how the attack took place. Sadly, there are other more recent breaches that haven’t received as much coverage that occupy the top news items in today’s newsletter.

If you use any iOS device, please update it immediately to v.12.4. Researchers found fatal security bugs in older operating systems. 

We here at have several newsletters in pre-launch mode we'd like to invite you to subscribe to:

If you have an idea for a newsletter we don't yet have but think we should launch, you can suggest it here. Thanks! 

We are also putting together the 100 most essential Twitter accounts in infosec, and we want to know who you think is a must-follow. The Security Twitter 100 List will not only be great for anyone who wants to keep up with goings-on in our field, but can exist as a living, breathing document of our vibrant industry and community. We want to go beyond the obvious to include those who capture the innovation, doing cutting-edge research and who are your go-to sources for current information and advice. Start by looking at my Twitter list of the folks that I have already highlighted in my previous newsletters and please reply to this email and let me know who you think belongs in the Security Twitter 100.

Finally, this research by Georgia Tech on EV SSL cert usage had lots of flaws brought up by others on Twitter. 

-- David Strom

1. Internal network configuration data on Honda was found on an unsecured ElasticSearch server by a security researcher. This data was spread across 40 GB of various files and appeared to be a census of all of its global endpoint equipment. “The data makes it clear which vendor they use and which machines have the endpoint security software enabled and up to date.” The company worked quickly to lock this down and acknowledged the mistake. The interesting fact in this story was that it took the researcher several days to track down the appropriate contact at Honda to take action. This should be a lesson for all corporations to provide these contacts clearly on their corporate websites. -- RAINBOW TABLES

2. An unsecured AWS S3 database containing a million recorded phone calls between employees of San Diego-based Bank of Cardiff and potential loan customers has been discovered by a security researcher. The files were quickly secured once the researcher contacted the bank last month. Reporters examined several of the calls and they appear to be legit. -- VICE

3. Asian customers of beauty retailer Sephora have been notified about a major breach. Personal data, including names and birth dates, potentially were exposed. The key word here is potentially: the company hasn’t yet seen any evidence that the data was actually accessed, and has reset passwords and offered free credit monitoring services to affected customers. -- ZDNET

4. Researchers have found four different cases of security software phoning home data to its own servers without the customers' permission or prior knowledge. Some of the exfiltrated data was sent to a known malicious IP address located in China that hosts malware. -- EXTRA HOP SECURITY (reg. req.)

5. One of the largest and longest-running DDoS attacks was observed this past spring. The botnet that caused the attack used more than 400,000 different computers, lasted 13 days and directed a peak flow of 292,000 Requests per second. It was successfully repelled, and this post has more details about its construction. (Note: it is also somewhat self-serving.)-- IMPERVA

6. Follow Friday: Allison Miller

Allison Miller is the SVP Engineering at the Bank of America in Charlotte, where she spends a lot of time “graphing the grey cybers,” as her Twitter account states. 

She has over two decades of cybersecurity experience, working for Google, PayPal, Electronic Arts and Visa. She helped organize the O’Reilly 2017 security conference in New York. In her spare time, she is also a trustee of the Center for Cyber Safety and Education, which helps to disseminate high quality cybersecurity tips to parents, educators and kids. The organization sponsors a series of events to identify cyber bullying among other activities.  

Here is a presentation she gave at a conference of the Society of Information Risk Analysts entitled, “When algorithms are our co-pilots.” She is a frequent speaker at BSides and other security events.

Her Twitter feed is often self-reflective and humorous, such as this recent Tweet:

  • “old me: what happens if we add functionality?
  • more experienced me: what happens if we tune the business logic?
  • current me: can we turn it off?”

7. Researchers have discovered three separate spear phishing campaigns that have targeted the utility operators. They have dubbed this LookBack. The malware tries to impersonate a US-based engineering licensing board.  They were delivered last month using infected VBA macros in Word documents. -- PROOFPOINT BLOG

8. Do you have a data security scientist on your staff? This post explains the responsibilities of such a title and why it is important to employ someone with these skills. The argument is that organizations need someone to focus on protecting valuable data and to examine the complete life cycle. -- TDWI BLOG

9. Eleven different zero-day vulnerabilities in the embedded OS VxWorks were discovered by security researchers. The issues range from remote code execution to logic flaws and many of them are critical. There are billions of IoT devices that run this OS, and all versions dating back to v.6.5 are affected. -- ARMIS BLOG

10. This report looks at the number of stolen credit cards that are available on the so-called "dark web." Researchers found 23 million card numbers and describe various ways that criminals can access this trove. There is one IRC bot for example that can “validate” the stolen cards, which was used hundreds of thousands of times. -- SIX GILL BLOG

This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).

Copyright ©, All rights reserved.

Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107

Did someone forward this email to you? Head over to to get your very own free subscription!

You received this email because you subscribed to Inside Security. Click here to unsubscribe from Inside Security list or manage your subscriptions.

Subscribe to Inside Security