InfoSec News

PII

Pre-IPO online fashion marketplace Poshmark announces data breach

By

Pre-IPO online fashion marketplace Poshmark announces data breach

By William Knowles @c4i
Senior Editor
InfoSec News
August 1, 2019

Poshmark, the largest social commerce marketplace for fashion alerted users on Thursday via email and their blog that “data from some Poshmark users was acquired by an unauthorized third party.

“The data acquired does not include any financial or physical address information, and we do not believe your password was compromised.” Poshmark recommends that you change your password as a precaution and security best practice.”

According to Poshmark, Canadian users weren’t affected and this data breach was limited to U.S. users only.

The data that was stolen includes “certain user profile information specified for public use such as username, first and last name, gender, and city.” “Certain internal account information such as email address, user ID, size preferences, and one-way encrypted passwords salted uniquely per user (making it nearly impossible to use these passwords to access an account), as well as social media profile information collected when users connect social media accounts to Poshmark” and “Certain internal Poshmark preferences for email and push notifications”

The Poshmark security notice continues to say “We take the trust you have placed in us extremely seriously, and immediately upon learning of this incident, we expanded our security measures even further. We conducted an internal investigation and retained outside experts, including a  leading security forensics firm. The security forensics firm we retained ran extensive testing designed to find vulnerabilities in our software and systems. After the testing, the firm reported that it did not find any material vulnerabilities. While our security was already strong, we have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.”

How this data breach will affect Poshmark’s reported fall IPO is unclear, Poshmark has tapped Goldman Sachs Group Inc. and Morgan Stanley as its underwriters, according to the WSJ.

The Redwood City-based company was founded in 2011 by Manish Chandra, Tracy Sun, Gautam Golwala and Chetan Pungaliya and has raised about $153 million since its inception in 2011. Its last funding round, an $87.5 million Series E announced in November 2017, gave it a valuation of $600 million, according to its Crunchbase profile. Backers include Mayfield Fund , Menlo VenturesTemasek Holdings, and GGV Capital.

 

 

 

 

Someone repeatedly compromised NASA servers

By

By William Knowles @c4i
Senior Editor
InfoSec News
December 19, 2018

 

This isn’t going to improve NASA’s FISMA scorecard rating for 2018.

On Tuesday, December 18, 2018. Bob Gibbs, Assistant Administrator, Office of the Chief Human Capital Officer sent an agency-wide message to the 17,000+ NASA employees, according to SpaceRef which posted the memo on their site.

On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised.

Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.

NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected.

NASA employees should be counting their lucky stars that this doesn’t happen more often, In 2016 NASA’s Office of Inspector General found that NASA lacks a mature cyber program, earning a score of 27 out of 100 under the Office of Management and Budget’s and DHS’ five-step maturity model.

In the 2017 Federal Information Security Modernization Act: Fiscal Year 2017 Evaluation of NASA came to the conclusion that…

Despite progress made to address previously identified weaknesses related to its cybersecurity program, we concluded that NASA, based on the results of our current review, has not implemented an effective information technology security program. Further, without implementing additional improvements to ensure that NIST requirements are implemented, the Agency may lose ground in its efforts to address the challenges in a rapidly evolving cybersecurity landscape. To strengthen its information security program, we believe the Agency should continue its initiatives in each of the seven IG FISMA domains.

  1. Risk Management. Strengthen the enterprise architecture risk management framework by closing the gap between mission systems and inventory, and complete the transition to RISCS.
  2. Configuration Management. Augment secure configuration settings, improve hardware and software asset management, and remediate configuration-related vulnerabilities including unsupported operating systems.
  3. Identity and Access Management. Increase the use of PIV authentication for unprivileged users.
  4. Security Training. Complete applicable role-based training for personnel with significant security responsibilities.
  5. Continuous Monitoring. Develop a comprehensive continuous monitoring strategy for automatic hardware and software inventory detection and data exfiltration defense capabilities.
  6. Incident Response. Bridge the gap between reactive and proactive intelligence gathering and analysis techniques.
  7. Contingency Planning.

Finally, we are concerned that many recommended corrective actions from prior FISMA and other IT-related reviews remain open after more than a year. We urge a renewed Agency commitment to addressing our previous recommendations given the constant and growing cybersecurity threats. Although this memorandum made no specific recommendations to NASA, management provided a brief response that is reproduced in Enclosure V. Technical comments provided by management have been incorporated, as appropriate.

Sadly, Its easier to blame this all on aliens.

Jimmy Kimmel Asks What Is Your Password?

By

By William Knowles @c4i
Senior Editor
InfoSec News
January 17, 2015

President Obama just unveiled a number of proposals to crack down on hackers. It’s great that the government is working on this but we need to do a better job of protecting ourselves. So Jimmy Kimmel sent a camera out onto Hollywood Boulevard to help people by asking them to tell us their password.

It’s too bad there’s no legislation planned for poor password choice.

ARRL Probing Web Server Breach by Hackers

By

CI6F0427

By William Knowles @c4i
Senior Editor
InfoSec News
October 10, 2014

Last month a web server at ARRL Headquarters was breached by an unknown party. ARRL IT Manager Mike Keane said that League members have no reason to be concerned about sensitive personal information being leaked, and assures members that there’s nothing of financial value on the compromised server.

Some ARRL servers were taken offline and isolated from the Internet when the hack was discovered. Some web functions were temporarily disabled. The ARRL expects to restore service by close of business, on Wednesday, October 8, 2014

ARRL’s Mike Keane stressed that it is highly unlikely that any sensitive information was compromised. Any information the hacker might have been able to glean from the ARRL server, he said, is already publicly available — data such as names, addresses, and call signs that appear in the FCC database.

The hacker may have been able to obtain site usernames and passwords that were established prior to April 2010, and that has not been changed since then. ARRL members who have not changed their ARRL website passwords since early 2010 should do so at this as soon as possible.

Keane said that in addition to reporting the security breach to federal law enforcement authorities, his department is working to increase the League’s Internet security posture.

Photo by C-Serpents via Compfight

AB Acquisition LLC and Supervalu Inc. Annouce Second Hacking Incident Involving Payment Card Data Processing

By

broker

By William Knowles @c4i
Senior Editor
InfoSec News
September 30, 2014

AB Acquisition LLC and Supervalu Inc. are the newest groups of retailers that have been hit by security breaches this year. This includes Aaron Brothers, Bartell Hotels, CVS, eBay, Goodwill Industries International Inc., Home Depot, Jimmy Johns, Michaels Stores, Neiman Marcus, Recreational Equipment Inc., Sally Beauty Supply, and Sears.

On September 29, 2014, AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc., was notified by its third-party IT services provider, Supervalu Inc. of a separate, more recent, attempted criminal intrusion seeking to obtain payment card information used in some of its stores. AB Acquisition has been informed that a different malware was used in this recently discovered incident that was used in the incident previously announced on August 14, 2014. The investigations into both this incident and the earlier incident are ongoing.

Supervalu Inc. (NYSE: SVUannounced on September 29, 2014 that they also experienced a criminal intrusion into the portion of its computer network that processes payment card transactions at Supervalu’s Shop ’n Save, Shoppers Food & Pharmacy, four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, MN, where implementation of the enhanced protective technology had not yet been completed.

For these four franchised stores, Supervalu Inc. believes that the malware may have been successful in capturing account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder’s name, from payment cards used at some checkout lanes during the period of August 27 (at the earliest) through September 21 (at the latest), 2014.

Both companies discovered that, in what it believes to have been late August or early September 2014, an intruder installed different malware into the portion of its computer network that processes payment card transactions

Because the point of sale systems are different across AB Acquisition divisions, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and their two Super Saver Foods Stores in Northern Utah were not impacted by this incident. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois, and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were affected by this new incident.

AB Acquisition LLC and Supervalu Inc. have made no determination that any cardholder data was in fact stolen by the intruder. Given the continuing nature of the investigation, it is possible that time frames, locations, at-risk data, and/or other facts in addition to those described above will be identified in the future.

Both AB Acquisition LLC and Supervalu Inc. customers who used their payment cards at those locations listed above during the relevant time period will receive 12 months of complimentary consumer identity protection services through AllClear ID.

Creative Commons License Matt Baume via Compfight