
Republicans storm ultra-secure “SCIF,” some with cell phones blazing [Update]

The US House of Representatives.

On Wednesday, Republican lawmakers committed a major breach of security guidelines when they carried cell phones as they tried to force their way into a secure room where a closed-door impeachment hearing with a Defense Department official was taking place.

At least one House member, Rep. Matt Gaetz of Florida, got inside the Sensitive Compartmented Information Facility (SCIF) in the basement of the House of Representatives. Despite strict rules barring all electronics inside such closed-off areas, Gaetz openly tweeted: “BREAKING: I led over 30 of my colleagues into the SCIF where Adam Schiff is holding secret impeachment depositions. Still inside—more details to come.”

After the tweet came under criticism, Gaetz later tweeted “sent by staff.” It remained unclear how the representative was able to communicate with members of his staff from inside the room.

Rep. Mark Walker of North Carolina also issued a tweet that said he was “in the SCIF.” A picture published by The New York Times showed a man identified as a House Republican holding up his phone as if taking pictures or video as he entered the secure room. A sign on the door of the room said, “Cameras and other recording devices prohibited without proper authorization.” The room has lockers outside the doors where people are required to store electronics before entering.

Lawyers said bringing phones into the secure area was a potential felony. Security officials, meanwhile, stressed how damaging the move could be to national security. The SCIF is designed to prevent electronic eavesdropping so members of Congress can receive sensitive information that is often classified. Often, the materials in the room reveal sensitive operations or show how intelligence officers collect information on adversaries. SCIFs are carefully controlled to prevent electronic signals or electronic devices from leaving the rooms. Chief among these restrictions is a ban on unauthorized electronic devices.

Compromising national security

Cell phones in particular are known to be a risk, since it’s easily within the means of a nation-state to infect both iOS and Android devices with full-featured spyware. From then on, the attackers can make the devices record audio and video, take pictures, and download and upload files. Lawmakers are particularly prone to such attacks given the large amount of sensitive data they often have access to.

“Storming the SCIF without respecting the security protocols that require people to leave their electronic devices *outside* the space is actually compromising our national security,” Mieke Eoyang, who regularly used the room while she was a former staffer for several security-related congressional committees, wrote on Twitter. “Bringing electronic devices into a SCIF, and this SCIF in particular, is *very* problematic, especially when done by members of Congress.”

The event has parallels to a covertly made recording in the White House situation room last year by then-Trump administration staffer Omarosa Manigault Newman.

Update: Hours after the protest, Rep. Bennie Thompson, a Democrat representing Mississippi and the chairman of the Committee on Homeland Security, sent a letter to the Sergeant at Arms calling the event “an urgent security matter.”

“Such action is a blatant breach of security, violates the Oath all Members of Congress sign to gain access to classified information, and contravenes security controls established by the Director of the Central Intelligence Agency for the protection of classified information,” Thompson wrote. “The unprecedented breach of security raises serious concerns for Committee Chairmen, including me, responsible for maintaining SCIFs.”

Wednesday’s event occurred as members of the House Intelligence Committee were preparing to hear from Laura K. Cooper, the deputy assistant secretary of defense for Russia, Ukraine, and Eurasia. Chanting “let us in, let us in,” the protesting lawmakers prevented the hearing from proceeding. House Intelligence Committee Chairman Adam Schiff turned the protesters away and called on the sergeant-at-arms to break up the crowd.

According to the Associated Press:

Lawmakers described a chaotic scene. Rep. Debbie Wasserman Schultz, D-Fla., said she had just walked into the room when the Republican lawmakers blew past Capitol Police officers and Democratic staffers. The staff member who was checking identification at the entrance was “basically overcome” by the Republicans, she said.

“Literally some of them were just screaming about the president and what we’re doing to him and that we have nothing and just all things that were supportive of the president,” Wasserman Schultz said.

Sen. Lindsey Graham criticized his Republican colleagues for the tactic, calling them “nuts” to make a “run on the SCIF.”

“That’s not the way to do it,” he said.

The Republicans were protesting the closed-door hearings taking place in the impeachment process underway in the House. Only members of the House Intelligence Committee (which includes both Democrats and Republicans) have been permitted to attend hearings, though Rep. Schiff has pledged to make transcripts available after they have been scrubbed of any classified information. Some Republicans have claimed the restrictions resemble a Soviet-style proceeding, even though Republicans routinely held closed-door hearings when they controlled the House.

Post updated at 16:44 California time to add details about Thompson’s letter.

Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.

Image: the Humble Bundle bug notice email.

The mail reads as follows:

Hello,

Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.

Now, this is the part of a breach/bug mail where you tend to say “Oh no, not again” and take a deep breath. Then you see how much of your personal information winged its way to the attacker.

Oh no, not again

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn’t expose as much as the attacker was hoping for, or they were just in it for the niche content collection.

The email continues:

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happens to be on offer this week. Alternatively, you can sign up to the monthly subscription. With this, you pay and then every month you’re given a random selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have no interest in the upfront preview titles, you can temporarily pause your subscription for a month.

This is the data that the bug exploiter has obtained, which is definitely an odd and specific thing to try and grab.
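The mechanism described in the notice, an endpoint that answers for any email address and so lets someone test a list of addresses against the account database, is a classic account-enumeration bug. The code below is an added illustration, not Humble Bundle’s code, and the account table, endpoint names and log lines are all constructed for the example. It shows the unauthenticated lookup that leaks existence and plan state, the hardened form that only ever returns the logged-in user’s own record (so there is no email parameter left to probe), and a small log check of the kind a defender could run to spot one client querying many distinct addresses in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed account table (hypothetical schema): email -> subscription record.
ACCOUNTS = {
    "alice@example.com": {"status": "active", "expires": "2020-02-01", "referral_bonus": True},
    "bob@example.com": {"status": "paused", "expires": "2020-01-15", "referral_bonus": False},
}


def subscription_lookup_vulnerable(email):
    """Unauthenticated lookup keyed on a caller-supplied email. Anyone can
    submit a list of addresses and learn which ones are customers and the
    state of their plan: exactly the exposure the notice describes."""
    record = ACCOUNTS.get(email)
    if record is None:
        return {"found": False}
    return {"found": True, **record}


def subscription_lookup_hardened(session_user):
    """Returns only the authenticated user's own record. There is no email
    parameter, so an outsider has nothing to enumerate, and an unknown or
    missing session gets one uniform response."""
    if session_user is None or session_user not in ACCOUNTS:
        return {"error": "unauthorized"}
    return dict(ACCOUNTS[session_user])


# Constructed access-log lines: timestamp, client, request, HTTP status.
LOG_LINES = """\
2019-10-24T10:00:01Z 203.0.113.7 GET /api/subscription?email=alice@example.com 200
2019-10-24T10:00:02Z 203.0.113.7 GET /api/subscription?email=carol@example.com 404
2019-10-24T10:00:02Z 203.0.113.7 GET /api/subscription?email=dave@example.com 404
2019-10-24T10:00:03Z 203.0.113.7 GET /api/subscription?email=bob@example.com 200
2019-10-24T10:00:03Z 203.0.113.7 GET /api/subscription?email=erin@example.com 404
2019-10-24T10:00:04Z 203.0.113.7 GET /api/subscription?email=frank@example.com 404
2019-10-24T10:05:00Z 198.51.100.4 GET /api/subscription?email=alice@example.com 200
2019-10-24T10:06:00Z 198.51.100.4 GET /api/subscription?email=alice@example.com 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/subscription\?email=(\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, email, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), int(m.group(4))


def flag_enumeration(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {client: distinct_emails} for every client that queried more
    than `threshold` distinct addresses inside any span of length `window`.
    A legitimate user checks their own address; an enumerator walks a list."""
    by_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, email, _ = parsed
            by_client[client].append((ts, email))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {e for t, e in events[i:] if t - start <= window}
            if len(seen) > threshold:
                flagged[client] = max(len(seen), flagged.get(client, 0))
    return flagged


if __name__ == "__main__":
    print(subscription_lookup_vulnerable("carol@example.com"))   # leaks "no account"
    print(subscription_lookup_hardened(None))                     # uniform refusal
    print(flag_enumeration(LOG_LINES))                            # {'203.0.113.7': 6}
```

The detection threshold is deliberately low for the constructed sample; on a real service it would be tuned to the normal rate of self-lookups, and the same counting can be keyed on an API token or session rather than a source address.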

Security advice from Humble Bundle

Let’s go back to the email at this point:

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.

As a reminder, here are some tips to keep your account private and safe:

  • Don’t share your password, personal details, or payment information with anyone. We will NEVER ask for information like that.
  • Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others.
  • Enable Two-factor authentication (2FA) so that even if someone gets your password, they won’t be able to access your account. You can enable 2FA by following these instructions.

We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future.

Good advice, but what’s the threat?

One could guess that the big risk here, then, is the potential for spear phishing. They could exploit this by sending mails telling subscribers that their subscription is about to time out, or claiming problems with stored card details. Throw in a splash of colour text regarding your subscription “currently being paused,” and it’s all going to look convincing.

Phishing is a major danger online, and we should do everything we can to thwart it. While the information exposed here isn’t as bad as it tends to be, it can still cause major headaches. Be on the lookout for dubious Humble mails, especially if they mention subscriptions. It’ll help to keep your bundle of joy from becoming a bundle of misery.

The post Humble Bundle alerts customers to subscription reveal bug appeared first on Malwarebytes Labs.