Dow Jones watchlist of high-risk businesses, people found on unsecured database

Security researcher Bob Diachenko discovered an unprotected 4.4GB Elasticsearch database chock-full of more than 2.4 million records of people and businesses considered to be high-risk by Dow Jones. A third-party company left this Dow Jones watchlist on a public server without even so much as a password to protect it.

The proprietary watchlist, hosted on Amazon Web Services (AWS), includes “special interest persons,” current and past politicians, people with terrorism links, sanctioned companies and individuals, as well as those convicted of financial crimes, according to TechCrunch.

Diachenko explained the 2,418,862 unsecured records “contained the identities of government officials, politicians and people of political influence in every country of the world,” as well as “their relatives, close associates and the companies they are linked to.”

The leaky database, which is aggregated from publicly available news and government filings, is “indexed, tagged and searchable.” The records can include names, addresses, birth dates, location, and even photos. A sample record seen on TechCrunch of a person tagged as sanctioned and with terrorism links includes a physical description, primary language, job, and notes by the EU, UN and Federal Financial Monitoring Service.

Dow Jones told Diachenko, “At this time, our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.” Dow Jones declined to comment on the record when TechCrunch asked if the leak would be reported to U.S. regulators and European data protection authorities.

Other cybersecurity news

For sale on Dark Web: Admin access capable of allowing criminals to control a Chinese railway company

Israeli threat intelligence firm Sixgill, which detects threats on the Dark Web, discovered “chaos on the commute.” According to an email about the find, “an experienced threat actor” is “selling admin access to a Chinese railway company. This access would enable criminals to manipulate train control systems, affecting over one million residents living in the urban core of Hubei Province.”

Last month, Sixgill found access to content management systems being sold on a Russian-language hacker forum. One sale offered potential buyers the ability to edit or upload new stories on as many as 1,425 U.S. sites.

Imagine a bad actor gaining access to control the news; the publicly available news could be picked up by the likes of Dow Jones or other organizations that sell watchlists. To be fair, though, the Dow Jones watchlist is considered valuable, according to Diachenko, because it focuses “on premium and reputable sources.” Of course, if the purchased CMS access is to a reputable news site …?

Cellebrite smartphone hacking tool being resold online for cheap

Here’s your chance to play Johnny Law Officer and get hold of a smartphone hacking tool used by the FBI and other law enforcement agencies for a super low price. While it is true that the devices might be used, it is also true that it could contain personal and other sensitive information that was never wiped from the hacking tools.

A Cellebrite device, which when brand new costs government LEA about $6,000, can be found on eBay for between $100 to $1,000 a unit, reported Forbes. A quick search on eBay later showed a pre-owned Cellebrite device with a power supply for as low as $49.99.

Security researcher Matthew Hickey, aka Hacker Fantastic, told Forbes he bought a dozen such devices this month and discovered they still contained data on the types of devices searched, the type of data removed, IMEI codes and other phone identifiers. He later tweeted a screenshot of a Cellebrite equipment reminder, which states that the resale of Cellebrite equipment is not allowed without written approval from the company, “since it may be possible for these devices (including old devices such as the discontinued Touch) to access private information.”

Leave a Reply

Your email address will not be published. Required fields are marked *