Biometric security platform leaves 28M records unsecured

Plus, a phishing scam that uses Google and an executive order from the White House about freedom of speech on social media

During a routine web-mapping project, cybersecurity researchers found that large chunks of a massive database belonging to biometric security platform BioStar 2 were unencrypted and unsecured. Dark Reading reported that the researchers discovered  23 GB of leaked data comprised of 27.8 million records, including fingerprints, facial recognition data, usernames, passwords, permissions, employee records, and more. BioStar 2 is used around the globe at over 5,700 institutions such as governments, banks, businesses, and police stations to control access to high-security areas. Identifying users through facial recognition and fingerprint scanning, BioStar stores biometric information that can never be modified – users can change their passwords, but not their fingerprints. Avast Security Evangelist Luis Corrons said “This is not just another case of negligence in the protection of sensitive information. This company works on security, and the problem is not only that the data was in the open for anyone to read. The researchers who discovered the issue could also change the vulnerable information. Even worse, the information was unencrypted, which shows the lack of security protocols in place.” The researchers brought the leaked info to the attention of Suprema, parent company to BioStar, and the database was secured on August 13.

This week’s stat

In the Internet of Things, 100 vendors account for more than 90% of “smart” devices and 400 vendors account for 99% of devices. Read Avast’s report on the world of IoT.

Phishing scam uses Google Drive to bypass security

Targeting a company in the energy industry, a phishing campaign made use of Google Drive to get through the Microsoft email gateway without being identified as spam, reported Bleeping Computer. Because the attackers sent the email from Google Drive, the Microsoft security filter saw it as legitimate. The message appeared to come from the CEO of the company with an urgent message, and employees were sent an invitation to a Google doc. The doc redirected employees to a phishing landing page where they were instructed to enter their credentials in order to access the CEO’s message. Doing so would put their login passwords into the hands of the attackers. Despite the innovative use of the Google doc, telltale signs marked the emails, such as a bogus sender email address and key phrases repeated from phishing email templates used elsewhere.

This week’s quote

“Did someone forget to do the math?” – Commenter on FTC post explaining that Equifax data breach victims would not receive anything close to the $125 originally announced. Read more about Equifax, Capital One, and you

Draft executive order on social media weakens Decency Act

A draft order from the White House, if put into effect, would give the Federal Communications Commission and Federal Trade Commission jurisdiction over the policing of suppressed content on social media. CNN reported that the draft is titled “Protecting Americans from Online Censorship” and that it claims the White House has received over 15,000 complaints from social media users who allege that their political opinions have been censored. The order seeks to rectify the situation by restricting many of the protections granted to social media companies through the Communications Decency Act, which essentially allows each company to remove objectionable content from its platform, such as acts of bullying, hate manifestos, and obscenities. The draft order was created as President Trump prepared to meet with multiple tech companies to discuss the detection of violent extremism and ways to respond to it while at the same time protecting free speech.

This week’s ‘must-read’ on The Avast Blog

If you didn’t go to the Black Hat or DEF CON cybersecurity conferences last week in Las Vegas, we’ve got a quick summary of some of the best stories, presentations, social media, and just plain weirdness.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Related articles

--> -->