by payments company Fallible, exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. And Fallible contends that the leak still hasn't been properly fixed. I queried McDonald's to see if it has tried to seal the hole in the API and also whether it has notified customers or regulators, but I didn't get an immediate response. In a March 19 tweet, McDonald's didn't issue any clear answers, instead taking the well-trodden path of seeking to reassure users by highlighting what was not breached. McDonald's has dabbled in home delivery in many countries since the early 1990s, attracting budget diners willing to risk the short half-life of its sandwiches and fries versus the vagaries of home delivery. Fallible says it contacted McDonald's India on Feb 7, letting the fast-food chain know it could sequentially pull user information from the API using a curl request. "An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users' personal information," Fallible writes in a blog post. But the issue appeared to remain unfixed, so Fallible says it sent McDonald's another email on March 7 asking for a status update. Ten days later, it sent another email and received no response. Fallible chose to go public with the issue in a March 18 blog post, prompting a public acknowledgement from McDonald's on Twitter the next day. Fallible contends the issue hasn't been fixed, and it's unclear from McDonald's tweet if it was.
India doesn't have a specific law that requires mandatory reporting of data breaches. But there are regulations and laws that cover the disclosure of personal information.
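The weakness Fallible describes is an authorization failure, not a credential one: the endpoint hands out a record for whatever integer it is given. The following is an added illustration, not Fallible's or McDonald's code, with constructed sample records and invented names (`CUSTOMERS`, `Session`, `vulnerable_get_user`, `hardened_get_user`, `issue_public_id`). It puts the exposed pattern beside a handler that requires a session and enforces ownership before returning anything.

```python
"""Added example (illustrative only, not Fallible's or McDonald's code): an
unauthenticated user-details lookup keyed on sequential integers, next to a
handler that enforces ownership of the requested record."""
from dataclasses import dataclass
import secrets

# Constructed sample records keyed on sequential customer IDs (assumption:
# the real API used a similar integer key, as Fallible's description states).
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "phone": "+91-00000-00001"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "phone": "+91-00000-00002"},
}


@dataclass
class Session:
    """Who the caller authenticated as; a missing session is passed as None."""
    customer_id: int


def vulnerable_get_user(customer_id):
    """Lookup with no authentication and no ownership check: whoever can reach
    the endpoint and supply a valid integer receives the record."""
    return CUSTOMERS.get(customer_id)


def hardened_get_user(session, customer_id):
    """Return (http_status, body) the way an HTTP handler would.
    The caller must be authenticated and may only read its own record.
    Mismatches get 404 rather than 403 so the reply does not confirm that
    some other customer ID exists."""
    if session is None:
        return 401, None
    if session.customer_id != customer_id:
        return 404, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record is not None else (404, None)


def issue_public_id():
    """Defence in depth: an opaque, unguessable identifier to expose in URLs
    instead of the database's sequential key. It complements the ownership
    check above and must not be relied on instead of it."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("no auth, vulnerable:", vulnerable_get_user(1002))
    print("no auth, hardened:", hardened_get_user(None, 1002))
    print("wrong owner, hardened:", hardened_get_user(Session(1001), 1002))
    print("own record, hardened:", hardened_get_user(Session(1001), 1001))
    print("example opaque id:", issue_public_id())
```

The ownership comparison is the actual fix; swapping sequential integers for random tokens only raises the cost of guessing and is worth doing in addition, not instead.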
By now, you may have heard that a hacking organization identifying itself as the Turkish Crime Family has gone hunting for a very big fish: It said that it has credentials for hundreds of millions of Apple accounts of various sorts (including email and iCloud), and it's threatening to wipe all of the iPhones in the cache unless a hefty ransom is paid. The group is asking for either $75,000 in Bitcoin or $100,000 in iTunes gift cards before the April 7 deadline. Turkish Crime Family (let's call them TCF) was first reported by Vice's Motherboard as having 559 million total accounts—and other reports say there are either 200 million or 300 million vulnerable iPhone accounts. Regardless of the number, it's a lot—and on the surface the news, if TCF really does have those credentials, would indicate that Apple has suffered a major data breach. Apple said in a media statement: "There have not been any breaches in any of Apple's systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services. We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these types of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication." Which means that the danger, if it does exist, isn't new for these Apple users. And indeed, many of the accounts could be defunct: Some of the addresses are @mac.com and @me.com addresses, which could be almost two decades old.
Motherboard confirmed a back-and-forth conversation between the hackers and Apple security teams, but TCF has yet to publicly provide solid proof of how and what information they have, besides a YouTube video (now removed) that Motherboard said shows someone logging into an iCloud account. Meanwhile, ZDNet said that it was able to get a data sample of 54 allegedly breached accounts from TCF—finding that they were all legitimate email addresses. The outlet also reached 10 users that said the listed pilfered passwords were correct. John Bambenek, threat systems manager of Fidelis Cybersecurity, said that he's skeptical about the hacker group's claims, noting that there are always people who make unfounded threats to organizations in the hope of an easy payday—or notoriety. "The hacker group is not following what's become typical operating procedure," he said via email. "For example, if this were a real ransomware attack, they would be communicating privately with the company they are targeting. Based on previous incidents, the current threat has all the hallmarks of a stunt. If they really have the ability to wipe iPhones then they would have wiped a few already as 'proof of life'." But that said, do consumers really want to roll the dice with their pictures and other information on the phone? Lamar Bailey, director of security research and development for Tripwire, said via email that the hackers may have indeed been able to meticulously assemble a cohesive database of previously stolen Apple credentials by making use of various former data breaches of sources outside of Apple—this is a good highlight once again of the widespread problem of password re-use. It would have required a large effort, but he noted that it could be done.
"If this is legit, the hackers would have had to obtain access to the individual user accounts via breaking the passwords of each of the user accounts or have acquired access to the Apple iCloud servers," he said. "The access to each user account is much more realistic since we have seen numerous reports of all the weak passwords people use for their computers and accounts." And, he added, if the hackers have password access to individual user accounts, they can indeed erase phones remotely and change passwords for the Apple account. "The hackers can not remove backups for Apple devices from the cloud, but changing the passwords will make it hard for the legitimate users to reset and recover their devices," he noted. "Once the end-user has access to their account, they will be able to restore their device." Apple users—and indeed all users of any online-facing service—should make sure they're using strong passwords and enabling two-factor authentication as an added protection. "Having a local backup of your device is always a good idea too. It is faster to restore a device locally than over the internet, and having a small NAS (Network Attached Storage) device at home for pictures and backups is a good investment to supplement the cloud backups," Bailey added.
The Cyber Division of the U.S. Federal Bureau of Investigation (FBI) has issued an alert to warn the healthcare industry that malicious actors are actively targeting File Transfer Protocol (FTP) servers that allow anonymous access. According to the law enforcement agency, attackers have targeted the FTP servers of medical and dental facilities in an effort to obtain access to protected health information (PHI) and personally identifiable information (PII), and use it to intimidate, blackmail and harass business owners. "The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server," the FBI said. These servers allow users to authenticate with only a username, such as "anonymous" or "ftp," and either a generic password or no password at all. The FBI pointed out that vulnerable FTP servers can also be abused to store malicious tools or to launch cyberattacks. In 2015, IBM named healthcare as the most attacked industry, with more than 100 million records compromised, whereas in the previous year this sector did not even make it into the top five. An IBM report for 2016 showed that the volume of compromised records was smaller, but the number of data breaches increased, causing operational, reputational and financial damage to healthcare organizations. A report published recently by Fortinet showed the top threats targeting healthcare companies in the last quarter of 2016, including malware, ransomware, IPS events, exploit kits and botnets.
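The FBI's recommendation boils down to one check per server: does it accept the `anonymous`/`ftp` login? The script below is an added example, not FBI or vendor code, showing that check with Python's standard `ftplib` plus a constructed fake FTP daemon (`_FakeFtpHandler`, `start_fake_ftp`, both invented here) so the whole thing runs offline against loopback ports. The function names and the sample reply text are assumptions; the reply codes follow RFC 959.

```python
"""Added example (not FBI or vendor code): audit helper that reports whether an
FTP server accepts an anonymous login, with a constructed fake FTP server so
the check can be exercised without a real target."""
import ftplib
import socketserver
import threading


def allows_anonymous_login(host, port, timeout=5.0):
    """Return True if host:port accepts the anonymous login, False if it is
    refused. Connection errors propagate so an unreachable host is never
    reported as hardened."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        # login() with no arguments sends USER anonymous / PASS anonymous@,
        # which is what a generic client or scanner would try.
        ftp.login()
        return True
    except ftplib.error_perm:
        # 5xx reply to USER or PASS: anonymous mode is off.
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def audit(targets):
    """Run the check over (host, port) pairs; return those that allow
    anonymous logins so their owners can review what is stored there."""
    return [(h, p) for h, p in targets if allows_anonymous_login(h, p)]


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for an FTP daemon: just enough of the control
    channel (RFC 959 reply codes) to answer a login attempt."""

    def handle(self):
        self.wfile.write(b"220 fake ftp ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg.lower()
                reply = b"331 password required\r\n"
            elif verb == "PASS":
                anon = user in ("anonymous", "ftp")
                if anon and self.server.allow_anonymous:
                    reply = b"230 anonymous login ok\r\n"
                else:
                    reply = b"530 login incorrect\r\n"
            elif verb == "QUIT":
                self.wfile.write(b"221 goodbye\r\n")
                return
            else:
                reply = b"502 command not implemented\r\n"
            self.wfile.write(reply)


def start_fake_ftp(allow_anonymous):
    """Start a fake server on an ephemeral loopback port. The port is
    srv.server_address[1]; call shutdown() and server_close() when done."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpHandler)
    srv.daemon_threads = True
    srv.allow_anonymous = allow_anonymous  # constructed knob for the demo
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    open_srv, closed_srv = start_fake_ftp(True), start_fake_ftp(False)
    targets = [("127.0.0.1", open_srv.server_address[1]),
               ("127.0.0.1", closed_srv.server_address[1])]
    print("anonymous login allowed on:", audit(targets))
    for s in (open_srv, closed_srv):
        s.shutdown()
        s.server_close()
```

A positive result is a finding to review, not by itself a breach: the alert allows anonymous mode where there is a legitimate need, provided no PHI or PII sits on that server, so the follow-up is an inventory of what the anonymous account can read.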
Positive Technologies has today confirmed it has detected vulnerabilities in SAP Enterprise Portal Navigation, SAP NetWeaver Log Viewer and SAP Enterprise Portal Theme Editor, which are the components of the SAP NetWeaver platform. By exploiting these security flaws, attackers can intercept login credentials, register keystrokes, spoof data or perform other illegal activities that could potentially lead to a system compromise. Four Cross-Site Scripting (XSS) vulnerabilities were detected in the following SAP Enterprise Portal components: SAP Enterprise Portal Navigation (CVSSv3 score 6.1) and SAP Enterprise Portal Theme Editor (three flaws with CVSSv3 scores 5.4, 6.1, and 6.1). Exploiting these vulnerabilities, an attacker could obtain access to a victim's session tokens, login credentials or other sensitive information in the browser, perform arbitrary actions on the victim's behalf, rewrite HTML page content and intercept keystrokes. The relevant remediation guidelines are described in SAP Security notes No. 2369469, 2372183, 2372204, and 2377626. Another vulnerability—Directory Traversal (CVSSv3 score 5.9)—allows arbitrary file upload in SAP NetWeaver Log Viewer. Attackers can upload a malformed archive that contains files with special characters in their names. When the web application unpacks the archive, it resolves the symbols "." and "/" as a part of the correct file path, so attackers can exploit the Directory Traversal vulnerability and upload files to an arbitrary place on the server file system. The consequences of arbitrary file upload can include total compromise of a system, overload of a file system or database, expanding attacks to back-end systems and defacement. The impact of this vulnerability is high, as arbitrary code can be executed on the server.
SAP Security note No. 2370876 describes the activities required to eliminate this flaw. Dmitry Gutsko, Head of the Business System Security Unit at Positive Technologies, said: "Large companies all over the world use SAP to manage financial flows, product lifecycle, relationships with vendors and clients, company resources, procurement, and other critical business processes. It is vital to protect the information stored in SAP systems as any breach of confidential information could have a devastating impact on the business." In order to identify vulnerabilities in SAP products, perform inventory checks on these systems, manage updates and analyze settings, configurations, and permissions, Positive Technologies' MaxPatrol vulnerability and compliance management solution has been certified by SAP for integration with SAP NetWeaver. In addition, Positive Technologies Application Firewall (PT AF) detects attacks, including those that leverage zero-day vulnerabilities, in SAP NetWeaver, SAP ICM, SAP Management Console, and SAP SOAP RFC using special security profiles. Positive Technologies Application Inspector also supports analysis of Java applications for the SAP NetWeaver Java platform.
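The Log Viewer flaw is the general archive-unpacking mistake: entry names are joined onto the destination path and the `..` and `/` in them are honoured. The code below is an added example, not SAP's or Positive Technologies' code and not a reproduction of the Log Viewer fix, showing the check an unpacker needs: resolve each entry's target path and refuse it unless it still lies under the destination directory. The archive is constructed in-memory; `build_sample_archive`, `safe_extract` and `run_demo` are names invented here.

```python
"""Added example (not SAP's or Positive Technologies' code): a ZIP unpacker
that rejects entries whose names would resolve outside the destination
directory. The sample archive is constructed inside this file."""
import io
import os
import shutil
import tempfile
import zipfile


def build_sample_archive():
    """Constructed archive: one ordinary entry and one whose name uses '..'
    segments to point outside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logs/app.log", "benign content\n")
        zf.writestr("../../escaped.txt", "would land outside the target dir\n")
    return buf.getvalue()


def safe_extract(archive_bytes, dest_dir):
    """Write only entries whose resolved path stays under dest_dir.
    Returns (extracted_names, rejected_names); rejected entries are never
    opened for writing, so nothing is created before the check."""
    dest = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the would-be target and confirm it is still inside dest;
            # this catches '..', absolute names and existing symlinks.
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.isabs(name) or os.path.commonpath([dest, target]) != dest:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            extracted.append(name)
    return extracted, rejected


def run_demo():
    """Unpack the sample archive into a fresh temporary directory and report
    what was written, what was refused, and whether the benign file exists."""
    dest = tempfile.mkdtemp(prefix="safe_extract_")
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    app_log_present = os.path.isfile(os.path.join(dest, "logs", "app.log"))
    return extracted, rejected, app_log_present


if __name__ == "__main__":
    print(run_demo())
```

CPython's own `ZipFile.extract()` already strips leading separators and `..` components from member names, so the explicit check matters most in code that does its own path joining, as a custom upload handler typically does; the realpath comparison also covers symlinks already present under the destination, which name sanitising alone does not.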