News
Breaches and leaks
- Barnes & Noble had a ransomware-sounding breach: link.
- Data from Ubisoft and Crytek posted on a ransomware data leak site: link.
- Dickey's BBQ had info on 3 million credit cards stolen: link.
- International law firm Seyfarth discloses ransomware attack: link.
- Home security cams hacked in Singapore, and stolen footage sold on adult websites: link.
- Broadvoice had an unsecured database with 350 million customer records and voicemail transcripts: link.
"Bad Neighbor": Windows ICMP vulnerability can lead to DoS and (maybe) remote code execution
There was a lot of news on this one, and rightfully so. By sending a maliciously crafted ICMPv6 packet you could trigger a good ol' Blue Screen of Death, and code execution seemed plausible too. I did just notice the update in the article that the issue is not routable over the Internet and that RCE is unlikely given other default countermeasures. Still, you'll want to patch up.
Google warns of 'zero-click' Bluetooth vulnerability in Linux-based IoT devices
Another week, another badly named Bluetooth issue ("BleedingTooth" this time). An attacker in close proximity could cause a denial of service or possible code execution. I hope someone is still paying attention to these, because I admit my eyes are starting to glaze over when I read them.
Ransomware attackers buy network access
Great explanation of the economics of how certain threat groups break into corporate networks, assess the size of the target, and then sell access to that network to other groups like ransomware operators. The most common entry points, as expected, are compromised RDP connections and unpatched VPN services.
Hacker groups chain VPN and Windows bugs to attack US government networks
It must be good times for the above-mentioned network sellers. There are quite a few VPN vulnerabilities known (plus a new one, affecting 800,000 publicly reachable SonicWall VPNs).
Combined with an often still unpatched Zerologon Windows vulnerability, it makes quite a package. The FBI and CISA warn that they see many attacks against both government and other networks.
Canva design platform actively abused in credentials phishing
Nothing specifically against Canva, or for that matter Basecamp, which is in a similar situation. More a general reminder that legit looking services and links can still be trouble.
Zoom rolls out end-to-end encryption
It's important to note that quite a few things will stop working when using e2ee: join before host, cloud recording, streaming, live transcription, breakout rooms, polling, 1:1 private chat and meeting reactions. I'm not sure how that will change in the future. They say this is phase one out of four around the e2ee rollout.
GDPR fine of £20 million for British Airways
It relates to the 2018 British Airways breach, in which over 400,000 customers had personal information and payment data stolen. The fine is as high as it is because it was judged that BA's security measures were severely inadequate. They do note that BA have improved considerably since then.
Singapore regulates security requirements for new home routers
This is pretty sweet. Starting in April next year routers sold in Singapore will have to fulfill various security requirements like randomised login credentials and default automatic downloads of firmware updates for security patches.
US Department of Justice reignites the battle to break encryption
We're probably all familiar with the debate by now, but I found this article to be a nice, easy to read overview of where we stand.