Issue 42

Breach at Equifax exposes data of 143 million people

No doubt the biggest news item of the week. I'll try to digest it into a TL;DR and list some links for further reading.

TL;DR:

  • Equifax is a credit reporting company, one of the three largest, serving 820 million customers and 91 million businesses.
  • It was breached through the Apache Struts vulnerability back in mid-May. The breach was discovered at the end of July and disclosed this week.
  • The breach exposes personal data of 143 million customers, including some UK and Canadian residents.
  • The leaked data includes names, social security numbers, dates of birth, addresses, some driver's licenses and 209,000 credit card numbers.

Links:

  • Good short overview, with a bit of tongue-in-cheek and facepalm thrown in, by Graham Cluley: link
  • Reddit megathread to dive in as deep as you want: link
  • Equifax's site where it provides updates about the breach: link

Dieter Van der Stock


BlueBorne: Bluetooth zero-day vulnerabilities affect Android, Windows, Linux and iOS

Researchers found eight zero-days affecting all of the above operating systems. They can be exploited for a man-in-the-middle attack or complete device take-over. It's all wireless and doesn't require user interaction, pairing or discoverable mode to be enabled.
The latest OS versions from the above vendors include fixes, although a huge number of older versions will be left vulnerable.

helpnetsecurity.com


New wave of MongoDB ransomware: 26,000 unsecured instances compromised in a week

Also related, this week about 4,000 unsecured ElasticSearch instances were compromised to host malware.

zdnet.com


Lenovo settles for $3.5 million over Superfish

In case you don't remember: a few years ago Lenovo's laptops shipped with built-in spyware called Superfish. It looked at everything you did in order to show matching ads, and even hijacked your SSL connections with a man-in-the-middle attack.
After a few years in court they finally settled for (only) $3.5 million.

sophos.com


Samsung starts bug bounty program with up to $200,000 in rewards

The company promises to respond to reports in 48 hours, and will try to fix any vulnerabilities within 90 days.

helpnetsecurity.com


Hijacking voice assistants through ultrasound commands

Researchers were able to issue commands to Siri, Cortana and others using ultrasound voice commands at frequencies over 20 kHz, which we can't hear. Among other things they were able to make the phone navigate to a malicious website.
The attack has serious limitations, like needing very close proximity, but it's a cool bit of research nonetheless.

sophos.com


NIST releases guidelines on dealing with ransomware and other data corruption events

I can't say I've read it; it's quite expansive :-) But it seems like a very useful resource.

nist.gov


Patches and updates

  • Android's September update fixes 81 vulnerabilities, of which 13 are remote code execution bugs (link)
  • Microsoft's Patch Tuesday also fixes 81 vulnerabilities, including one zero-day in .NET which is being exploited in the wild (link)
  • Chrome 61 fixes 22 vulnerabilities and adds support for 'WebUSB', an API for non-standard USB devices (link)



Important High Sierra changes for IT admins

A deeper dive into some of the upcoming changes in High Sierra, including APFS and "User Approved Kernel Extension Loading".

tidbits.com


Taking a look at how artificial intelligence can be used on the offensive side

I generally try to stay away from the whole AI-for-security stuff until we have more concrete examples to work with. But this article gave a pretty cool example of using machine learning already: training an AI to learn about hundreds of individuals on Twitter, and then sending each one a customised spear-phishing tweet designed specifically for that person. It had a much better conversion rate than the human competitor.

gizmodo.com