Brazil bested by hackers, Virgin plugs hub bugs, and France surrenders… records
It was pretty hectic security week, between the Sharpshooter malware attack, a massive Patch Tuesday, and yet another Facebook privacy fail.
Here’s what else broke:
Message apps leave the side door open
Researchers with Cisco Talos are warning that secure messaging apps including Signal, Telegram, and WhatsApp are leaving themselves (and their users) open to attack.
The problem, says researcher Vitor Ventura, is a while the apps themselves are secure, users can be fooled into doing things like not enabling secure settings, falling victim to session-stealing malware, and other side-channel attacks that don’t break the apps themselves, but rather circumvent their protections.
“This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties,” Ventura explained.
“These apps, which have countless users, cannot assume that their users are security educated and understand the risk of enabling certain settings on their device.”
Good news, Brazillians: Half of you still have a secure tax ID
The other half, however, will want to be keeping a close eye on your tax documents and other personal information after researchers found that a database containing the CPF numbers of some 120 million people had been left exposed to the open internet.
This from researchers with InfoArmor, who say they were unable to notify the owner of the database for several weeks. While the archive was eventually put behind a password wall, InfoArmor warns that anyone from nation states to cybercrime groups may have hacked it.
Emphasis on the may at this point. Data exposure is not the same as data theft, and thus far there is no evidence of the data being sold.
Firefox and Chrome slip out updates
In addition to the massive Microsoft and Adobe Patch Tuesday releases, both Chrome and Firefox pushed out patches as well.
The two self-updating browsers got updates that included in the case of Chrome a fix for a high-severity PDF vulnerability and in Firefox five high-severity fixes, including use after free and buffer overflow vulnerabilities.
As the browsers get these updates on their own, you should already be patched, but you can always update to the latest version to be sure.
Blizzard of Mac malware blows in for Christmas
Researchers with Malwarebytes are sounding the alarm after discovering a fresh batch of Mac malware.
So far, the security firm has spotted two new samples circulating in the wild. One is a malicious Word doc that uses breaks out of Apple’s sandbox to allow macros to download and install additional backdoor code.
The second is a poisoned clone of the Discord chat app that not only installs a backdoor on the infected machine, but also occasionally takes screengrabs and uploads them to a command and control server.
Let this once again be a warning: Macs get malware too. Be smart and never open documents attached to unsolicited or strange emails, and only download your applications from trusted sources.
French fried by database theft
The French ministry of foreign affairs is warning that some 540,000 citizens have had their contact information stolen after one of its databases was copied.
IT security staff sacré bleu it when the hackers were able to get into Ariane, an emergency contact system that allows travelers to let the government know when they were traveling to potentially unsafe nations and who to contact in case of emergency.
While it is never a good look for a government database to get popped, in this case the exposed data was pretty minimal: Email address, phone numbers, and names were all that was contained, so the threat of fraud from this incident should be pretty minimal.
Scrub-a-Hub-bub
If you have a Virgin Media Hub, you will want to do two things: First, update your firmware. Second, check out this interesting deep dive from NCC Group with all of the details on a set of nasty security vulnerabilities in the home box.
The write-up includes all the details on exploiting bugs for remote command execution, back door installation, cross-site-scripting, and even DNS rebinding.
While the researchers said that nearly all of the vulnerabilities (save for the DNS rebinding) have been fixed, Virgin was hardly responsive to their reports.
“Although Virgin Media had other issues with this device, it took 1.5 years to fix the reported issues,” writes researcher Balazs Bucsay.
“The proposed roll-out date was postponed many times and finally the new firmware (version 9.1.116.608) was rolled out in end July 2018.” ®
READ MORE HERE