Daily Archives: October 16, 2020

Weekly Update 213

Weekly Update 213

The week's update comes on the back of a very long week for me, but it's good to be "out there" speaking at events even if they are just from the comfort of my own home. There's also more adventures in IoT, Chrome's experiment with URL paths in their omnibox and Apple messing around with MAC addresses on my phone and watch. Oh - and I did manage to track down what my favourite Norwegian beer is following a question from the audience:

Weekly Update 213
Weekly Update 213
Weekly Update 213
Weekly Update 213

References

  1. I've ordered some Xiaomi Aqara wireless switches (these are Zigbee based and will trigger various Home Assistant automations)
  2. Watching the reactions to Chrome's omnibox experiment to hide the path has been... entertaining 🤣 (but seriously, there's an interesting discussion to be had around people's ability to interpret URLs and how much value there is in removing this "noise")
  3. In iOS 14 and watchOS 7, Apple is randomising the MAC when connecting to new networks (good for privacy, but it messes up a bunch of things including my nice Ubiquiti icons)
  4. Sponsored by Varonis. SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen

The Google Cloud team revealed that in September 2017 it has mitigated DDoS attack that reached 2.54 Tbps, the largest DDoS attack of ever.

The Google Cloud team revealed that back in September 2017 it has mitigated a powerful DDoS attack that clocked at 2.54 Tbps.

This attack is the largest distributed denial of service attack recorded to date.

“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.” reads the post published by Damian Menscher, a Security Reliability Engineer for Google Cloud.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us.”

DDoS

Google researchers pointed out that the attack they mitigated was four times larger than the 623 Gbps attack launched from the Mirai botnet in 2016.

Experts noticed that this attack is bigger than the 2.3 Tbps DDoS attack mitigated by Amazon’s AWS in February.

A report published by the Google Threat Threat Analysis Group (TAG) speculates that the attack was carried out by a state-sponsored threat actor.

“we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years. For example in 2017, our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.” reads the report published by Google.

Menscher revealed that the attack was part of a campaign that leveraged multiple DDoS amplification methods to hit Google’s servers.

Google decided to disclose the DDoS attack today to warn of an increasing trend of state-sponsored actors abusing DDoS attacks to target online resources.

Experts believe that DDoS attacks are becoming even more dangerous and would intensify in the coming years.

Pierluigi Paganini

(SecurityAffairs – hacking, distributed denial of service)

The post Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen appeared first on Security Affairs.

Phishers Capitalize on Headlines with Breakneck Speed

Marking a pivot from COVID-19 scams, researchers track a single threat actor through the evolution from the pandemic to PayPal, and on to more timely voter scams -- all with the same infrastructure.

Threat Roundup for October 9 to October 16

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 9 and October 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201016-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 9 to October 16 appeared first on Cisco Blogs.

Cyber Security Today Week in Review for October 16, 2020

The Weekend version of the podcast takes a look at the top stories for the past seven days with analysis by Dinah Davis of Arctic Wolf Networks. On the agenda: The value of Cybersecurity Awareness Month and how to stop phishing attacks

The post Cyber Security Today Week in Review for October 16, 2020 first appeared on IT World Canada.

Stop playing whack-a-mole and put threats to rest with Cisco Stealthwatch Cloud

I was recently able to grab some time with a Cisco customer to hear about their experience with Cisco Stealthwatch Cloud, a SaaS-based Network Detection and Response (NDR) solution. Aspire Technology Partners, a Managed Security Service Provider, explained their use of the product for one of its customers that was in a dangerous situation involving some slippery malware floating around in the network. As I worked on this case study, I couldn’t help but think of one thing in particular…The North Carolina State Fair.

I am a relatively new North Carolina resident. Prior to working from home, I was no stranger to the commute up I-40 to building 9 of Cisco’s RTP campus. As I found my way around my new home state, I kept hearing that the NC State Fair is a rite of passage for new residents. I decided to check it out. What an experience that was. I got to see a monster truck show, a lot of farm animals and the world’s largest pumpkin. I also ate more fried food on a stick than my heart could handle. We also got to play whack-a-mole, a game that requires you to smash each mole as they poke their heads out of the machine with a mallet. As you progress, you earn points for each successful ‘whack’. Unfortunately, you can never really win since they never stop popping up.

Without an NDR tool like Stealthwatch Cloud in place, the modern Security Operations Center (SOC) is effectively doing the same thing. Their endpoint and perimeter solutions, while critical to network safety, are playing whack-a-mole: stomping on malware and isolating devices as they become infected while still knowing that the network is still at risk. Without east-west monitoring and visibility into encrypted traffic, businesses are susceptible to subsequent attacks once malware has established a foothold on the network. If your security team can’t identify how threats are accessing the network, malware could stay hidden for months…or even years.

Aspire Technology Partners was working with a customer who deployed an Incident Response (IR) team to contain a threat, believed to be ransomware, that was surfacing all over their network. The Aspire SOC team decided to deploy Stealthwatch Cloud to track the malware through east-west traffic monitoring. Here are a few reasons why Stealthwatch Cloud was critical to not only detecting the threat, but also stopping it dead in its tracks:

Stealthwatch Cloud deploys almost instantly       

The Aspire SOC team deployed Stealthwatch Cloud on the customer’s private network in just 2 hours. This allowed the team to immediately start digging through east-west flows to hunt down the threat.

Stealthwatch Cloud detects threats behaviorally     

Stealthwatch Cloud uses the network itself as a sensor, and offers both automated threat detection and the ability to search manually for threats. The team needed to identify the foothold of the attacker, and with comprehensive visibility provided by Stealthwatch Cloud, was able to discover that the malware found its way into the network via a vulnerable 3rd party device. No endpoint or agent-based solution could have figured this out.

Built-in remediation methods enable quick response to threats       

Stealthwatch Cloud offers a wealth of integrations with 3rd party and Cisco solutions that allow users to go one step further and communicate across their organization, pivot into other tools to carry on an investigation and much more. Alerts come alongside their supporting observations that contain bits of context that users can leverage as they continue to investigate. A simple firewall rule blocked out this malware for good.

So, stop playing whack-a-mole, unless you’re at the fair. Even with proper agent-based and perimeter protection, your network may still be at risk. You can fill that gap and gain comprehensive visibility on-prem or in the cloud with Stealthwatch Cloud.

To learn more, read the full Aspire Technology Partners Case Study.

Be sure to check out the Stealthwatch Cloud webpage and sign up for a free 60-day trial today.

The post Stop playing whack-a-mole and put threats to rest with Cisco Stealthwatch Cloud appeared first on Cisco Blogs.

Biden Campaign Staffers Targeted in Cyberattack Leveraging Antivirus Lure, Dropbox Ploy

Google's Threat Analysis Group sheds more light on targeted credential phishing and malware attacks on the staff of Joe Biden's presidential campaign.

Juniper fixes tens of flaws affecting the Junos OS

Juniper Networks has addressed tens of vulnerabilities, including serious flaws that can be exploited to take over vulnerable systems.

Juniper Networks has addressed tens of vulnerabilities, including serious issues that can be exploited to take control of vulnerable systems.

The vendor has published 40 security advisories related to security vulnerabilities in the Junos OS operating system that runs on Juniper’s firewalls and other third-party components.

The vendor addressed multiple critical flaws in the Juniper Networks Mist Cloud UI. The vulnerabilities affect the Security Assertion Markup Language (SAML) authentication, they could be exploited by a remote attacker to bypass SAML authentication.

“Juniper Networks Mist Cloud UI, when SAML authentication is enabled, may incorrectly handle SAML responses, allowing a remote attacker to bypass SAML authentication security controls.” reads the security advisory published by Juniper.

“If SAML authentication is not enabled, the product is not affected. These vulnerabilities can be exploited alone or in combination. The CVSS score below represents the worst case chaining of these vulnerabilities.”

Multiple vulnerabilities in Juniper Networks Junos OS have been fixed by updating third party software included with Junos OS devices.

Juniper fixed a critical remote code execution vulnerability in Telnet server tracked as CVE-2020-10188.

“A vulnerability in the telnetd Telnet server allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.” reads the advisory.

“This issue only affects systems with inbound Telnet service enabled. SSH service is unaffected by this vulnerability.”

The company also addressed high-severity denial-of-service (DoS) and arbitrary code execution issues.

The good news is that Juniper is not aware of attacks in the wild exploiting the vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urges organizations to apply the security updates released by the vendor.

“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.” reads alert issued by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.”

Pierluigi Paganini

(SecurityAffairs – hacking, Junos)

The post Juniper fixes tens of flaws affecting the Junos OS appeared first on Security Affairs.

Celebrating 200 episodes of the “Smashing Security” podcast

Carole and I have been producing a light-hearted look at the world of cybersecurity and privacy just about every week since December 2016. And this week, after millions of downloads, we released our 200th episode! We wanted to celebrate reaching that milestone, and thank the many many people who listen each week, by doing something special... and so last night we met up on YouTube for a livestream party.

Cyber News Rundown: Child Smartwatch Backdoored

Reading Time: ~ 2 min.

Backdoor Found in Children’s Smartwatch

Researchers have discovered that the X4, made by Norwegian smartwatch seller Xplora, contains a backdoor that could allow for information to be stolen. The X4 watch is designed specifically for children with a limited number of capabilities, mostly for children’s security. The backdoor, however, could allow attackers to take snapshots, view messages, call records, and access geolocational data from the wearer. The watches are designed and built in China and it remains unclear who has access to data created and stored on the devices.

Ransomware Strikes London Borough

The London borough of Hackney recently fell victim to a ransomware attack, taking several of the council’s primary services offline. While still little is known about the attack, it’s likely that encrypted files were also stolen for auctioning to the highest bidder. Council officials are working with law enforcement to determine the initial attack vector and information that may have been targeted.

Carnival Reveals Updates to Recent Cyberattack

Nearly two months after a ransomware attack compromised a third-party vendor for the Carnival Corporation, the company announced sensitive passenger information has indeed been exposed. An undetermined number of customers and employees may be affected across three Carnival cruise lines. With 150,000 employees worldwide, and upwards of 13 million customers, this data breach could be affect millions of individuals.

Ransomware Takes Aim at International Law Firm

International law firm Seyfarth Shaw has confirmed a ransomware attack targeted their systems over the weekend. While the extent of the attack remains unclear, several systems were forced offline after encryption was executed to stop additional spreading. Firm officials stated that no client information was stolen or illicitly accessed, but they are still operating without email or a live website. Some systems were saved from the attack but officials have yet to confirm if customers were affected by the breach.

Software AG Suffers Major Data Breach

German IoT specialist Software AG suffered a ransomware attack that was able to exfiltrate significant amounts of data. Officials have confirmed that, while they have been able to maintain online services throughout the attack, the malicious downloading of an unknown amount of sensitive data did take place. The attacking group has not yet been identified, but other attacks of similar scale have cost companies anywhere from $20 to $70 million in ransoms for the return of their data.

The post Cyber News Rundown: Child Smartwatch Backdoored appeared first on Webroot Blog.

Need faster application performance? Here are some tips

Graph databases and Field Programmable Gate Arrays (FPGA) can dramatically increase application performance by multiple orders of magnitude to respond to these high expectations and ever more demanding systems.

The post Need faster application performance? Here are some tips first appeared on IT World Canada.

DDoS Attacks Disrupt Massachusetts Schools

DDoS Attacks Disrupt Massachusetts Schools

Students learning remotely in Massachusetts have had their lessons disrupted by distributed-denial-of-service, or DDoS, attacks.

Sandwich Public Schools suffered a week of connection issues after what was first identified as a firewall failure occurred on October 8. A new firewall put in place to resolve the issue subsequently crashed, prompting the technology department to source a firewall from a different vendor. 

After further connectivity issues were experienced with the schools' OpenCape Network despite the new firewall, the source of the problem was determined to be a DDoS attack. 

Superintendent Pamela Gould said the district has reported the attack to Sandwich police as well as to the FBI’s Cyber Crime Unit.

"This is not a capacity issue for the district," wrote Gould in an email to parents. “This is something that is happening to us."

Repeated internet outages have also been occurring this month at Tyngsboro's high school and middle school, interrupting the district's best efforts to deliver education remotely to their students.

Superintendent Dr. Michael Flanagan said the Tyngsboro district’s IT professionals and cybersecurity provider have determined that the outages were not caused by an internal hardware issue or an issue with the district’s internet provider, but instead were the result of a DDoS cyberattack, apparently from a device being brought into the Norris Road campus each morning,

“We are frustrated and disappointed that this outage has disrupted what has been a very successful and positive start to our school year here in Tyngsboro,” Flanagan said in a news release. 

“We have all pulled together and worked so hard to create a positive learning environment in spite of the challenges and disruptions of the COVID pandemic."

Tyngsboro's outage is currently under investigation by state education officials, an IT solutions company, and local police. It is not yet clear whether lessons were sabotaged deliberately or via a device that had been compromised unbeknownst to its owner.

"While we are confident that we will soon rectify this situation, I am upset for the difficulty and disruption this has caused our students, families, and staff,” said Flanagan.

Britain’s information commissioner fines British Airways for 2018 Hack

Britain’s information commissioner has fined British Airways 20 million pounds for the 2018 hack that exposed data of 400,000 customers.

In September 2018, British Airways suffered a data breach that exposed the personal information of 400,000 customers.

The hackers potentially accessed the personal data of approximately 429,612 customers and staff. Exposed data included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Experts believe the hackers also accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

An investigation conducted by researchers at RiskIQ revealed that the attack on the airline was carried out by the notorious crime gang MageCart.

Now Britain’s information commissioner (British ICO) has fined British Airways 20 million pounds (approximately $25 million) for failing to protect personal data belonging to its customers. This is the largest fine the British ICO has ever issued.

The ICO fined the airline because the company failed in implementing adequate security measures, the company detected the security breach to months later the initial compromise.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.” said Information Commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The ICO issued the penalty under the Data Protection Act 2018 for infringements of the GDPR.

Let’s remind that under the European Union’s General Data Protection Rules imposed in 2018, organizations face fines of up to 20 million euros ($23 million) or 4% of annual global turnover.

“The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.” concludes the ICO.

Pierluigi Paganini

(SecurityAffairs – hacking, British Airways)

The post Britain’s information commissioner fines British Airways for 2018 Hack appeared first on Security Affairs.

Watch Here: How to Build a Successful AppSec Program

Cyberattackers and threat actors won???t take a break and wait for you to challenge them with your security efforts ??? you need a proactive application security (AppSec) program to get ahead of threats and remediate flaws quickly. It???s critical that you stand up an AppSec program covering all the bases, from which roles each team member will have to alignment on KPIs and goals, and even a detailed application inventory to stay on top of your code.

But it isn???t enough to simply set ground rules and define your goals; good AppSec programs succeed because they come from the top-down, with stakeholders committed at the executive level. This helps maintain accountability and ensures that developers and security professionals are aligned when it comes to targets for flaw remediation. Part of that effort involves standing up a Security Champions program, too, enabling your developers to work alongside security and take ownership over securing their code.

If you follow these and other recommendations, your AppSec program should run like a well-oiled machine with the flexibility and security you need to keep creating innovative applications. Watch this video to learn about what goes into building a successful AppSec program, andツ?check out the full How-to Series here.ツ?

ツ?

Iran Reports Two Major Cyber-Attacks

Iran Reports Two Major Cyber-Attacks

Iran has reported falling victim to two large-scale cyber-attacks, one of which was leveled at the country's government institutions.

The Iranian government's Information Technology Organization on Thursday reported that two institutions had been compromised by attackers. No party has claimed responsibility for the attack, and Iranian government officials have not stated whether the attack was domestic or foreign.

The target of earlier attacks carried out on Monday and Tuesday has not yet been named. 

According to The Jerusalem Post, the Iranian government made an announcement concerning the attacks after news of the incidents began spreading on social media. 

An Iranian news agency reported on Friday that the cyber-attacks had impacted the electronic infrastructure of the country's ports. According to US-funded Radio Farda, unconfirmed reports in Iranian media named the country's banking system and Ports and Maritime Organization as among the targets. 

Quasi-official news agency Tasnim reported a spokesperson for the country's Ports and Maritime Organization as stating: "Sworn enemies have been trying for some time to carry out cyberattacks."

The statement went on to say that action had been taken to block further attacks and prevent any disruption of the "organization's missions."

Abolghasem Sadeghi, from the government’s Information Technology Organization, commented on the attacks on state TV on Thursday. Sadeghi said that the incidents had prompted several government bodies to temporarily shut down internet services as a precautionary measure. 

He described the attacks as "important and on a large scale," and said that an investigation into them had been launched. 

A previous attack carried out on Iran's Bandar Abbas port in May 2020 was blamed on Israel. The attack was supposedly a retaliation for an attack carried out against six Israel Water Authority facilities in April 2020.

Iran reported three cyber-attacks within a week in December last year, one of which the country said was sponsored by a foreign state. The country's telecommunications minister said at the time that a cybersecurity project known as the "Dejfa fortress" had repelled a cyber-onslaught involving the "well-known APT27" threat group that has been linked to Chinese-speaking hackers.

Senator Questions US Healthcare Giant Over Cyber-Attack

Senator Questions US Healthcare Giant Over Cyber-Attack

A major healthcare provider whose systems were knocked offline for three weeks by a ransomware attack has been asked by a US senator to answer questions about its cybersecurity practices. 

Universal Health Services announced on Monday that all 400 of its health system sites were back online after being hit by a cyber-attack in the early hours of September 27. 

UHS initially reported the attack as an "Information Technology security incident," but staff who took screenshots of the attack confirmed that ransomware was responsible for the disruption. 

As a result of the incident, UHS disconnected all systems and shut down the network to prevent further propagation. While some hospitals diverted ambulances and some lab test results were delayed, the company said that "patient care was delivered safely and effectively at our facilities across the country using established back-up processes, including offline documentation methods." 

Following the attack, former technology entrepreneur and vice chairman of the Senate Intelligence Committee, Senator Mark Warner, has written to UHS to express concerns regarding their cybersecurity measures.

Warner told the Fortune 500 company that with annual revenue of more than $11bn, it should have a cybersecurity posture "sufficiently mature and robust to prevent major interruptions to health care operations."

In his letter dated October 9, the senator questioned UHS over its vulnerability management process, third-party risk management, protection of clinical medical devices, and ability to isolate networks to prevent lateral movement by attackers.

Warner also asked UHS to state whether it had paid a ransom to its attackers and to confirm whether any patient medical records, HIPAA-protected data, or healthcare information has been affected or suffered a denial of access as a result of the attack. 

On October 12, UHS stated: "Throughout the IT remediation work we have had no indication that any patient or employee data was accessed, copied or misused."

UHS, which is headquartered in King of Prussia, Pennsylvania, operates facilities in Puerto Rico, the United Kingdom, and the United States. In a statement released on September 29, the company said that its UK operations were not impacted by the attack. 

University of Calgary launches master of data science and analytics degree

The University of Calgary is adding a new graduate program to help people with different disciplines become data scientists.

The Master in Data Science and Analytics (MDSA), which was unveiled this week, is a graduate degree program offered through a collaboration between the Faculty of Science, the Haskayne School of Business, the Cumming School of Medicine, and the Faculty of Graduate Studies.

According to the university, the new program is aimed at building capacity in Canada’s growing digital economy. Statistics Canada says the country’s digital economy – which itself isn’t an industry but for a sense of scale we’ll ignore that for a moment – was larger as a proportion of the total economy than mining, quarrying and oil and gas extraction (4.8 per cent), transportation and warehousing (4.6 per cent) and utilities (2.4 per cent) in 2015. On an annual basis, the digital economy increased more than the total economy every year except in 2011 and 2017 when Canada experienced strong growth in the energy sector.

“Realizing the changing needs in an increasingly data-driven economy in Alberta, Canada, and around the world, the new program will fill an important niche in meeting the needs of students with an interest in re-skilling and up-skilling towards the tech sector,” said Dr. Bernhard Mayer, PhD, interim Faculty of Science dean. “Students in the master of data science and analytics program can expect a leading-edge education that will help them transition to important roles in Canada’s tech economy.”

The University’s website says fundamental data science, business analytics, and health data analytics and biostatistics are the program’s three areas of focus. The degree can be completed full-time in 16 months (or 12 months if students choose an accelerated pathway) or part-time through a stackable certificate and diploma pathway.

Applications to the Master of Data Science and Analytics are currently being accepted for classes beginning in September 2021.

The post University of Calgary launches master of data science and analytics degree first appeared on IT World Canada.

Breach at Dickey’s Barbecue Pit compromises 3 million Cards

Dickey’s Barbecue Pit, the largest barbecue restaurant chain in the US, suffered a POS breach, card details for 3 Million customers were posted online.

Dickey’s Barbecue Pit is a family-owned American barbecue restaurant chain, the company suffered a POS breach and card details of more than three million customers have been posted on the carding portal Joker’s Stash.

The huge trove of payment card data was spotted by researchers from the cyber-security firm Gemini Advisory.

The Joker’s Stash dark web marketplace is one of the most popular carding websites, it is known for advertising and card details from major breaches.

The card details of Dickey’s Barbecue Pit‘s customers were included in a dump titled “BLAZINGSUN.” JokerStash originally claimed that the breach would be available in August, then again in September, and finally it was posted online on October 12.

“Gemini Advisory determined that the compromised point of purchase (CPP) was Dickey’s Barbecue Pit, a US-based restaurant franchise.” reads the post published by Gemini Advisory.

“The advertisement claimed that BLAZINGSUN would contain 3 million compromised cards with both track 1 and track 2 data. They purportedly came from 35 US states and “some” countries across Europe and Asia.”

This BLAZINGSUN breach contains 3 million compromised payment records that are available for a median price of $17 per card.

The experts worked with several partner financial institutions who independently confirmed the authenticity of the stolen data.

According to Gemini, the hackers obtained the card details after compromised the in-store Point-of-Sale (POS) system used at Dickey’s Barbecue Pit restaurants.

Crooks compromised 156 of Dickey’s 469 locations across 30 states, most of them in California and Arizona.

Dickey’s locations are marked by the blue restaurant icon while the locations confirmed to be compromised are marked in red.

The compromise took place between July 2019 and August 2020. Gemini reported that the root cause of the security breach was the use of the outdated magstripe method for payment transactions, which exposed car holders to PoS malware attacks.

The company published an official statement that confirmed that it has immediately started the incident response procedure.

We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.” reads the statement provided by the company. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.” 

The payment card records are mostly for cards using outdated magstripe technologies and are being sold for a median price of $17 per card.

“Based on previous Joker’s Stash major breaches, the records from Dickey’s will likely continue to be added to this marketplace over several months.”concludes the post.

Pierluigi Paganini

(SecurityAffairs – hacking, Dickey’s Barbecue Pit)

The post Breach at Dickey’s Barbecue Pit compromises 3 million Cards appeared first on Security Affairs.

Heimdal™ Security Employee Spotlight: Adelin Ghenea

From an initially shy interviewee to one of the most valuable members of the Heimdal™ development team, Adelin Ghenea has had a great journey with us, one which will hopefully continue for as long as possible. Known as the guy who actively listens and quietly gets work done, also coming up with his own ideas […]

The post Heimdal™ Security Employee Spotlight: Adelin Ghenea appeared first on Heimdal Security Blog.

Google finally hangs up on Hangouts, says auto migrations to Chat begin in 2021

Google says it’s sunsetting Hangouts and pivoting to Chat, and Chat will become available as a free service—both in the integrated experience in Gmail and the Chat standalone app.  The news comes just days after the recent rebranding of G Suite to Google Workspace. Google says it will allow everyone to begin upgrading from Hangouts to…

The post Google finally hangs up on Hangouts, says auto migrations to Chat begin in 2021 first appeared on IT World Canada.

This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals are passing the time during the COVID-19 pandemic with online poker games, where the prizes include stolen data. Also, read about how VirusTotal now supports Trend Micro ELF Hash (aka telfhash).

 

Read on:

Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles

Cybercriminals have put their own spin on passing time during the COVID-19 lockdown with online rap battles, poker tournaments, poem contests, and in-person sport tournaments. The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.

Becoming an Advocate for Gender Diversity: Five Steps that Could Shape Your Journey

Sanjay Mehta, senior vice president at Trend Micro, was recently named a new board member at Girls In Tech—a noted non-profit and Trend Micro partner working tirelessly to enhance the engagement, education, and empowerment of women in technology. In this blog, Sanjay shares five steps that you can use to become an ally for diversity in the workplace.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

In this month’s Patch Tuesday update, Microsoft pushed out fixes for 87 security vulnerabilities – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

VirusTotal Now Supports Trend Micro ELF Hash

To help IoT and Linux malware researchers investigate attacks containing Executable and Linkable Format (ELF) files, Trend Micro created telfhash, an open-source clustering algorithm that helps cluster Linux IoT malware samples. VirusTotal has always been a valuable tool for threat research and now, with telfhash, users of the VirusTotal Intelligence platform can pivot from one ELF file to others.

New Emotet Attacks Use Fake Windows Update Lures

File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button. According to the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.

Metasploit Shellcodes Attack Exposed Docker APIs

Trend Micro recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs. The attack involves the deployment of Metasploit’s shellcode as a payload, and researchers said this is the first attack they’ve seen using MSF against Docker. It also uses a small, vulnerability-free base image in order for the attack to proceed in a fast and stealthy manner.

Barnes & Noble Warns Customers It Has Been Hacked, Customer Data May Have Been Accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

Trend Micro researchers found ContentProvider path traversal vulnerabilities in three apps on the Google Play store, one of which had more than 5 million installs. The three applications include a keyboard customization app, a shopping app from a popular department store, and the app for the European Society of Cardiology (ESC). Fortunately, the keyboard and department store apps have both been patched by developers. However, as of writing this blog, the ESC app is still active.

Carnival Corp. Ransomware Attack Affects Three Cruise Lines

Hackers accessed personal information of guests, employees and crew of three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival said they’re still investigating in an update on the situation this week.

Docker Content Trust: What It Is and How It Secures Container Images

Docker Content Trust allows users to deploy images to a cluster or swarm confidently and verify that they are the images you expect them to be. In this blog from Trend Micro, learn how Docker Content Trust works, how to enable it, steps that can be taken to automate trust validation in the continuous integration and continuous deployment (CI/CD) pipeline and limitations of the system.

Twitter Hackers Posed as IT Workers to Trick Employees, NY Probe Finds

A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say. The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said.

What is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them

A distributed denial-of-service (DDoS) attack sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. DDoS attacks are one of the crudest forms of cyberattacks, but they’re also one of the most powerful and can be difficult to stop.

Cyberattack on London Council Still Having ‘Significant Impact’

Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services. Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.

 

Surprised by the new Emotet attack?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash appeared first on .

Adobe fixes Magento flaws that can lead to code execution

Adobe released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Adobe has released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Eight of the vulnerabilities are considered either critical or important, only one is considered a moderate-severity flaw. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.

Below the list of affected versions:

ProductVersionPlatform
Magento Commerce 2.3.5-p1 and earlier versions  All
Magento Commerce 2.4.0 and earlier versions All
Magento Open Source 2.3.5-p1 and earlier versionsAll
Magento Open Source 2.4.0 and earlier versions All

One of the critical flaws addressed by Adobe is a file upload issue that can allow list bypass. Another critical SQL injection issue can lead to the execution of arbitrary code or arbitrary read/write database access. Both issues require an attacker to have already obtained admin privileges. 

Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists. 

Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a security vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403 respectively, and unintended disclosure of a document root path that could lead to sensitive information disclosure (CVE-2020-24406).

This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.

Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

The post Adobe fixes Magento flaws that can lead to code execution appeared first on Security Affairs.

BA GDPR Data Breach Fine Lowered to £20m Due to COVID-19

BA GDPR Data Breach Fine Lowered to £20m Due to COVID-19

The fine against British Airways for GDPR failings has been reduced to £20m from the original £183m intent to fine issued last July.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place, leading to a cyber-attack during 2018, which it did not detect for more than two months. It said the amount to be fined (£20m) was considered with both representation from BA and the economic impact of COVID-19 on the business.

The ICO also said, as the breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

According to the penalty notice, a proposed penalty of £183.39m was issued on July 4 2019 with a extension till March 21 2020 agreed in December. On April 3 2020, the ICO wrote to BA requesting information regarding the impact of COVID-19 on its financial position, and having considered BA’s representations, both BA and the ICO “agreed to a series of further extensions of the statutory deadline to 30 September.

Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: “Brexit and coronavirus have put businesses under immense financial strain and a fine of this magnitude will get the attention of board members of organizations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO.

“This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.”

In the attack, an attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.

The ICO said that since the attack BA has made considerable improvements to its IT security. Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

Piers Wilson, head of product management at Huntsman Security, said: “Whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgement of the ravages of COVID-19 on the airline industry or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect.”

Vanessa Barnett, commercial and IP partner at Keystone Law, added: “In the grand scheme of things, it’s important that the punishment fits the wrongdoing: whilst the GDPR certainly has teeth and can really bite quite hard, it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR. Don’t forget that before GDPR the statutory limit was £500,000.

“£500,000 to £20m is a big jump and will still very much focus the (compliance) minds! The ICO may have felt some moral pressure not to whack BA even more in the midst of a global pandemic which is affecting it hugely and luckily, its enforcement framework allows that.”

Cyber Security Today – Dickey’s Barbecue chain hacked, Barnes and Noble notifies customers and beware of this Windows Update scam

Today's podcast reports on customer payment card data of a US restaurant chain for sale, a bookseller warns customers their data may have been hacked and a warning about the latest Windows Update scam

The post Cyber Security Today - Dickey's Barbecue chain hacked, Barnes and Noble notifies customers and beware of this Windows Update scam first appeared on IT World Canada.

Election Security and Confidence Can Be Enabled Through Public-Private Partnerships

Election Security and Confidence Can Be Enabled Through Public-Private Partnerships

The security of democracy can be better protected if there is trust from the public and improved collaboration between public/private sectors and governments.

Speaking on a virtual roundtable, Shawn Henry, Crowdstrike CISO and president of Crowdstrike Services, said this is a political and cybersecurity issue. Henry began by claiming that foreign interference in an election is the “ultimate hack, not just of democracy, but of peoples beliefs, what they think and why they think it.” This leads to questions about whether the election is secure and valid, and whether casted votes do count, calling it “a national security issue.”

William Evanina, director of the National Counterintelligence and Security Center (NCSC), said foreign interference is not new, but in the past year it has travelled across to the US and “we’ve seen our adversaries amplify and accentuate over social media.” He also said too many western governments do not understand what disinformation looks and feels like, so the opportunities presented by social media present a vulnerability.

Commenting, Sir Rob Wainwright, senior partner at Deloitte, said disinformation is “a problem around the world” as social media has the opportunity to “spread false narratives, but there is a side to this that is even more dangerous and insidious.” Wainwright also cited cyber-attacks as part of a campaign of disinformation, as this “is about more than just spreading propaganda.”

Wainwright explained the complexity and cycle of the threat between 2016 and 2020 elections and said “we need to up our game as a result.” Evanina said time had been spent over the past few years driving partnerships with government agencies and industry “so the local CISO understands the intent and the adversary, and how they can be compromised.”

Asked by Henry what role a collaboration between public and private sector can play in this situation, Wainwright said there is a role in society to get this right, particularly for social media, and those companies are working more intensively than four years ago. “The big point is that this is not about what role governments can play on one side and private sector companies on the other, it is very much about the collaboration and getting that public-private partnership in the right space so it is all hands on deck in a uniform way,” he added.

Wainwright said the collective responsibility should be about getting the hygiene right, about common standards across the election infrastructure, as well as knowing where the threats are coming from and what the intelligence looks like.

Evanina agreed that public-private partnerships has never been more important. “We have to be willing and able to partner, and that partnership starts not only with intelligence sharing, but we have to find a happy medium where we can provide due diligence on sharing information at the same time, some privacy protections and privacy sanctions after a company is victimized,” he said. “Being a victim is not something that can carry penalties, we have to find a happy medium.”

Wainwright concluded by citing the importance of this issue, particularly in embedding confidence in the public, saying regardless of if you work for a social media company, in intelligence or in government “you need to see everything through that lens to get it right and prioritize it in a collective and successful way.”

Evanina said as a democracy, we need to provide free and open elections, so the public has confidence in the voting systems. “If we cannot ensure that, we have a lot more problems than we think we do.”

U.S. Federal Court Issues Restraining Order against Tech Support Scheme

A federal court in the United States issued a temporary restraining order against a tech support scheme that’s alleged to have targeted U.S. consumers. On October 15, the U.S. District Court filed Southern District of Florida submitted a complaint against Michael Brian Cotter, 59, of Glendale, California. The complaint alleged that Cotter had worked with […]… Read More

The post U.S. Federal Court Issues Restraining Order against Tech Support Scheme appeared first on The State of Security.

Dickey’s PoS Breach Could Hit Three Million Cards

Dickey’s PoS Breach Could Hit Three Million Cards

Another popular US restaurant franchise appears to have been on the receiving end of a major point of sale (PoS) data breach, with dark web traders claiming to have three million cards to sell.

Threat intelligence firm Gemini Advisory analyzed data uploaded to infamous carding forum Joker’s Stash and revealed that Dickey’s Barbecue Pit is the affected restaurant chain.

It said that customers in around a third of locations, 156 of 469, across 30 states may have had their cards compromised between July 2019 and August 2020.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of PoS device and processors that they utilize,” said the vendor.

“However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

The dark web seller advertising the cards, BlazingSun, has not uploaded the entire stash yet, and will likely continue to add compromised data over the next few months, Gemini Advisory said.

“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks,” it concluded. “It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s.”

After the shift to EMV, merchants which continue to process magstripe could face legal action and fines if breached. The practice is far more common in the US, which made the switch to more secure cards relatively late compared to much of Western Europe, which is why PoS breaches like this still occur.

Other big names compromised in this way over the past year include convenience store chain Wawa, Planet Hollywood parent company Earl Enterprises and Rutter’s, another convenience store brand.

BA fined record £20m for customer data breach

Personal details of more than 400,000 customers accessed by hackers in 2018

A £183m fine levied on British Airways for a data breach has been reduced to £20m after investigators took into account the airline’s financial plight and the circumstances of the cyber-attack.

The £20m fine is nonetheless the biggest ever issued by the Information Commissioner’s Office (ICO), following the 2018 incident in which more than 400,000 customers’ personal details were compromised by hackers.

Continue reading...

Critical flaw in SonicWall’s firewalls patched, update quickly! (CVE-2020-5135)

Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution. About CVE-2020-5135 The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities. CVE-2020-5135 was discovered by Nikita Abramov … More

The post Critical flaw in SonicWall’s firewalls patched, update quickly! (CVE-2020-5135) appeared first on Help Net Security.

Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

The Tripwire VERT security team spotted almost 800,000 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

Security experts from the Tripwire VERT security team have discovered 795,357 SonicWall VPN appliances that were exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

“A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” reads the advisory published by SonicWall.

The CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler.

The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible.” reads the analysis published by Tripwire. “This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

This vulnerability is very dangerous, especially during the COVID-19 pandemic because SonicWall NSA devices are used as firewalls and SSL VPN portals allow employees to access corporate networks.

The vulnerability affects the following versions:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

Security experts from Tenable have published a post detailing the flaw, they also shared Shodan dorks for searching SonicWall VPNs.

“Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.” wrote Tenable.

At the time of this post, the first search query provides 448,400 results, the second one 24,149, most of the vulnerable devices are in the United States.

SonicWall has already released updates to address the flaw, the company also recommends to disconnect SSL VPN portals from the Internet as temporary mitigation before installing one of the following versions:

  • SonicOS 6.5.4.7-83n
  • SonicOS 6.5.1.12-1n
  • SonicOS 6.0.5.3-94o
  • SonicOS 6.5.4.v-21s-987
  • Gen 7 7.0.0.0-2 and onwards

The CVE-2020-5135 is a critical vulnerability rated as 9.4 out of 10, it could be easily exploited by unauthenticated attackers.

At the time this post was published, no PoC exploit code was available for the CVE-2020-5135 flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-5135)

The post Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135 appeared first on Security Affairs.

Nearly 800,000 SonicWall VPNs Need Critical Flaw Patching

Nearly 800,000 SonicWall VPNs Need Critical Flaw Patching

Nearly 800,000 VPNs around the world need urgent patching after a vendor issued a security update for a critical flaw this week.

Researchers from Tripwire found the stack-based buffer overflow vulnerability in SonicWall’s Network Security Appliance (NSA), or more specifically, its underlying SonicOS software.

According to Tripwire security researcher Craig Young, who discovered the bug, the problem exists in the HTTP/HTTPS service used for product management and SSL VPN remote access. It can apparently be triggered by an unauthenticated HTTP request involving a custom protocol handler.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition,” Young continued.

“Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public internet.”

With over 795,000 SonicWall devices exposed according to a Shodan search made by Tripwire on Wednesday, the bug could be exploited to cause widespread damage.

According to SonicWall, the vulnerability has a CVSS score of 9.4, perhaps a reflection of the fact it could lead not only to denial of service but also arbitrary remote code execution.

The affected versions are: SonicOS 6.5.4.7-79n and earlier, SonicOS 6.5.1.11-4n and earlier, SonicOS 6.0.5.3-93o and earlier, SonicOSv 6.5.4.4-44v-21-794 and earlier and SonicOS 7.0.0.0-1.

The vendor released patches on Monday.

VPN systems are increasingly being targeted by attackers looking to find a way into corporate systems, given the large numbers of remote workers currently reliant on them.

In April it was confirmed that cyber-criminals were exploiting known bugs in Citrix and Pulse Secure VPNs to deploy ransomware in hospitals, while just this week it emerged that other attackers were chaining VPN exploits with Zerologon to compromise Active Directory (AD) identity services.

SonicWall sent Infosecurity a statement to confirm it takes every vulnerability disclosure seriously.

“Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring CVE listings based on CVSS,” it explained.

“The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”

VoIP Firm Broadvoice Leaks 350 Million Customer Records

VoIP Firm Broadvoice Leaks 350 Million Customer Records

A US-based VoiP provider has been found leaking over 350 million customer records, after a configuration error left several online databases exposed.

Researcher Bob Diachenko found the unprotected Elasticsearch database clusters belonging to Broadvoice on October 1.

The trove of 10 databases included one containing more than 275 million records. It featured full caller name, identification number, phone number, state and city.

Perhaps more dangerous from a privacy perspective was another collection of over two million records that included names, phone numbers and, for 200,000 records, call transcripts.

According to Comparitech, which worked with Diachenko on the case, some of these transcripts themselves contained sensitive details such as voicemails left at medical clinics and financial services firms.

Comparitech claimed most of the data belongs to Broadvoice XBP customers.

“The leaked database represents a wealth of information that could help facilitate targeted phishing attacks. In the hands of fraudsters, it would offer a ripe opportunity to dupe Broadvoice clients and their customers out of additional information and possibly into handing over money,” Comparitech argued.

“For example, criminals could pose as Broadvoice or one of its clients to convince customers to provide things like account login credentials or financial information.”

Some exposed data, such as insurance policy numbers and financial loan details, could even be used to attempt identity fraud without the need for further phishing, it added.

However, Broadvoice reacted relatively quickly to the notification on October 1, fixing the privacy snafu by October 4.

The firm’s CEO, Jim Murphy, claimed the data had been “inadvertently” stored in an unsecured database on September 28, and said that law enforcement has been informed and an investigation has been launched.

“At this point, we have no reason to believe that there has been any misuse of the data,” he continued.

“We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time. We sincerely regret any inconvenience this may cause.”

Android Permissions Can Be Dangerous: Full Guide to Managing Them

Alexander Graham Bell’s invention of the telephone back in 1876 marked one of the most important cultural revolutions of mankind – its invention and everything that followed afterwards (the invention of the first dial phone, the apparition of the first mobile/cellular phone, the apparition of the 2nd, 3rd, 4th and 5th generation technologies) allowed us […]

The post Android Permissions Can Be Dangerous: Full Guide to Managing Them appeared first on Heimdal Security Blog.

Google Warns of Zero-Click Bluetooth Flaws in Linux-based Devices

Google security researchers are warning of a new set of zero-click vulnerabilities in the Linux Bluetooth software stack that can allow a nearby unauthenticated, remote attacker to execute arbitrary code with kernel privileges on vulnerable devices. According to security engineer Andy Nguyen, the three flaws — collectively called BleedingTooth — reside in the open-source BlueZ protocol stack

Microsoft Releases Patches For Critical Windows TCP/IP and Other Bugs

Microsoft on Tuesday issued fixes for 87 newly discovered security vulnerabilities as part of its October 2020 Patch Tuesday, including two critical remote code execution (RCE) flaws in Windows TCP/IP stack and Microsoft Outlook. The flaws, 11 of which are categorized as Critical, 75 are ranked Important, and one is classified Moderate in severity, affect Windows, Office and Office Services and