News Roundup for 12th July 2019
Posted by Peter Bassill on 12/07/2019

Here is the round up of the last two weeks' news.

British Airways faces record-breaking GDPR fine after data breach
The UK's data watchdog has announced plans to fine the airline British Airways a record £183 million over last year's data breach. The Information Commissioner's Office (ICO) said that "poor security arrangements" at the company led to the breach of credit card information, names, addresses, travel booking details and logins for around 500,000 customers. The fine would be the largest the ICO has ever issued, BBC News reports, far more than the £500,000 fine against Facebook for the Cambridge Analytica scandal, which affected millions. British Airways now has 28 days to appeal the ruling before it is made final.
https://www.theverge.com/2019/7/8/20685830/british-airways-data-breach-fine-information-commissioners-office-gdpr

Marriott Hotels face a £99,000,000 fine for poor security
International hotel group Marriott is facing a £99m fine after hackers stole the records of 339 million guests. The Information Commissioner's Office, Britain's data privacy authority, issued a notice of its intention to fine the group for infringements of the General Data Protection Regulation (GDPR) over the 2014 hack on the Starwood hotels group, two years before it was acquired by US-based Marriott. It comes just days after British Airways said it intended to contest a record £183m fine over a 2018 data breach.
https://www.theguardian.com/business/2019/jul/09/marriott-fined-over-gdpr-breach-ico

D-Link to Audit Every 2 Years
D-Link has settled a case with the FTC by agreeing to implement a security program within the company and to undergo independent audits every two years. The FTC had sued the company over serious security flaws that put users at risk, including hard-coded login credentials, credentials stored in plain text on mobile devices, marketing that implied its devices were secure, and a failure to test for and remediate well-known vulnerabilities.
Cyber Criminal Jailed for 27 Months
DerpTroll, also known as Austin Thompson, 23, has been sentenced to 27 months in prison and ordered to pay $95,000 in damages to Sony for DDoSing Sony and other gaming companies in 2013 and 2014. This is the same hacker who took down gaming servers over Christmas 2013 and bragged about it on Twitter. Don't do illegal attacks, kids!
Canonical Hacked
Canonical's GitHub account was compromised on July 6: an attacker who had obtained the account's credentials used it to create new repositories and open issues. The compromised account was removed, and Ubuntu's source code was not affected.
Another hole in Firefox
A couple of Firefox flaws hit the news this week. First, an HTML file downloaded via the browser and then opened from the local disk can read other files on that disk, thanks to a 17-year-old known issue (Firefox treats files in the same local directory as same-origin) that was used in a recent proof of concept. This would allow an attacker to steal files stored on a victim's computer. There is no fix in the works. Mozilla has also said it has no current plans to enable DNS-over-HTTPS by default in the UK. DNS-over-HTTPS (DoH) keeps ISPs from seeing which domain names a user looks up; UK ISPs objected because they rely on DNS to block access to inappropriate sites. DoH adds an additional layer of privacy, and you can still enable it yourself via the step by step guide linked here.
China Against Privacy
Chinese border authorities are installing spyware on tourists' phones when they cross into Xinjiang. The app is used to search for extremist Islamic files and data, but it also collects texts, emails and phone logs. It is unknown what the Chinese government does with this data, but we can make guesses based on the surveillance network it already runs in that region.
Amazon Echo has No Data Deletion
Amazon Echo transcripts and voice recordings are officially kept indefinitely, according to a letter from Amazon to a US senator. Users can delete recordings via the Alexa app or website, but records of transactions are kept forever. Amazon is very interested in how many pizzas you order, apparently.
OpenPGP Attacked
The OpenPGP keyserver network has been hit by a certificate-flooding attack. Attackers uploaded tens of thousands of bogus third-party signatures onto the public keys of at least two OpenPGP developers, and because the SKS keyservers accept and replicate anything they receive, the poisoned keys spread across the whole network. Importing one of those keys makes GnuPG grind to a halt, which in turn breaks signature verification for messages and software updates signed by the affected key. Because the weakness is in the keyserver design rather than a single bug, chances are this won't be fixed anytime soon.
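A practical defence is to look at a key before letting gpg import it. The following is an added example, not GnuPG or SKS code: a minimal RFC 4880 packet walker that handles both old- and new-format packet headers, counts the signature packets (tag 2) attached to an exported binary key, and flags a key whose count is far beyond what a legitimate keyring carries. The sample "keys" it builds are constructed from dummy packet bodies and contain no real key material; the 500-signature threshold is an assumption you would tune to your own keyring.

```python
import struct
from collections import Counter

# Added example, not GnuPG code: a minimal RFC 4880 packet walker that counts
# the signature packets attached to a key before you let gpg import it.

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13


def encode_packet(tag: int, body: bytes, old_format: bool = False) -> bytes:
    """Serialise one packet with a new-format header, or an old-format two-octet-length header."""
    if old_format:
        return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack("!H", len(body)) + body
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack("!I", n)
    return bytes([0xC0 | tag]) + length + body


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet of a binary (not ASCII-armored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack("!I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:  # old-format header (RFC 4880 section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        yield tag, body


def count_tags(data: bytes) -> Counter:
    """Histogram of packet tags in the stream."""
    return Counter(tag for tag, _ in iter_packets(data))


def is_flooded(data: bytes, max_signatures: int = 500) -> bool:
    """Coarse pre-import check: a normal key carries a handful of self-sigs and
    third-party certifications; a poisoned one carries tens of thousands."""
    return count_tags(data)[TAG_SIGNATURE] > max_signatures


def make_sample_key(num_sigs: int, old_format: bool = False) -> bytes:
    """Constructed stand-in for an exported key: dummy packet bodies, no real key material."""
    packets = [
        encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40, old_format),
        encode_packet(TAG_USER_ID, b"Test User <test@example.invalid>", old_format),
    ]
    packets += [
        encode_packet(TAG_SIGNATURE, b"\x04\x13" + i.to_bytes(4, "big") * 30, old_format)
        for i in range(num_sigs)
    ]
    return b"".join(packets)


if __name__ == "__main__":
    for n in (3, 50_000):
        print(n, "signature packets, flooded:", is_flooded(make_sample_key(n)))
```

Run it over the output of `gpg --export <keyid>` (binary, not `--armor`) fetched from a keyserver before the key reaches your keyring. Counting packets is deliberately cheap: the cost that makes GnuPG hang is verifying each bogus certification, which this check never attempts.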
Superhuman charges you to be the product
Superhuman is an invite-only email app costing $30 a month that lets users see when and where their email recipients opened their messages. That's creepy, especially for anyone who wants to collect and triangulate data about you, and Superhuman wasn't informing recipients of this either. The app does it with tracking pixels, but in light of the controversy Superhuman has said it will stop tracking location and delete the existing location data, and read receipts will be off by default. Sometimes outrage can create change.
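Tracking pixels work because the recipient's mail client fetches a remote image, and that fetch tells the sender the time of the open and the client's IP address (hence the "where"). The following is an added example, not Superhuman's code or any mail client's: a small detector that scans an HTML email for remote images that are sized or styled to be invisible, or that carry an opaque per-recipient token in the URL, and lists the hosts a privacy-minded client would refuse to fetch from. The sample message and host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Added example (not Superhuman's code): spot remote images in an HTML email
# that exist to report opens rather than to be seen. Heuristics, not proof.

HIDDEN_STYLE = ("display:none", "visibility:hidden", "width:1px", "height:1px")
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{20,}")


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height attributes such as "1", "1px" or "0"."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_tracking_pixels(html: str) -> list:
    """Return [{'src', 'host', 'reasons'}] for each remote <img> that looks like a beacon."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid:/data: images trigger no remote fetch, so they cannot report an open
        reasons = []
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 or 0x0 dimensions")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE):
            reasons.append("hidden by inline style")
        parsed = urlparse(src)
        query_values = [v for vals in parse_qs(parsed.query).values() for v in vals]
        if OPAQUE_TOKEN.search(parsed.path) or any(len(v) >= 16 for v in query_values):
            reasons.append("per-recipient token in URL")
        if reasons:
            hits.append({"src": src, "host": parsed.hostname, "reasons": reasons})
    return hits


def hosts_to_block(html: str) -> set:
    """Hostnames a mail client or image proxy could refuse to fetch from."""
    return {hit["host"] for hit in find_tracking_pixels(html)}


# Constructed message body, not a real Superhuman email. The logo is a normal
# remote image; the cid: image is embedded; the last <img> is the beacon.
SAMPLE_EMAIL = """<html><body>
<img src="https://mail.example.com/images/logo.png" width="200" height="60" alt="logo">
<p>Hi Alice, are you free on Tuesday?</p>
<img src="cid:signature@local" width="1" height="1">
<img src="https://track.example.net/open/d41d8cd98f00b204e9800998ecf8427e.gif?u=4f3c" width="1" height="1"
     style="display:none; border:0">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["host"], hit["reasons"])
```

Blocking remote image loads by default (or fetching them through a shared proxy that hides the recipient's IP) defeats every variant of this, which is why the "where" part of the feature depends entirely on the recipient's client settings.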
Tor fix released
Tor is fixing, in the 0.4.2 release, a huge bug that has been used for years to launch DDoS attacks against .onion sites. While some of the sites attacked were legitimate, lately the attacks have been targeting illegal marketplaces on the dark web. The Tor developers are giving onion site operators the option to enable an active defence against DDoS attacks.
https://www.zdnet.com/article/tor-project-to-fix-bug-used-for-ddos-attacks-on-onion-sites-for-years/

Arlo flaw, Requires Physical Access
Arlo Smart Home Cameras have serious flaws affecting customers of Arlo (spun out of Netgear), which says its security cameras stream more than 100 million videos a day. The flaws would allow an attacker to disable a video feed or manipulate the footage. Two announcements, one from Tenable and one from a pair of researchers, detail the flaws. Chances are low that you'd be targeted, as the attacks require physical access to the device. Patches from Arlo are now available.
https://www.cyberscoop.com/smart-home-vulnerabilities-netgear-zipato/

7-Eleven Hacked
Hackers stole about $500,000 USD (about 55 million yen) from 900 customers of 7-Eleven Japan after its new 7pay app was used to make fraudulent charges. The app had a design flaw: a customer paid by showing a barcode on screen at checkout, but the password reset function let anyone request a reset for any other account and have the reset link sent to an email address of the attacker's choosing. Why the app allowed password reset links to be sent to an arbitrary email address is beyond me.
https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/

Microsoft Security Updates
It is that time of the month already; the days seem to slip away at an astounding rate. This month we see three major revisions for issues:
Complete information for the July 2019 security update release can be found at:https://portal.msrc.microsoft.com/en-us/security-guidance
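The 7pay flaw above is a textbook case of a reset flow trusting a caller-supplied delivery address. As an added example (not 7pay's code), here is that flaw alongside a hardened flow in which the address comes only from the account record, the token is random, stored hashed, time-limited and single-use, and the response does not reveal whether the account exists. The user store, the date-of-birth check, the reset URL and the 15-minute lifetime are all assumptions made for the example; the real app's inputs were not published in detail.

```python
import hashlib
import secrets

# Added example, not 7pay's code: the reported design flaw beside a hardened
# reset flow. User records, field names and the reset URL are constructed.

USERS = {
    "alice": {"email": "alice@example.com", "dob": "1990-01-01"},
}
TOKEN_LIFETIME = 15 * 60  # seconds; an assumed value


def reset_password_vulnerable(user_id: str, dob: str, send_to: str, outbox: list) -> bool:
    """Flaw as reported: the link is delivered to whatever address the requester supplies."""
    user = USERS.get(user_id)
    if user is None or user["dob"] != dob:
        return False
    token = secrets.token_urlsafe(32)  # token strength is irrelevant once it goes to the attacker
    outbox.append((send_to, f"https://pay.example/reset?token={token}"))
    return True


def reset_password_fixed(user_id: str, outbox: list, pending: dict, now: int) -> str:
    """Hardened: address comes only from the account record; the token is random,
    stored hashed, time-limited and single-use; the response is identical whether
    or not the account exists, so it cannot be used to enumerate users."""
    user = USERS.get(user_id)
    if user is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        pending[digest] = (user_id, now + TOKEN_LIFETIME)
        outbox.append((user["email"], f"https://pay.example/reset?token={token}"))
    return "If that account exists, a reset link has been sent to its registered email address."


def consume_reset_token(token: str, pending: dict, now: int):
    """Return the user_id the token belongs to, or None. The token is spent either way."""
    entry = pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    user_id, expires = entry
    return user_id if now <= expires else None


if __name__ == "__main__":
    outbox = []
    reset_password_vulnerable("alice", "1990-01-01", "attacker@evil.example", outbox)
    print("vulnerable flow delivered the link to:", outbox[-1][0])
    pending = {}
    reset_password_fixed("alice", outbox, pending, now=1_000)
    print("fixed flow delivered the link to:", outbox[-1][0])
```

Rate limiting of reset requests and logging of where they come from are left out for brevity; both belong in a production flow, but neither would have helped 7pay, because the vulnerable flow above hands the attacker a valid link on the first try.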