Cyber Round-up for 2nd August
Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
While publishing this week’s edition we realised that, amazingly, it has been a year since we first released the Cyber Round-up. Its format has evolved since the early editions, and hopefully, like us, you feel that it continues to improve.
In this week’s round-up:
Major credit card issuer, Capital One, has suffered a massive data breach compromising the personal data of about 106 million US and Canadian users; the company revealed that the stolen data included names, addresses and phone numbers of its customers. It was reported that the breach was possible because of a configuration vulnerability in the company’s infrastructure, which was discovered on 19th July. Following the hack, the attacker was found boasting about the breach on social media and has since been arrested; this is believed to be one of the biggest data breaches in banking history.
A North Carolina county was recently hit by a business email compromise scam, which resulted in the theft of $1.7 million. The email appeared to be from Virginia-based Branch and Associates; it claimed that the company had changed its bank details and requested that payments be sent to the new account instead. The scam resulted in a total of $2,504,601 on 21 December 2018. The Bank of America was able to recover some of the stolen funds, but $1.7 million remains missing. The money stolen was supposed to be used to build a new high school in the county, but this project has since been halted.
Credential stuffing is becoming a bigger threat every day and may be even more popular than phishing attempts. Credential stuffing involves using stolen or leaked usernames and passwords from previous breaches to brute-force a user’s account. In the last 18 months, content delivery network Akamai Technologies has detected around 3.5 billion credential stuffing attempts, half of which targeted financial services. Despite the recent increase in security, financial institutions can’t detect every attack thrown at them; since they are such a big target for criminals, detecting attacks is crucial.
A wealth of information has been disclosed by a publicly accessible database belonging to the automotive powerhouse Honda. Their recent delight at Formula 1 wins and podium finishes will have been dashed by the news that 134 million documents containing 40GB of data had been left exposed to the internet. The data contained details of their IT assets as well as employee information. Unfortunately, the bad news didn’t stop there: alongside the assets was in-depth information on the company’s security software and patching levels, which is a treasure trove to attackers. Honda worked immediately to secure their systems and thanked the researcher for their efforts and for reporting the vulnerability.
The viral photo-morphing app, FaceApp, has been collecting users’ Facebook friend list data, despite having no need for it. Researchers have spent a lot of time trying to discover why the app would need this kind of data but were unsuccessful. When asked, the FaceApp developers responded saying the data was collected for a social media voting feature that was discontinued; however, this does not explain why the data is still being collected. Since the app is unnecessarily asking for permissions, we advise avoiding downloading it.
A new zero-day flaw in the Total Donations plugin has left WordPress sites vulnerable to hackers, who could potentially steal data and even hijack the website. This vulnerability has been actively exploited, and it was confirmed that all versions of this plugin are affected by the flaw. Researchers received no reply when they contacted the plugin’s developers, and it has not been updated since 2016; this could mean that Total Donations has been abandoned, and there may not be an official patch. To protect against this exploit, we recommend you remove the plugin from your website and find a supported replacement. Details on the nature of the exploit are included in the original post.
Vulnerabilities & Updates
Google Project Zero’s white hat hackers have recently disclosed details for 4 major iOS security vulnerabilities, which were addressed in the iOS 12.4 update. The flaws include a memory corruption issue, a Siri exploit, and two iMessage exploits. A fifth flaw was also discovered but has not yet been shared because the patch did not fully address it. Details on all the disclosed vulnerabilities can be found in the original post.
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
If you have any recommendations for additional content, or things you would like to see covered then please let us know.
Edition #52 – 2nd Aug 2019
Ironshare – Security Simplified