News Bites for the Week Ending December 14, 2018
Patches This Week
Adobe’s December patch list fixed 87 separate bugs in Acrobat and Acrobat Reader. Of these, 39 are rated critical. Last week they patched a critical zero-day in Flash (Details here).
More Spy Cams
The other day I reported that the DEA was buying spy camera enclosures to hide inside of street lights (here). Well, that is not the only place they are hiding them.
Again, assuming they follow the rules, there is nothing illegal about these efforts. The Register is reporting that the DEA is buying high-end spy cams built into seemingly ordinary shop vacs. While we don’t know the brand of shop vac, we do know that the camera is a Canon M50B, a high-end camera that does remote pan, tilt and zoom.
The camera/shop vac could be just left around or it could come attached to a government agent/janitor.
Whatever it takes to catch a crook.
O2 and its Partners Take Cell Service Down Because They Forgot to Update an Encryption Certificate
Last week millions of European and Asian cell phone users – customers of O2 and its partners – went without cell service and Internet for around 24 hours because someone forgot to renew an encryption certificate. He is probably looking for a new job right now.
The network equipment was made by telecom giant Ericsson, so you can’t blame the problem on lack of resources or not having the expertise. Details at ZDNet.
Bottom line here is that managing the details of any operational system is critical, especially if your mistakes will be publicly visible.
Kay Jewelers and Jared Jewelers fix Data Leak
Sometimes the bad guys don’t need to break in to steal information; sometimes companies leave out a welcome mat.
In this case, these two jewelers, both owned by Signet Jewelers, sent order confirmation emails containing a link that anyone could change to see another customer’s order information – name, address, what they ordered, how much they paid and the last four of their card number.
I have seen this many times before and it is an easy problem to avoid if your developers are trained to look for these kinds of issues.
While not the worst data leak in the world, not a good thing. They have since fixed the problem. Source: Brian Krebs.
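To show what "easy to avoid" looks like, here is an added example (not code from Signet or from the Krebs report) of a confirmation link handler before and after binding the link to one order with an HMAC tag. The URL, parameter names, sample orders and key are all assumptions made up for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample records, not real customer data.
ORDERS = {
    "1001": {"email": "alice@example.com", "item": "ring", "last4": "4242"},
    "1002": {"email": "bob@example.com", "item": "watch", "last4": "1881"},
}
# Assumption: a server-side secret; in practice loaded from a secret store.
LINK_KEY = b"constructed-demo-key"


def view_order_vulnerable(url):
    """Before: whatever order id appears in the link is returned."""
    order_id = parse_qs(urlsplit(url).query).get("order", [""])[0]
    return ORDERS.get(order_id)


def _tag(order_id, email):
    # The tag binds the link to one order and the customer it was mailed to.
    msg = f"{order_id}|{email}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_confirmation_link(order_id):
    """Build the link that goes into the confirmation email."""
    tag = _tag(order_id, ORDERS[order_id]["email"])
    query = urlencode({"order": order_id, "tag": tag})
    return "https://shop.example/confirm?" + query


def view_order_hardened(url):
    """After: the order is returned only when the tag verifies for it."""
    params = parse_qs(urlsplit(url).query)
    order_id = params.get("order", [""])[0]
    tag = params.get("tag", [""])[0]
    order = ORDERS.get(order_id)
    if order is None:
        return None
    expected = _tag(order_id, order["email"])
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # same answer as "no such order", so ids cannot be probed
    return order
```

Requiring the customer to log in and checking that the session owns the order is the other common fix; the signed link keeps the no-login convenience of an emailed confirmation.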
Google + To Shut Down Even Earlier After New Breach
Sometimes even the great Google can’t catch a break.
After an API flaw in October exposed data on 500,000 users, Google fixed it but announced plans to shut down the struggling social network in August 2019.
But now Google has announced another flaw that affects over 50 million users, and Google has changed its mind and will shut down Google + in April instead of August. The information visible includes name, email, occupation and age and possibly other information, but Google says that it doesn’t think anyone exploited this new bug, which was created when they fixed the old bug. Source: The Hacker News.
House Oversight and Government Reform Committee Says Equifax Responsible for Breach
A House committee spent 14 months and an unknown amount of money telling us what we already knew: the Equifax breach was totally preventable and CEO Richard Smith (who walked away from the breach with a $90 million golden parachute) had a growth strategy that lacked a clear IT management structure, used outdated technology and was not prepared to respond to the breach. The Democrats say that there was a missed opportunity to recommend concrete reforms and Equifax says that while they agree with the report, there are lots of factual errors in it. Our government at work. Source: The Hill.