News Bites for the Week Ending December 7, 2018
Australian Parliament Passes Crypto Back Door Law Overnight
Politics always wins. After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.
Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.
It is not clear what software companies will do if asked to insert back doors. One thing that is likely true is that they won’t tell you that they have inserted back doors into your software. Source: The Register.
Sotheby’s Home is the Latest Victim of Magecart Malware
Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.
Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.
They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.
Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines. GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).
Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.
Sky Brazil Exposes Info on 32 Million Customers Due to User Error
I continue to be amazed at the number of companies that can’t seem to do the simple things right.
Today it is Sky Brazil, the telecom and Pay-TV company in Brazil.
They were running the open source (which is OK) search tool Elasticsearch, exposed it to the Internet and didn’t bother to put a password on it. Is password protecting your data really that hard? Apparently!
What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.
After the researcher told them about their boo-boo, they put a password on it quickly. We are not talking brain surgery, folks. How hard is it really to make sure that you put a password on your publicly exposed data?
Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it. Nice. Source: Bleeping Computer.
Yet Another Elasticsearch Exposure – Belonging to UNKNOWN
Maybe this is Elasticsearch week. Another group of researchers found a trove of Elasticsearch data, again with no password. Information on 50 million Americans and over 100 million records.
Information in this case is less sensitive and probably used to target ads. The info includes name, employer, job title, email, phone, address, IP etc. There were also millions of records on businesses.
In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.
That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposes to be defined later. Source: Hackenproof.
Microsoft Giving Up on Edge? Replacing it with Chrome?
If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.
Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s EdgeHTML rendering engine, are dead. Rumor is that Microsoft is creating a new browser, code named Anaheim, based on the open source version of Chrome (called Chromium), which also powers the Opera and Vivaldi browsers.
If this is true, Google will effectively own the browser market or at least the browser engine market. That could make them even more of a monopoly and a target for the anti-trust police. Source: The Hacker News.
Turnabout is Fair Play
While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.
Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election. The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.
One way they kept it quiet is by not telling Speaker Paul Ryan, Majority Leader Kevin McCarthy or other leaders about it.
In fact, those guys found out when the media contacted them about the breach. I bet they are really happy about being blindsided.
Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fallout. I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.
Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC. It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them. I don’t think this was a random attack. Source: Fox News.
Another Adobe Flash Zero-Day is Being Exploited in the Wild
Hey! You will never guess.
Yes, another Adobe Flash zero-day (previously unknown) bug is being exploited in the wild. The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization. Now that it is known, that won’t last long.
The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.
Adobe has released a patch. Source: The Hacker News.