Security News Bites for the Week Ending January 25, 2019
Oklahoma Government Data Left Unprotected
The Oklahoma Department of Securities left data going back to at least 1999 unprotected online. Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information. The state says it was unprotected for “a limited duration”. They are investigating. Source: The Hacker News.
NOYB Files More GDPR Complaints
None of Your Business, the non-profit founded by an Austrian privacy activist, lawyer and long-standing thorn in Facebook's side, has filed 10 complaints with the Austrian Data Protection Authority.
They say that companies are not fully complying with the GDPR requirements for providing data to requestors, and some companies did not bother to reply at all. For the most part, they found that companies did not tell people with whom they shared data, where the data came from or how long they stored it.
Beware, this is only the beginning of challenges for companies that have built their business models on selling your data. The press release also shows the MAXIMUM potential fine (not likely to be imposed), which ranges from 20 million to 6.3 billion Euros. Source: NOYB.
Another Zero Click WiFi Firmware Bug
Security researcher Denis Selianin has released the code for a WiFi firmware bug that he presented a paper on last year. The code works against the ThreadX and Marvell Avastar WiFi driver code and allows an attacker to take over a system even if the device is not connected to a WiFi network. Affected devices include the Sony PlayStation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and others. All it takes is for the device to be powered on.
I am not aware of a patch for the WiFi firmware to fix this, and for most WiFi devices the risk will likely remain active until the device winds up in a landfill or recycling center, even if a patch is released. Source: Helpnet Security.
Apple Releases Patches For iPhone, Mac and Wearables
Apple has released patches for the iPhone (and other iOS devices) that fix several remote code execution bugs (vulnerabilities that can be exploited remotely), including in FaceTime and Bluetooth and 8 bugs in the WebKit browser engine. The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.
macOS received similar patches, since much of the same software runs on the Mac, but there were Mac-specific bugs as well.
Rounding out the patch set were patches for the Apple Watch and Apple TV.
At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable. Source: The Register.
Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents
Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed. It is not clear who owns the data, which relates to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD. Ascension's parent company, Rocktop, owns a portfolio of 46,000 loans, but we don't know if these are theirs.
While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them. After all, a researcher found them. Now Ascension has to notify all of the affected parties, and I am sure that the lawsuits will begin shortly.
If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.
This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem. In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem. Now would be a good time to review your program. Source: Housingwire.