Security News for the Week Ending August 30, 2019
Lenovo “Crapware” Allows Attacker to Compromise Any PC in 600 Seconds
I am not going to get on my soapbox about why you should not buy a PC built by the Chinese government because I know people love their old IBM ThinkPads, but handle this issue no matter what.
Apparently the Lenovo “Solutions” Center has a bug that allows any user (meaning a hacker that has installed any malware on your computer – so your computer has to be compromised at some small level for this to work) to become an admin in 10 minutes, the interval at which Solutions Center runs. You can read the details in the link, but the simple fix is to delete the app completely. If you actually use the Solutions Center functionality, Lenovo has a new app that does not have this vulnerability. Source: The Register.
Should You Block Newly Registered Domains?
Researchers say that OVER 70% of newly registered domains are malicious or otherwise potentially harmful to organizations. "Newly registered" here means 32 days. Some organizations are already blocking these domains or, alternatively, giving users a warning if they go there.
Two thoughts on this. First, if YOU plan on launching a new domain, you should plan in advance and buy the domain early; many hackers do not have the patience to do this (in fact, their domains are only live for a few hours). Second, you should consider implementing a block or warning on newly registered domains to protect your users. Source: Help Net Security.
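One way to implement the block-or-warn decision described above, as an added example that is not from the article or from Help Net Security. It assumes your proxy or DNS filter can obtain each domain's RDAP record (RFC 9083); the domain names, records and function names below are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

NEW_DOMAIN_WINDOW = timedelta(days=32)  # the "newly registered" window quoted above

def registration_date(rdap):
    """Return the time of the RDAP 'registration' event, or None if absent/unparseable."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event.get("eventDate", "").replace("Z", "+00:00")
            try:
                parsed = datetime.fromisoformat(stamp)
            except ValueError:
                return None
            # Treat a timestamp without an offset as UTC.
            return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None

def verdict(rdap, now, enforce=False):
    """Return 'allow', 'warn' or 'block' for one domain's RDAP record."""
    registered = registration_date(rdap)
    if registered is None:
        return "warn"  # age unknown (redacted or missing event): never silently allow
    if now - registered <= NEW_DOMAIN_WINDOW:
        return "block" if enforce else "warn"
    return "allow"

# Constructed sample records, not real registry data.
NOW = datetime(2019, 8, 30, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "fresh.example": '{"events": [{"eventAction": "registration",'
                     ' "eventDate": "2019-08-29T10:15:00Z"}]}',
    "old.example": '{"events": [{"eventAction": "registration",'
                   ' "eventDate": "2014-03-02T00:00:00Z"}]}',
    "redacted.example": '{"events": [{"eventAction": "last changed",'
                        ' "eventDate": "2019-08-01T00:00:00Z"}]}',
}

def evaluate_samples(enforce=False):
    """Run the policy over the constructed records above."""
    return {name: verdict(json.loads(raw), NOW, enforce)
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate_samples(enforce=True).items():
        print(f"{name}: {result}")
```

Running in warn-only mode first (`enforce=False`) shows how many legitimate new domains your users actually visit before you switch to blocking.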
House Dems Ask FSOC to Regulate AWS, Azure and Google Cloud
Two House Democrats have asked the Financial Stability Oversight Council (FSOC), which is composed of Federal bank regulators, to consider designating the big 3 cloud providers “systemically important” to the banking industry and, as a result, to regulate them directly.
This was directly in response to the Capital One breach, even though that breach was the fault of Capital One’s bad security practices and not a security failure at Amazon.
It is probably obvious but I will point out that given the current political climate, it is unlikely that the administration will do anything that Democratic Party lawmakers suggest. Still, it does point to the possibility that Congress will try to legislate on this if the administration doesn’t do anything about cloud security. Source: Rep. Velazquez.
Cloud Archive for Dentists Hit By Ransomware Attack
DDSSafe, a cloud archive solution for dentists, was hit by a ransomware attack that encrypted the data of hundreds of practices. This follows the FBI/DHS alert that hackers were going after cloud service providers because one attack can generate a massive payday. In this case it is believed the hackers were asking $5,000 per practice and if 500 practices were affected, that would represent a $2 Mil+ payday. Tax free. Source: Krebs on Security.
Google Reveals Websites That Hack iPhones With No Interaction
Google’s Project Zero identifies bugs in a variety of software from every vendor. This week they announced 14 flaws which, when chained together in different ways, created 5 different ways an iPhone user can be totally compromised just by visiting a malicious web site, without clicking on anything. The flaws were shared with Apple in February and Apple fixed them in version 12.1.4 of iOS. Successful attacks allow a bad guy to steal your photos, contacts, location and passwords. The bugs go back to iOS 10 and the web sites have been serving up malware for two years. The nature of the attack was such that rebooting the phone (and not visiting those sites again) would get rid of the malware. Source: Computing.