27 Aug 2019

Week in review

AUSCERT Week in Review for 2nd August 2019

Greetings,

This week we’ve seen a few noteworthy stories in the Information Security world.

Over in the USA, the Capital One banking corporation suffered from a massive data breach, as millions of customers’ data were downloaded from an AWS S3 bucket with inappropriate permissions. In their notification, Capital One were quick to point out that “No bank account numbers or Social Security numbers were compromised, other than […] About 140,000 Social Security numbers […] About 80,000 linked bank account numbers”. Several Information Security pundits were quick to point out the audacity and dishonesty of this statement. AUSCERT recommends, and has always recommended, clarity and honesty when communicating data breaches.

In other news, the Equifax credit reporting firm reached a settlement with the Federal Trade Commission last week, and any victims of the 2017 Equifax data breach can apply for reimbursement for any costs or losses incurred resulting from the breach, including the costs of applying for credit monitoring. Affected people may also make a claim for a cash settlement, which has been set at US$127 per person. Some might say this is small compensation for having your financial information leaked online, and I would agree with them.

Closer to home, the AUSCERT office appears to be experiencing virus attacks of a more traditional nature – more than half of our staff have called in sick over this week. We hope you’re staying healthy by sanitising your inputs (air!), installing the latest (vitamin) updates, and quarantining any infected machines (family members) in an isolated environment!

Here are some of the week’s noteworthy security stories (in no particular order):

Title: Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones
Author: Sergiu Gatlan
Date: July 29, 2019

Excerpt:

“An iMessage vulnerability patched by Apple as part of the 12.4 iOS update
allows potential attackers to read contents of files stored on iOS devices
remotely with no user interaction, as user mobile with no sandbox.”

—-

Title: Capital One Says Breach Hit 100 Million Individuals in U.S.
Author:  Christian Berthelsen, Matt Day, and William Turton
Date: July 30, 2019

Excerpt:

“Capital One Financial Corp. said data from about 100 million people in
the U.S. was illegally accessed after prosecutors accused a Seattle woman
identified by Amazon.com Inc. as one of its former cloud service employees
of breaking into the bank’s server.

While the complaint doesn’t identify the cloud provider that stored the
allegedly stolen data, the charging papers mention information stored in
S3, a reference to Simple Storage Service, Amazon Web Services’ popular
data storage software.”

—-

Title: 200 million devices–some mission-critical–vulnerable to remote takeover
Author: Dan Goodin
Date: July 30, 2019

Excerpt:

“…Researchers with security firm Armis identified 11 vulnerabilities in
various versions of VxWorks, a slimmed-down operating system that runs on
more than 2 billion devices worldwide.

Billed collectively as Urgent 11, the vulnerabilities consist of six remote
code flaws and five less-severe issues… None of the vulnerabilities
affects the most recent version of VxWorks–which was released last
week–or any of the certified versions of the OS, including VxWorks 653
or VxWorks Cert Edition.”

—-

Here are some of this week’s noteworthy security bulletins (in no particular
order):

1. ASB-2019.0226 – [Win][Linux] GitLab: Multiple vulnerabilities

2. ASB-2019.0224 – ALERT [Appliance] VxWorks: Multiple vulnerabilities

3. ESB-2019.2872 – [Win][UNIX/Linux][Ubuntu] Subversion: Denial of service – Remote/unauthenticated

Stay safe, stay patched, and have a good weekend.

Anthony