
The Friday Tech Takeaway - 21.07.17

Ashley Madison to pay $11.2 million to data breach victims: Ashley Madison, an American dating website that helps people cheat on their spouses, has been hacked and has subsequently agreed to an $11.2 million settlement for roughly 37 million users whose personal details were exposed in a massive data breach two years ago. Whether that is enough to cover the resulting divorce settlements remains to be seen… https://goo.gl/Q1Gq58


When governments react: The Chinese government has recently instructed its Internet carriers to block access to personal VPNs by February 2018. As we know, VPNs can be used to hide and tunnel traffic past the view of a local ISP or, in the case of China, past the so-called Great Firewall which allows the government to regulate and censor the Internet so that those within its borders only have access to government-approved content. The use of VPNs has long been seen as a means to bypass those border protections.


Smart home gadget ends violent dispute by calling police: Engadget has reported some rather bizarre IoT news: That a smart home voice-response device was responsible for ending a violent dispute by calling the police. Although the device was first reported to be a Google Home device, that was later corrected. Police in New Mexico reported that a smart home device intervened in a domestic violence incident by calling 911. When Eduardo Barros asked "did you call the sheriffs?" as he threatened his girlfriend with a gun, the device interpreted it as a request to call emergency services. The 911 call responders overheard the altercation and called both negotiators and a SWAT team, who arrested Barros over assault, battery and firearms charges after a stand-off. https://goo.gl/u6C6ne


Disney reveals plans for a 'Star Wars' hotel: One of the big announcements from D23 this weekend (beyond details on Star Wars-inspired theme parks due in 2019) is the news that Disney will open a Star Wars resort in Orlando. The hotel itself will be filled with familiar-looking aliens, while the windows will appear to look out into space. Basically, it sounds like Disney is extending the interactivity you typically find in its theme-park experiences with one of its resort hotels. https://goo.gl/QezbaQ


MySpace: where nearly half a billion past users' personal "zombie data" lives on... A frustrated security researcher at Positive Technologies by the name of Leigh-Anne Galloway finally disclosed a troubling vulnerability after having first responsibly disclosed the issue to MySpace nearly three months ago... in reaction to which MySpace was irresponsibly silent. Leigh-Anne described MySpace as "an enormous graveyard of personal data" and noted that companies have a duty of care to users, both present AND past. Leigh-Anne told Motherboard, who reported on this, that when she discovered the flaw she was "horrified" and "shocked" by "the complete lack of due diligence" on MySpace's part. So what's the problem? Unlike nearly every other password recovery system, which is at least anchored to a user-controlled email address, MySpace offers an account recovery process for people who have ALSO lost access to their email account.

At first glance this doesn't look too bad, since MySpace presents a comprehensive and somewhat intimidating form asking for a great many of an individual's details: http://myspace.desk.com/customer/widget/emails/new?t=150416

The form states that ALL of the following information MUST be provided: the email address associated with the profile, date of birth, zip code listed on the account, name listed, and the city and state of the account owner. But it appears that heuristic logic operating behind the scenes processes the form's data so as to minimize support costs. So it likely has an "if any three or more are valid in the whole form" acceptance threshold.

Consequently, what Leigh-Anne discovered and reported, and MySpace ignored, was that anyone having ONLY a MySpace user's full name, username, and date of birth is able to establish themselves as the new owner of any existing MySpace account.
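A model of that weak recovery logic next to a hardened version, written as an added example (hypothetical logic, not MySpace's code): the form demands every field, but a back-end "accept if any three match" rule, as speculated above, lets a claim built only from public profile data pass, while the hardened check requires every field AND proof of control of a previously verified channel.

```python
"""Model of the recovery weakness described above. Added example with hypothetical
logic (not MySpace's code): the form demands every field, but a back-end rule of
'accept if any three fields match' lets a claim built only from public profile
data (full name, username, date of birth) pass."""
import hmac
import secrets

# Constructed account record (not real data).
ACCOUNT = {
    "email": "owner@example.com", "dob": "1985-03-14", "zip": "90210",
    "name": "Jane Doe", "city_state": "Los Angeles, CA", "username": "janedoe85",
}
FORM_FIELDS = ("email", "dob", "zip", "name", "city_state", "username")
# What a stranger can read off the public profile page.
PUBLIC_CLAIM = {"name": "Jane Doe", "username": "janedoe85", "dob": "1985-03-14"}

def weak_recovery(record: dict, claim: dict, threshold: int = 3) -> bool:
    """Hypothesised back end: count matching fields and accept at >= threshold,
    regardless of which fields they are or whether they are public knowledge."""
    matches = sum(1 for f in FORM_FIELDS if f in claim and claim[f] == record.get(f))
    return matches >= threshold

def issue_code(record: dict) -> str:
    """Send a one-time code to a channel the owner verified earlier (the registered
    mailbox, or a verified phone for the 'lost my email' case) and remember it."""
    record["pending_code"] = secrets.token_hex(4)
    return record["pending_code"]   # in production this is delivered, not returned

def strict_recovery(record: dict, claim: dict) -> bool:
    """Hardened check: every field must match exactly AND the claimant must prove
    control of a verified channel; the code is compared in constant time and
    consumed whether or not the attempt succeeds."""
    if any(claim.get(f) != record.get(f) for f in FORM_FIELDS):
        return False
    expected = record.pop("pending_code", None)
    return bool(expected) and hmac.compare_digest(expected, claim.get("code", ""))

if __name__ == "__main__":
    print("weak, public data only:", weak_recovery(ACCOUNT, PUBLIC_CLAIM))      # True
    print("strict, public data only:", strict_recovery(ACCOUNT, PUBLIC_CLAIM))  # False
```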


Microsoft Office 365 Users Targeted in Brute Force Attacks: Enterprise Office 365 accounts, many belonging to high-level employees at Fortune 2000 companies, were hit with a brute-force attack in one of the earliest operationalized cloud-to-cloud business attacks, according to Skyhigh Networks, which began tracking the campaign early this year.

Skyhigh detected a pattern of organized attacks including more than 100,000 failed Office 365 logins from 67 IP addresses and 12 networks. Attackers tried logging in with different versions of employees' usernames, a sign they may have already possessed names and passwords but needed usernames for spearphishing campaigns or data access. https://goo.gl/syrYUA
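Detection logic for the sign-in pattern described above, as an added example that is not Skyhigh's or Microsoft's code: it runs over a simplified, constructed sign-in log (assumed format "timestamp,source_ip,username,result") and flags source IPs that rack up failed logins while cycling through spellings of the same employee's username.

```python
"""Detect the pattern described above: a few source IPs producing many failed
sign-ins while cycling through spellings of employees' usernames.
Added example, not Skyhigh's or Microsoft's code; assumes a simplified log
of constructed lines "timestamp,source_ip,username,result"."""
import re
from collections import defaultdict

# Constructed sample (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
2017-07-18T02:14:01Z,198.51.100.7,j.smith@example.com,FAIL
2017-07-18T02:14:03Z,198.51.100.7,jsmith@example.com,FAIL
2017-07-18T02:14:05Z,198.51.100.7,john.smith@example.com,FAIL
2017-07-18T02:14:09Z,198.51.100.7,smithj@example.com,FAIL
2017-07-18T02:14:12Z,198.51.100.7,jsmith1@example.com,FAIL
2017-07-18T02:15:00Z,203.0.113.9,a.lee@example.com,FAIL
2017-07-18T02:15:02Z,203.0.113.9,alee@example.com,FAIL
2017-07-18T02:15:04Z,203.0.113.9,amy.lee@example.com,FAIL
2017-07-18T08:00:00Z,192.0.2.44,a.lee@example.com,SUCCESS
2017-07-18T08:05:00Z,192.0.2.45,bob@example.com,FAIL
"""

def username_key(user: str) -> str:
    """Collapse format variants of one identity: drop the domain, punctuation
    and digits, so j.smith, jsmith and jsmith1 all become 'jsmith'."""
    return re.sub(r"[^a-z]", "", user.split("@", 1)[0].lower())

def find_username_guessing(log_text: str, fail_threshold: int = 3) -> dict:
    """Return {ip: {"failed_logins": n, "username_variants": {key: [raw, ...]}}}
    for each IP with >= fail_threshold failures that also tried two or more
    spellings of the same username key."""
    fails = defaultdict(int)
    variants = defaultdict(lambda: defaultdict(set))   # ip -> key -> raw names
    for line in log_text.splitlines():
        _ts, ip, user, result = line.strip().split(",")
        if result != "FAIL":
            continue
        fails[ip] += 1
        variants[ip][username_key(user)].add(user)
    flagged = {}
    for ip, n in fails.items():
        guessed = {k: sorted(v) for k, v in variants[ip].items() if len(v) > 1}
        if n >= fail_threshold and guessed:
            flagged[ip] = {"failed_logins": n, "username_variants": guessed}
    return flagged

if __name__ == "__main__":
    for ip, info in find_username_guessing(SAMPLE_LOG).items():
        print(ip, info["failed_logins"], "failures;", info["username_variants"])
```

A successful sign-in from an IP that was flagged shortly before is the event worth paging on; the function above only isolates the guessing burst.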


Healthcare industry lacks awareness of IoT threat, survey says: According to a survey of more than 200 healthcare IT decision makers, more than 90% of healthcare IT networks have IoT devices connected to their systems. The survey was conducted by ZingBox and released this week.

"Typically you will see 10 to 15 IoT devices per bed in a hospital," says Xu Zou, CEO of ZingBox, defining a healthcare IoT device as anything that is portable and connected to the Internet.

"A lot of IoT medical devices are not protected and secure, so they are easier to gain access to and control," Zou explains. "The attackers can control them and use them as a botnet."

This type of attitude may explain the recent results in a Ponemon Institute study, which found that while 67% of medical device makers expect an attack on their devices within the next 12 months, only 17% are taking significant steps to prevent it. https://goo.gl/Moxnxy


Hackers Steal $32 Million in Ethereum: An unknown hacker has just stolen nearly $32 million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – from Ethereum wallet accounts linked to at least three companies that seem to have been hacked.

This is the third Ethereum heist in recent weeks: it comes two days after an alleged hacker stole $7.4 million worth of Ether from trading platform CoinDash, and two weeks after an unknown attacker hacked into South Korean cryptocurrency exchange Bithumb and stole more than $1 million in Ether and Bitcoins from user accounts. http://thehackernews.com/2017/07/ethereum-cryptocurrency-hacking.html


Vulnerability Found in Cisco Webex: A highly critical vulnerability has been discovered, for the second time this year, in Cisco Systems' WebEx browser extension for Chrome and Firefox; it could allow attackers to remotely execute malicious code on a victim's computer. Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension. To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code through a browser with the affected extension installed. http://thehackernews.com/2017/07/cisco-webex-vulnerability.html


BlackHat 2017 report: Black Hat has released its third annual research report entitled - Portrait of an Imminent Cyber Threat. This report is based on survey responses from nearly 600 Black Hat USA attendees – a community populated by the brightest minds in the Information Security Industry, holding critical security roles across multiple industries including government, financial services, healthcare, energy, telecommunications, and utilities. https://www.blackhat.com/docs/us-17/2017-Black-Hat-Attendee-Survey.pdf


Netgear switches facing the internet with default passwords: A recent search of an exploit database has revealed that it is possible to log in to ProSAFE PoE+ click switches online. Conveniently, Google has done a lot of the work for you, as these switches are facing the web with HTTP port 80 open and no whitelisting. A simple Google search locates these switches (81.94.XXX.XXX/login.cgi). Naturally we take no responsibility should anyone decide to proceed to these devices.

21 July 2017
