Brazil bested by hackers, Virgin plugs hub bugs, and France surrenders… records

Plus, Talos critical of flawed message apps

It was a pretty hectic security week, between the Sharpshooter malware attack, a massive Patch Tuesday, and yet another Facebook privacy fail.

Here's what else broke:

Message apps leave the side door open

Researchers with Cisco Talos are warning that secure messaging apps including Signal, Telegram, and WhatsApp are leaving themselves (and their users) open to attack.

The problem, says researcher Vitor Ventura, is that while the apps themselves are secure, users can be fooled into doing things like not enabling secure settings, or can fall victim to session-stealing malware and other side-channel attacks that don't break the apps themselves, but rather circumvent their protections.

"This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties," Ventura explained.

"These apps, which have countless users, cannot assume that their users are security educated and understand the risk of enabling certain settings on their device."

Good news, Brazilians: Half of you still have a secure tax ID

The other half, however, will want to be keeping a close eye on your tax documents and other personal information after researchers found that a database containing the CPF numbers of some 120 million people had been left exposed to the open internet.

This from researchers with InfoArmor, who say they were unable to notify the owner of the database for several weeks. While the archive was eventually put behind a password wall, InfoArmor warns that anyone from nation states to cybercrime groups may have hacked it.

Emphasis on the may at this point. Data exposure is not the same as data theft, and thus far there is no evidence of the data being sold.

Firefox and Chrome slip out updates

In addition to the massive Microsoft and Adobe Patch Tuesday releases, both Chrome and Firefox pushed out patches as well.

The two self-updating browsers got updates that included, in the case of Chrome, a fix for a high-severity PDF vulnerability and, in Firefox, five high-severity fixes, including use-after-free and buffer overflow vulnerabilities.

As the browsers get these updates on their own, you should already be patched, but you can always update to the latest version to be sure.

Blizzard of Mac malware blows in for Christmas

Researchers with Malwarebytes are sounding the alarm after discovering a fresh batch of Mac malware.

So far, the security firm has spotted two new samples circulating in the wild. One is a malicious Word doc that breaks out of Apple's sandbox to allow macros to download and install additional backdoor code.

The second is a poisoned clone of the Discord chat app that not only installs a backdoor on the infected machine, but also occasionally takes screengrabs and uploads them to a command and control server.

Let this once again be a warning: Macs get malware too. Be smart and never open documents attached to unsolicited or strange emails, and only download your applications from trusted sources.

French fried by database theft

The French ministry of foreign affairs is warning that some 540,000 citizens have had their contact information stolen after one of its databases was copied.

IT security staff sacré bleu it when the hackers were able to get into Ariane, an emergency contact system that allows travelers to let the government know when they were traveling to potentially unsafe nations and who to contact in case of emergency.

While it is never a good look for a government database to get popped, in this case the exposed data was pretty minimal: Email addresses, phone numbers, and names were all that was contained, so the threat of fraud from this incident should be pretty minimal.


If you have a Virgin Media Hub, you will want to do two things: First, update your firmware. Second, check out this interesting deep dive from NCC Group with all of the details on a set of nasty security vulnerabilities in the home box.

The write-up includes all the details on exploiting bugs for remote command execution, back door installation, cross-site-scripting, and even DNS rebinding.

While the researchers said that nearly all of the vulnerabilities (save for the DNS rebinding) have been fixed, Virgin was hardly responsive to their reports.

"Although Virgin Media had other issues with this device, it took 1.5 years to fix the reported issues," writes researcher Balazs Bucsay.

"The proposed roll-out date was postponed many times and finally the new firmware (version was rolled out in end July 2018." ®
