Bug-hunter faces jail for vulnerability reports, DuckDuckPwn (almost), family spied on via Nest gizmo, and more

Your rapid-fire guide to all the other infosec news of the week


Roundup: This was the week we saw GPS grumbles, shady speakers, and Yahoo! Losing! Again!

While all that was happening, a few other bits of news that hit our screens...

DuckDuck D'oh!

Drama in search engine land this week as Google-alternative DuckDuckGo disclosed a potentially nasty flaw in its server-side software.

Bug-hunter Michele Romano took credit for spotting and reporting an information-leaking vulnerability in backend servers that handled some user requests.

The XML External Entity (XXE) vulnerability would have allowed an attacker to feed maliciously crafted XML files, with local file paths embedded in them, to DuckDuckGo's backend servers, causing those systems to cough up internal data. Because the server-side code was not properly examining XML content for things that shouldn't be there (such as entity declarations requesting local system files), miscreants could have downloaded sensitive files and documents from the servers using dodgy XML files.

Fortunately, the flaw has now been patched, and there are no reports of malicious actors targeting it.
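For readers wondering what "properly examining XML content" looks like in practice, here is an added example (not DuckDuckGo's code; nothing about their actual parser is public on this page). It shows two defensive layers a backend written in Python could apply to untrusted XML: a cheap screening check that flags any DTD or entity declaration, which is useful for alerting at a proxy or in request logs, and a parser built on the standard library's expat bindings that aborts the moment it sees a DOCTYPE, an entity declaration, or an external entity reference. The sample documents, the element names and the `file:///PLACEHOLDER/...` path are constructed for the example.

```python
"""Hardened XML intake for untrusted input (added example, not DuckDuckGo's code)."""
import re
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to declare a DTD or an entity."""


# Screening regex: API payloads almost never need a DTD, so its presence is a
# strong signal worth logging or alerting on before the request is even parsed.
_DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def looks_like_xxe(data: bytes) -> bool:
    """True if the document carries a DOCTYPE or ENTITY declaration."""
    return _DECL_RE.search(data) is not None


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into {tag: text}, refusing DTDs and any entity expansion.

    Every hook that could pull in external content raises instead of
    returning, which makes expat stop parsing and propagate the exception.
    """
    parser = expat.ParserCreate()
    # Never parse parameter entities: that is how external DTDs get loaded.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def refuse_entity(*decl):
        raise UnsafeXMLError("entity declaration not allowed")

    def refuse_external(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference refused: {system_id!r}")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external

    # Minimal tree collection: element tag -> concatenated text content.
    result: dict = {}
    stack: list = []

    def start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def end(tag):
        stack.pop()

    def chars(text):
        # Character data may arrive in several chunks; accumulate it.
        if stack:
            result[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(data, True)
    return {tag: text.strip() for tag, text in result.items()}


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document as unsafe."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents (not real traffic).
BENIGN_DOC = b"<req><q>hello world</q></req>"
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE req [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b"<req><q>&xxe;</q></req>"
)
EXTERNAL_DTD_DOC = (
    b'<!DOCTYPE req SYSTEM "http://dtd.example.invalid/PLACEHOLDER.dtd">'
    b"<req><q>hello</q></req>"
)

if __name__ == "__main__":
    print("benign parsed:", parse_untrusted_xml(BENIGN_DOC))
    for label, doc in (("xxe", XXE_DOC), ("external dtd", EXTERNAL_DTD_DOC)):
        print(f"{label}: screened={looks_like_xxe(doc)} rejected={rejects(doc)}")
```

The screening check and the parser are deliberately independent: the regex is cheap enough to run on every request at the edge and feed a detection rule, while the parser is the control that actually stops the file read, so a document that slips past one is still caught by the other.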


Crook builds massive library of stolen credentials

Someone is making the rounds on cybercrime forums offering a massive collection of personal details built by aggregating a bunch of previous data breaches.

The collection of 2.2 billion records is apparently nothing new, just a fat collection of other data dumps, but you have to admire (and be a little scared by) the commitment of the crook to get so many pilfered pieces of information in one place.

Now would be a good time to make sure you aren't re-using any old passwords.

S(o) S(crewed) 7

UK cyber-snoops are warning, via Vice, that criminals are abusing flaws in SS7, the telephone signalling protocol that routes text messages between networks, to steal two-factor login codes sent by banking websites, and then break into online bank accounts.

Apparently, criminals have been abusing the system to re-route messages around phone networks, eventually intercepting the messages. In the UK, this has taken the form of attacks on Metro Bank*, among others.

A criminal gets into the SS7 backbone and intercepts the text messages of the person they are targeting. Using the intercepted 2FA code along with a username and password obtained by other means (such as phishing), they have everything they need to access and drain a bank account.

Chrome and Firefox patched

While they may not get the attention of Microsoft's Patch Tuesday, security fixes for the Chrome and Firefox browsers are something everyone should keep an eye on.

Earlier this week, security fixes were posted for both browsers on Linux, Windows and macOS. Among the vulnerabilities patched were remote code execution flaws, and US-CERT is advising users and admins to make sure the patches are installed and running.

This should be easy enough to do, as both browsers have built-in update mechanisms that will download and install the fixes, so just make sure you have the latest version installed.

Hungarian researcher faces jail time for vulnerability disclosure

No good deed goes unpunished, right?

A researcher in Hungary could be spending as long as eight years in jail simply for discovering and reporting a vulnerability in the network of one of the country's largest telcos.

BleepingComputer reports that the unnamed researcher spotted and reported a vulnerability in the network of Magyar Telekom last April.

Rather than recognize the bug-hunter or pay out a bounty, the telco instead ratted out the white hat to the police. He could now get as many as eight years in jail if convicted on charges of hacking into the company's network and database.

Hopefully cooler heads prevail, and this whole affair gets sorted out without anyone having to spend time behind bars.

Dumb problem in smart home

A smart home aficionado in Illinois, USA, saw his internet of things house meet the internet of trolls this week after hackers got into his home network and began manipulating both surveillance cameras and thermostats.

Telly news station NBC Chicago reports that for more than a week Arjun Sud and his family have been in a panic over strangers who apparently had access to their network of Nest devices, including two smart thermostats and 16 cameras placed around the home.

The hackers undertook such creepy activities as talking to Sud's seven-month-old baby while he was alone in the nursery, cranking the couple's heating system up to 90°F (32°C), and shouting obscenities into the family's living room.

"The moment I realized what was happening, panic and confusion set in, and my blood truthfully ran cold," Sud was quoted as saying.

"We don’t know how long someone was in our Nest account watching us. We don’t know how many private conversations they overheard."

Not exactly a ringing endorsement for smart home devices, is it?

Turbulence ahead for Airbus after mystery data theft disclosure

European plane-builder Airbus is fessing up to a potentially serious hack and data theft. Emphasis on the "potential," because the biz isn't revealing much information of use.

The French air giant says an unspecified "cyber incident" hit its commercial airliner operation, resulting in the loss of some employee data. What is that data? Your guess is as good as ours.

The disclosure was conspicuously short on details, omitting any sort of specifics on how many people were affected, what data was taken, or who might have taken it, but Airbus said the "incident" included unauthorized access to information that included "professional contact and IT identification details" for some of its workers. The number of employees affected is estimated to be somewhere between 1 and 129,000.

"This incident is being thoroughly investigated by Airbus’ experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins," Airbus said.

"Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed."

How forthcoming.

Airbus notes it is working with the "relevant regulatory authorities and the data protection authorities pursuant to the GDPR." We imagine that EU authorities are going to want a slightly more detailed report than "a cyber incident occurred" when they look into the matter.

The aircraft builder also says it is advising its employees to "take all necessary precautions going forward", though that might be hard to do if they have no idea what data was taken, who has it, and where they got it from.

So, to recap, something happened at Airbus. To someone. Resulting in the theft of something. By someone. ®

Updated to add at 1204 UTC:

* Metro Bank got in touch after publication to say: "Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website."

