Millions of personal files exposed by insurance biz, serial web hacker strikes again, and more from infosec land

Your two-minute guide to all the other security news this week


Roundup It's a bumper three-day weekend in the US and UK, so we won't keep you long. Here's a rapid summary of information security news from the past week beyond what El Reg has already covered.

Baltimore ransomware misery deepens: The US city of Baltimore's government websites and online services remain offline, and its computer systems are still knackered, after ransomware scrambled its files two weeks ago. Officials' voicemail and email boxes are down, along with a parking fines database, and a system used by residents to pay water bills, property taxes, and vehicle law citations.

In a further blow, Gmail accounts set up by the mayor, city council members, and mandarins to communicate during the malware-inflicted outage were frozen out by Google's software, which informed them they had to buy business subscriptions to continue. This was triggered by the officials setting up the personal accounts from the same public IP address, it seems. In the end, they were given back the accounts by the online ad giant.

"We have restored access to the Gmail accounts for the Baltimore City officials," a Google spokesperson said on Thursday. "Our automated security systems disabled the accounts due to the bulk creation of multiple consumer Gmail accounts from the same network."

Huawei to the danger zone: Not directly security related, but is kinda due to this all kicking off over fears of backdoors-to-Beijing: Huawei was this week snubbed by the Wi-Fi Alliance, which sets global wireless networking standards.

The industry body said it has "temporarily restricted" Huawei's participation in the group, which includes Apple, Qualcomm, Broadcom, and Intel. Meanwhile, Huawei voluntarily withdrew its membership of JEDEC, which defines semiconductor standards. The Chinese goliath is right now cut off from the pair of standards-setting bodies, as a result of America's crackdown on exports of US tech to the manufacturer.

Hundreds of millions of personal documents exposed online: First American Financial, a US real-estate insurance biz, was caught accidentally leaking customers' highly personal files online.

The corp's website apparently hosts some 885 million insurance-related documents – including details of wire transfers, and property records – going back 16 years, which could be accessed using sequential ID numbers in a URL. Stepping from 000000075 onwards revealed each file one by one, investigative blogger Brian Krebs and real-estate developer Ben Shoval revealed Friday.

Around 1400 Eastern Time (1800 UTC) that day, First American Financial's website was updated to disable the file serving. "We are currently evaluating what effect, if any, this had on the security of customer information," a spokesperson said. "We will have no further comment until our internal review is completed."
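For defenders, the pattern described above (one client stepping through consecutively numbered documents) is visible in access logs. The sketch below is an added example, not code from First American or the researchers; the log format, the `/documents?id=` path, the client addresses and the `min_run` threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (client IP, method, path, status). The
# /documents?id= path is hypothetical, not the real site's URL scheme.
SAMPLE_LOG = """\
203.0.113.7 GET /documents?id=000000075 200
203.0.113.7 GET /documents?id=000000076 200
198.51.100.4 GET /documents?id=000482913 200
203.0.113.7 GET /documents?id=000000077 200
203.0.113.7 GET /documents?id=000000078 200
198.51.100.4 GET /documents?id=000482913 200
203.0.113.7 GET /documents?id=000000079 200
192.0.2.55 GET /documents?id=000913377 200
192.0.2.55 GET /documents?id=000120044 403
"""

LINE_RE = re.compile(r"^(\S+) GET /documents\?id=(\d+) (\d{3})$")

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # n is not the start of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best

def find_enumerators(log_text, min_run=4):
    """Return {client: run_length} for clients that successfully fetched
    at least min_run consecutively numbered documents."""
    fetched = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "200":  # count only documents actually served
            fetched[m.group(1)].add(int(m.group(2)))
    runs = {client: longest_run(ids) for client, ids in fetched.items()}
    return {c: r for c, r in runs.items() if r >= min_run}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Detection of this kind only flags the walk after the fact; the underlying fix is a per-request authorization check on each document, so that guessing an ID is not enough to retrieve it.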

TalkTalk NaughtyNaughty: Account information and bank account details of approximately 4,500 subscribers of calamity British ISP TalkTalk were available through a Google search, BBC Watchdog reported this week. This information made its way onto the web from the 2015 mega-hack of the internet provider, we're told.

Contain thyself, Chrome and Firefox, says Microsoft: Windows 10's software containment tech, used by Microsoft Edge to isolate malicious browser-based code and exploits from the rest of your PC, is now available for Google Chrome and Mozilla Firefox on the Redmond operating system via a new plugin.

Graphic design web biz mega-hacked: The hacker who swiped 620 million account details from 16 websites, and millions more in subsequent server intrusions, and dumped them on the dark web for sale, has struck again. This time the miscreant has hit Australia-based Canva, which offers logo and other online graphic design services, and siphoned off 139 million user records, ZDNet reported Friday.

These records, stolen on Friday, cover usernames, email addresses, real names, city and country information, and individually salted bcrypt-hashed passwords or Google-issued per-app login tokens, where available.

"Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses," a spokesperson told The Register Friday.

"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution. We will continue to communicate with our community as we learn more about the situation."

T-Mobile USA web leak: T-Mob USA this month closed up a vulnerability in its website that leaked customers’ names and account numbers when asked nicely in HTTP requests, after the hole was spotted and reported by developer and hacker Daley Bee.
