VMware warning, OpenBSD gimme-root hole again, telco hit with GDPR fine, Ring camera hijackings, and more

Your quick summary of infosec news beyond everything else we've reported


Roundup Here's your Register security roundup of infosec news about stuff that's unfit for production but fit for print.

Yet another OpenBSD bug advisory

Another week, another OpenBSD patch. You're not having deja vu.

This time, it's CVE-2019-19726, a local elevation of privilege flaw that could let users grant themselves root clearance.

The bug was discovered by researchers at Qualys, and has been patched prior to public disclosure.

"We discovered a Local Privilege Escalation in OpenBSD's dynamic loader (ld.so)," the report reads, "this vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges."

In some good news for OpenBSD, though, Firefox on the free software platform has now gained the same mechanisms already used to restrict Chromium's access to the underlying system, so that a compromised browser has much less to play with.

VMware issues advisory for critical ESXi bug

Admins running VMware ESXi will want to make sure they have updated their software to protect against this OpenSLP remote code execution vulnerability.

The flaw, a heap-overwrite bug in the OpenSLP service, could let an attacker who can reach that service over the network take over the underlying host. Both ESXi and Horizon DaaS should be updated to protect against attacks.

Ring speaks out on camera hacks

Following a series of reports of customers having their Ring cameras attacked by credential stuffing, the Amazon-owned biz has issued a guide to help punters keep their gear safe.

As Ring notes, various frightening camera takeovers, in which hackers compromised the internet-connected gear and yelled at victims through the gadgets in their own homes seemingly for a sick podcast, were not the result of a network or software security breach on its end, but rather customers re-using login details that had been stolen from other sites.

In other words, people were using the same username and passwords for their home Ring kit as profiles on websites that had been hacked, allowing miscreants to get their hands on credentials and log into the Ring boxes over the 'net and cause trouble.

"Customer trust is important to us, and we take the security of our devices and services extremely seriously," Ring says. "As a precaution, we highly encourage all Ring users to follow security best practices to ensure your Ring account stays secure."

These steps include enabling two-factor authentication, picking unique passwords, and adding shared users rather than giving out your password to others.
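Credential stuffing has a recognisable shape in authentication logs, and it is not the shape of a brute-force attack: the miscreant already holds valid username/password pairs leaked from other sites and replays each pair once, so a single source address touches many distinct accounts with a low success rate, and each success is a real takeover. The following is an added example, not code from Ring or from the original article, that runs that heuristic over a few constructed, syslog-style login events (the log format, addresses and account names are all invented for illustration):

```python
"""Spot credential stuffing in authentication logs.

Heuristic: within a sliding time window, one source IP tries many distinct
accounts and most attempts fail (leaked pairs rarely match this site).  The
successes inside such a window are the accounts the attacker actually got
into.  A single account hammered from one IP (classic brute force) does not
match and is deliberately left alone here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real Ring telemetry).
SAMPLE_LOG = """\
2019-12-14T01:00:01Z auth ip=203.0.113.10 user=alice result=fail
2019-12-14T01:00:02Z auth ip=203.0.113.10 user=bob result=fail
2019-12-14T01:00:02Z auth ip=203.0.113.10 user=carol result=success
2019-12-14T01:00:03Z auth ip=203.0.113.10 user=dave result=fail
2019-12-14T01:00:04Z auth ip=203.0.113.10 user=erin result=fail
2019-12-14T01:00:05Z auth ip=203.0.113.10 user=frank result=fail
2019-12-14T01:00:06Z auth ip=203.0.113.10 user=grace result=success
2019-12-14T01:00:07Z auth ip=203.0.113.10 user=heidi result=fail
2019-12-14T01:00:08Z auth ip=203.0.113.10 user=ivan result=fail
2019-12-14T01:00:09Z auth ip=203.0.113.10 user=judy result=fail
2019-12-14T01:05:00Z auth ip=198.51.100.7 user=alice result=fail
2019-12-14T01:05:10Z auth ip=198.51.100.7 user=alice result=fail
2019-12-14T01:05:20Z auth ip=198.51.100.7 user=alice result=success
2019-12-14T02:30:00Z auth ip=192.0.2.55 user=bob result=success
"""

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_ACCOUNTS = 5   # one IP, many accounts: the stuffing signature
MIN_FAILURE_RATIO = 0.5     # most leaked pairs will not work on this site


def parse_log(text):
    """Parse 'TIMESTAMP auth key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _kind, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS,
                    min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: finding} for source IPs whose activity in some window
    spans >= min_accounts distinct users with a failure ratio >= min_fail_ratio.
    The finding keeps the widest matching window and lists accounts that
    were successfully logged into from that IP inside it."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e["user"] for e in window_evs}
            fails = sum(1 for e in window_evs if e["result"] != "success")
            if len(users) < min_accounts or fails / len(window_evs) < min_fail_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(users) > prev["accounts_tried"]:
                findings[ip] = {
                    "accounts_tried": len(users),
                    "attempts": len(window_evs),
                    "failures": fails,
                    "compromised": sorted({e["user"] for e in window_evs
                                           if e["result"] == "success"}),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['accounts_tried']} accounts tried, "
              f"{f['failures']}/{f['attempts']} failed, "
              f"taken over: {', '.join(f['compromised']) or 'none'}")
```

Run on the sample, the script flags only 203.0.113.10 (ten accounts in ten seconds, two of them successfully entered), while the three attempts against alice from 198.51.100.7 are ignored because they hit a single account. In practice the successes list is the actionable output: those are the accounts to lock, force a password reset on, and push towards two-factor authentication.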

NordVPN opens bug bounty program

Following a flood of bad press for its security policies, NordVPN is putting the final touches on its infosec overhaul with the opening of a bug bounty program with HackerOne.

Researchers who uncover and report security flaws in the NordVPN software or network will be eligible to collect payouts ranging from $100 to $5,000.

"NordVPN accepts findings related to its applications, servers, backend services, website, and more," the VPN provider says. "Bug bounty hunters do not need to worry about possible legal action against them as long as they keep their penetration testing ethical."

Coffee company brews up MageCart infection alert

Bad news for customers of gourmet cup of Joe shippers CoffeeAM.

The online store for the caffeine infusion service was host to a MageCart infection that sipped customer payment card details for more than eight months.

Unfortunately, it looks like the script was able to collect full payment card and account information, including card numbers, security codes, expiration dates, passwords, contact details, and shipping address.

Customers who were exposed will be eligible to get credit monitoring and insurance against identity theft. It would also be a good idea to get a new bank card and keep a close eye on your statements for a while.

FBI warning over IoT attacks

The FBI's Portland office has issued an alert to users on the dangers of IoT malware. There was no one incident that triggered the alert, but the Feds are offering some tips and best practices.

"Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure," the FBI warned. "Are private pictures and passwords safely stored on your computer? Don’t be so sure."

The tips range from basic stuff everyone should know, like changing default passwords and picking unique logins, to more advanced things like creating a separate network for your IoT devices and your personal computing gear.

German telco hit with fine for lax login protections

A European cable internet and cellular telco has been fined €9.6m ($10.5m, £8m) for its overly accommodating customer service.

German giant 1&1 Telecommunications was issued the penalty after authorities in Germany found its support agents were not properly verifying the identities of people before accessing their accounts.

This is a major security concern, particularly with the rise in SIM-jacking attacks that rely on lax identity verification policies to take over mobile phone accounts. As such, it was ruled that 1&1 had violated data privacy laws.

Amazon Blink cameras found to have command injection flaws

Hackers with Tenable have found a trio of security holes in Amazon's Blink cameras.

The three flaws range from physical-access vulnerabilities (easily accessible command ports) to man-in-the-middle flaws and network vulnerabilities that would let hackers on the local Wi-Fi send arbitrary commands.

"In short, Tenable Research discovered three-ish vectors of attack that allow a full compromise of the sync module, which could potentially allow attackers to take further action against an end user’s entire account and associated cameras," the firm writes.

Sorry to drone on but... a database of drone flights, including those of police-owned drones, in the US was inadvertently left facing the public internet. The system was removed from view after it was flagged up to its operator, DroneSense, by a security researcher.

US streamers take guilty plea

Two men from the US have pleaded guilty to creating and running separate illegal streaming services.

Darryl "djppimp" Polo, 36, admitted to five counts of copyright infringement and money laundering as the admin of iStreamitall, a TV and movie streaming site. Meanwhile, Luis Villarino, 40, took a guilty plea to one count of conspiracy to commit copyright infringement. He was among the team that created illegal streaming site Jetflicks.

Both are due to be sentenced next March. ®
