Roundup Here's your Register security roundup of infosec news about stuff that's unfit for production but fit for print.
Yet another OpenBSD bug advisory
Another week, another OpenBSD patch. You're not having deja vu.
This time, it's CVE-2019-19726, a local elevation of privilege flaw that could let users grant themselves root clearance.
The bug was discovered by researchers at Qualys, and has been patched prior to public disclosure.
"We discovered a Local Privilege Escalation in OpenBSD's dynamic loader (ld.so)," the report reads, "this vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges."
In some good news for OpenBSD, though, the necessary mechanisms to restrict Firefox's access to the underlying system, in case it gets compromised, have been added, a la Chromium on the free software platform.
VMware issues advisory for critical ESXi bug
Admins running VMware ESXi will want to make sure they have updated their software to protect against this OpenSLP remote code execution vulnerability.
The flaw, caused by a heap overwrite error, would potentially allow an attacker to take over the underlying host. Both ESXi and Horizon DaaS should be updated to protect against attacks.
Ring speaks out on camera hacks
Following a series of reports of customers having their Ring cameras attacked by credential stuffing, the Amazon-owned biz has issued a guide to help punters keep their gear safe.
As Ring notes, various frightening camera takeovers, in which hackers compromised the internet-connected gear and yelled at victims through the gadgets in their own homes seemingly for a sick podcast, were not the result of a network or software security breach on its end, but rather customers re-using login details that had been stolen from other sites.
In other words, people were using the same username and passwords for their home Ring kit as profiles on websites that had been hacked, allowing miscreants to get their hands on credentials and log into the Ring boxes over the 'net and cause trouble.
"Customer trust is important to us, and we take the security of our devices and services extremely seriously," Ring says. "As a precaution, we highly encourage all Ring users to follow security best practices to ensure your Ring account stays secure."
These steps include enabling two-factor authentication, picking unique passwords, and adding shared users rather than giving out your password to others.
NordVPN opens bug bounty program
Following a flood of bad press for its security policies, NordVPN is putting the final touches on its infosec overhaul with the opening of a bug bounty program with HackerOne.
Researchers who uncover and report security flaws in the NordVPN software or network will be eligible to collect payouts ranging from $100 to $5,000.
"NordVPN accepts findings related to its applications, servers, backend services, website, and more," the VPN provider says. "Bug bounty hunters do not need to worry about possible legal action against them as long as they keep their penetration testing ethical."
Coffee company brews up MageCart infection alert
Bad news for customers of gourmet cup of Joe shippers CoffeeAM.
The online store for the caffeine infusion service was host to a MageCart infection that sipped customer payment card details for more than eight months.
Unfortunately, it looks like the script was able to collect full payment card and account information, including card numbers, security codes, expiration dates, passwords, contact details, and shipping address.
Customers who were exposed will be eligible to get credit monitoring and insurance against identity theft. It would also be a good idea to get a new bank card and keep a close eye on your statements for a while.
FBI warning over IoT attacks
The FBI's Portland office has issued an alert to users on the dangers of IoT malware. There was no one incident that triggered the alert, but the Feds are offering some tips and best practices.
"Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure," the FBI warned. "Are private pictures and passwords safely stored on your computer? Don’t be so sure."
The tips range from basic stuff everyone should know, like changing default passwords and picking unique logins, to more advanced things like creating a separate network for your IoT devices and your personal computing gear.
German telco hit with fine for lax login protections
A European cable internet and cellular telco has been fined €9.6m ($10.5m, £8m) for its overly accommodating customer service.
German giant 1&1 Telecommunications was issued the penalty after authorities in Germany found its support agents were not properly verifying the identities of people before accessing their accounts.
This is a major security concern, particularly with the rise in SIM-jacking attacks that rely on lax identity verification policies to take over mobile phone accounts. As such, it was ruled that 1&1 had violated data privacy laws.
Amazon Blink cameras found to have command injection flaws
Hackers with Tenable have found a trio of security holes in Amazon's Blink cameras.
The three flaws range from physical access vulnerabilities (easily accessible command ports) to man-in-the middle flaws and network vulnerabilities that would let hackers on the local Wi-Fi send arbitrary commands.
"In short, Tenable Research discovered three-ish vectors of attack that allow a full compromise of the sync module, which could potentially allow attackers to take further action against an end user’s entire account and associated cameras," the firm writes.
Sorry to drone on but... a database of drone flights, including those of police-owned drones, in the US was inadvertently left facing the public internet. The system was removed from view after it was flagged up to its operator, DroneSense, by a security researcher.
US streamers take guilty plea
Two men from the US have plead guilty to creating and running separate illegal streaming services.
Darryl "djppimp" Polo, 36, admitted to five counts of copyright infringement and money laundering as the admin of iStreamitall, a TV and movie streaming site. Meanwhile, Luis Villarino, 40, took a guilty plea to one count of conspiracy to commit copyright infringement. He was among the team that created illegal streaming site Jetflicks.
Both are due to be sentenced next March. ®