Teenagers today. Can't take them anywhere, eh? 18-year-old kid accused of $50m SIM-swap cryptocurrency heist

Also, Cisco, Citrix emit patches, US army advises using Signal

Roundup Here comes a summary of this week's computer security news beyond what we've already covered.

Montreal youth blamed for massive phone-swapping scheme

An 18-year-old man from Canada has been accused of stealing more than $50m in cryptocurrency using SIM-swapping attacks.

SIM swapping typically involves crooks tricking cellular network support staff to transfer victims' smartphone numbers to the criminals' own SIMs, and then using those numbers to reset passwords, or get two-factor authentication tokens, via text messages, and ultimately access and drain cryptocoin accounts.

Prosecutors in Montreal believe Samy Bensaci specifically targeted the cell numbers of people he knew were attending a conference on cryptocurrencies, and thus were more likely to have significant amounts of cash invested.

He was charged, released on bail, and ordered to stay with his parents.

Cisco has busy patch week

Admins using Cisco gear in their networks will want to head over to Switchzilla's security portal and check for applicable updates among the latest batch of 28 patches.

Among the most serious are a critical fix for Firepower Management Center and high-priority patches in WebEx Meetings and IOS XR.

GE medical monitors found to have security flaws

Any time the US Department of Homeland Security gets involved with a bug disclosure, you should pay attention.

This time, the DHS is warning medical providers to immediately patch a series of vulnerabilities in General Electric's Carescape, ApexPro, and Clinical Information Center devices.

The bugs are exploitable over a network connection, so an attacker would need to be on the same local network as the devices, or the devices would have to be attached to a network that is reachable remotely. Hopefully, any network that these units are linked to is well-secured to begin with.

Either way, it would be wise to test and install the patches from GE as soon as possible.

US soldiers told to use encryption apps on deployment

American troops in the Middle East have been told to use officially-sanctioned encrypted text apps while in the field.

The Military Times says members of the 82nd Airborne Task Force Devil have been advised to lock down their text messages in order to prevent eavesdropping from the enemy.

Soldiers are being told to make use of either Signal or Wickr when sending messages over their government-issued handsets. These apps will be used in addition to VPNs for the data connections.

While the apps will provide a layer of security for the messages, the Times notes that they raise concerns over record keeping and transparency, as the apps could allow for communications to automatically be deleted.

Exploits arise for Microsoft RDP flaws

If you haven't yet got around to installing Microsoft's January patch release, now would be a good time to do so. Researchers have posted proof-of-concept exploits for two of the more serious flaws addressed in the release: CVE-2020-0609 and CVE-2020-0610.

Those bugs are in Windows Remote Desktop Gateway (RD Gateway), the Windows Server component that brokers RDP connections for remote users, and would potentially allow an unauthenticated attacker to completely take over a targeted system by sending it malicious network packets. As these are rated critical, getting the patches tested and installed should be a top priority.
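For admins who want a quick read on their own exposure, here is an added check (not from the original article or from Microsoft) to run in an elevated PowerShell on a Windows Server host. It confirms whether the RD Gateway role is installed, whether a given January 2020 update is present, and whether the gateway's UDP transport, which is the path these flaws are reached over, is listening. The `$PatchKb` parameter is an assumption: you must supply the KB number of the January 2020 cumulative update for your particular Windows Server build, as no KB id is hard-coded here.

```powershell
# Added example, not code from the original article or from Microsoft.
# Exposure check for the RD Gateway fixes for CVE-2020-0609 / CVE-2020-0610.
# Run in an elevated PowerShell session on the Windows Server host in question.
param(
    # ASSUMED parameter: the KB id of the January 2020 cumulative update for
    # this server's build, taken from the MSRC advisory for the two CVEs.
    [Parameter(Mandatory = $true)]
    [string]$PatchKb
)

# 1. Is the RD Gateway role service present at all? No role, no exposure.
$gateway = Get-WindowsFeature -Name RDS-Gateway
if (-not $gateway.Installed) {
    Write-Output 'RD Gateway role not installed: host is not affected by these CVEs.'
    return
}

# 2. Is the fix installed? Get-HotFix lists installed Windows updates by KB id.
$fixed = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($fixed) {
    Write-Output "Update $PatchKb installed on $($fixed.InstalledOn): gateway patched."
} else {
    Write-Warning "Update $PatchKb NOT found: RD Gateway is unpatched against CVE-2020-0609/0610."
}

# 3. Attack surface: the flaws are reached over the gateway's UDP transport,
#    which listens on UDP/3391 by default. An open listener on an unpatched host
#    means the pre-auth attack surface is live; until the update is on, block
#    UDP/3391 at the perimeter or disable UDP transport in RD Gateway Manager.
$udp = Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue
if ($udp) {
    $owner = $udp.OwningProcess | Select-Object -First 1
    Write-Output ('UDP transport listening on 3391 (owning PID {0}).' -f $owner)
} else {
    Write-Output 'No UDP/3391 listener: UDP transport appears to be disabled.'
}
```

Save as, say, `Check-RdGateway.ps1` and invoke it with `.\Check-RdGateway.ps1 -PatchKb KB<your build's January 2020 update>`. The script only reads state; the patching and the UDP transport change remain manual steps.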

Uncle Sam gets poor review on data protection

The US federal government continues to struggle with its efforts to overhaul its IT security practices and policies. The State Department is the latest agency to get a bad grade on its cybersecurity audit.

Among the issues raised by the Office of the Inspector General were the department's failure to hire two key security positions, a lack of lifecycle planning, and problems with financial reporting and identity management.

German car renter drops the details of three million people

Bad news out of Germany: one of the nation's top car rental companies has suffered a massive data leak that includes payment and bank details on millions of people.

Heise reports that a whopping 10TB of data from rental biz Buchbinder were left sitting in an exposed database for several weeks.

Among the details included in the database were customer phone numbers, addresses, accident reports, emails, employee information, and in some cases payment information and bank details (but not credit card information, thankfully).

While most of the exposed records were from Germany, there were also some details on customers in Austria, Italy, Slovakia, and Hungary.

Citrix extends patching effort for critical vulnerability

It's the bug that just wouldn't go away.

Days after issuing the first patches for the critical vulnerability in ADC and Gateway, Citrix has rolled out a second batch of updates for even more of its networking hardware.

This latest release extends the update to cover ADC and Citrix Gateway firmware versions 12.1 and 13.0, which were not addressed in the fixes posted earlier this week.

As the flaw is both being scanned for and exploited in the wild, admins will want to get the patches in place ASAP.

Intercept cofounder faces charges

Glenn Greenwald, one of the first journalists to report Edward Snowden's revelations, faces criminal charges in Brazil on allegations of assisting criminal hackers. The Intercept, which Greenwald cofounded and edits, claims he is being unfairly targeted for reporting corruption in the ranks of the Brazilian government.

"The Bolsonaro government has repeatedly made it clear that it does not believe in basic press freedoms," the publication claimed on Tuesday. "Today’s announcement that a criminal complaint has been filed against Intercept co-founding editor Glenn Greenwald is the latest example of journalists facing serious threats in Brazil." ®
