Canadian shipping company Canpar gets an unwanted delivery – ransomware
Meanwhile, Gmail finally deals with a 'confused mailman' problem
In brief It has not been a good week for major Canadian shipping company Canpar Express.
The Canuck parcel-mover's website fell offline for days as it tackled a ransomware outbreak on its internal systems. We are also told by readers who reside in America's Hat that deliveries have been negatively affected – things like package tracking and scheduling pickups are not possible right now, for instance.
Here's what Canpar Express had to say on the matter: "On 19th Aug 2020 Canpar Express was the target of a ransomware attack that impacted some of our systems. We continue to meet most customer shipping needs and we are not aware of any misuse of client information."
At time of publication, the site was still down with the message: "Canpar Express takes our obligation to protect customer information seriously. Upon learning of the incident, we immediately began an investigation and engaged cybersecurity experts to assist in the process. We have taken steps to contain and remediate the issue and are taking all necessary steps to help prevent a similar occurrences in the future."
Google rushes to patch 'confused mailman' bug in Gmail
It took a public disclosure, but Google has got itself in gear and patched a potentially serious Gmail fraud bug.
Security bug-finder and student at University of California, Berkeley Allison Husain gets credit for finding and reporting what is described as a "confused mailman" attack in which a miscreant could send email as another G Suite customer, and thus potentially trick people into thinking malicious messages are legit, thanks to errors in Gmail's routing rules.
"These rules allowed me to, among other things, apply custom headers, modify the subject line, or change the who the email should be sent to before it is processed by the rest of Google’s infrastructure," said Husain.
When Google stalled fixing the issue, Husain opted to go live with an advisory last week, a move that gave Googlers motivation to address the security hole and deploy a fix within hours. There's also no animosity on either side, as Husain has "absolutely no ill-will against Google’s security team because they have been kind throughout the entire reporting process," we're told.
Yep, there's more Cisco bugs to patch
Switchzilla has dropped a fresh crop of security updates.
This time the critical patch is for default credentials left in the Cisco ENCS 5400-W Series and CSP 5000-W Series virtual network boxes, and a high-rated fix for a privilege escalation bug in Smart Software Manager On-Prem.
There are also updates for less-severe flaws in DNA Center, Data Center Network Manager, and an "access control" flaw Cisco Vision Dynamic Signage Director, which sounds like it would have been a fun one to exploit.
Admins are, of course, advised to test and install the updates as soon as possible, particularly the default credential flaws. ®