INFORMATION SECURITY NEWS
For The Week of 4/18-5/2 2017
CURRENT NEWS
Every Intel platform made since 2008 has a vulnerability in the Management Engine (the separate processor used to manage computers remotely). While Intel isn’t giving out details about what the vulnerability is, it released firmware updates in April for all the affected platforms. Because the Management Engine operates outside the reach of the host operating system’s controls, this vulnerability potentially allows remote access to your entire machine. Make sure to update your firmware!
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
http://mjg59.dreamwidth.org/48429.html
A group (or individual) going by the name TheDarkOverlord was able to steal a bunch of movies and TV shows from a Hollywood post-production studio. After trying unsuccessfully to extort the studio into paying them not to release the media, they set their sights on Netflix. After Netflix refused to pay, they released the first episode of the new season of Netflix Original show “Orange is the New Black”, and later released the entire season. They have tweeted that they may go after other companies whose media they have stolen.
By allowing rsync to stream data without requiring a password, online store FuturePets.com effectively exposed its customer database for months. The database consisted of 110K+ records containing credit card numbers, names, email addresses, and more. The company says that it has “solicited a security firm to investigate the issue and plug any hole should one exist”.
http://www.zdnet.com/article/database-of-thousands-of-credit-cards-exposed-on-open-internet/
http://www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2016/
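As an added illustration of the rsync misconfiguration described above (this is not configuration from the article or from FuturePets; the module name, path, user name and address are constructed), here is an rsync daemon module that anyone on the internet can pull from, followed by the same module restricted to an authenticated client from a single address:

```ini
# /etc/rsyncd.conf -- constructed example, not from the page

# WEAK: no "auth users", so any client that can reach port 873 can list
# and download everything under the path; "read only" does not help here.
[customers-open]
    path = /srv/export/customers
    read only = yes

# HARDENED: the module is hidden from "rsync host::" listings, requires a
# daemon user and password from the secrets file, and only answers one
# backup host. Everything else is refused by "hosts deny = *".
[customers]
    path = /srv/export/customers
    read only = yes
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.10
    hosts deny = *
    use chroot = yes
    uid = nobody
    gid = nogroup

# /etc/rsyncd.secrets (mode 0600, owned by root), one "user:password" per line:
# backup:REPLACE-WITH-A-LONG-RANDOM-SECRET
```

Two caveats a practitioner would add: the rsync daemon’s own password check authenticates the client but does not encrypt the transfer, so a module holding card data should be reached over SSH (`rsync -e ssh`) or a VPN rather than an internet-exposed port 873; and the configuration should be verified from outside the network with `rsync rsync://HOST/` to confirm that no module is still listed or readable anonymously.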
By impersonating Taiwanese firm Quanta Computer, a company that has Facebook and Google as clients, a Lithuanian man was able to trick Facebook and Google into paying fraudulent invoices. Between them, the two companies paid more than 100 million dollars. While both companies were able to recover their funds, and the man responsible was arrested, it’s crazy to see tech giants falling victim to these attacks.
https://www.theguardian.com/technology/2017/apr/28/facebook-google-conned-100m-phishing-scheme
The NSA has stopped the practice of collecting emails and texts exchanged with people overseas that merely mention a surveillance target but are neither to nor from that target.
https://mobile.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html
Turkey’s government has blocked Wikipedia, accusing it of running a smear campaign against Turkey. This ban comes with some other Turkish decisions, including the firing of around 4000 civil servants, and the banning of dating TV shows.
http://www.reuters.com/article/us-turkey-security-internet-wikipedia-idUSKBN17V06Q?il=0
Connecticut police are using Fitbit data to contradict the alibi of a man suspected of murdering his wife. The suspect, Richard Dabate, says that a masked man entered his home, subdued him, and shot his wife with a gun Dabate owned. According to his wife’s Fitbit, however, she was walking around for more than an hour after the time he claims the murder took place.
https://www.theguardian.com/technology/2017/apr/25/fitbit-data-murder-suspect-richard-dabate
A new security system uses RF to detect movement in houses. The system is able to see through walls and detect objects. According to the manufacturers, it can tell the difference between a dog and a person, so it can’t be easily fooled. Because it only detects motion and has no camera, the fact that it can see through walls isn’t really invasive of privacy.
http://www.cbc.ca/news/technology/aura-cognitive-systems-home-security-wireless-spectrum-1.4086660
ADDITIONAL READING
Read about some examples of bad security practices in the wild, including a company that asked Mozilla to remove a warning that its webpage was insecure, passwords being sent around in plaintext, online stores with no security, and some more ridiculous examples of bad security.
https://www.troyhunt.com/reckon-youve-seen-some-stupid-security-things-here-hold-my-beer/
https://www.lawfareblog.com/who-publishing-nsa-and-cia-secrets-and-why