Massive 143 Million Equifax Record Breach, Smiths Medical Drug Pumps Vulnerable to Fatal Hack, Bluetooth Zero Day and more!


Infosec News

Sep 12, 2017, 1:50:46 PM
to Infosec News

INFORMATION SECURITY NEWS

For The Week of 9/5-9/12 2017


The Information Security News Service is a project of LARS (Laboratory for Advanced Research in Systems) in the CS Department at the University of Minnesota Duluth. We send out top stories in information security every Tuesday (except during some academic breaks). If you have stories you’d like to see featured, please email them to infosec...@d.umn.edu.

CURRENT NEWS


Massive Equifax Breach - 143 Million Americans’ Data Stolen

In a massive data breach, 143 million records belonging to Americans were stolen from credit reporting agency Equifax. The data included social security numbers, dates of birth and addresses. In addition, about 200,000 credit card numbers were stolen. An undisclosed number of Canadian and UK customer records were compromised as well. This breach affects almost half of Americans -- if you have a credit report, there is a good chance your data was taken. Equifax has set up a website for people to check if their data was hacked here: https://www.equifaxsecurity2017.com/. Equifax is also offering free credit monitoring for a year to everybody, regardless of whether their data was compromised. You have to sign up for the credit monitoring before November 11. There was some discussion about whether or not enrolling waives your rights to legal action against Equifax (if you’re into that sort of thing), but it looks like it doesn’t.

FTC on the breach: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do

http://abcnews.go.com/Technology/wireStory/speed-equifax-data-breach-scandal-49771561

Bruce Schneier on the breach: http://www.cnn.com/2017/09/11/opinions/dont-complain-to-equifax-demand-government-act-opinion-schneier/index.html

Equifax’s PR response was pretty lackluster: http://money.cnn.com/2017/09/12/news/companies/equifax-pr-response/index.html


Drug Infusion Pump Vulnerable to Fatal Hack

The Medfusion 4000 Wireless Syringe Infusion Pump, manufactured by Minnesota-based Smiths Medical, has eight distinct security vulnerabilities. Among them are hard-coded usernames and passwords in the default configuration, a buffer overflow bug that can lead to remote code execution, lack of authentication when FTP is allowed, hard-coded FTP credentials, and lack of proper certificate authentication. These vulnerabilities would allow an attacker to deliver a fatal dose of medicine to a patient. Smiths Medical plans to release new firmware in January 2018 to address the issues. In the meantime, organizations are encouraged to change default passwords and assign static IPs to the pumps.


http://thehackernews.com/2017/09/hacking-infusion-pumps.html?m=1


Blueborne (Bluetooth Zero Day Attack Vector)

Armis Labs unveiled a collection of Bluetooth-related zero-day vulnerabilities that they say may affect a majority of Bluetooth devices. The vulnerabilities they have listed are as follows:

  1. Linux kernel RCE vulnerability - CVE-2017-1000251

  2. Linux Bluetooth stack (BlueZ) information leak vulnerability - CVE-2017-1000250

  3. Android information leak vulnerability - CVE-2017-0785

  4. Android RCE vulnerability #1 - CVE-2017-0781

  5. Android RCE vulnerability #2 - CVE-2017-0782

  6. The Bluetooth Pineapple in Android - Logical Flaw - CVE-2017-0783

  7. The Bluetooth Pineapple in Windows - Logical Flaw - CVE-2017-8628

  8. Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315

The attack vectors themselves leverage anything that potentially uses Bluetooth to gain remote code execution (RCE) as well as to execute man-in-the-middle attacks on victims. In the technical document they go into further detail regarding the exploitation of these 8 vulnerabilities, describing their impact as well as applications. Armis Labs is continuing to do research into Bluetooth vulnerabilities, as they believe there are many other zero-days left to be discovered.


The technical paper may be found here: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

The Armis Labs site containing their announcement can be found here:

https://www.armis.com/blueborne/



Canadian Bank Had Expired HTTPS Certificates for Five Months

Scotiabank, a Nova Scotia bank, has had expired HTTPS certificates for the last five months. The bank was alerted that the certificates were expired, but chose to do nothing. If you visit their website now, the certificates aren’t valid at all: they are using certificates assigned to their CDN’s domains instead of their own. Beyond the obvious dangers of expired HTTPS certificates, this trains users to ignore security warnings, which weakens the effectiveness of HTTPS as a whole.

http://www.theregister.co.uk/2017/09/08/scotiabank_security_whiz_kids_screw_up_security_certs/

