Mailing bombs, a Gmail glitch for phishing attacks, Stopping the Infiltration of Things, the Make-A-Wish website serving a cryptojacking script, Instagram exposing user passwords, and DirtyCOW back in a backdoor attack targeting Drupal web servers! Jason Wood from Paladin Security joins us for expert commentary to discuss how Ford is eyeing the use of customers' personal data to boost profits!
Security News

Support wouldn't change his password, so he mailed them a bomb

The bomb sat in one of their offices for 5 months without being opened! Not the way to handle your frustrations, obviously:

When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb (or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package), the only thing the company could think of was that it had declined his request for a password change. In August 2017, Salonen, a customer of Cryptopay, emailed their customer services team to ask for a new password. They refused, given that it was against the company's privacy policy.

Gmail Glitch Offers Stealthy Trick for Phishing Attacks

Get out of my sent folder:

The Gmail issue, discovered and outlined by software developer Tim Cotten this week, stems from the way that Gmail organizes its folders. It files an email into the Sent folder based on the address in the "from" field. So, if an attacker sends an email to a target which has been specially crafted to also have that target's email address in the "from" field, the mail will automatically go to the person's inbox and Sent folder at the same time. This gives the false impression to the unwitting user that it was an email they themselves sent, said Cotten.

Stopping the Infiltration of Things

The article says the same thing all of the IoT security articles state: legislation, overcoming weak/default/backdoor passwords, and addressing vulnerabilities. What really needs to change is the architecture and design of every IoT device on the market. This will take time, but it is the only way to make progress on IoT security.

New security feature to prevent Amazon S3 bucket misconfiguration and data leaks | Help Net Security

S3 buckets are not public by default, and Amazon has made it easier to identify public S3 buckets. But that's not enough.
Check out this new feature:

This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren't inadvertently granted public access. They allow account users to protect against future attempts to use ACLs to make buckets or objects public, to override current or future public access settings for current and future objects in the bucket, to disallow the use of new public bucket policies, and to limit access to publicly accessible buckets to the bucket owner and to AWS services.

Make-A-Wish website compromised to serve cryptojacking script | Help Net Security

Thanks to a Drupal remote code execution bug, website visitors are turned into cryptomining machines:

The cryptojacking CoinIMP script (check.js) injected into the website was being loaded from the drupalupdates.tk domain, which has been associated with a known campaign that has been exploiting a critical Drupal vulnerability (CVE-2018-7600, aka Drupalgeddon 2) to compromise websites since May 2018.

Popular AMP Plugin for WordPress Patches Critical Flaw: Update Now

A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website. ... The affected plugin was recently removed temporarily from the WordPress plugins library due to vulnerable code, but neither its developer nor the WordPress team revealed the exact issue in the plugin.

Instagram flaw exposes user passwords | SC Media

A security flaw in Instagram's recently released "Download Your Data" tool could have exposed some user passwords, the company reportedly told users. The tool, revealed by Instagram right before the GDPR regulation went into effect, is designed to let users see and download the personal data that the social media platform had collected on them.
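Back to the Gmail item for a moment: the folder logic is Google's to fix, but the defender-side check that matters is whether a message claiming to be "from you" was actually authenticated for your domain. The Python below is an added example (not from Cotten's write-up or the article) that parses the Authentication-Results header a receiving server stamps on mail and flags messages whose From: is the mailbox owner's own address but whose SPF/DKIM pass, if any, is not aligned with that domain. The two sample messages, the victim@example.com owner and the mx.example.com stamps are constructed; the header is read with a simplified regex rather than a full RFC 8601 parser.

```python
"""Flag mail whose From: claims to be the mailbox owner but was not authenticated
for the owner's domain.

Added example, not from Cotten's write-up or the article.  The two messages and
the mx.example.com Authentication-Results stamps are constructed; the header is
read with a simplified regex rather than a full RFC 8601 parser, and in a real
mail pipeline you would rely on the MTA's DMARC verdict instead.
"""
import email
import re
from email.utils import parseaddr

MAILBOX_OWNER = "victim@example.com"   # constructed

# Constructed sample 1: self-spoofed phish.  SPF *passed*, but for the attacker's
# own envelope domain, so it says nothing about the From: domain.
SPOOFED = """\
Return-Path: <bounce@attacker.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.example; dkim=none
From: victim@example.com
To: victim@example.com
Subject: Your password reset

Click here to confirm.
"""

# Constructed sample 2: genuine note-to-self, authenticated for example.com.
LEGIT = """\
Return-Path: <victim@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: victim@example.com
To: victim@example.com
Subject: reminder

buy milk
"""


def aligned_pass(msg, from_domain):
    """True if SPF or DKIM passed AND the authenticated domain equals the From:
    domain, which is the alignment rule DMARC applies."""
    header = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)", header)
    dkim = re.search(r"dkim=pass\s+header\.d=([^\s;]+)", header)
    return any(m and m.group(1).lower() == from_domain for m in (spf, dkim))


def classify(raw, owner=MAILBOX_OWNER):
    """Return 'not-self', 'self-authenticated' or 'self-spoofed' for one raw message."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr != owner.lower():
        return "not-self"               # ordinary external mail, out of scope here
    from_domain = from_addr.rsplit("@", 1)[-1]
    if aligned_pass(msg, from_domain):
        return "self-authenticated"
    # Self-addressed but unauthenticated: exactly the shape that lands in Sent
    return "self-spoofed"


def naive_classify(raw, owner=MAILBOX_OWNER):
    """What a check that only looks for the string 'spf=pass' would say (for contrast)."""
    msg = email.message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != owner.lower():
        return "not-self"
    return "self-authenticated" if "spf=pass" in msg.get("Authentication-Results", "") else "self-spoofed"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, "aligned:", classify(raw), "| naive:", naive_classify(raw))
```

The contrast between the two classifiers is the point: the spoofed sample carries a genuine spf=pass for attacker.example, so anything that just greps for "pass" accepts it, while the alignment check notices that no authenticated domain matches example.com.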
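And on the S3 feature: the four capabilities the quote lists correspond to the four keys of the PublicAccessBlockConfiguration, BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets. The Python below is an added example, not AWS's code or the article's, that models how each guard changes what a public ACL grant and a public bucket policy expose, and prints the aws s3api call that turns all four on. The ACL, policy and settings are constructed, and the "is this policy public" test is a deliberate simplification of S3's real evaluation.

```python
"""Model how S3 Block Public Access settings interact with a bucket ACL and policy.

Added example, not code from AWS or the article.  The ACL, policy and settings
below are constructed, and the "is this policy public" test is a deliberate
simplification of S3's real evaluation (which also weighs conditions, specific
principals and more).  It is here to show which of the four guards neutralises
which exposure path.
"""
import json

SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# S3 ACL group URIs that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers)
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed: owner has full control, and a legacy grant lets everyone read
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}

# Constructed: a bucket policy that lets any principal fetch objects
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def acl_has_public_grant(acl):
    """True if any grant targets one of the global groups."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            return True
    return False


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_has_public_statement(policy_json):
    """Simplified: an unconditional Allow to principal '*' counts as public."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(
        s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal")) and "Condition" not in s
        for s in statements
    )


def evaluate(block, acl, policy_json):
    """Report what anonymous callers can still reach under a block configuration.

    IgnorePublicAcls and RestrictPublicBuckets neutralise *existing* public grants;
    BlockPublicAcls and BlockPublicPolicy reject *new* public grants at write time.
    """
    acl_public = acl_has_public_grant(acl)
    policy_public = policy_has_public_statement(policy_json)
    report = {
        "acl_exposes": acl_public and not block.get("IgnorePublicAcls", False),
        "policy_exposes": policy_public and not block.get("RestrictPublicBuckets", False),
        "new_public_acl_rejected": block.get("BlockPublicAcls", False),
        "new_public_policy_rejected": block.get("BlockPublicPolicy", False),
    }
    report["publicly_readable"] = report["acl_exposes"] or report["policy_exposes"]
    return report


def recommended_cli(bucket):
    """The aws s3api call that turns on all four guards for one bucket."""
    cfg = ",".join(f"{k}=true" for k in SETTINGS)
    return f"aws s3api put-public-access-block --bucket {bucket} --public-access-block-configuration {cfg}"


NO_GUARDS = {k: False for k in SETTINGS}
ALL_GUARDS = {k: True for k in SETTINGS}

if __name__ == "__main__":
    for name, block in (("no guards", NO_GUARDS), ("ACLs ignored only", {"IgnorePublicAcls": True}),
                        ("all guards", ALL_GUARDS)):
        print(name, evaluate(block, SAMPLE_ACL, SAMPLE_POLICY))
    print(recommended_cli("example-bucket"))
```

The middle case is the one to notice: turning on IgnorePublicAcls alone silences the legacy ACL grant but leaves the public bucket policy in force, which is why the feature ships as four settings and why the sensible default is all four on, at the account level as well as per bucket.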
DirtyCOW is back in backdoor attack targeting Drupal Web Servers | SC Media

Imperva researcher Nadav Avital spotted the attack on Oct. 31 exploiting the Drupalgeddon2 and DirtyCOW bugs, as well as system misconfigurations, to persistently infect vulnerable Drupal web servers and take over user machines. ... "The attacker downloads three different implementations of DirtyCOW and runs them one after the other," Avital said. "One of the implementations is downloaded in its raw format (C source code file) and is compiled at runtime." Once the attacker switches to the root user and gains permission to install new services, they install and configure SSH, add their key to the list of authorized keys used by the service and, as long as the machine is running, have the ability to remotely transmit any command as the user root.

Every day is Black Friday

Funny:

There are no precautions you should take on Black Friday and Cyber Monday that you shouldn't also be taking on Shrove Tuesday, dress down Friday, any given Sunday, National Cookie Day, March Madness, Black History Month, the second fiscal quarter, the lunar phase cycle or at any other time.

Recommendations, both from me and the article, are to use a password manager, an ad blocking plugin, and a DNS service that blocks malicious activity.

Expert Commentary: Ford Eyes Use of Customers' Personal Data to Boost Profits
This article posted on Threatpost startled me a bit. I think most listeners of the Security Weekly podcasts are used to the idea of tech companies that collect and monetize data. However, the idea of buying a car and then having the data I provide to the dealer to buy the vehicle being monetized was unexpected. And that’s what Ford Motor Company’s CEO Jim Hackett is talking about now.
In an interview on the Freakonomics podcast Hackett stated, “We have 100 million people in vehicles today that are sitting in Ford blue-oval vehicles. The issue in the vehicle, see, is: We already know and have data on our customers. By the way, we protect this securely; they trust us. We know what people make. How do we know that? It’s because they borrow money from us. And w