Cyber Round-up

Cyber Round-up for 2nd August

August 1, 2019

Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

While publishing this week’s edition we realised that, amazingly, it has been a year since we first released the Cyber Round-up. Its format has evolved since the early editions, and hopefully, like us, you feel that it continues to improve.

Happy reading!

In this week’s round-up:

Security News

Hacker Arrested After Capital One Data Breach

Major credit card issuer, Capital One, has suffered a massive data breach compromising the personal data of about 106 million US and Canadian users; the company revealed that the stolen data included names, addresses and phone numbers of its customers. It was reported that the breach was possible because of a configuration vulnerability in the company’s infrastructure, which was discovered on 19th July. Following the hack, the attacker was found boasting about the breach on social media and has since been arrested; this is believed to be one of the biggest data breaches in banking history.


$1.7 Million Stolen From North Carolina County

A North Carolina county was recently hit by a business email compromise scam, which resulted in the theft of $1.7 million. The email appeared to be from Virginia-based Branch and Associates; it claimed to have changed their bank details and requested that payments be sent to the new account instead. The scam resulted in a total of $2,504,601 on 21 December 2018. The Bank of America was able to recover some of the stolen funds, but $1.7 million remains missing. The money stolen was supposed to be used to build a new high school in the county, but this project has since been halted.


3.5 Billion Credential Stuffing Attacks Attempted in the Last 18 Months

Credential stuffing is becoming a bigger threat every day and is maybe even more popular than phishing attempts. Credential stuffing involves using stolen or leaked usernames and passwords from previous breaches to brute-force a user’s account. In the last 18 months, content delivery network Akamai Technologies has detected around 3.5 billion credential stuffing attempts, half of which targeted financial services. Despite the recent increase in security, financial institutions can’t detect every attack thrown at them; since they are such a big target for criminals, detecting attacks is crucial.


Unsecured Database Exposes Security Risks in Honda's Network

A wealth of information has been disclosed by a publicly accessible database belonging to the automotive powerhouse Honda. Their recent delight at Formula 1 wins and podium finishes will have been dashed by the news that 134 million documents containing 40GB of data had been left exposed to the internet. The data contained details of their IT assets as well as employee information. Unfortunately, the bad news didn’t stop there: alongside the assets was in-depth information on the company’s security software and patching levels, which is a treasure trove for attackers. Honda worked immediately to secure their systems and thanked the researcher for their efforts and for reporting the vulnerability.



FaceApp Requests Access to Facebook Friends Lists

The viral photo-morphing app, FaceApp, has been collecting users’ Facebook friend list data, despite having no need for it. Researchers have spent a lot of time trying to discover why the app would need this kind of data but were unsuccessful. When asked, the FaceApp developers responded saying the data was collected for a social media voting feature that was discontinued; however, this does not explain why the data is still being collected. Since the app is unnecessarily asking for permissions, we advise avoiding downloading it.


Total Donations Plugin Flaw Compromises WordPress Websites

A new zero-day flaw in the Total Donations plugin has left WordPress sites vulnerable to hackers, who could potentially steal data and even hijack the website. This vulnerability has been actively exploited, and it was confirmed that all versions of this plugin are affected by the flaw. Researchers received no reply when they contacted the plugin’s developers, and it has not been updated since 2016; this could mean that Total Donations has been abandoned, and there may not be an official patch. To protect against this exploit, we recommend you remove the plugin from your website and find a supported replacement. Details on the nature of the exploit are included in the original post.


Vulnerabilities & Updates

Google Security Experts Disclose Exploits For iOS Vulnerabilities

Google Project Zero’s white hat hackers have recently disclosed details for 4 major iOS security vulnerabilities, which were addressed in the iOS 12.4 update. The flaws include a memory corruption issue, a Siri exploit, and two iMessage exploits. A fifth flaw was also discovered but has not yet been shared because the patch did not fully address it. Details on all the disclosed vulnerabilities can be found in the original post.


And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

If you have any recommendations for additional content, or things you would like to see covered then please let us know.


Edition #52 – 2nd Aug 2019


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.
