Here is the round-up of the last two weeks' news.
British Airways faces record-breaking GDPR fine after data breach
The UK's data watchdog has announced plans to fine the airline British Airways a record £183 million over last year's data breach. The Information Commissioner's Office (ICO) said that "poor security arrangements" at the company led to the exposure of credit card details, names, addresses, travel booking details and logins for around 500,000 customers. The fine would be the largest the ICO has ever issued, BBC News reports, far exceeding the £500,000 fine imposed on Facebook over the Cambridge Analytica scandal, which affected millions of users. British Airways now has 28 days to respond to the notice of intent before the penalty is made final.
Marriott Hotels face a £99,000,000 fine for poor security
International hotel group Marriott is facing a £99m fine after hackers stole the records of 339 million guests. The Information Commissioner's Office, Britain's data privacy authority, issued a notice of its intention to fine the group for infringements of the General Data Protection Regulation (GDPR) over the 2014 compromise of the Starwood hotels group, two years before Starwood was acquired by US-based Marriott. The intrusion was not discovered until 2018, and the ICO noted that Marriott did not carry out sufficient due diligence when it bought Starwood: a security hole inherited through an acquisition is still the acquirer's problem. It comes just days after British Airways said it intended to contest a record £183m fine over its 2018 data breach.
D-Link to Audit Every 2 Years
D-Link has settled a case with the FTC by agreeing to implement a comprehensive software security program and to submit to independent third-party assessments every two years for ten years. The FTC had sued the company over serious flaws in its routers and IP cameras that put users at risk: hard-coded login credentials, credentials stored in plain text on mobile devices, a failure to test for and remediate well-known vulnerabilities, and marketing that claimed the devices were secure regardless.
Cyber Criminal Jailed for 27 Months
Austin Thompson, 23, known online as DerpTroll, has been sentenced to 27 months in prison and ordered to pay $95,000 in restitution to Sony for DDoS attacks on Sony and other gaming companies in 2013 and 2014. This is the same attacker who took down gaming servers over Christmas 2013 and bragged about it on Twitter. Don't launch illegal attacks, kids!
Canonical's GitHub account was compromised on July 6 after its credentials were stolen; the attacker created new repositories and opened issues. The compromised account has been removed, and Ubuntu's source code was not affected.
Another hole in Firefox
A couple of Firefox flaws hit the news this week. First, downloading an HTML file and opening it from your local disk can be a severe threat: Firefox treats local files opened via file:// as the same origin as the other files in that directory, so a malicious HTML file can read them. The issue has been known for 17 years and was given a fresh proof-of-concept this week, which lets an attacker steal files stored on the victim's computer. There is no fix in the works. Mozilla also said it has no plans to enable DNS-over-HTTPS (DoH) by default for UK users. DoH encrypts DNS lookups so that ISPs cannot read or tamper with them, which is exactly why UK ISPs objected: they rely on DNS-level filtering to block access to inappropriate sites. DoH adds a layer of protection for your lookups, although the resolver you choose can still see them, and you can still enable it yourself via the step-by-step guide linked here.
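To make the DoH point concrete, here is an added example (not Mozilla's code, and not from the original post) that builds a wire-format DNS query, shows the GET and POST request shapes a DoH client sends under RFC 8484, and parses a response. The resolver URL is an assumed placeholder and the response bytes are constructed inline, so nothing touches the network. What matters for the privacy argument is that the whole DNS message rides inside an ordinary HTTPS request; an ISP sees a TLS session to the resolver, not the names being looked up.

```python
"""What a DNS-over-HTTPS lookup carries on the wire (RFC 8484).

Added example, not Mozilla's code. The resolver URL is an assumed
placeholder and SAMPLE_RESPONSE is constructed for illustration.
"""
import base64
import struct

RESOLVER = "https://doh.example.net/dns-query"   # assumed endpoint


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query; ID is 0, as RFC 8484 recommends for cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes) -> str:
    """GET form: the message base64url-encoded, padding stripped, in 'dns='."""
    return RESOLVER + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_dns_param(value: str) -> bytes:
    """Server side of the GET form: restore padding and decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_post_request(query: bytes) -> dict:
    """POST form: the raw message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": RESOLVER,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": query,
    }


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_answers(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                # non-zero RCODE: treat as no answers
        return []
    offset = 12
    for _ in range(qd):               # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


# Constructed response to build_query("example.com"): one A record, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)       # QR, RD, RA, RCODE 0
    + build_query("example.com")[12:]                   # echoed question
    + b"\xc0\x0c"                                       # pointer to the name at offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(parse_a_answers(SAMPLE_RESPONSE))
```

Two caveats worth keeping in mind: the resolver operator sees every lookup, so enabling DoH moves trust from your ISP to whoever runs the endpoint, and the TLS handshake to the site you then visit still carries its hostname in the SNI field, so DoH hides your lookups, not your destinations.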
China Against Privacy
Chinese border authorities are installing spyware on tourists' phones when they cross into the Xinjiang region. The app is ostensibly used to find files linked to Islamic extremism, but it also harvests texts, emails and call logs. It is unknown what the Chinese government does with this data, but the surveillance network already in place in that region invites some obvious guesses.
Amazon Echo has No Data Deletion
Amazon keeps Echo voice recordings and their transcripts indefinitely, according to a letter from Amazon to a US senator. Users can delete recordings via the Alexa app or website, but records of transactions made through Alexa are kept forever. Amazon is very interested in how many pizzas you order, apparently.
OpenPGP users are being targeted through the SKS keyserver network that GnuPG uses to fetch and refresh keys. Attackers flooded well-known public keys with tens of thousands of bogus third-party signatures; importing such a poisoned key makes GnuPG hang or fail, which in turn breaks signature validation for any messages or software updates that rely on that key. Because the keyserver software is largely unmaintained, this is unlikely to be fixed any time soon. Until it is, avoid refreshing keys from the SKS pool and get them from a source that does not serve third-party signatures.
Superhuman charges you to be the product
Superhuman is an invite-only email client costing $30 a month that lets users see when and where their recipients opened their emails. That is creepy, especially in the hands of anyone who wants to collect and triangulate data about you, and recipients were not told they were being tracked. The app does this with tracking pixels: a remote image embedded in the message, which the sender's server logs along with the recipient's IP address and the time whenever the mail client loads it. In light of the controversy, Superhuman says it will stop tracking location, delete existing location data and turn read receipts off by default. Sometimes outrage does create change.
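The defensive side of the tracking-pixel story is spotting one before your client loads it. The following is an added example (not Superhuman's code, and not from the original post) that scans an email's HTML for remote images that look like beacons: tiny dimensions, CSS hiding, or a per-recipient identifier in the URL. The sample message is constructed, and the parameter names treated as suspicious are a heuristic list, not a standard.

```python
"""Flag likely tracking pixels in an HTML e-mail body.

Added example, not Superhuman's code. SAMPLE_EMAIL and SUSPICIOUS_PARAMS
are constructed for illustration; real beacons vary, so treat the rules
as heuristics.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-string keys that commonly carry a per-recipient identifier (assumed list).
SUSPICIOUS_PARAMS = {"id", "uid", "rid", "recipient", "email", "track", "open"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, lower-casing attribute names."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values such as '1', '1px' or '0'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def _hidden_by_style(style: str) -> bool:
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def classify_img(attrs: dict) -> list:
    """Return the reasons an <img> looks like a beacon (empty list if it does not)."""
    reasons = []
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme not in ("http", "https"):
        return reasons            # inline (cid:/data:) images cannot phone home
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 image")
    if _hidden_by_style(attrs.get("style", "")):
        reasons.append("hidden via CSS")
    if parse_qs(parsed.query).keys() & SUSPICIOUS_PARAMS:
        reasons.append("per-recipient identifier in URL")
    elif any(len(part) >= 24 for part in parsed.path.split("/")):
        reasons.append("long opaque token in path")
    return reasons


def find_tracking_pixels(html: str) -> list:
    """Return (src, reasons) for every remote image that matches a rule."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        reasons = classify_img(img)
        if reasons:
            hits.append((img.get("src", ""), reasons))
    return hits


# Constructed sample: a real logo, a classic 1x1 beacon, and a CSS-hidden beacon.
SAMPLE_EMAIL = """
<html><body>
<p>Hi, are you free for a call?</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://mail.example-tracker.net/open.gif?id=7f3a9c2e&amp;rid=victim" width="1" height="1">
<img src="https://t.example-tracker.net/px/1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

The simplest protection needs no parser at all: tell your mail client not to load remote images automatically, which stops every variant of this technique at once.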
Tor fix released
Tor 0.4.2 fixes a long-standing weakness that has been used for years to launch denial-of-service attacks against .onion sites. While some of the targeted sites were legitimate, recent attacks have concentrated on illegal dark web marketplaces. The Tor developers are giving onion service operators the option to enable an active defence against these attacks.
Arlo flaw requires physical access
Arlo Smart Home cameras have serious flaws affecting customers of a company that, according to Netgear (Arlo's former parent), streams more than 100 million videos a day. The flaws would allow an attacker to disable a video feed or manipulate footage. Two disclosures, one from Tenable and one from a pair of researchers, detail them. The chances of being targeted are low, as the attacks require physical access to the device. Patches from Arlo are now available.
Hackers stole about 55 million yen (roughly $500,000) from 900 customers of 7-Eleven Japan after its new 7pay app was used to make fraudulent charges. The app displayed a barcode on screen for payment at checkout, and its password reset had a design flaw: anyone could request a reset for any other account and have the reset link sent to an email address of their own choosing, so an attacker only needed a victim's account details to take it over. Why the app allowed password-reset links to be sent to an arbitrary email address is beyond me.
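The flaw described above in code, as an added example that is not 7pay's own implementation or part of the original post: two reset handlers built on a constructed account store and a fake mailer. The vulnerable one honours a delivery address supplied in the request; the hardened one only ever mails the address on file, answers identically whether or not the account exists, and issues single-use, expiring tokens. All identifiers are stand-ins.

```python
"""Password-reset design flaw modelled on the 7pay report.

Added example, not 7pay's code. ACCOUNTS, OUTBOX and the token store are
constructed stand-ins for a user database, a mailer and a token table.
"""
import hmac
import secrets
import time

# Constructed sample account database: user id -> registered e-mail.
ACCOUNTS = {
    "victim01": {"email": "victim@example.com"},
    "attacker9": {"email": "attacker@evil.example"},
}

OUTBOX = []            # fake mailer: list of (recipient, token)
RESET_TOKENS = {}      # token -> (user_id, expiry epoch seconds)
TOKEN_TTL_SECONDS = 15 * 60


def _issue_token(user_id: str) -> str:
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    RESET_TOKENS[token] = (user_id, time.time() + TOKEN_TTL_SECONDS)
    return token


def _send_mail(recipient: str, token: str) -> None:
    OUTBOX.append((recipient, token))


def request_reset_vulnerable(form: dict) -> str:
    """Flawed design: trusts a 'send_to' address taken from the request."""
    user_id = form["user_id"]
    if user_id not in ACCOUNTS:
        return "ok"
    token = _issue_token(user_id)
    # BUG: anyone who knows a user id can route that user's reset link
    # to an address they control.
    _send_mail(form.get("send_to", ACCOUNTS[user_id]["email"]), token)
    return "ok"


def request_reset_hardened(form: dict) -> str:
    """Hardened: the link goes only to the address on file, and the reply
    is the same whether or not the account exists (no enumeration)."""
    account = ACCOUNTS.get(form["user_id"])
    if account is not None:
        token = _issue_token(account and form["user_id"])
        _send_mail(account["email"], token)    # request-supplied fields ignored
    return "ok"


def redeem_token(token: str, new_password: str) -> bool:
    """Consume a token once, compare in constant time, reject if expired."""
    for stored, (user_id, expiry) in list(RESET_TOKENS.items()):
        if hmac.compare_digest(stored, token):
            del RESET_TOKENS[stored]           # single use
            if time.time() > expiry:
                return False
            ACCOUNTS[user_id]["password"] = new_password   # stand-in for a hash
            return True
    return False


def attacker_takes_over(handler) -> bool:
    """Replay the 7pay-style attack against a handler: request a reset for
    'victim01' but ask for the link at the attacker's address. Returns True
    if the attacker ends up holding a token that resets the victim's password."""
    OUTBOX.clear()
    RESET_TOKENS.clear()
    handler({"user_id": "victim01", "send_to": "attacker@evil.example"})
    stolen = [t for (to, t) in OUTBOX if to == "attacker@evil.example"]
    return bool(stolen) and redeem_token(stolen[0], "pwned")


if __name__ == "__main__":
    print("vulnerable handler compromised:", attacker_takes_over(request_reset_vulnerable))
    print("hardened handler compromised:  ", attacker_takes_over(request_reset_hardened))
```

In a real service the token table would hold a hash of the token rather than the token itself, and the reset endpoint would be rate-limited per account and per source address; neither changes the core rule shown here, which is that the delivery address is never an input.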
Microsoft Security Updates
It is that time of the month already. The days seem to slip away at an astounding rate. This month we see three major revisions for issues:
Complete information for the July 2019 security update release can be found at:
Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.
Last week saw SB Tech breached by the hacking group Maze. It seems that every week the group announces more victims. GameOn asked our CEO, Peter Bassill, to give some insight into the attack. The GameOn article is here.
In our “How to securely” series we asked our followers what tools they would like a simple guide on to help them stay secure online. There seemed to be a lot of confusion as to what a VPN is and why you should or should not use one. So we asked Peter to help.
WhatsApp is among the fastest-growing instant messengers out there, and almost a social network in its own way. But if you are using it, there are some steps you should take to protect your security and privacy.
The UK's highest court ruled that Morrisons cannot be held liable for the criminal act of a rogue employee seeking to harm the business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not "vicariously liable".
With the current pandemic situation, we all need to be taking remote working into consideration. While adjusting the working paradigm, it is vital to keep an eye on the security and safety of the business's information assets.
In this guide we look at how to go about securing Zoom. Since the onset of the global pandemic, we have seen a surge in "Zoom bombing", where people with malicious intent look for in-progress Zoom meetings to join and cause trouble.
A critical vulnerability has been identified in Dell EMC iDRAC7, iDRAC8 and iDRAC9. Some unknown processing is affected by this issue. Manipulation with an unknown input can lead to stack-based memory corruption.
On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016.
A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server), affecting an unknown code block of the Controller API component.