This Week In Security - 12/16/2019
Around 2.7 billion email addresses, 1 billion email account passwords as well as 800,000 applications for copies of birth certificates have been discovered on unsecured cloud buckets.
Separate data exposures have been revealed across the US, with as many as a billion passwords visible in plaintext. They all have one thing in common: an unsecured cloud-based database, allowing anyone to access the sensitive information online.
Businesses and organizations have left their Amazon Web Services S3 and ElasticSearch cloud-based storage completely exposed. Researchers found this information, but it’s also likely that cybercriminals have come across it as well.
“Cloud services are inexpensive ways to do things we’ve done expensively for years, so it makes sense why so many people are moving their resources to the cloud. The problem is that it’s still far too easy to make mistakes that expose all your data to the Internet,” says John Bambenek, vice president of security research and intelligence at ThreatStop.
Misconfigured online storage has led to a 50% increase in exposed files this year compared to last year.
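The exposures above come down to storage that anyone on the Internet can read. The following is an added example, not code from the article or from any vendor it mentions: an offline check that flags the two ways an S3 bucket is usually opened to the world, a bucket policy whose `Principal` is `*` and an ACL grant to the `AllUsers` or `AuthenticatedUsers` groups. The policy documents, ACL grants, bucket name and account id are constructed for illustration; in practice the inputs would be the output of `get_bucket_policy` and `get_bucket_acl`.

```python
"""Flag S3 bucket policies and ACL grants that open a bucket to everyone.

Added example; the sample documents below are constructed and do not
describe any real bucket.
"""
import json

# Pre-defined S3 groups whose members are, respectively, everyone on the
# Internet and anyone with any AWS account (effectively also everyone).
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True when a policy Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return (Sid, verdict) for Allow statements granted to everyone.

    A Condition block can narrow a wildcard principal (for example to one
    VPC endpoint), so such statements are reported for review rather than
    declared public outright.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements with Principal "*" are fine
        if _principal_is_public(stmt.get("Principal")):
            verdict = "public-with-condition" if "Condition" in stmt else "public"
            findings.append((stmt.get("Sid", f"statement[{i}]"), verdict))
    return findings


def public_acl_grants(grants):
    """Return (group, permission) for ACL grants to the public groups."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


# Constructed sample: every object in the bucket is world-readable.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: access limited to one role (placeholder account id),
# plus a Deny on plaintext transport, which legitimately uses Principal "*".
LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample ACL: owner has full control, but the bucket is also
# readable by AllUsers.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]


def audit(policy_json, grants):
    """Combine both checks into one report for a bucket."""
    return {"policy": public_policy_statements(policy_json), "acl": public_acl_grants(grants)}


if __name__ == "__main__":
    print("exposed bucket:", audit(EXPOSED_POLICY, SAMPLE_GRANTS))
    print("locked-down bucket:", audit(LOCKED_DOWN_POLICY, SAMPLE_GRANTS[:1]))
```

The check deliberately ignores Deny statements and reports wildcard principals that carry a Condition separately, because a Deny on plaintext transport or an Allow scoped to a VPC endpoint both use `Principal: "*"` without exposing anything. Turning on S3 Block Public Access at the account level prevents both misconfigurations from taking effect regardless of what a bucket policy or ACL says.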
The patch released in December also fixes seven critical flaws.
Microsoft has zapped a zero-day exploit that was found by Kaspersky researchers. The scheduled security update also took care of seven bugs rated critical, 28 rated important and one rated moderate.
The zero-day bug in question allowed cybercriminals to attain higher privileges on the attacked device as well as evade protection mechanisms in the Google Chrome browser.
“An attacker could exploit the flaw to execute arbitrary code in kernel mode on the victim’s system,” said Satnam Narang, a senior research engineer at Tenable. “From there, the attacker could perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data.”
Another issue, an RCE bug affecting the Visual Studio client, was also fixed.
“As Visual Studio is one of the most popular development environments used today to design and build applications, this exploit puts engineering organizations on the front lines of a potential attack,” said Richard Melick, senior technology product manager at Automox.
It should also be noted that there is just one Patch Tuesday left, in January, for Windows 7 before Microsoft stops issuing security updates for it.
Smart Toys are a Security Risk According to FTC
Are you inviting a privacy breach into your home this Christmas?
Children are getting more and more tech-savvy these days, so if you’re thinking of gifting your little ones with a smart toy this Christmas, the US Federal Trade Commission (FTC) wants you to think twice.
According to the FTC, the hidden security risks in smart toys come down to three main factors that might lead to trouble.
The first is whether the toy has a microphone or camera installed and whether it stores any data. The second is whether these toys connect to social media or send emails, and the third is if adults have control over the toy’s management and security.
Other things to take into consideration are what type of privacy policy the service provider includes regarding the usage of the toy, whether any data is shared, and how easy it is to delete personal account data. It might also be worth doing a little research to find out whether the vendor has a history of known security issues.
Make sure to keep your children safe by researching the privacy implications of smart toys this holiday season.
The iOS and macOS bug allowed attackers to render nearby iPhones and iPads inoperable.
On Tuesday, Apple fixed a bug in AirDrop, its file-swapping feature. The bug made possible a denial of service attack, allowing cybercriminals to spam all iPhones and iPads in the nearby area.
“This share popup blocks the UI so the device owner won’t be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device,” according to independent researcher Kishan Bagaria.
AirDrop is a feature found in iOS and macOS which allows file transfers over wifi or Bluetooth.
“This bug is still subject to the AirDrop receiving setting, meaning if your AirDrop setting is set to ‘Everyone’, anyone can be the attacker, but if it’s set to ‘Contacts Only’, only someone in your contacts can be the attacker,” Bagaria wrote.
In addition to fixing this bug, Apple also delivered dozens of other fixes, including those for Apple Watch, macOS Catalina and iOS.
Demonstrations in India turn violent over bill excluding Muslims
Thousands of protesters have hit the streets in the Indian state of Assam over legislation that allows Hindu, but not Muslim, migrants from Pakistan, Afghanistan and Bangladesh to become Indian citizens. Two people have been shot dead during the protests and mobile internet was cut off in 10 districts across the country.
The protesters in Assam fear that giving citizenship to immigrants from Bangladesh will burden their resources. Many also oppose the anti-Muslim elements of the bill. Defying the government curfew, tens of thousands took to the streets of Guwahati.
Protesters burned cars and tires, pulled down multiple political billboards and set a bus terminal and two trains on fire. They were met by special forces and police who opened fire on them. One of the civilians who died of bullet injuries was 18-year-old Dipankar Das.
Director of Amnesty India, Avinash Kumar stated, “Welcoming asylum seekers is a positive step, but in a secular country like India, slamming the door on persecuted Muslims and other communities merely for their faith reeks of fear-mongering and bigotry.”
Home Minister Amit Shah rejected all criticism of the legislation, insisting that it would in no way affect the current path to citizenship for all communities.