//Blogs - 02 August 2019
AusCERT Week in Review for 2nd August 2019
AusCERT Week in Review
26 July 2019
This week we've seen a few noteworthy stories in the Information Security
Over in the USA, the Capital One banking corporation suffered a massive
data breach, in which millions of customers' records were downloaded from an
AWS S3 bucket with inappropriate permissions. In their notification, Capital One
were quick to point out that "No bank account numbers or Social Security
numbers were compromised, other than [...] About 140,000 Social Security
numbers [...] About 80,000 linked bank account numbers". Several Information
Security pundits were quick to point out the audacity and dishonesty of
this statement. AusCERT recommends, and has always recommended, clarity
and honesty when communicating data breaches.
In other news, the Equifax credit reporting firm reached a settlement with
the Federal Trade Commission last week, and any victims of the 2017 Equifax
data breach can apply for reimbursement for any costs or losses incurred
resulting from the breach, including the costs of applying for credit
monitoring. Affected people may also make a claim for a cash settlement,
which has been set at US$127 per person. Some might say this is small
compensation for having your financial information leaked online, and I
would agree with them.
Closer to home, the AusCERT office appears to be experiencing virus attacks
of a more traditional nature - more than half of our staff have called
in sick over this week. We hope you're staying healthy by sanitising your
inputs (air!), installing the latest (vitamin) updates, and quarantining
any infected machines (family members) in an isolated environment!
Here are some of the week's noteworthy security stories (in no particular
Title: Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones
Author: Sergiu Gatlan
Date: July 29, 2019
"An iMessage vulnerability patched by Apple as part of the 12.4 iOS update
allows potential attackers to read contents of files stored on iOS devices
remotely with no user interaction, as user mobile with no sandbox."
Title: Capital One Says Breach Hit 100 Million Individuals in U.S.
Author: Christian Berthelsen, Matt Day, and William Turton
Date: July 30, 2019
"Capital One Financial Corp. said data from about 100 million people in
the U.S. was illegally accessed after prosecutors accused a Seattle woman
identified by Amazon.com Inc. as one of its former cloud service employees
of breaking into the bank's server.
While the complaint doesn't identify the cloud provider that stored the
allegedly stolen data, the charging papers mention information stored in
S3, a reference to Simple Storage Service, Amazon Web Services' popular
data storage software."
Title: 200 million devices--some mission-critical--vulnerable to remote takeover
Author: Dan Goodin
Date: July 30, 2019
"...Researchers with security firm Armis identified 11 vulnerabilities in
various versions of VxWorks, a slimmed-down operating system that runs on
more than 2 billion devices worldwide.
Billed collectively as Urgent 11, the vulnerabilities consist of six remote
code flaws and five less-severe issues... None of the vulnerabilities
affects the most recent version of VxWorks--which was released last
week--or any of the certified versions of the OS, including VxWorks 653
or VxWorks Cert Edition."
Here are some of this week's noteworthy security bulletins (in no particular
1. ASB-2019.0226 - [Win][Linux] GitLab: Multiple vulnerabilities
2. ASB-2019.0224 - ALERT [Appliance] VxWorks: Multiple vulnerabilities
3. ESB-2019.2872 - [Win][UNIX/Linux][Ubuntu] Subversion: Denial of service - Remote/unauthenticated
Stay safe, stay patched, and have a good weekend.