Bethesda blunders, IRS sounds the alarm, China ransomware, and more
Plus, US Congress wants more cybersec training, better breach laws
But that wasn't the only news to hit over the week.
Oh look, it's yet another SystemD vulnerability
Linux management tool SystemD is once again getting the wrong kind of attention as researchers have spotted another security vulnerability in the software, specifically in the polkit, or Policy Kit, library used by SystemD.
This time, it is an elevation of privilege vulnerability that would potentially let users execute systemctl commands they would otherwise not be authorized to perform.
Fortunately, there are some mitigating factors in this case. Mainly, exploiting the vulnerability requires superuser clearance to create a user with a really high user ID. At that point, you wouldn't have much need for the flaw. Still, it would be a good idea to patch this one as soon as possible.
The bug has been designated CVE-2018-19788.
Congress pitches tougher data breach, security training laws
A pair of efforts in Washington DC are aiming to improve information security in the government.
First, there is Senator Mark Warner (D-VA) who is pointing to the recent Marriott hotel breach as proof that we need a new set of federal data breach regulations. From Warner:
"We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."
Then, there's a bipartisan bill in the House that would beef up government support for cybersecurity training.
That bill (PDF), floated by Reps. Jim Langevin (D-RI) and Glenn Thompson (R-PA), would create a new Department of Education grant program focused on training students in the basics of infosec with the hope that they would eventually put those skills to work in the public and private sectors.
Leaking… leaking never changes
As if Bethesda's rollout of Fallout 76 wasn't going badly enough.
Now comes the news that the games company's efforts to replace a premium tote bag some users got with their pre-orders have resulted in the exposure of their personal details and payment card information.
A user reported that, due to a glitch in Bethesda's support site, she was receiving all of the tickets from other customers. Those tickets included the information they had sent to prove their purchase and claim their replacement bags, things like addresses and credit card information.
Fortunately, rather than do anything evil, the user reported the matter and Bethesda was able to clear everything up before any nefarious activity (that we know of) occurred.
Now, if they could do something about the lousy gameplay…
IRS fires up tax-season fraud alerts
With the end of the year rapidly approaching, workers around the US will soon be getting their tax information, and the IRS is already starting to issue warnings on how to avoid being duped.
The US tax collector says it is already seeing scammers attempting to trick users into turning over personal information.
Avoiding these scams means taking some basic security steps: Don't trust unsolicited emails (the IRS sends its official notices by snail-mail) and don't follow any hyperlinks or open strange attachments. Most of all, don't hand personal details over to any person or site unless you are absolutely sure of their authenticity.
Reg readers know most of these things already, but it's worth passing along to friends and family members who are less tech-savvy.
WeChat ransomware runs amok in China
A massive ransomware outbreak is spreading in China, locking up the machines of tens of thousands of users.
The malware, interestingly enough, does not ask for its payout in bitcoin or other cryptocurrencies, but rather in the form of cash transfers from China's WeChat pay service. So far, it is estimated that more than 100,000 machines have been hit by the infection.
Considering that the outbreak is concentrated in China, the decision not to use cryptocoins for payment makes sense, as Bitcoin and other currencies are not allowed to be exchanged or traded in the Middle Kingdom. If this infection was the work of a local hacker, it would make sense that another form of payment was used.
Cozybear creeps launch new offensive
Microsoft is sounding the alarm over a new wave of attacks from an APT known as 'Cozybear'.
Redmond says the group appears to be mounting a large-scale attack on public-sector, non-profit, and private companies that all operate within the oil, gas and hospitality industries.
The attacks themselves are not particularly remarkable; the attackers use spear-phishing campaigns to try and infect their targets with poisoned PDF files that then install spyware and botnet controllers on the infected machines.
What does have Microsoft concerned, however, is the massive scale of the attack on companies around the US, as well as some of the tell-tale signs that Redmond says point to a state-sponsored campaign.
"Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations," Redmond said of the operation.
Seattle stalker sees slammer
A 39-year-old man from Seattle, WA will be spending the next 20 months behind bars for a particularly gross string of cyberstalking incidents.
Joel Kurzynski admitted to conducting two cyberstalking campaigns that included prolonged harassment, death threats, and other scumbaggery. Among the claims made against Kurzynski was that he signed one person up for "fake dating profiles wherein Kurzynski portrayed Victim 1 as seeking sadomasochistic or underage relationships. These profiles contained photographs of Victim 1 and his contact information, resulting in solicitations and harassing messages directed toward Victim 1 from multiple strangers."
In another case, Kurzynski was said to have signed a victim up for multiple weight-loss and suicide prevention programs with the aim of flooding the target with calls and correspondence from those groups.
This escalated to death threats, according to the DOJ, who recounted that "one threat claimed that he was waiting for her in the lobby, and another that said, 'Looking forward to seeing you today and how much you bleed. Don't go to the bathroom alone'."
It sounds like, for the next 20 months at least, the internet will be a slightly better place. ®