Bug-hunter faces jail for vulnerability reports, DuckDuckPwn (almost), family spied on via Nest gizmo, and more

Your rapid-fire guide to all the other infosec news of the week

Rubber duck (classic, yellow) floats on water. Photo by shutterstock

Roundup This was the week we saw GPS grumbles, shady speakers, and Yahoo! Losing! Again!

While all that was happening, a few other bits of news that hit our screens...

DuckDuck D'oh!

Drama in search engine land this week as Google-alternative DuckDuckGo disclosed a potentially nasty flaw in its server-side software.

Bug-hunter Michele Romano took credit for spotting and reporting an information-leaking vulnerability in backend servers that handled some user requests.

The XML External Entity vulnerability would have allowed an attacker to feed maliciously crafted XML files that had local paths embedded within them into DuckDuckGo's backend servers, causing those systems to cough up internal data. Because the server-side code was not properly examining XML content for things that shouldn't be there (such as requests for local system files) miscreants could have downloaded sensitive files and documents from the servers using dodgy XML files.

Fortunately, the flaw has now been patched, and there are no reports of malicious actors targeting it.

A cryptocurrency exchange owes its customers $190m and can't unlock the funds – because only the CEO and founder knows the password to the cold wallets holding the dosh, and he died in December.

Crook builds massive library of stolen credentials

Someone is making the rounds on cybercrime forums offering a massive collection of personal details built by aggregating a bunch of previous data breaches.

The collection of 2.2 billion records is apparently nothing new, just a fat collection of other data dumps, but you have to admire (and be a little scared by) the commitment of the crook to get so many pilfered pieces of information in one place.

Now would be a good time to make sure you aren't re-using any old passwords.

S(o) S(crewed) 7

UK cyber-snoops are warning, via Vice, that criminals are abusing flaws in the SS7 text message protocol to steal two-factor login codes from banking websites, and then break into online bank accounts.

Apparently, criminals have been abusing the system to re-route messages around phone networks, eventually intercepting the messages. In the UK, this has taken the form of attacks on Metro Bank*, among others.

A criminal gets into the SS7 backbone and then intercepts the text messages of the person they are targeting and, using the intercepted 2FA code along with a username and password obtained by other means (such as phishing) they could get everything they need to access and drain a bank account.

Chrome and Firefox patched

While they may not get the attention of Microsoft's Patch Tuesday, security fixes for the Chrome and Firefox browsers are something everyone should keep an eye on.

Earlier this week, security fixes were posted for both browsers on Linux, Windows and macOS. Among the vulnerabilities patched were remote code execution flaws, and US-Cert is advising users and admins to make sure the patches are installed and running.

This should be easy enough to do, as both browsers have built-in update mechanisms that will download and install the fixes, so just make sure you have the latest version installed.

Hungarian researcher faces jail time for vulnerability disclosure

No good deed goes unpunished, right?

A researcher in Hungary could be spending as long as eight years in jail simply for discovering and reporting a vulnerability in the network of one of the country's largest telcos.

BleepingComputer reports that the unnamed researcher spotted and reported a vulnerabulity in the network of Magyar Telekom last April.

Rather than recognize the bug-hunter or pay out a bounty, the telco instead ratted out the white hat to the police. He could now get as many as eight years in jail if convicted on charges of hacking into the company's network and database.

Hopefully cooler heads prevail, and this whole affair gets sorted out without anyone having to spend time behind bars.

Dumb problem in smart home

A smart home aficionado in Illinois, USA, saw his internet of things house meet the internet of trolls this week after hackers got into his home network and began manipulating both surveillance cameras and thermostats.

Telly news station NBC Chicago reports that for more than a week Arjun Sud and his family have been in a panic over strangers who apparently had access to their network of Nest devices, including two smart thermostats and 16 cameras placed around that home.

The hackers undertook such creepy activities as talking to Sud's 7-month old baby while alone in the nursery, cranking the couple's heating system up to 90 degrees (32C) and shouting obscenities into the family's living room.

"The moment I realized what was happening, panic and confusion set in, and my blood truthfully ran cold," Sud was quoted as saying.

"We don’t know how long someone was in our Nest account watching us. We don’t know how many private conversations they overheard."

Not exactly a ringing endorsement for smart home devices, is it?

Turbulence ahead for Airbus after mystery data theft disclosure

European plane-builder Airbus is fessing up to a potentially serious hack and data theft. Emphasis on the "potential," because the biz isn't revealing much information of use.

The French air giant says an unspecified "cyber incident" hit its commercial airliner operation, resulting in the loss of some employee data. What is that data? Your guess is as good as ours.

The disclosure was conspicuously short on details, omitting any sort of specifics on how many people were affected, what data was taken, or who might have taken it, but Airbus said the "incident" included unauthorized access to information that included "professional contact and IT identification details" for some of its workers. The number of employees affected is estimated to be somewhere between 1 and 129,000.

"This incident is being thoroughly investigated by Airbus’ experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins," Airbus said.

"Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed."

How forthcoming.

Airbus notes it is working with the "relevant regulatory authorities and the data protection authorities pursuant to the GDPR." We imagine that EU authorities are going to want a slightly more detailed report than "a cyber incident occurred" when they look into the matter.

The aircraft builder also says it is advising its employees to "take all necessary precautions going forward", though that might be hard to do if they have no idea what data was taken, who has it, and where they got it from.

So, to recap, something happened at Airbus. To someone. Resulting in the theft of something. By someone. ®

Updated to add at 1204 UTC:

* Metro Bank got in touch after publication to say: "Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website."

Sponsored: How to get more from MicroStrategy by optimising your data stack

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019