LAPD loses job applicant details, Project Zero pokes holes in iOS, AWS S3 whack-a-mole continues, and more
Plus, Cisco patches up router pwnage vulnerability
Roundup: Here is a quick roundup of the recent happenings in the world of computer security beyond what we've already reported.
Also, look out this week for our Black Hat, DEF CON, and Bsides Las Vegas coverage: our vultures out in the Nevada desert will produce a string of articles from the hacking conferences.
Amazon closes one open S3 bucket, two more pop up
In what has become a depressingly common occurrence, misconfigured Amazon S3 buckets continue to expose people's private information to the public internet.
Researcher Gareth L. found that Bank of Cardiff, a financial institution based in San Diego, California, had left open a public-facing S3 bucket containing its communications with customers. The archive, which has been up since at least December, includes recordings of the bank's customer service calls.
El Reg was unable to get a response from Bank of Cardiff over the issue, though at least some of the files have since been hidden from view by its staff. Shortly after that discovery, our man spotted another open bucket, this one belonging to UK company VQ Solutions.
In about an hour it'll be ~72 hours since @vqsolutions was notified that they had suffered a GDPR breach resulting in the exposure of British citizens' passports, employment contracts, educational history, driving licenses and more.— Gareth (@NetworkString) May 19, 2019
Have they told the @ICOnews?
I hope so...
In better news, a collection of sensitive data, hosted in a poorly secured public-facing Amazon S3 bucket, that Gareth L. and El Reg have been tracking for some time has finally been taken down. That archive included patient medical records, health insurance details, and court filings.
Attempts to reach the multiple doctors, lawyers, and insurance companies whose documents were included in the archive went nowhere, as did a report of the breach to the US Department of Health and Human Services. The S3 bucket was only taken down after El Reg alerted Amazon's AWS security team to the leak.
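The buckets above were "open" in one of two ways: an access control list that grants a permission to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Principal is "*". The following script is an added example written for this roundup, not code from Amazon or from the researchers involved, and it evaluates the JSON documents that the S3 GetBucketAcl and GetBucketPolicy calls return without talking to AWS. The sample ACL and policy documents, the bucket name and the IP range in them are constructed for the demonstration.

```python
import json

# Canned group URIs AWS uses in S3 ACL grants. A grant to either one is what
# makes a bucket world-readable (AuthenticatedUsers means *any* AWS account,
# not just yours, which is a common misunderstanding).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) pairs that open the bucket to everyone.

    `acl` has the shape of the GetBucketAcl response: {"Owner": ..., "Grants": [...]}.
    Bucket-level READ only allows listing, but a listing is enough to find the
    object keys, and objects uploaded "public-read" are then fetchable.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
            findings.append((uri, perm))
    return findings


def _anonymous_principal(principal):
    """True if a policy Principal matches anyone: "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return Allow statements granted to an anonymous principal.

    `policy` is the policy JSON string (or already-parsed dict) from GetBucketPolicy,
    or None when the bucket has no policy. Statements carrying a Condition (for
    example an aws:SourceIp restriction) are reported with conditional=True so a
    reviewer can decide whether the condition actually narrows access.
    """
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be written without the list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "statement-%d" % index),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def bucket_is_public(acl, policy):
    """Public if the ACL grants to everyone, or the policy allows anyone unconditionally."""
    if public_acl_grants(acl):
        return True
    return any(not f["conditional"] for f in public_policy_statements(policy))


# Constructed sample documents, shaped like the real API responses.
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
LEAKY_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-recordings/*"},
]})
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-call-recordings", "arn:aws:s3:::example-call-recordings/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

if __name__ == "__main__":
    print("ACL grants:", public_acl_grants(LEAKY_ACL))
    print("policy:", public_policy_statements(LEAKY_POLICY))
    print("conditional policy:", public_policy_statements(CONDITIONAL_POLICY))
    print("public?", bucket_is_public(LEAKY_ACL, None), bucket_is_public(PRIVATE_ACL, CONDITIONAL_POLICY))
```

Feed it the real documents (for instance the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`) and treat any unconditional finding as a leak in progress. The check is reactive, though; the account-level fix is to turn on S3 Block Public Access, which rejects public ACLs and policies before they take effect.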
StockX admits it fell victim to cyber-attack
Late last week, a Register ad-sales exec who buys shoes from StockX.com got an email from the e-tailer asking him to reset his account password. At the time he was told this was due to a "system upgrade". Well, it turns out it was actually due to hackers, who managed to raid the web store and steal customer data.
"An unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history," the online souk added.
"From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted."
Reset your passwords, folks, and if you reused that password anywhere else, change it there too: StockX has not said how the passwords were hashed, so assume they can be cracked. Or find a better e-tailer for your sneakers.
Europol celebrates No More Ransom milestone
This week marked an important milestone for Europol's 'No More Ransom' project, as the security campaign celebrated its third anniversary.
Since its launch in 2016, No More Ransom says it has helped some 200,000 people and companies decode their encrypted data without caving to ransom demands. This has kept more than $100m out of the hands of criminals, the agency claimed.
"With visitors from 188 countries, the project has become a one-stop shop for the victims of ransomware, registering already over three million individual visits in its short life span," Europol said. "Thanks to the cooperation between more than 150 partners, the criminal business model behind ransomware has been severely hit since the initiative was launched, resulting in some $108 million profit prevented from going to the wrong pockets."
LAPD relieved of personal details on job applicants
Los Angeles Police find themselves on the wrong end of a data exposure case after someone managed to pilfer the details of more than 17,000 officers and job applicants.
Local news station NBC Los Angeles reports that a hacker appears to have gotten into a database containing the information police candidates gave when they applied for a job with the department, including name, partial social security number, email address, and home address. Those affected are being advised to keep a close eye on their bank and credit reports.
Cisco Nexus wrecks us
Anyone using a Cisco Nexus 9000 switch will want to check for, and apply, an update after the networking giant issued an alert for a high-severity security flaw. The bug potentially allows for complete takeover of the switch.
"An attacker could exploit this vulnerability by sending a crafted LLDP packet to the targeted device. A successful exploit may lead to a buffer overflow condition that could either cause a DoS condition or allow the attacker to execute arbitrary code with root privileges," Cisco notes.
One mitigating detail: LLDP frames are link-local and are not forwarded across switches or routers, so an attacker needs to be on a segment directly connected to the vulnerable switch. That still includes anything plugged into an access port, so if patching has to wait, disabling LLDP on interfaces facing untrusted devices is the obvious stopgap.
And this week's government ransomware victim is… *spins wheel*...Georgia state police!
Word out of Atlanta is that multiple Georgia state police agencies have fallen victim to an unspecified ransomware infection.
The malware, affecting the Georgia State Patrol and the State Capitol Police, partially disabled the system officers use to check records, meaning in some cases they are having to use phones and dispatch radio to perform checks.
Project Zero details iOS flaws
Noted bug-hunter Natalie Silvanovich of Google's Project Zero has dropped the details on a handful of flaws her team uncovered in Apple's iOS. The (since-patched) vulnerabilities have been known for weeks, but the release of the proof-of-concept code will make it that much easier to exploit the bugs on devices that have not been updated.
If you haven't updated your iOS gear recently, do so immediately.
SanDisk SSDs found to have hard-coded passwords
Trustwave researcher Martin Rakhmanov has found two CVE-listed flaws in SanDisk solid-state drives stemming from the use of hard-coded passwords.
While not rated critical, the bugs could potentially allow an attacker to gather detailed system data on a target by intercepting and reading the status reports SanDisk drives send back to the company. As with any hard-coded credential, the password is the same on every affected unit, so it cannot be changed by the owner and only a firmware update removes it.
Apple devices blab data over Bluetooth
Researchers have uncovered a new set of vulnerabilities in Apple iOS gear involving Bluetooth connections. Like many other devices, Apple gear allows some data to be harvested over Bluetooth Low Energy (BLE) connections: things like hardware details, device names, and even your mobile number. ®