Security

What got breached this week? Ticket portals, DNA sites, and Atlanta's police cameras

Also, Apple tightens up its certificate requirements

By Shaun Nichols in San Francisco

18 SHARE

Roundup This week brought new charges for Marcus Hutchins, a novel way to sneak malware into archives, and shady hotspots for World Cup fans.

There was also plenty of other security bits that didn't quite make the headlines. Here are some of the best.

Apple wants to be cert-ain on certs

Apple is going to make it harder for sites to be trusted on Safari.

The Cupertino phone seller said this week that, come Fall, it will put stricter requirements on sites that want their certificates to be accepted.

"Publicly-trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 must meet our Certificate Transparency (CT) policy to be evaluated as trusted on Apple platforms," Apple says.

"Certificates that fail to comply will this policy will result in a failed TLS connection, which can break an app’s connection to Internet services or Safari’s ability to seamlessly connect."

This means that certificates will now have to have at least two signed certificate timestamps from a CT log. That was previously only required for Extended Valuation certificates.

Ticketfly falls to hackers

Last week, ticketing site Ticketfly said it was the victim of an attack that left it unable to handle ticketing for some events over the weekend. This week, the site shed more light on the matter when it revealed that information on some 27 million accounts was harvested in the attack.

"In consultation with third-party forensic cybersecurity experts we can now confirm that credit and debit card information was not accessed," Ticketfly said.

"However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed. "

Ticketfly notes that many of its users have multiple accounts with different email addresses, so fewer than 27 million actual people are affected by the breach. Also, no credit card information or passwords were accessed.

Still, anyone who has a Ticketfly account will need to reset their password, and re-used passwords on other sites should also be changed.

Thanks for getting scammed, now tell your friends!

It's bad enough to fall victim to a support scam, but one group is making matters even worse by tricking their marks into recording video endorsements.

Australia's ABC has the story of a group called 'Macpatchers' that uses fake tech support pages to get users to install remote access malware.

From there, the scammers trick the users into paying for unnecessary (and useless) support software and service. Finally, the scammers asked the victims to read a script saying they were satisfied with their experience.

Why? Because unbeknownst to the users, their webcams were turned on and recording them. The video clips were captured by the scammers and used to compile 'testimonial' videos that would make their dodgy support operations seem more legit.

While many Reg readers have no doubt tired of being the unpaid support staff for friends and family, stories like this underscore how important it is to be there to help of the less tech-savvy people in your life when they have problems or questions. The alternative is letting them play right into the hands of scammers.

MyHeritage coughs up user details

It's the notice nobody who uses a geneology site wants to see: MyHeritage has confirmed it suffered a massive breach of user data.

The testing site says a security researcher informed it earlier this week that a file containing the usernames and hashed passwords of every person who signed up for their service through October of last year was out in the wild.

Fortunately, we don't have to run any panicked thinkpieces about people having their "DNA hacked" anytime soon. The database only contained user email addresses and hashed passwords, no other personally identifiable information was accessed, and the site uses third-party services to process card data.

"Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security," the company said in its mea culpa.

"We have no reason to believe those systems have been compromised."

Atlanta ransomware infection worse than feared

Earlier this year, a ransomware outbreak hit the city of Atlanta, GA, taking down a number of the city's central IT services.

Now, it seems the outbreak was even worse than previously thought, and it could have a long-term impact on the city.

In addition to costing more than $2.5m to clean up, the city says the infection resulted in the loss of police dashcam footage. That footage includes evidence the city planned to use for criminal cases.

Police Chief Erika Shields told the Atlanta Journal Constitution that the city will hopefully still be able to proceed with the cases.

"But the dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer," Shields was quoted as saying.

"There will be other pieces of evidence. It’s not something that makes or breaks cases for us."

Supermicro, semivulnerable

Researchers say that some servers from Supermicro could be vulnerable to firmware attacks, thanks to poorly-guarded hardware settings.

Security firm Eclypsium found that Supermicro boxes are not set to properly limit access to the firmware, potentially leaving the descriptor region vulnerable to being completely re-written.

"In general, the flash descriptor region should be “immutable” once the system completes the manufacturing process and is ready for production use. This helps establish the firmware stored in the SPI flash as a root of trust for the system," Eclypsium explains.

"By insecurely configuring the descriptor, malicious software with administrative privilege in the host OS may be permitted to modify the contents of firmware code and data that the host processor would otherwise never need to directly read or write."

In practice, this means that a malware infection already present on the system could use those vulnerabilities to further embed itself in the firmware layer, allowing the infection to become harder to detect and potentially crippling the entire server.

Eclypsium says it is working with Supermicro to shore up security and fix the vulnerabilities where needed. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Juniper, Ericsson sign 5G product pact

Pour an aquavit, pour a gin, take a deeeep breath ...

Qualcomm, Microsoft drag apps for Win-10-on-Arm into 64-bit world

Visual Studio previews a world without 32-bit emulation

Qualcomm data centre tech veep jumps ship

Whither the Centriq now?

Juniper pours a shot of its data centre juice into campus networks

Big switch-style fabric comes to pizza boxes

Profits diving? All part of the plan, says Juniper Networks beancounter

Just wait till 400Gbps Ethernet boxen start shifting...

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Juniper prepping for a 400 Gbps Ethernet world

Interview EVP Manoj Leelanivas talks to El Reg

It's here! Qualcomm's new watch chip is finally here! Oh, uh, never mind

Ancient tech – but it isn't so bad

Juniper sharpens knife for the carrier network and boxes white boxes

MWC Suddenly, everyone's using automation to beat back open networks

400GbE party. Loud knock at the door. Music stops. In jumps Juniper

And it's clutching a roadmap that charts first shipments before end of 2018