US Cyber Security and Infrastructure Agency – CISA has added three significant vulnerabilities to its “known exploited vulnerabilities list. Avis data breech exposes 300,000 customers. A $20 domain purchase exposes a massive internet security flaw, and the insider threat – a disgruntled employee causes havoc and blackmails employer
Welcome to Cyber Security Today. I’m your host Jim Love.
Some breaking news that came up just as we were recording this podcast:
Transport for London (TfL) has revealed that its recent cyber-attack may have compromised sensitive customer data, including bank details of up to 5,000 individuals. The breach involved Oyster card refund data, which could expose commuters’ bank account numbers and sort codes. Additionally, the cyber attack is believed to have compromised employee passwords, prompting the organization to conduct IT identity checks across its workforce.
The UK’s National Crime Agency (NCA) has confirmed the arrest of a 17-year-old male in Walsall in connection with the incident, under suspicion of Computer Misuse Act offences. Deputy Director Paul Foster, from the NCA’s National Cyber Crime Unit, stated that the agency is working closely with TfL to identify the culprits and mitigate the impact of the breach.
Sources include: ITPro
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling increased risk for organizations.
The vulnerabilities affect ImageMagick, the Linux Kernel, and SonicWall SonicOS. Of particular concern is CVE-2024-40766, a recently discovered flaw in SonicWall SonicOS with a critical Common Vulnerability Scoring System (CVSS) score of 9.3. This vulnerability could allow attackers to bypass access controls, potentially leading to unauthorized system access.
The other two vulnerabilities, while older, remain threats. CVE-2016-3714 in ImageMagick could enable remote code execution through manipulated images, while CVE-2017-1000253 in the Linux Kernel could allow local privilege escalation.
CISA has mandated that federal agencies address these vulnerabilities by September 30, 2024. IT professionals in all sectors should promptly assess their systems for these vulnerabilities and apply necessary patches or mitigations.
This update underscores the importance of continuous vulnerability management and the need to address both new and older, unpatched vulnerabilities in critical systems.
Sources include: Security Affairs
Microsoft’s September Patch Tuesday Addresses Critical Vulnerabilities
Microsoft’s latest Patch Tuesday has addressed over 70 security flaws, including three actively exploited vulnerabilities. The most severe of these is CVE-2024-38014, a privilege escalation issue in Windows Installer with a Common Vulnerability Scoring System (CVSS) score of 7.8 out of 10.
A concerning bug, CVE-2024-43491, affects Windows 10 version 1507. This critical flaw, rated 9.8 in CVSS severity, caused the operating system to silently undo previously applied updates and security patches for certain optional components, potentially leaving systems vulnerable.
Other major tech companies have also released patches:
– Adobe fixed 35 issues across various products, including a critical flaw in ColdFusion.
– Intel addressed vulnerabilities in UEFI firmware and older processors.
– SAP issued 19 security notes, with high priority given to previously reported issues.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about high-severity flaws in Citrix Workspace app for Windows and multiple vulnerabilities in Ivanti products.
IT professionals should prioritize reviewing and applying these patches, especially for actively exploited vulnerabilities and those affecting widely used systems.
Sources include: The Register
Rental car provider Avis has reported a significant data breach affecting nearly 300,000 US customers. Discovered on August 5, 2024, the breach involved unauthorized access to a business application, potentially compromising sensitive customer information.
The stolen data varies by customer but may include:
– Names
– Mailing addresses
– Email addresses
– Phone numbers
– Dates of birth
– Credit card numbers and expiration dates
– Driver’s license numbers
This broad range of personal information puts affected individuals at high risk for identity theft and fraud.
Avis is responding by offering one year of free credit monitoring to victims. The company has also hinted at possible insider wrongdoing as the source of the breach. In response, Avis is working with cybersecurity experts to enhance security protections and implement additional safeguards.
For anyone who remembers the bad old days of paper forms and long checkouts, the speed and convenience of using digital tech for rentals was a welcome innovation for the tired traveller. But the corresponding risk of your data has to be managed as well,
Sources include: PCMag.com
Imagine this: You’re at a tech conference in Las Vegas, escaping the scorching heat in your hotel room, when you stumble upon a way to potentially wreak havoc across the internet. That’s exactly what happened to Benjamin Harris, a security researcher, last month.
For just 20 bucks, Harris bought a domain name that used to be the official WHOIS server for all .mobi websites. Now, if you’re wondering what a WHOIS server is, think of it as the phone book of the internet. It tells you who owns what website and how to contact them. Pretty important stuff, right?
Well, here’s where it gets wild. Harris set up his own WHOIS server on this domain, and suddenly, he was flooded with millions of requests from all over the world. We’re talking big tech companies, governments, universities – you name it. They were all asking Harris’s server for information, thinking it was still the official source.
“The purchase of a $20 domain that allowed the passive inference of .gov/.mil communications and the subversion of the Certificate Authority verification system should be a clear demonstration that the integrity of the trust and security processes we as Internet users rely on is, and continues to be, extremely fragile,” Harris said.
Now, here’s the kicker: with this power, Harris could have done some seriously scary stuff. He could have created fake security certificates for websites, tracked email communications, even run malicious code on thousands of computers. It’s like he accidentally got handed the keys to the internet kingdom.
But Harris is one of the good guys. Instead of exploiting this flaw, he raised the alarm. He showed how easy it would be to get a security certificate for Microsoft’s .mobi domain, stopping just short of actually doing it.
“Now that we have the ability to issue a TLS/SSL cert for a .mobi domain, we can, in theory, do all sorts of horrible things—ranging from intercepting traffic to impersonating the target server,” Harris explained. “It’s game over for all sorts of threat models at this point.”
The scary part? This isn’t just a one-off thing. It’s a symptom of a bigger problem. The internet is built on trust, but that trust is often based on outdated information or systems that haven’t been updated in years. It’s like we’re all still using an old phone book, not realizing the numbers have changed.
Harris summed it up perfectly: “The systems and security we all take for granted is, in many places, truly held together in ways that would not pass approval in 2024.”
So, next time you’re browsing the web, remember: the security you think is protecting you might just be hanging by a thread… or in this case, a $20 domain name.
Sources include: ArsTechnica
You’re running a big industrial company, right? Everything’s humming along, and then bam! One of your own engineers goes rogue. This isn’t some faceless hacker from halfway around the world. This is Daniel Rhyne, a guy who knew your systems inside and out. And it really happened.
Daniel was a disgruntled employee who gained unauthorized access to administrator accounts. He locked out the admins, wiped backups, and started shutting down servers. Then he demanded $750,000 in Bitcoin. Talk about a bad day at the office!
Now, here’s where it gets really interesting. Rhyne sends this ominous email to everyone in the company, basically saying, “Pay up, or watch your business crumble.” It’s like something out of a techno-thriller, right?
Sound crazy? It was. Of course Rhyne got caught. The feds traced those extortion emails back to him faster than you can say “disgruntled employee.”
Damian Garcia, an expert in IT governance, noted:
“The insider threat is a very serious risk to organizations. Historically, companies have tended to overlook this, preferring to focus their efforts on external threat actors (cue the picture of the cyber-criminal wearing a hoodie and with their face obscured). However, companies are now realizing that the insider threat is more of a problem and is something that they need to take seriously.”
There is a risk that we are so focused on external threats or employee’s mistakes, we forget about a serious risk if an employee goes rogue.
It’s a bit like that old horror movie. Sometimes, the call is coming from inside the house.
This situation or variations on it play out every day. Small companies are particularly vulnerable as they often have one person who has access to all accounts and passwords.
How to deal with this? Most experts will tell you to ensure that you follow the rule of least privileges. Ensure that when extra privileges are issued that it is only for the purpose they are needed for and that they are revoked when no longer needed.
For more tips, check out our Cyber Security Week In Review Panel this weekend,
Sources include: ITPro
That’s our show. You can find the show notes with links at technewsday.com or .ca – take your pick.
I’m your host, Jim Love, thanks for listening.
