Home
Artists
Search
Recent
Random
Posts
DMs
Tags
Random
Importer
Import
FAQ
Account
Register
Favorites
Login
ThreatWire Newsletter (Patreon)
Content
All this week's security and privacy news straight to your inbox! Please let me know what you think and share your thoughts on this week's security news on the patreon page!
Firefox Zero Day:
Several zero day vulnerabilities were found in Mozilla's Firefox this month, and were publicly disclosed with CVEs this week. Updating to the current version of the browser will keep your machine from being exploited, but chances are minimal unless you worked at a cryptocurrency organization, as those were the main targets. Read more here:
https://www.zdnet.com/article/mozilla-patches-firefox-zero-day-abused-in-the-wild/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
https://twitter.com/SecurityGuyPhil/status/1141466335592869888
https://threatpost.com/mozilla-patches-firefox-critical-flaw-under-active-attack/145814/
Amazon Drones:
Amazon filed a patent for drones that offer surveillance... as a service. Their patent was granted this month. This, of course, has us in the security community pretty concerned, even though they claim the technology will only be used for folks that opt-in. Drone surveillance sounds like some Watch Dogs Legion stuff to me.
https://www.cnet.com/news/amazon-granted-patent-for-surveillance-drones-service/
https://www.businessinsider.com/amazon-wins-patent-for-surveillance-drones-2019-6
Linux Vulns:
Linux vulnerabilities are rarely exploited but are still important to patch. If you run any of the affected distros or servers, make sure to patch! Read more here:
https://threatpost.com/linux-kernel-bug-pcs-iot-offline/145797/
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Cloudflare:
Cloudflare comes to the rescue! While this news does -not- pertain to Cloudflare going down over the weekend (or... maybe it does? hmm...) this does have to do with their advocacy for more security on the internet. The company is working to create a FREE service to prevent BGP hijacking from happening to trusted HTTPS certs.
They're also working closely with Google Chrome to find a practical post-quantum computing encryption technique, since quantum computing is making encryption easier and faster to break. They've created an open source software package called CIRCL too, for anyone interested in helping. Pretty cool stuff.
https://www.cnet.com/news/quantum-computing-will-break-net-security-cloudflare-wants-to-fix-it/
WiFi Extenders Vulnerable:
Quick hit! TP-Link has some vulnerable WiFi range extenders, which can be taken over by an attacker. Update the firmware to stay protected.
https://www.cyberscoop.com/wi-fi-extenders-remote-code-ibm-xforce/
AMCA files for bankruptcy:
AMCA is the company that had a security breach which affected over 7.7 million LabCorp patients, along with other vendors. The company filed for bankruptcy on the 19th. Goes to show that proper security hygiene before the "big attack" happens will be cheaper than fixing it in the aftermath.
https://www.cyberscoop.com/amca-bankruptcy-data-breach-quest-diagnostics-labcorp/
Patch Your Dell:
SupportAssist, which comes prepackaged on many Dell PCs and OEM devices, has a DLL Hijacking vulnerability. So basically, if you own a Dell that came with Windows, chances are you need to patch.
https://threatpost.com/millions-of-dell-pcs-vulnerable-to-flaw-in-third-party-component/145833/
https://www.cyberscoop.com/dell-supportassist-patch-security-vulnerability-microsoft-windows/
https://thehackernews.com/2019/06/dells-supportassist-hacking.html
Samsung TVs:
Samsung just told people to manually scan for viruses on their smart TVs using a built in virus-scanner called McAfee Security for TV. If you're as pissed as I am that a decent "dumb" TV is so hard to come by these days, then this news is for you.
https://arstechnica.com/gadgets/2019/06/samsung-please-virus-scan-your-tv/
https://www.cnet.com/news/as-smart-tvs-become-the-only-option-your-privacy-choices-fizzle-out/
MongoDB Medical Prescription database left open:
Over 390,000 Vascepa prescriptions and 78,000 patients had data left publicly accessible over the internet. It seems like everyone leaves databases open without any kind of protection, whether they're MongoDB or Amazon AWS. The leaked data included full names and addresses, phone numbers, email addresses, and prescription information.
Leaks of Military Vet Medical Data
X Social Media is an ad agency out of Florida who does legal advertising on instagram and facebook for medical malpractice lawsuits, lawyers, and class action injury related lawsuits. This was yet another story of an exposed database, this one containing responses from target customers of ads, such as people in medical malpractice cases or even US military veterans with combat injuries.
https://www.zdnet.com/article/ad-agency-leaks-data-on-us-military-veterans-combat-injuries/
Georgia Court Case over car data warrants:
The ACLU is fighting to make search warrants a necessity (at least in Georgia) to obtain data collected by cars, such as music, who you've talked to via your connected phone, where you've driven to, and more.
https://www.cnet.com/news/your-cars-data-privacy-comes-into-question-in-georgia-supreme-court-case/
Cellebrite can unlock any iphone:
According to Cellebrite, any iPhone from iOS7 up to iOS 12.3 can be unlocked with their software. Yikes!
https://www.cnet.com/news/security-firm-cellebrite-says-it-can-unlock-any-iphone/
Florida city ransomware:
Riviera Beach in Florida, (est pop 35,000) chose to pay a $600,000 ransom to attackers in a ransomware attack that took down their computer systems for 3 weeks. No word yet on if they've gotten their data unlocked. Backup before a breach.
https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/
https://www.zdnet.com/article/florida-city-pays-600000-to-ransomware-gang-to-have-its-data-back/
Tor browser issues:
Quick Hit! Tor Browser updated to 8.5.2 to fix a critical security flaw that could allow full system takeovers. This related to the Firefox vulnerability talked about in the show this week.
https://threatpost.com/tor-browser-update-critical-flaw/145857/
https://thehackernews.com/2019/06/tor-browser-firefox-hack.html
IoT devices flawed:
I talked about 2 million IoT devices being vulnerable to botnets or other attacks way back in April. Manufacturers still haven't patched their firmware for the devices (including baby monitors, security cameras and more), so the researcher who disclosed the flaw is sounding the alarms.
https://threatpost.com/consumers-urged-to-junk-insecure-iot-devices/145800/
DHS: Bluekeep is dangerous:
Yes, Bluekeep is dangerous. Yes, you should patch because the DHS says so.
https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/
Files
