Nintendo Switch
Nintendo Switch “pirates” are releasing widely anticipated games
prior to their intended release dates. To read more: https://motherboard.vice.com/en_us/article/mbyegx/inside-messy-dark-side-nintendo-switch-hacking-piracy-pirates
Mobile VPNs
Sixty percent of the top free mobile VPN apps on Google’s Play
Store and Apple’s App Store were developed in China or by firms
under Chinese ownership. This fact is raising concerns about data
privacy. To read more: https://www.top10vpn.com/free-vpn-app-investigation/
Kars4Kids
A New Jersey charity, Kars4Kids, experienced a security issue where
the company’s MongoDB database was left open on the web without a
password. The server contained 21,612 records. To read more:
https://techcrunch.com/2018/11/13/kars4kids-data-breach/
Infowars
Malware that recorded payment card information was removed from the
Infowars online store. The malware was a generic Magecart infection
that was spotted by a security researcher. To read more: https://www.zdnet.com/article/card-skimming-malware-removed-from-infowars-online-store/
City of Bakersfield
The city of Bakersfield reported a data breach that may have
compromised the personal information of anyone who used its
Click2Gov online-payment service. To read more: https://www.bakersfield.com/news/city-of-bakersfield-announces-data-breach-from-hacked-click-gov/article_753d61ba-e6d3-11e8-a527-8316ecef574f.html
Cathay Pacific
This Hong Kong-based airline last month revealed that it had
uncovered “unauthorized access” to data on 9.4 million passengers
back in March, but had taken “immediate action to investigate and
contain the event.” Now Cathay has admitted that the attack
continued for several months after it was spotted, and the airline
still seems to have no real idea what happened. To read more: https://www.infosecurity-magazine.com/news/cathay-pacific-admits-cyberattack/
Venezuela and ZTE
Venezuela’s government hired Chinese telecoms giant ZTE to build a
“fatherland database” that many citizens and human rights groups
believe is a tool to monitor the public. The system monitors
citizen behavior through an identification card. The card has
already been used by the government to track voting. To read more:
https://www.reuters.com/investigates/special-report/venezuela-zte/
Voxox
A security snafu at Voxox, a communications company, exposed a
massive database containing tens of millions of text messages. The
server wasn’t protected with a password, enabling anyone to view
the stream of text messages. To read more: https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/
Ruby
The Ruby programming language is affected by the same kind of
deserialization issue that caused major problems in the Java
ecosystem in 2016. The serialization and deserialization process
can be targeted to trick applications into running malicious
commands. To read more: https://www.zdnet.com/article/deserialization-issues-also-affect-ruby-not-just-java-php-and-net/
New Spectre and Meltdown vulnerabilities
Seven new variants of speculative-execution attacks were discovered
that affect Intel, AMD and ARM chips. Some of the vulnerabilities
are mitigated by existing techniques but others are not. To read
more: https://thehackernews.com/2018/11/meltdown-spectre-vulnerabilities.html
Siemens
Siemens patched eight vulnerabilities spanning its industrial
product lines. The most serious flaw is a cross-site scripting
vulnerability in its SCALANCE firewall product. To read more:
https://threatpost.com/siemens-patches-firewall-flaw-that-put-operations-at-risk/139082/
Windows
Windows users should patch their systems immediately to rectify 63
security vulnerabilities, twelve of which are rated critical. One
of the vulnerabilities is the zero-day CVE-2018-8589. To read more:
https://thehackernews.com/2018/11/microsoft-patch-tuesday-updates.html
Nigerian ISP
MainOne Cable, a small Nigerian ISP, hijacked internet traffic
meant for Google’s data centers. The incident was detected by
BGPmon, an online server that monitors the routes taken by the
traffic. To read more: https://www.zdnet.com/article/google-traffic-hijacked-via-tiny-nigerian-isp/
Zero-days
Apple’s iPhone X, Samsung’s Galaxy S9 and Xiaomi’s Mi6 were among
devices that were successfully hacked in the annual mobile-hacking
contest Pwn2Own. To read more: https://thehackernews.com/2018/11/mobile-hacking-exploits.html
Magecart
Researchers found that online stores infected with Magecart malware
will often get reinfected after clean-up. Some 21% of cleaned
stores were found to be reinfected within 11 days. To read more:
https://www.zdnet.com/article/one-in-five-magecart-infected-stores-get-reinfected-within-days/
AMP plugin
A critical vulnerability was just disclosed in one of the popular
plugins for WordPress. It could enable a low-privileged attacker to
inject malicious code on Accelerated Mobile Pages, an open-source
technology designed by Google. To read more: https://thehackernews.com/2018/11/amp-plugin-for-WordPress.html