Windows Zero-Day
A security researcher disclosed a proof-of-concept exploit for a
new Windows zero-day vulnerability. The exploit appears to be a
privilege escalation flaw in Microsoft Data Sharing. To read more:
https://thehackernews.com/2018/10/windows-zero-day-exploit.html
Cathay Pacific
This Hong Kong airline announced that it had suffered a major data
leak affecting up to 9.4 million passengers. Personal information
including passport numbers, identity-card numbers, email addresses,
and credit-card details was accessed. To read more: https://www.theguardian.com/technology/2018/oct/24/cathay-pacific-hit-by-data-leak-affecting-up-to-94m-passengers
British Airways
British Airways has added 185,000 more victims to the tally of
those impacted by a data breach in September. Some 429,000 people
are now believed to have been affected. To read more: https://threatpost.com/british-airways-data-breach-takes-off-again-with-185k-more-victims/138600/
Missouri Department of Health and Senior
Services
The Missouri Department of Health and Senior Services has notified
10,400 people that their personal information was compromised by a
security breach. To read more: http://www.stlamerican.com/news/local_news/state-warns-of-data-breach-has-mailed-letters-to-those/article_a672c38a-d975-11e8-b6f9-7f5e9452188e.html
Adult websites
A recent hack of eight poorly secured adult websites exposed
megabytes of personal data. Included in the leak are IP addresses,
user passwords protected by weak, four-decade-old cryptography,
user-names, and 1.2 million email addresses. To read more: https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/
Wolf Intelligence
This German spyware startup left 20 gigabytes of data?—?including
recordings of customer meetings, scans of the founder’s credit
cards, and surveillance data?—?exposed on the internet. Security
researchers discovered the data in a public Google Drive folder. To
read more: https://motherboard.vice.com/en_us/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online
Pocket iNet
This US-based ISP left 73 gigabytes of essential operational data
publicly exposed in a misconfigured Amazon S3 storage bucket for
months. The bucket contained internal network diagramming, network
hardware configuration photos, and other data. To read more:
https://motherboard.vice.com/en_us/article/zm9dmj/an-isp-left-corporate-passwords-keys-and-all-its-data-exposed-on-the-internet
China ISP intelligence-gathering
According to an academic paper published this week, state-owned
China Telecom has been “hijacking the vital internet backbone of
western countries.” The company is China’s third-largest telco and
internet service provider, and has had a presence inside North
American networks since the early 2000s. To read more: https://www.zdnet.com/article/china-has-been-hijacking-the-vital-internet-backbone-of-western-countries/
Cisco Webex
An exploitable security bug was found in the Cisco Webex Meetings
Desktop App for Windows. The bug is a privilege-escalation issue
rated “high”. To read more: https://www.theregister.co.uk/2018/10/25/white_hats_pop_webex/
SystemD
A security bug in open-source software suite Systemd can be
exploited over the network to crash vulnerable Linux machines. The
vulnerability sits within the written-from-scratch DHCPv6 client of
the Systemd management suite, which is built into various types of
Linux. To read more: https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/
Python
A security engineer identified 12 Python libraries uploaded on the
official Python Package Index that contained malicious code. They
have since been removed from PyPl. To read more: https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/
X.org
A vulnerability that is trivial to exploit was found on Linux and
BSD distributions using the open-source X.Org Server. The flaw has
been present for two years. To read more: https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives-root-permission-on-linux-and-bsd-systems/
Windows zero-day
Proof-of-concept code for a zero-day vulnerability in Windows was
released by a security researcher before Microsoft released a fix.
The code exploits a vulnerability that enables any files on a
machine (including system files) to be deleted without permission,
and can potentially lead to privilege escalation. To read more:
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-bug-helps-delete-any-file-exploit-available/
Sign up below and receive these reports and more directly in your inbox.