Friday Five: 9/15 Edition
It's Friday! Catch up on the latest infosec headlines with our weekly news roundup.
1. Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its Servers by Catalin Cimpanu
This week, Equifax confirmed that the giant hack that occurred earlier this year—but was not disclosed until last week—was caused by a vulnerability in Apache Struts, known as CVE-2017-5638. Struts is an open-source Java framework for building web applications. CVE-2017-5638 was patched in March of this year, after it had already been exploited in the wild to install ransomware on computers. This means that Equifax failed to patch a known flaw and had at least two months to do so before the breach occurred. Visa and Mastercard are also sending private notices warning that over 200,000 credit cards were stolen during the breach. In addition, Equifax failed to properly secure its Argentinian operations: both the username and password for an online employee portal used to manage credit report disputes, which has since been taken down, were "admin".
A misconfigured CouchDB database resulted in a leak of over 500,000 U.S. voter records, which may have contained the information of every registered voter in Alaska. The database, now offline, was not password protected so anyone could access it via a web browser. The data is part of TargetSmart’s national voter file and contains personal information such as addresses, birthdays, and ethnicities as well as income and home ownership. TargetSmart blames the exposure on third-party Equals3, which licenses data from them. While an audit shows that the data had not been downloaded, companies need to be more diligent in securing databases, especially when third parties become involved.
Apple's announcement of Face ID on the new iPhone X has been fodder for debate this week. While many users are excited about the idea of becoming an animoji, others are weighing the risks and benefits Face ID poses for the future of mobile security and authentication. Android and Samsung have both offered face unlock features, which could be fooled with photographs and photoshopped images. The iPhone X adds hardware such as a dot projector, flood illuminator, and infrared camera to defeat these spoofs and recognize that a 2D picture is not actually a face. What if Face ID doesn't recognize you because you changed a feature? Apple says the neural networks it has built mathematically model a face so that they can adapt to changes. Though there are concerns over the tool being used for mass spying, Face ID will theoretically be harder to spoof than Touch ID or a passcode, making it likely to become the new normal and the future of authentication.
This week, researchers disclosed a set of Bluetooth vulnerabilities along with an attack vector, dubbed BlueBorne, that can wirelessly jump from device to device. They estimate that over 5 billion devices are at risk, including smartphones, TVs, printers, and other IoT devices. The vulnerabilities could result in device takeover or malware spreading, and exploitation doesn't even require device pairing. Apple devices running iOS 10 are safe, but only 45% of active Android phones and 20% of Linux devices can be patched. According to the researchers, these are the most serious Bluetooth vulnerabilities to date.
Google Play apps are under attack again. At least 50 apps infected with malware were downloaded over 4 million times. The malware, known as ExpensiveWall, allowed the apps to upload phone numbers, which were then used to sign people up for premium services and to send premium, billable text messages. It's unclear how much revenue has been generated, but packing, a technique more than a decade old, remains an effective way for attackers to compress or encrypt executables inside apps before uploading them to app stores. Even after the apps have been removed from the Play store, phones may remain infected until users manually uninstall them.