Friday Five: 11/17 Edition
Catch up on all the week's InfoSec news with this roundup!
1. Oracle Rushes Out Patches for Huge Vulnerabilities in PeopleSoft App Server by Sean Gallagher
Oracle, for the second time in the past three weeks, was forced to release an out-of-bound set of security fixes to address vulnerabilities in its products. Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as any other product using the Tuxedo 2 application server, are vulnerable according to Ars Technica's Sean Gallagher. One of the bugs - JoltandBleed (a la Heartbleed) – rates a 10 out 10 severity and affects Oracle's Jolt protocol. The bug could allow attackers to extract data from memory on the app server, including session information, user names, and passwords in plaintext.
2. New Threats from North Korean Malware by Mark Rockwell
More details on threats from North Korea, namely malware dropped by the group Hidden Cobra, came to light this week, thanks to two joint alerts via the FBI and the U.S. Cybersecurity Emergency Readiness Team. Both agencies initially warned of the group back in June but this week the agencies highlighted a list of IP addresses believed to be associated with Volgmer, a Trojan used by the group to target government/media/financial sectors. According to FCW’s Mark Rockwell the group has also been utilizing a remote administration tool named FALLCHILL to keep tabs on malware that’s already made it onto U.S. servers. Hidden Cobra, known in some circles as the Lazarus Group, is purportedly the group behind well publicized attacks on Sony and SWIFT attacks against banks in Bangladesh and Mexico.
3. OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices by Catalin Cimpanu
OnePlus, a China-based smartphone manufacturer, said this week that it plans to fix a flaw in most of its phones that’s tantamount to a backdoor. A researcher who declined to give his name – instead going by the pseudonym of Mr. Robot's Elliot Alderson – said he discovered last month a preinstalled application named EngineerMode could essentially be used to root the device and turn it into a backdoor. According to Bleeping Computer’s Catalin Cimpanu the app can perform hardware diagnostic tests, check for root status, diagnose the GPS function, and more. The company stressed in a forum post on Tuesday that the APK doesn’t allow third party apps to access root privileges but nonetheless it plans on removing the function, something called the ADB Root Function, in a future OTA update.
4. Forever 21 May Have Been Hacked by Leticia Miranda
Another week, another breach. Forever 21, a fast fashion retailer announced on Tuesday that its looking into a breach of its payment card systems, in stores from March to October 2017. The source of the hack is unclear; the company only said that some point-of-sale stores were affected “when the encryption on those devices was not operating.” The company joins a laundry list of companies hit by data breaches so far this year as Buzzfeed's Leticia Miranda points out: Arby's, Sak's Fifth Avenue, Chipotle, Verizon, Equifax, and Whole Foods Market.
5. Amazon: We're Fixing Flaw That Leaves Key Security Camera Open to Wi-Fi Jamming by Liam Tung
Amazon was quick to issue a fix for its Key product - the service designed to monitor the company's couriers while dropping off packages - after a flaw was found in it earlier this week. Researchers with Rhino Security Labs, a security firm based in Seattle, found that an attacker in WiFi range could disable the camera by freezing it, essentially carrying out a denial of service attack. Amazon told CNET/ZDNet on Wednesday it would be pushing an update later this week that will let users known whether Cloud Cam, the device behind Amazon Key, is offline and not unlock the door if Wi-Fi is disabled and the camera is offline. The service, announced last month, already had privacy-conscious users on edge as it provides Amazon delivery drivers unfettered access to users homes.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business