Inside Security - February 27th, 2017


Cloudbleed, Stewart Airport hack, watch those Linux datagrams


David’s Take

I confess that I am guilty of leaving my phone's Wi-Fi radio on when I am out and about. I should know better, because it is easy for my phone to connect to a rogue hotspot without my knowledge. Here is a chilling account of why you need to change this procedure tout de suite: the post talks about how to prevent an evil twin attack, which is when an attacker fools wireless users into connecting their smartphones and laptops to an evil (malicious) hotspot by posing as a legitimate Wi-Fi provider, and then collects the data being sent over the air to the evil hotspot from your phone. When you don't need it, turn off your Wi-Fi now!

-- David Strom, editor of Inside Security

Top Story: Cloudflare leak

Security vendor Cloudflare had a massive data leak earlier this month that is being called Cloudbleed. It was discovered by Tavis Ormandy of Google's Project Zero. The leaked data included private information such as HTTP cookies, authentication tokens, web server pages, and other sensitive data. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines." Fortunately, no Cloudflare customer SSL private keys were leaked, and the leak, which originated from a web server bug, was contained within a few hours. Before the leak was announced, Cloudflare engineers worked with search engine vendors to find 770 unique URLs that had been cached and contained leaked memory. Those 770 unique URLs covered 161 unique domains. The leaked memory has been purged with the help of the search engine vendors. Cloudflare's blog contains more specifics about how the bug came to be created and how it was fixed. Despite these assurances, one security researcher at Tripwire says, "I think it is extremely unlikely that efforts to scrub this data from caches around the world would go completely unnoticed by all intelligence agencies and criminal organizations," and recommends changing passwords and deploying multi-factor authentication on SaaS resources ASAP. -- CLOUDFLARE BLOG

More attacks

Stewart Airport is a small international airport in upstate New York near Newburgh, and it has experienced a major data leak recently. About 760 gigs of backup data were exposed to the public internet for almost a year without any authentication whatsoever. The leak apparently happened while testing the backup software known as ShadowProtect on a NAS drive: a firewall port was opened to send this data to the online service. The data includes everything from sensitive TSA letters of investigation to employee social security numbers, network passwords, and 107 gigabytes of email correspondence. -- MACKEEPER

While we covered news of a WordPress flaw a few weeks ago, there are still sites running earlier versions, and researchers at SiteLock estimate that some 20 different attackers have produced exploits to take advantage of these vulnerable sites. The aim is to force site owners to pay ransom. The exploits deface sites, remove links, and add shady solicitations. Some criminals have even taken to replacing other attackers' defacements with their own. The moral of this story: get thee to an update ASAP. -- THREATPOST

Another privilege-escalation vulnerability (CVE-2017-6074) has been discovered in a part of the Linux kernel that dates back to 2005. It affects several major Linux distributions, including Red Hat, Debian, openSUSE, and Ubuntu. It was discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using Syzkaller, a kernel fuzzing tool released by Google. Time to update your OS. -- THE HACKER NEWS

The docket

New regulations go into effect in March for New York State. They propose that the Board of Directors of all New York licensed financial institutions would have to file annual certifications with New York State Department of Financial Services. The reports would have to describe how their companies' cyber programs comply with the new regulations. In the draft regulations, the CISO would be required to provide a detailed account of any exceptions to cybersecurity policies and procedures, identify cyber risks, assess the effectiveness of their cybersecurity programs, propose steps to remediate any inadequacies identified, and include a summary of all material cybersecurity events that affected the regulated institution during the period addressed by the report. NY may be the first state to introduce such measures, but they most certainly will not be the last. The regs don’t apply to federally chartered businesses, such as most major banks. A copy of the full regs can be found at the NYS website.

Just for fun

The whole notion of gerrymandering has been pissing me off for decades. Now some math professors, led by Moon Duchin of Tufts, are doing something about it. Look for more math profs to testify in court about geometric group theory and compactness. About time, I say! -- CHRONICLE OF HIGHER ED

Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107
