Inside | Real news, curated by real humans
Inside Security

Inside Security (Aug 12th, 2019)

1. State Farm was hit with a credential stuffing attack last month. It disclosed this in an advisory that was short on details. The company posted suggestions on how to improve customer password hygiene, such as using MFA and more complex and unique passwords. Customers who were affected had their passwords reset. No personal data was leaked.


2. About 1,200 customers of London Transport had their Oyster contactless payment cards hacked in another credential stuffing attack last week. These cards were suspended and the company took down its website. As of this morning, the website isn’t yet back in service. -- WIRED UK


3. Beware of unexpected Docusign emails: they could be phishing lures. Researchers tracked several campaigns that duplicate the Docusign web pages and are notable for being hosted on AWS. This post tracks these efforts since early February and describes their indicators of compromise. -- PROOFPOINT BLOG


4. A bug in the path traversal function of Microsoft’s Hyper-V that was found earlier this year was patched by the vendor last month without any fanfare. When the bug was first identified, Microsoft acknowledged it and labeled it a poisoned RDP bug but didn’t indicate any solution. What the patch shows is that RDP issues can have important consequences for Hyper-V environments. Users should patch their systems accordingly. -- THE HACKER NEWS


5. The NYC fire department issued a warning that an employee’s stolen hard drive could have leaked data from more than 10,000 patients. Some of these patients who took ambulances from 2011-2018 could have compromised SSNs. The theft was discovered in March, and an internal investigation took months to track down the affected patients. -- NY POST


6. F5’s Big-IP firewalls have a code injection bug. It was found by researchers and has to do with how a bad actor can manipulate its scripting language. While the exploit hasn’t been seen in actual use, it can occur if the scripts are poorly written. F5 has issued an advisory. -- F-SECURE BLOG


7. Joel Stein’s column on how he tried to protect his privacy from Big Tech is worth reading. His journey takes him through using a variety of tools such as Jumbo (a smartphone app that reconfigures your privacy settings on major social networks and which I am still testing), MySudo (for disposable email addresses), Abine’s DeleteMe opt-out service, the Brave browser and the DuckDuckGo search engine. -- BLOOMBERG BUSINESS


8. Funding news of the week

  • Cybereason raised a $200M funding round led by SoftBank. The CEO of the Boston-based endpoint protection firm is Lior Div.
  • Eftsure raised a $2.5M funding round led by Our Innovation Fund. The Australian firm has payment processing security and its CEO is Mike Kontorovich.
  • Capsule8 raised a $6.5M funding round led by Intel Capital. The NYC-based firm has an attack detection tool for Linux and its CEO is John Viega.
  • Prevailion raised a $10M A funding round led by AllegisCyber. Its CEO is Karim Hijazi and it is based in the DC area. The firm does risk discovery and mitigation.
  • Altitude Networks raised a $9M A funding round led by Felicis Ventures. Its CEO is Michael Coates. It has SMB-based security tools and is based in San Francisco.

9. The annual Defcon and Black Hat conferences were last week. Here are links to some notable research delivered there:

  • Check Point discovered memory corruption issues with SQLite databases, which can be used to steal passwords and make malware persistent on iOS devices. This is important because hackers could obtain your contact data stored on your phone.
  • Researcher Will Caruana described his experiences hacking into the emergency phones inside elevator cabs, including remote monitoring of the elevator audio and reprogramming the phone.
  • Winners of the annual Pwnie awards were announced last week. They include bugs found in Pulse Secure’s SSL VPN, Facebook’s Group Messenger, DragonBlood and others. Bloomberg News won an “epic fail” award for its “infosec fan fiction” too.
  • Boeing 787 planes have serious bugs thanks to code, found on a public file server, that operates the plane’s maintenance functions. The paper presented at Black Hat by Ruben Santamarta was disputed by the airplane maker, which said his exploit wasn’t possible. -- THE REGISTER

This newsletter is written and curated by David Strom. I live in St. Louis MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).
