Inside Security - December 11th, 2019

1&1 fined $10M for GDPR breach / Microsoft, Adobe fix critical flaws / Intel chip power attack exposes data

1. Web-hosting company 1&1 has been fined a hefty €9.55 million ($10.6 million) for lax security at its call centers. Germany's Federal Commission for Data Protection and Freedom of Information levied the fine against 1&1 for not taking adequate measures to prevent unauthorized access to customer data, in violation of the European Union's General Data Protection Regulation (GDPR). The company said that it is now requiring call center personnel to ask for additional information beyond name and date of birth to verify an individual's identity and is deploying a new authentication system. -- SECURITY BOULEVARD

2. Microsoft and Adobe each patched a number of critical vulnerabilities as part of their Patch Tuesday updates. Microsoft patched seven critical vulnerabilities, with five of the seven flaws located in Git for Visual Studio and two in Hyper-V and Win32k. In total, Microsoft issued patches for 36 vulnerabilities on Tuesday. Adobe patched 17 critical vulnerabilities in Photoshop, Reader, Brackets, and ColdFusion that could have been exploited to carry out arbitrary code execution attacks. -- QUALYS

3. European and U.S. researchers have developed a technique called Plundervolt that manipulates the voltage of Intel chips in order to steal data stored in secure areas of a device's memory. The researchers planted malware on a target computer to reduce the voltage flowing into the Intel chip. By dropping the voltage by 25 percent to 30 percent and timing the voltage change, the researchers were able to cause the chip to make processing errors that could reveal cryptographic keys or other sensitive data stored in an Intel Software Guard Extensions (SGX) enclave. Intel confirmed the research and updated its chip firmware to prevent such an attack. -- WIRED

4. More than 750,000 applications for copies of birth certificates were found on an unsecured AWS storage bucket. The applications included the applicant's name, date of birth, current home address, email address, phone number, and historical personal information. Fidus Information Security, a U.K.-based penetration testing firm, discovered the information. TechCrunch verified it by matching names and addresses with public records. Fidus and TechCrunch were unable to reach the company to inform it of the breach. -- TECHCRUNCH

5. The city of Pensacola has confirmed that it suffered a ransomware attack that crippled municipal servers, disrupting landline phones, emails, electronic "311" service requests, and electronic payment systems. In response to the attack, the city's "Technology Resources staff disconnected computers from the city's network until the issue can be resolved," explained Pensacola spokesperson Kacee Lagarde. Lagarde did not say whether the city paid or plans to pay the ransom. Pensacola stressed that emergency 911 services were not affected. The ransomware attack follows a similar one on the Louisiana state government. -- ARS TECHNICA

6. Close to half of employees only change or add a digit or character to their password when they are required by their company to update their password, according to a survey of more than 500 workers in the U.S. and Canada by HYPR. In addition, 72 percent of respondents said they reused passwords in their personal life. More than three-quarters of respondents said they had to reset a password in their personal life within the last 90 days, and 57 percent of respondents had to reset their password at work because they forgot their password. -- GRAHAM CLULEY

7. An unsecured DroneSense database exposed the drone flight plans used by government agencies, law enforcement, and private clients. Data exposed included technical information about the drone, as well as the pilot's name and email address; however, no video footage was revealed. One of DroneSense's clients, the Atlanta Police Department, told Motherboard that it had contacted the company about the data exposure and was assured that it had taken measures to correct the problem. "We have no reason to believe any law enforcement-sensitive data was compromised as a result of the exposure," department spokesperson Carlos Campos said in an email. -- MOTHERBOARD

8. Waterbear, a cybercrime campaign that uses modular malware to add functionality remotely, is now using application programming interface (API) hooking techniques to elude detection by a particular vendor's security product, advised Trend Micro researchers. Waterbear is associated with the cyberespionage group BlackTech, which has targeted tech firms and governments in East Asia and carried out the PLEAD and Crossbow malware campaigns. The attackers appear to know how certain security products use APIs to gather information on their clients' endpoints and networks. "And since the API hooking shellcode adopts a generic approach, a similar code snippet might be used to target other products in the future and make Waterbear harder to detect," the researchers judged. -- TREND MICRO

9. In response to a cyberattack last year, NordVPN has launched a bug bounty program on HackerOne to improve the security of its virtual private network (VPN) service. The program includes the NordVPN website, backend systems, services, and applications, including Windows, Mac, iOS, Android, and Linux apps and official apps on third-party devices. Bounties range from $100 to more than $5,000, based on the vulnerability’s severity. In addition, NordVPN plans to work with VerSprite to run frequent penetration testing and boost its vulnerability management, to form an independent cybersecurity advisory board, and to perform a full-scale cybersecurity audit before the end of the year. -- ZDNET

10. The North Korean APT group Lazarus and the cybercriminal group Trickbot appear to be collaborating using an attack framework developed by Trickbot, according to SentinelLabs researchers. This marks the first time that Lazarus has cooperated with a cybercrime group and could pose a significant threat to Lazarus targets, which have included Sony Pictures. The researchers found the Lazarus group's PowerRatankba tool being delivered to a victim of Trickbot's Anchor Project. "The ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift," the researchers observed. -- THREATPOST

Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.

Copyright © 2020, All rights reserved.
