Security Briefing 1.18.2017
iOS Onion Browser, a browser which encrypts traffic and sends it through the Tor network, is now free. The developer said he believes it is now more important than ever to exercise free speech, digital security, and privacy rights by using the Tor network.
App stores in China must register with the state from Monday, a government statement said, as China tightens its control over the internet. App stores are allegedly “not strict” when they examine and approve apps, the China Cyberspace Administration, the country’s internet watchdog, said in a statement.
A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues. According to the researcher, the McDonald’s website decrypts the password client side using a cookie that is valid for an entire year. Since the same key and initialization vector are used for every customer, it’s easy to obtain a password in plain text. The important thing to remember when you register for McDonald’s Monopoly (or any other fast food/casual concept) is to use a password that is fundamentally different from all your others.
Google has released a technical document, its infrastructure security design overview, describing the security that protects the data centers housing both its existing services and its growing Google Cloud Platform (GCP). While many organizations are traditionally wary about giving out such information for fear of giving attackers an advantage, Google is not. There are two reasons: the first is to show potential GCP customers the extent of its data center security, and the second is that Google is confident in that security.
Adobe and Microsoft on Tuesday each released security updates for software installed on hundreds of millions of devices. Adobe issued an update for Flash Player and for Acrobat/Reader. Microsoft released just four updates to plug some 15 security holes in Windows and related software. This includes updates for Windows, Office, and MS Edge.
As mentioned in previous security briefs, the MongoDB platform that tens of thousands of people used to store databases online had some gaping security holes. It appears they have all been compromised, wiped, and replaced with ransom notes demanding payment. In addition, it appears that none of the victims who have paid the ransom have actually received their databases back. MongoDB, by default, allows anyone read/write/modify/delete access. Not super secure.
A 21-year-old from Great Falls, Virginia, has admitted developing a piece of malware used by cybercriminals to infect thousands of computers, the U.S. Department of Justice announced last week. Zach Shames developed and sold a keylogger to more than 3,000 people who then used it to infect over 16,000 machines. He faces up to 10 years in prison.
Cybercriminals have been using specially crafted URLs to trick even tech-savvy people into entering their Gmail credentials on a phishing website. Once an account has been compromised, the attackers immediately access it and start targeting the victim’s contacts. This works through PDFs that can be ‘previewed’ in Gmail, but the preview is an embedded phishing page. The instant access part is the terrifying part.