Security Briefing – 9-15-2017

If you own a D-Link DIR-850L AC1200 Dual Band Gigabit Cloud router, we have bad news for you on several fronts. According to researcher Pierre Kim, the product has 10 security vulnerabilities serious enough for him to recommend owners to “immediately disconnect vulnerable routers from the internet”. The fact that this router was discontinued months ago raises the likelihood that the latest flaws might never be fully patched.

The Virginia State Board of Elections decided in a meeting on Friday that it would replace all of its current generation of voting machines that are vulnerable and plans to replace them all in time for its gubernatorial elections in November.

A new Chrome plugin will detect and warn users of Man in the Middle attacks, throwing up a warning screen if the browser detects a large number of SSL connection errors. This version of Chrome will be available in early December.

After China banned Initial Coin Offerings (ICO) for cryptocurrency, new talks on Monday may lead to the shut-off country banning cryptocurrency exchanges all together. This caused almost a 20% decrease in the value of Bitcoin (and most subsequent coins) but it has since recovered. No definitive word just yet.

The hacker group calling itself Shadow Brokers continues to release tools and exploits allegedly stolen from the U.S. National Security Agency (NSA), including a sophisticated espionage platform that can be used to take full control of targeted computers. The latest alleged release is UNITEDRAKE, a tool for taking total control of Windows machines and based on tools used from 2003-2014 (Grayfish/EquationDrug). You can get a copy of the manual for free online, but the tool may or may not cost $3,800,000.

Justin G. Liverman, a 25-year-old from Morehead City, North Carolina, has been sentenced to prison for his role in a hacking conspiracy that targeted the online accounts of U.S. officials and their families. Liverman, known online as “D3F4ULT,” admitted being a member of the Crackas With Attitude hacker group. In January, he pleaded guilty to conspiracy to commit unauthorized computer intrusions, identity theft, and phone harassment.

Consumer credit reporting agency Equifax on Thursday said it suffered a major criminal data breach that exposed personal information of as many as 143 million consumers in the U.S. between mid-May and July of this year. They are offering a credit monitoring service but, until 9/11, if you take them up on it, you may waive all right to any class-action lawsuits. They have since amended this clause and apologized. And…

After Equifax massive data breach that was believed to be caused due to a vulnerability in Apache Struts, Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework. Apache Struts is a free, open-source MVC framework for developing web apps in Java, and used by 65% of Fortune 100 companies. There are 3 vulnerabilities at the top of the list and you can read about some of the details here.

Spain hammered Facebook with a 1.2 million euro lawsuit over 3 infringements in the country’s data protection law. Think about that. A country is suing Facebook. What a time to be alive.