British Airways faces record-breaking GDPR fine after data breach

The Information Commissioner's Office (ICO) has announced its intention to fine the airline British Airways a record £183 million over last year's data breach. The ICO said that "poor security arrangements" at the company led to the compromise of credit card details, names, addresses, travel booking details and logins for around 500,000 customers. The fine would be the largest the ICO has ever issued, BBC News reports, far exceeding the £500,000 fine imposed on Facebook over the Cambridge Analytica scandal, which affected millions of users. British Airways now has 28 days to appeal before the fine is made final.

In a statement, the Information Commissioner, Elizabeth Denham, said that the loss of personal data is "more than an inconvenience" and that companies must take appropriate steps "to protect fundamental privacy rights": "People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Just a day after giving notice of its intention to fine British Airways £183m, the ICO released a second statement of its intention to fine Marriott International, Inc. ("Marriott") over £99m in relation to a separate security incident affecting the guest reservation database of Starwood, which Marriott acquired in 2016; the incident was discovered in November 2018. The statement came in response to a filing by Marriott with the US Securities and Exchange Commission disclosing that the ICO intended to fine it for breaches of the GDPR.

 

Google removes seven stalkerware apps from Play Store

Mobile threat researchers at Avast have identified seven stalkerware apps on the Google Play Store that let people spy on employees, partners or children. The apps were all likely built by the same Russian developer and had been installed more than 130,000 times in total. They can track a victim's location, read SMS messages and call history, and collect the victim's contact details. The person who wants to spy downloads the app from the Play Store and installs it on the target's device; the app then asks the installer to enter an email address and password, which it uses to deliver what it collects. The app also walks the installer through hiding it: once its icon is removed from the launcher, the device's owner sees no visible sign that the stalkerware is installed. The seven apps reported by Avast are

  • Track Employees Check Work Phone Online Spy Free
  • Spy Kids Tracker
  • Phone Cell Tracker
  • Mobile Tracking
  • Spy Tracker
  • SMS Tracker
  • Employee Work Spy

Of the seven, Spy Tracker and SMS Tracker are the most installed, with more than 50,000 installs each. Google has since removed all seven apps from the official Play Store.

 

Security flaw in Bluetooth communication protocol puts iOS and Windows 10 devices at risk

A weakness in the way devices randomize their Bluetooth Low Energy (BLE) advertising addresses can allow attackers to track users' devices. The flaw impacts machines running Windows 10 and iOS. In a research paper titled Tracking Anonymized Bluetooth Devices, researchers David Starobinski and Johannes Becker showed that the vulnerability affects iPhones, iPads, Apple Watch models, and Microsoft tablets and laptops. It can be used to follow a device over time and collect its location and identifying tokens despite the native OS protections. Many BLE devices advertise their presence using periodically randomized MAC addresses, precisely to prevent long-term tracking; the researchers showed that this randomization can be circumvented to monitor a specific device indefinitely, using what they call an address-carryover algorithm. The algorithm is able to "exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic," the research paper reads. In other words, the random address and the identifying tokens carried in the advertising payload are not rotated at the same moment, so whichever of the two stays constant across a change links the old value to the new one. During the experiment, the researchers set up a testbed of Apple and Microsoft devices and passively sniffed the BLE advertising channels. Over a period of time they collected advertising traces and log files, and extracted from them the payload data structures that revealed device identifying tokens.
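The following Python simulation is an added example, not code from the paper: it models the asynchronous rotation the researchers describe and a passive tracker that chains addresses together. The rotation periods, the address format and the 32-bit payload token are assumptions made for the simulation; the third device shows the caveat that rotating address and token at the same instant defeats the carry-over.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """One sniffed BLE advertising packet: capture time (s), random address, payload token."""
    time: int
    addr: str
    token: str


def random_private_address(rng):
    """Return a random address; the two most-significant bits are set to 0b10,
    the prefix of a resolvable private address (assumed format for the simulation)."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] & 0x3F) | 0x80
    return ":".join(f"{o:02x}" for o in octets)


def simulate_device(rng, duration, addr_period, token_period, phase=0, adv_interval=1):
    """Advertisements from one device that rotates its address every addr_period
    seconds and the identifying token in its payload every token_period seconds.
    The two timers are independent, which is the asynchrony the attack exploits."""
    advs, addr, token = [], None, None
    last_addr_epoch = last_token_epoch = -1
    for t in range(phase, duration, adv_interval):
        addr_epoch = (t - phase) // addr_period
        token_epoch = (t - phase) // token_period
        if addr_epoch != last_addr_epoch:
            addr, last_addr_epoch = random_private_address(rng), addr_epoch
        if token_epoch != last_token_epoch:
            token, last_token_epoch = f"{rng.getrandbits(32):08x}", token_epoch
        advs.append(Advertisement(t, addr, token))
    return advs


def address_carryover(advs):
    """Passive tracker: link random addresses into per-device chains.
    A new address is attributed to the device whose token it carries (the token
    survived the address change); a new token seen under a known address is
    attributed to that device (the address survived the token change).
    Returns {device_id: [addresses in order of appearance]}."""
    addr_owner, token_owner, chains = {}, {}, {}
    for adv in sorted(advs, key=lambda a: a.time):
        dev = addr_owner.get(adv.addr)
        if dev is None:
            dev = token_owner.get(adv.token)      # carry-over through the unchanged token
            if dev is None:                       # nothing links it: new device, or a broken chain
                dev = len(chains)
                chains[dev] = []
            addr_owner[adv.addr] = dev
            chains[dev].append(adv.addr)
        token_owner[adv.token] = dev              # carry-over through the unchanged address
    return chains


def run_demo(seed=7, duration=120):
    """Two devices with asynchronous rotation (followed across every address change)
    and one that rotates address and token together (chain breaks at every rotation)."""
    rng = random.Random(seed)
    dev_a = simulate_device(rng, duration, addr_period=15, token_period=28)
    dev_b = simulate_device(rng, duration, addr_period=15, token_period=28, phase=7)
    dev_c = simulate_device(rng, duration, addr_period=15, token_period=15, phase=3)
    return address_carryover(dev_a + dev_b), address_carryover(dev_c)


if __name__ == "__main__":
    tracked, untracked = run_demo()
    for dev, chain in tracked.items():
        print(f"asynchronous device {dev}: {len(chain)} addresses linked: {' -> '.join(chain)}")
    print(f"synchronous device: seen as {len(untracked)} unrelated devices")
```

With address and token rotating on different timers, every one of the eight addresses each asynchronous device uses in the capture ends up in a single chain, and the two devices are kept apart; the device that rotates both at once appears as eight unrelated devices, which is the defence the paper's observation implies.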

 

Newly discovered EvilGnome backdoor targets Linux users

Researchers from Intezer Labs have uncovered a new backdoor, dubbed 'EvilGnome', that targets Linux desktop users by posing as a GNOME Shell extension. The malware can spy on users by taking desktop screenshots, recording audio from the microphone and stealing files, and it can download additional modules. At the time of the report it was not detected by any of the anti-malware engines on VirusTotal. The implant contains an unfinished keylogger, plus comments, symbol names and compilation metadata that do not usually survive in production builds, suggesting it was still under development. EvilGnome is distributed as a self-extracting archive created with the makeself shell script, with the metadata generated when the malicious payload archive was built bundled in its headers. For persistence, it adds a gnome-shell-ext.sh shell script to the compromised user's crontab, run every minute to check that the spyware agent is still running. gnome-shell-ext.sh is executed during the final stage of the infection, launching the gnome-shell-ext spyware agent. The malware's configuration is stored in the rtp.dat file bundled in the self-extracting archive, from which the backdoor reads its C&C server's IP address. All traffic to and from the C&C servers is encrypted and decrypted with the RC5 symmetric block cipher under a single shared key, using a variant of the open-source RC5Simple library.
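The cron persistence described above is the most visible host artefact. The Python below is an added example (not Intezer's tooling) of a small crontab triage check: it parses a crontab dump and scores entries on the traits the write-up mentions (an every-minute schedule, the gnome-shell-ext name, execution from a user-writable or hidden directory, discarded output). The sample crontab and the path under ~/.cache are constructed for the demo, not taken from the report.

```python
import re

# Constructed sample crontab for one desktop user (not from the Intezer report).
# The every-minute entry mimics EvilGnome's persistence; its directory is invented.
SAMPLE_CRONTAB = """\
# m h dom mon dow   command
MAILTO=""
0 3 * * *   /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * *   /home/alice/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh > /dev/null 2>&1
@reboot     /home/alice/bin/sync-notes.sh
"""

USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")            # a dot-directory such as ~/.cache/ in the path
EVILGNOME_NAME = re.compile(r"gnome-shell-ext(\.sh)?\b")
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SILENCED = re.compile(r">\s*/dev/null\s+2>&1")


def parse_crontab(text):
    """Yield (schedule, command) pairs from user-crontab text, skipping comments,
    blank lines and environment assignments such as MAILTO=."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):                   # @reboot, @hourly, ...
            schedule, command = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                           # malformed entry without a command
            schedule, command = " ".join(fields[:5]), fields[5]
        yield schedule, command


def assess_entry(schedule, command):
    """Return the list of reasons an entry resembles EvilGnome-style persistence."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute (watchdog for the spyware agent)")
    if EVILGNOME_NAME.search(command):
        reasons.append("references the gnome-shell-ext name used by EvilGnome")
    if command.startswith(USER_WRITABLE_PREFIXES) or HIDDEN_DIR.search(command):
        reasons.append("executes a script from a user-writable or hidden directory")
    if SILENCED.search(command):
        reasons.append("discards all output")
    return reasons


def suspicious_entries(text, min_reasons=2):
    """Entries from a crontab dump with at least min_reasons indicators.
    Returns a list of (schedule, command, reasons); one indicator alone is too
    common in legitimate user crontabs to alert on."""
    hits = []
    for schedule, command in parse_crontab(text):
        reasons = assess_entry(schedule, command)
        if len(reasons) >= min_reasons:
            hits.append((schedule, command, reasons))
    return hits


if __name__ == "__main__":
    for schedule, command, reasons in suspicious_entries(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it over `crontab -l -u <user>` output for each desktop user; the legitimate `@reboot` entry in the sample collects only one indicator and stays below the alert threshold, while the constructed EvilGnome entry collects all four.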

 

More than 805,000 systems are still vulnerable to BlueKeep vulnerability

According to a new report from BitSight, more than 805,000 internet-facing systems running older versions of Windows are still vulnerable to the BlueKeep vulnerability. The vulnerability was disclosed and patched in May 2019, and since then the number of exposed systems likely to be affected has dropped by about 17%. BlueKeep, designated CVE-2019-0708, is a flaw in the Remote Desktop Protocol (RDP) service of older versions of Windows such as XP, 7, Server 2003 and Server 2008; later versions such as Windows 8 and 10 are not affected. The flaw allows unauthenticated remote code execution over RDP, giving an attacker full control of the system without any credentials. It has been described as 'wormable', meaning an exploit could spread malware automatically between vulnerable machines within or across networks, much as WannaCry did. Microsoft released a patch on May 14, including for the out-of-support XP and Server 2003, and has since issued two further alerts urging users and administrators to install it. "As of July 2, 2019, approximately 805,665 systems remain online that are vulnerable to BlueKeep, representing a decrease of 17.18% (167,164 systems) compared to May 31. Part of that reduction is due to 92,082 systems that remain externally exposed that have since been observed to be patched," BitSight stated in a blog post.

 

Critical vulnerability in Instagram can allow hackers to take complete control of anyone’s account

Instagram was recently found vulnerable to an account takeover attack. The flaw could have allowed remote attackers to reset the password of any Instagram account and take complete control of it. Discovered and reported by bug bounty hunter Laxman Muthiyah, the vulnerability resided in the 'password recovery' feature of the mobile version of Instagram. 'Password reset' or 'password recovery' is the feature that lets users regain access to their accounts if they forget their password. Recovering an Instagram account on mobile requires the user to enter a six-digit passcode, sent to the associated mobile number or email account, to prove their identity. Muthiyah noted that this passcode is one of only a million possible values, so an attacker who can submit enough guesses can unlock any account by brute force. Instagram's rate limiting should prevent that, but Muthiyah found it could be bypassed by sending the guesses concurrently from many different IP addresses, combining a race condition with IP rotation so that multiple attempts were processed simultaneously. "My tests did show the presence of rate limiting. I sent around 1000 requests, 250 of them went through and the remaining 750 requests were rate limited. Tried another 1000, now many of them got rate limited. So their systems are validating and rate limiting the requests properly," Muthiyah said in a blog post. He identified two things that together allowed the rate limiting to be bypassed: "Race hazard (concurrent requests) and IP rotation allowed me to bypass it." Muthiyah has released a proof-of-concept for the vulnerability, which has now been patched. Meanwhile, users are advised to enable two-factor authentication, which can keep attackers out of an account even if they manage to reset or steal its password.
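As an added illustration (not Muthiyah's proof-of-concept and not Instagram's code), the Python below models the two defects he names in a toy recovery-code endpoint, beside a hardened limiter, and measures how many guesses each lets through. The class names, the five-attempt budget, the 2 ms backend delay that opens the race window and the TEST-NET source addresses are assumptions made for the demo.

```python
import threading
import time
from collections import defaultdict

CODE_SPACE = 10 ** 6      # a six-digit recovery code has one million possible values
ATTEMPT_LIMIT = 5         # guesses a recovery code should survive before it is discarded


class PerIpRacyLimiter:
    """Weak limiter with the two defects behind the bypass: the budget is keyed by
    source IP, so rotating IPs refills it, and the check and the increment are
    separate steps, so concurrent requests that all read the counter before any
    of them writes it are all let through (lost update)."""

    def __init__(self, limit=ATTEMPT_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, source_ip, account):
        seen = self.counts[source_ip]             # 1. read the counter
        if seen >= self.limit:
            return False
        time.sleep(0.002)                         # 2. backend work: this is the race window
        self.counts[source_ip] = seen + 1         # 3. write back a stale value
        return True


class PerAccountAtomicLimiter:
    """Hardened limiter: the budget belongs to the account under recovery rather than
    to the caller's IP, check-and-increment happens under a lock, and once the budget
    is spent the outstanding code is invalidated so a fresh one must be requested."""

    def __init__(self, limit=ATTEMPT_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)
        self.invalidated = set()
        self.lock = threading.Lock()

    def allow(self, source_ip, account):
        with self.lock:
            if account in self.invalidated or self.counts[account] >= self.limit:
                return False
            self.counts[account] += 1
            if self.counts[account] >= self.limit:
                self.invalidated.add(account)     # code burnt: further guesses are pointless
            return True


def brute_force(limiter, account, n_requests, n_ips, concurrency):
    """Fire n_requests code guesses at `account`, spread round-robin over n_ips
    source addresses (n_ips <= 256) and `concurrency` threads.
    Returns how many guesses the limiter let through to the verification step."""
    allowed = 0
    tally = threading.Lock()
    guesses = list(range(n_requests))

    def worker(chunk):
        nonlocal allowed
        for g in chunk:
            ip = f"203.0.113.{g % n_ips}"         # rotating source address (TEST-NET-3)
            if limiter.allow(ip, account):
                with tally:
                    allowed += 1

    threads = [threading.Thread(target=worker, args=(guesses[i::concurrency],))
               for i in range(concurrency)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return allowed


if __name__ == "__main__":
    for name, cls in (("per-IP, non-atomic", PerIpRacyLimiter),
                      ("per-account, atomic", PerAccountAtomicLimiter)):
        racy = brute_force(cls(), "victim", n_requests=500, n_ips=1, concurrency=50)
        rotated = brute_force(cls(), "victim", n_requests=1000, n_ips=100, concurrency=1)
        print(f"{name}: {racy}/500 concurrent guesses from one IP allowed, "
              f"{rotated}/1000 sequential guesses across 100 IPs allowed "
              f"(coverage of the code space: {rotated / CODE_SPACE:.4%})")
```

The weak limiter lets far more than five guesses through when fifty threads race on one IP, and exactly five per address when a single thread walks through a hundred addresses; the hardened one stops at five in both cases, because the budget is tied to the victim account and is consumed atomically. Scaling the rotation up to the full million-value code space is only a matter of addresses and time against the weak design, which is why the per-account budget and code invalidation matter more than the per-IP counter.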

 

Edited and compiled by cyber security specialist James Aguilan.