Cyber Security Training from QA

Cyber Pulse: Edition 21

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


29 June 2018

Ticketmaster has admitted that it has suffered a security breach affecting up to 40,000 UK customers

Malicious software in a third-party customer support product from Inbenta Technologies caused the hack, the firm said on Twitter. "Some personal or payment information may have been accessed by an unknown third party", it added. All affected customers have been contacted. In the email to those customers, Ticketmaster said it had set up a website to answer any questions and advised them to reset their passwords. It also offered them a free 12-month identity monitoring service. It said the breach was likely to have affected only UK customers who purchased or attempted to purchase tickets between February and 23 June 2018. But, as a precaution, it said it had also informed international customers who had purchased or attempted to purchase tickets between September 2017 and 23 June 2018. Information that may have been compromised includes names, addresses, email addresses, telephone numbers, payment details and Ticketmaster log-in details. It said that "forensic teams and security experts are working around the clock" to understand how data was compromised. Ticketmaster is confident it has complied with General Data Protection Regulation (GDPR) rules - acting very quickly and informing all relevant authorities, including the Information Commissioner's Office.

Cisco ASA Flaw Exploited in DoS Attacks

Cisco has informed users that a recently patched vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been exploited in denial-of-service (DoS) attacks. The vulnerability, tracked as CVE-2018-0296 and classified “high severity,” was addressed with the patches released by Cisco in early June. The flaw was reported to the networking giant by researcher Michal Bentkowski, who discovered that a remote and unauthenticated attacker could gain access to sensitive system information through directory traversal techniques. Cisco’s own analysis of the bug revealed that it can also be exploited to cause impacted devices to reload and enter a DoS condition. According to Cisco, the vulnerability exists due to the lack of proper input validation of the HTTP URL. An attacker can exploit the security hole by sending specially crafted HTTP requests to the targeted device. The list of impacted devices includes 3000 series Industrial Security Appliances, ASA firewalls, and Firepower products.

NSA Exploit "DoublePulsar" Patched to Work on Windows IoT Systems

An infosec researcher who uses the online pseudonym Capt. Meelo has modified an NSA hacking tool known as DoublePulsar to work on the Windows IoT operating system (formerly known as Windows Embedded). The original DoublePulsar is a hacking tool that was developed by the US National Security Agency (NSA), and was stolen and then leaked online by a hacking group known as The Shadow Brokers. At its core, DoublePulsar is a Ring-0 kernel mode payload that acts like a backdoor into compromised systems. DoublePulsar is not meant to be used on its own, but together with other NSA tools. NSA operators are supposed to use the FuzzBunch framework (also leaked by The Shadow Brokers) together with an exploit package (such as EternalBlue, EternalSynergy, EternalRomance, or others) to gain a temporary foothold on a system and then drop the DoublePulsar implant to obtain a permanent one. An in-depth analysis of the original DoublePulsar exploit, as leaked by The Shadow Brokers last year, is available here, authored by RiskSense security researcher Sean Dillon.

Firefox works with HaveIBeenPwned for password pwnage probe

Firefox has started testing an easier way for users to check whether they're using a leaked password, through integration with Troy Hunt's HaveIBeenPwned (HIBP) database. The hookup will hash a user's email address and use part of that hash as the basis of a lookup to see whether the address appears in HIBP's database of 5.1 billion records of hacked account login details. The Firefox Monitor test will start with 250,000 users, mostly in the US, according to Mozilla's announcement this week. Mozilla first revealed its work on the tool in November 2017 and said at the time that a major challenge was checking a user's data against HaveIBeenPwned without risking user privacy. Working with Hunt and Cloudflare, Mozilla has come up with an anonymisation approach. Instead of plaintext queries, Firefox Monitor uses hash range query API endpoints to handle the data. When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends only the first 6 characters of the hash to the HIBP API. That isn't going to yield a single exact match, so Firefox Monitor loops through the objects returned by the API to find which (if any) prefix and breached-account HashSuffix equals the user-submitted hash value.
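The range query described above, as an added example that is not Mozilla's or HIBP's code: the "server" only ever sees a 6-character hash prefix and returns every suffix in that bucket, and the "client" finishes the match locally. The breached address list is constructed for the demo, and SHA-1 (the digest HIBP uses for its range API) is assumed.

```python
import hashlib

PREFIX_LEN = 6  # number of hex characters Firefox Monitor sends to the HIBP API

# Constructed sample of "breached" accounts standing in for the HIBP dataset.
BREACHED_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def email_hash(email: str) -> str:
    """Hash the normalised e-mail address the way the client does before querying."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


# "Server" side: breached hashes indexed by prefix, so a range query can be
# answered without the server ever seeing the full hash from the client.
def build_index(emails):
    index = {}
    for e in emails:
        h = email_hash(e)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Server endpoint: return every HashSuffix whose full hash starts with prefix."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return list(index.get(prefix, []))


# "Client" side (Firefox Monitor): send only the prefix, compare suffixes locally.
def is_pwned(email: str, server) -> bool:
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return any(candidate == suffix for candidate in server(prefix))


if __name__ == "__main__":
    index = build_index(BREACHED_EMAILS)
    sent = []

    def server(prefix):
        sent.append(prefix)  # record what actually left the client
        return range_query(index, prefix)

    print(is_pwned("Alice@Example.com", server))  # True
    print(is_pwned("dave@example.com", server))   # False
    print(sent)  # only 6-character prefixes were transmitted
```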

Unpatched WordPress Flaw Gives Attackers Full Control Over Your Site

Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server. Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6. The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes the thumbnail of an uploaded image. Researchers found that the thumbnail delete function accepts unsanitized user input which, if tampered with, could allow users with limited privileges of at least an author to delete any file from the web hosting, which otherwise should only be allowed to server or site admins. The requirement of at least an author account automatically reduces the severity of this flaw to some extent; it could be exploited by a rogue content contributor or a hacker who somehow gains an author's credentials using phishing, password reuse or other attacks. Researchers say that using this flaw an attacker can delete critical files like ".htaccess" from the server, which usually contains security-related configurations, in an attempt to disable protection. Besides this, deleting the "wp-config.php" file—one of the most important configuration files in a WordPress installation, which contains the database connection information—could force the entire website back to the installation screen, allegedly allowing the attacker to reconfigure the website from the browser and take over control of it completely.
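As an added illustration of the file-deletion bug class described above (written in Python for the demo, not WordPress's own PHP code), the unsanitized delete pattern sits beside a hardened form that refuses path components and requires the resolved target to stay inside the uploads directory. The site layout and file names are constructed in a temporary directory.

```python
import os
import tempfile


def unsafe_delete(uploads_dir: str, thumb_name: str) -> bool:
    """Vulnerable pattern: the stored name is joined and unlinked without checks,
    so a name such as '../wp-config.php' escapes the uploads directory."""
    path = os.path.join(uploads_dir, thumb_name)
    if os.path.isfile(path):
        os.unlink(path)
        return True
    return False


def safe_delete(uploads_dir: str, thumb_name: str) -> bool:
    """Hardened form: a thumbnail name must be a bare file name, and the real
    (symlink-resolved) path must remain under the uploads root before unlinking."""
    if os.path.basename(thumb_name) != thumb_name:
        return False  # separators or '..' are never legitimate in a thumbnail name
    root = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(root, thumb_name))
    if os.path.commonpath([root, target]) != root:
        return False  # resolved outside the uploads root (traversal or symlink)
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo(delete_fn) -> bool:
    """Constructed layout: <site>/wp-config.php beside <site>/uploads/thumb.jpg.
    Returns True only if wp-config.php survives a traversal-style name AND a
    legitimate thumbnail deletion still succeeds with delete_fn."""
    with tempfile.TemporaryDirectory() as site:
        uploads = os.path.join(site, "uploads")
        os.mkdir(uploads)
        config = os.path.join(site, "wp-config.php")
        open(config, "w").close()
        open(os.path.join(uploads, "thumb.jpg"), "w").close()
        delete_fn(uploads, os.path.join("..", "wp-config.php"))
        survived = os.path.exists(config)
        deleted_ok = delete_fn(uploads, "thumb.jpg")
        return survived and deleted_ok


if __name__ == "__main__":
    print("unsafe_delete keeps config:", demo(unsafe_delete))  # False
    print("safe_delete keeps config:", demo(safe_delete))      # True
```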

Hackers exploit FastBooking flaw to steal customer data from hundreds of hotels

Hackers exploited a web app vulnerability on a FastBooking server to install malware and pilfer data – such as names, email addresses, booking information and payment card data – on guests at hundreds of hotels. Prince Hotel officials said data on more than 124,000 of its customers was stolen as a result of the hacks on the FastBooking Korean, Chinese and English websites, which occurred June 15 and June 17 and affected guests who stayed at one of the hotel's 43 locations between May and August of 2017, according to a report in the Japan Times. A company spokesman cited in the report said that personal data was purloined in 58,003 leaks while credit card information was stolen in the remaining 66,960 cases. The Prince Hotel spokesperson said FastBooking bolstered its security in the wake of the breach and that the foreign-language site was shuttered temporarily, with reservations accepted only by email.

Facebook holds ICO ban but allows 'approved' cryptocurrency ads

Facebook earlier this year announced it was cracking down on advertisements of financial products that are often used to scam users, banning ads that promoted initial coin offerings (ICOs), cryptocurrencies, and binary options on its platform. But while the social network is still strict on its no-ICO play, it has tweaked the ban to now allow ads that promote cryptocurrency and related content from pre-approved advertisers. The policy introduced in January aimed to "prohibit ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices". At the time, the company, still in hot water over the misuse of information on up to 87 million users, said the policy was "intentionally broad" while it worked to "better detect deceptive and misleading advertising practices". In a blog post penned by Facebook product management director Rob Leathern, the company explains that advertisers wanting to run ads for cryptocurrency products and services must submit an application for an eligibility assessment. The application is to include any licences the advertiser has obtained, whether they are traded on a public stock exchange, and other relevant public background on their business.


Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.


Edited and compiled by


James Aguilan


Cyber Security Specialist

James has worked on many high-complexity eDiscovery projects and forensic investigations involving civil litigation, arbitration and criminal investigations for large corporations and international law firms across the UK, US, Europe and Asia. James has assisted on many notable projects, including one of the largest merger and acquisition cases of all time – a deal worth $85 billion, a multijurisdictional money laundering matter for government bodies, and national cyber threat crises including the more recent ransomware, phishing campaigns and network intrusions. James has comprehensive knowledge of the eDiscovery lifecycle and forensic investigation procedures in both practice and theory, with a deep focus and interest in forensic preservation and collection and incident response. In addition, he holds a first-class bachelor's degree in Computer Forensics and is accredited as an ACE FTK certified examiner.