DDoS sueball, felonious fonts, leaky Android file manager, blundering building security, etc etc

Roundup This week we wrangled with alleged Russian election meddling, hundreds of millions of username-password combos spilled online, Oracle mega-patches, and cliams of RICO swap-gangs.

While all that was happening, here are a few more bits and bytes of infosec news.

Swipe right… to steal private info for Safari

It seems a new weakness in the Mac Pro has been uncovered by a swipe-happy bug-hunter.

Security boffin Dhiraj Mishra says that Apple’s high-end notebook can be tricked into handing over private information via its multi-gesture trackpad. Mishra explains that Safari fails to clear out some dynamic data (such as the contents of logged-out email accounts) when it activates the swipe gesture to move between pages.

What does this mean? Well, take for example the video demo below.

Youtube Video

An insecure Android file manager app, ES File Explorer, with 100-million-plus downloads, opens a HTTP web server to the local network, allowing any miscreant able to reach the device to download files at will, and all list your apps and documents (CVE-2019-6447). A new version of the manager is available with this security hole plugged, so if you’re using this software, go grab it from the official Play Store.

Canadian fraudster betrayed by sloppy typeface

A crook in the Great White North has been put on ice after he was betrayed by his fonts.

According to this account from the National Post, a former telco exec going through bankruptcy proceedings, had produced two legal documents claiming a pair of his properties were held in a public trust, and thus protected from seizure by the bank.

Unfortunately, a review of the documents found that the typeface in both had been invented after the papers were said to have been drafted up and signed. One document was said to have been written, printed and signed in 1995 but used a font only released in 2002, and the other said to have been written and signed in 2004 used a font released in 2007. The papers were thus proved to be forged, and his claims the properties were shielded from seizure were invalidated.

The moral of the story: always forge in Times New Roman.

VOIPO-No! IP yak tool leaks data

Yes, we have yet another case of an unsecured cloud data store being unearthed via a Shodan search.

This time, the info silo was an insecurely configured AWS Elastic Search instance run by Voipo, a VoIP service based in California.

Justin Paine, Cloudflare security bod by day and breaker of internet things by night, found that the exposed database include things like call and SMS logs as well as some internal documents. The open database was privately reported and sealed up before public disclosure this week.

Now would be a good time to go back over your cloud database and storage instances to make sure everything is locked down properly.

China job-seekers get some unwanted recruiting help

When is exposure not a good thing for job-hunters? When it’s the unintended breach of more than 200 million CVs containing detailed personal information.

Researcher Bob Diachenko discovered an unprotected database that contained hundreds of millions of extremely detailed CVs from people in China looking for work.

Aside from job experience and references, the documents included things like personal phone numbers and marital status, height and weight, and ID and driver’s license numbers.

Once again, the culprit was a MongoDB database that had been left open to public access, and thus was able to be crawled via BinaryEdge.

Project Zero flushes out kernel bugs

Bug-finder Jann Horn of Google’s esteemed Project Zero crew has provided an interesting look into a particularly insidious class of bugs in operating system kernels, in particular in this case, Linux.

The vulnerabilities lie in TLB (Translation Lookaside Buffer) flushing. Should something go wrong with those operations, potentially sensitive system information can end up being exposed to user processes.

“Such bugs can, if the timing works out for the attacker, provide very strong exploitation primitives for local attacks; and they are hard to discover unless you are manually looking for them,” Horn explained.

“They are probably not a big bug class, but occasionally, bugs in TLB flushing logic do happen.”

You can read the full post here.

DDoS-for-hire scheme lands African telco in hot water

Last week we reported on the 32-month sentence handed out to the hacker behind a massive Mirai botnet attack on a Liberian telco.

Now, it seems that the rival who paid for the attack could also find themselves in legal trouble. Cellcom is reportedly facing a suit from Lonestar Cell for allegedly bankrolling the massive sustained DDoS that Lonestar suffered at the hands of hacker Daniel Kaye in late 2016.

In addition to Cellcom itself, the suit is also said to name Kaye and a pair of company executives as defendants in the case. Lonestar is seeking damages to cover the lost revenues it incurred while dealing with the attack.

Tenable blows holes in building security system

A report this week from Tenable outlines how multiple zero-day flaws in the Identicard PremiSys building security and surveillance systems could be used to bypass access protections.

According to the researchers, the PremiSys hardware contained bugs such as hardcoded credentials, weak encryption, and default credentials could all be used to open databases, harvest credentials, and collect information needed to manipulate both building controls and surveillance databases.

Perhaps worst of all was the complete lack of response the Tenable crew got after issuing their report.

“According to Tenable’s disclosure timeline, multiple attempts were made to contact the vendor to address these vulnerabilities,” Tenable said.

“The Computer Emergency Response Team (CERT) was notified of these vulnerabilities. As of January 9, the vendor hasn’t responded. The 90-day disclosure period ended on January 3, 2019.” ®

READ MORE HERE