IT Security Newsletter - 1/8/2020
City of Las Vegas wakes up to a cyber attack
In the early hours of Tuesday morning, city officials in Las Vegas were alerted that their computer network had suffered a security breach. Details are currently scarce, with a post from the city’s official Twitter account merely confirming that an incident occurred and that it is being investigated. Inevitably there will be concerns that Las Vegas may be the latest in a line of cities to suffer from a ransomware attack.
Medical Info of Roughly 50K Exposed in Minnesota Hospital Breach
The personal and medical information of 49,351 patients was exposed following a security incident involving two employees' email accounts, as disclosed by Minnesota-based Alomere Health. Alomere Health is a community-owned and non-profit general medical and surgical hospital with 127 beds that has been twice named as one of the Top 100 Hospitals by Thomson Reuters. The Alexandria, Minnesota-based locally-governed hospital started notifying its patients of the security breach incident on January 3, 2020.
Krebs on Security: Tricky Phish Angles for Persistence, Not Passwords
Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.
REvil ransomware exploiting VPN flaws made public last April
Researchers report flaws, vendors issue patches, organisations apply them – and everyone lives happily ever after. Right? Not always. Sometimes, the middle element of that chain – the bit where organisations apply patches – can take months to happen. Sometimes it doesn’t happen at all. It’s a relaxed patching cycle that has become security’s unaffordable luxury. Take, for instance, this week’s revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure’s Zero Trust business VPN system are being exploited to break into company networks to install the REvil (Sodinokibi) ransomware.
PGP keys, software security, and much more threatened by new SHA1 exploit
Three years ago, Ars Technica declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world’s first known instance of a fatal exploit known as a "collision" on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that’s significantly more powerful.
Microsoft Access Files Could Include Unintentionally Saved Sensitive Data
An information disclosure vulnerability affecting Microsoft Access can cause sensitive data from system memory to be unintentionally saved in database files, email security company Mimecast revealed on Tuesday. The flaw, tracked as CVE-2019-1463, was fixed by Microsoft with its December 2019 Patch Tuesday updates. The tech giant learned of the security bug from Mimecast in September 2019.
Google Fixes Critical Android RCE Flaw
Google kicked off its first Android Security Bulletin of 2020 by patching a critical flaw in its Android operating system which, if exploited, could allow a remote attacker to execute code. Compared to last year’s monthly tally, the number of CVEs patched this month was relatively small. The remote-code-execution (RCE) flaw was one of several critical- and high-severity vulnerabilities that made up seven CVEs tracked overall this month. Qualcomm, whose chips are used in Android devices, also patched a mix of 29 high- and medium-severity vulnerabilities as part of the January bulletin.