Cyber Security Headlines: Uber downplays breach, LastPass downplays hack, Netgear router vulnerability

Uber says there is no evidence that users’ private information was compromised

Uber has provided an update regarding the recent security breach of its internal computer systems, and is stating that “we have no evidence that the incident involved access to sensitive user data (like trip history).” All the services provided by the company, including Uber, Eats, Freight, and the Uber Driver app, remain operational. However, the company has not revealed details about the attack, and several experts believe that it downplayed the incident and has no clear idea about the depth of the intrusion.

(Security Affairs)

LastPass says hackers accessed its systems for just 4 days

Password management software provider LastPass has announced in an update published last week that the August security incident allowed the hackers to access its systems for “just 4 days.” LastPass says it hasn’t found any evidence that the malicious actors accessed any customer data or encrypted password vaults. They stated this is because, first, the LastPass Development environment is physically separated from, and has no direct connectivity to, the Production environment; second, the Development environment does not contain any customer data or encrypted vaults; and third, LastPass does not have any access to customers’ master passwords. They also believe the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.

(Softpedia News)

Netgear Routers impacted by FunJSQ module flaw

Researchers at security and compliance assessment firm Onekey warn of arbitrary code execution via FunJSQ, a third-party module developed by Xiamen Xunwang Network Technology for online game acceleration, which impacts multiple Netgear router models. There are two key issues: one is an insecure update mechanism, tracked as CVE-2022-40620; the other is an unauthenticated command injection flaw, tracked as CVE-2022-40619. “Combined these can lead to arbitrary code execution from the WAN interface,” reads the analysis published by Onekey.

(Security Affairs)

Gym phone thefts reveal significant 2FA flaw

A rash of thefts at UK gyms and health clubs is revealing a key flaw in how iPhone customers keep their bank accounts and money safe. The thefts, in and around London, involved an individual stealing phones and bank cards from gym lockers. Once they have the phones and the cards, the thief registers the bank card on the relevant bank’s app using their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded. That verification passcode is sent by the bank to the victim’s stolen phone, where it flashes up on the locked screen, allowing the thief to enter it into their own device. Once accepted, the thief gets full control of the bank account. Experts are recommending that gym goers never leave their valuables in their locker, and consider disabling the “Show Notifications” option on their phones.

(BBC News)

Thanks to today’s episode sponsor, 6clicks

6clicks has pioneered a unique Hub & Spoke architecture to underpin its AI-powered GRC solution and cater to markets requiring scalable, multi-tenanted GRC. This model enables organizations to deploy multiple, autonomous GRC entities connected to a single hub for roll-up reporting, management, and visibility. For more information visit

Google, Microsoft can get your passwords via web browser’s spellcheck

Extended spellcheck features in the Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases passwords, to Google and Microsoft respectively. This occurs with Chrome’s Enhanced Spellcheck or Microsoft Editor when manually enabled by the user. Josh Summitt, co-founder & CTO of JavaScript security firm otto-js, suggests this is, or should be, of significant concern for companies. In a demonstration he showed how, with enhanced spellcheck enabled, and assuming the user tapped the “show password” feature, form fields including username and password are transmitted to Google at

(Bleeping Computer)

Cybersecurity startup launches mobile app to protect against phishing attacks

Cybersecurity startup novoShield has launched an enterprise-grade mobile security application, designed to protect users from mobile phishing threats. Released this week for iPhones via the US and Israeli Apple app stores, novoShield’s namesake app detects malicious websites in real time and blocks users from accessing them. Research from PurpleSec found that mobile phishing attacks have grown at a consistent rate of 85% annually since 2011, with 75% of the phishing sites analyzed by PurpleSec in 2021 specifically targeting mobile devices.


Vulnerabilities found in airplane WiFi devices, passengers’ data exposed

The flaws were discovered by Thomas Knudsen and Samy Younsi of Necrum Security Labs and affect the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec. “After performing reverse engineering of the firmware, we discovered that a hidden page not listed in the Wireless LAN Manager interface allows to execute Linux commands on the device with root privileges,” they wrote in an advisory, referring to the vulnerability tracked as CVE-2022-36158.


Hive ransomware claims cyberattack on Bell Canada subsidiary

The Hive ransomware gang is claiming responsibility for an attack that hit the systems of a subsidiary of Canadian telecom giant Bell Canada. The subsidiary, Bell Technical Solutions (BTS), specializes in installing Bell services for residential and small business customers across Ontario and Québec. While Bell has not revealed when its network was breached, Hive claims in a new entry added to its data leak blog that it encrypted BTS’ systems almost a month ago, on August 20. Bell has announced that the data accessed may include the names, addresses and phone numbers of residential and small business customers who had booked a technician visit.

(Bleeping Computer)