Security Summary – June 2019

Our short monthly review summarises important news and blog posts focusing on IT security, cloud computing and privacy protection.

1. Fortune 100 companies' data leaked from Amazon Web Service server

The Israeli IT company Attunity left sensitive data from some of the world's biggest companies exposed because it failed to restrict access to three Amazon S3 buckets. The data included passwords and private keys for production systems along with details of employees and sales information. The affected companies include Netflix, Ford, and TD Bank.

Source in English: zdnet.com

2. Millions of medical insurance records exposed

The U.S.-based marketing site MedicareSupplement.com has exposed more than five million records containing personal information. Security researchers confirmed that they had found a publicly available MongoDB database with no password or authentication protection. It exposed full names, addresses, IP addresses, emails, dates of birth, and gender along with areas of interest, for example whether someone had looked at cancer insurance.

Source: threatpost.com
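A MongoDB instance ends up in this state when it listens on a public interface with authorization left at its default (disabled). As an added illustration that is not from the original summary or the affected site, here is a constructed mongod.conf fragment in the exposed configuration beside the hardened one; the `net.bindIp` and `security.authorization` keys are MongoDB's own settings.

```yaml
# Exposed (constructed): reachable from any interface, no authentication required
net:
  bindIp: 0.0.0.0
  port: 27017
# no "security" section: authorization defaults to disabled

# Hardened: require authentication and listen on localhost only
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
```

With `authorization: enabled`, an admin user must be created before clients can do anything useful; if the database must be reachable from application hosts, bind to the specific private interface and restrict port 27017 with a network firewall rather than opening it to the internet.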

3. One in three companies has experienced an API attack

Radware's "Global Application and Network Security Report" concludes that one in three companies has experienced an attack on their systems through an API. APIs are of interest to attackers because personal information, including credit card data, is often transferred via APIs.

Source: dev-insider.de

4. New malware exploits macOS weakness

Security researchers have found Mac malware samples that appear to be under development to exploit a macOS vulnerability reported this May. Apple has yet to patch the issue. It was found in the macOS Gatekeeper security feature, which is in charge of verifying downloaded apps before they are run on a Mac.

Source: threatpost.com

5. Millions of Dell computers vulnerable due to support software

Security researchers at SafeBreach Labs discovered that pre-installed support software named "SupportAssist" is responsible for a security vulnerability in millions of Dell laptops and PCs. The flaw enables malicious software or rogue logged-in users to gain admin-level privileges, including access to sensitive information.

Source: thehackernews.com

6. Florida city authorities pay 600,000 USD ransom to hackers

Riviera Beach City Council has voted to pay a 600,000 USD ransom to the hacker who infected the city's IT systems with ransomware three weeks ago. The council saw this as its only option to recover the data encrypted by the hacker. At the same time, it decided to invest one million dollars in updated computers and hardware.

Source: heise.de

7. Security experts warn about Tinder privacy vulnerabilities

Analysts at ProPrivacy state that dating apps such as Tinder, OkCupid, and PlentyOfFish collect a vast array of highly personal information, including chat content and users' financial data. ProPrivacy now warns about the privacy policies of the holding company behind these and other services such as Match.com.

Source: threatpost.com

8. Apple devices allow data theft before crashing

An international team of researchers from TU Darmstadt has discovered security and data protection problems in iOS and macOS. They found vulnerabilities in the AWDL protocol that allow attackers to locate mobile phone users, crash their devices, and intercept sensitive data during transmission via AirDrop. Apple has now released updates to fix the problem.

Source: security-insider.de

9. Critical Evernote vulnerability puts millions of users' data at risk

Millions use Evernote for note-taking. Now a critical flaw in the Web Clipper extension for the Chrome browser has put the personal data of 4.6 million users at risk, researchers at Guardio state. As the researchers demonstrated, the vulnerability could give attackers access to data such as emails and financial transactions.

Source: threatpost.com

10. Leak database "Have I Been Pwned" up for sale

The "Have I Been Pwned" site is a popular place for users who want to know whether one of their online accounts has been compromised. Now it is up for sale. Its founder, the independent security researcher Troy Hunt, explained that he could no longer run the service as a "one-man show". Consulting firm KPMG has been hired to find a buyer.

Source: heise.de

11. Many iPhone apps switch off Apple's security technology

According to an analysis by the security firm Wandera of 30,000 popular apps, two-thirds of all apps disable Apple's App Transport Security (ATS), which enforces encrypted connections. Large advertising players such as Google AdMob explicitly recommend that developers deactivate the function for more efficient advertising and tracking.

Source: heise.de
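ATS is switched off through the app's Info.plist. As an added illustration that is not part of the original summary or of Wandera's analysis, the first fragment below shows the blanket opt-out that disables ATS for every connection, and the second shows the narrower alternative of exempting a single named host (the host name is a placeholder); the keys are Apple's documented ATS keys.

```xml
<!-- Weak: the whole app opts out of ATS, so any connection may be plain HTTP -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Better: ATS stays on; only one legacy host (placeholder) is exempted -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <false/>
        </dict>
    </dict>
</dict>
```

A reviewer or app-vetting pipeline can detect the blanket opt-out by searching the built app's Info.plist for `NSAllowsArbitraryLoads` set to true; per-domain exceptions under `NSExceptionDomains` are the form that should survive review.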