Security summary – September 2019

Our short monthly review summarises important news and blog posts, which focus on IT security, cloud computing and privacy protection.

1. Checkm8: Millions of iPhones vulnerable

On Friday, September 27, a hacker known as "axi0mx" tweeted details about a severe the Apple vulnerability "Checkm8". It affects several iPhone models, including devices from iPhone 4S to iPhone X. What makes this exploit special is that Apple cannot fix it with an update, as they usually would. That leaves hundred of millions of devices vulnerable, however an exploit is only possible if a hacker gets his / her hands on a device. Amongst other things, "Checkm8" allows for a so-called jailbreak, which virtually gives technical control over the hacked device.

Source: spiegel.de

2. Reports of Emotet attacks significantly increase

In the past weeks, several thousand email accounts were reported compromised by an Emotet infection. The cybercrime group Emotet is known to create deceptive emails seemingly sent from contacts known to the victim, then encrypt all data on the victim’s computer and demand a ransom. Companies and citizens alike have been targeted. Furthermore, Emotet now seems to get active in online banking fraud.

Source: heise.de

3. Equifax data breach settlement challenged by 200K petition signatures

In response to the announced settlement between Equifax and the US government in the aftermath of the 2017 Equifax data, 200K victims have signed a petition demanding a better settlement. The data breach affected more than 150 million Equifax and the petition aims to achieve a better deal for the people affected.

Source: threatpost.com

4. Facebook suspends thousands of apps due to inadequate data handling

As a result of the Cambridge Analytica scandal, Facebook launched an investigation into how third-party apps on its platfrom collect, handle and use the personal data of users. Facebook has since suspended tens of thousands of apps because the 400 developers behind them were in some way sharing personal user data without authorization.

Source: threatpost.com

5. Possibly breakthrough in Ecuador’s largest data breach case

The general manager of IT consulting firm Novaestrat has been arrested in connection with the largest-scale data breach in the country’s history saw personal data of close to the entire population of the Republic of Ecuador left exposed online. The personal records of more than 20 million citizens were publicly exposed, including the president Lenin Moreno and WiKiLeaks founder Julian Assange.

Source: thehackernews.com

6. The U.S. sues Edward Snowden over new memoir

The U.S. has sued whistleblower Edward Snowden over his new memoir, alleging he published the book in violation of non-disclosure agreements signed with both the CIA and NSA. They now attempt to seize any assets related to the memoir entitled “Permanent Record”.

Source: threatpost.com

7. Compiled list of 420M Facebook users’ phone numbers found online

An IT security researcher found a compiled list including the telephone numbers of almost half a billion Facebook users online. However, the database appears to have been compiled from publicly available information gathered before the social media platform abolished the option to find old acquaintances via their phone number. Facebook has found no evidence of hacked accounts.

Source: computerworld.ch

8. Million-dollar donation to strengthen Wikipedia’s IT security

In the midst of a massive DDOS attack on the online encyclopedia, media entrepreneur Craig Newmark’s foundation grants Wikipedia a donation of 2.5 million dollars to help better protect its users from online threats.

Source: computerworld.ch

9. 24M patient data files found unprotected online

According to a report, more than 24 million patient data files, including Swiss patients, have been found on unsecured servers. Amongst other sensitive data, the leaked files included breast cancer screenings. The pictures are high-resolution and contain personal information such as date of birth, first and last name, date of the examination and information about the attending physician or the treatment itself.

Source: computerworld.ch