Security news weekly round-up - 5th January 2024

Habdul Hazeez - Jan 5 - - Dev Community

It's been a while, and I apologize for the long break since September 8, 2023. I hope that you're all doing well. Let's get to this week's review and the first of the year 2024!

Introduction

This week's review is mostly about privacy, vulnerabilities, poor security, and high-profile account hijacking.


Google Settles $5 Billion Privacy Lawsuit Over Tracking Users in 'Incognito Mode'

It started back in 2020, and it appears that Google has decided to settle for a fee. The lesson we can all take from this story or incident (depending on what you want to call it) is that not everything is what it appears to be.

Here is a short excerpt from the article:

The plaintiffs had alleged that Google violated federal wiretap laws and tracked users' activity using Google Analytics to collect information when in private mode.

They said this allowed the company to collect an "unaccountable trove of information" about users who assumed they had taken adequate steps to protect their privacy online.

Millions still haven’t patched Terrapin SSH protocol vulnerability

At the time of writing, this vulnerability was revealed two weeks ago. Now, it appears that millions have not patched their SSH servers. Nonetheless, it's a good habit to patch a vulnerability when you can.

Here is more for you:

Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that allows attackers with a foothold inside affected networks. Once they're in, attackers compromise the integrity of SSH sessions that form the lynchpin for admins to securely connect to computers inside the cloud and other sensitive environments.
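As an added example that is not part of the original post or of the article it quotes: a small Python check that parses a server's SSH_MSG_KEXINIT and reports whether it still offers the modes Terrapin abuses (ChaCha20-Poly1305, or a CBC cipher paired with an encrypt-then-MAC MAC) without advertising the strict key exchange countermeasure, kex-strict-s-v00@openssh.com. The KEXINIT bytes are constructed inline by build_kexinit; that helper and terrapin_exposure are names chosen here, not part of any SSH library.

```python
import struct
SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict-kex flag

def _name_list(buf, off):
    """Read one SSH name-list: uint32 length, then comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n

def parse_kexinit(packet):
    """Parse a cleartext SSH binary packet carrying SSH_MSG_KEXINIT (RFC 4253)."""
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    payload = packet[5:5 + packet_len - padding_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    off = 1 + 16  # message id, then the 16-byte random cookie
    fields = {}
    for name in ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"):
        fields[name], off = _name_list(payload, off)
    return fields

def terrapin_exposure(fields):
    """Vulnerable modes the server still offers; [] if strict kex is advertised."""
    if STRICT_KEX_SERVER in fields["kex"]:
        return []
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    exposed = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        exposed.append("chacha20-poly1305@openssh.com")
    if any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs):
        exposed.append("cbc-etm")
    return exposed

def build_kexinit(kex, enc, mac):
    """Build a minimal server KEXINIT from constructed lists (test data, not captured traffic)."""
    def nl(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + nl(kex) + nl(["ssh-ed25519"])
    payload += nl(enc) * 2 + nl(mac) * 2 + nl(["none"]) * 2 + nl([]) * 2
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8  # pad the whole packet to an 8-byte boundary
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad
```

The check only looks at the server's offer; the countermeasure protects a session only when the client advertises its own strict-kex flag too, so patch both ends.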

New iPhone Exploit Uses Four Zero-Days

It's as sophisticated as you can imagine, and it targeted Kaspersky employees. Yes, you read that right, Kaspersky! And it went on for over four years!!

The following is the interesting bit, but ensure that you read the story:

A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel.

On most other platforms, once attackers successfully exploit a kernel vulnerability they have full control of the compromised system.

Say what you will? Your favorite speech-to-text app may be a privacy risk

Be careful of what you say to a speech-to-text app, no matter how convenient it might seem.

The following is why you should:

Many apps of all kinds request permissions to access various device or user information, such as location, contacts, chats in messaging apps – regardless of whether they need such permissions for their functionality.

The collection of this information poses a risk if it is misused, shared with third parties without the user’s informed consent, or if it is not properly secured on the servers of the company storing it.

Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked

It's fun to read until it happens to you. The excerpt below should get you started.

The hacked Mandiant account was initially used to masquerade as one belonging to Phantom, a company that offers a wallet for storing cryptocurrency.

Posts on X encouraged people to visit a malicious website to see if their wallet was one of 250,000 that were eligible for an award of tokens.

A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier

The title says it all, and the carrier in question is Orange España.

Here is more for you:

Besides underscoring the continued fragility of BGP, the incident exposes a concerning lack of security hygiene at Orange. For one, an infostealer installed on an employee's computer that went undetected for four months.

For another: the use of a weak password and the failure to secure the account with multi-factor authentication to protect an account on a Regional Internet Registry such as RIPE.

All are amateur omissions that should never have been possible at an organization with Orange's reach.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
