The SecuriTea News - Issue #4
Every Friday The Weekly SecuriTEA Report brings you the latest week’s trending information security news. Read on and join the conversation.
Have you updated your iPhone? As of August 1st it has been reported that only 9.6 percent of enterprise users have updated their iOS to the recent 12.4 update. This update includes 5 critical flaw fixes that leaves users vulnerable to remote exploitation via the iMessage client. What does this mean for you if you have an iPhone? If you have not updated your phone an attacker could reveal pictures, videos, notes, PDFs and other information stored on your phone. This type of attack is considered pretty easy to execute and the code to exploit this vulnerability is publicly available, so it is imperative that you update your devices as soon as possible. If comfortable, set your devices to automatically update whenever they are pushed out to help keep you up to date and your devices safe.
Smart home lock flaw leaves some homes in danger. The ability to lock your door via Bluetooth may seem like a convenience but comes with a price when vendors are not properly securing products before rolling out to production. This has been evidenced in the Hickory Smart Bluetooth Enabled Deadbolt device where researches are warning that found unpatched flaws can allow an attack to break into a victims house with gained access to their phone. Rapid 7, a security company, laid out the details of the vulnerabilities. Though many of the flaws require an attacker to already have access to a compromised phone, once accessed it leaves the victim open for possible home invasions. This is yet another example of poor security implementation in IoT devices (everyday devices that can connect to the internet, for example your fridge) and how these devices can lead to serious harm or consequences for consumers. It is imperative that users take heed to device security as they begin connecting more devices in the home. As of August 1st the manufacturer of this lock has not yet acknowledged or fixed the flaws.
Cisco the latest to pay settlement. Cisco Systems, a worldwide leader in IT and networking solutions, is the latest to settle a lawsuit costing the company $8.6 million dollars. The lawsuit against them alleges that the company sold video security software with known security vulnerabilities to the U.S. federal and state governments. The lawsuit was originally filed in 201, filed under the False Claims Act, and involves 15 states in addition to the federal government. The vulnerabilities was alerted to the government by a whistleblower. The platform in question is the Cisco Video Surveillance Manger and the whistleblower found that a hacker who can compromise a camera can easily pivot to gain administrative privileges and move laterally into other parts of the network. This clearly poses an issue, especially for government entities, as having this flaw can lead to detrimental situations.
Honda is the latest to have insecure databases exposed. There has been plenty of reports now about user information being leaked, seemingly everyday. There are a variety of reasons for data loss but the main vector that is a thorn in companies side continues to be insecure databases. Honda is the latest to experience this as approximately 134 million documents and 40GB of data belonging to the company was found by security researcher Justin Paine. The data within the insecure database was related to the internal network of the company, including information such as the machine host's name (device name, for example what you name your iPhone), internal IP addresses, operating system version, which patches have been applied, and so much more. One dataset even included the CEO's full name, account name, employee ID, and other sensitive information. For a company of this magnitude, information like this in the wrong hands could have devastating consequences. Fortunately, the company promptly secured their database after being contacted by the security researcher and it was not evidenced that any other third party downloaded this information.
And that's a wrap for your Weekly SecuriTea Report. Be sure to check out the latest every week for the latest in Information Security News.