Nightfall InfoSec Roundup: January 6 to January 13
Cyber Attacks & Breaches
Google Agrees to Pay US$7.5M Over Google+ Data Breaches (CISO Mag) January 10th
In a recent data leak incident, which exposed the private data of around 500,000 former Google+ users to outside developers, Google has agreed to pay US$7.5 million in a settlement to resolve a class-action lawsuit against the firm.
A Facebook Bug Exposed Anonymous Admins of Pages (Wired) January 10th
A recent Facebook update caused a bug that allowed anyone to easily reveal which accounts posted to Facebook Pages—including celebrities and politicians—for several hours.
Dixons Carphone fined £500,000 for massive data breach (The Guardian) January 9th
UK company Dixons Carphone has been hit with the maximum possible fine by the Information Commissioner’s Office (ICO) after its shops were compromised by a cyberattack that affected at least 14 million people.
Unpatched Citrix Flaw Now Has PoC Exploit (Threatpost) January 13th
Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. Over 25,000 servers globally are vulnerable to the critical Citrix remote code execution vulnerability (CVE-2019-19781).
PayPal Confirms ‘High-Severity’ Password Security Vulnerability (Forbes) January 10th
PayPal has confirmed that researcher Alex Birsan found a high-severity security vulnerability that could expose user passwords to an attacker. Birsan discovered the high-severity vulnerability when he was “exploring” the main authentication flow at PayPal.
Threat Actor Abuses Mobile Sensor to Evade Detection (PhishLabs Blog) January 9th
In a recent campaign, PhishLabs discovered a new and unique evasion technique that abuses an experimental feature available in select web browsers, device motion and orientation events.
Mozilla patches Firefox zero-day as attackers exploit flaw (Computer World) January 9th
On Wednesday, Mozilla issued Firefox 72.0.1, which included one change: A patch for the vulnerability identified as CVE-2019-17026. “We are aware of targeted attacks in the wild abusing this flaw,” Mozilla said in the short description of the flaw.
TikTok Riddled With Security Flaws (Threatpost) January 8th
Researchers say they have discovered several major vulnerabilities in the short-form video app TikTok. The reported vulnerabilities come as scrutiny around the Chinese-owned platform increases. The most serious vulnerability in the platform could allow attackers to remotely take control over parts of victims’ TikTok accounts, such as uploading or deleting videos and changing settings on videos to make “hidden” videos public. Researchers also discovered a separate vulnerability that allowed them to obtain personal data of victims, such as email addresses.
Risks & Warnings
Why The Threat Of An Iranian Cyberattack Should Matter To Your Organization (Mondaq) January 10th
The ongoing Iran-US tensions, and potential for retaliatory cyberattacks, call attention to the need for all organizations to consider whether they are prepared to defend against a cyberattack. Of all the tools Tehran has to retaliate, including its large military, Iranian-backed proxies around the Middle East and robust disinformation operations, international experts believe there is a strong likelihood that Iran will utilize its well-known cyber-warfare capabilities to inflict further damage over time.
Protecting manufacturing from cyber breaches (TechRadar) January 7th
Manufacturing has been revolutionized by the development of increasingly sophisticated and connected operational technology (OT). But as with any integration, there are always going to be teething problems. The crucial bump in the road towards Industry 4.0 is cybersecurity. OT systems have rarely been subject to the same upgrade and replacement cycles as their IT systems and connecting OT to the wider network brings with it all of the security risks to which IT has been beholden for decades.