By Juan Lugo, Product Marketing Manager at Bitglass
Here are the top stories of recent weeks:
- iPhones Susceptible to a Hack via Text
- Democratic Senate campaign group exposed emails of 6.2 million Americans
- State Farm says Hackers Successfully Conducted a Credential Stuffing Attack
- 96 Million Steam Gamers Susceptible to Breach
- Bluetooth Security Vulnerability Exposes Millions Of Devices
Earlier this month, Natalie Silvanovich, a Google Project Zero researcher, presented multiple interaction-less bugs in Apple’s iOS iMessage client at the Black Hat security conference in Las Vegas. Silvanovich asserts that these bugs can be used to interact with a user’s device and exploit it. Although Apple has addressed the issue publicly, the bugs have still not been patched. These bugs can be weaponized to infiltrate users’ data without the victim having to click on a link or download a malicious file. There is a lot of focus on deploying cryptographic solutions to secure data, but that effort is rendered useless if there are bugs on the receiving end.
Similar to the recent Capital One breach, the DSCC (Democratic Senatorial Campaign Committee) stored sensitive data belonging to 6.2 million Americans, including their emails and political party affiliation. Among the leaked data, 7,700 emails belonged to government officials and 3,400 to active-duty service members. Even though the DSCC was able to recover and secure the leaked information reactively, far more damage could have been caused in the hands of a malicious entity.
A malicious actor was able to bypass State Farm’s security controls by carrying out a credential stuffing attack, which yielded countless valid usernames and passwords for State Farm online accounts. Credential stuffing is a viable approach for hackers when usernames and passwords are made public via security breaches at other companies. This is a double-edged sword for organizations that choose to be transparent in the midst of a breach and, in turn, grant the public access to sensitive data. Hackers then take those leaked credentials and attempt to gain access to other platforms and services where users have reused the same username and password. It is estimated that 3.5 billion credential stuffing requests aimed at financial institutions have been made in the past 18 months.
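Credential stuffing has a recognizable shape in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the occasional success is a reused password. The following Python detector is an added example, not code from Bitglass or from State Farm; the log format, the field names (`ip`, `user`, `result`) and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (hypothetical format, not real data).
# 203.0.113.7 tries seven different usernames in five seconds and lands one hit;
# 198.51.100.4 is one user retrying their own forgotten password.
SAMPLE_LOG = """\
2019-08-10T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-08-10T12:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-08-10T12:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-08-10T12:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2019-08-10T12:00:04Z ip=203.0.113.7 user=erin result=FAIL
2019-08-10T12:00:05Z ip=203.0.113.7 user=frank result=FAIL
2019-08-10T12:00:06Z ip=203.0.113.7 user=grace result=FAIL
2019-08-10T12:00:30Z ip=198.51.100.4 user=alice result=FAIL
2019-08-10T12:00:35Z ip=198.51.100.4 user=alice result=FAIL
2019-08-10T12:00:40Z ip=198.51.100.4 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "SUCCESS",
    }


def detect_credential_stuffing(log_text, min_users=5, min_fail_rate=0.7,
                               window_seconds=60):
    """Return {ip: stats} for sources that look like credential stuffing.

    The signal is many distinct usernames from one source within a short
    window, with a high failure rate. A single user retrying their own
    password (one distinct username) is deliberately not flagged.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        fail_rate = failures / len(evs)
        if (len(users) >= min_users and fail_rate >= min_fail_rate
                and span <= window_seconds):
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": len(evs),
                "fail_rate": round(fail_rate, 2),
                # Successful logins during a stuffing burst are the accounts
                # whose passwords were reused and now need a forced reset.
                "successes": [e["user"] for e in evs if e["ok"]],
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The per-source view is only a first check: real stuffing campaigns are spread across proxy pools so that no single IP crosses the threshold, so the same statistics should also be computed per username and globally (failure rate across all sources against a baseline), and any account that succeeds inside a flagged burst should be treated as compromised by password reuse rather than as a legitimate login.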
Testing of the Steam Client Service found vulnerabilities within the platform that enable bad actors to deploy malware onto the network, potentially affecting 96 million users. A privilege escalation vulnerability allows an attacker with minimal privileges to gain administrative access. This kind of vulnerability opens user devices to the risk of being taken over by an attacker who could then steal data, compromise passwords, and more. It is done by modifying the system registry to enable application execution through the service; the attacker could then deploy a malicious app via the Steam service. Game over!
KNOB (Key Negotiation of Bluetooth) is being coined the new gateway to your data via connection infiltration. IoT has been adopted by the masses, but how many users actually remember to update their devices’ firmware? Forgetting this seemingly trivial task can make your device susceptible to data breaches. Additionally, it gives attackers a vector to interfere with the connection encryption process, stealing the encryption key and ultimately accessing the data moving between paired devices. The list of tested Bluetooth chips found to be vulnerable included those from Apple, Intel, Broadcom, and Qualcomm.
Read more security spotlights by visiting Bitglass’s blog here.