Security daily (16-08-2021)

SEC, education company Pearson settle charges over 2018 security incident for $1 million

British educational software company Pearson settled charges with the U.S. Securities and Exchange Commission for $1 million over its “misleading” handling of a 2018 data breach, the SEC announced Monday. The SEC based its charges on a July 2019 disclosure to the agency that a hypothetical “data privacy incident” could “result in a major data privacy or confidentiality breach” when the company had in fact already been breached and had known about it for months, among other statements. In its public response to the incident, which involved the theft of student information and administrator log-in accounts for 13,000 district, school and university customer accounts, Pearson also left out details about the extent of the stolen information, the SEC said. Pearson claimed to have “strict protections” in place even though it had left a critical vulnerability unpatched for six months that the hackers exploited, along with other poor security practices cited by […] (CyberScoop)

T-Mobile investigates potentially massive breach of consumer data

T-Mobile is investigating claims by a hacker that they have put sensitive information about more than 100 million of the company’s customers up for sale after breaching its servers. T-Mobile confirmed on Monday that some of its data was accessed without authorization. The company says it has not determined if the data included personal information or the number of records affected. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the company said in a statement. “This investigation will take some time but we are working with the highest degree of urgency.” T-Mobile said it is coordinating its investigation with law enforcement. The data acquired by the hacker appears to include names, Social Security numbers, addresses, phone numbers and driver’s […] (CyberScoop)

Copyright scammers turn to phone numbers instead of web links

Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers. (Naked Security)

SynAck Ransomware Group Releases Decryption Keys And Rebrands

(News ≈ Packet Storm)

T-Mobile Investigating Claims Of Customer Data Breach

(News ≈ Packet Storm)

The Taliban Have Taken Afghanistan

(News ≈ Packet Storm)

AFP Seeks Upgrade To Telco Interception And Surveillance

(News ≈ Packet Storm)

Multiple Flaws Affecting Realtek Wi-Fi SDKs Impact Nearly a Million IoT Devices

Taiwanese chip designer Realtek is warning of four security vulnerabilities in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors. The flaws, which affect Realtek SDK v2.x, Realtek "Jungle" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek "Luna" SDK up to version 1.3.2, could be abused by attackers to (The Hacker News)

Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks

Weaknesses in the implementation of the TCP protocol in middleboxes and censorship infrastructure could be weaponized as a vector to stage reflected denial of service (DoS) amplification attacks against any target, surpassing many of the existing UDP-based amplification factors to date. Detailed by a group of academics from the University of Maryland and the University of Colorado Boulder at the (The Hacker News)

Dozens of STARTTLS Related Flaws Found Affecting Popular Email Clients

Security researchers have disclosed as many as 40 different vulnerabilities associated with an opportunistic encryption mechanism in mail clients and servers that could open the door to targeted man-in-the-middle (MitM) attacks, permitting an intruder to forge mailbox content and steal credentials. The now-patched flaws, identified in various STARTTLS implementations, were detailed by a group of (The Hacker News)

New AdLoad Variant Bypasses Apple's Security Defenses to Target macOS Systems

A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple's on-device malware scanner and were even signed by its own notarization service, highlighting the malicious software's ongoing attempts to adapt and evade detection. "AdLoad," as the malware is known, is one of several (The Hacker News)

Critical Valve Bug Lets Gamers Add Unlimited Funds to Steam Wallets

Valve plugs an API bug found in its Steam platform that abused the Smart2Pay system to add unlimited funds to gamer digital wallets. (Threatpost)

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover

The bug would allow a number of malicious actions, up to and including full site takeover. The vulnerable plugin is installed on 100,000 websites. (Threatpost)

100m T-Mobile Customer Records Purportedly Up for Sale

UPDATE: T-Mobile confirmed the breach, but hasn't confirmed whether customer data was involved. The offer: 30m records for ~1 penny each, with the rest being sold privately. (Threatpost)


/security-daily/ 17-08-2021 23:44:22