March 27, 2019

DragonEx exchange hacked, smoking ashes being raked over

By Lisa Vaas

The DragonEx cryptocurrency exchange announced that it was hacked in the small hours of Sunday morning.

It’s managed to retrieve some of its customers’ funds; it’s got the address for a Bittrex account that gobbled up at least some of the loot; it’s asking for its “fellow exchange” to freeze that account; it’s got cyber-cops from Estonia, Thailand, Singapore and Hong Kong on the case; and so please, everybody, just go away for a week and stop clamoring for your money back.

We don’t know how much is gone, but we swear, we’ll make good on this, said the DragonEx team – and the team at every other looted exchange ever, except, that is, for the exchange that promised (almost) nothing when it exit-scammed.

In its official Telegram account, DragonEx promised:

For the loss caused to our users, DragonEx will take the responsibility no matter what.

DragonEx first took its platform offline on Sunday (apparently at the time it was first discovering the breach) saying that it was upgrading its system. Later that day, it announced that it was “still working on system maintenance,” before finally disclosing on Monday that it had been hacked. From Monday’s Telegram announcement:

Part of the assets were retrieved back, and we will do our best to retrieve back the rest of stolen assets.

Read more at https://nakedsecurity.sophos.com/2019/03/27/dragonex-exchange-hacked-smoking-ashes-being-raked-over/

Apple patches 51 security flaws

By John E Dunn

In terms of numbers, the system component with the most entries in the update list is Apple’s browser core, known as WebKit, which gets fixes for 13 vulnerabilities with CVE numbers.

Most of these are a predictable mixture of cross-site scripting (CVE-2019-8551), breaking out of the sandbox (CVE-2019-8562), and things that break web cross-site origin security (CVE-2019-8515).

There’s also the snoopy sounding CVE-2019-6222, by means of which:

A website may be able to access the microphone without the microphone use indicator being shown.

Echoing this is CVE-2019-8554, through which a website could track a user’s motion and orientation data.

This is similar in theme to a flaw in the ReplayKit API, CVE-2019-8566, which could allow apps to record from a device’s microphone without the user realizing.

Most users probably understand that devices can be used to track their web visits and behavior. That security flaws in devices might extend this to their conversations or physical movement sounds much spookier.

Read more at https://nakedsecurity.sophos.com/2019/03/26/apple-patches-51-security-flaws-with-ios-12-2-update/

FEMA exposes sensitive data of 2.3 million disaster survivors

By Lisa Vaas

Losing your home in a hurricane or wildfire is bad enough, but to add insult to injury, the US agency that helps survivors get temporary housing set millions of them up for identity theft and fraud by needlessly sharing their personal data with a contractor.

The Department of Homeland Security Office of the Inspector General (DHS OIG), which administers FEMA, said in a management alert dated 15 March that the US Federal Emergency Management Agency (FEMA) spilled highly sensitive personal data belonging to 2.3 million people who needed hotel lodging because of the 2017 wildfires in California and because of that year’s trio of hurricanes: Harvey, Irma and Maria.

In order for the contractor to administer FEMA’s Transitional Sheltering Assistance (TSA) program, there are 13 types of Personal Identifying Information (PII) it needs, and there are these six types of Sensitive PII (SPII) that it doesn’t need but which FEMA gave it anyway: street address, city name, postal code, the name of the applicant’s financial institution, applicants’ electronic funds transfer numbers, and their bank transit numbers.

SPII is defined as a subset of PII which if lost, compromised, or disclosed without authorization could result in what the DHS OIG called “substantial harm, embarrassment, inconvenience, or unfairness to an individual.” SPII, which includes the financial information that FEMA fumbled, requires stricter handling guidelines because if it’s compromised, it can bring serious hurt to people.

On Friday, FEMA called the data disclosure a “major privacy incident” in a press release.

Read more at https://nakedsecurity.sophos.com/2019/03/26/fema-exposes-sensitive-data-of-2-5-million-disaster-survivors/
