September 26, 2019

Russian pleads guilty in massive JPMorgan hacking scheme

By Lisa Vaas

Preet Bharara – former US attorney for the Southern District of New York – has called the 2012-2015 cyberattacks that targeted a dozen American companies, including JPMorgan Chase, “securities fraud on cybersteroids.”

On Monday, Andrei Tyurin, 35, of Moscow, became the first person to be convicted in the case, which involved the theft of data from as many as 83 million customers of JPMorgan, the biggest bank in the US.

The Department of Justice (DOJ) says that makes it one of the largest thefts of customer data from a single US financial institution in history.

In a statement released on Monday, the US Attorney’s Office for the Southern District of New York said that Tyurin pleaded guilty in Manhattan federal court to six felony counts, including wire fraud, bank fraud and conspiracy to commit computer hacking.

He could face a term of up to life in prison when he’s sentenced on 13 February, though maximum sentences are rarely handed out.

The massive hacking campaign started around 2012 and was carried out up until 2015. The network of crooks Tyurin was working with targeted other financial institutions besides JPMorgan, including brokerage firms. It also went after financial news reporters, including The Wall Street Journal, along with other American companies.

In November 2015, the US indicted three men for the hack and fraud scheme: Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein. All three are now in custody in the US, with charges pending.

Read more at https://nakedsecurity.sophos.com/2019/09/26/russian-pleads-guilty-in-massive-jpmorgan-hacking-scheme/

Hackers are infecting WordPress sites via a defunct plug-in

By Danny Bradbury

If you’re a WordPress admin using a plug-in called Rich Reviews, you’ll want to uninstall it. Now. The now-defunct plug-in has a major vulnerability that allows malvertisers to infect sites running WordPress and redirect visitors to other sites.

Rich Reviews is a WordPress plugin that lets sites manage reviews internally in WordPress, and also lets Google display reviews for a business underneath a search result. Marketing company Nuanced Media released it in conjunction with plug-in developer Foxy Technology in January 2013.

The honeymoon didn’t last long, though. Updating an old blog post earlier this month, Nuanced Media reaffirmed that it had discontinued the plugin. It blamed a change in Google’s schema guidelines that stopped merchants displaying review star ratings on their own URLs.

The company’s last update to the Rich Reviews GitHub repository was over three years ago. The plugin finally disappeared from the WordPress site in March this year. It had accumulated 106,000 downloads in total.

The problem is that at least some of those downloaders (16,000, by some estimates) are still using it, and have been stung by a nasty vulnerability. The security bug allows attackers to inject malvertising code into victims’ WordPress pages, littering them with pop-up ads or redirecting them to other sites.

Wordfence, which sells a WordPress firewall, disclosed the bug on Tuesday.

The attackers rely on two shortcomings in the plugin. The first is a lack of access controls for POST requests that modify the plug-in’s options, meaning that attackers can make those requests without authorization.

The second bug is an input validation flaw. Some of those modification requests can change the text displayed on the site, but the plug-in doesn’t validate the content of the request.

These two flaws combined mean that attackers can inject JavaScript code directly onto the website page.
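The two missing checks described above, shown as an unsafe options handler next to a hardened one. This is an added example, not code from Rich Reviews or from Wordfence's write-up; the plugin name, option name, action name and nonce field are hypothetical, and only standard WordPress API functions are used.

```php
<?php
/*
 * Plugin Name: Example Reviews (hypothetical; illustration only)
 */

// UNSAFE pattern: no check on who is asking, and the submitted text is
// stored exactly as received.
function example_reviews_save_unsafe() {
    if ( isset( $_POST['example_reviews_heading'] ) ) {
        update_option( 'example_reviews_heading', $_POST['example_reviews_heading'] );
    }
}
// Deliberately not hooked anywhere; shown only for comparison.

// HARDENED pattern for the same options update.
function example_reviews_save() {
    // Fix 1 (access control): only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    // The request must carry the nonce issued with the settings form.
    check_admin_referer( 'example_reviews_save', 'example_reviews_nonce' );

    // Fix 2 (input validation): strip tags and control characters before storing.
    $heading = isset( $_POST['example_reviews_heading'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_reviews_heading'] ) )
        : '';
    update_option( 'example_reviews_heading', $heading );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; no nopriv hook is registered.
add_action( 'admin_post_example_reviews_save', 'example_reviews_save' );

// Escape on output as well, so a value stored before the fix cannot run as script.
function example_reviews_heading_shortcode() {
    return '<h3>' . esc_html( get_option( 'example_reviews_heading', '' ) ) . '</h3>';
}
add_shortcode( 'example_reviews_heading', 'example_reviews_heading_shortcode' );
```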

Read more at https://nakedsecurity.sophos.com/2019/09/26/hackers-are-infecting-wordpress-sites-via-a-defunct-plug-in/

Update ColdFusion now! Emergency patch for critical flaws

By John E Dunn

Adobe has rushed out fixes for three vulnerabilities in its ColdFusion web development platform, two of which have been given the top billing of ‘critical’.

The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier.

The first critical flaw is CVE-2019-8073, and is described as allowing “command injection via vulnerable component” leading to arbitrary code execution (ACE).

The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass.

The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure.

Read more at https://nakedsecurity.sophos.com/2019/09/26/update-coldfusion-now-emergency-patch-for-critical-flaws/

Vimeo sued for storing faceprints of people without their say-so

By Lisa Vaas

You didn’t tell me that you’re collecting and storing my faceprint, you didn’t tell me why or for how long, you didn’t get my written OK to do it, and you haven’t told us how long you’re retaining our biometrics or how we can get you to nuke them, another Illinois resident has said in yet another proposed facial recognition class action lawsuit based on the state’s we’re-not-kidding-around biometrics law.

This one’s against the video-sharing, face-tagging website Vimeo.

The complaint was filed on 20 September on behalf of potentially thousands of plaintiffs under the Illinois Biometric Information Privacy Act (BIPA). Illinois resident Bradley Acaley is lead plaintiff.

The suit takes aim at Vimeo’s Magisto application: a short-form video creation platform purchased by Vimeo in April 2019 that uses facial recognition to automatically index the faces of people in videos so they can be face-tagged.

Facebook’s look-alike face-tagging lawsuit

Facebook is facing a similar class-action suit over BIPA: Last month, yet another in a string of US courts reaffirmed that Facebook users can indeed sue the company over its use of facial recognition technology.

That suit – Patel v. Facebook, first filed in 2015 – has been allowed to go forward as a stream of courts have refused to let Facebook wiggle out of it… in spite of Facebook’s many attempts. Last month’s decision to let Patel v. Facebook go ahead was the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology that’s increasingly being foisted on the public without our knowledge or consent.

Read more at https://nakedsecurity.sophos.com/2019/09/26/vimeo-sued-for-storing-faceprints-of-people-without-their-say-so/

Microsoft rushes out fix for Internet Explorer zero-day

By John E Dunn

Windows users always struggled to live securely with Internet Explorer – and now it’s been superseded in Windows 10, it’s as if they’re now struggling to live securely without it.

Witness this week’s rush by Microsoft to patch two high-priority flaws affecting IE versions 9 to 11, one of which is a zero-day the company says is being exploited in real attacks.

The zero-day (CVE-2019-1367) was reported to Microsoft by Clément Lecigne of Google’s Threat Analysis Group. It’s a remote code execution (RCE) flaw in the browser’s scripting engine that could allow an attacker to:

… install programs; view, change, or delete data; or create new accounts with full user rights.

No further details have been made public in the advisory, but as with most browser vulnerabilities, exploitation would involve luring unpatched users to a malicious website.

No big deal?

Because IE is only used by a few percent of users, in theory this minimizes the scope of the flaw.

However, because IE code still lurks in every version of Windows, including Windows 10, the number of people actively using it might not be the whole story.

Some will have activated it on their Windows 7 and 8 computers in the past, which means they could still be vulnerable if it’s set as the default browser or they can be persuaded to visit an infected website using it.

Read more at https://nakedsecurity.sophos.com/2019/09/25/microsoft-rushes-out-fix-for-internet-explorer-zero-day/
