British Airways Hack Triggers GDPR Concerns, as World Awaits Windows 0-Day Patch
Last updated on: September 6, 2020
A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.
Could British Airways hit GDPR turbulence after data breach?
Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.
Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.
British Airways said it fixed the problem but hasn’t provided details about the nature of the attack, other than calling it “malicious” and “sophisticated.” Experts are speculating on the possible vectors.
“It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website,” Alan Woodward, a professor at the University of Surrey, told the BBC.
Meanwhile, Ben Oguntala, a security consultant hired this year by the airline to improve its payment systems, told The Times that the incident was a “disaster waiting to happen.” Oguntala said he quit after concluding that the controls being implemented by the airline were weak.
There’s already talk that this incident could land British Airways in trouble with the EU’s General Data Protection Regulation (GDPR), the severe regulation that went into effect in May and that carries potentially massive fines.
In an unrelated incident, about 20,000 users of Air Canada’s mobile app may have had personal information stolen between Aug. 22 and Aug. 24. According to the airline, customer data at risk included names, email addresses, phone numbers, passport information, known traveler number, birthdate. Credit card numbers are encrypted.
More information:
British Airways boss apologises for ‘malicious’ data breach (BBC)
British Airways Says Customers’ Financial Data Was Hacked In 380,000 Transactions (NPR)
BA Data Breach: What Does The British Airways Hack Mean For Customers? (The Independent)
Apple kicks out apps with spyware behavior
Apple has removed several popular apps from its Mac App Store in recent days after reports from various security researchers claiming the apps, built by third-party developers, were exfiltrating user data.
The wave of removals seems to have started when security researcher Patrick Wardle — acting on a tip from Twitter user @Privacyis1st — called out the app Adware Doctor, saying it stealthily collects users’ browser histories and transmits the information to a host in China.
Wardle, co-founder of Digita Security, detailed his findings on the Objective See blog, a site where he hosts free MacOS security tools he has built. Apple removed the app shortly after he published his post.
Thomas Reed, director of Mac and Mobile at Malwarebytes, jumped in, saying there were apps on the Mac App Store that he and other researchers had denounced for exfiltrating user data in recent months.
Over the weekend and on Monday, Apple removed several more apps, including those Reed had mentioned, as reported by SC Magazine, 9to5Mac, PC Magazine, BleepingComputer, and other outlets.
More information:
Top MacOS App Exfiltrates Browser Histories Behind Users’ Backs (ThreatPost)
A top-tier app in Apple’s Mac App Store stole your browser history (Techcrunch)
More Mac Apps Have Been Stealing User Data (Tom’s Hardware)
One Of Most Popular Mac Apps Acts Like Spyware (Wired)
Chinese hotel chain hit by massive hack
Huazhu Hotels Group, one of China’s largest hotel chains, suffered a data breach that affects a whopping 130 million customers. Hackers are believed to have stolen personal and financial customer data from 13 of the company’s hotels.
The data includes phone numbers, email addresses, bank account numbers and booking details. It was reportedly found for sale on the dark web for 8 Bitcoins, or about $56,000.
Huazhu hasn’t disclosed details of the attack, but, according to the BBC, cyber-security firm Zibao told a local news outlet that it believed hotel software developers accidentally uploaded database to Github.
If this was the case, a best practice that can help prevent this type of problem is to “create a process to monitor your GitHub and other external code repositories for deliberate or accidental inclusion of inappropriate information such as databases and SSH private keys, and assure proper access controls are in place to protect company IP,” SANS analyst Lee Neely said in a note.
More information:
China police investigate possible data breach at hotel operator Huazhu (Reuters)
Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum (BleepingComputer)
Chinese police investigating major security breach of hotel group (ZDNet)
Chinese hotel chain’s customer data on Dark Web – 500M records for $50K (Naked Security)
Windows zero-day flaw awaits patch, as hackers exploit it
A security researcher disclosed publicly on Twitter a Windows 10 zero-day vulnerability, along with proof-of-concept exploit code, and hackers wasted little time using it for attacks in the wild. The researcher later acknowledged he should have notified Microsoft and given it a chance to create a patch before announcing the flaw.
The local privilege escalation bug resides on the Windows task scheduler’s Advanced Local Procedure Call (ALPC) interface, potentially allowing a local user to obtain system privileges, according to the CERT advisory.
“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications,” the advisory reads.
The vulnerability was disclosed on Aug. 27, and attacks exploiting it began a couple of days later.
Microsoft is working on a patch, but it hasn’t been released yet. In a statement, the company said it would issue the fix during its monthly Patch Tuesday. The next one is scheduled for tomorrow Sept. 11.
Mitigations and at least one third-party patch have been offered, but Microsoft hasn’t endorsed them.
More information:
Microsoft Windows Zero-Day Found in Task Scheduler (ThreatPost)
Task Scheduler ALPC exploit high level analysis (DoublePulsar)
Microsoft Windows Task Scheduler zero-day and PoC exploit disclosed via Twitter (CSO)
Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day (BleepingComputer)
In other security news …
- Fiserv, a big tech services provider to banks, fixed a major flaw in its web platform that “exposed personal and financial details of countless customers across hundreds of bank Web sites,” according to KrebsOnSecurity.
- Abbyy, a Russian maker of optical recognitition software, left a MongoDB database unsecured and publicly accessible on the Internet, exposing more than 200,000 files containing sensitive customer information.
- Google has open sourced a tool it developed for internal use to detect font-related vulnerabilities.
- In separate incidents, two companies that make tools for secretly monitoring the content and communications of mobile devices — TheTruthSpy and mSpy — exposed data they’ve collected from customers, many of whom are parents wanting to track their children’s cell phone use.
- The Mega.nz browser extension for Chrome was compromised by hackers and used to steal information from users, including passwords and private keys for cryptocurrency accounts. The incident highlights the risks of browser extensions and add-ons.
- The recently-disclosed vulnerability in Struts 2 is already being exploited in the wild, yet another reason for organizations to apply the patch issued by Apache.
- A security researcher recently discovered almost 400,000 web pages with open .git directories, potentially exposing a trove of confidential information, like passwords.