Apple a failli … et a couru pour corriger la faille béante laissée dans sa version de macOS High Sierra. Pour rappel, l’exploit est simple: il suffit de cocher « Autre utilisateur » sur la page de connexion, de saisir root comme nom d’utilisateur et laisser le mot de passe vide. Il suffit ensuite de cliquer plusieurs fois et vous avez alors un accès en mode administrateur.
Sinon, on apprend également que la NSA a perdu des données ultra-secrètes à la vue de tous. C’est d’ailleurs un type d’actualité qui revient malheureusement très souvent ces derniers temps: des stockages de données dans le cloud mal sécurisés et qui se retrouvent finalement en libre accès comme par exemple la National Credit Federation (NCF) avec 111GB en libre accès sur Amazon. Rappelons encore ici que ce n’est pas Amazon qui est mis en cause mais les mauvaises configurations.
En attendant les prochaines nouvelles #cybersec et #infosec, voici la sélection des actualités intéressantes de la semaine passée:
-
Faille béante dans macOS High Sierra : Apple fait son mea culpa et diffuse son patch [MAJ]
« »Nous avons failli », reconnaît Apple dans un communiqué suite à la découverte de cette faille qui offre un moyen simple et infaillible de prendre le contrôle de n’importe quel Mac. »
-
Des milliers de données volées au département des services sociaux australiens
« Le département des services sociaux australiens (DSS) a récemment communiqué au sujet d’une faille de sécurité dans son système de gestion des cartes bancaires. Les noms, adresses mails, mots de passe et numéros de téléphone de plusieurs milliers de collaborateurs auraient été dérobés. »
-
UK’s NCSC Warns Government Agencies About Russian Antivirus Products
« A branch of the UK intelligence forces has sent out a letter to UK government departments and agencies about the use of Russian antivirus software to protect computers that store classified information. »
-
Websites use your CPU to mine cryptocurrency even if you close them
« Researchers have discovered “Persistent drive-by cryptomining” technique using which hackers and website owners can use visitors’ CPU power to generate Monero coins even after the browser window is closed. »
-
Un piratage perturbe la fabrication d’un vaccin
« Un vaccin destiné à lutter contre le cancer de l’utérus en rupture de stock à la suite du piratage informatique d’un laboratoire pharmaceutique. »
-
Red Disk : un outil de la NSA oublié dans le cloud !
« Red Disk : le contenu d’un disque dur hautement sensible appartenant à la National Security Agency a été découvert en accès libre sur le web. »
-
Après le vol massif de données, l’UE juge Uber « irresponsable »
« La Commission européenne a jugé jeudi « irresponsable » la gestion par Uber des données de ses clients et chauffeurs. Les autorités de protection de la vie privée de l’UE ont annoncé le début d’une enquête coordonnée. »
-
Nearly 50 per cent of second storage devices have personal information on them
« Nearly half of second hand storage devices contain sensitive information about their previous owners, according to a new study. Research published yesterday by Kroll Ontrack has found that people are failing to erase personal data on storage devices before selling them to others. »
-
Anonymous launch Brazilian Corrupt Public Sector Entities Data LeakSecurity Affairs
« It is important to notice that all IP ranges from São Paulo military and civil police was leaked, including servers related to public identification and public safety. The compromised data also describes the police servers entirely exposing not only the identity of every police officer, but also the entire public security office. »
-
Russia Will Build Its Own Internet Directory, Citing US Information Warfare
« The Russian government will build an “independent internet” for use by itself, Brazil, India, China, and South Africa — the so-called BRICS nations — “in the event of global internet malfunctions,” the Russian news site RT reported on Tuesday. »
-
Biggest hit against online piracy: Over 20 520 internet domain names seized for selling counterfeit
« Joint investigations by Europol’s Intellectual Property Crime Coordinated Coalition (IPC³), the US National Intellectual Property Rights Coordination Centre and law enforcement authorities from 27 EU Member States and third parties , facilitated by INTERPOL, have seized over 20 520 domain names that were offering counterfeit goods, for example luxury products, sportswear, electronics, pharmaceuticals and online piracy on e-commerce platforms and social networks. »
-
Europol smashes global ATM skimmer ring
« Europol has hunted down and arrested the alleged key members of a criminal ring dedicated to ATM skimming. On Thursday, the international law enforcement agency said that as part of a joint law enforcement push dubbed « Operation Neptune, » four Bulgarian citizens were arrested on 30 November. »
-
National Credit Federation leaked US citizen data through unsecured AWS bucket
« The National Credit Federation (NCF) has become the latest in a long list of companies to leave the sensitive, private data of customers exposed for all to see online. According to Chris Vickery, UpGuard Director of Cyber Risk Research, the Tampa, Fla.-based credit repair firm left 111GB of internal customer information on an Amazon Web Services S3 cloud storage bucket configured to allow public access without restriction. »
-
NSA Employee at the Middle of the Kaspersky Saga Admits Taking Files Home
« The US Department of Justice (DOJ) has formally charged a former NSA employee for taking classified documents home. The man, Nghia Hoang Pho, 67, of Ellicott City, Maryland, pleaded guilty today, according to court documents released by the DOJ. »
-
Cybersecurity company UpGuard finds classified NSA, Army data online
« A cybersecurity company said Tuesday it found top secret files related to classified Army communications systems sitting unprotected online for anyone to see. »
-
Facebook bot problem:Users forced to upload selfies to prove they are real
« Facebook, the world’s largest social network, has confirmed that it is attempting to « catch suspicious activity » by making users upload selfies to help prove they are real humans. »
-
Imgur confirms breach, 1.7 million users affected
« Popular image hosting website Imgur has announced on Friday that hackers stole usernames and passwords of 1.7 million of its users. The breach dates back to 2014, when Imgur still encrypted the stored passwords with the SHA-256 algorithm, which has since been found too weak to withstand brute forcing. »
-
Credit card fraud down 29% for the first time
« For the first time in recent years, credit card fraud has dropped from 59 percent of total fraud found in the 2016 holiday week to 42 percent of total fraud found in 2017 the holiday week. »
-
Deleting anyone’s Facebook photo, a bug that earned researcher $10,000
« The researcher who goes by the name of Pouya Darabi, found the bug while going through new features introduced by Facebook and noted that that the newly added “poll feature” on the site carried the flaw that could be exploited to remove photos from an account without user knowledge or permission »
-
Russia Is Now Providing North Korea With Internet: What That Could Mean For Cyber Warfare
« On October 1st, 38North and Dyn Research reported that Russia began providing an internet connection to North Korea. The Russian-provided infrastructure gives Pyongyang 60% more bandwidth and a second connection to the outside world »
Posted from Diigo. The rest of my favorite links are here.
1 Comment
Comments are closed.
Pingback: Veille Cyber N159 – 11 décembre 2017 |