InfoSec Round-Up: September 27th 2020
Ransomware Fatality, Bing Leaks, Instagram Bug & Uber Data Sharing
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
This week we are looking at Microsoft leaks, Instagram flaws, Uber data sharing and a fatal ransomware attack.
Following a ransomware attack against Düsseldorf University Hospital, a patient has died due to an inability to provide critical care, in what is believed to be the first cyber-crime fatality.
Happening on the 9th of September, the hospital was hit with the attack, causing vital systems to be disabled. As a result, the female patient was being transferred to a nearby hospital when the tragedy occurred.
According to some local reports, it is possible that the hackers did not intend to attack the hospital, instead attempting to target a different university, and that once they had realised their mistake, they handed over the decryption key without demands for ransom payment.
Former chief executive of the UK's National Cyber Security Centre Ciaran Martin said: "If confirmed, this tragedy would be the first known case of a death directly linked to a cyber-attack… Although the purpose of ransomware is to make money, it stops systems working. So, if you attack a hospital, then things like this are likely to happen.”
German police have launched a ‘negligent homicide’ investigation into the matter.
Uber Data Sharing Under the Spotlight
It has been reported that the transport company Uber has shared user data with law enforcement over 2,000 times per year, in a battle to regain its fraught London taxi licence.
Reported by The Times, the company has been sharing user and driver data with the Metropolitan Police ‘seemingly without warrants’, with the intention of currying favour with regards to appeals courts and their highly valuable London licence.
The Westminster Magistrates’ Court last week heard from the Police Chiefs’ Council (NPCC) that law enforcement benefits from "thousands of pieces of intelligence on drivers, passengers and journeys each year," aiding in their ability to tackle drug dealing and human trafficking.
Having lost their licence back in November of 2019, the company was condemned for a “pattern of failures” that jeopardised passenger safety, including not having adequate protections to stop drivers’ pictures from being swapped with unauthorised parties.
Striking some as an invasion of privacy, MP for Monmouthshire, David Davis declared in response that he is tabling “Parliamentary Questions to the Home Office and Freedom of Information requests to police forces around the country seeking further information” into the matter.
Microsoft Leaks 6.5TB of Bing Data
Microsoft has unwittingly exposed an Elasticsearch server containing 6.5TG of location data, device IDs and search details, following the erroneous removal of password-protection.
Originating from the Microsoft Bing mobile app, which has been downloaded more than 10 million times via Google Play alone, the exposed data was discovered by a white-hat hacker and cyber-security operation WizCase.
The database, which, according to the report, was growing by 200GB per day at the time of its discovery, contained the records of people searching from over 70 countries and was left unsecured for approximately 6 days.
A spokesperson for Microsoft has stated: “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed. After analysis, we’ve determined that the exposed data was limited and de-identified.”
Despite the data containing a relatively limited collection of information, even search data, device numbers and location data can be used to deanonymize users, potentially making those affected more susceptible to phishing attacks, blackmail, and fraud.
Instagram Bug Allowed Hackers Remote Access
It has been reported that Instagram’s Android app contained a critical vulnerability that could have allowed attackers remote access and control over a user’s device, simply by sending a specially designed image.
Now fixed by Facebook, the issue affected hundreds of millions of users of the photo sharing app, up until February 10th of this year, when an update was released.
Discovered by a research team at Check Point, their Head of Cyber Research has stated: “The issue was a buffer overflow, caused by sending a picture with a large size which fools the application into believing it’s much smaller. This causes an overwrite and lets us do our magic.”
Disputing its significance, Facebook have responded that they “have no reason to believe [the flaw] impacted anyone”; though the discoverers maintain its importance.
According to security report, the critical vulnerability “would have allowed an attacker to perform any action of choice inside Instagram – read DMs, delete or post content, manipulate account details, as well as the ability to turn a victim’s phone into a spying tool to access GPS location, phone contacts and camera.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
What is GDPR Compliance UK? Understanding the General Data Protection Regulation and UK Compliance. Blog by Hut Six Security.
What is a DDoS attack and what should you do if you think you are experiencing one? Blog by Information Security Training provider Hut Six Security.
Does GDPR Apply to Individuals? How GDPR Relates to you Personally. Blog by Information Security Awareness Training provider Hut Six Security
Does GDPR Cover Paper Records? Paper Records and Data Protection Law blog by Information Security Awareness Training provider Hut Six Security.
How Secure is My Organisation? Knowing where you are, before knowing where to begin. Blog by Information Security Awareness solution Hut Six Security.
How Does Ransomware get on your Computer? Chances are that in the last few years you've heard the term "ransomware". Blog by Hut Six Security.
How to Audit Your Business for GDPR Compliance with a GDPR Business audit. Hut Six Security guest blog by https://reciprocitylabs.com/.
What is a Breach of Data Protection? The Data Protection Act - Personal Data Breaches, Reporting and Consequences. Blog by Hut Six Security
University of California Ransomware Attack: a $1.1.4m ransom has been paid following a ransomware attack on University of California's School of Medicine.
What is the Purpose of the Data Protection Act? Blog by information security awareness training solution provider Hut Six Security.