A look at some of the top news stories in information security this week, including President Trump proposing a cybersecurity alliance with Russia, breaches impacting Verizon and Hard Rock Hotel and Casinos, and Microsoft, Adobe and SAP all addressing security flaws.
President Trump Proposes, Then Rescinds, Joint Russian Cybersecurity Unit
In a tweet on Saturday, July 9, President Donald Trump mentioned the possibility of forming a cybersecurity alliance with Russia. The tweet came after President Trump met with Russian President Vladimir Putin. After Putin “vehemently denied” Russia’s interfering with the 2016 presidential election, President Trump tweeted about the potential cybersecurity unit. One day later, however, President Trump pulled back on the idea.
Verizon has confirmed that 6 million records have been compromised by the third party that facilitates its customer service calls. Israel-based Nice Systems, which claims to service 85 of the Fortune 100 companies as customers, has exposed the millions of customer records after the subscriber information was found on an unprotected Amazon S3 storage server operated by one of its employees.
Microsoft’s Patch Tuesday Release Addresses 19 Critical Vulnerabilities
Every security manager’s favorite day of the month, Microsoft’s Patch Tuesday featured fixes for 19 critical vulnerabilities. One of the patches addressed a vulnerability that was publicly known prior to the release. In total, 54 vulnerabilities were patched in Microsoft’s Windows, Edge, Internet Explorer, Office and Exchange products. Apart from the critical bugs, 32 flaws were rated important, while three were given a moderate severity rating.
Three Vulnerabilities Patched in Latest Adobe Flash Update
Adobe’s latest security release addresses vulnerabilities in its Flash Player browser impacting Windows, Mac, and Linux users. Version 220.127.116.11 patches one critical vulnerability (CVE-2017-3099) that could result in an attacker executing remote code, as well as an information disclosure bug and a memory address disclosure flaw. The company also patched three vulnerabilities in its Adobe Connect for Windows products.
Data Leak Impacts 100 Million Indian Telecom Customers
Indian telecom firm, Reliance Jio, has launched an investigation to find out whether the personal information of over 100 million of its customers leaked online. Personal information belonging to customers was made available on “Magicapk.com”, although Jio stated that it appeared to be “unauthentic.” Complaints started to flood Twitter regarding the information made available on the site, and some media stated that their checks had led them to believe that the information was authentic.
On Tuesday, SAP released patches addressing a series of vulnerabilities, one being a high-priority flaw in its Point of Sale Retail Xpress Server. The critical flaw is comprised of missing authentication checks in the POS server, which if leveraged, results in unauthorized access which gives an attacker the ability to execute restricted functions, such as reading, writing, or deleting files stored on an SAP POS server.
Guests who have recently stayed at the popular hotel, resort, and casino chain Hard Rock, as well as Loews Hotels, have recently been warned by the franchises to keep tabs on their bank account statements. Following a security incident which impacted Sabre Hospitality Solutions (SHS) SynXis, which produces an inventory management SaaS application used by the hotel franchises, the company began notified hospitality companies that may have been impacted, although it is not clear how many hotels have been affected by the breach.
Alexander Tverdokhlebov, a 29-year-old Russian-born man living in Los Angeles, has been sentenced to 110 months in prison for stealing and selling sensitive personal and financial data on exclusive Russian-speaking cybercrime forums. Tverdokhlebov offered a variety of illegal services on the forums, including the laundering of stolen funds, according to a release by the Department of Justice.
Avanti Markets, which produces the self-serve food kiosks often found in company break rooms, said on July 4 that it had discovered a “sophisticated” malware attack on a number of its kiosks. Although a specific number has not been disclosed, up to 1.5 million of the company’s customers may have been impacted by the breach. Information such as personal and bankcard data, in addition to stored biometric data, may have been compromised. Due to the different kiosk configurations, the company said that the stolen data could vary depending on location.