Each week, Wipfli’s cybersecurity professionals review the latest breaches, vulnerabilities, patches and updates.
- Marketing firm iPR Software exposed thousands of customer records through an unprotected 1TB Amazon S3 storage bucket for at least a month. Organizations affected include General Electric, Dunkin Donuts, CenturyLink, Xerox, Nasdaq, California Courts and Mercury Public Affairs. The bucket was discovered by researchers on Oct. 15, 2019 and secured Nov. 26, 2019.
- Customer credit card information could have been stolen from the City of Waco, Texas, water department’s Click2Gov online payment portal earlier this year. Investigators hired by the city found that payment information entered between Aug. 30 and Oct. 14, including names, addresses, credit card numbers, expiration dates and card verification value (CVV) numbers, could have been captured by malicious code.
- A company that provides a service allowing customers to apply for copies of birth certificates from U.S. states has allegedly exposed the personal details of those applicants. A UK-based security research company identified the unsecured Amazon S3 bucket, which contained the personal details of 750,000 people. The data includes their name, date of birth, email address and home address, among other details.
- Siemens industrial equipment commonly found in fossil-fuel and large-scale renewable power plants is riddled with multiple security vulnerabilities, the most severe of which are critical bugs allowing remote code execution.
- Security researchers are warning users of two WordPress plugins – made by Brainstorm Force – that they need to patch a “major” vulnerability that could allow hackers to gain administrative access to any website using the plugins.
- US-CERT Vulnerability Summary for the week of December 9, 2019.
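Two of the items above (the iPR Software exposure and the birth-certificate application service) trace back to the same root cause: an Amazon S3 bucket whose policy or access-block settings allow anonymous reads. The following Python is an added example written for this digest, not code from Wipfli or from any of the organizations named above. It evaluates a bucket policy document in the standard AWS JSON format plus a PublicAccessBlock configuration dict, both of which are constructed samples here rather than real bucket settings; in practice the same inputs come from `get_bucket_policy` and `get_public_access_block`, which the example deliberately does not call so that it runs offline.

```python
"""Flag S3 bucket policies that grant anonymous read/list access and report
missing PublicAccessBlock flags. Added example; inputs are constructed samples."""
import json

# Actions that let an anonymous principal read objects or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the two anonymous forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(who == "*" for who in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_doc):
    """Return one finding per Allow statement that lets anyone read or list.

    A Condition block can narrow an otherwise-public statement (for example to
    a source VPC), so such statements are still reported but marked for review
    rather than treated as a confirmed exposure.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal", {})):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        exposed = sorted(actions & READ_ACTIONS)
        if not exposed:
            continue
        findings.append({
            "sid": stmt.get("Sid", "statement-%d" % i),
            "actions": exposed,
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_access_block_gaps(config):
    """Return the PublicAccessBlock flags that are absent or False."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in wanted if not config.get(flag, False)]


# Constructed sample: the classic "public website" policy that exposes every object.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: access limited to one account role; no anonymous grant.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: only one of the four block flags is on.
PARTIAL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": False}

if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, public_read_statements(doc))
    print("missing block flags:", public_access_block_gaps(PARTIAL_BLOCK))
```

Run against every bucket in an account, a non-empty result from either function is the signal to act on: a public-read statement is the exposure itself, while any missing PublicAccessBlock flag means a future policy or ACL change can re-open the bucket even after the current policy is fixed.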
Patches & Updates
- Google released a stable build of Chrome 79, which includes new password-protection and phishing-protection features. As the user enters credentials into websites, the Chrome browser checks whether those credentials have previously been compromised. The list of compromised websites that Chrome checks against is now refreshed every 30 minutes.
- For the last Patch Tuesday of 2019, Adobe released updates for Acrobat Reader, Photoshop CC, ColdFusion and Brackets to patch 25 vulnerabilities, 17 of which are rated critical. The most common flaw is remote code execution. While there is no evidence these are being exploited in the wild, Adobe recommends prioritizing these fixes.
- Apple released iOS 13.3, iPadOS 13.3, tvOS 13.3 and watchOS 6.1.1 to the public. The update adds Safari support for two-factor authentication using FIDO2-compliant security keys that connect over near-field communication (NFC), USB or Lightning.