National Consumers League

The #DataInsecurity Digest | Issue 99

Millions of Intel processors, Boeing 787 planes, and WhatsApp all found to have major cyber vulnerabilities

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Cyber researchers were busy this week as new vulnerabilities were found in WhatsApp, Boeing 787s and millions of newer Intel processers. In other news, after the Federal Trade Commission (FTC) announced their settlement with Equifax, they are weathering a publicity fiasco after an ‘unexpected’ number of breach victims began filing for compensation and worries grew that the fund was not large enough to pay out to everyone at the promised amount.

And now, on to the clips! 

-----------------

Millions of newer Intel microprocessors vulnerable to hackers. @zpring reports that Intel microprocessors manufactured after 2012 “are vulnerable to a new type of side-channel attack dubbed SWAPGS.” SWAPGS is like the previously announced Spectre and Meltdown vulnerabilities and “could allow a hacker to gain access to sensitive data such as passwords and encryption keys on consumer and enterprise PCs.” This newly discovered vulnerability “bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown.” (Source: Threat Post)  

Cybersecurity vulnerability discovered in Boeing 787. The vulnerability could allow "a multi­stage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.” While Boeing flatly denies the existence of the vulnerability researchers say the “flaws uncovered in the 787's code" represent a “troubling lack of attention to cybersecurity...” (Source: Wired)  

Vulnerability in WhatsApp allows hackers to edit messages. Researchers have “discovered ways in which a malicious actor could alter messages in WhatsApp, “essentially putting words in [someone’s] mouth.” The vulnerability also “allows [hackers to] change the identity of the sender of content in a group chat.” Security researcher @Od3dV commented that “a malicious actor would not have to crack Facebook’s end-to-end encryption in order to do this... the process was ‘not so complex to perform.’” The security vulnerability has not been fixed and remains an issue. (Source: Financial Times)

‘Historic’ Equifax settlement may provide less relief than promised. Initially, victims were given the choice of free credit monitoring or a $125 settlement check. But, due to the limited funds, Equifax agreed to provide the fund and the “unexpected” demand on the settlement check option, the FTC is now cautioning “that if everyone eligible requests the money over the monitoring, your benefit will be nowhere near $125." (Source: CNET)  

Facebook fails to stop class-action lawsuit over biometric data collection practices. Class members alleged that the social media giant “secretly amassed the world’s largest privately held database of consumer biometric data,” without their knowledge or consent. Facebook argues that victims were free to opt-out at any time. (Source: Bloomberg)

In wake of Capital One breach, congressional scrutiny focuses on Amazon. In a letter to Amazon, the company that managed the cloud service responsible for the Capital One breach, Senator Ron Wyden (D-OR) argued that, “[w]hen a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices… However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.” (Source: Wall Street Journal)

Suggested reading: The Capital one breach autopsy

Breach du jour: Stock X. The online clothing marketplace appears to be the latest retailer to suffer a data breach. @zackwhittaker reports that customer names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information such as shoe size and trading currency,” were compromised. (Source: TechCrunch)

National Consumers League
Published August 15, 2019