And here comes another issue of the Sunday Weekly… On Mondays!
Magecart attacks keep ongoing. This time it is a Fitness Depot, the largest exercise equipment retailer in Canada. In a letter sent, they blame their Internet Service Provider (ISP) because it did not activate the antivirus. I would recommend Fitness Depot to review that statement since Magecart works injecting itself in the online payment forms and cannot be detected by an antivirus. It is the responsibility of the website owner to protect the application running their e-commerce. So either it is a ridiculous statement or a misunderstanding of what Fitness Depot management was told. Either way, the information leaked contains full names, emails, and credit card information. If you want to read more information about Magecart, this blog post from Yonathan Klinsma explaining how British Airways had the same problem is pretty good. And only with 22 lines of code.
A US Military contractor, Westech International, hit with Maze attack, which consists of encrypting data and is also used to extort the victims, publishing the data leaked unless a payment is made. Based on the data released, it is difficult to say how sensitive the stolen information is.
If you own a QNAP device, I would strongly recommend checking if any update is available and, please, change all default passwords. It seems these devices are being targetted by eCh0raix ransomware, which results in a fully encrypted data you will not be able to recover.
40 million records leaked. If I tell you that you will probably be like this:
And that’s precisely what happened to the Wishbone app, which seems to be popular in the young population (that would explain why I had never heard about it).
Cisco has communicated a security breach due to Saltstack‘s bug impacting their Cisco Modeling Labs Corporate Edition and Cisco Virtual Internet Routing Lab Personal Edition. It is recommended you apply the workarounds suggested.
State-sponsored attacks to the US presidential candidates’ campaigns are being detected by Google Threat Analysis Group. I guess this will be the trend when we are five months away from the US Elections.
It was a long time ago since I last mentioned Zoom, but here we are again. On the positive side, Zoom announced its plans to implement End to End encryption. The negative side, though, is that this functionality will only be available for paid accounts. I understand the decision, E2E encryption costs money. But where I struggle a bit more is with the way they bend the E2E term. You see, when I read E2E encryption, I understand it like this: all information traveling from the sender to the recipient is fully encrypted and not readable by any third party. But reading Alex Stamos’ Twitter thread, I do not know, it is unclear:
Either way, I still believe Zoom is doing positive things to increase security in their product, and I acknowledge it is not always easy. But at least they are doing something.
That’s all for now! Remember to follow me on Twitter and, as usual, stay safe!