Security Week 48: Gigantic Data Leak and Whatsapp Vulnerability

On November 22, DataViper researchers Vinny Troia and Bob Diachenko announced the discovery of an enormous database containing personal data on more than a billion people (news, original report). The Elasticsearch server was accessible without authentication; in total it held more than 4 terabytes of data. Judging by labels in the records, the information came from two companies professionally engaged in collecting and aggregating personal data. The largest dataset was allegedly compiled by People Data Labs: the open server held 3 billion of its records (with duplicates), including more than 650 million email addresses.

But it was not limited to email. The researchers compared data from the People Data Labs database with the information on the insecure server, looking for records about themselves. They found an almost complete match: social network profiles, known postal addresses, phone numbers (including a number that had not been used anywhere, whose link to a specific person only a telecom operator could know), as well as a residential address accurate to the city and geographic coordinates. Who owned the open server is unclear; it was hosted on the Google Cloud Platform, which does not disclose customer information. It is possible that the server owner was some third party that had obtained access to the information, legitimately or otherwise.



Clearly, personal data aggregators have no interest in such a leak: they make money selling information. An accidental leak on the part of one such company is also unlikely, since the databases of competing companies were stored on a single server. Of course, these are not password databases (which have leaked by the millions of records in the past), and they cause no direct damage. But they can make the work of cybercriminals engaged in social engineering easier. Nor should we forget that most of this information is handed over voluntarily: in LinkedIn profiles, Facebook posts and so on. Somewhere, a very detailed personal file is kept on almost every active network user, constantly updated with new data. The leak gives a sense of the scale: just two private companies, most likely unconnected with any state, aggregating information from open sources, hold data on roughly 15% of the world's population.

Facebook announced the closure of a serious vulnerability in the WhatsApp messenger (news, official bulletin). Processing the metadata of an MP4 video file can trigger a buffer overflow, leading to an application crash or arbitrary code execution. The vulnerability is easy to exploit: it is enough to know the victim's number and send them a specially prepared video file. If automatic media downloading is enabled in the application, no further action is required from the user (conclusion: it is better to disable automatic downloading).
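As an added illustration (example code written for this digest, not WhatsApp's parser and not based on the bug's internals, which the bulletin does not disclose), here is the kind of bounds checking an MP4 metadata parser must do before trusting a length field taken from the file. ISO BMFF files are a sequence of boxes, each starting with a 4-byte big-endian size and a 4-byte type; the parser below rejects any box whose declared size is smaller than its own header or larger than the data actually present, which is exactly the class of inconsistency that becomes a buffer overflow when a parser copies "size" bytes unchecked. The sample buffers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Generic bounds-checked walker for top-level MP4 / ISO BMFF boxes.
 * Header: 4-byte big-endian size, 4-byte type. size == 1 means a 64-bit
 * "largesize" follows the type; size == 0 means "box extends to end of data".
 * Example code for illustration, not any messenger's real parser. */

#define BOX_HEADER 8

typedef struct {
    char type[5];        /* box type as a NUL-terminated string */
    uint64_t size;       /* total box size including its header */
    size_t payload_len;  /* payload bytes actually available */
} box_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse the box starting at buf[off]. Returns the offset of the next box,
 * or 0 if the data is inconsistent: truncated header, size smaller than the
 * header (payload length would wrap), or size past the end of the buffer. */
size_t parse_box(const uint8_t *buf, size_t len, size_t off, box_t *out) {
    if (off >= len || len - off < BOX_HEADER) return 0;  /* no room for a header */
    uint64_t size = rd32(buf + off);
    size_t hdr = BOX_HEADER;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    if (size == 1) {                                      /* 64-bit largesize */
        if (len - off < 16) return 0;
        size = rd64(buf + off + 8);
        hdr = 16;
    } else if (size == 0) {                               /* runs to end of data */
        size = len - off;
    }
    if (size < hdr) return 0;             /* declared size cannot hold its own header */
    if (size > len - off) return 0;       /* declared size exceeds available data */
    out->size = size;
    out->payload_len = (size_t)(size - hdr);
    return off + (size_t)size;
}

/* Count well-formed top-level boxes; returns -1 on the first malformed box. */
int count_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    box_t b;
    while (off < len) {
        size_t next = parse_box(buf, len, off, &b);
        if (next == 0) return -1;
        n++;
        off = next;
    }
    return n;
}

/* Constructed samples: a valid 'ftyp' + 'free' sequence, a box claiming
 * 0xFFFF bytes when only 16 remain, and a box claiming a size of 4 bytes. */
static const uint8_t GOOD[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x08, 'f', 'r', 'e', 'e'
};
static const uint8_t OVERSIZED[] = {
    0x00, 0x00, 0xFF, 0xFF, 'm', 'o', 'o', 'v', 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t UNDERSIZED[] = {
    0x00, 0x00, 0x00, 0x04, 'f', 'r', 'e', 'e'
};

int main(void) {
    printf("good:       %d boxes\n", count_boxes(GOOD, sizeof GOOD));
    printf("oversized:  %d\n", count_boxes(OVERSIZED, sizeof OVERSIZED));
    printf("undersized: %d\n", count_boxes(UNDERSIZED, sizeof UNDERSIZED));
    return 0;
}
```

The two size checks are the whole point: a parser that computes `size - hdr` without the `size < hdr` test gets a wrapped, enormous payload length, and one that skips the `size > len - off` test reads or copies past the end of the received file.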



The vulnerability resembles another WhatsApp issue discovered and closed in May this year. In that case the buffer overflow was in the VoIP module, and exploitation was even simpler: nothing needed to be sent, it was enough to initiate a malformed call. The consequences of the May vulnerability were more serious: it was reliably used in real attacks and was distributed by companies selling exploits to intelligence agencies. Both the May vulnerability and the new one were commented on by Pavel Durov, creator of the competing Telegram messenger. His argument, in short: Telegram has had no vulnerabilities on this scale, WhatsApp has, therefore WhatsApp is unsafe. Durov's position is understandable, but it is not obvious that far-reaching conclusions about code security should be drawn from already patched vulnerabilities. Conclusions can be drawn from real attacks, but there much depends on the user base of the software or service.



What else happened



Kaspersky Lab experts share their forecasts for the development of advanced cyberattacks in 2020. Large-scale cyber operations are increasingly conducted under a "false flag": "evidence" is planted in the code and on the server side, leading to incorrect attribution of the campaign. Ransomware attacks are becoming targeted, and the volume of "carpet bombing" is falling: victims who are demonstrably able to pay are identified and attacked specifically. Growth in attacks using IoT devices is predicted, both by compromising already installed devices and by introducing Trojan IoT devices into the victim's network.



Google has raised the reward for finding vulnerabilities in the Titan M security chip to one and a half million dollars. Titan M is used in the latest Pixel smartphones (starting with the Pixel 3) and provides secure access to the most valuable data, for example when making payments. The maximum payout is for a vulnerability that allows the security mechanisms to be bypassed remotely.



The video above is a curious example of privilege escalation through a flaw in the User Account Control mechanism: download a Microsoft-signed binary, try to run it with administrator rights, get the password prompt, click the link in the certificate properties, and a browser opens with system privileges. The vulnerability in Windows 7, 8 and 10 was patched on November 12.



Check Point examined vulnerabilities in widespread open-source components embedded in popular Android applications. Unpatched libraries were found in the Facebook, WeChat and AliExpress apps. Facebook commented that the presence of a vulnerability in the code does not guarantee that it is exploitable: the problematic code may simply never be reached.



The Monero cryptocurrency site was hacked and, around noon on November 18, served modified binaries with a function for stealing money from users' wallets.
