Cisco Patches Flaws in Security Manager After Proof-of-Concept Code Released

Hundreds of Tesla Powerwall gateways exposed to hackers, Microsoft and chipmakers team to thwart side-channel attacks, Malsmoke campaign lures visitors to adult entertainment sites, much more

Don’t miss our special report from this morning on Trump’s firing of CISA Director Chris Krebs.

As a reminder, starting in January, many of our special reports, along with our archives, will be behind a free newsletter subscription wall or a paywall. Consider signing up as a free email subscriber, and we’ll extend benefits to you before we end our free-to-all status.

Cisco published multiple security advisories concerning critical flaws in Cisco Security Manager (CSM) a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The advisories came after researcher Florian Hauser (frycos) publicly disclosed proof-of-concept (PoC) code for as many as 12 security vulnerabilities in the CSM web interface that make it possible for an unauthenticated attacker to achieve remote code execution (RCE). The flaws were first disclosed three months ago, on July 13. (Ravie Lakshmanan / The Hacker News)

Related: IT Pro, ZDNet Security, SecurityWeek, Help Net Security, Reddit - cybersecurity, Tenable Blog, Security Affairs, US-CERT Current Activity

Hundreds of Tesla Powerwall Gateways May Have Been Exposed to Remote Attackers

A total of 379 unique Tesla Backup Gateway installations on the web could have allowed a hacker to gain access to the systems thanks to weak default logins or a user name of any email address and a password of the last five characters of the gateway serial number, Tod Beardsley, director of research at cybersecurity consultancy Rapid7, discovered. Rapid7 said it had responded to Beardsley’s findings positively and has already been working to prevent any possible exposure. (Thomas Brewster / Forbes)

Related: ZDNet Security, SecurityWeek, Rapid7, The Sun

Microsoft and Top Chipmakers to Make New ‘Pluton’ Chip to Protect Against Side-channel Attacks

Microsoft and three top chipmakers, AMD, Intel, and Qualcomm, announced they would make a new chip called Pluton designed to protect against side-channel attacks, which steal critical data such as encryption keys and credentials from computing systems and were made famous by the 2018 Spectre and Meltdown vulnerabilities. The companies say that the new chip will cut off a key vector for data-stealing attacks: a communication channel between a computing system’s central processing unit (CPU) and another piece of hardware known as the trusted platform module (TPM). The Pluton chip will be built into Windows computers, although it’s not clear when the hardware will be available. (Sean Lyngaas / Cyberscoop)

Related: SlashGear » security, IT Pro, Security Week, Reddit - cybersecurity, Reddit - cybersecurity, SC Magazine, GeekWire Original, WebProNews, HotHardware.com, The Register, Slashdot

Canadian Businesses Could Pay 5% of Global Revenues for Exposing PII Under Proposed New Law

Companies that fail to protect customers’ personal information could be fined up to 5% of global revenue under the terms of a proposed new privacy law called the Digital Charter Implementation Act, the country’s Innovation Minister Navdeep Bains said. The law, which Parliament still has to approve, says Canadians who feel their data has been improperly gathered or shared can turn to the country’s Privacy Commissioner and demand the information be deleted. In a development that is likely to presage the introduction of similar laws in the U.S. and elsewhere, the bill also requires businesses to be transparent when they use automated decision-making systems like algorithms and artificial intelligence to make significant recommendations about individuals. (David Ljunggren / Reuters)

Related: SecurityWeek, Bloomberg Technology, CTVNews.ca, CBC, MobileSyrup.com

Malsmoke Malware Campaign Operatives Use Fake Videos to Lure Adult Content Customers

A malware campaign called Malsmoke has switched from exploit kits to social engineering to target adult content consumers, according to researchers at Malwarebytes. The campaign focuses on high-traffic adult portals such as xHamster, which counts hundreds of millions of monthly visitors, or Bravo Porn Tube, with over 8 million visitors every month. The Malsmoke operators lure victims into playing fake videos on the site and then hit them with a fake Java plugin installation request, which, if successfully pursued, installs malware. (Ionut Ilascu / Bleeping Computer)

Related: Malwarebytes, TechNadu

Other Infosec Developments

  • Micropayments platform Coil accidentally exposed some of its users' email addresses in a mass email announcement about, ironically, a privacy email it sent out. At least 1,000 clearly seen email addresses were sent out in the CC line. The company issued an apology saying, “We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.” (Ax Sharma / Bleeping Computer)

    Related: The Register

  • U.S. Representative Lauren Underwood (D-IL) said Tuesday that federal lawmakers need to do more to help organizations, especially state and local governments, protect themselves against ransomware. She advocated that the Senate take up a bill, passed in the House in September, that would create a $400 million cybersecurity grant program for state and local governments. (Benjamin Freed / StateScoop)

    Related: The Hill

  • California-based electronics retailer TronicsXchange, previously trading as GreenElectronicsExchange (GEEx), exposed over 2.6 million files, including ID cards and biometric images, researchers at Website Planet discovered. The data was exposed in a misconfigured AWS S3 bucket. The most damaging exposed files for customers were the 80,000 or so images of personal identification cards such as driver’s licenses and 10,000 fingerprint scans. (Phil Muncaster / Infosecurity Magazine)

    Related: DataBreaches.net

  • Israeli startup Cato Networks closed a $130 million Series A funding round based on a $1 billion company valuation. The round was led by Lightspeed Venture Partners, which led the startup’s two previous rounds. New investor Coatue joined the group, alongside existing investors Greylock, Aspect Ventures / Acrew Capital, Singtel Innov8, and Cato founder Shlomo Kramer. (Oshry Alkeslasi / Geektime)

  • According to local Florida publications, a hacker, likely located in Sweden, broke into a Florida man’s Ring home security camera and called local law enforcement to confess to hoarding explosives and killing his wife after seeing her cheat on him. Law enforcement showed up at the home and met the supposedly murdered wife, thereby discovering that the hacker had swatted Courtney’s husband. (Sarah Courtney / Motherboard)
