StockX was hacked, exposing millions of customers’ data*:


  • The fashion and sneaker trading platform pushed out a password reset email to its users on Thursday citing “system updates,” but left users confused and scrambling for answers.


  • StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.


  • An unnamed seller of breached data contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker.


  • The seller provided TechCrunch with a sample of 1,000 records. We contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size.


  • Every person who responded confirmed their data as accurate.


  • The stolen data contained names, email addresses, scrambled passwords (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency.


  • Neither company founder Luber nor chief executive Scott Cutler has commented on the breach.


  • Jake Williams, the founder of Rendition Infosec, said the company “robbed their users of the chance to evaluate their exposure” by not informing customers of the breach when it happened.


*Source: Techcrunch, August 03, 2019




Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now*:


  • A security vulnerability that affects Windows computers running on 64-bit Intel and AMD processors could give an attacker access to your passwords, private conversations, and any other information within the operating system kernel memory.


  • Users are advised to update Windows in order to mitigate against this new CPU “SWAPGS attack” risk.


  • “We call this the SWAPGS attack because the vulnerability leverages the SWAPGS instruction,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender, “an under-documented instruction that makes the switch between user-owned memory and kernel memory.”


  • Botezatu also says that, at this point, “all Intel CPUs manufactured between 2012 and today are vulnerable to the SWAPGS attack.”


  • This means every Intel chip going back to the “Ivy Bridge” processor is vulnerable if it is inside a machine running Windows.


  • However, it appears it is not just Intel CPUs that are affected by the SWAPGS attack vulnerability.


  • According to a Red Hat advisory published August 6th, the threat “applies to x86-64 systems using either Intel or AMD processors,” a claim that AMD itself disputes.


  • The chances of falling victim to a SWAPGS attack have increased now that the details have been disclosed, so users are advised to apply available updates as a matter of urgency if they have not already done so.


*Source: Forbes, August 06, 2019


QuickBooks hosting provider hit by ransomware attack*


  • An update on iNSYNQ’s website explained the ransomware attack experienced on 16 July “impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible”.


  • When using a hosting server, users can access their QuickBooks account with a user name and password.


  • Although they share similar login processes, the hosting solution and the QuickBooks Online Edition offer different features and functionality.


  • Since the attack, iNSYNQ has been criticized for leaving customers in the dark and providing little detail or updates on the recovery process.


  • Unfortunately for affected parties, unlike its cloud solution, Intuit’s hosting program specifies that the hosts participating in the program are the ones “solely responsible for the security, privacy, availability, and backup of QuickBooks data files and the software that they host”.


  • As explained by Dave Watson, managing director of Hosted Accountants, part of IRIS Software Group, losing data does not only impact a firm’s operations; it can also hurt its reputation if clients’ records are lost or compromised.


  • “The consequences for your firm can be severe,” he said. “No one wants to call their client and let them know you have lost all their data. Not to mention issues with GDPR, and confidentiality.”


  • QuickBooks recommends training staff so that they avoid downloading files from unrecognized sources and so that they follow best practice, including checking emails and links for mismatched URLs and unknown return addresses.


*Source: Accountingweb, August 07, 2019




  • The New York Privacy Act, introduced last month by state senator Kevin Thomas, would give residents there more control over their data than in any other state.


  • It would also require businesses to put their customers’ privacy before their own profits.


  • The bill is still seeking a cosponsor in the state assembly, but Thomas says he is confident that he has majority support in the Senate and hopes to pass the bill this summer.


  • The Committee on Consumer Protection, which Thomas chairs, is scheduled to hold a hearing on the bill Tuesday.


  • With it, the Empire State is poised to become the next battleground in the fight for state privacy laws.


  • California became the first state to pass such a law last year with the California Consumer Protection Act; industry groups and consumer advocates have been sparring over its language ever since.


  • Businesses argue that the CCPA is overly broad and that complying with different laws in every state is unworkable, preferring instead a lighter touch regulation at the federal level.


  • The New York Privacy Act bears some similarity to the California law. Like the CCPA, it would allow people to find out what data companies are collecting on them, see who they’re sharing that data with, request that it be corrected or deleted, and avoid having their data shared with or sold to third parties altogether.


  • If the New York Privacy Act does pass, it will likely follow California’s example and be amended and refined before it ultimately becomes law.


*Source: Wired, April 06, 2019


Warning Issued For Apple’s 1.4 Billion iPad And iPhone Users*


  • The security firm Check Point has revealed it has found a way to hack every iPhone and iPad running iOS 8 right up to betas of iOS 13.


  • This spread covers eight years of devices (iOS 8 supports the 2011 iPhone 4S) and, with Tim Cook stating there are 1.4BN active iOS devices around the world, this is worrying news for the owners of pretty much all of them.


  • What Check Point discovered is that the Contacts app built into iOS can be exploited using the industry-standard SQLite database so that any search of Contacts can trick the device into running malicious code capable of stealing user data and passwords.


  • “It is available in every operating system, desktop, and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox, and Android are popular users of SQLite.”


  • But the real shocker is why the Contacts app vulnerability exists in the first place: it capitalizes on a known bug which Apple has failed to fix for four years.


  • As AppleInsider explains: “The bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps.


  • However, Check Point’s researchers then managed to make a trusted app [the ubiquitous Contacts app] send the code to trigger this bug and exploit it.”


  • All of which puts Apple in an uncomfortable situation. The company has long touted security as a major selling point over rivals, but the holes keep coming and when this one comes off the back of four years of inaction, it’s not a good look.


*Source: Forbes, August 10, 2019
