In the headlines: ImageMagick vulnerability, HIV patient data leak, Brazilian WhatsApp suspension and more

ImageMagick vulnerability being exploited in the wild

Following its reveal last week, hackers are leaping on the ImageMagick vulnerability, which could allow an attacker to execute code on servers using the the vulnerable library frequently used to crop or resize images. ImageMagick is a popular open-source library which can be used with various technologies including PHP, Ruby, NodeJS and Python. It’s widely spread, meaning millions of sites will be susceptible to this vulnerability, for which a patch has already been rolled out. Now that we know the vulnerability is being exploited in the wild, we urge users to update this library as soon as possible.

NHS fined over HIV patient data leak

You may recall this breach hitting the headlines in 2015. Well, now the UK Information Commissioner’s Office has gone ahead and issued a fine of £180k to the NHS clinic responsible for the leak, which included the names of 700 HIV patients. The leak was made by a basic error whereby the recipients of a clinic newsletter were visible to all other recipients. It’s a mistake we’ve all made, but this time it was a huge breach of patient confidentiality and has been costly to the Chelsea and Westminster Trust branch of the health service.

Massive data breach containing 57 million emails discovered

An unusual data dump has been discovered, containing around 57 million sets of personal details, including email addresses. The data has been analysed by security specialist Troy Hunt who discovered that the data included details of people from major tech companies and government agencies. What’s unclear is where this data came from and how it was accessed. The copy in Hunt’s hands was obtained when a grey hat hacker managed to obtain it from a Russian hacker group but it’s not clear if they are the responsible party. There are some rumours that it may have come from a dating site such as Zoosk or Badoo but as yet there is no confirmation of this and the data is up for sale on the dark web.

Researcher arrested for disclosing vulnerability in elections site

There has been outrage in the security community this week following the arrest of researcher David Levin, who discovered and disclosed a SQL injection vulnerability in the Lee County state elections site. Levin was charged with three third degree felony counts of property crime and has since been released on a $15,000 bail bond. Many have spoken in his defense, arguing that he also provided the means to fix the vulnerability and that locating such bugs is essential to keep public data secure.

Twitter blocks US intelligence agencies from using data mining tool

Twitter have met with controversy this week, following their decision to block intelligence agencies from having access to their data mining tool. Many organisations, including journalistic agencies use the tool for research but Twitter have decided that in order to protect user confidence in security, government agencies may not have access to the data, which could be used to track protesters and other espionage purposes. Twitter are distancing themselves from any association with government agencies, perhaps due to the aftermath of the Apple FBI case.

Google moves Blogspot to HTTPS

Google has just boosted the security of its Blogger service by migrating to HTTPS. Their official statement on the move reads “HTTPS is fundamental to Internet security; it protects the integrity and confidentiality of data sent between websites and visitors’ browsers,”. Every blog hosted by the service will now have a HTTPS address by default and users also have the option to create a redirect from their HTTP URL.

Tax and salary data stolen from payroll firm ADP

ADP is a large company providing tax, payroll and benefits administration to a number of big firms and a total of 640,000 companies. The news came from US Bancorp, who warned its employees that some of their data may have been compromised due to a weakness in the ADP customer portal. In fact, it emerges that hackers managed to create phony accounts for more than a dozen of ADP’s clients. ADP did point out that the accounts could only be created with other data which had not been accessed through ADP. They are not turning off the self-registration feature and strengthening their verification procedures.

Brazilian WhatsApp suspension overturned

There has been tension between the WhatsApp messaging service and the Brazilian government for some time, over the tech company’s inability to hand over data. WhatsApp’s service is end-to-end encrypted, meaning that it does not have access to users’ conversations even if it were compelled to do so. The latest turn in this issue occurred last week, when a judge issued a 72-hour suspension order. Fortunately, this was overturned by a different judge the next day. 200 million people reportedly use the messaging app in Brazil, which was shut down for 12 hours last December for the same reasons. WhatsApp insist they have complied with Brazilian courts as far as they are able and expressed their disappointment at the planned suspension. The legal case causing these issues continues so we may yet see another suspension order if an agreement between the authorities and WhatsApp cannot be reached.

Office 365 vulnerability affects all federated services

Office 365, Microsoft’s cloud based portal which allows remote access to services such as Outlook, OneDrive and Skype through paid licensing, was revealed to have a major security flaw in January. The flaw allowed for a cross-domain authentication bypass and was found in the SAML Service Provider implementation in Office 365. It’s now been revealed that the vulnerability was more serious than first thought, potentially allowing an attacker access to any federated account, including emails, data and files. It’s not thought that the vulnerability was exploited at any point, having been rapidly mitigated by Microsoft.

Two high severity bugs fixed in OpenSSL

Two high severity flaws in OpenSSL could have allowed an attacker to decrypt login credentials or execute malicious code on compromised servers. Updates were released on Tuesday, patching the vulnerability registered as CVE-2016-2107. It was classed as a ‘padding oracle’ weakness and ironically was introduced accidentally during the patching of another vulnerability in 2013. Experts blame these latest flaws on OpenSSLs continued support of outdated encryption schemes.