Weekly Axis Of Easy #43
- Critical Drupal vulnerability allows remote code execution
- Facebook funding anti-privacy efforts while apologizing for privacy violations
- US Gov to gain access to social media of all visa applicants
- Under Armour data breach affects 150 million MyFitnessPal users
- Criminal group who executed 1 Billion euro cybertheft arrested in Spain
- Elon Musk’s “April Fools” joke accelerates Tesla stock crash
- BREAKING: Panera Bread leaked millions of customer records online
If you are running any sites on Drupal below 7.58 or 8.5.1, stop reading this, go upgrade, right now. A new critical vulnerability in Drupal allows for remote code execution. While no exploits have been sighted in the wild yet, you don’t want your sites being the proof-of-concept case when it happens. (Somebody may want to tell Cambridge Analytica, the data mining firm that opened the Facebook can-o-worms, about this, because they’re running an affected version on their webservers).
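For anyone with more than a handful of sites to check, here is an added example (not from the newsletter or the Drupal project) that reads the core version each Drupal install records about itself and reports whether it is below the fixed releases named above; the file paths are Drupal 7 and 8 core’s real ones, while the sample docroots are constructed in a temp directory. It applies only the 7.58 / 8.5.1 rule from the item, so confirm against the Drupal advisory if you run an older 8.x branch that received a backported fix.

```python
import re
import tempfile
from pathlib import Path
FIXED = {7: (7, 58), 8: (8, 5, 1)}  # fixed releases from the item; older on the same branch is affected

# Files in which Drupal core records its own version (real paths for Drupal 7 and 8).
VERSION_FILES = {
    7: ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([\d.]+)'\)")),
    8: ("core/lib/Drupal.php", re.compile(r"const VERSION\s*=\s*'([\d.]+)'")),
}

def parse_version(text):
    """'8.5.1' -> (8, 5, 1); tuples compare correctly where plain strings do not."""
    return tuple(int(part) for part in text.split("."))

def status(version):
    """'vulnerable', 'patched' or 'unknown' relative to the fixed release of the branch."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return "unknown"
    return "vulnerable" if parsed < fixed else "patched"

def detect_version(docroot):
    """Return the core version string of the Drupal install under docroot, or None."""
    for relpath, pattern in VERSION_FILES.values():
        path = Path(docroot) / relpath
        if path.is_file():
            match = pattern.search(path.read_text(errors="ignore"))
            if match:
                return match.group(1)
    return None  # not Drupal, or a dev build whose version string did not match

def audit(docroots):
    """Map each docroot name to its patch status; non-Drupal paths report 'unknown'."""
    versions = {Path(d).name: detect_version(d) for d in docroots}
    return {name: status(v) if v else "unknown" for name, v in versions.items()}

def demo():
    """Build constructed sample docroots (not real sites) in a temp dir and audit them."""
    base = Path(tempfile.mkdtemp())
    samples = {"old7": ("includes/bootstrap.inc", "define('VERSION', '7.57');\n"),
               "new8": ("core/lib/Drupal.php", "  const VERSION = '8.5.1';\n"),
               "old8": ("core/lib/Drupal.php", "  const VERSION = '8.4.5';\n")}
    for name, (relpath, content) in samples.items():
        target = base / name / relpath
        target.parent.mkdir(parents=True)
        target.write_text(content)
    (base / "static").mkdir()  # constructed non-Drupal docroot, should report 'unknown'
    return audit([base / name for name in [*samples, "static"]])
```

Point `audit()` at your real web roots instead of `demo()`’s constructed ones to get the same report for your own fleet.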
The hits just kept on coming for Facebook in the aftermath of the Cambridge Analytica scandal, which we covered in detail last week. Revelations surfaced that Facebook logged phone calls and SMS messages without users’ knowledge, while an app developer under the gun for “abusing Facebook data” claims the firm knew full well what was happening with the data and signed off on it.
As if this wasn’t enough, while Zuck was apologizing out of one side of his mouth (read: “we’ll never violate your trust again, even though we repeatedly get caught violating your trust”) it came to light that the firm is, right now, while all this is going on, actively funding a lobby effort to block data privacy legislation in California.
Visa applicants to the US will be required to make available their social media history, usernames and previous email addresses for up to 5 years. It is estimated to affect nearly a million visa applicants and over 14 million non-immigrant visa applicants. This won’t affect visitors from countries that currently enjoy visa-free travel to the US, such as Canada, the UK and Germany.
The makers of the MyFitnessPal food and nutrition app have disclosed a major data breach affecting 150 million users. It is currently believed the breached data includes usernames, email addresses and encrypted passwords. Word is that Under Armour is notifying affected users.
Quoting the Europol release: “The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarussian and Taiwanese authorities and private cyber security companies.”
After a high-profile crash fatality, a credit downgrade by Moody’s and a Model S recall, Tesla hasn’t exactly been “rolling 7’s” lately. In that light, perhaps Elon Musk’s “April Fools” joke that “Tesla is Bankrupt” didn’t help matters. The glam/fan stock has lost nearly 20% in a week amid an analyst pronouncement that without a major cash injection Tesla really will be bankrupt within a few months.
We’ve learned this from experience: during Tech Bubbles, April fools gags have an elevated chance of becoming reality, like our 2011 gag did, so be careful what you joke about. (In case you were wondering, this year ours was that we figured out who Satoshi Nakamoto is)
This just in, literally as I was finishing the previous item: Krebs on Security reports that Panera Bread was leaking millions of customer records, including names, phone numbers, addresses, and the last four digits of credit card numbers, from their website. A security researcher reported the issue to them last August, but the files were not taken down until today. Just bear in mind that, armed with that kind of data, cyber-thieves have more than enough data points on you to game quite a few password recovery systems at other services.