Database Security Digest - November 2017

DataSunrise Blog
The following digest presents the most important database security news of November.

Hacked UK Shipping Giant Clarksons: Data May Be Leaked at Any Minute

British shipping company Clarksons confirmed that it had recently been attacked by hackers. The company said that cybercriminals had accessed its systems and that the public should expect some sensitive and confidential corporate data to be leaked. It remains unclear when exactly Clarksons was hacked and when the breach was discovered. The amount of the ransom demand and the identity of the attackers remain unknown. With this incident, Clarksons joins the list of big companies hit by a major cyber-attack this year.

Uber Officially Confirmed Massive Data Breach

The global transportation technology company Uber officially disclosed a massive data breach. Hackers broke into the app’s database and stole the personal information of 57 million passengers and drivers, including their names, email addresses and phone numbers. The company paid the hackers 100,000 USD to delete the data and keep the breach secret. The attack happened in 2016 and the payout was disguised as a bug bounty prize; Uber’s CEO Dara Khosrowshahi only revealed the breach in November 2017. Cybersecurity experts stated that “the attack was a criminal act, and so was the cover-up.” The experts also said that “companies should account for the possibility of security failures and anticipate malicious behavior by any actors.” Meanwhile, the Financial Times reported that Uber’s latest quarterly results showed adjusted losses had widened to 734 million USD, up 14 per cent on the previous quarter.

1.7 Million Users of Imgur Were Compromised

Imgur, the popular image sharing service, confirmed that email addresses and passwords were stolen in a security breach that occurred in 2014. The hack went unnoticed for 4 years, until security researcher Troy Hunt informed Imgur that he had details of the stolen Imgur user data. The company is still investigating the cause of the hack and believes it could be the result of an older algorithm that was in use at the time.

PayPal Shut Down TIO Networks Service That Leaked 1.6 Million Records

PayPal Holdings Inc. said that personally identifiable information for 1.6 million users has potentially been compromised at TIO Networks, a company it acquired earlier this year. The customer information possibly affected includes names, addresses, bank-account details, Social Security numbers and login details of consumers who used TIO to pay bills. Customers have been offered free credit checks and identity theft insurance. Meanwhile, shares of PayPal were already down 0.6%.

Oracle Emergency Update

Oracle has released an emergency update for severe vulnerabilities affecting several of its products that rely on its proprietary Jolt protocol, with two of the bugs scoring 9.9 and 10 on the CVSS scale. The bugs were discovered by researchers at ERPScan, who named the series of five vulnerabilities JoltandBleed because of its similarities to Heartbleed, the OpenSSL vulnerability discovered in 2014. ERPScan describes the vulnerabilities as follows:
  • CVE-2017-10272 is a memory disclosure vulnerability; its exploitation gives an attacker a chance to remotely read the memory of the server (9.9 on the CVSS scale)
  • CVE-2017-10267 is a stack overflow vulnerability (7.5 on the CVSS scale)
  • CVE-2017-10278 is a heap overflow vulnerability (7.0 on the CVSS scale)
  • CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to brute-force the DomainPWD password, which is used for Jolt protocol authentication (5.3 on the CVSS scale)
  • CVE-2017-10269 is a vulnerability affecting the Jolt protocol; it enables an attacker to compromise the whole PeopleSoft system (10 on the CVSS scale)

MongoDB Critical Vulnerability

MongoDB has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which when enabled exposes a vulnerability (CVSS severity score 9.1) that could be exploited by an attacker to deny service or modify memory.
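Since the exposure only exists when compression is switched on, the practical check is to confirm that no mongod instance has it enabled until the patched version is rolled out. The following Python audit script is an added example written for this digest, not code from MongoDB or DataSunrise. It assumes the config-file key net.compression.compressors and the command-line flag --networkMessageCompressors (the names as given in the MongoDB documentation of that era; verify them against your version) and treats the value "disabled" as off. The sample configuration texts are constructed for illustration.

```python
"""Audit a mongod deployment for wire-protocol compression being enabled.

Added example, not MongoDB's or DataSunrise's code. Key/flag names below are
assumptions taken from the MongoDB docs; verify against your installed version.
"""
from typing import Any, Dict, List, Optional, Sequence

CONFIG_PATH = ("net", "compression", "compressors")   # assumed mongod.conf key
CLI_FLAG = "--networkMessageCompressors"               # assumed mongod CLI flag
OFF_VALUE = "disabled"                                 # assumed "off" value


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the indentation-based YAML subset that mongod.conf uses:
    nested mappings, scalar values and inline lists such as [snappy, zlib].
    This is a deliberately minimal parser so the audit runs without PyYAML."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        elif value.startswith("[") and value.endswith("]"):
            parent[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            parent[key] = value
    return root


def lookup(tree: Dict[str, Any], path: Sequence[str]) -> Optional[Any]:
    """Walk a dotted path (given as a tuple) through nested mappings."""
    node: Any = tree
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def compressors_from_cli(argv: Sequence[str]) -> List[str]:
    """Extract compressor names from '--flag value' or '--flag=value' forms."""
    for i, arg in enumerate(argv):
        if arg == CLI_FLAG and i + 1 < len(argv):
            return argv[i + 1].split(",")
        if arg.startswith(CLI_FLAG + "="):
            return arg.split("=", 1)[1].split(",")
    return []


def audit(config_text: str, argv: Sequence[str] = ()) -> List[str]:
    """Return a finding per place where wire-protocol compression is enabled."""
    findings: List[str] = []
    cfg = lookup(parse_simple_yaml(config_text), CONFIG_PATH)
    if isinstance(cfg, str):
        cfg = [c.strip() for c in cfg.split(",")]
    enabled_cfg = [c for c in (cfg or []) if c and c != OFF_VALUE]
    if enabled_cfg:
        findings.append("config file enables compression: " + ",".join(enabled_cfg))
    enabled_cli = [c.strip() for c in compressors_from_cli(argv) if c.strip() and c.strip() != OFF_VALUE]
    if enabled_cli:
        findings.append("command line enables compression: " + ",".join(enabled_cli))
    return findings


# Constructed sample configurations for demonstration.
SAFE_CONF = """
# constructed mongod.conf: compression left at its default (disabled)
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
"""

RISKY_CONF = """
# constructed mongod.conf: compression explicitly enabled
net:
  port: 27017
  compression:
    compressors: snappy
"""

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("risky", RISKY_CONF)):
        print(name, audit(conf) or ["no findings"])
    print("cli", audit(SAFE_CONF, ["mongod", CLI_FLAG, "snappy"]))
```

Run the script against each mongod's config file and its process arguments (for example from `ps -o args=` on the host); any finding means the instance is running with the setting that this advisory says is the precondition for the vulnerability.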

PostgreSQL 10.1 Update

The release contains a variety of fixes for crashes, incorrect query results, table errors, and several vulnerabilities. Refer to the release notes for more details.