#CyberHeadlines: Three Unresolved Vulnerabilities
Companies often deny security vulnerabilities reported by cyber security experts, which is why so many remain unresolved. Here are three recent unresolved vulnerabilities that are likely to affect you…
Unresolved Vulnerabilities #1: Netgear flaw compromises thousands of devices open to attack
On Friday, December 16th, CERT issued an advisory recommending that customers discontinue use of their Nighthawk routers until the disclosed vulnerability is properly patched. The vulnerability was found by Acew0rm, a security researcher from St. Louis, who notified Netgear about the problem back in August. Netgear never responded, so Acew0rm disclosed the vulnerability publicly, where it caught the attention of CERT. CERT suggested that the flaw could be exploited for ransomware attacks and reported that 7 Nighthawk routers were vulnerable, as well as one additional outside network.
Unresolved Vulnerabilities #2: Uber is spying on you
Uber’s former forensic investigator, Ward Spangenberg, has come out to say that users’ information is not safe with the ride-share company. Apparently, Uber employees have already been exploiting user information for purposes such as helping ex-boyfriends stalk their ex-girlfriends or looking up celebrities’ trip information. In a court declaration signed in October, Spangenberg said that “Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses.” Two years ago, Uber gave assurances that it had strict policies prohibiting employees from accessing such user information, but five former Uber security professionals say that the company continued to allow broad access even after those proclamations.
Unresolved Vulnerabilities #3: Hackers purportedly use Punycode to bypass Office 365 phishing filters
According to Avanan, hackers are encoding domain names with Unicode characters (Punycode), allowing them to bypass the phishing filters in Microsoft’s Office 365 productivity software. In a statement provided to SC Media, Microsoft has denied the claims. In a recent Punycode phishing campaign, emails posing as FedEx alerted users to an important package. After clicking the link, users were taken to a fake Office 365 landing page and told to enter their credentials to continue. A company spokesperson denied the attacks, telling SC Media that “Office 365 can and does mark this type of attack as spam. We encourage users to check the authenticity of the links prior to clicking them, [and to] avoid opening links in emails from senders they don’t recognize or visiting unsecure sites.”
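As an added illustration (not code from the original article, from Avanan or from Microsoft), here is a small Python check a defender could run over inbound mail: it decodes Punycode (`xn--`) hostnames in links back to Unicode and flags labels that mix scripts, the look-alike pattern described above. The FedEx-themed sample message and its host are constructed for this example.

```python
import re
import unicodedata
from urllib.parse import urlparse

def decode_host(host):
    """Return the Unicode form of an ASCII hostname, decoding any Punycode (xn--) labels."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed Punycode: keep the raw label so it is still surfaced

def label_scripts(label):
    """Scripts used by the letters of one label, taken from Unicode character names
    (e.g. 'LATIN SMALL LETTER F' -> 'LATIN', 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC')."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def assess_url(url):
    """Classify a link's host as 'ascii', 'idn' (internationalized, one script per
    label) or 'mixed-script' (Latin and non-Latin letters in the same label, the
    classic look-alike pattern). Returns (verdict, decoded_host)."""
    host = (urlparse(url).hostname or "").lower()
    if host.isascii() and "xn--" not in host:
        return "ascii", host
    decoded = decode_host(host) if host.isascii() else host
    if any(len(label_scripts(label)) > 1 for label in decoded.split(".")):
        return "mixed-script", decoded
    return "idn", decoded

def scan_message(body):
    """Find http(s) links in an email body; return (verdict, decoded_host, url) per link."""
    return [(*assess_url(u), u) for u in re.findall(r"https?://[^\s<>\"']+", body)]

# Constructed sample lure: the host spells "fedex" with a Cyrillic 'ie' (U+0435) in
# place of the Latin 'e', Punycode-encoded the way it would appear in a raw email.
LURE_HOST = "fed\u0435x.com".encode("idna").decode("ascii")
SAMPLE_EMAIL = (
    "Your package is waiting. Track it at https://" + LURE_HOST + "/track?id=1234\n"
    "Questions? See https://www.fedex.com/help\n"
)

if __name__ == "__main__":
    for verdict, decoded, url in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:13} {decoded:20} {url}")
```

An all-Cyrillic look-alike domain comes back as `idn` rather than `mixed-script`, so in practice the `idn` verdict is worth a second look as well, for example by comparing the decoded host against a list of brands the organization expects mail from.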