Cybersecurity Weekly: Adolescent hacking study, DoorDash breach, Outlook file extension blacklist

September 27, 2019 by Sam Fay

A study decodes how kids get into hacking. DoorDash loses personal records of 5 million clients and drivers. Outlook plans to add 38 more file extensions to its blacklist. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. Decoding how kids get into hacking

New research identifies characteristics and gender-specific behaviors in kids that could lead them to become juvenile hackers. Researchers assessed responses from 50,000 teens around the world to determine predictors of hacking and are the first to dig into gendered differences from a global data set. For most kids, simply having opportunities to hack played a big role in malicious behavior.
Read more »

2. 120 new cybersecurity jobs announced in Belfast by Silicon Valley firm

Northern Ireland’s cybersecurity sector is set to expand further with the arrival of Contrast Security. The Silicon Valley-based firm will create up to 120 jobs at its new development and delivery center in Belfast. The new jobs will be generated over the next three years, contributing nearly £4 million annually in additional salaries to the area once fully operational.
Read more »

3. DoorDash breach exposes 4.9 million users’ personal data

DoorDash customers are strongly urged to change their passwords after a breach exposed personal data of almost 5 million users. DoorDash said the company became aware of a security intrusion earlier in September after it noticed some unusual activity from a third-party service provider. After investigation, it was announced that the attacker first gained access in May 2019.
Read more »

4. Thinkful confirms data breach days after it was acquired for $80 million

On September 19, Thinkful, an online education site for developers, confirmed that it recently experienced a data breach. The news comes just two weeks after the edtech company was acquired by Chegg for $80 million. While the company is reported to have emailed users about the investigation, it has not publicly acknowledged the breach on its website or blog.
Read more »

5. Outlook for Web bans 38 more file extensions in email attachments

To protect its users from malicious scripts and executables, Microsoft plans to blacklist 38 additional file extensions by adding them to its blocked list of file extensions.. This new collection of file extensions includes Python files, Powershell files, digital certificates and Java files, as well as some other miscellaneous extensions.
Read more »

6. Researchers disclose another SIM card attack possibly impacting millions

In addition to the Simjacker attack that made the news a month ago, Ginno Security Lab identified a second SIM card attack method involving the Wireless Internet Browser, which SmartTrust created for SIM toolkit based browsing. This attack has been dubbed WIBattack. Both attacks are difficult to detect and stealthy — there is no direct indication when devices are targeted.
Read more »

7. iOS 13 bug gives third-party keyboards “full access” permissions

Apple released a security advisory to warn users of an unpatched security bug in iOS 13 that affects third-party keyboard apps. The bug can result in granting keyboard extensions full access, even when users deny it. Granting keyboard extensions full access could allow developers to capture everything the users type on their devices.
Read more »

8. Voting machine systems contain “design” flaws, regardless of age

The new voting machine flaws found by hackers aren’t all typical security vulnerabilities. “These new things are not bugs. They are backdoors and hidden features [that] have been painstakingly carved into the DNA of the machine so it’s not easily discovered. They are features made by the vendors on purpose,” says Hursti, founder of Nordic Innovation Labs and a renowned election security expert.
Read more »

9. Microsoft released an out-of-band patch to fix zero-day flaw exploited in the wild

Microsoft has released an out-of-band patch for an Internet Explorer zero-day vulnerability that was exploited in attacks in the wild. The vulnerability tracked as CVE-2019-1367 is a memory corruption flaw that resides in the Internet Explorer’s scripting engine, affecting the way that objects in memory are handled. A successful exploit could grant the attacker the same privileges as the current user.
Read more »

10. MyPayrollHR CEO arrested, admits to $70 million fraud

Earlier this month, employees at more than 1,000 companies saw one or two paycheck’s worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider abruptly left with $35 million in payroll and tax deposits from customers. This week, the CEO was arrested and allegedly confessed that the diversion was part of a scam that earned him $70 million over several years.
Read more »

Posted: September 27, 2019
Sam Fay
View Profile