Security Newsletter

15 April 2019

Featured

WikiLeaks founder Julian Assange has been arrested at the Ecuadorian Embassy in London—that's almost seven years after he took refuge in the embassy to avoid extradition to Sweden over a sexual assault case. According to a short note released by London's Metropolitan Police Service, Assange was arrested immediately after the Ecuadorian government today withdraws his political asylum.

U.S. Department of Justice also confirmed today that Assange would face extradition proceedings for his alleged role in "one of the largest compromises of classified information in the history of the United States." Following his arrest on Thursday, Ecuadorian President Lenín Moreno tweeted, "In a sovereign decision, Ecuador withdrew the asylum status to Julian Assange after his repeated violations to international conventions and daily-life protocols."

However, WikiLeaks said Ecuador had acted illegally in terminating Mr Assange's political asylum "in violation of international law." Assange's arrest comes a day after WikiLeaks editor Kristinn Hrafnsson accused the Ecuadorian government of an extensive spying operation against Julian Assange inside the Ecuadorian embassy. Assange, the 47-year-old Australian hacker, founded WikiLeaks in 2006 and has since made many high-profile revelations through the platform, exposing 'dirty' secrets of several political parties, individuals, and government organizations across the world.

 

Two Thirds of Hotel Sites Leak Guest Booking Info to Third-Parties

Third-party services running on most hotel websites have access to guest booking information, including personal data and payment card details. The data they're privy to also allows them to cancel reservations. Multiple websites for over 1,500 hotels in 54 countries fail to protect user information from partner services such as advertisers and analytics companies. In 67% of the studied cases, some level of personal information is leaked via booking reference codes.

The data exposed this way may include the guest's full name, email and physical address, phone number, the last four digits of the payment card as well as its type and expiration date, and the passport number.

Being in the referrer filed means that the booking reference code is passed along by the browser, potentially reaching over 30 service providers like social networks, search engines, and analytics services. However, bad this may sound, the third-party providers are not to blame for getting more information than they need to operate properly. 25% of the officers did not reply six weeks after being informed of the privacy risks. Those that responded needed an average of 10 days to issue a reply and said they would commit to fixing the problem.

 

Dragonblood vulnerabilities disclosed in WiFi WPA3 standard

Two security researchers disclosed details today about a group of vulnerabilities collectively referred to as Dragonblood that impact the WiFi Alliance's recently launched WPA3 Wi-Fi security and authentication standard. If ever exploited, the vulnerabilities would allow an attacker within the range of a victim's network to recover the (weak) Wi-Fi password and infiltrate the target's network.

In total, five vulnerabilities are part of the Dragonblood ensemble --a denial of service attack, two downgrade attacks, and two side-channel information leaks. While the denial of service attack is somewhat unimportant as it only leads to crashing WPA3-compatible access points, the other four are the ones that can be used to recover user passwords.

The WiFi Alliance announced today a security update for the WPA3 standard following Vanhoef and Ronen's public disclosure of the Dragonblood flaws. "These issues can all be mitigated through software updates without any impact on devices' ability to work well together," the WiFi Alliance said today in a press release. Vendors of WiFi products will now have to integrate these changes into their products via firmware updates. Vanhoef is the same security researcher who in the fall of 2017 disclosed the KRACK attack on the WiFi WPA2 standard, which was the main reason the WiFi Alliance developed WPA3 in the first place.

 

More #News

 

#Patch Time!

 

#Tech and #Tools

Kindred Group is growing, so does the Group Security team! We're looking for new talented professionals to come join us:

• You like to break things, then explain how to fix it? Be part of our Cyber Security team
• You prefer the blue team side? Check out our Security analyst position
• You're into identity and access management? We are looking for an IAM Specialist
• Interested in Governance, Risk and Compliance? Apply for our Information Security Specialist role

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. You can find all our open vacancies on our career page.

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.