recommended reading

Hackers Steal Coachella Accounts; Bugs Leak User Data, Passwords

Festival-goers view the "Coachella Bound" art installation at the campgrounds at The Coachella Music and Arts Festival in 2015.

Festival-goers view the "Coachella Bound" art installation at the campgrounds at The Coachella Music and Arts Festival in 2015. // Zach Cordner/Invision/AP

In case you missed our coverage this week in ThreatWatchNextgov’s regularly updated index of cyber breaches:

Google Discloses Another Unpatched Microsoft Bug

Google again released information about a flaw in a Microsoft product without an available security patch.

This time, Google Project Zero Team shared the details for how a bug in the Windows graphic device interface dynamic link library could leak private user data. The team said the vulnerability also affects Internet Explorer and Office Online.

The team shared the information with Microsoft on Nov. 16, but released the information publicly Monday when 90 days passed without a security patch, IT News reported. Microsoft previously addressed the issue with a June patch, but the Google team said problems remained, according to Threatpost.

It’s at least the third time Google went public with an unresolved Microsoft issue. In January 2015, Google released information 90 days after it notified Microsoft about a security hole in Windows 8.1 that allowed improper access to server functions. In November, Google disclosed what it called a critical zero-day in Windows 10. Microsoft hit back, disagreeing with the critical designation and saying Google’s announcement put Windows customers at potential risk.

950,000 Coachella Music Festival Accounts for Sale

Music lovers who in the past have or are planning to attend the Coachella festival may want to change their email passwords.

A data trader alleges to have more than 950,000 Coachella website user accounts for sale on a dark web marketplace called Tochka, Motherboard reported. The data includes email addresses, usernames and hashed passwords for Coachella.com and its message board.

Payment information doesn’t appear to be included, according to Motherboard.

Still, if Coachella attendees reuse usernames and passwords, they may want to brush up on how to choose a secure password and select a unique password for every site they visit. 

Cloudflare Bug Leaked Passwords, Dating Chats and Other Sensitive Info for Months

Cloudflare, a company that provides optimization and security services for websites, disclosed a bug that may have exposed passwords, authentication tokens, private messages and other sensitive information since September.

Cloudflare notified its customers Thursday, according to Fortune. Average website users, however, probably wouldn’t know if they were affected because they don’t sign up for Cloudflare’s services, websites do.

“I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” wrote Google Project Zero Team Member Tavis Ormandy, who alerted Cloudflare to the problem.

Ormandy tweeted he found information from Uber, OKCupid, FitBit and 1Password, though the password manager said it was not affected by the bug.

The problem, now mitigated, stemmed from a new HTML parser chain, a specific combination of tools, and an “ancient piece of software that contained a latent security problem,” Cloudflare Chief Technology Officer John Graham-Cumming wrote in a blog.

The company also worked with search engines that may have cached the data.

“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Graham-Cumming wrote.

Ormandy applauded the company’s fast response to the problem, but said Cloudflare’s response “severely downplays the risk to customers.”

More than 5.5 million sites use Cloudflare, according to Fortune.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.