Hackers Steal Coachella Accounts; Bugs Leak User Data, Passwords

Festival-goers view the "Coachella Bound" art installation at the campgrounds at The Coachella Music and Arts Festival in 2015. // Zach Cordner/Invision/AP

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Google Discloses Another Unpatched Microsoft Bug

Google again released information about a flaw in a Microsoft product without an available security patch.

This time, Google's Project Zero team shared details of how a bug in the Windows graphics device interface dynamic link library could leak private user data. The team said the vulnerability also affects Internet Explorer and Office Online.

The team shared the information with Microsoft on Nov. 16, but released the information publicly Monday when 90 days passed without a security patch, IT News reported. Microsoft previously addressed the issue with a June patch, but the Google team said problems remained, according to Threatpost.

It’s at least the third time Google went public with an unresolved Microsoft issue. In January 2015, Google released information 90 days after it notified Microsoft about a security hole in Windows 8.1 that allowed improper access to server functions. In November, Google disclosed what it called a critical zero-day in Windows 10. Microsoft hit back, disagreeing with the critical designation and saying Google’s announcement put Windows customers at potential risk.

950,000 Coachella Music Festival Accounts for Sale

Music lovers who have attended the Coachella festival in the past or are planning to attend may want to change their email passwords.

A data trader claims to have more than 950,000 Coachella website user accounts for sale on a dark web marketplace called Tochka, Motherboard reported. The data includes email addresses, usernames and hashed passwords for Coachella.com and its message board.

Payment information doesn’t appear to be included, according to Motherboard.

Still, if Coachella attendees reuse usernames and passwords, they may want to brush up on how to choose a secure password and select a unique password for every site they visit. 

Cloudflare Bug Leaked Passwords, Dating Chats and Other Sensitive Info for Months

Cloudflare, a company that provides optimization and security services for websites, disclosed a bug that may have exposed passwords, authentication tokens, private messages and other sensitive information since September.

Cloudflare notified its customers Thursday, according to Fortune. Average website users, however, probably wouldn’t know if they were affected because they don’t sign up for Cloudflare’s services; websites do.

“I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” wrote Google Project Zero Team Member Tavis Ormandy, who alerted Cloudflare to the problem.

Ormandy tweeted he found information from Uber, OKCupid, FitBit and 1Password, though the password manager said it was not affected by the bug.

The problem, now mitigated, stemmed from a new HTML parser chain, a specific combination of tools, and an “ancient piece of software that contained a latent security problem,” Cloudflare Chief Technology Officer John Graham-Cumming wrote in a blog.

The company also worked with search engines that may have cached the data.

“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Graham-Cumming wrote.

Ormandy applauded the company’s fast response to the problem, but said Cloudflare’s response “severely downplays the risk to customers.”

More than 5.5 million sites use Cloudflare, according to Fortune.
