Saturday 16th November 2024
Aidan Dickenson
Business Development Manager // Tailored solutions to enhance security, improve efficiency, and drive growth.
Good morning everyone and a very happy Saturday to you all. Today's edition covers a PostgreSQL flaw that sent database admins scrambling to patch, Microsoft Power Pages missteps that put millions of personal records at risk, and the sentencing of the hacker behind one of crypto’s biggest heists. Enjoy and have a great weekend.
PostgreSQL Flaw Could Let Hackers in the Back Door
Cybersecurity researchers have unearthed a high-severity vulnerability in PostgreSQL, the open-source database system widely used by businesses worldwide. Tracked as CVE-2024-10979, the flaw (with a CVSS score of 8.8) could let unprivileged users manipulate environment variables, potentially leading to code execution or data leaks.
Environment variables store dynamic runtime data—like access keys and paths—making them a juicy target. According to PostgreSQL, this flaw allows attackers to alter variables like PATH, enabling malicious activity even without system-level privileges. Translation: A sneaky hacker could execute arbitrary code or extract sensitive info.
The issue has been patched in PostgreSQL versions 17.1 and 16.5, and in the corresponding updates to the older supported release branches. Experts recommend users apply updates immediately and tighten extension permissions to reduce risks.
Details are being withheld for now, but the threat underscores a crucial truth: Even trusted open-source systems require constant vigilance. Stay patched, stay safe.
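Two checks follow from the advice above: confirm the server is on a fixed release, and review who can actually use the trusted procedural languages that extensions bring in, since the newsletter's "tighten extension permissions" boils down to not leaving USAGE granted to PUBLIC. The script below is an added example, not PostgreSQL project code. It only knows the two fixed versions the page names (17.1 and 16.5) and returns "unknown" for other branches; the `pg_language` rows and ACL strings are constructed samples in the real `aclitem` format, where an empty grantee before `=` means PUBLIC.

```python
import re

# Fixed releases named on the page; other supported branches also received fixes,
# but their version numbers are not given here, so they are deliberately left out.
PATCHED_MINIMUM = {17: (17, 1), 16: (16, 5)}


def parse_version(version_string):
    """Extract (major, minor) from SELECT version() output such as
    'PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc ...'."""
    m = re.search(r"PostgreSQL (\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"not a PostgreSQL version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(version_string):
    """True/False for branches listed in PATCHED_MINIMUM, None when the branch
    is not listed (check the release notes for that branch instead)."""
    major, minor = parse_version(version_string)
    floor = PATCHED_MINIMUM.get(major)
    if floor is None:
        return None
    return (major, minor) >= floor


def parse_aclitems(acl):
    """Parse a pg_language.lanacl array literal such as
    '{=U/postgres,app=U/postgres}' into (grantee, privileges, grantor) tuples.
    An empty grantee denotes PUBLIC. None (SQL NULL) yields an empty list."""
    if acl is None:
        return []
    entries = []
    for item in acl.strip("{}").split(","):
        if not item:
            continue
        grantee_privs, grantor = item.rsplit("/", 1)
        grantee, privs = grantee_privs.split("=", 1)
        entries.append((grantee or "PUBLIC", privs, grantor))
    return entries


def public_trusted_languages(rows):
    """rows: (lanname, lanpltrusted, lanacl) as returned by
       SELECT lanname, lanpltrusted, lanacl FROM pg_language;
    Returns the trusted languages any role may use. A NULL lanacl means the
    default privileges apply, and the default for languages grants USAGE to
    PUBLIC, so a NULL on a trusted language is flagged too. Untrusted languages
    are skipped: only superusers can use them regardless of the ACL."""
    flagged = []
    for lanname, trusted, acl in rows:
        if not trusted:
            continue
        if acl is None:
            flagged.append(lanname)
            continue
        for grantee, privs, _grantor in parse_aclitems(acl):
            if grantee == "PUBLIC" and "U" in privs:
                flagged.append(lanname)
                break
    return flagged


# Constructed sample resembling a default cluster plus two PL languages;
# 'plperl' still carries the default PUBLIC grant, which is what a hardening
# pass (REVOKE USAGE ON LANGUAGE ... FROM PUBLIC) would remove.
SAMPLE_LANGUAGE_ROWS = [
    ("internal", False, None),
    ("c", False, None),
    ("sql", True, None),
    ("plpgsql", True, None),
    ("plperl", True, "{=U/postgres,app=U/postgres}"),
    ("plperlu", False, None),
]

if __name__ == "__main__":
    print(is_patched("PostgreSQL 16.4 on x86_64-pc-linux-gnu"))
    print(public_trusted_languages(SAMPLE_LANGUAGE_ROWS))
```

Feed `public_trusted_languages` the real query output and decide per language whether PUBLIC usage is needed; `sql` and `plpgsql` being open is normal, whereas an extension language that only one application role uses should have the PUBLIC grant revoked and an explicit grant to that role left in place.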
Microsoft Power Pages Misconfigurations Expose Sensitive Data
Millions of individuals’ sensitive data, including internal files and personally identifiable information (PII), have been exposed due to misconfigured access controls in Microsoft Power Pages. The revelation comes from AppOmni’s Aaron Costello, who highlighted the issue in September after finding "significant amounts of data" left accessible online.
Power Pages, a low-code SaaS platform for creating external websites, serves over 250 million users monthly. A flaw in its role-based access controls makes it easy for missteps to occur. Specifically, many organizations grant excessive permissions to “authenticated users”—a role that often includes public registrants—mistakenly treating them as internal members.
- 1.1 million UK NHS employees had sensitive details exposed, including emails and home addresses (now secured).
- Millions of records from organizations in health, tech, and finance sectors remain vulnerable.
Costello attributes most leaks to overly permissive table access controls, public registration settings, and skipped column-level security masking. Microsoft flags risky configurations, but fixing them requires diligence.
Admins should reduce user permissions and limit access levels. Treat "authenticated users" as external by default to avoid giving them unnecessary privileges. Microsoft has yet to comment on this growing concern.
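The three causes Costello names (overly permissive table permissions, open public registration, and missing column-level security) can be checked mechanically once you have a site's table permissions in hand. The script below is an added example, not AppOmni's or Microsoft's code: the `TablePermission` record is a constructed, simplified shape rather than Microsoft's export format, while the web role names (`Authenticated Users`, `Anonymous Users`), access scopes (`Global`, `Self`, and so on) and privilege names mirror the ones Power Pages uses. Its central rule is the one the article states: when registration is open, "Authenticated Users" is treated as an external, effectively public role.

```python
from dataclasses import dataclass, field

# Constructed list of column names that count as PII for this audit.
PII_COLUMNS = {"emailaddress1", "address1_line1", "telephone1", "birthdate"}

# Default web roles that external people can end up in.
EXTERNAL_ROLES = {"Authenticated Users", "Anonymous Users"}


@dataclass
class TablePermission:
    table: str
    web_role: str                 # web role the permission is assigned to
    scope: str                    # "Global", "Contact", "Account", "Self", "Parent"
    privileges: set               # subset of {"Read","Write","Create","Delete","Append","AppendTo"}
    columns: set                  # columns the site exposes through lists/forms on this table
    column_security: set = field(default_factory=set)  # PII columns masked by column-level security


def is_effectively_public(web_role, open_registration):
    """Anonymous Users is always public; Authenticated Users is public whenever
    anyone on the internet can self-register into it."""
    if web_role == "Anonymous Users":
        return True
    return web_role == "Authenticated Users" and open_registration


def audit(perms, open_registration):
    """Return one finding string per risky permission. Internal roles are left
    alone; external roles are checked for global Read, for writes beyond a
    user's own record, and for PII columns with no column-level security."""
    findings = []
    for p in perms:
        if p.web_role not in EXTERNAL_ROLES:
            continue
        public = is_effectively_public(p.web_role, open_registration)
        tag = f"{p.web_role} (effectively public)" if public else p.web_role
        if p.scope == "Global" and "Read" in p.privileges:
            findings.append(f"{p.table}: global Read granted to {tag}")
        if p.scope != "Self" and p.privileges & {"Write", "Delete"}:
            findings.append(f"{p.table}: Write/Delete beyond Self scope for {tag}")
        exposed_pii = (p.columns & PII_COLUMNS) - p.column_security
        if exposed_pii:
            findings.append(
                f"{p.table}: PII without column-level security for {tag}: {sorted(exposed_pii)}"
            )
    return findings


# Constructed sample site: one leaky permission, one sane profile permission,
# one internal-only permission, and one anonymous read on a non-PII table.
SAMPLE_PERMISSIONS = [
    TablePermission("contact", "Authenticated Users", "Global", {"Read"},
                    {"fullname", "emailaddress1", "address1_line1"}),
    TablePermission("contact", "Authenticated Users", "Self", {"Read", "Write"},
                    {"fullname", "emailaddress1"}, column_security={"emailaddress1"}),
    TablePermission("staff_directory", "Staff", "Global", {"Read"},
                    {"fullname", "emailaddress1"}),
    TablePermission("incident", "Anonymous Users", "Global", {"Read", "Create"},
                    {"title", "description"}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PERMISSIONS, open_registration=True):
        print(line)
```

The second `contact` permission shows the configuration the article recommends: `Self` scope, the user's own record only, with the email column masked. The first is the pattern behind the NHS exposure, a global read on a PII-bearing table handed to a role that anyone can join.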
Bitfinex Hacker Gets Five Years for $10B Bitcoin Heist
Ilya Lichtenstein, who masterminded the 2016 Bitfinex cryptocurrency hack, has been sentenced to five years in prison, the U.S. Department of Justice announced. The hack siphoned off 120,000 bitcoins, now valued at over $10.5 billion, making it one of the largest crypto thefts in history.
Lichtenstein exploited Bitfinex's network to authorize fraudulent transactions, using tools like chain hopping and mixing services to launder the stolen funds. The elaborate scheme included converting crypto into fiat, hiding assets in gold coins, and even buying Walmart gift cards—an action that ultimately led investigators to the couple's San Francisco home.
His wife, Heather Morgan, aka “Razzlekhan” (a rapper and writer), also pleaded guilty to laundering the stolen funds and faces sentencing on November 18. While prosecutors stated she played a smaller role, her involvement was significant enough for full accountability.
Lichtenstein’s sentencing follows other major convictions, including Roman Sterlingov, founder of Bitcoin Fog, and Daren Li, linked to a $73.6M pig butchering scam. Together, these cases underscore how crypto criminals are increasingly in regulators’ crosshairs.
The feds are beefing up their crypto forensics—bad news for anyone hoping stolen Bitcoin remains untraceable.
Break Into Tech with 0 experience | Founder @ Rich in Tech | Snr AE | 1M+ Monthly Views | Father x1 | GIG
Let’s go man! That Power Pages leak looks bad
Agile Coach at Evolve IT | Innovation Culture for Business Growth | Digital Transformation | Agile, High-Performing, and Autonomous Teams
We all need to stay vigilant with these security risks. What’s the first step you recommend for someone looking to secure their data right now? Aidan Dickenson
Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions | Cybersecurity Excellence | Cloud Security
Thanks for sharing the latest edition of Cyber Daily, Aidan Dickenson! The PostgreSQL vulnerability and the Microsoft Power Pages leak are especially concerning. It's crucial for everyone to stay updated on these issues to protect their data. Keep up the great work!
Empowering Small Businesses to Surge Ahead of Competition. 9X LinkedIn Top Voice: Brand Development | Creative Strategy | Content Marketing | Digital Marketing | Performance Marketing | SEO | SMM | Web Development
Aidan Dickenson Great roundup—proof that in cybersecurity, staying a step ahead is the best patch we’ve got!