A collection point
...and some of my own.
CA: Rogers Data Breach Exposed Customer Info in Unsecured Database
Lawrence Abrams for Bleeping Computer: Canadian ISP Rogers Communications has begun to notify customers of a data breach that exposed their personal information due to an unsecured database. In a data breach notification posted to their site, Rogers states that they learned on February 26th, 2020 that a vendor database containing customer information was unsecured and publicly exposed to the Internet. The following customer information was exposed by this data breach: address, account number, email address, telephone number. "Some wireless account numbers were included in the vendor database. If a customer’s wireless account number was included, we added a block to their account (called port protection) to prevent their phone number from being transferred to another carrier without their authorization. Customers can call us if they wish to remove this block."

FR: France warns of new ransomware gang targeting local governments
Catalin Cimpanu for Zero Day: CERT-FR says the Pysa gang has moved to target French organizations, with the agency receiving reports of multiple infections. CERT-FR said there was evidence suggesting that the Pysa gang launched brute-force attacks against management consoles and Active Directory accounts. These brute-force attacks were followed by the exfiltration of a company's accounts and passwords database. Victim organizations also reported seeing unauthorized RDP connections to their domain controllers, and the deployment of Batch and PowerShell scripts.

Our Smartphone Data Can Predict How Coronavirus Will Spread
Rebecca Sadwick: In May of 2019, Facebook’s data science team introduced disease-prevention maps to help nonprofits and universities identify future outbreaks. They include movement maps chronicling how people travel, and population density maps leveraging satellite imagery and census data to include insights on demographics such as the ages of the population. “We’re coming off years of intense criticism of these companies ... but at some point we need to rely on them,” said Michelle Richardson, director of the Privacy & Data Project at the Center for Democracy & Technology. “If people are scared because of past overreaches, this is an opportunity [for these companies] to rebuild trust.” Google spokesman Johnny Luu echoed the sentiment by stating that the company is “exploring ways that aggregate anonymized location information could help in the fight against COVID-19,” in a statement to The Washington Post. This could include determining the “impact of social distancing, similar to the way we show popular restaurant times and traffic patterns in Google Maps… and would not involve sharing data about any individual’s location, movement or contacts.” It remains to be seen which of these new trends and paradigm shifts endure once the imminent threat of the COVID-19 pandemic is behind us. By any account, increased cross-functional collaboration between teams with different perspectives and skill sets should continue to advance our collective human knowledge and ongoing fight against pandemics, which are projected to become more likely in the future.

UK: Military Secrets Exposed by Printing Company
Security researchers have warned that as many as 100,000 customers of a UK-based printing company, including military organizations, may have had sensitive personal and business documents exposed in another cloud leak. The source was a misconfigured Amazon Web Services S3 bucket, found on January 22, owned by Doxzoo, a British document printing and binding company with global clients. The 343GB database contained over 270,000 records from a range of clients, including “complete scripts and screenplays, full-length books, sought-after paid wellness plans and internal military handbooks. Additionally, Doxzoo seems to regularly request full scans of photo IDs (such as passports) to fulfill orders.”

UK: COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted Online
Davey Winder: The latest victim is Hammersmith Medicines Research, a British company that previously tested the Ebola vaccine and is on standby to perform the medical trials on any COVID-19 vaccine. The cyber-attack, which took place on March 14, was spotted in progress, stopped, and systems restored without paying any ransom. The hackers sent Hammersmith Medicines Research sample files containing details of people who participated in testing trials between eight and 20 years previously and then published samples of data on the dark web in an attempt to extort payment.

USA: NY: New York's SHIELD Act could change companies’ security practices nationwide
The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York State bill signed into law in July 2019. One key provision in the legislation that could significantly change security practices across the country took effect March 21, possibly inducing companies big and small to change the way they secure and transmit not only New Yorkers' private data but all consumers' sensitive information. Technically an amendment to the state's data breach notification law, the SHIELD Act has as much of an impact on internet and tech companies' privacy and security practices as the more famous California Consumer Privacy Act (CCPA) or even the European Union's General Data Protection Regulation (GDPR). The bill substantially broadens the scope of consumer privacy and data security protection by:
- Expanding the range of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers
- Broadening the definition of a data breach to include unauthorized access to private information
- Applying the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State
- Updating the notification procedures companies and state entities must follow when there has been a breach of private information
- Creating data security requirements tailored to the size of a business
The first four of these requirements took effect on October 23, 2019, while the last provision went into effect on March 21, 2020.

RU: Leaked Plans Reveal Mirai-Like Russian IoT Botnet
BBC Russia: Digital Revolution is well known for hacking organizations that do business with the Federal Security Service (FSB). Last week it published technical documents detailing a project known as “Fronton.” It proposes a scheme to compromise unsecured smart devices by cracking their factory default passwords. The resulting zombie devices would be formed into a botnet and used to launch DDoS attacks on FSB targets. Originally created in 2017-18, the 12 documents list the Fronton, Fronton-3D and Fronton 18 projects. They appear to be the work of Moscow-based FSB contractor 0Day, which Digital Revolution claimed to have hacked back in April 2019.

CN: Hacker selling data of 538 million Weibo users
The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, according to ads seen by ZDNet and corroborating reports from Chinese media. In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company's user database. Personal details include names, site usernames, gender, location, and -- for 172 million users -- phone numbers but no passwords, hence the bargain sales price of only US$250.00. The hacker provided samples of the data which Weibo users confirmed to be accurate.
UK: Unprotected Database Exposed 5 Billion Previously Leaked Records
An Elasticsearch instance containing over 5 billion records of data leaked in previous cybersecurity incidents was found exposed to anyone with an Internet connection. Keepnet Labs, a UK security firm, said that the data was “collected and correlated” for its customers only, to inform them if their accounts were part of previous breaches. “There is a certain irony in an exposed database of previously compromised data. While the data exposed in this breach appears to be collected from previously known sources, the fact that it was all readily available, indexed, and publicly exposed makes it a big concern."

CovidLock coronavirus victim tracking app demands ransom payment from Android users
Graham Cluley: An Android app that pretends to warn users about those infected with the COVID-19 Coronavirus in their vicinity. What actually happens is the app locks users out of their devices and demands that a ransom payment of $100 worth of Bitcoin is made within 48 hours. If payment is not made, the ransomware claims, the phone will be completely erased and pictures, videos, and social media accounts shared online. Be careful. This is a 3rd-party (side-loaded) app that you really don't want to get involved with.

US Health Department Hacked Amid Coronavirus Pandemic
The intrusion occurred on Sunday night and is thought to have been motivated by a desire to slow the agency down and spread misinformation among the public. After compromising the department's system, attackers circulated a false claim that the American government planned to introduce a nationwide lockdown. The erroneous rumor that every American would be ordered to self-quarantine at home was quashed by the National Security Council. Just before midnight on Sunday, the NSC published the following statement on Twitter: “Text message rumors of a national #quarantine are FAKE. There is no national lockdown. @CDCgov has and will continue to post the latest guidance on #COVID19.” President Trump followed the next day with the declaration of a national emergency and a statement that people might want to self-isolate, but the two events were unrelated.

Europol busts up two SIM-swapping hacking rings
After months-long, cross-border investigations, Europol announced on Friday that it has arrested more than two dozen people suspected of draining bank accounts by hijacking victims’ phone numbers via SIM-swap fraud. SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network. Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity. By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account. Investigators arrested the suspects in simultaneous raids throughout Romania. Europol says that this gang’s thefts targeted dozens of victims in Austria. The alleged crooks carried out the thefts through a series of SIM-swapping attacks in the spring of 2019 and stole over half a million euros, Europol says (£456,975, USD $558,350).

EU: Oops! Microsoft Teams goes down as Europe starts working from home
Remote not-working during the Coronavirus pandemic. As millions of people across Europe choose to work remotely rather than head into the office in the wake of the Coronavirus pandemic, a widely-used communication and collaboration tool that allows workers to have video meetings, chat, and share files has gone down. Microsoft Teams posted on its Twitter support account that it was aware that users were experiencing problems using the service: "We’re investigating messaging-related functionality problems within Microsoft Teams. Please refer to TM206544 in your admin center for further details."

WFH: tips to remember if you move around with personal computers
- Full-disk encryption ensures that even if the device falls into the wrong hands, the company’s data is not accessible.
- Log out when not in use – both at home and in public places. An inquisitive child accidentally sending an email to the boss or a customer is easily prevented, as is limiting the opportunity for someone to access the machine while your back is turned in the local coffee shop.
- Strong password policy – enforce passwords on boot, set inactivity timeouts, and ban sticky notes with passwords on them: people still do this!
- Never leave the device unattended or on public display. If it’s in the car, then it should be in the trunk.

US: Senate bill would ban TikTok from government phones
The bill comes from Senators Josh Hawley (R-MO) and Rick Scott (R-FL). It would expand on current TikTok bans from the State Department, the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Transportation Security Administration (TSA). "TikTok is owned by a Chinese company that includes Chinese Communist Party members on its board, and it is required by law to share user data with Beijing. The company even admitted it collects user data while their app is running in the background – including the messages people send, pictures they share, their keystrokes and location data, you name it. As many of our federal agencies have already recognized, TikTok is a major security risk to the United States, and it has no place on government devices."

UK: Telephone, TV and internet provider Virgin Media has suffered a data breach, or not, depending on whom you ask
Paul Ducklin: "No, this was not a cyber-attack. […] No, our database was not hacked. […] Certain sources are referring to this as a data breach. The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack but as a result of the database being incorrectly configured." TurgenSec, an unassociated IT security company that alerted Virgin Media to the exposed information, found the database where 900,000 users had their name, email address, home address, phone number and date of birth exposed. Since this is only a percentage of the total of Virgin's customer base, customers should expect one of two things: a real email from Virgin informing them of the breach, or a phish email from someone trying to steal their details. So it's a lose-lose either way.

US: From last week you'll need a notarized document to get a .gov domain
Danny Bradbury: The US government tightened its rules around the registration of government web domains to stop fraudsters impersonating government sites. The General Services Administration (GSA) said: "Effective from March 10, 2020, the DotGov Program began requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain. This was a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain. This step helps maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations."

US: Phone carriers may soon be forced to adopt anti-robocall tech (and you will love the acronyms!)
US carriers haven’t been doing enough to block robocalls, according to the Federal Communications Commission (FCC), so its chairman, Ajit Pai, has proposed a set of rules that would force carriers to block robocalls. In November 2018, Pai asked the phone carriers to adopt a technology framework called SHAKEN/STIR to help solve the problem. STIR (Secure Telephone Identity Revisited) defines a set of protocols used on SIP networks for applying digital signatures to telephone numbers from calling parties. SHAKEN (Signature-based Handling of Asserted information using toKENs) is a framework for STIR, providing implementation guidelines for carriers to roll out STIR so that it is compatible with all their networks and operates in real time. A year later, the take-up had been minimal, but with the passage of the (wait for it) Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act last December it all became law. From June 30, 2021 the rules blocking robocalling become mandatory.

FBI arrests alleged owner of Deer.io, top market for stolen accounts
The FBI on Saturday arrested the alleged owner of Deer.io: a Russia-based marketplace for buying and selling credentials for hacked accounts siphoned off of malware-infected computers, victims’ personally identifiable information (PII), as well as financial and corporate data. According to the arrest warrant, the suspect, Kirill Victorovich Firsov, was arrested at John F. Kennedy Airport in New York.

EU: Data of millions of eBay and Amazon shoppers exposed
Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine. A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe. The AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days. Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards.

US: EARN IT Act threatens end-to-end encryption
EARN IT was introduced by Republican Lindsey Graham, Democrat Richard Blumenthal and other legislators who’ve used the specter of online child exploitation to argue for the weakening of encryption. This comes as no surprise: in December 2019, while grilling Facebook and Apple, Graham and other senators threatened to regulate encryption unless the companies give law enforcement access to encrypted user data, pointing to child abuse as one reason. What Graham threatened at the time: "You’re going to find a way to do this or we’re going to go do it for you... Period. End of discussion." The bill would undercut Section 230 of the Communications Decency Act (CDA) for certain apps and companies so that they could be held responsible for user-uploaded content. The Electronic Frontier Foundation (EFF) frames the importance of Section 230: "Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions). The [senator] discusses weakening security and requiring government access to every aspect of Americans’ lives. That means the EARN IT Act would backfire for its core purpose, while violating the constitutional rights of online service providers and users alike."

US: Dept. of Homeland Security sued over secretive use of face recognition
The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union are suing the Department of Homeland Security (DHS), US Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and the Transportation Security Administration (TSA) over their failure to provide details about the use of facial recognition at airports. "The public has a right to know when, where, and how the government is using face recognition, and what safeguards, if any, are in place to protect our rights. This unregulated surveillance technology threatens to fundamentally alter our free society and is in urgent need of democratic oversight," lawyers for the ACLU stated.

Confessions app Whisper spills almost a billion records
The Washington Post: Whisper offers a kind of anonymous social network service that allows people to post their innermost fears and desires, supposedly without risk. Its users post everything from dark family secrets to stories of infidelity. It gathers these up and uses them for articles on its website, including “Naughty Nannies Confess To Sleeping With The Fathers They Work For”, “Alcoholism Runs In My Family”, and “I Married The Wrong Person”. The problem is that Whisper didn’t steward that data very well. 900m records in a 5 TB database spanning 75 different servers, logged over the 8 years from the app’s release in 2012 to the present day, were exposed. The data was stored in plain text on Elasticsearch servers and included 90 metadata points per account. The leak divulged stated age, gender, ethnicity, home town, nickname and ... wait for it... the exact geolocation of the user's most recent post.
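The Keepnet and Whisper items above come down to the same thing: an Elasticsearch node that answers anyone who asks. Below is an added example, not code from the page or from either company, of the probe a practitioner runs against their own hosts to catch that state before someone else does. It sends two unauthenticated GETs, to the cluster root and to /_cat/indices; a node with security enabled answers the first with 401, an open one hands back its cluster name and then its index list with document counts. The two fake clusters in the block are constructed stand-ins so the program runs offline; their names, index names and counts are invented.

```go
// Added example, not code from the page, Keepnet Labs or Whisper: the two
// questions an attacker asks an Elasticsearch host first: does it answer
// without credentials, and which indices (holding how many documents) can be
// listed? Point it only at hosts you own. The fake clusters are constructed.
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Index is one row of GET /_cat/indices?format=json (counts arrive as strings).
type Index struct {
	Name string `json:"index"`
	Docs string `json:"docs.count"`
	Size string `json:"store.size"`
}

type Report struct {
	Reachable    bool
	AuthRequired bool
	ClusterName  string
	Indices      []Index
}

// Exposed is the verdict: answered, never asked for credentials, and let us list an index.
func (r Report) Exposed() bool { return r.Reachable && !r.AuthRequired && len(r.Indices) > 0 }

// Probe sends unauthenticated GETs to the cluster root and to _cat/indices.
// A node with security enabled answers the root request with 401 (or 403).
func Probe(base string) Report {
	client := &http.Client{Timeout: 5 * time.Second}
	var rep Report
	resp, err := client.Get(base + "/")
	if err != nil {
		return rep
	}
	defer resp.Body.Close()
	rep.Reachable = true
	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
		rep.AuthRequired = true
		return rep
	}
	var root struct{ ClusterName string `json:"cluster_name"` }
	if err := json.NewDecoder(resp.Body).Decode(&root); err != nil {
		return rep // answered, but not with Elasticsearch's root document
	}
	rep.ClusterName = root.ClusterName
	idx, err := client.Get(base + "/_cat/indices?format=json")
	if err != nil {
		return rep
	}
	defer idx.Body.Close()
	if idx.StatusCode == http.StatusOK {
		_ = json.NewDecoder(idx.Body).Decode(&rep.Indices)
	}
	return rep
}

// FakeOpenCluster imitates a node reachable with no authentication at all,
// the kind of host in the Keepnet and Whisper items. All data is made up.
func FakeOpenCluster() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"name":"node-1","cluster_name":"breach-data","version":{"number":"7.6.0"}}`)
	})
	mux.HandleFunc("/_cat/indices", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `[{"index":"leaked-credentials","docs.count":"5129210000","store.size":"1.2tb"},`+
			`{"index":"whispers","docs.count":"900000000","store.size":"5tb"}]`)
	})
	return httptest.NewServer(mux)
}

// FakeLockedCluster imitates a node with security enabled: 401 plus a Basic challenge.
func FakeLockedCluster() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("WWW-Authenticate", `Basic realm="security"`)
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

func main() {
	for _, srv := range []*httptest.Server{FakeOpenCluster(), FakeLockedCluster()} {
		rep := Probe(srv.URL)
		fmt.Printf("%s exposed=%v cluster=%q\n", srv.URL, rep.Exposed(), rep.ClusterName)
		for _, ix := range rep.Indices {
			fmt.Printf("  %-20s %12s docs %8s\n", ix.Name, ix.Docs, ix.Size)
		}
		srv.Close()
	}
}
```

Against a real host, replace srv.URL with the node's base URL (Elasticsearch's default is port 9200). A "reachable but 401" result is the state you want; "exposed" with a populated index list is the state both companies above were in, and anyone who can list indices this way can usually read, and often delete, their contents.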
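Returning to the SHAKEN/STIR item above: the "digital signature on the calling number" is a PASSporT, a JSON Web Signature whose header names the signer's certificate and whose claims carry the attestation level plus the originating and destination numbers. The block below is an added example, not code from the page, the FCC or any carrier. It signs a PASSporT with ES256 (the only algorithm STIR permits), verifies it, and shows that swapping the originating number under an existing signature fails verification. The x5u URL, the 202-555 numbers and the origid are made up, and the verifier is handed the public key directly rather than fetching and validating the certificate at x5u, which a real terminating carrier must do.

```go
// Added example, not code from the page or from any carrier: a minimal STIR
// PASSporT (RFC 8225) with the SHAKEN extension (RFC 8588), signed and verified
// with ES256 as STIR requires. The x5u URL, numbers and origid are made up.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Header is the protected JWS header; the verifier fetches the signer's certificate from x5u.
type Header struct {
	Alg string `json:"alg"` // STIR allows only "ES256"
	Ppt string `json:"ppt"` // "shaken"
	Typ string `json:"typ"` // "passport"
	X5u string `json:"x5u"`
}

type Number struct{ TN string `json:"tn"` }
type Numbers struct{ TN []string `json:"tn"` }

// Claims: attestation level (A, B or C), destination and origin numbers, issue time, origination id.
type Claims struct {
	Attest string  `json:"attest"`
	Dest   Numbers `json:"dest"`
	Iat    int64   `json:"iat"`
	Orig   Number  `json:"orig"`
	OrigID string  `json:"origid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewCarrierKey creates the originating carrier's P-256 signing key.
func NewCarrierKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// Sign produces header.claims.signature. JWS ES256 is ECDSA P-256 over the SHA-256 of the
// signing input; the signature is raw r||s (32 bytes each), not the DER crypto/ecdsa would emit.
func Sign(priv *ecdsa.PrivateKey, x5u string, c Claims) (string, error) {
	hj, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	cj, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64(hj) + "." + b64(cj)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verify is the terminating carrier's check. In production the public key comes
// from the certificate at x5u after its chain has been validated.
func Verify(pub *ecdsa.PublicKey, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed PASSporT") }
	hj, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	cj, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad PASSporT encoding")
	}
	// Pin the algorithm before touching the signature: honouring whatever alg the
	// token names ("none", an HMAC) is the classic JWS verifier mistake.
	var h Header
	if err := json.Unmarshal(hj, &h); err != nil || h.Alg != "ES256" || h.Typ != "passport" || h.Ppt != "shaken" {
		return nil, fmt.Errorf("unsupported header %s", hj)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(cj, &c); err != nil { return nil, err }
	return &c, nil
}

// Forge keeps the signature but swaps in other claims: a spoofed caller id.
func Forge(token string, c Claims) string {
	parts := strings.Split(token, ".")
	cj, _ := json.Marshal(c)
	return parts[0] + "." + b64(cj) + "." + parts[2]
}

func main() {
	key := NewCarrierKey()
	tok, _ := Sign(key, "https://cert.example.net/shaken.pem", Claims{Attest: "A", Dest: Numbers{TN: []string{"12025550188"}}, Iat: 1583800000, Orig: Number{TN: "12025550123"}, OrigID: "call-0001"})
	fmt.Println(Verify(&key.PublicKey, tok))
}
```

The attestation level is the part the FCC's rules hinge on: "A" means the originating carrier both knows the customer and has verified they are entitled to the number, so a robocaller's spoofed caller id either arrives with a weak attestation or, as Forge shows, with a signature that no longer matches the claims.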
Microsoft Edge Shares Privacy-destroying Telemetry
According to the analysis, from the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry, used to link requests (and associated IP address/location) to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages. Edge sends hashed identifiers that are linked to device hardware, called the hardware UUIDs (universally unique identifiers), to Microsoft, which are “strong and enduring identifier[s] that cannot be easily changed or deleted.” Worse, this behavior can’t be disabled by users. In addition, Edge features a search autocomplete functionality that shares details of web pages visited. Part of this functionality transmits web page information to servers unrelated to search autocomplete. Nice. So if you have any Microsoft boxes at home, stay away from the Edge!

NG: Rise and fall of ‘Dton’
Elizabeth Montalbano: Ever wonder who’s behind one of those Nigerian cybercrime email campaigns asking you to enter into a shady business deal, and how they’re enacted? Well, security researchers tracked him for years hoping to expose all his exploits and those of his accomplices. “By day, he is Dton, administrator of businesses and achiever of organizational goals,” researchers wrote in the report. “But by night, he is Bill Henry, cybercriminal entrepreneur.” The first phase of Dton’s cybercriminal enterprise was to purchase stolen credit card details from Ferrum Shop, an online marketplace flogging more than 2.5 million stolen payment card credentials, then charge about $550 to each card he purchased. This netted him a tidy six-figure income that should have been enough for a lucrative side hustle from his day job. But, becoming a little more greedy, Dton began buying “leads,” or email addresses of potential marks, in bulk, and then launching campaigns of his own to steal user credentials, they wrote. With these leads, Dton escalated his cybercrime activity by sending a variety of malware, comprised of infostealers, keyloggers and crypters, to the bulk email addresses he purchased, researchers said. These campaigns included the type of emails many people have already come across in their inboxes—the ones that include a formal greeting and request the potential victim to enter into a financial deal with the sender of the email based on the recommendation of a mutual contact. To engage in his newfound cybercrime activities, Dton bought and tested various malware—such as packers and crypters, infostealers and keyloggers, exploits and remote VMs. “Dton now disguises his custom-built malware into everyday email attachments, blasts them out to each of the email addresses on his lists, and harvests user credential details without the email owners ever knowing,” researchers wrote. Cybercriminal activities have similar structures to legitimate businesses, researchers revealed in their report. During his criminal activity, Dton also had partners in crime and even had to report to managers, with the same every-day headaches and disagreements with coworkers that people in legitimate jobs have to contend with. Eventually, these frustrations led him to, rather than use malware he bought from other people, hire someone to create a customized RAT that he could use in his cybercriminal campaigns. But eventually Dton turned on the developer of the RAT, using it to compromise the developer’s own machine, researchers said. Eventually Dton got busted, and he lost the hundreds of thousands stolen, but his 7-year side job did get him free room and board and a nice striped outfit to wear.

As the CoronaVirus (Covid-19) takes hold, all else seems trivial, but things will go back to some form of normalcy. While you read these updates you can practice not touching your face......

Ironpie automatic vacuum with camera
According to Trifo, the Ironpie is “An AI-powered robot vacuum that vacuums up dirt, dust, crumbs – even sand – like no one’s business” and it claims that its “mission is to clean and protect your home, so you can do more important things. I keep your home safe from dirt, dust, crumbs, sand and more; and also use my advanced vision system to keep intruders out. I am always alert and never sleep on the job.” The Trifo can be connected to the internet via WiFi, and be controlled remotely for vacuuming, as well as for remote video stream viewing, since it incorporates a video camera. The security concerns of connecting video cameras to the internet should be obvious. So Checkmarx tested the device and found some really worrying deficiencies: insecure encryption, access to the video feed, insecure app update. They also contacted Trifo last December to let them know and have yet to receive a response. So if you have an Ironpie, pop it into the oven, set the temp to 400 and give it a good grilling. We are sure that cooking your Ironpie will resolve all the security issues associated with it, but it might not get your house quite as clean.

"Watch out!" Stripe customers
A new scam involving anyone who has paid by Stripe has the baddies just copying the Stripe validation web interface and sending an email like this: "We don’t recognize the device that was just used to sign in to your Stripe account. If this was you, you don’t need to do anything. If you don’t recognize it, please update your password." Don't take the bait!

UK: Why Free WiFi isn't really free
Jeremiah Fowler discovered in mid-February 2020 yet another unsecured database with 146 million user data records from a company that offers "free wifi" at UK train stations and airports. They collect things like names, email addresses, age ranges and device data of users of the service. "In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user."

GoodRx stops sharing personal medical data with Google, Facebook
GoodRx – a mobile app that saves US consumers money on prescription drugs – has apologized and sworn to do better after a Consumer Reports investigation found that it was sharing people’s data with 20 other internet-based companies. Consumer Reports had discovered that GoodRx was sharing the names of medications that people were using the app to research, including those of a highly sensitive, personal nature. For example, the consumer-focused nonprofit found it could use the app to look for discounts on Lexapro, an antidepressant; PrEP and Edurant, used to prevent and treat HIV, respectively; Cialis, for erectile dysfunction; Clomid, a medication used in fertility treatments; and Seroquel, an antipsychotic often prescribed to control schizophrenia and bipolar disorder. The details GoodRx was sharing could lead to companies being able to infer “highly intimate details” about users, Consumer Reports said: "With the information coming off our test phone and browser, a company could infer highly intimate details about GoodRx users suffering from serious chronic conditions, and make educated guesses about their sexual orientation."

Facebook: No, we are not killing Libra
Lisa Vaas: Late last Tuesday, multiple reports suggested that Facebook has decided not to support its Libra virtual currency in its own products and will instead offer users the ability to make payments with government-issued currencies, or that the platform and its partners are weighing whether they should recast it as mostly a payments network that could operate with multiple coins. According to a report from The Information that cited three sources, Facebook has been mulling offering digital versions of currencies such as the US dollar and the euro, in addition to its proposed Libra token. The Information also reported that Facebook will still launch a digital wallet to enable users to make purchases and send and receive money, but that the rollout would be delayed by several months. A Facebook spokesperson sent this statement: "Reporting that Facebook does not intend to offer the Libra currency in its Calibra wallet is entirely incorrect. Facebook remains fully committed to the project."

Google launches FuzzBench service to benchmark fuzzing tools
Researchers integrate the fuzzer they want to test using an easy API and 50 lines of code. FuzzBench then throws real-world benchmarks and many trials at the tool until, after 24 hours, the results appear: based on data from this experiment, FuzzBench will produce a report comparing the performance of the fuzzer to others and give insights into the strengths and weaknesses of each fuzzer. Fuzzing software involves throwing large numbers of random, tweaked and permuted (fuzzed) input files at an application in the hope of triggering unexpected or hard-to-find bugs, thereby highlighting security vulnerabilities. Developers submit the fuzzer they want to test to the FuzzBench platform, which generates the report by running 20 trials of 24 benchmarks over a 24-hour period using 2,000 CPUs. FuzzBench also runs ten other popular fuzzers (including AFL, libFuzzer, Honggfuzz, QSYM, Eclipser) to provide a comparison. Statistical tests are part of the suite to estimate how much of the difference between one fuzzer and another is down to chance, as well as providing the raw data so developers or pen-testers can make their own assessment. Crashes aren’t included as a metric but will be in future. You can see a sample report at fuzzbench(dot)com.
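For readers who have not looked inside a fuzzer, the added example below (not FuzzBench's code, nor anything from the page) is the mutate-execute-observe loop that every entrant in such a benchmark runs in some form, stripped of coverage feedback. The target is a constructed toy record parser with a planted length-field bug; the mutator, the crash capture and the de-duplication of crashes by panic signature are the parts that carry over to a real fuzzer.

```go
// Added example, not FuzzBench's code or anything from the page: the loop
// every fuzzer in such a benchmark runs in some form, here without coverage
// feedback: pick a corpus input, mutate it, run the target, keep whatever
// crashes. The target is a constructed toy record parser with a planted bug.
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// ParseRecord reads a one-byte length and returns that many payload bytes.
// The bug: it trusts the length field, so a length past the end of the input
// slices beyond the data and panics (in C this would be a silent over-read).
func ParseRecord(data []byte) []byte {
	if len(data) == 0 {
		return nil
	}
	n := int(data[0])
	return data[1 : 1+n]
}

// mutate returns a copy of in with one classic mutation applied: overwrite a
// byte, flip a bit, insert a byte, or delete a byte.
func mutate(rng *rand.Rand, in []byte) []byte {
	out := append([]byte(nil), in...)
	i := rng.Intn(len(out) + 1) // position; only an insert can use i == len(out)
	switch op := rng.Intn(4); {
	case op == 2:
		out = append(out[:i], append([]byte{byte(rng.Intn(256))}, out[i:]...)...)
	case i == len(out): // past the end: nothing to overwrite, flip or delete
	case op == 0:
		out[i] = byte(rng.Intn(256))
	case op == 1:
		out[i] ^= 1 << uint(rng.Intn(8))
	default:
		out = append(out[:i], out[i+1:]...)
	}
	return out
}

// Crash is a reproducing input together with the panic it caused.
type Crash struct {
	Input []byte
	Panic string
}

// runOnce runs the target on a view whose capacity equals its length (so slicing
// past the end cannot quietly read spare capacity) and turns a panic into a Crash.
func runOnce(target func([]byte) []byte, in []byte) (c *Crash) {
	defer func() {
		if r := recover(); r != nil {
			c = &Crash{Input: append([]byte(nil), in...), Panic: fmt.Sprint(r)}
		}
	}()
	target(in[:len(in):len(in)])
	return nil
}

// crashKey drops digits so "[:9] with capacity 8" and "[:200] with capacity 8" are one bug.
func crashKey(msg string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return -1
		}
		return r
	}, msg)
}

// Fuzz runs iters mutations from the seeds with a fixed RNG seed (so a run is
// reproducible) and returns one Crash per distinct bug signature.
func Fuzz(target func([]byte) []byte, seeds [][]byte, iters int, rngSeed int64) map[string]Crash {
	rng := rand.New(rand.NewSource(rngSeed))
	corpus := append([][]byte(nil), seeds...)
	found := map[string]Crash{}
	for i := 0; i < iters; i++ {
		child := mutate(rng, corpus[rng.Intn(len(corpus))])
		if c := runOnce(target, child); c != nil {
			if _, seen := found[crashKey(c.Panic)]; !seen {
				found[crashKey(c.Panic)] = *c
			}
			continue
		}
		// A real fuzzer keeps a child only when it reaches new coverage; with no
		// instrumentation, keep a small random sample so the inputs can drift.
		if len(corpus) < 64 && rng.Intn(8) == 0 {
			corpus = append(corpus, child)
		}
	}
	return found
}

func main() {
	for sig, c := range Fuzz(ParseRecord, [][]byte{[]byte("\x05hello")}, 2000, 1) {
		fmt.Printf("bug: %s\n  reproducer: %q\n", sig, c.Input)
	}
}
```

The fixed RNG seed makes a run reproducible, which is also what lets a FuzzBench-style comparison use repeated trials rather than one-off runs. What this loop lacks, and what AFL, libFuzzer and the others add, is instrumentation: keeping only inputs that reach new code is what turns random mutation into a search, and it is why the benchmark measures coverage rather than (yet) crashes.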
Zynga faces class action suit over massive Words With Friends hack Lisa Vaas: Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts. Zynga admitted to the breach at the time, saying that hackers got their hands on “certain player account information” but that, at least during the early stages of its investigation, it didn’t think any financial information was accessed. The game maker didn’t disclose how many accounts were affected, saying only that they’d contact players with affected accounts. Have I Been Pwned confirmed in December 2019 that more than 173 million accounts were hit. Hacker News, which scrutinized a sample sent over by GnosticPlayers, said that the breached data included names, emails, Login IDs, hashed passwords – “SHA1 with salt”, password reset tokens, Zynga account IDs, and connections to Facebook and other social media services. We don’t know exactly what “SHA1 with salt” means, but we do know that it isn’t bcrypt, scrypt, PBKDF2 or any other of the recognized password hashing functions you’d hope and expect to have been used. HK: Cathay Pacific fined over crooks slurping its database for over 4 years The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it’s fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested 9.4 million people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information over a period of 4 years. 
The ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.

UK: Boots stops loyalty card payouts after 150K accounts get stuffed

The loyalty cards award shoppers with four points for every £1 they spend. One point will get you one penny’s worth of spending power, so if your card has a balance of, say, 199 points, you could use it to buy something that costs £1.99 at a store or online at boots.com… which, of course, means that anybody who gets access to your account can do the same, regardless of where they’re located. That’s why Boots shut down the program, so nobody can shop with points at either stores or online. Boots suggests that the suspicious activity spotted in customers’ accounts is coming from baddies trying to get at their accounts by using credentials that were exposed in some other breach – credentials that those customers have used, reused, re-reused and refused to let go of. It’s called credential stuffing. Sticking (reused!) passwords into every online place you can think of is a simple way to get into somebody else’s account without permission: just go online and look for lists of breached credentials, often available for sale or for free, then try them out until you get lucky.

5 Tips From Homeland Security To Help You Avoid COVID-19 Scams

Lee Mathews: Use Trusted Sources, Avoid Clicking On Links In Unsolicited Emails, IMs, or Texts, Avoid Opening Attachments In Unsolicited Emails, Do Not Reveal Personal Or Financial Information In Email, IMs, or Texts and finally: Verify A Charity’s Authenticity Before Making Donations.

New Android ‘Dangerous’ Download Warning: 61,669 Malicious Apps Hiding On App Store

China features front and center in the RiskIQ report: With 40% of app spending, “China remains the largest app market,” an ecosystem that goes way beyond the official stores.
“The top-three most prolific app stores in 2019 were Chinese, ahead of both Google and Apple.” In fact, China’s leading app store, ApkGK, accounted for more than twice the number of new apps as the Play Store. Putting all that together, it’s little surprise that the four most dangerous app stores (by concentration of malicious apps) are all Chinese: 9Game, VmallApps, Xiaomi and Zhushou. And 9Game leads the way overall—RiskIQ warns that it is the most dangerous of all the app stores, with a staggering 61,669 blacklisted apps.

Microsoft Confirms ‘Really, Really High’ Hacking Risk For Millions Of Users: Here’s What You Do Now

The company warns that 1.2 million accounts were compromised in January, almost all of which were preventable by one simple security measure: multi-factor authentication, or MFA. A truly alarming 80% of those compromised enterprise accounts, which if you do the quick math is almost 1 million hacked accounts in January alone, were hit by either “password spray” or “replay” attacks.

A list of security conferences canceled or postponed due to coronavirus concerns

These are just security conferences. Gatherings like the Geneva auto show or Baselworld have been cancelled too...

Wild West Hacking Fest - March 10 to March 13, San Diego - Current status: Virtual.
Red Team Summit - March 11 to March 12, Menlo Park - Current status: Postponed to June 11-12.
Women in Cybersecurity - March 12 to March 14, Aurora (Colorado) - Current status: Canceled.
ISC West (trade show) - March 17 to March 20, Las Vegas - Current status: Postponed to July, new date to be announced.
Pwn2Own CanSecWest (hacking contest) - March 18 to March 20, Vancouver - Current status: Optional remote participation. Hackers participating in the Pwn2Own contest can attend, but they can also ask contest organizers to execute exploits on their behalf.
InsomniHack - March 19 to March 20, Geneva - Current status: Postponed to June 4 - June 5.
Black Hat Asia - March 31 to April 3, Singapore - Current status: Postponed to September 29 - October 2.
BSidesCharm - April 4 to April 5, Baltimore - Current status: Proceeding on adjusted rules. Remote speakers will be given the option to use video conferencing and avoid traveling to the conference.
BountyCon - April 4 to April 5, Singapore - Current status: Postponed to August 31.
Kaspersky's Security Analyst Summit - April 6 to April 9, Barcelona - Current status: Postponed to September. Exact date to be announced later.
DEF CON China - April 17 to April 19, Beijing - Current status: Postponed, new date to be announced.
Internet Freedom Festival - April 20 to April 24, Valencia - Current status: Canceled.
Area41 - June 11 to June 12, Zurich - Current status: Postponed to June 2021, next year.

Chinese Security Firm Attributes Attacks to the CIA

It's maybe not surprising that the CIA actually uses its trove of Vault 7 hacking tools—and more—to sneak past the defenses of US adversaries. But it's certainly rare to see the agency get publicly called out, as Chinese security firm Qihoo 360 did this week. US security firms regularly attribute, or at least strongly imply, attacks to Chinese hacking groups like APT10. Regardless of whether Qihoo 360 actually has the goods, it'll be interesting to see if other countries feel similarly emboldened to start calling out US hackers, especially when the US itself has become more aggressive with its own "naming and shaming" campaigns.

An Unfixable Flaw Exposes 5 Years of Intel Chips

Ever since speculative execution bugs Spectre and Meltdown upended security for the majority of computers a little over two years ago, newly discovered hardware flaws seem to bedevil Intel every few months. This time it's a flaw in Intel's Converged Security and Management Engine's mask ROM, a particularly nasty spot for a bug because it can't be patched with a firmware update.
"Because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole," wrote security firm Positive Technologies in a blog post announcing the issue. Intel argues that pulling off an attack would require local access, specialized gear, and a high level of skill, making it relatively impractical in the real world. Given the potential impact, though, it's still a concerning flaw—one that affects every Intel CPU and chipset released in the last five years.

Virgin Media Exposes Database of Nearly 1 Million Customers

Leaving a database exposed on the internet is bad enough as it is. It's worse when that database includes personally identifiable information, like home addresses and emails. And worse still when someone outside the company actually finds and accesses those details. Virgin Media has checked all three, with a database of 900,000 customers left vulnerable. Data breaches happen all the time, but that by no means excuses them. There are some steps you can take to protect yourself when they happen, but the onus is on corporations to make sure they don't in the first place.

Someone Accessed Thousands of J. Crew Online Accounts

Oh, hello again. Nearly a year ago, J. Crew suffered a so-called credential stuffing attack that impacted the online accounts of fewer than 10,000 customers. It did, though, include some payment information, like the type of credit or debit card used and the last four digits of the card numbers, plus expiration dates and associated addresses. Not ideal! Regulators may raise an eyebrow at how long it took J. Crew to come forward with this one.

Hackers can clone millions of Toyota, Hyundai, and Kia keys

Over the past few years, owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace.
Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds. Researchers from KU Leuven in Belgium and the University of Birmingham in the UK earlier this week revealed new vulnerabilities they found in the encryption systems used by immobilizers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement a Texas Instruments encryption system called DST80. A hacker who swipes a relatively inexpensive Proxmark RFID reader/transmitter device near the key fob of any car with DST80 inside can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to use the same Proxmark device to impersonate the key inside the car, disabling the immobilizer and letting them start the engine. The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40.

Earn it??

The Register.co.uk: On Thursday, a bipartisan group of US senators introduced legislation with the ostensible purpose of combating child sexual abuse material (CSAM) online – at the apparent cost of encryption. The law bill is called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which folds up into the indignant acronym EARN IT. (See also the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, aka the USA PATRIOT Act.)
Backed by senators Lindsey Graham (R-SC), Richard Blumenthal (D-CT), Josh Hawley (R-MO) and Dianne Feinstein (D-CA), the proposed law intends to make technology companies "earn" their exemption from liability allowed under Section 230 of the US Communications Decency Act by requiring internet companies to follow a set of best practices to keep CSAM off their networks. For the uninitiated, Section 230 gives internet platforms blanket legal protections: simply put, websites can't be held liable for any bad stuff shared by users, plus or minus some minor caveats. Critics say today's rules are too broad, and let technology giants off the hook too easily.

7 Cloud Attack Techniques

Credential Exposure Leading to Account Hijack: The exposure of API credentials leading to an account hijack is a high-severity, high-likelihood attack kill chain in the cloud.

Misconfiguration Mishaps: "Just about anyone can get an S3 bucket and do whatever they want with it." Attacks linked to misconfiguration still happen because organizations so frequently fail to protect their information in the public cloud.

Major Cloud Services Are Hot Targets: As organizations move to the cloud, cybercriminals continue to do the same. This is evident in phishing attacks mimicking the login pages of popular cloud services, like Office 365. Cybercriminals are after credentials that will give them the keys to cloud services. "Unfortunately, a lot of people still use weak credentials."

Cryptomining: When they do get into the cloud, many intruders continue to engage in cryptomining: a low-severity, high-likelihood attack that most businesses face. An attacker can obtain credentials with RunInstance, virtual machine, or container permissions, run a large instance or virtual machine, inject a cryptominer, connect to a network, and exfiltrate the results.

Server-Side Request Forgery: Server-side request forgery (SSRF) is a dangerous attack method and a growing issue in cloud environments.
SSRF is a threat due to the use of the metadata API, which lets applications access configurations, logs, credentials, and other information in the underlying cloud infrastructure. The metadata API can only be accessed locally; however, an SSRF vulnerability makes it accessible from the Internet.

Gaps in the Cloud Supply Chain: "A lot of the services we consume, applications we use ... it's never just from one company."

Brute Force and Access-as-a-Service: Brute-force attacks are top-of-mind for Trend Micro's Clay, who says attackers have begun to craft phishing emails with links to malicious pages tied to cloud infrastructure and accounts. Pop-ups may prompt victims to enter their usernames and passwords into fake login pages for Office 365 and other cloud applications. "They're all looking for credentials."

Venezuela offline

A power outage and fluctuations in supply across Venezuela on 1 March 2020 knocked out approximately 35% of the country’s telecommunications infrastructure.

Smart speakers mistakenly eavesdrop up to 19 times a day

Virtual assistants like Siri and Alexa are programmed not to listen to your conversation constantly. Instead, they listen for a ‘wake phrase’. When they hear it, it’s their cue to listen to what you subsequently say, which could be an instruction or a request. Google Assistant responds to “OK Google”, Apple’s Siri perks up when you say “Hey Siri” and Microsoft’s Cortana pricks up its digital ears when you say “Hey Cortana”. The problem is that just like humans, virtual assistants often mishear things. Siri might think that “Seriously” sounds enough like its wake word to start listening to what you’re saying, but that’s just one of a range of sounds that might trigger it. That’s why it’s been reported recording everything from sex to criminal deals. Until now, we haven’t known just how (in)accurate these voice assistants are at listening for wake phrases.
Thanks to research by academics at Northeastern University and Imperial College London, now we do. It turns out they’re not that accurate at all. With the devices set up in front of playing videos, the researchers found that they would activate up to 19 times each day on average. The HomePod device was the worst, with an over-enthusiastic Siri switching on for lots of phrases. Speech that triggered it started with “Hi” or “Hey” followed by something starting with something sounding like an “S” and a vowel, or something that sounds like “ri”. Examples of speech that set it off included “He clearly”, “Hey sorry” or “I’m sorry”, and “Okay, yeah”, so watch who you’re apologising to or agreeing with. Even “historians” would set it off. When the devices did wake up, they’d often do so for relatively long periods. The HomePod and the Echos would wake up for at least six seconds more than half the time. The second-generation Echo Dot and the Harman Kardon speaker had the longest activations, earwigging for between 20 and 43 seconds.

EU Commission to staff: Switch to Signal messaging app

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications. The instruction appeared on internal messaging boards in early February, notifying employees that "Signal has been selected as the recommended application for public instant messaging." The app is favored by privacy activists because of its end-to-end encryption and open-source technology. "It's like Facebook's WhatsApp and Apple's iMessage but it's based on an encryption protocol that's very innovative," said Bart Preneel, cryptography expert at the University of Leuven. "Because it's open-source, you can check what's happening under the hood," he added. Signal was developed in 2013 by privacy activists.
It is supported by a nonprofit foundation that has the backing of WhatsApp founder Brian Acton, who had left the company in 2017 after clashing with Facebook's leadership.

Taking someone else's GPS tracker off your car isn’t ‘theft,’ court rules

A suspected meth dealer is off the hook for at least one of the charges he’s facing: that he “stole” the GPS device that police stuck on his car to track his movements. That’s what the supreme court in the US state of Indiana ruled last week. On Thursday, Chief Justice Loretta Rush handed down an opinion with which four justices concurred: that the affidavit accompanying the warrants had failed to establish probable cause that the suspect – Derek Heuring – had stolen the tracking device placed on his SUV by police who suspected he was dealing methamphetamine. The tracker had been streaming out Heuring’s location data for six days. Then, it abruptly stopped. For 10 days, police couldn’t track their target’s movements. Because the GPS device was a critical element in discovering subsequent offenses (unregistered gun, drugs, drug paraphernalia), it may turn out that none of the evidence could be used against the dealer. The case continues....

Brave beats other browsers in privacy study

Douglas Leith, professor of computer systems at Trinity University, examined six browsers: Chrome, Firefox, Safari, Brave, Edge, and Yandex. The study used several tests to deduce whether the browser can track the user’s IP address over time, and whether it leaks details of web page visits. To do this, it looked at the data shared on startup after a fresh install, on a restart, and after both pasting and typing a URL into the address bar. It also explored what the browser did when it was idle. Even though Mozilla makes a talking point of privacy in Firefox, it was Brave, developed by Mozilla’s founder (and creator of JavaScript) Brendan Eich, that won out.
Brave, which has accused Google of privacy violations, is “by far the most private of the browsers studied” when used with its out-of-the-box settings, according to the paper. Worst was Yandex. Yandex didn’t respond to the paper’s allegations that its browser, popular among Russian speakers, sends user browsing data to Yandex servers as part of its autocomplete API, along with the text of web pages to its translation service. It also sends the SHA-1 hashed MAC address of a machine to Yandex, along with browser identifiers, enabling them to be tied together, Leith’s paper said.

Clearview AI loses entire database of faceprint-buying clients to hackers

Clearview AI, the controversial facial recognition startup that’s gobbled up more than three billion of our photos by scraping social media sites and any other publicly accessible nook and cranny it can find, has lost its entire list of clients to hackers – including details about its many law enforcement clients. The company told its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts they’ve set up, and to the number of searches they’ve run. If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t. "Clearview continues to give us a clear view of why biometric surveillance is an unsalvageable trash fire."

UK: Lawmakers Warned of “Persistent” Hacking Threat

Parliamentary email holders were sent nearly 21 million spam messages in the 2018-19 financial year, but internal security systems blocked them before they reached the inboxes of MPs, Lords and their staffers. Spam can also come from unexpected places: in 2016 the speaker John Bercow was forced to intervene after MPs complained of being bombarded by emails from Donald Trump’s election team.
UK: Home Office Admits 100 GDPR Breaches in EU Scheme

The Home Office breached the GDPR 100 times in its handling of EU citizens’ data in the space of just five months, an inspector’s report has revealed. Between March 30 and August 31 2019 the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI). “Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.

US: Congress passed legislation offering $1 billion to help telecom carriers “rip and replace” equipment from Chinese giants Huawei and ZTE.

On Thursday, US lawmakers passed legislation that plans to give $1 billion to telecom carriers to “rip and replace” equipment from Chinese tech giants Huawei and ZTE. The measure approved by the Senate is now passed to the White House for the final signature from President Donald Trump. “Telecommunications equipment from certain foreign adversaries poses a significant threat to our national security, economic prosperity, and the future of US leadership in advanced wireless technology,” said Senator Roger Wicker. “By establishing a ‘rip and replace’ program, this legislation will provide meaningful safeguards for our communications networks and more secure connections for Americans.” A few weeks ago, the Wall Street Journal reported that U.S. officials say Huawei can covertly access telecom networks where its equipment is installed.

China cracks down on 'sexual innuendo' and 'celebrity gossip' in new censorship rules

Sweeping new internet censorship rules have gone into effect in China, prompting concerns that authorities will further control information and online debate as the country reels from the coronavirus outbreak.
China’s cybersecurity administration has since Saturday implemented a set of new regulations on the governance of the “online information content ecosystem” that encourage “positive” content while barring material deemed “negative” or illegal. The regulations, released last year, come as Chinese internet users have become increasingly critical of censorship because of the removal of news and comments about the government’s handling of the coronavirus outbreak. Volunteers have been preserving removed content while internet users have been trying new ways to evade censors.

Walgreens' mobile app leaked users' personal data

"Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app," the company said. The mobile app error allowed users to view other users' personal data and drug prescription details between Thursday, January 9, and Wednesday, January 15, 2020, and exposed: first and last name, prescription number and drug name, store number, shipping address. If you are one of the 12.5 million people with the app on your phone and you used it to have a prescription filled, it's just another few bits of your personal details leaked.

US: Intuit’s $7 billion deal to buy Credit Karma is a test for antitrust regulators.

According to Intuit CEO Sasan Goodarzi, the merger will benefit not just the companies, but also consumers. “What you’re now able to bring together with the two companies is the customers’ complete financial identity so they can get the best loan and insurance products for them,” he said in a conference call announcing the merger Monday, as reported by American Banker. By combining the two companies’ datasets, in other words, Intuit will be able to build more richly detailed dossiers of the financial backgrounds for millions of people.
That, in turn, will allow lenders—and Intuit itself—to target offers even more efficiently. (When reached for comment, a spokesperson for Intuit pointed me to smartmoneydecisions.com, a website the companies created about their deal.) Does this sound familiar? It should. It’s the entire value proposition behind the ad-supported Internet. Facebook and Google, two of the most profitable companies in the world, make their billions by monitoring as much of our online (and, increasingly, offline) behavior as possible and selling ads against that data. They, and other websites and apps like them, justify the surveillance by arguing that consumers appreciate having ads that are more relevant to them. Read a privacy policy, and it will probably mention something about “sharing your data with advertising partners” in order to “present offers that might interest you.” It’s not about extracting more money out of us, the story goes; it’s about helping us find what we really want. And companies don’t just seek out people with good scores or lots of money. In fact, people with weaker credit scores can in some ways be more lucrative customers for credit products. “Being weaker is not bad to the industry,” said Martha Poon, a sociologist who studies credit scoring technology. “The weaker you are, the higher the interest rate they can charge you. That, for them, is good.” In the modern credit industry, she added, “what’s at stake is not selecting borrowers who are so-called ‘worthy’ of credit. It’s extending as much credit as possible in a way that allows the lender to have an economically viable business.”

Samsung Reveals Galaxy S20 Security Surprise

Davey Winder: The all-new and S3K250AF-based "Secure Element" security solution, which will first feature in the Galaxy S20, brings the concept of standalone and isolated sensitive data storage to Samsung smartphones for the first time.
Google has the Titan M in its Pixel devices, and Apple has the T2 chip-powered secure enclave in iPhones.

This Is Huawei’s Alarming New Surprise For Google: Here’s Why You Should Be Concerned

Zak Doffman: Huawei "Search" is on its way, and will soon launch “as part of the Huawei ecosystem.” Not only does this represent a further business risk to Google from the ongoing technology split, east versus west, but it also raises some significant questions around who curates and filters our news. Huawei is the second largest supplier of smartphones worldwide; its global audience stretches way beyond China’s borders. This isn’t a mapping app, it’s not a new front-end for our email or a payment processing engine. This is a potential filter that sits atop the World Wide Web, serving up content for hundreds of millions of users worldwide. Whether or not you believe the U.S. allegations that Huawei is controlled by the Chinese state, that it is subsidised and subject to Beijing’s national security laws, it is unarguably a company based in the most highly censored country on the planet. There is also the fact that search related data would be captured from the search history of those users.

The NSA’s $100 Million Call Records Surveillance Program Only Led to a Single Investigation

The NSA’s vast phone metadata collection, authorized under Section 215 of the Patriot Act, has been one of the most controversial practices in the intelligence agency’s history since it was exposed in 2013 by the leaks of Edward Snowden. But only now, a year after the program was officially ended, has the public learned not only the sweeping scope of that surveillance but also how expensive it was—and how ineffective. A declassified study by the intelligence community’s Privacy and Civil Liberties Oversight Board shared with Congress this week revealed that the metadata program cost $100 million, and only on two occasions produced information that the FBI didn’t already possess.
On one of those occasions, the investigation was dropped after the FBI looked into the lead. In another case, the NSA’s findings led to an actual foreign intelligence investigation. For that one case, the report doesn't reveal the nature of the investigation or what may have resulted. Hopefully whatever happened, it was worth $100 million of taxpayer funds—and an enormous controversy that has tarnished the NSA’s reputation for years.

US: Schools Are Using Radio Frequency Scanners to Track Students

CNET took a close look this week at Inpixon, a company that provides technology that allows schools to keep track of students' locations accurate down to a meter. The company touts its safety benefit, but raises obvious surveillance concerns, especially given that the affected group is definitionally minors. Its scanners pick up Wi-Fi, Bluetooth, and cellular signals from student smartphones, smartwatches, tablets, and more. And while it technically anonymizes data, it's easy enough to pair it with ubiquitous in-school camera systems to tie the individual to the activity.

Alleged White Supremacist Arrested in Connection With Swatting Attacks

The Justice Department this week announced the arrest of John Cameron Denton, an alleged former leader of the white supremacist group Atomwaffen Division, in connection with a series of swatting events between November 2018 and April 2019. (Swatting is the practice of calling 911 to report a serious crime at an address where none is occurring to get a heavily armed SWAT team to show up; it has gotten people killed, though not in the instances Denton is alleged to have participated in.) If convicted, Denton faces up to five years in prison.