A collection point
...and some of my own.
Israel Says Hackers Targeted SCADA Systems at Water Facilities
Eduard Kovacs: According to an alert published by Israel’s National Cyber Directorate, the attacks targeted supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities. Organizations in the water and energy sectors have been advised to immediately change the passwords of internet-accessible control systems, reduce internet exposure, and ensure that all control system software is up to date. According to Israeli media reports, the attacks were launched on Friday and Saturday and targeted facilities across the country. Representatives of Israel’s Water Authority claimed the attacks did not cause any operational damage.

Collection of South Korean, U.S. Payment Cards Emerges on Underground Market
Ionut Arghire: Uploaded on a popular darknet cardshop on April 9, this collection represents the largest sale of South Korean records on underground markets this year, the cyber-security company warns. It also shows the growing popularity of APAC-issued card dumps among cyber-criminals. The total number of records in the database is 397,365, and the dump has a total price of $1,985,835, at $5 per record. The dump has a 30-40% validity rate, the infamous underground marketplace Joker’s Stash announced. The database mainly contains Track 2 information, such as the bank identification number (BIN), account number and expiration date, and may include the card verification value (CVV) as well. Such data is usually harvested from infected POS terminals, ATM skimmers, or breached payment systems. While the provenance of the data is still unknown, Group-IB discovered that 49.9% of the records in it were from South Korea (198,233 items valued at $991,165). Furthermore, 49.3% of the items were related to banks and financial organizations in the United States.
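The card-dump item above notes that the records are Track 2 data (PAN, expiry, service code) harvested from compromised POS terminals. The usual defensive control against this kind of leakage is a data-loss-prevention rule that spots Track 2 strings in places they should never appear, such as application logs or outbound traffic. The following is an added example, not code from Group-IB or the article: it scans constructed log lines for the ISO/IEC 7813 Track 2 layout, Luhn-checks the PAN to cut false positives, flags already-expired cards, and reports only a masked PAN so the detector itself does not become a second leak. The sample lines, the test PANs (4111111111111111 and 5555555555554444 are standard non-issued test numbers) and the field names in the findings are all assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample log lines (not real captures). Lines 1-3 carry Track 2-style
# strings; the PANs are standard, non-issued test numbers.
SAMPLE_LOG_LINES = [
    'pos-terminal-7 swipe ok raw=";4111111111111111=25121015432112345678?" amount=42.10',
    'pos-terminal-7 swipe ok raw=";5555555555554444=19061011234567890123?" amount=9.99',
    'pos-terminal-3 debug raw=";4111111111111112=2512101" retry=1',
    'pos-terminal-3 heartbeat ok uptime=4021s',
]

# Track 2 (ISO/IEC 7813): optional start sentinel ';', PAN of up to 19 digits,
# field separator '=', expiry YYMM, 3-digit service code, discretionary data,
# optional end sentinel '?'.
TRACK2_RE = re.compile(
    r';?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??'
)


def luhn_ok(pan: str) -> bool:
    """Return True when the PAN passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def expiry_passed(yymm: str, today: date) -> bool:
    """Track 2 expiry is YYMM; the card is valid through the end of that month."""
    year = 2000 + int(yymm[:2])
    month = int(yymm[2:])
    return (year, month) < (today.year, today.month)


def scan_for_track2(lines, today=None):
    """Return one finding per Track 2 string found, never exposing the full PAN."""
    today = today or date.today()
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group("pan")
            findings.append({
                "line": lineno,
                "bin": pan[:6],
                "masked_pan": mask_pan(pan),
                "expiry": m.group("exp"),
                "luhn_ok": luhn_ok(pan),
                "expired": expiry_passed(m.group("exp"), today),
            })
    return findings


if __name__ == "__main__":
    for f in scan_for_track2(SAMPLE_LOG_LINES, today=date(2020, 4, 30)):
        print(f)
```

In a real deployment the Luhn result is what separates a card number from a 16-digit order or tracking identifier; a hit that fails Luhn is worth a lower-severity alert, and a hit on an expired card still indicates a process writing raw swipe data to disk.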
Nintendo Breach Affects 160,000 User Accounts
Last week we reported that many Nintendo accounts were being mysteriously compromised. This week Nintendo has begun restricting log-ins and resetting affected passwords after admitting that as many as 160,000 accounts may have been illegally accessed by hackers. The Japanese gaming giant said it was disabling access to accounts via the legacy Nintendo Network ID (NNID), which was associated with its now-defunct Nintendo 3DS handsets and Wii U consoles. That’s because, since the beginning of April, hackers have been using NNIDs “obtained illegally by some means other than our service” to access user accounts and buy digital items using stored cards. Unauthorized third parties may also have been able to view personal information including name, date of birth, gender, country/region and email address. Specialists speculate that Nintendo still has a functioning API for gaming services that have been deprecated, and that it is probably being hit with credential stuffing attacks.

309 million Facebook users’ phone numbers found online
Last week researchers at cybersecurity intelligence firm Cyble came across a database with 267m Facebook user profiles being sold on the Dark Web. Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it … for the grand total of £500. That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age. Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself.
If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data. How did the data get leaked? Probably via Facebook's developer API. The initial breach exposed 267,140,436 records of what were mostly Facebook users in the US and most of the records seemed to be valid. The same 267m records were exposed on a US Elasticsearch server in March 2020, but this time, the exposure included an additional 42 million records. Included were Facebook IDs, phone numbers, and usernames, gender, email address, birth date and other personal data. Want to turn access to your records off? In Facebook, go to “Settings & privacy”.
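The Nintendo item above speculates that a still-live API for deprecated NNID services was being hit with credential stuffing. What distinguishes stuffing from a single user mistyping a password, or from a brute-force run against one account, is the shape of the traffic: one source, many distinct usernames, almost all failures, often against an endpoint nobody should be using any more. The following is an added example, not Nintendo's code or anything from the article: a sliding-window detector over a constructed authentication log that alerts on a source once it has made enough attempts against enough distinct accounts with a high failure ratio. The log format, thresholds, endpoint path (/nnid/login) and documentation-range IP addresses are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). IPs are from RFC 5737
# documentation ranges; the /nnid/login path is a placeholder for a legacy endpoint.
SAMPLE_AUTH_LOG = [
    "2020-04-24T10:00:01Z src=198.51.100.7 user=alice result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:03Z src=198.51.100.7 user=bob result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:05Z src=198.51.100.7 user=carol result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:07Z src=198.51.100.7 user=dave result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:09Z src=198.51.100.7 user=erin result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:11Z src=198.51.100.7 user=frank result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:13Z src=198.51.100.7 user=grace result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:15Z src=198.51.100.7 user=heidi result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:17Z src=198.51.100.7 user=ivan result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:19Z src=198.51.100.7 user=judy result=FAIL endpoint=/nnid/login",
    "2020-04-24T10:00:21Z src=198.51.100.7 user=ken result=OK endpoint=/nnid/login",
    # A legitimate user who forgot a password: same account, then success.
    "2020-04-24T10:05:00Z src=203.0.113.5 user=pat result=FAIL endpoint=/account/login",
    "2020-04-24T10:05:20Z src=203.0.113.5 user=pat result=FAIL endpoint=/account/login",
    "2020-04-24T10:05:45Z src=203.0.113.5 user=pat result=OK endpoint=/account/login",
    # Single-account brute force: many failures but only one username, so this
    # detector leaves it to a separate per-account lockout rule.
    "2020-04-24T10:07:00Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:02Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:04Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:06Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:08Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:10Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:12Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
    "2020-04-24T10:07:14Z src=203.0.113.9 user=admin result=FAIL endpoint=/account/login",
]


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_credential_stuffing(lines, window=timedelta(seconds=60),
                               min_attempts=8, min_distinct_users=5,
                               min_fail_ratio=0.8):
    """Alert once per source IP whose attempts inside any `window` hit the thresholds."""
    events = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_attempts:
                continue
            users = {e["user"] for e in span}
            fails = sum(e["result"] == "FAIL" for e in span)
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                alerts.append({
                    "src": src,
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(span), 2),
                    "first_seen": span[0]["ts"].isoformat(),
                    "last_seen": span[-1]["ts"].isoformat(),
                    "endpoints": sorted({e["endpoint"] for e in span}),
                })
                break  # first triggering window is enough; one alert per source
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_AUTH_LOG):
        print(alert)
```

The endpoint list in the alert is the field that matters for a case like the one described: if every hit lands on a path that was supposed to be retired, the fix is to turn the endpoint off rather than to tune the threshold.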
Facebook Users Beware: Here’s Why Messenger Rooms Is Not Actually Private
Kate O'Flaherty: Facebook has just launched Messenger Rooms, a video chat app with the ability to add up to 50 people in a virtual room. In a blog, the company has outlined the security and privacy it claims underpin the service, taking a clear swipe at rival app Zoom. But when Facebook talks about “privacy” in Rooms, it defines this as the ability to block or report people, as well as the option to “lock” a room to prevent uninvited guests from crashing your chat. So it’s not that private at all: Messenger Rooms uses the same data collection policies as Facebook, which includes sharing your information with third parties. “Privacy settings on Facebook don’t protect data from Facebook, or its partners’ exploitation of the data.”

AU: Rabobank security cert expires and gives its Australian Android app a case of internet-blindness
“There was a recent issue which was caused by an expired security certificate within the bank’s mobile banking app. It only affected Android users, causing the ‘connection error’ message when customers tried to log in to their app. This security certificate problem has since been fixed, with a new app update released which has resolved the issue for the majority of impacted customers.” However, the fix didn’t work for all users. “The bank is assisting those still-impacted customers to provide a work-around solution (i.e. un-installing, reinstalling and re-registering the app), while we continue to work on the system fix required to resolve the problem.” Complicating matters is that customers need to chat to Rabobank’s contact centre to resolve the problem.
However, that centre “has recently experienced a higher volume of calls … as a function of the current market conditions, which is not unexpected given present circumstances.”

Chinese ‘Frontline’ COVID-19 Research Firm Reported Hacked: Data Now On Dark Web
Zak Doffman: It’s a controversial subject—the use of CT scans to diagnose coronavirus—but it’s an emerging field. And while the likes of the U.S. Centers for Disease Control and Prevention and the American College of Radiology have cautioned against it, one Chinese medical company has harnessed Intel’s technology and Huawei’s marketing channels to push Huiying Medical's solutions into frontline hospitals. Cyber researchers at Cyble now report that a threat actor they describe as “credible” has gained access to the medical company’s “COVID-19 detection technology source code and COVID-19 experimental data.” Huiying Medical has not yet responded to a request for comment made the day before publishing. According to Cyble, the threat actor “THE0TIME” is selling the data for 4 BTC, around $30,000. That data is said to include user information, technology source code, and reports on experiments. Cyble “reviewed the exclusive and non-public samples and verified the claim.” The team identified confidential images from the breached data, which they are not making public.

Signal Says It Will Leave the US Market If the EARN IT Act Passes Congress
The end-to-end encrypted messaging app Signal, which is respected and trusted for its transparent, open source design, says that it will be one of the immediate casualties should the controversial EARN IT Act pass Congress. Written by South Carolina Republican senator Lindsey Graham and Connecticut Democrat Richard Blumenthal and introduced in the Senate last month, the EARN IT Act claims to be a vehicle for improving how digital platforms reduce sexual exploitation and abuse of children online.
But the law would really create leverage for the government to ask that tech companies undermine their encryption schemes to enable law enforcement access. Signal developer Joshua Lund said in a blog post on Wednesday that Signal is not cool with that! More specifically, he noted that Signal would face insurmountable financial burdens as a result of the law and would therefore be forced to leave the US market rather than undermine its encryption to stay. Given that Signal is recommended and used across the Department of Defense, Congress, and other parts of the US government, this would be a seemingly problematic outcome for everyone.

WhatsApp Takes New Steps to Stop the Spread of Misinformation on Its Platform
WhatsApp announced on Tuesday that it will restrict forwarding of highly forwarded messages, so users can only send them to one chat at a time. The idea is to make it much more difficult and tedious to bulk-forward a message. WhatsApp has put other restrictions on forwarding in the past. Last year it started labeling highly forwarded messages with a double-arrow icon, and it has been particularly focused on curbing the spread of misinformation in recent months, given the Covid-19 pandemic.

Travelex Paid $2.3 Million to Hackers After Being Hit by Ransomware
Hackers hit the currency exchange firm Travelex with ransomware at the beginning of January, crippling the company's operations. This turned out to be just the beginning of the company's problems and financial woes. The Wall Street Journal reports, though, that before it was embroiled in the drama of a major accounting scandal, Travelex paid its ransomware attackers a whopping $2.3 million in an attempt to get them to go away. Paying hackers their requested ransom is not illegal in the United Kingdom, where Travelex is based, but it is frowned upon by the international law enforcement community and security experts.
Victims can't be sure that attackers will actually retreat after they receive the ransom, and paying emboldens hackers to attempt more ransomware schemes.

On Friday, Apple and Google announced a joint collaboration to make a Covid-19 "contact-tracing" framework available for legions of Android and iOS smartphones. Slated for release next month, the platform will give public health organizations the ability to track infections and use Bluetooth proximity analysis to warn people if they've come into contact with someone who has reported that they're infected. The service will be opt-in only and is designed to preserve privacy, the companies say. The pandemic has fueled debate about contact-tracing apps, but researchers say that it is possible to design encryption schemes for such services in a way that would successfully protect user privacy.

San Francisco International Airport Discloses Data Breach
The incident involved SFOConnect.com and SFOConstruction.com, two low-traffic websites designed to keep visitors informed on a variety of SFO-related topics, such as the COVID-19 crisis, alternate AirTrain routing, airfield operations, airport construction contracts, and the like. In March 2020, the websites were targeted by cyber-criminals who injected malicious code into them, aiming to steal the login credentials of visiting individuals. The hackers, SFO says, appear to have targeted the usernames and passwords that people use “to log on to those personal devices.” Basically, they were after the victims’ Windows login credentials. This data was stolen directly from the users’ browsers even before it reached SFO systems. Since this happened on the users’ devices, the website administrators would have had no visibility into it. “Attackers know that people tend to reuse passwords across different websites and take credentials collected from other sites, then try to use them to log into more valuable websites, such as banks.
It is vital to ensure that people are taught about the dangers of reusing passwords across multiple websites and that people enable multi-factor authentication, such as a text message with a code or a code generated from an app on a smart phone, wherever possible.”

Apple and Google Team Up on Virus 'Contact Tracing' by Smartphone
The companies next month plan to release software interface technology to allow for interoperability -- so that an alert would work regardless of the operating system. Apple and Google contended that "privacy, transparency, and consent" were top priorities in the joint initiative, addressing concerns about systems which could disclose personal data on individuals. "Contact tracing can help slow the spread of COVID-19 and can be done without compromising user privacy," Apple chief executive Tim Cook said in a tweet. Technology-enabled or digital contact tracing has played a "conspicuously visible" part of the pandemic responses of South Korea, Singapore, Israel, and other nations, law professor and privacy researcher Ryan Calo said in Senate testimony this week. "I understand the intuition behind digital contact tracing," Calo said in prepared remarks. "But I see the gains in the fight against the virus as unproven and the potential for unintended consequences, misuse, and encroachment on privacy and civil liberties to be significant."

Drones Take Italians' Temperature and Issue Fines
Authorities in Italy are using drones equipped with heat sensors to take the temperature of citizens and send the information to a drone operator, who has a thermal map on his hand-held screen -- shining orange and purple blobs. The hovering drone emits a mechanical buzz reminiscent of a wasp and shouts down instructions in a tinny voice. "Attention! You are in a prohibited area. Get out immediately," commands the drone, about the size of a loaf of bread. "Violations of the regulations result in administrative and criminal penalties," the drone says.
"Once a person's temperature is read by the drone, you must still stop that person and measure their temperature with a normal thermometer," Matteo Copia, a police commander, said. Copia says the local police force has received new powers that allow it to check people's temperature without their knowledge or permission.

Thousands of Zoom credentials available on a Dark Web forum
“In a recent investigation of deep and dark web forums, IntSights researchers came across a cybercriminal who shared a database containing more than 2300 usernames and passwords to Zoom accounts. An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts “only” included an email and password, others included meeting IDs, names and host keys.”

Nine Amazon workers describe the daily risks they face in the pandemic
Louise Matsakis, WIRED.com
As the novel coronavirus pandemic sweeps the globe, an otherwise marginalized class of workers is suddenly in the spotlight. Often undervalued and poorly paid, they are grocery store clerks, sanitation workers, medical professionals, and other employees who can’t stay home—even when the nation is on lockdown. In the United States, hundreds of thousands of these so-called essential workers are employed by or contract for Amazon, whose delivery network has emerged as a vital service for millions of Americans stuck inside their homes.

Warehouse worker, early forties, Texas:
Since the virus came, for the last couple of weeks, we’ve taken advantage of the unpaid—not paid—time off. This next upcoming paycheck, I think I will be paid for six hours of work. I’m staying home because my mom, she had a pacemaker put in not too long ago, and she lives with me. We don’t want to go without money. In fact, I don’t know how we’re going to pay our bills this month.
I’m down to about $200, and this stimulus check is probably not going to come for another month. When we walk through the main front doors, we hit these turnstiles to enter. Everyone has to touch them, and I have never, not one time in my life, seen anybody clean those things. I know that in my fulfillment center, we’ve got over 900 people who work there, and we have three entrances to choose from. All it’s going to take is one infected person.
The day this interview was conducted, Amazon notified the worker about a confirmed case of Covid-19 at their workplace.

Food catering, early thirties, Ohio:
It’s kind of impossible to socially distance with our jobs, because our storage room is so small. They had us take out at least 70 percent of the microwaves, in the hopes that things would be more spaced out in the break rooms. But the problem is now we have an overwhelming amount of employees trying to use way fewer microwaves. It’s a big job, there’s a lot to do. During peak, which is usually around Christmastime, we can be there up to 11, 12 hours a day. But it’s starting to be more like that now, as Amazon is hiring more and more people to keep up with demand for essential items. They just hired another 100 people today. I’m petrified. It’s just me and my 16-year-old son, and he’s a type 1 diabetic.
After this interview was conducted, multiple confirmed cases of Covid-19 were reported at their workplace. They are now taking unpaid time off.

Warehouse worker, late thirties, Illinois:
A couple of weeks ago, they started doing superficial stuff for the coronavirus. They put tape on the ground by the time clocks for social distancing, and they removed some of the time clocks. But then they hired more people, which made the crowding worse in some areas. Now, when you walk in the door, they scan your head for your temperature. If it’s high, they send you home. But the issue is if you come in late, nobody is there to scan your head.
Also, none of the managers know how to use the scanners, which I don’t get. You pull the trigger, aim at the person’s temple, and done. So they were just waving people in anyway. Yesterday we got emails and text messages saying that there’s now several confirmed cases at our warehouse. I think they should at least close the warehouse down for cleaning. Once somebody in the building has got it, they’ve touched so much, and everybody else has touched it, too.

Warehouse worker, early sixties, California:
One problem we’re encountering is that once we’re on the floor and we’re doing our work, they don’t mandate social distancing. People aren’t staying 6 feet away. Instead of going around me, workers cut right in front of me, they bump into me. We have no hand sanitizers. We have no wipes. They’re not providing face masks.

Grocery warehouse worker, late twenties, Washington:
Cooler space and the freezer space are very compact. The suits were the final nail in the coffin for me. In the freezer, it’s around zero degrees Fahrenheit. Amazon has these big puffy bodysuits that you put on over your whole body, including your mouth, which you need to keep you insulated. You find one that fits you, you do your time in the freezer, then you come out and you take it off, and some other poor bastard uses it. Because of the coronavirus, I haven’t been going in. For me, it’s just not worth the risk. While they are taking basic precautions, the fact of the matter is there are over 200, maybe 300 people that come in and out of this warehouse every day. They can’t possibly sanitize every single surface every two hours.

New IRS Site Could Make it Easy for Thieves to Intercept Some Stimulus Payments
Brian Krebs: Each year, scam artists file phony tax refund requests on millions of Americans, regardless of whether or not the impersonated taxpayer is actually due a refund.
In most cases, the victim only finds out when he or she goes to file their taxes and has the return rejected because it has already been filed by scammers. In this case, fraudsters would simply need to identify the personal information for a pool of Americans who don’t normally file tax returns, which may well include a large number of people who are disabled, poor or simply do not have easy access to a computer or the Internet. Armed with this information, the scammers need only provide the target’s name, address, date of birth and Social Security number, and then supply their own bank account information to claim at least $1,200 in electronic payments. Unfortunately, SSN and DOB data is not secret, nor is it hard to come by. As noted in countless stories here, there are multiple shops in the cybercrime underground that sell SSN and DOB data on tens of millions of Americans for a few dollars per record. A review of the Web site set up to accept bank account information for the stimulus payments reveals few other mandatory identity checks to complete the filing process. It appears that all applicants need to provide a mobile phone number and verify they can receive text messages at that number, but beyond that the rest of the identity checks seem to be optional. To check the filer’s identity, the site asks for a state-issued driver’s license ID number, and the ID’s issuance and expiration dates. However, the instructions say “if you don’t have a driver’s license or state issued ID, you can leave the following fields blank.” Alas, much may depend on how good the IRS is at spotting phony applications, and whether the IRS has access to and bothers to check state driver’s license records. But given the enormous pressure the agency is under to disburse these payments as rapidly as possible, it seems likely that at least some Americans will get scammed out of their stimulus payments. 
Dutch authorities launch sudden strike against DDoS-for-hire operators, taking down 15 sites in a week
The Distributed Denial of Service or DDoS-for-hire websites, also known as DDoS booters or DDoS stressers, allowed users to sign up and launch DDoS attacks against websites and other internet infrastructure. Dutch authorities said the takedowns took place last week, and they received support from web hosting companies, domain registrars, Europol, Interpol, and the FBI. Authorities did not release the names of the 15 DDoS services.